Merge pull request #46667 from nextcloud/backport/46640/stable27

[stable27] fix(Token): take over scope in token refresh with login by cookie
This commit is contained in:
Arthur Schiwon 2024-07-30 00:14:23 +02:00 committed by GitHub
commit 54bdb2f079
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 40 additions and 24 deletions


@ -48,13 +48,16 @@ interface IProvider {
* @return IToken
* @throws \RuntimeException when OpenSSL reports a problem
*/
public function generateToken(string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken;
public function generateToken(
string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER,
?array $scope = null,
): IToken;
/**
* Get a token by token id
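Review bot: The new `?array $scope = null` parameter on `generateToken` is not documented: the visible tail of the docblock (`@return IToken`, `@throws`) is untouched and no `@param` line was added, so implementers get no statement of the array shape or of what null means. Judging by the call in `renewSessionToken` in the PublicKeyTokenProvider section, the value is what `getScopeAsArray()` returns and null means "do not set a scope"; add `* @param array|null $scope scope entries to store on the new token (same shape as getScopeAsArray()); null keeps the provider's default scope` above `@return IToken`. Whether this interface is consumed by third-party implementations I cannot tell from the hunk; if it is, a new parameter is a breaking change for them even with a default and should be called out. The docblock begins outside the hunk.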


@ -54,13 +54,16 @@ class Manager implements IProvider, OCPIProvider {
* @param int $remember whether the session token should be used for remember-me
* @return IToken
*/
public function generateToken(string $token,
string $uid,
string $loginName,
$password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
public function generateToken(
string $token,
string $uid,
string $loginName,
$password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER,
?array $scope = null,
): IToken {
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
@ -73,7 +76,8 @@ class Manager implements IProvider, OCPIProvider {
$password,
$name,
$type,
$remember
$remember,
$scope,
);
} catch (UniqueConstraintViolationException $e) {
// It's rare, but if two requests of the same session (e.g. env-based SAML)
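Review bot: The `@param int $remember ...` line is immediately followed by `@return IToken`, so the docblock now omits the new `$scope` parameter that the signature below declares; add `* @param array|null $scope scope to persist on the new token, or null to leave the provider's default` right after the `$remember` entry. Since this method only forwards `$scope` to the provider, the comment should say so rather than describe semantics it does not own. The method body continues past the hunk, inside the try/catch.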


@ -98,13 +98,16 @@ class PublicKeyTokenProvider implements IProvider {
/**
* {@inheritDoc}
*/
public function generateToken(string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
public function generateToken(
string $token,
string $uid,
string $loginName,
?string $password,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER,
?array $scope = null,
): IToken {
if (strlen($token) < self::TOKEN_MIN_LENGTH) {
$exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given');
$this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]);
@ -126,6 +129,10 @@ class PublicKeyTokenProvider implements IProvider {
$dbToken->setPasswordHash($randomOldToken->getPasswordHash());
}
if ($scope !== null) {
$dbToken->setScope($scope);
}
$this->mapper->insert($dbToken);
if (!$oldTokenMatches && $password !== null) {
@ -253,6 +260,8 @@ class PublicKeyTokenProvider implements IProvider {
$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
$password = $this->decryptPassword($token->getPassword(), $privateKey);
}
$scope = $token->getScope() === '' ? null : $token->getScopeAsArray();
$newToken = $this->generateToken(
$sessionId,
$token->getUID(),
@ -260,9 +269,9 @@ class PublicKeyTokenProvider implements IProvider {
$password,
$token->getName(),
IToken::TEMPORARY_TOKEN,
$token->getRemember()
$token->getRemember(),
$scope,
);
$newToken->setScope($token->getScopeAsArray());
$this->cacheToken($newToken);
$this->cacheInvalidHash($token->getToken());
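Review bot: The scope carry-over in `renewSessionToken` ships without a regression test (the diffstat lists only the three production files), and because a token scope such as a filesystem restriction is an authorization boundary, dropping it on a cookie-driven refresh is a privilege escalation rather than a cosmetic defect. A test should generate a token with a restricted scope, renew it, and assert that the token handed to `$this->mapper->insert()` already carries that scope — persisting before the insert is exactly what distinguishes the new code from the removed `$newToken->setScope($token->getScopeAsArray());`, which modified the returned object only after `generateToken` had written the row. On `$scope = $token->getScope() === '' ? null : $token->getScopeAsArray();`, the strict comparison only covers the empty string; if `getScope()` can return null for a never-set column, that case should map to null too, e.g. `$scope = in_array($token->getScope(), ['', null], true) ? null : $token->getScopeAsArray();` — the getter is not visible here, so confirm before changing it. `renewSessionToken` starts and ends outside the hunk.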