mirror of
https://github.com/nextcloud/server.git
synced 2026-02-22 17:31:10 -05:00
c6293204a2
Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
46 lines
1.2 KiB
PHP
46 lines
1.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
/**
|
|
* SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
|
|
* SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
namespace OC\AppFramework\Middleware;
|
|
|
|
use OC\Core\Controller\ClientFlowLoginV2Controller;
|
|
use OCP\AppFramework\Controller;
|
|
use OCP\AppFramework\Middleware;
|
|
use OCP\ISession;
|
|
use OCP\IUserSession;
|
|
use ReflectionMethod;
|
|
|
|
// Will close the session if the user session is ephemeral.
|
|
// Happens when the user logs in via the login flow v2.
|
|
class FlowV2EphemeralSessionsMiddleware extends Middleware {
|
|
public function __construct(
|
|
private ISession $session,
|
|
private IUserSession $userSession,
|
|
) {
|
|
}
|
|
|
|
public function beforeController(Controller $controller, string $methodName) {
|
|
if (!$this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME)) {
|
|
return;
|
|
}
|
|
|
|
if (
|
|
$controller instanceof ClientFlowLoginV2Controller &&
|
|
($methodName === 'grantPage' || $methodName === 'generateAppPassword')
|
|
) {
|
|
return;
|
|
}
|
|
|
|
$reflectionMethod = new ReflectionMethod($controller, $methodName);
|
|
if (!empty($reflectionMethod->getAttributes('PublicPage'))) {
|
|
return;
|
|
}
|
|
|
|
$this->userSession->logout();
|
|
$this->session->close();
|
|
}
|
|
}
|