Merge pull request #56238 from nextcloud/backport/56215/stable25

[stable25] feat(EphemeralSessions): Introduce lax period
2026-06-11 09:42:09 -04:00 · 2025-11-07 08:51:23 +01:00 · 2025-11-07 08:51:23 +01:00 · dc2bd5a6ed
commit dc2bd5a6ed
parent 88b7e75f1b 4ce1bcc18d
2 changed files with 23 additions and 4 deletions
--- a/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php
+++ b/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php
@ -11,6 +11,7 @@ use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Core\Controller\ClientFlowLoginV2Controller;
 use OC\Core\Controller\TwoFactorChallengeController;
 use OCP\AppFramework\Middleware;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\TwoFactorAuth\ALoginSetupController;
 use OCP\ISession;
 use OCP\IUserSession;
@ -18,25 +19,39 @@ use OCP\IUserSession;
 // Will close the session if the user session is ephemeral.
 // Happens when the user logs in via the login flow v2.
 class FlowV2EphemeralSessionsMiddleware extends Middleware {
+	private const EPHEMERAL_SESSION_TTL = 5 * 60; // 5 minutes
+
 	private ISession $session;
 	private IUserSession $userSession;
 	private ControllerMethodReflector $reflector;
+	private ITimeFactory $timeFactory;

 	public function __construct(
 		ISession $session,
 		IUserSession $userSession,
-		ControllerMethodReflector $reflector
+		ControllerMethodReflector $reflector,
+		ITimeFactory $timeFactory
 	) {
 		$this->session = $session;
 		$this->userSession = $userSession;
 		$this->reflector = $reflector;
+		$this->timeFactory = $timeFactory;
 	}

 	public function beforeController($controller, $methodName) {
-		if (!$this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME)) {
+		$sessionCreationTime = $this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME);
+
+		// Not an ephemeral session.
+		if ($sessionCreationTime === null) {
 			return;
 		}

+		// Lax enforcement until TTL is reached.
+		if ($this->timeFactory->getTime() < $sessionCreationTime + self::EPHEMERAL_SESSION_TTL) {
+			return;
+		}
+
+		// Allow certain controllers/methods to proceed without logging out.
 		if (
 			$controller instanceof ClientFlowLoginV2Controller &&
 			($methodName === 'grantPage' || $methodName === 'generateAppPassword')
--- a/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php
+++ b/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php
@ -9,25 +9,29 @@ declare(strict_types=1);
 namespace OC\Authentication\Login;

 use OC\Core\Controller\ClientFlowLoginV2Controller;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\ISession;
 use OCP\IURLGenerator;

 class FlowV2EphemeralSessionsCommand extends ALoginCommand {
 	private ISession $session;
 	private IURLGenerator $urlGenerator;
+	private ITimeFactory $timeFactory;

 	public function __construct(
 		ISession $session,
-		IURLGenerator $urlGenerator
+		IURLGenerator $urlGenerator,
+		ITimeFactory $timeFactory
 	) {
 		$this->session = $session;
 		$this->urlGenerator = $urlGenerator;
+		$this->timeFactory = $timeFactory;
 	}

 	public function process(LoginData $loginData): LoginResult {
 		$loginV2GrantRoute = $this->urlGenerator->linkToRoute('core.ClientFlowLoginV2.grantPage');
 		if (str_starts_with($loginData->getRedirectUrl() ?? '', $loginV2GrantRoute)) {
-			$this->session->set(ClientFlowLoginV2Controller::EPHEMERAL_NAME, true);
+			$this->session->set(ClientFlowLoginV2Controller::EPHEMERAL_NAME, $this->timeFactory->getTime());
 		}

 		return $this->processNextOrFinishSuccessfully($loginData);