N°7147 - Error HTTP 500 due to access_token not URL decoded

sources/Application/TwigBase/Controller/Controller.php

@@ -256,6 +256,7 @@ abstract class Controller extends AbstractController
 	}
 
 	/**
+	 * @since 3.0.0 N°3606 - Adapt TwigBase Controller for combodo-monitoring extension
 	 * @throws \Exception
 	 */
 	protected function CheckAccess()
@@ -271,12 +272,24 @@ abstract class Controller extends AbstractController
 
 		if (empty($sExecModule) || empty($sConfiguredAccessTokenValue)){
 			LoginWebPage::DoLogin($this->m_bMustBeAdmin);
-		}else {
+		} else {
 			//token mode without login required
-			$sPassedToken = utils::ReadParam($this->m_sAccessTokenConfigParamId, null);
-			if ($sPassedToken !== $sConfiguredAccessTokenValue){
+			//N°7147 - Error HTTP 500 due to access_token not URL decoded
+			$sPassedToken = utils::ReadPostedParam($this->m_sAccessTokenConfigParamId, null, false, 'raw_data');
+			if (is_null($sPassedToken)){
+				$sPassedToken = utils::ReadParam($this->m_sAccessTokenConfigParamId, null, false, 'raw_data');
+			}
+
+			$sDecodedPassedToken = urldecode($sPassedToken);
+			var_dump([$sPassedToken, $sDecodedPassedToken]);
+			if ($sDecodedPassedToken !== $sConfiguredAccessTokenValue){
 				$sMsg = "Invalid token passed under '$this->m_sAccessTokenConfigParamId' http param to reach '$sExecModule' page.";
-				IssueLog::Error($sMsg);
+				IssueLog::Error($sMsg, null,
+					[
+						'sHtmlDecodedToken' => $sDecodedPassedToken,
+						'conf param ID' => $this->m_sAccessTokenConfigParamId
+					]
+				);
 				throw new Exception("Invalid token");
 			}
 		}

tests/php-unit-tests/unitary-tests/application/twigbase/ControllerTest.php

@@ -0,0 +1,75 @@
+<?php
+namespace Combodo\iTop\Application\TwigBase\Controller;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use MetaModel;
+
+class ControllerTest extends ItopDataTestCase {
+	protected function setUp(): void
+	{
+		parent::setUp();
+
+		$this->RequireOnceUnitTestFile('FakeController.php');
+	}
+
+	public function CheckAccessProvider() {
+		return [
+			'simple token access OK' => [
+				'access_token' => 'toto123',
+				'http_access_token' => 'toto123',
+				'bSuccess' => true,
+			],
+			'simple token access OK sent by POST' => [
+				'access_token' => 'toto123',
+				'http_access_token' => 'toto123',
+				'bSuccess' => true,
+				'bPost' => true,
+			],
+			'simple token access FAILED' => [
+				'access_token' => 'toto123',
+				'http_access_token' => 'toto124',
+				'bSuccess' => false,
+			],
+			'url encoded token access OK' => [
+				'access_token' => 'rfb4j"E?7}-ZJq4T^B*26pk8{;zxem',
+				'http_access_token' => 'rfb4j%22E%3F7%7D-ZJq4T%5EB%2A26pk8%7B%3Bzxem',
+				'bSuccess' => true,
+			],
+		];
+	}
+
+	/**
+	 * Fix N°7147
+	 * @dataProvider CheckAccessProvider
+	 */
+	public function testCheckAccess($sConfiguredAccessToken, $sHttpAccessToken, $bSuccess, $bPost=false){
+		$sModuleName = "MyModule";
+		$sTokenParamName = "access_token_conf_param";
+
+		$_SESSION = [];
+		$_POST = [];
+		$_REQUEST = [];
+
+		$_REQUEST['exec_module'] = $sModuleName;
+		if ($bPost){
+			$_POST[$sTokenParamName] = $sHttpAccessToken;
+		} else {
+			$_REQUEST[$sTokenParamName] = $sHttpAccessToken;
+		}
+
+		$oController = new FakeController();
+		$oController->SetAccessTokenConfigParamId($sTokenParamName);
+
+		MetaModel::GetConfig()->SetModuleSetting($sModuleName, $sTokenParamName, $sConfiguredAccessToken);
+
+		if (! $bSuccess){
+			$this->expectExceptionMessage("Invalid token");
+		}
+
+		$this->InvokeNonPublicMethod(FakeController::class, "CheckAccess", $oController);
+
+		if ($bSuccess){
+			$this->assertTrue(true, "no issue encountered");
+		}
+	}
+}

tests/php-unit-tests/unitary-tests/application/twigbase/FakeController.php

@@ -0,0 +1,5 @@
+<?php
+namespace Combodo\iTop\Application\TwigBase\Controller;
+
+class FakeController extends Controller {
+}