From 1889df5c7cac71e9faf42d19686b98bf61b23bf8 Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Fri, 17 Jun 2016 15:41:32 +0200
Subject: [PATCH] dont create a session token for clients, validate the app password instead

---
 lib/private/User/Session.php | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index ccae72ed35..cd9e973e30 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -197,14 +197,27 @@ class Session implements IUserSession, Emitter {
 		return $this->activeUser;
 	}
+	/**
+	 * Validate whether the current session is valid
+	 *
+	 * - For token-authenticated clients, the token validity is checked
+	 * - For browsers, the session token validity is checked
+	 */
 	protected function validateSession() {
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			return;
+		$token = null;
+		$appPassword = $this->session->get('app_password');
+
+		if (is_null($appPassword)) {
+			try {
+				$token = $this->session->getId();
+			} catch (SessionNotAvailableException $ex) {
+				return;
+			}
+		} else {
+			$token = $appPassword;
 		}
-		if (!$this->validateToken($sessionId)) {
+		if (!$this->validateToken($token)) {
 			// Session was invalidated
 			$this->logout();
 		}
@@ -282,7 +295,6 @@ class Session implements IUserSession, Emitter {
 			$this->loginWithToken($password);
 			$user = $this->getUser();
-			$this->tokenProvider->updateTokenActivity($token);
 		} else {
 			$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
 			$user = $this->manager->checkPassword($uid, $password);
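Review bot: The token-client branch of validateSession() reads the raw app password back from the session store (`$this->session->get('app_password')`), and the matching write in the `@@ -341` hunk stores it as-is, so whatever backs the session (files, database, memcache) now holds a reusable long-lived credential in clear, whereas the browser path derives its token from the session id and stores no secret. If the token provider can look a token up by a derived value or an id, prefer storing that instead of the secret; at minimum document the exposure in the new docblock with a line such as `* Note: for token clients the app password itself is kept in the session under 'app_password'`. Also `is_null($appPassword)` reads more naturally as `$appPassword === null`. The validateToken() implementation that decides what `$token` must be lies outside this hunk.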
@@ -341,7 +353,10 @@ class Session implements IUserSession, Emitter {
 			return false;
 		}
-		if ($this->supportsCookies($request)) {
+		if ($isTokenPassword) {
+			$this->session->set('app_password', $password);
+		} else if($this->supportsCookies($request)) {
+			// Password login, but cookies supported -> create (browser) session token
 			$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
 		}
@@ -458,7 +473,6 @@ class Session implements IUserSession, Emitter {
 		//login
 		$this->setUser($user);
-		$this->tokenProvider->updateTokenActivity($dbToken);
 		$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
 		return true;
@@ -582,6 +596,8 @@ class Session implements IUserSession, Emitter {
 			return false;
 		}
+		$this->tokenProvider->updateTokenActivity($dbToken);
+
 		return true;
 	}
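Review bot: `} else if($this->supportsCookies($request)) {` in the new branch should be written `} elseif ($this->supportsCookies($request)) {` to match the file's keyword/brace style and the PSR convention, since `else if` is two nested statements in PHP. The new `$isTokenPassword` branch also deserves a short why-comment mirroring the one on the cookie branch, e.g. `// Token (app password) login -> keep it in the session for per-request validation in validateSession()`, and it is worth confirming that logout() clears the `app_password` key so a stale value cannot survive on a reused session. `$isTokenPassword` is assigned before this hunk starts.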
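Review bot: Moving `$this->tokenProvider->updateTokenActivity($dbToken);` into validateToken() means the activity timestamp is now refreshed on every successful validateSession() call, which I take to be once per request, rather than once per login as the two removed calls in the `@@ -282` and `@@ -458` hunks did. If updateTokenActivity() writes unconditionally this becomes one database write per request, so either throttle it (for example only when the stored timestamp is older than some interval) or record the intent with `// refresh last-activity on every successful validation; relies on the provider to coalesce writes`. validateToken() and the definition of `$dbToken` both lie outside this hunk, so whether `$dbToken` is still in scope at this point cannot be confirmed from here.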