upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-20 00:12:30 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 38

fix(session): Only mark sessions of permanent tokens as app passwords

Browse source 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
This commit is contained in:
Christoph Wurst 2025-04-01 14:04:08 +02:00 committed by backportbot[bot]
parent 32db8e9016
commit 81a8e83bf8
2 changed files with 42 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
lib/private/User/Session.php
View file

@ -834,9 +834,8 @@ class Session implements IUserSession, Emitter {
return true;
}
// Remember me tokens are not app_passwords
if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
// Set the session variable so we know this is an app password
// Set the session variable so we know this is an app password
if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {
$this->session->set('app_password', $token);
}

40
tests/lib/User/SessionTest.php
View file

@ -34,6 +34,7 @@ use OCP\Lockdown\ILockdownManager;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\ISecureRandom;
use OCP\User\Events\PostLoginEvent;
use PHPUnit\Framework\ExpectationFailedException;
use PHPUnit\Framework\MockObject\MockObject;
use Psr\Log\LoggerInterface;
use function array_diff;
@ -611,6 +612,45 @@ class SessionTest extends \Test\TestCase {
self::assertFalse($loginResult);
}
public function testTryTokenLoginNotAnAppPassword(): void {
$request = $this->createMock(IRequest::class);
$this->config->expects(self::once())
->method('getSystemValueString')
->with('instanceid')
->willReturn('abc123');
$request->method('getHeader')->with('Authorization')->willReturn('');
$request->method('getCookie')->with('abc123')->willReturn('abcde12345');
$this->session->expects(self::once())
->method('getId')
->willReturn('abcde12345');
$dbToken = new PublicKeyToken();
$dbToken->setId(42);
$dbToken->setUid('johnny');
$dbToken->setLoginName('johnny');
$dbToken->setLastCheck(0);
$dbToken->setType(IToken::TEMPORARY_TOKEN);
$dbToken->setRemember(IToken::REMEMBER);
$this->tokenProvider->expects(self::any())
->method('getToken')
->with('abcde12345')
->willReturn($dbToken);
$this->session->method('set')
->willReturnCallback(function ($key, $value) {
if ($key === 'app_password') {
throw new ExpectationFailedException('app_password should not be set in session');
}
});
$user = $this->createMock(IUser::class);
$user->method('isEnabled')->willReturn(true);
$this->manager->method('get')
->with('johnny')
->willReturn($user);
$loginResult = $this->userSession->tryTokenLogin($request);
self::assertTrue($loginResult);
}
public function testRememberLoginValidToken(): void {
$session = $this->createMock(Memory::class);
$managerMethods = get_class_methods(Manager::class);