upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-25 10:49:21 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Merge pull request #46666 from nextcloud/backport/46640/stable26

Browse source 
[stable26] fix(Token): take over scope in token refresh with login by cookie
This commit is contained in:
Arthur Schiwon 2024-07-30 00:14:36 +02:00 committed by GitHub
commit 59e92dddaa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 40 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
lib/private/Authentication/Token/IProvider.php
View file

@ -48,13 +48,16 @@ interface IProvider {
* @return IToken
* @throws \RuntimeException when OpenSSL reports a problem
*/
public function generateToken(string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken;
public function generateToken(
string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER,
?array $scope = null,
): IToken;
/**
* Get a token by token id

20
lib/private/Authentication/Token/Manager.php
View file

@ -54,13 +54,16 @@ class Manager implements IProvider, OCPIProvider {
* @param int $remember whether the session token should be used for remember-me
* @return IToken
*/
public function generateToken(string $token,
string $uid,
string $loginName,
$password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
public function generateToken(
string $token,
string $uid,
string $loginName,
$password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER,
?array $scope = null,
): IToken {
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
@ -73,7 +76,8 @@ class Manager implements IProvider, OCPIProvider {
$password,
$name,
$type,
$remember
$remember,
$scope,
);
} catch (UniqueConstraintViolationException $e) {
// It's rare, but if two requests of the same session (e.g. env-based SAML)

27
lib/private/Authentication/Token/PublicKeyTokenProvider.php
View file

@ -93,13 +93,16 @@ class PublicKeyTokenProvider implements IProvider {
/**
* {@inheritDoc}
*/
public function generateToken(string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
public function generateToken(
string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER,
?array $scope = null,
): IToken {
if (strlen($token) < self::TOKEN_MIN_LENGTH) {
$exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given');
$this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]);
@ -121,6 +124,10 @@ class PublicKeyTokenProvider implements IProvider {
$dbToken->setPasswordHash($randomOldToken->getPasswordHash());
}
if ($scope !== null) {
$dbToken->setScope($scope);
}
$this->mapper->insert($dbToken);
if (!$oldTokenMatches && $password !== null) {
@ -233,6 +240,8 @@ class PublicKeyTokenProvider implements IProvider {
$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
$password = $this->decryptPassword($token->getPassword(), $privateKey);
}
$scope = $token->getScope() === '' ? null : $token->getScopeAsArray();
$newToken = $this->generateToken(
$sessionId,
$token->getUID(),
@ -240,9 +249,9 @@ class PublicKeyTokenProvider implements IProvider {
$password,
$token->getName(),
IToken::TEMPORARY_TOKEN,
$token->getRemember()
$token->getRemember(),
$scope,
);
$newToken->setScope($token->getScopeAsArray());
$this->mapper->delete($token);