Error out early on an expired token

Fixes #12131

If we hit an expired token there is no need to continue checking. Since
we know it is a token.

We also should not register this with the bruteforce throttler as it is
actually a valid token. Just expired. Instead the authentication should
fail. And buisness continues as usual.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2018-10-30 13:19:59 +01:00
parent 04617a28d4
commit 40d1202076
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 11 additions and 1 deletions

View File

@ -38,6 +38,7 @@
namespace OC\User;
use OC;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
@ -399,7 +400,13 @@ class Session implements IUserSession, Emitter {
$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
}
$isTokenPassword = $this->isTokenPassword($password);
try {
$isTokenPassword = $this->isTokenPassword($password);
} catch (ExpiredTokenException $e) {
// Just return on an expired token no need to check further or record a failed login
return false;
}
if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
throw new PasswordLoginForbiddenException();
}
@ -472,11 +479,14 @@ class Session implements IUserSession, Emitter {
*
* @param string $password
* @return boolean
* @throws ExpiredTokenException
*/
public function isTokenPassword($password) {
try {
$this->tokenProvider->getToken($password);
return true;
} catch (ExpiredTokenException $e) {
throw $e;
} catch (InvalidTokenException $ex) {
return false;
}