Mark token as invalid if the password doesn't match
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma
parent
efef053960
commit
00e99af586
|
|
@ -338,4 +338,14 @@ class DefaultTokenProvider implements IProvider {
|
|||
}
|
||||
}
|
||||
|
||||
public function markPasswordInvalid(IToken $token, string $tokenId) {
|
||||
if (!($token instanceof DefaultToken)) {
|
||||
throw new InvalidTokenException();
|
||||
}
|
||||
|
||||
//No need to mark as invalid. We just invalide default tokens
|
||||
$this->invalidateToken($tokenId);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -156,4 +156,12 @@ interface IProvider {
|
|||
* @return IToken
|
||||
*/
|
||||
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
|
||||
|
||||
/**
|
||||
* Marks a token as having an invalid password.
|
||||
*
|
||||
* @param IToken $token
|
||||
* @param string $tokenId
|
||||
*/
|
||||
public function markPasswordInvalid(IToken $token, string $tokenId);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -227,4 +227,9 @@ class Manager implements IProvider {
|
|||
}
|
||||
throw new InvalidTokenException();
|
||||
}
|
||||
|
||||
|
||||
public function markPasswordInvalid(IToken $token, string $tokenId) {
|
||||
$this->getProvider($token)->markPasswordInvalid($token, $tokenId);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,6 +43,8 @@ use OCP\AppFramework\Db\Entity;
|
|||
* @method string getPublicKey()
|
||||
* @method void setPublicKey(string $key)
|
||||
* @method void setVersion(int $version)
|
||||
* @method bool getPasswordInvalid()
|
||||
* @method void setPasswordInvalid(bool $invalid);
|
||||
*/
|
||||
class PublicKeyToken extends Entity implements IToken {
|
||||
|
||||
|
|
@ -90,6 +92,9 @@ class PublicKeyToken extends Entity implements IToken {
|
|||
/** @var int */
|
||||
protected $version;
|
||||
|
||||
/** @var bool */
|
||||
protected $passwordInvalid;
|
||||
|
||||
public function __construct() {
|
||||
$this->addType('uid', 'string');
|
||||
$this->addType('loginName', 'string');
|
||||
|
|
@ -105,6 +110,7 @@ class PublicKeyToken extends Entity implements IToken {
|
|||
$this->addType('publicKey', 'string');
|
||||
$this->addType('privateKey', 'string');
|
||||
$this->addType('version', 'int');
|
||||
$this->addType('passwordInvalid', 'bool');
|
||||
}
|
||||
|
||||
public function getId(): int {
|
||||
|
|
|
|||
|
|
@ -317,4 +317,15 @@ class PublicKeyTokenProvider implements IProvider {
|
|||
|
||||
return $dbToken;
|
||||
}
|
||||
|
||||
public function markPasswordInvalid(IToken $token, string $tokenId) {
|
||||
if (!($token instanceof PublicKeyToken)) {
|
||||
throw new InvalidTokenException();
|
||||
}
|
||||
|
||||
$token->setPasswordInvalid(true);
|
||||
$this->mapper->update($token);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -694,12 +694,19 @@ class Session implements IUserSession, Emitter {
|
|||
return true;
|
||||
}
|
||||
|
||||
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false
|
||||
|| (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) {
|
||||
// Invalidate token if the user is no longer active
|
||||
if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
|
||||
$this->tokenProvider->invalidateToken($token);
|
||||
// Password has changed or user was disabled -> log user out
|
||||
return false;
|
||||
}
|
||||
|
||||
// If the token password is no longer valid mark it as such
|
||||
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
|
||||
$this->tokenProvider->markPasswordInvalid($dbToken, $token);
|
||||
// User is logged out
|
||||
return false;
|
||||
}
|
||||
|
||||
$dbToken->setLastCheck($now);
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1017,10 +1017,8 @@ class SessionTest extends \Test\TestCase {
|
|||
->method('getPassword')
|
||||
->with($token, 'APP-PASSWORD')
|
||||
->will($this->returnValue('123456'));
|
||||
$userManager->expects($this->once())
|
||||
->method('checkPassword')
|
||||
->with('susan', '123456')
|
||||
->will($this->returnValue(true));
|
||||
$userManager->expects($this->never())
|
||||
->method('checkPassword');
|
||||
$user->expects($this->once())
|
||||
->method('isEnabled')
|
||||
->will($this->returnValue(false));
|
||||
|
|
|
|||
Loading…
Reference in New Issue