From 2223d199971f537bdeb819a6a209fb1af5a90877 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Tue, 30 Oct 2018 13:19:59 +0100
Subject: [PATCH] Error out early on an expired token
Fixes #12131
If we hit an expired token there is no need to continue checking. Since we know it is a token. We also should not register this with the bruteforce throttler as it is actually a valid token. Just expired. Instead the authentication should fail. And buisness continues as usual.
Signed-off-by: Roeland Jago Douma
---
 lib/private/User/Session.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index a9c638dca9..674f38e240 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -38,6 +38,7 @@
 namespace OC\User;
 use OC;
+use OC\Authentication\Exceptions\ExpiredTokenException;
 use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
@@ -401,7 +402,13 @@ class Session implements IUserSession, Emitter {
 $this->manager->emit('\OC\User', 'preLogin', array($user, $password));
 }
- $isTokenPassword = $this->isTokenPassword($password);
+ try {
+ $isTokenPassword = $this->isTokenPassword($password);
+ } catch (ExpiredTokenException $e) {
+ // Just return on an expired token no need to check further or record a failed login
+ return false;
+ }
+
 if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
 throw new PasswordLoginForbiddenException();
 }
@@ -474,11 +481,14 @@ class Session implements IUserSession, Emitter {
 *
 * @param string $password
 * @return boolean
+ * @throws ExpiredTokenException
 */
 public function isTokenPassword($password) {
 try {
 $this->tokenProvider->getToken($password);
 return true;
+ } catch (ExpiredTokenException $e) {
+ throw $e;
 } catch (InvalidTokenException $ex) {
 return false;
 }
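Review bot: The new `catch (ExpiredTokenException $e)` block returns `false` without leaving any trace, although the `preLogin` hook above it has already fired. An expired token being replayed is a useful signal for spotting a leaked credential, so this path should at least write a log entry (user and token id, never the token itself) through whatever logger the class has, which is not visible in this hunk. Because this path skips the throttler while an unknown token presumably does not, the two failures may also be distinguishable by response delay, which is worth pinning in a test. The comment would read better as `// Expired token: a known credential, so fail the login without counting it against the brute-force throttler`. The enclosing method starts and ends outside the hunk.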
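Review bot: `isTokenPassword()` is public, and with the added rethrow an expired token now raises instead of returning `false`. Only the one call site changed in this commit is wrapped in a try/catch, so every other caller (none visible here) needs checking for an unhandled `ExpiredTokenException`. The rethrow only matters if `ExpiredTokenException` extends `InvalidTokenException`, which the catch order suggests but the hunk does not show; a comment such as `// must come before the InvalidTokenException catch, which would otherwise turn an expired token into "not a token"` would record that. The docblock line should say when it is thrown, e.g. `@throws ExpiredTokenException if the password is a known token that has expired`. The method body continues past the end of the hunk.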