From e1b13cda6333932ab1193196c53385c8b538dea9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Apr 2026 16:37:23 +0000
Subject: [PATCH] refactor(nextcloud): extract inline OAuth2 client PHP into standalone script

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/b35a7dbb-ff0a-483c-9bc7-1cf43a192e92
Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
---
 Containers/nextcloud/Dockerfile | 2 +
 Containers/nextcloud/create-oauth2-client.php | 60 +++++++++++++++++++
 Containers/nextcloud/entrypoint.sh | 30 +---------
 3 files changed, 65 insertions(+), 27 deletions(-)
 create mode 100644 Containers/nextcloud/create-oauth2-client.php

diff --git a/Containers/nextcloud/Dockerfile b/Containers/nextcloud/Dockerfile
index e98bbd9c..538d79fa 100644
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -263,6 +263,8 @@ RUN set -ex; \
 mkdir -p /nc-updater; \
 chmod -R 777 /nc-updater

+COPY --chmod=775 Containers/nextcloud/create-oauth2-client.php /create-oauth2-client.php
+
 # hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]
diff --git a/Containers/nextcloud/create-oauth2-client.php b/Containers/nextcloud/create-oauth2-client.php
new file mode 100644
index 00000000..d1616ce1
--- /dev/null
+++ b/Containers/nextcloud/create-oauth2-client.php
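Review bot: `--chmod=775` on the new `COPY` line grants group-write and execute bits that nothing in this change uses: the entrypoint hunk runs the file through the interpreter as `php /create-oauth2-client.php`, so it never needs to be executable, and with no `--chown` the copy is root-owned by default. `COPY --chmod=644 Containers/nextcloud/create-oauth2-client.php /create-oauth2-client.php` keeps the script readable but writable only by root, which is all the caller needs. If something else in the image is expected to execute it directly, that is not visible here and would be worth a comment on the line.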
@@ -0,0 +1,60 @@
+
+ *
+ * Output (two lines):
+ *
+ *
+ *
+ * Any existing client with the same name is deleted first so that the
+ * operation is idempotent (stale clients whose secret has been lost are
+ * replaced by a fresh one).
+ */
+
+if ($argc !== 3) {
+ fwrite(STDERR, "Usage: php create-oauth2-client.php \n");
+ exit(1);
+}
+
+$name = $argv[1];
+$redirectUri = $argv[2];
+
+define('OC_CONSOLE', 1);
+require_once '/var/www/html/lib/base.php';
+
+\OC_App::loadApp('oauth2');
+
+$container = \OC::getContainer();
+/** @var \OCA\OAuth2\Db\ClientMapper $mapper */
+$mapper = $container->get(\OCA\OAuth2\Db\ClientMapper::class);
+/** @var \OCP\Security\ICrypto $crypto */
+$crypto = $container->get(\OCP\Security\ICrypto::class);
+/** @var \OCP\Security\ISecureRandom $random */
+$random = $container->get(\OCP\Security\ISecureRandom::class);
+
+// Delete any stale client with the same name that might have lost its secret.
+foreach ($mapper->getClients() as $existing) {
+ if ($existing->getName() === $name) {
+ $mapper->delete($existing);
+ }
+}
+
+$client = new \OCA\OAuth2\Db\Client();
+$client->setName($name);
+$client->setRedirectUri($redirectUri);
+
+$secret = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setSecret(bin2hex($crypto->calculateHMAC($secret)));
+
+$clientId = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setClientIdentifier($clientId);
+
+$mapper->insert($client);
+
+echo $clientId . "\n";
+echo $secret . "\n";
diff --git a/Containers/nextcloud/entrypoint.sh b/Containers/nextcloud/entrypoint.sh
index 458071f6..256cc4fa 100644
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
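Review bot: `$name` and `$redirectUri` are used as-is after the `$argc !== 3` check, so an empty name or an empty/malformed redirect URI (for example `https:///windmill/…` when the caller's `NC_DOMAIN` is unset) still deletes every client with that name and then registers a new client whose redirect URI is the one field that decides where authorization codes are delivered. I would reject both cases before `base.php` is even bootstrapped; the only caller in this patch passes an https URL, so requiring the https scheme costs nothing here. Separately, the delete loop runs before `$mapper->insert($client)` with no transaction, so an exception between them leaves no client at all, which contradicts the "idempotent" claim in the header comment; wrapping the two in `beginTransaction()`/`commit()` on `\OCP\IDBConnection` from the container would close that gap, assuming `ClientMapper` uses the same connection (worth confirming).

```php
$name = $argv[1];
$redirectUri = $argv[2];

// Refuse to touch the database with an empty name or a redirect URI that is not an absolute https URL.
$uriParts = parse_url($redirectUri);
if ($name === '' || $uriParts === false || ($uriParts['scheme'] ?? '') !== 'https' || ($uriParts['host'] ?? '') === '') {
    fwrite(STDERR, "name must be non-empty and redirect-uri must be an absolute https:// URL\n");
    exit(1);
}

// … unchanged: bootstrap, stale-client deletion, client creation and output …
```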
@@ -1106,33 +1106,9 @@ if [ "$WINDMILL_ENABLED" = 'yes' ]; then
 WINDMILL_NC_OAUTH_CLIENT_SECRET="$(php /var/www/html/occ config:app:get windmill nc_oauth_client_secret 2>/dev/null)"
 if [ -z "$WINDMILL_NC_OAUTH_CLIENT_ID" ] || [ -z "$WINDMILL_NC_OAUTH_CLIENT_SECRET" ]; then
 WINDMILL_NC_REDIRECT_URI="https://$NC_DOMAIN/windmill/user/login_callback/nextcloud"
- # Bootstrap NC to create the oauth2 client using NC's own DI container
- WINDMILL_OAUTH_JSON="$(php -r "
-define('OC_CONSOLE', 1);
-require_once '/var/www/html/lib/base.php';
-\OC_App::loadApp('oauth2');
-\$container = \OC::getContainer();
-\$mapper = \$container->get(\OCA\OAuth2\Db\ClientMapper::class);
-\$crypto = \$container->get(\OCP\Security\ICrypto::class);
-\$random = \$container->get(\OCP\Security\ISecureRandom::class);
-\$redirectUri = '${WINDMILL_NC_REDIRECT_URI}';
-// Delete any stale 'Windmill' client that might have lost its secret
-foreach (\$mapper->getClients() as \$c) {
- if (\$c->getName() === 'Windmill') { \$mapper->delete(\$c); }
-}
-\$client = new \OCA\OAuth2\Db\Client();
-\$client->setName('Windmill');
-\$client->setRedirectUri(\$redirectUri);
-\$secret = \$random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
-\$hashedSecret = bin2hex(\$crypto->calculateHMAC(\$secret));
-\$client->setSecret(\$hashedSecret);
-\$clientId = \$random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
-\$client->setClientIdentifier(\$clientId);
-\$mapper->insert(\$client);
-echo json_encode(['client_id' => \$clientId, 'client_secret' => \$secret]);
-" 2>/dev/null)"
- WINDMILL_NC_OAUTH_CLIENT_ID="$(echo "$WINDMILL_OAUTH_JSON" | php -r "echo json_decode(stream_get_contents(STDIN))->client_id;")"
- WINDMILL_NC_OAUTH_CLIENT_SECRET="$(echo "$WINDMILL_OAUTH_JSON" | php -r "echo json_decode(stream_get_contents(STDIN))->client_secret;")"
+ WINDMILL_OAUTH_OUTPUT="$(php /create-oauth2-client.php "Windmill" "$WINDMILL_NC_REDIRECT_URI" 2>/dev/null)"
+ WINDMILL_NC_OAUTH_CLIENT_ID="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | head -1)"
+ WINDMILL_NC_OAUTH_CLIENT_SECRET="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | tail -1)"
 php /var/www/html/occ config:app:set windmill nc_oauth_client_id --value="$WINDMILL_NC_OAUTH_CLIENT_ID"
 php /var/www/html/occ config:app:set windmill nc_oauth_client_secret --value="$WINDMILL_NC_OAUTH_CLIENT_SECRET"
 fi
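Review bot: The new `WINDMILL_OAUTH_OUTPUT=` line throws away stderr and nothing checks the script's exit status, so when `/create-oauth2-client.php` fails (usage error, `oauth2` app not loadable, DB exception) the captured output is empty, `head -1`/`tail -1` produce empty strings, and the two `occ config:app:set` calls below persist empty credentials, after the script has already deleted the previous "Windmill" client. The inline version this replaces had the same silent `2>/dev/null`, but the refactor is the right moment to fix it. I would keep stderr so the failure reaches the container log, branch on the assignment's exit status (a `VAR="$(cmd)"` assignment returns `cmd`'s status), and only store the pair when both values are non-empty. The enclosing `if [ "$WINDMILL_ENABLED" = 'yes' ]` block starts before this hunk; the lines below replace everything between the `WINDMILL_NC_REDIRECT_URI=` line and the hunk's closing `fi`.

```shell
WINDMILL_NC_REDIRECT_URI="https://$NC_DOMAIN/windmill/user/login_callback/nextcloud"
if WINDMILL_OAUTH_OUTPUT="$(php /create-oauth2-client.php "Windmill" "$WINDMILL_NC_REDIRECT_URI")"; then
    # … unchanged: extract WINDMILL_NC_OAUTH_CLIENT_ID / _SECRET with head -1 / tail -1 …
    :
fi
if [ -n "$WINDMILL_NC_OAUTH_CLIENT_ID" ] && [ -n "$WINDMILL_NC_OAUTH_CLIENT_SECRET" ]; then
    php /var/www/html/occ config:app:set windmill nc_oauth_client_id --value="$WINDMILL_NC_OAUTH_CLIENT_ID"
    php /var/www/html/occ config:app:set windmill nc_oauth_client_secret --value="$WINDMILL_NC_OAUTH_CLIENT_SECRET"
else
    echo "Could not create the Windmill OAuth2 client in Nextcloud; not storing empty credentials."
fi
```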