Check user status

[jvillafanez]

Handle the case where the user associated to the token is disabled. Both the authorization_code and refresh_token will fail with a 400 status and a "unauthorized_client" error instead of returning a valid access token

Related to owncloud/client#7212 and https://github.com/owncloud/enterprise/issues/2509

[CLAassistant]

All committers have signed the CLA.

[codecov]

Codecov Report

Merging #209 into master will increase coverage by 0.34%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master     #209      +/-   ##
============================================
+ Coverage      65.7%   66.04%   +0.34%     
- Complexity      224      228       +4     
============================================
  Files            34       34              
  Lines           898      907       +9     
============================================
+ Hits            590      599       +9     
  Misses          308      308

Impacted Files	Coverage Δ	Complexity Δ
lib/Controller/OAuthApiController.php	97.77% <100%> (+0.24%)	23 <0> (+4)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4e4057b...bdc0a40. Read the comment docs.

[jvillafanez]

There is some piece still missing. The desktop client opens the url below, which keeps reloading it self over and over.

I guess the session is still active, and that's why the browser doesn't redirect to the login page until the session is invalidated at some point.

[DeepDiver1975]

Looks reasonable! 👍

[jvillafanez]

I'll need confirmation that the problem (#209 (comment)) is caused by core and not by the oAuth2 app. I suspect a middleware trying to login with a token / cookie or similar and core is rejecting the request because the user is disabled. The request doesn't seem to reach the PageController of the oAuth2 app, or at least I don't see how that code could fail like that there.
It's very likely that the session is still valid even with the user being disabled.

[DeepDiver1975]

If you want to logout the user you have to call \OC::$server->getUserSession()->logout()

[HanaGemela]

The 'User disabled' page still reloads with
Client: 2.6.0 (build 12703)
macOS 10.15
Server 10.3.0 stable
oAuth2 0.4.2RC3

Steps to recreate:

1. Login with oAuth2 using enabled user
2. Let the desktop client sync
3. Quit the client
4. Disable user
5. Start the desktop client

It will eventually stop reloading and login page will be shown but till then the page reloads over and over again

[micbar]

@HanaGemela Thank you for testing.

This is a little bit ugly behaviour ;-)

[HanaGemela]

Getting 400 error instead of 200 now. So the original bug has been resolved. But the reloading page still needs fixing

[DeepDiver1975]

Please open a new issue instead of commenting on a closed PR. This helps to track this better. THX