Merge pull request #22276 from owncloud/harden-updater-auth

Harden updater authentication

apps/updatenotification/controller/admincontroller.php

@@ -77,8 +77,8 @@ class AdminController extends Controller {
 		$this->config->setAppValue('core', 'updater.secret.created', $this->timeFactory->getTime());
 
 		// Create a new token
-		$newToken = $this->secureRandom->generate(32);
+		$newToken = $this->secureRandom->generate(64);
-		$this->config->setSystemValue('updater.secret', $newToken);
+		$this->config->setSystemValue('updater.secret', password_hash($newToken, PASSWORD_DEFAULT));
 
 		return new DataResponse($newToken);
 	}

apps/updatenotification/lib/resettokenbackgroundjob.php

@@ -67,7 +67,8 @@ class ResetTokenBackgroundJob extends TimedJob {
 	 * @param $argument
 	 */
 	protected function run($argument) {
-		if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 86400) {
+		// Delete old tokens after 2 days
+		if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 172800) {
 			$this->config->deleteSystemValue('updater.secret');
 		}
 	}

apps/updatenotification/tests/controller/AdminControllerTest.php

@@ -77,12 +77,12 @@ class AdminControllerTest extends TestCase {
 		$this->secureRandom
 			->expects($this->once())
 			->method('generate')
-			->with(32)
+			->with(64)
 			->willReturn('MyGeneratedToken');
 		$this->config
 			->expects($this->once())
 			->method('setSystemValue')
-			->with('updater.secret', 'MyGeneratedToken');
+			->with('updater.secret');
 		$this->timeFactory
 			->expects($this->once())
 			->method('getTime')