mirror of
https://github.com/nextcloud/server.git
synced 2026-05-19 16:39:59 -04:00
Merge pull request #59806 from nextcloud/backport/59804/stable22
[stable22] fix: Reduce the mixups between apptokens and session ids
This commit is contained in:
Stephan Orbaugh
GitHub
commit
88461b1bfe
2 changed files with 61 additions and 21 deletions
|
|
@ -45,6 +45,7 @@ use OC\Authentication\Exceptions\PasswordlessTokenException;
|
|||
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
|
||||
use OC\Authentication\Token\IProvider;
|
||||
use OC\Authentication\Token\IToken;
|
||||
use OC\Authentication\Token\PublicKeyToken;
|
||||
use OC\Hooks\Emitter;
|
||||
use OC\Hooks\PublicEmitter;
|
||||
use OC\Security\Bruteforce\Throttler;
|
||||
|
|
@ -446,7 +447,14 @@ class Session implements IUserSession, Emitter {
|
|||
}
|
||||
|
||||
try {
|
||||
$isTokenPassword = $this->isTokenPassword($password);
|
||||
$dbToken = $this->getTokenFromPassword($password);
|
||||
$isTokenPassword = $dbToken !== null;
|
||||
if (($dbToken instanceof PublicKeyToken)
|
||||
&& ($dbToken->getType() !== IToken::PERMANENT_TOKEN)
|
||||
) {
|
||||
// Refuse session tokens here, only app tokens are handled
|
||||
return false;
|
||||
}
|
||||
} catch (ExpiredTokenException $e) {
|
||||
// Just return on an expired token no need to check further or record a failed login
|
||||
return false;
|
||||
|
|
@ -550,6 +558,24 @@ class Session implements IUserSession, Emitter {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the given 'password' is actually a device token
|
||||
*
|
||||
* @throws ExpiredTokenException
|
||||
*/
|
||||
private function getTokenFromPassword(string $password): ?IToken {
|
||||
try {
|
||||
return $this->tokenProvider->getToken($password);
|
||||
} catch (ExpiredTokenException $e) {
|
||||
throw $e;
|
||||
} catch (InvalidTokenException $ex) {
|
||||
$this->logger->debug('Token is not valid: ' . $ex->getMessage(), [
|
||||
'exception' => $ex,
|
||||
]);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) {
|
||||
if ($refreshCsrfToken) {
|
||||
// TODO: mock/inject/use non-static
|
||||
|
|
@ -831,17 +857,31 @@ class Session implements IUserSession, Emitter {
|
|||
*/
|
||||
public function tryTokenLogin(IRequest $request) {
|
||||
$authHeader = $request->getHeader('Authorization');
|
||||
$tokenFromCookie = false;
|
||||
if (strpos($authHeader, 'Bearer ') === 0) {
|
||||
$token = substr($authHeader, 7);
|
||||
} else {
|
||||
// No auth header, let's try session id
|
||||
try {
|
||||
$token = $this->session->getId();
|
||||
$tokenFromCookie = true;
|
||||
} catch (SessionNotAvailableException $ex) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
$dbToken = $this->tokenProvider->getToken($token);
|
||||
} catch (InvalidTokenException $e) {
|
||||
// Can't really happen but better safe than sorry
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::TEMPORARY_TOKEN && !$tokenFromCookie) {
|
||||
// Session token but from Bearer header, not allowed
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!$this->loginWithToken($token)) {
|
||||
return false;
|
||||
}
|
||||
|
|
@ -849,13 +889,6 @@ class Session implements IUserSession, Emitter {
|
|||
return false;
|
||||
}
|
||||
|
||||
try {
|
||||
$dbToken = $this->tokenProvider->getToken($token);
|
||||
} catch (InvalidTokenException $e) {
|
||||
// Can't really happen but better save than sorry
|
||||
return true;
|
||||
}
|
||||
|
||||
// Remember me tokens are not app_passwords
|
||||
if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
|
||||
// Set the session variable so we know this is an app password
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Copyright (c) 2013 Robin Appelman <icewind@owncloud.com>
|
||||
* This file is licensed under the Affero General Public License version 3 or
|
||||
|
|
@ -10,6 +11,7 @@ namespace Test\User;
|
|||
|
||||
use OC\AppFramework\Http\Request;
|
||||
use OC\Authentication\Events\LoginFailed;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Token\DefaultTokenMapper;
|
||||
use OC\Authentication\Token\DefaultTokenProvider;
|
||||
use OC\Authentication\Token\IProvider;
|
||||
|
|
@ -489,16 +491,18 @@ class SessionTest extends \Test\TestCase {
|
|||
$manager = $this->createMock(Manager::class);
|
||||
$session = $this->createMock(ISession::class);
|
||||
$request = $this->createMock(IRequest::class);
|
||||
$token = $this->createMock(IToken::class);
|
||||
|
||||
/** @var \OC\User\Session $userSession */
|
||||
$userSession = $this->getMockBuilder(Session::class)
|
||||
->setConstructorArgs([$manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher])
|
||||
->setMethods(['isTokenPassword', 'login', 'supportsCookies', 'createSessionToken', 'getUser'])
|
||||
->onlyMethods(['login', 'supportsCookies', 'createSessionToken', 'getUser'])
|
||||
->getMock();
|
||||
|
||||
$userSession->expects($this->once())
|
||||
->method('isTokenPassword')
|
||||
->willReturn(true);
|
||||
$this->tokenProvider->expects($this->once())
|
||||
->method('getToken')
|
||||
->with('I-AM-AN-APP-PASSWORD')
|
||||
->willReturn($token);
|
||||
$userSession->expects($this->once())
|
||||
->method('login')
|
||||
->with('john', 'I-AM-AN-APP-PASSWORD')
|
||||
|
|
@ -1032,7 +1036,7 @@ class SessionTest extends \Test\TestCase {
|
|||
->method('getHeader')
|
||||
->with('Authorization')
|
||||
->willReturn('Bearer xxxxx');
|
||||
$this->tokenProvider->expects($this->once())
|
||||
$this->tokenProvider->expects($this->atLeastOnce())
|
||||
->method('getToken')
|
||||
->with('xxxxx')
|
||||
->willReturn($token);
|
||||
|
|
@ -1478,16 +1482,18 @@ class SessionTest extends \Test\TestCase {
|
|||
$manager = $this->createMock(Manager::class);
|
||||
$session = $this->createMock(ISession::class);
|
||||
$request = $this->createMock(IRequest::class);
|
||||
$token = $this->createMock(IToken::class);
|
||||
|
||||
/** @var Session $userSession */
|
||||
$userSession = $this->getMockBuilder(Session::class)
|
||||
->setConstructorArgs([$manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher])
|
||||
->setMethods(['isTokenPassword', 'login', 'supportsCookies', 'createSessionToken', 'getUser'])
|
||||
->onlyMethods(['login', 'supportsCookies', 'createSessionToken', 'getUser'])
|
||||
->getMock();
|
||||
|
||||
$userSession->expects($this->once())
|
||||
->method('isTokenPassword')
|
||||
->willReturn(true);
|
||||
$this->tokenProvider->expects($this->once())
|
||||
->method('getToken')
|
||||
->with('I-AM-AN-PASSWORD')
|
||||
->willReturn($token);
|
||||
$userSession->expects($this->once())
|
||||
->method('login')
|
||||
->with('john', 'I-AM-AN-PASSWORD')
|
||||
|
|
@ -1528,12 +1534,13 @@ class SessionTest extends \Test\TestCase {
|
|||
/** @var Session $userSession */
|
||||
$userSession = $this->getMockBuilder(Session::class)
|
||||
->setConstructorArgs([$manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher])
|
||||
->setMethods(['isTokenPassword', 'login', 'supportsCookies', 'createSessionToken', 'getUser'])
|
||||
->onlyMethods(['login', 'supportsCookies', 'createSessionToken', 'getUser'])
|
||||
->getMock();
|
||||
|
||||
$userSession->expects($this->once())
|
||||
->method('isTokenPassword')
|
||||
->willReturn(true);
|
||||
$this->tokenProvider->expects($this->once())
|
||||
->method('getToken')
|
||||
->with('I-AM-AN-PASSWORD')
|
||||
->willThrowException(new InvalidTokenException());
|
||||
$userSession->expects($this->once())
|
||||
->method('login')
|
||||
->with('john@foo.bar', 'I-AM-AN-PASSWORD')
|
||||
|
|
|
|||
Loading…
Reference in a new issue