fix: use server side templates

common/ASC.OAuth/authorization/src/main/java/com/onlyoffice/authorization/configuration/ApplicationConfiguration.java

@@ -77,12 +77,7 @@ public class ApplicationConfiguration {
                                 .invalidateHttpSession(true)
                                 .deleteCookies("JSESSIONID")
                 )
-                .csrf(c -> {
+
-                    c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
-                    c.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
-                })
-                .addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class)
-                .addFilterAfter(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
                 .build();
     }
 }

common/ASC.OAuth/authorization/src/main/java/com/onlyoffice/authorization/configuration/AuthorizationServerConfiguration.java

@@ -3,8 +3,6 @@ package com.onlyoffice.authorization.configuration;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
-import com.onlyoffice.authorization.extensions.filters.CookieCsrfFilter;
-import com.onlyoffice.authorization.extensions.filters.SimpleCORSFilter;
 import com.onlyoffice.authorization.extensions.jwks.JwksKeyPairGenerator;
 import com.onlyoffice.authorization.extensions.providers.DocspaceAuthenticationProvider;
 import jakarta.servlet.RequestDispatcher;
@@ -16,7 +14,6 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
@@ -30,9 +27,6 @@ import org.springframework.security.oauth2.server.authorization.settings.ClientS
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
-import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import java.security.NoSuchAlgorithmException;
@@ -62,13 +56,6 @@ public class AuthorizationServerConfiguration {
             dispatcher.forward(request, response);
         }, new AntPathRequestMatcher(applicationConfiguration.getLogin())));
 
-        http.csrf(c -> {
-            c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
-            c.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
-        });
-        http.addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class);
-        http.addFilterAfter(new SimpleCORSFilter(), BasicAuthenticationFilter.class);
-
         return http.build();
     }
 

common/ASC.OAuth/authorization/src/main/java/com/onlyoffice/authorization/controllers/AuthorizationConsentController.java

@@ -56,20 +56,12 @@ public class AuthorizationConsentController {
             }
         }
 
-        String url = String.format(
+        model.addAttribute("clientId", clientId);
-                "redirect:%s/consent?clientId=%s&state=%s&principalName=%s",
+        model.addAttribute("state", state);
-                configuration.getFrontendUrl(),
+        model.addAttribute("scopes", scopesToApprove);
-                clientId,
+        model.addAttribute("previouslyApprovedScopes", previouslyApprovedScopes);
-                state,
+        model.addAttribute("principalName", principal.getName());
-                principal.getName()
-        );
 
-        if (scope.length() > 0)
+        return "consent";
-            url += String.format("&scopes=%s", String.join(",", scopesToApprove));
-
-        if (previouslyApprovedScopes.size() > 0)
-            url += String.format("&previouslyApprovedScopes=%s", String.join(",", previouslyApprovedScopes));
-
-        return url;
     }
 }

common/ASC.OAuth/authorization/src/main/java/com/onlyoffice/authorization/controllers/LoginController.java

@@ -6,6 +6,7 @@ import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 
 @Controller
 @RequiredArgsConstructor
@@ -18,10 +19,20 @@ public class LoginController {
     public String login(HttpServletRequest request) {
         log.debug("A new login request");
         if (request.getDispatcherType().name() == null || !request.getDispatcherType().name().equals(FORWARD))
-            return String.format("redirect:%s/error", configuration.getFrontendUrl());
+            return "error";
-        return String.format(
+        return "login";
-                "redirect:%s/login?%s",
+    }
-                configuration.getFrontendUrl(),
+
-                request.getQueryString());
+    @GetMapping("/authorized")
+    public String authorized(
+            @RequestParam(name = "error", required = false) String error,
+            @RequestParam(name = "error_description", required = false) String description
+    ) {
+        log.debug("Authorized redirect");
+        if (error != null && !error.isBlank() && description != null && !description.isBlank()) {
+            log.debug("Authorization error has occurred {} - {}", error, description);
+            return "error";
+        }
+        return "authorized";
     }
 }