Mark token as invalid if the password doesn't match
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
parent
efef053960
commit
00e99af586
|
@ -338,4 +338,14 @@ class DefaultTokenProvider implements IProvider {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function markPasswordInvalid(IToken $token, string $tokenId) {
|
||||||
|
if (!($token instanceof DefaultToken)) {
|
||||||
|
throw new InvalidTokenException();
|
||||||
|
}
|
||||||
|
|
||||||
|
//No need to mark as invalid. We just invalide default tokens
|
||||||
|
$this->invalidateToken($tokenId);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
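Review bot: The comment `//No need to mark as invalid. We just invalide default tokens` has a typo and understates that this implementation deliberately departs from the interface's documented contract ("marks a token as having an invalid password") by destroying the token outright; suggest `// DefaultToken has no password-invalid flag, so the token is invalidated outright instead.` The method also declares no return type although it never returns a value; `public function markPasswordInvalid(IToken $token, string $tokenId): void {` would be clearer, and an implementation may add a return type the interface omits. Callers of the interface should be aware that for default tokens no flag is ever set — as far as this commit shows, `getPasswordInvalid()` exists only on PublicKeyToken.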
@ -156,4 +156,12 @@ interface IProvider {
|
||||||
* @return IToken
|
* @return IToken
|
||||||
*/
|
*/
|
||||||
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
|
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Marks a token as having an invalid password.
|
||||||
|
*
|
||||||
|
* @param IToken $token
|
||||||
|
* @param string $tokenId
|
||||||
|
*/
|
||||||
|
public function markPasswordInvalid(IToken $token, string $tokenId);
|
||||||
}
|
}
|
||||||
|
|
|
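Review bot: The new docblock for `markPasswordInvalid` omits the failure mode both implementations in this commit share — they throw `InvalidTokenException` when `$token` is not the provider's own token class — so add `* @throws InvalidTokenException` to it. It would also help to say what `$tokenId` is (the raw token string, the same value passed to `invalidateToken`), because the two parameters are easy to transpose at call sites such as `markPasswordInvalid($dbToken, $token)` in Session. The method has no return type where `rotate` just above declares `: IToken`; if this interface is internal, `public function markPasswordInvalid(IToken $token, string $tokenId): void;` would pin the contract, but it is a breaking change for any external implementer.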
@ -227,4 +227,9 @@ class Manager implements IProvider {
|
||||||
}
|
}
|
||||||
throw new InvalidTokenException();
|
throw new InvalidTokenException();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public function markPasswordInvalid(IToken $token, string $tokenId) {
|
||||||
|
$this->getProvider($token)->markPasswordInvalid($token, $tokenId);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
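Review bot: `Manager::markPasswordInvalid` delegates to `getProvider($token)`, which — judging from the `throw new InvalidTokenException();` visible just above the hunk — appears to reject tokens no registered provider accepts, so that exception propagates to callers without being documented; a one-line docblock `/** @throws InvalidTokenException if no provider handles $token */` would make it visible. Like the other implementations in this commit it declares no `: void` return type. The method whose closing brace opens the hunk starts outside the view.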
@ -43,6 +43,8 @@ use OCP\AppFramework\Db\Entity;
|
||||||
* @method string getPublicKey()
|
* @method string getPublicKey()
|
||||||
* @method void setPublicKey(string $key)
|
* @method void setPublicKey(string $key)
|
||||||
* @method void setVersion(int $version)
|
* @method void setVersion(int $version)
|
||||||
|
* @method bool getPasswordInvalid()
|
||||||
|
* @method void setPasswordInvalid(bool $invalid);
|
||||||
*/
|
*/
|
||||||
class PublicKeyToken extends Entity implements IToken {
|
class PublicKeyToken extends Entity implements IToken {
|
||||||
|
|
||||||
|
@ -90,6 +92,9 @@ class PublicKeyToken extends Entity implements IToken {
|
||||||
/** @var int */
|
/** @var int */
|
||||||
protected $version;
|
protected $version;
|
||||||
|
|
||||||
|
/** @var bool */
|
||||||
|
protected $passwordInvalid;
|
||||||
|
|
||||||
public function __construct() {
|
public function __construct() {
|
||||||
$this->addType('uid', 'string');
|
$this->addType('uid', 'string');
|
||||||
$this->addType('loginName', 'string');
|
$this->addType('loginName', 'string');
|
||||||
|
@ -105,6 +110,7 @@ class PublicKeyToken extends Entity implements IToken {
|
||||||
$this->addType('publicKey', 'string');
|
$this->addType('publicKey', 'string');
|
||||||
$this->addType('privateKey', 'string');
|
$this->addType('privateKey', 'string');
|
||||||
$this->addType('version', 'int');
|
$this->addType('version', 'int');
|
||||||
|
$this->addType('passwordInvalid', 'bool');
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getId(): int {
|
public function getId(): int {
|
||||||
|
|
|
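Review bot: The new annotation `* @method void setPasswordInvalid(bool $invalid);` ends with a semicolon that the neighbouring `@method` lines (`setPublicKey`, `setVersion`) do not have; drop it so tools that parse `@method` tags see a consistent signature: `* @method void setPasswordInvalid(bool $invalid)`. In the second hunk `protected $passwordInvalid;` is documented as `/** @var bool */` but has no initializer, so an entity that was never explicitly flagged — and, if the new column is nullable for existing rows, any token loaded from such a row — reports `null` from `getPasswordInvalid()` rather than `false`; either `@var bool|null` or a comment stating that callers must treat null as "not flagged" would avoid surprises. The `addType('passwordInvalid', 'bool')` line in the third hunk is consistent with the other fields.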
@ -317,4 +317,15 @@ class PublicKeyTokenProvider implements IProvider {
|
||||||
|
|
||||||
return $dbToken;
|
return $dbToken;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function markPasswordInvalid(IToken $token, string $tokenId) {
|
||||||
|
if (!($token instanceof PublicKeyToken)) {
|
||||||
|
throw new InvalidTokenException();
|
||||||
|
}
|
||||||
|
|
||||||
|
$token->setPasswordInvalid(true);
|
||||||
|
$this->mapper->update($token);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
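Review bot: `$tokenId` is accepted but never used in `PublicKeyTokenProvider::markPasswordInvalid` — the flag is set and persisted through `$token` alone — which satisfies the interface but deserves a comment so the unused parameter is not mistaken for a bug: `// $tokenId is unused here: the flag is stored on the entity itself.` Nothing in this commit reads `getPasswordInvalid()`, so as far as the diff shows a token marked here remains a valid row and is only rejected when `checkPassword` fails again; the consumer that honours the flag should be referenced in the docblock or added. The two blank lines before the class's closing `}` also differ from the single blank line used between methods in the hunk; the class declaration is outside the view.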
@ -694,12 +694,19 @@ class Session implements IUserSession, Emitter {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false
|
// Invalidate token if the user is no longer active
|
||||||
|| (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) {
|
if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
|
||||||
$this->tokenProvider->invalidateToken($token);
|
$this->tokenProvider->invalidateToken($token);
|
||||||
// Password has changed or user was disabled -> log user out
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If the token password is no longer valid mark it as such
|
||||||
|
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
|
||||||
|
$this->tokenProvider->markPasswordInvalid($dbToken, $token);
|
||||||
|
// User is logged out
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
$dbToken->setLastCheck($now);
|
$dbToken->setLastCheck($now);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
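Review bot: The new branch marks the token's password invalid and returns `false` without reaching `$dbToken->setLastCheck($now)`, so every later request with this token will run `checkPassword` against the user backend again with the same stale password (assuming the interval check that gates this block, which lies above the hunk, keys off `lastCheck`); against an external backend that counts failed binds this repeats an authentication failure per request and can lock the account out. Consider consulting the flag this commit introduces before re-checking, e.g. `if ($dbToken->getPasswordInvalid() === true) { return false; }` ahead of the `checkPassword` call — with the caveat that `getPasswordInvalid()` is declared only on `PublicKeyToken`, not on `IToken`, as far as the diff shows, so the check may belong in the provider instead. The comment `// User is logged out` is also inaccurate for a validation method that merely returns `false`; the removed `// Password has changed or user was disabled -> log user out` was the more precise wording. The enclosing method starts outside the hunk.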
@ -1017,10 +1017,8 @@ class SessionTest extends \Test\TestCase {
|
||||||
->method('getPassword')
|
->method('getPassword')
|
||||||
->with($token, 'APP-PASSWORD')
|
->with($token, 'APP-PASSWORD')
|
||||||
->will($this->returnValue('123456'));
|
->will($this->returnValue('123456'));
|
||||||
$userManager->expects($this->once())
|
$userManager->expects($this->never())
|
||||||
->method('checkPassword')
|
->method('checkPassword');
|
||||||
->with('susan', '123456')
|
|
||||||
->will($this->returnValue(true));
|
|
||||||
$user->expects($this->once())
|
$user->expects($this->once())
|
||||||
->method('isEnabled')
|
->method('isEnabled')
|
||||||
->will($this->returnValue(false));
|
->will($this->returnValue(false));
|
||||||
|
|
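Review bot: The only test touched here asserts that `checkPassword` is `never()` called once `isEnabled` returns false, which covers the reordered disabled-user branch but not the new password-invalid branch in `Session`; a companion case in which `checkPassword` returns `false` should expect `markPasswordInvalid` once with `($dbToken, 'APP-PASSWORD')`, expect `invalidateToken` `never()`, and assert the method returns `false`. The test method's start and the assertions following this hunk are outside the view, so such a case may already exist elsewhere in the file.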