From 2006a6dd0e568998965246263b142613660c5baf Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Wed, 27 May 2020 09:21:47 +0200 Subject: [PATCH 1/2] Improve traces of invalid token exceptions Signed-off-by: Christoph Wurst --- .../Exceptions/InvalidTokenException.php | 3 +++ .../Token/DefaultTokenProvider.php | 14 ++++++------- .../Token/PublicKeyTokenProvider.php | 20 +++++++++---------- 3 files changed, 20 insertions(+), 17 deletions(-) diff --git a/lib/private/Authentication/Exceptions/InvalidTokenException.php b/lib/private/Authentication/Exceptions/InvalidTokenException.php index efc6096da88..000d6dee3e8 100644 --- a/lib/private/Authentication/Exceptions/InvalidTokenException.php +++ b/lib/private/Authentication/Exceptions/InvalidTokenException.php @@ -1,4 +1,7 @@ mapper->update($token); } @@ -130,7 +130,7 @@ class DefaultTokenProvider implements IProvider { */ public function updateTokenActivity(IToken $token) { if (!($token instanceof DefaultToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } /** @var DefaultToken $token */ $now = $this->time->getTime(); @@ -157,7 +157,7 @@ class DefaultTokenProvider implements IProvider { try { $token = $this->mapper->getToken($this->hashToken($tokenId)); } catch (DoesNotExistException $ex) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Token does not exist", 0, $ex); } if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) { @@ -179,7 +179,7 @@ class DefaultTokenProvider implements IProvider { try { $token = $this->mapper->getTokenById($tokenId); } catch (DoesNotExistException $ex) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Token with ID $tokenId does not exist", 0, $ex); } if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) { @@ -241,7 +241,7 @@ class DefaultTokenProvider implements IProvider { */ public function setPassword(IToken $token, string $tokenId, string $password) { if (!($token instanceof DefaultToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } /** @var DefaultToken $token */ $token->setPassword($this->encryptPassword($password, $tokenId)); @@ -334,13 +334,13 @@ class DefaultTokenProvider implements IProvider { } catch (Exception $ex) { // Delete the invalid token $this->invalidateToken($token); - throw new InvalidTokenException(); + throw new InvalidTokenException("Can not decrypt token password: " . $ex->getMessage(), 0, $ex); } } public function markPasswordInvalid(IToken $token, string $tokenId) { if (!($token instanceof DefaultToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } //No need to mark as invalid. We just invalide default tokens diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index 664440fe6bb..091f47d7da3 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -103,7 +103,7 @@ class PublicKeyTokenProvider implements IProvider { $token = $this->mapper->getToken($this->hashToken($tokenId)); $this->cache[$token->getToken()] = $token; } catch (DoesNotExistException $ex) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex); } } @@ -127,7 +127,7 @@ class PublicKeyTokenProvider implements IProvider { try { $token = $this->mapper->getTokenById($tokenId); } catch (DoesNotExistException $ex) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex); } if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) { @@ -152,7 +152,7 @@ class PublicKeyTokenProvider implements IProvider { $token = $this->getToken($oldSessionId); if (!($token instanceof PublicKeyToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } $password = null; @@ -203,7 +203,7 @@ class PublicKeyTokenProvider implements IProvider { $this->cache->clear(); if (!($token instanceof PublicKeyToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } $this->mapper->update($token); } @@ -212,7 +212,7 @@ class PublicKeyTokenProvider implements IProvider { $this->cache->clear(); if (!($token instanceof PublicKeyToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } /** @var DefaultToken $token */ $now = $this->time->getTime(); @@ -229,7 +229,7 @@ class PublicKeyTokenProvider implements IProvider { public function getPassword(IToken $token, string $tokenId): string { if (!($token instanceof PublicKeyToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } if ($token->getPassword() === null) { @@ -247,7 +247,7 @@ class PublicKeyTokenProvider implements IProvider { $this->cache->clear(); if (!($token instanceof PublicKeyToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } // When changing passwords all temp tokens are deleted @@ -266,7 +266,7 @@ class PublicKeyTokenProvider implements IProvider { $this->cache->clear(); if (!($token instanceof PublicKeyToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } // Decrypt private key with oldTokenId @@ -295,7 +295,7 @@ class PublicKeyTokenProvider implements IProvider { } catch (\Exception $ex) { // Delete the invalid token $this->invalidateToken($token); - throw new InvalidTokenException(); + throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex); } } @@ -399,7 +399,7 @@ class PublicKeyTokenProvider implements IProvider { $this->cache->clear(); if (!($token instanceof PublicKeyToken)) { - throw new InvalidTokenException(); + throw new InvalidTokenException("Invalid token type"); } $token->setPasswordInvalid(true); From 5b92f35fe20bc82fda9548e35675dca7dec6659d Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Wed, 27 May 2020 09:58:44 +0200 Subject: [PATCH 2/2] Log why a token is not valid during password check Signed-off-by: Christoph Wurst --- lib/private/User/Session.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 817dcbf4c33..3996869c692 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -531,6 +531,10 @@ class Session implements IUserSession, Emitter { } catch (ExpiredTokenException $e) { throw $e; } catch (InvalidTokenException $ex) { + $this->logger->logException($ex, [ + 'level' => ILogger::DEBUG, + 'message' => 'Token is not valid: ' . $ex->getMessage(), + ]); return false; } }