upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-20 22:19:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Merge pull request #59783 from nextcloud/backport/59781/stable29
Some checks failed
Integration sqlite / changes (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, --tags ~@large files_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, capabilities_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, collaboration_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, comments_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, dav_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, federation_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, filesdrop_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, ldap_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, openldap_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, openldap_numerical_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, remoteapi_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, setup_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, sharees_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, sharing_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite (8.2, stable29, videoverification_features) (push) Has been cancelled
Details
Integration sqlite / integration-sqlite-summary (push) Has been cancelled
Details

Browse source 
[stable29] fix: Reduce the mixups between apptokens and session ids
This commit is contained in:
Louis 2026-04-23 14:02:50 +02:00 committed by GitHub
commit 78909ea4cd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 58 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
lib/private/User/Session.php
View file

@ -418,8 +418,15 @@ class Session implements IUserSession, Emitter {
}
try {
$isTokenPassword = $this->isTokenPassword($password);
} catch (ExpiredTokenException $e) {
$dbToken = $this->getTokenFromPassword($password);
$isTokenPassword = $dbToken !== null;
if (($dbToken instanceof PublicKeyToken)
&& ($dbToken->getType() !== IToken::PERMANENT_TOKEN)
) {
// Refuse session tokens here, only app tokens are handled
return false;
}
} catch (ExpiredTokenException) {
// Just return on an expired token no need to check further or record a failed login
return false;
}
@ -440,7 +447,6 @@ class Session implements IUserSession, Emitter {
}
if ($isTokenPassword) {
$dbToken = $this->tokenProvider->getToken($password);
$userFromToken = $this->manager->get($dbToken->getUID());
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
@ -530,6 +536,24 @@ class Session implements IUserSession, Emitter {
}
}
/**
* Check if the given 'password' is actually a device token
*
* @throws ExpiredTokenException
*/
private function getTokenFromPassword(string $password): ?\OCP\Authentication\Token\IToken {
try {
return $this->tokenProvider->getToken($password);
} catch (ExpiredTokenException $e) {
throw $e;
} catch (InvalidTokenException $ex) {
$this->logger->debug('Token is not valid: ' . $ex->getMessage(), [
'exception' => $ex,
]);
return null;
}
}
protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) {
if ($refreshCsrfToken) {
// TODO: mock/inject/use non-static
@ -836,6 +860,7 @@ class Session implements IUserSession, Emitter {
*/
public function tryTokenLogin(IRequest $request) {
$authHeader = $request->getHeader('Authorization');
$tokenFromCookie = false;
if (str_starts_with($authHeader, 'Bearer ')) {
$token = substr($authHeader, 7);
} elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
@ -843,6 +868,7 @@ class Session implements IUserSession, Emitter {
// session and the request has a session cookie
try {
$token = $this->session->getId();
$tokenFromCookie = true;
} catch (SessionNotAvailableException $ex) {
return false;
}
@ -850,6 +876,18 @@ class Session implements IUserSession, Emitter {
return false;
}
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $e) {
// Can't really happen but better safe than sorry
return false;
}
if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::TEMPORARY_TOKEN && !$tokenFromCookie) {
// Session token but from Bearer header, not allowed
return false;
}
if (!$this->loginWithToken($token)) {
return false;
}
@ -857,13 +895,6 @@ class Session implements IUserSession, Emitter {
return false;
}
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $e) {
// Can't really happen but better save than sorry
return true;
}
// Set the session variable so we know this is an app password
if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {
$this->session->set('app_password', $token);

29
tests/lib/User/SessionTest.php
View file

@ -483,16 +483,18 @@ class SessionTest extends \Test\TestCase {
$manager = $this->createMock(Manager::class);
$session = $this->createMock(ISession::class);
$request = $this->createMock(IRequest::class);
$token = $this->createMock(IToken::class);
/** @var Session $userSession */
$userSession = $this->getMockBuilder(Session::class)
->setConstructorArgs([$manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher])
->setMethods(['isTokenPassword', 'login', 'supportsCookies', 'createSessionToken', 'getUser'])
->onlyMethods(['login', 'supportsCookies', 'createSessionToken', 'getUser'])
->getMock();
$userSession->expects($this->once())
->method('isTokenPassword')
->willReturn(true);
$this->tokenProvider->expects($this->once())
->method('getToken')
->with('I-AM-AN-APP-PASSWORD')
->willReturn($token);
$userSession->expects($this->once())
->method('login')
->with('john', 'I-AM-AN-APP-PASSWORD')
@ -1232,16 +1234,18 @@ class SessionTest extends \Test\TestCase {
$manager = $this->createMock(Manager::class);
$session = $this->createMock(ISession::class);
$request = $this->createMock(IRequest::class);
$token = $this->createMock(IToken::class);
/** @var Session $userSession */
$userSession = $this->getMockBuilder(Session::class)
->setConstructorArgs([$manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher])
->setMethods(['isTokenPassword', 'login', 'supportsCookies', 'createSessionToken', 'getUser'])
->onlyMethods(['login', 'supportsCookies', 'createSessionToken', 'getUser'])
->getMock();
$userSession->expects($this->once())
->method('isTokenPassword')
->willReturn(true);
$this->tokenProvider->expects($this->once())
->method('getToken')
->with('I-AM-AN-PASSWORD')
->willReturn($token);
$userSession->expects($this->once())
->method('login')
->with('john', 'I-AM-AN-PASSWORD')
@ -1282,12 +1286,13 @@ class SessionTest extends \Test\TestCase {
/** @var Session $userSession */
$userSession = $this->getMockBuilder(Session::class)
->setConstructorArgs([$manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher])
->setMethods(['isTokenPassword', 'login', 'supportsCookies', 'createSessionToken', 'getUser'])
->onlyMethods(['login', 'supportsCookies', 'createSessionToken', 'getUser'])
->getMock();
$userSession->expects($this->once())
->method('isTokenPassword')
->willReturn(false);
$this->tokenProvider->expects($this->once())
->method('getToken')
->with('I-AM-AN-PASSWORD')
->willThrowException(new InvalidTokenException());
$userSession->expects($this->once())
->method('login')
->with('john@foo.bar', 'I-AM-AN-PASSWORD')