Don't use special chars to avoid confusion

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Roeland Jago Douma 2018-05-16 15:09:35 +02:00
parent d03265fb62
commit 73f8373151
No known key found for this signature in database
GPG Key ID: F941078878347C0C
2 changed files with 8 additions and 1 deletions


@ -90,6 +90,7 @@ class OauthApiController extends Controller {
*/ */
public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret) { public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret) {
// We only handle two types
if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') { if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') {
return new JSONResponse([ return new JSONResponse([
'error' => 'invalid_grant', 'error' => 'invalid_grant',
@ -117,6 +118,7 @@ class OauthApiController extends Controller {
], Http::STATUS_BAD_REQUEST); ], Http::STATUS_BAD_REQUEST);
} }
// The client id and secret must match. Else we don't provide an access token!
if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) { if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) {
return new JSONResponse([ return new JSONResponse([
'error' => 'invalid_client', 'error' => 'invalid_client',
@ -125,6 +127,7 @@ class OauthApiController extends Controller {
$decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code); $decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
// Obtain the appToken assoicated
try { try {
$appToken = $this->tokenProvider->getTokenById($accessToken->getTokenId()); $appToken = $this->tokenProvider->getTokenById($accessToken->getTokenId());
} catch (ExpiredTokenException $e) { } catch (ExpiredTokenException $e) {
@ -137,6 +140,7 @@ class OauthApiController extends Controller {
], Http::STATUS_BAD_REQUEST); ], Http::STATUS_BAD_REQUEST);
} }
// Rotate the apptoken (so the old one becomes invalid basically)
$newToken = $this->secureRandom->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); $newToken = $this->secureRandom->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
$appToken = $this->tokenProvider->rotate( $appToken = $this->tokenProvider->rotate(
@ -144,9 +148,12 @@ class OauthApiController extends Controller {
$decryptedToken, $decryptedToken,
$newToken $newToken
); );
// Expiration is in 1 hour again
$appToken->setExpires($this->time->getTime() + 3600); $appToken->setExpires($this->time->getTime() + 3600);
$this->tokenProvider->updateToken($appToken); $this->tokenProvider->updateToken($appToken);
// Generate a new refresh token and encrypt the new apptoken in the DB
$newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); $newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
$accessToken->setHashedCode(hash('sha512', $newCode)); $accessToken->setHashedCode(hash('sha512', $newCode));
$accessToken->setEncryptedToken($this->crypto->encrypt($newToken, $newCode)); $accessToken->setEncryptedToken($this->crypto->encrypt($newToken, $newCode));
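Review bot: The client check in the second hunk still compares the stored secret with the request value using `!==` (`$client->getSecret() !== $client_secret`), which is not a constant-time comparison; the commit documents the check but leaves it as is. For secret material the usual form is `hash_equals()`, e.g. `if ($client->getClientIdentifier() !== $client_id || !hash_equals($client->getSecret(), (string)$client_secret)) {`, assuming `getSecret()` returns a string (its definition is not visible on this page). Separately, the comment added in the third hunk misspells "associated" as "assoicated". The body of `getToken` starts and ends outside the hunks shown.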


@ -291,7 +291,7 @@ class ClientFlowLoginController extends Controller {
); );
if($client) { if($client) {
$code = $this->random->generate(128); $code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
$accessToken = new AccessToken(); $accessToken = new AccessToken();
$accessToken->setClientId($client->getId()); $accessToken->setClientId($client->getId());
$accessToken->setEncryptedToken($this->crypto->encrypt($token, $code)); $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
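Review bot: The alphabet expression `ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS` is now spelled out on this line and twice more in `OauthApiController::getToken`, so the three call sites can drift apart without anyone noticing. One shared constant for the code alphabet would keep the initial code and the rotated refresh code in step. The line also needs a short why-comment, since `$code` is used as the password in `$this->crypto->encrypt($token, $code)` and a later reader may be tempted to widen the character set again. Something like `// Alphanumeric only: special chars in the code caused confusion for clients` would do, with the wording taken from the commit title because the page does not give the exact failure. The enclosing method starts and ends outside this hunk.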