Fix: Variable shadowing in LoginActivity.kt and add unit tests for public PKCE clients

Author: zerox80

opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/LoginActivity.kt

@@ -682,15 +682,15 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         // Use oidc discovery one, or build an oauth endpoint using serverBaseUrl + Setup string.
         val tokenEndPoint: String
 
-        var clientId: String? = null
-        var clientSecret: String? = null
+        var clientIdForRequest: String? = null
+        var clientSecretForRequest: String? = null
 
         val serverInfo = authenticationViewModel.serverInfo.value?.peekContent()?.getStoredData()
         if (serverInfo is ServerInfo.OIDCServer) {
             tokenEndPoint = serverInfo.oidcServerConfiguration.tokenEndpoint
             if (serverInfo.oidcServerConfiguration.isTokenEndpointAuthMethodSupportedClientSecretPost()) {
-                clientId = clientRegistrationInfo?.clientId ?: contextProvider.getString(R.string.oauth2_client_id)
-                clientSecret = clientRegistrationInfo?.clientSecret ?: contextProvider.getString(R.string.oauth2_client_secret)
+                clientIdForRequest = clientRegistrationInfo?.clientId ?: contextProvider.getString(R.string.oauth2_client_id)
+                clientSecretForRequest = clientRegistrationInfo?.clientSecret ?: contextProvider.getString(R.string.oauth2_client_secret)
             }
         } else {
             tokenEndPoint = "$serverBaseUrl${File.separator}${contextProvider.getString(R.string.oauth2_url_endpoint_access)}"
@@ -703,8 +703,8 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
             tokenEndpoint = tokenEndPoint,
             clientAuth = clientAuth,
             scope = scope,
-            clientId = clientId,
-            clientSecret = clientSecret,
+            clientId = clientIdForRequest,
+            clientSecret = clientSecretForRequest,
             authorizationCode = authorizationCode,
             redirectUri = OAuthUtils.buildRedirectUri(applicationContext).toString(),
             codeVerifier = authenticationViewModel.codeVerifier

opencloudData/src/test/java/eu/opencloud/android/data/oauth/RemoteOAuthUtils.kt

@@ -27,7 +27,9 @@ import eu.opencloud.android.testutil.oauth.OC_CLIENT_REGISTRATION
 import eu.opencloud.android.testutil.oauth.OC_CLIENT_REGISTRATION_REQUEST
 import eu.opencloud.android.testutil.oauth.OC_OIDC_SERVER_CONFIGURATION
 import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_ACCESS
+import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT
 import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_REFRESH
+import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT
 import eu.opencloud.android.testutil.oauth.OC_TOKEN_RESPONSE
 
 val OC_REMOTE_OIDC_DISCOVERY_RESPONSE = OIDCDiscoveryResponse(
@@ -65,6 +67,32 @@ val OC_REMOTE_TOKEN_REQUEST_PARAMS_REFRESH = TokenRequestParams.RefreshToken(
     refreshToken = OC_TOKEN_REQUEST_REFRESH.refreshToken
 )
 
+/**
+ * Test fixtures for public PKCE clients (RFC 7636).
+ * Public clients MUST NOT send Authorization header during token exchange.
+ */
+val OC_REMOTE_TOKEN_REQUEST_PARAMS_ACCESS_PUBLIC_CLIENT = TokenRequestParams.Authorization(
+    tokenEndpoint = OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.tokenEndpoint,
+    clientAuth = OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.clientAuth, // Empty string
+    grantType = OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.grantType,
+    scope = OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.scope,
+    clientId = null,
+    clientSecret = null,
+    authorizationCode = OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.authorizationCode,
+    redirectUri = OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.redirectUri,
+    codeVerifier = OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.codeVerifier
+)
+
+val OC_REMOTE_TOKEN_REQUEST_PARAMS_REFRESH_PUBLIC_CLIENT = TokenRequestParams.RefreshToken(
+    tokenEndpoint = OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT.tokenEndpoint,
+    clientAuth = OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT.clientAuth, // Empty string
+    grantType = OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT.grantType,
+    scope = OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT.scope,
+    clientId = null,
+    clientSecret = null,
+    refreshToken = OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT.refreshToken
+)
+
 val OC_REMOTE_TOKEN_RESPONSE = TokenResponse(
     accessToken = OC_TOKEN_RESPONSE.accessToken,
     expiresIn = OC_TOKEN_RESPONSE.expiresIn,

opencloudData/src/test/java/eu/opencloud/android/data/oauth/datasources/implementation/OCRemoteOAuthDataSourceTest.kt

@@ -34,13 +34,16 @@ import eu.opencloud.android.testutil.oauth.OC_CLIENT_REGISTRATION
 import eu.opencloud.android.testutil.oauth.OC_CLIENT_REGISTRATION_REQUEST
 import eu.opencloud.android.testutil.oauth.OC_OIDC_SERVER_CONFIGURATION
 import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_ACCESS
+import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT
+import eu.opencloud.android.testutil.oauth.OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT
 import eu.opencloud.android.testutil.oauth.OC_TOKEN_RESPONSE
 import eu.opencloud.android.utils.createRemoteOperationResultMock
 import io.mockk.every
 import io.mockk.mockk
 import io.mockk.verify
 import org.junit.Assert.assertEquals
 import org.junit.Assert.assertNotNull
+import org.junit.Assert.assertTrue
 import org.junit.Before
 import org.junit.Test
 
