feat(auth): Clean-up unused auth tokens and wipe tokens
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
This commit is contained in:
parent
cee227ae99
commit
5100e3152d
3 changed files with 31 additions and 20 deletions
@ -36,17 +36,20 @@ class PublicKeyTokenMapper extends QBMapper {
|
|||
|
||||
/**
|
||||
* @param int $olderThan
|
||||
* @param int $remember
|
||||
* @param int $type
|
||||
* @param int|null $remember
|
||||
*/
|
||||
public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
|
||||
public function invalidateOld(int $olderThan, int $type = IToken::TEMPORARY_TOKEN, ?int $remember = null) {
|
||||
/* @var $qb IQueryBuilder */
|
||||
$qb = $this->db->getQueryBuilder();
|
||||
$qb->delete($this->tableName)
|
||||
$delete = $qb->delete($this->tableName)
|
||||
->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
|
||||
->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
|
||||
->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
|
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
|
||||
->execute();
|
||||
->andWhere($qb->expr()->eq('type', $qb->createNamedParameter($type, IQueryBuilder::PARAM_INT)))
|
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
|
||||
if ($remember !== null) {
|
||||
$delete->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)));
|
||||
}
|
||||
$delete->executeStatement();
|
||||
}
|
||||
|
||||
public function invalidateLastUsedBefore(string $uid, int $before): int {
|
||||
|
|
|
|||
|
|
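Review bot: The second positional parameter of `invalidateOld` changes meaning from the remember flag to the token type while keeping the `int` type, so a caller that still writes `invalidateOld($olderThan, IToken::REMEMBER)` positionally is accepted without a type error and now filters on `type` with `remember` left unconstrained; as far as I recall the IToken type and remember constants are small overlapping integers, so such a call would delete a different class of tokens than intended. The in-tree callers in this commit are updated, but the mapper is a public class, so the docblock should at least spell out the new contract, e.g. `@param int $type one of the IToken::*_TOKEN constants` and `@param int|null $remember restrict to this IToken::REMEMBER/DO_NOT_REMEMBER flag, or null to match either`. The method still has no return type; `): void {` would match `invalidateLastUsedBefore` below, whose body continues outside the hunk. The `/* @var $qb IQueryBuilder */` line is not a PHPDoc block and most analysers ignore it; `/** @var IQueryBuilder $qb */` is the recognised form.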
@ -281,10 +281,19 @@ class PublicKeyTokenProvider implements IProvider {
|
|||
public function invalidateOldTokens() {
|
||||
$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
|
||||
$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
|
||||
$this->mapper->invalidateOld($olderThan, OCPIToken::DO_NOT_REMEMBER);
|
||||
$this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER);
|
||||
|
||||
$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
|
||||
$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
|
||||
$this->mapper->invalidateOld($rememberThreshold, OCPIToken::REMEMBER);
|
||||
$this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER);
|
||||
|
||||
$wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60);
|
||||
$this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']);
|
||||
$this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN);
|
||||
|
||||
$authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365);
|
||||
$this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']);
|
||||
$this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN);
|
||||
}
|
||||
|
||||
public function invalidateLastUsedBefore(string $uid, int $before): void {
|
||||
|
|
|
|||
|
|
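Review bot: `invalidateOldTokens` now reads two new system config keys, `token_auth_wipe_token_retention` and `token_auth_token_retention`, but the diffstat lists only the mapper, the provider and the test, so neither key is documented for administrators; the second deserves an explicit entry, because with its 365-day default it purges permanent tokens (which, as far as I know, include app passwords) by `last_activity`, a visible change for integrations that authenticate rarely. A short comment above that last block would help the next reader, e.g. `// Permanent tokens unused for token_auth_token_retention seconds are removed as well; this is inactivity, not token age.` Style-wise, `$this->time->getTime()` is evaluated four separate times; a single `$now = $this->time->getTime();` at the top would make all four thresholds relative to the same instant and shorten each line. The method also still lacks a `: void` return type, unlike `invalidateLastUsedBefore` directly below it.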
@ -56,12 +56,6 @@ class PublicKeyTokenProviderTest extends TestCase {
|
|||
$this->hasher = \OC::$server->get(IHasher::class);
|
||||
$this->crypto = \OC::$server->getCrypto();
|
||||
$this->config = $this->createMock(IConfig::class);
|
||||
$this->config->method('getSystemValueInt')
|
||||
->willReturnMap([
|
||||
['session_lifetime', 60 * 60 * 24, 150],
|
||||
['remember_login_cookie_lifetime', 60 * 60 * 24 * 15, 300],
|
||||
['token_auth_activity_update', 60, 60],
|
||||
]);
|
||||
$this->config->method('getSystemValue')
|
||||
->willReturnMap([
|
||||
['openssl', [], []],
|
||||
|
|
@ -330,20 +324,25 @@ class PublicKeyTokenProviderTest extends TestCase {
|
|||
$this->tokenProvider->invalidateTokenById('uid', $id);
|
||||
}
|
||||
|
||||
public function testInvalidateOldTokens() {
|
||||
public function testInvalidateOldTokens(): void {
|
||||
$defaultSessionLifetime = 60 * 60 * 24;
|
||||
$defaultRememberMeLifetime = 60 * 60 * 24 * 15;
|
||||
$this->config->expects($this->exactly(2))
|
||||
$wipeTokenLifetime = 60 * 60 * 24 * 60;
|
||||
$this->config->expects($this->exactly(4))
|
||||
->method('getSystemValueInt')
|
||||
->willReturnMap([
|
||||
['session_lifetime', $defaultSessionLifetime, 150],
|
||||
['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300],
|
||||
['token_auth_wipe_token_retention', $wipeTokenLifetime, 500],
|
||||
['token_auth_token_retention', 60 * 60 * 24 * 365, 800],
|
||||
]);
|
||||
$this->mapper->expects($this->exactly(2))
|
||||
$this->mapper->expects($this->exactly(4))
|
||||
->method('invalidateOld')
|
||||
->withConsecutive(
|
||||
[$this->time - 150],
|
||||
[$this->time - 300]
|
||||
[$this->time - 150, IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER],
|
||||
[$this->time - 300, IToken::TEMPORARY_TOKEN, IToken::REMEMBER],
|
||||
[$this->time - 500, IToken::WIPE_TOKEN, null],
|
||||
[$this->time - 800, IToken::PERMANENT_TOKEN, null],
|
||||
);
|
||||
|
||||
$this->tokenProvider->invalidateOldTokens();
|
||||
|
|
|
|||
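Review bot: The first hunk drops the whole `getSystemValueInt` return map from setUp, including the `['token_auth_activity_update', 60, 60]` entry, while only `testInvalidateOldTokens` in the second hunk re-declares a map of its own; if any other test in this class exercises the activity-update path, the mock now returns its default for that key instead of 60, which could silently change what that test covers. Worth confirming against the rest of the file, which is outside this diff, or keeping `['token_auth_activity_update', 60, 60]` in setUp. Separately, `withConsecutive` on the mapper expectation is deprecated in PHPUnit 9.6 and removed in 10, so the new four-entry call list is a good moment to replace it with a `willReturnCallback` that asserts each `[threshold, type, remember]` tuple in order.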