upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-26 11:22:28 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix: Reduce the mixups between apptokens and session ids

Browse source 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
This commit is contained in:
Côme Chilliet 2026-04-07 12:26:54 +02:00 committed by Côme Chilliet
parent c126084dca
commit 4ce151bfbb
1 changed files with 20 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
lib/private/User/Session.php
View file

@ -391,6 +391,12 @@ class Session implements IUserSession, Emitter {
try {
$dbToken = $this->getTokenFromPassword($password);
$isTokenPassword = $dbToken !== null;
if (($dbToken instanceof PublicKeyToken)
&& !in_array($dbToken->getType(), [IToken::PERMANENT_TOKEN,IToken::ONETIME_TOKEN])
) {
// Refuse session tokens here, only app tokens and onetime tokens are handled
return false;
}
} catch (ExpiredTokenException) {
// Just return on an expired token no need to check further or record a failed login
return false;
@ -814,6 +820,7 @@ class Session implements IUserSession, Emitter {
*/
public function tryTokenLogin(IRequest $request) {
$authHeader = $request->getHeader('Authorization');
$tokenFromCookie = false;
if (str_starts_with($authHeader, 'Bearer ')) {
$token = substr($authHeader, 7);
} elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
@ -821,6 +828,7 @@ class Session implements IUserSession, Emitter {
// session and the request has a session cookie
try {
$token = $this->session->getId();
$tokenFromCookie = true;
} catch (SessionNotAvailableException $ex) {
return false;
}
@ -828,6 +836,18 @@ class Session implements IUserSession, Emitter {
return false;
}
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $e) {
// Can't really happen but better safe than sorry
return false;
}
if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::TEMPORARY_TOKEN && !$tokenFromCookie) {
// Session token but from Bearer header, not allowed
return false;
}
if (!$this->loginWithToken($token)) {
return false;
}
@ -835,13 +855,6 @@ class Session implements IUserSession, Emitter {
return false;
}
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $e) {
// Can't really happen but better save than sorry
return true;
}
// Set the session variable so we know this is an app password
if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {
$this->session->set('app_password', $token);