@@ -102,6 +105,98 @@ class OCRemoteOAuthDataSourceTest {
         }
     }
 
+    /**
+     * Test for public PKCE clients (RFC 7636).
+     * Public clients MUST NOT send Authorization header during token exchange.
+     * This test verifies that token requests work correctly with empty clientAuth.
+     */
+    @Test
+    fun `performTokenRequest with public PKCE client returns a TokenResponse`() {
+        val tokenResponseResult: RemoteOperationResult<TokenResponse> =
+            createRemoteOperationResultMock(data = OC_REMOTE_TOKEN_RESPONSE, isSuccess = true)
+
+        every {
+            oidcService.performTokenRequest(ocClientMocked, any())
+        } returns tokenResponseResult
+
+        // Use the public client fixture which has empty clientAuth
+        assertTrue(
+            "clientAuth should be empty for public clients",
+            OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.clientAuth.isEmpty()
+        )
+
+        val tokenResponse = remoteOAuthDataSource.performTokenRequest(OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT)
+
+        assertNotNull(tokenResponse)
+        assertEquals(OC_TOKEN_RESPONSE, tokenResponse)
+
+        verify(exactly = 1) {
+            clientManager.getClientForAnonymousCredentials(OC_SECURE_BASE_URL, any())
+            oidcService.performTokenRequest(ocClientMocked, any())
+        }
+    }
+
+    /**
+     * Test for public PKCE clients (RFC 7636) using refresh token.
+     * Public clients MUST NOT send Authorization header during token refresh.
+     * This test verifies that refresh token requests work correctly with empty clientAuth.
+     */
+    @Test
+    fun `performTokenRequest with public PKCE client refresh token returns a TokenResponse`() {
+        val tokenResponseResult: RemoteOperationResult<TokenResponse> =
+            createRemoteOperationResultMock(data = OC_REMOTE_TOKEN_RESPONSE, isSuccess = true)
+
+        every {
+            oidcService.performTokenRequest(ocClientMocked, any())
+        } returns tokenResponseResult
+
+        // Verify the refresh token fixture has empty clientAuth
+        assertTrue(
+            "clientAuth should be empty for public clients",
+            OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT.clientAuth.isEmpty()
+        )
+
+        val tokenResponse = remoteOAuthDataSource.performTokenRequest(OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT)
+
+        assertNotNull(tokenResponse)
+        assertEquals(OC_TOKEN_RESPONSE, tokenResponse)
+
+        verify(exactly = 1) {
+            clientManager.getClientForAnonymousCredentials(OC_SECURE_BASE_URL, any())
+            oidcService.performTokenRequest(ocClientMocked, any())
+        }
+    }
+
+    /**
+     * RFC 7636 compliance verification:
+     * This test ensures that our public client test fixtures correctly have empty clientAuth,
+     * which means TokenRequestRemoteOperation will NOT add an Authorization header.
+     * The actual header logic is in TokenRequestRemoteOperation:
+     *   if (tokenRequestParams.clientAuth.isNotEmpty()) {
+     *       postMethod.addRequestHeader(AUTHORIZATION_HEADER, tokenRequestParams.clientAuth)
+     *   }
+     */
+    @Test
+    fun `public PKCE client fixtures have empty clientAuth preventing Authorization header`() {
+        // Verify access token fixture
+        assertTrue(
+            "Access token public client fixture should have empty clientAuth",
+            OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT.clientAuth.isEmpty()
+        )
+
+        // Verify refresh token fixture
+        assertTrue(
+            "Refresh token public client fixture should have empty clientAuth",
+            OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT.clientAuth.isEmpty()
+        )
+
+        // Verify confidential client fixtures have non-empty clientAuth (for comparison)
+        assertTrue(
+            "Confidential client fixture should have non-empty clientAuth",
+            OC_TOKEN_REQUEST_ACCESS.clientAuth.isNotEmpty()
+        )
+    }
+
     @Test
     fun `registerClient returns a ClientRegistrationInfo`() {
         val clientRegistrationResponse: RemoteOperationResult<ClientRegistrationResponse> =

opencloudTestUtil/src/main/java/eu/opencloud/android/testutil/oauth/TokenRequest.kt

@@ -43,3 +43,25 @@ val OC_TOKEN_REQUEST_ACCESS = TokenRequest.AccessToken(
     redirectUri = OC_REDIRECT_URI,
     codeVerifier = "A high-entropy cryptographic random STRING using the unreserved characters"
 )
+
+/**
+ * Test fixtures for public PKCE clients (RFC 7636).
+ * Public clients MUST NOT send Authorization header during token exchange.
+ */
+val OC_TOKEN_REQUEST_REFRESH_PUBLIC_CLIENT = TokenRequest.RefreshToken(
+    baseUrl = OC_SECURE_BASE_URL,
+    tokenEndpoint = OC_TOKEN_ENDPOINT,
+    clientAuth = "", // Empty for public clients per RFC 7636
+    scope = OC_SCOPE,
+    refreshToken = OC_REFRESH_TOKEN
+)
+
+val OC_TOKEN_REQUEST_ACCESS_PUBLIC_CLIENT = TokenRequest.AccessToken(
+    baseUrl = OC_SECURE_BASE_URL,
+    tokenEndpoint = OC_TOKEN_ENDPOINT,
+    clientAuth = "", // Empty for public clients per RFC 7636
+    scope = OC_SCOPE,
+    authorizationCode = "4uth0r1z4t10nC0d3",
+    redirectUri = OC_REDIRECT_URI,
+    codeVerifier = "A high-entropy cryptographic random STRING using the unreserved characters"
+)