feat: extend event toolkit and polish guest pwa

app/Http/Controllers/OAuthController.php

@@ -7,22 +7,25 @@ use App\Models\OAuthCode;
 use App\Models\RefreshToken;
 use App\Models\Tenant;
 use App\Models\TenantToken;
+use Firebase\JWT\JWT;
+use GuzzleHttp\Client;
 use Illuminate\Http\Request;
 use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\File;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Support\Str;
-use Firebase\JWT\JWT;
-use GuzzleHttp\Client;
-use Illuminate\Support\Facades\Log;
 
 class OAuthController extends Controller
 {
     private const AUTH_CODE_TTL_MINUTES = 5;
+
     private const ACCESS_TOKEN_TTL_SECONDS = 3600;
+
     private const REFRESH_TOKEN_TTL_DAYS = 30;
+
     private const LEGACY_TOKEN_HEADER_KID = 'fotospiel-jwt';
 
     /**
@@ -104,6 +107,14 @@ class OAuthController extends Controller
             'state' => $request->state,
         ]);
 
+        if ($this->shouldReturnJsonAuthorizeResponse($request)) {
+            return response()->json([
+                'code' => $code,
+                'state' => $request->state,
+                'redirect_url' => $redirectUrl,
+            ]);
+        }
+
         return redirect()->away($redirectUrl);
     }
 
@@ -402,6 +413,40 @@ class OAuthController extends Controller
         ];
     }
 
+    private function shouldReturnJsonAuthorizeResponse(Request $request): bool
+    {
+        if ($request->expectsJson() || $request->ajax()) {
+            return true;
+        }
+
+        $redirectUri = (string) $request->string('redirect_uri');
+        $redirectHost = $redirectUri !== '' ? parse_url($redirectUri, PHP_URL_HOST) : null;
+        $requestHost = $request->getHost();
+
+        if ($redirectHost && ! $this->hostsMatch($requestHost, $redirectHost)) {
+            return true;
+        }
+
+        $origin = $request->headers->get('Origin');
+        if ($origin) {
+            $originHost = parse_url($origin, PHP_URL_HOST);
+            if ($originHost && $redirectHost && ! $this->hostsMatch($originHost, $redirectHost)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private function hostsMatch(?string $first, ?string $second): bool
+    {
+        if (! $first || ! $second) {
+            return false;
+        }
+
+        return strtolower($first) === strtolower($second);
+    }
+
     private function createRefreshToken(Tenant $tenant, OAuthClient $client, array $scopes, string $accessTokenJti, Request $request): string
     {
         $refreshTokenId = (string) Str::uuid();
@@ -566,6 +611,7 @@ class OAuthController extends Controller
         File::put($directory.DIRECTORY_SEPARATOR.'public.key', $publicKey, true);
         File::chmod($directory.DIRECTORY_SEPARATOR.'public.key', 0644);
     }
+
     private function scopesAreAllowed(array $requestedScopes, array $availableScopes): bool
     {
         if (empty($requestedScopes)) {
@@ -682,7 +728,7 @@ class OAuthController extends Controller
             return redirect('/event-admin')->with('error', 'Invalid state parameter');
         }
 
-        $client = new Client();
+        $client = new Client;
         $clientId = config('services.stripe.connect_client_id');
         $secret = config('services.stripe.connect_secret');
         $redirectUri = url('/api/v1/oauth/stripe-callback');
@@ -710,11 +756,12 @@ class OAuthController extends Controller
             }
 
             session()->forget(['stripe_state', 'tenant_id']);
+
             return redirect('/event-admin')->with('success', 'Stripe account connected successfully');
         } catch (\Exception $e) {
             Log::error('Stripe OAuth error: '.$e->getMessage());
+
             return redirect('/event-admin')->with('error', 'Connection error: '.$e->getMessage());
         }
     }
 }
-