chore: improve redirect callback

leMaur · Mar 26, 2023 · c165109 · c165109
1 parent a82251e
commit c165109
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/src/Http/Controllers/CallbackController.php b/src/Http/Controllers/CallbackController.php
@@ -14,8 +14,8 @@ class CallbackController
     public function __invoke(Request $request): Response
     {
         return app(CallbackResponseContract::class)(
-            accessCode: (string) $request->query('code'),
-            state: $request->query('state'),
+            accessCode: (string) $request->query('code', ''),
+            state: (string) $request->query('state', ''),
             internalState: Cache::pull('pinterest_api::oauth_state')
         );
     }

diff --git a/src/Http/Responses/CallbackResponse.php b/src/Http/Responses/CallbackResponse.php
@@ -13,6 +13,10 @@ class CallbackResponse implements CallbackResponseContract
 {
     public function __invoke(string $accessCode, string $state, ?string $internalState): Response
     {
+        if (blank($state)) {
+            abort(Response::HTTP_NOT_FOUND);
+        }
+
         if ($internalState === null) {
             return new Response(
                 content: 'Your request has expired! Please try again by running `php artisan pinterest:generate-access-code-link`.',
@@ -21,10 +25,9 @@ public function __invoke(string $accessCode, string $state, ?string $internalSta
         }
 
         if ($state !== $internalState) {
-            return new Response(
-                content: 'Not good! Request has been tampered!',
-                status: Response::HTTP_FORBIDDEN
-            );
+            report('Pinterest callback request has been tampered!');
+
+            abort(Response::HTTP_NOT_FOUND);
         }
 
         event(new CredentialsRetrieved(OAuthData::from(['access_code' => $accessCode])));