Merge pull request #25154 from owncloud/token-login-check-loginname
check login name when authenticating via token and basic auth
This commit is contained in:
commit
089fcb45c0
|
@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter {
|
|||
*/
|
||||
public function login($uid, $password) {
|
||||
$this->session->regenerateId();
|
||||
if ($this->validateToken($password)) {
|
||||
if ($this->validateToken($password, $uid)) {
|
||||
// When logging in with token, the password must be decrypted first before passing to login hook
|
||||
try {
|
||||
$token = $this->tokenProvider->getToken($password);
|
||||
|
@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter {
|
|||
* Invalidates the token if checks fail
|
||||
*
|
||||
* @param string $token
|
||||
* @param string $user login name
|
||||
* @return boolean
|
||||
*/
|
||||
private function validateToken($token) {
|
||||
private function validateToken($token, $user = null) {
|
||||
try {
|
||||
$dbToken = $this->tokenProvider->getToken($token);
|
||||
} catch (InvalidTokenException $ex) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check if login names match
|
||||
if (!is_null($user) && $dbToken->getLoginName() !== $user) {
|
||||
// TODO: this makes it imposssible to use different login names on browser and client
|
||||
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
|
||||
// allow to use the client token with the login name 'user'.
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!$this->checkTokenCredentials($dbToken, $token)) {
|
||||
return false;
|
||||
}
|
||||
|
|
|
@ -314,6 +314,36 @@ class SessionTest extends \Test\TestCase {
|
|||
$userSession->login('foo', 'bar');
|
||||
}
|
||||
|
||||
/**
|
||||
* When using a device token, the loginname must match the one that was used
|
||||
* when generating the token on the browser.
|
||||
*/
|
||||
public function testLoginWithDifferentTokenLoginName() {
|
||||
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
|
||||
$manager = $this->getMock('\OC\User\Manager');
|
||||
$backend = $this->getMock('\Test\Util\User\Dummy');
|
||||
$userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config);
|
||||
$username = 'user123';
|
||||
$token = new \OC\Authentication\Token\DefaultToken();
|
||||
$token->setLoginName($username);
|
||||
|
||||
$session->expects($this->never())
|
||||
->method('set');
|
||||
$session->expects($this->once())
|
||||
->method('regenerateId');
|
||||
$this->tokenProvider->expects($this->once())
|
||||
->method('getToken')
|
||||
->with('bar')
|
||||
->will($this->returnValue($token));
|
||||
|
||||
$manager->expects($this->once())
|
||||
->method('checkPassword')
|
||||
->with('foo', 'bar')
|
||||
->will($this->returnValue(false));
|
||||
|
||||
$userSession->login('foo', 'bar');
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \OC\Authentication\Exceptions\PasswordLoginForbiddenException
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue