fix(federatedfilesharing): POSTs to token endpoint MUST be signed

Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>

Author: enriquepablo

apps/federatedfilesharing/lib/OCM/CloudFederationProviderFiles.php

@@ -757,23 +757,21 @@ private function exchangeToken(string $remote, #[SensitiveParameter] string $sha
 				'connect_timeout' => 10,
 			];
 
-			// Try signing the request
-			if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
-				try {
-					$options = $this->signatureManager->signOutgoingRequestIClientPayload(
-						$this->signatoryManager,
-						$options,
-						'post',
-						$tokenEndpoint
-					);
-					$this->logger->debug('Token request signed successfully', ['remote' => $remote]);
-				} catch (\Exception $e) {
-					$this->logger->warning('Failed to sign token request, continuing without signature', [
-						'remote' => $remote,
-						'exception' => $e,
-						'endpoint' => $tokenEndpoint,
-					]);
-				}
+			try {
+				$options = $this->signatureManager->signOutgoingRequestIClientPayload(
+					$this->signatoryManager,
+					$options,
+					'post',
+					$tokenEndpoint
+				);
+				$this->logger->debug('Token request signed successfully', ['remote' => $remote]);
+			} catch (\Exception $e) {
+				$this->logger->error('Failed to sign token request', [
+					'remote' => $remote,
+					'exception' => $e,
+					'endpoint' => $tokenEndpoint,
+				]);
+				return null;
 			}
 
 			$response = $client->post($tokenEndpoint, $options);

lib/private/Files/Storage/DAV.php

@@ -281,23 +281,21 @@ protected function exchangeRefreshToken(): string {
 				'connect_timeout' => 10,
 			];
 
-			// Try signing the request
-			if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
-				try {
-					$options = $this->signatureManager->signOutgoingRequestIClientPayload(
-						$this->signatoryManager,
-						$options,
-						'post',
-						$tokenEndpoint
-					);
-					$this->logger->debug('Token request signed successfully', ['app' => 'dav']);
-				} catch (\Exception $e) {
-					$this->logger->warning('Failed to sign token request, continuing without signature', [
-						'app' => 'dav',
-						'exception' => $e,
-						'endpoint' => $tokenEndpoint,
-					]);
-				}
+			try {
+				$options = $this->signatureManager->signOutgoingRequestIClientPayload(
+					$this->signatoryManager,
+					$options,
+					'post',
+					$tokenEndpoint
+				);
+				$this->logger->debug('Token request signed successfully', ['app' => 'dav']);
+			} catch (\Exception $e) {
+				$this->logger->error('Failed to sign token request', [
+					'app' => 'dav',
+					'exception' => $e,
+					'endpoint' => $tokenEndpoint,
+				]);
+				throw new StorageNotAvailableException('Could not sign token request: ' . $e->getMessage());
 			}
 
 			$response = $client->post($tokenEndpoint, $options);