From d8adbce1be3fe3d6db56cf7546cde2cdc5527f3b Mon Sep 17 00:00:00 2001
From: provokateurin
Date: Thu, 25 Jul 2024 13:14:48 +0200
Subject: [PATCH] refactor(oauth2): Replace security annotations with respective attributes

Signed-off-by: provokateurin
---
 .../lib/Controller/LoginRedirectorController.php | 10 ++++++----
 apps/oauth2/lib/Controller/OauthApiController.php | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/apps/oauth2/lib/Controller/LoginRedirectorController.php b/apps/oauth2/lib/Controller/LoginRedirectorController.php
index f326b821a6084..d9a9ed5c5d0db 100644
--- a/apps/oauth2/lib/Controller/LoginRedirectorController.php
+++ b/apps/oauth2/lib/Controller/LoginRedirectorController.php
@@ -12,6 +12,9 @@
 use OCA\OAuth2\Exceptions\ClientNotFoundException;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
+use OCP\AppFramework\Http\Attribute\UseSession;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\IL10N;
@@ -51,10 +54,6 @@ public function __construct(string $appName,
 }
 
 /**
- * @PublicPage
- * @NoCSRFRequired
- * @UseSession
- *
 * Authorize the user
 *
 * @param string $client_id Client ID
@@ -65,6 +64,9 @@ public function __construct(string $appName,
 * 200: Client not found
 * 303: Redirect to login URL
 */
+ #[PublicPage]
+ #[NoCSRFRequired]
+ #[UseSession]
 public function authorize($client_id, $state, $response_type): TemplateResponse|RedirectResponse {
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index 389bc73811bab..ec54e86731450 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
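Review bot: `#[NoCSRFRequired]` combined with `#[PublicPage]` on `authorize` switches off the framework's request-token check on an unauthenticated endpoint, and neither the new attributes nor the docblock they replace record why that is acceptable. The browser reaches this method via a redirect from a third-party client, so no first-party CSRF token can be present; in the OAuth2 authorization-code flow the `$state` parameter the method already receives is the client's anti-forgery binding for that redirect. A short comment above the attributes would keep the next maintainer from "fixing" it, e.g. `// CSRF token check disabled: the request arrives via a third-party client redirect; the OAuth2 state parameter is the anti-forgery binding for this flow.` The body of `authorize` lies outside the hunk, so whether `$state` is carried through to the redirect unchanged cannot be confirmed here.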
@@ -15,6 +15,9 @@
 use OCA\OAuth2\Exceptions\ClientNotFoundException;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\Exceptions\ExpiredTokenException;
@@ -47,10 +50,6 @@ public function __construct(
 }
 
 /**
- * @PublicPage
- * @NoCSRFRequired
- * @BruteForceProtection(action=oauth2GetToken)
- *
 * Get a token
 *
 * @param string $grant_type Token type that should be granted
@@ -64,6 +63,9 @@ public function __construct(
 * 200: Token returned
 * 400: Getting token is not possible
 */
+ #[PublicPage]
+ #[NoCSRFRequired]
+ #[BruteForceProtection(action: 'oauth2GetToken')]
 public function getToken( string $grant_type, ?string $code, ?string $refresh_token, ?string $client_id, ?string $client_secret