Merge pull request #12140 from nextcloud/fix/expired_token_throttler
Expired tokens should not trigger bruteforce protection
This commit is contained in:
commit
a51c8377d4
|
@ -22,7 +22,7 @@
|
|||
namespace OCA\OAuth2\Controller;
|
||||
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Token\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Token\IProvider as TokenProvider;
|
||||
use OC\Security\Bruteforce\Throttler;
|
||||
use OCA\OAuth2\Db\AccessTokenMapper;
|
||||
|
|
|
@ -22,11 +22,9 @@
|
|||
namespace OCA\OAuth2\Tests\Controller;
|
||||
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Token\DefaultToken;
|
||||
use OC\Authentication\Token\DefaultTokenMapper;
|
||||
use OC\Authentication\Token\ExpiredTokenException;
|
||||
use OC\Authentication\Token\IProvider as TokenProvider;
|
||||
use OC\Authentication\Token\IToken;
|
||||
use OC\Security\Bruteforce\Throttler;
|
||||
use OCA\OAuth2\Controller\OauthApiController;
|
||||
use OCA\OAuth2\Db\AccessToken;
|
||||
|
|
|
@ -474,6 +474,7 @@ return array(
|
|||
'OC\\Archive\\Archive' => $baseDir . '/lib/private/Archive/Archive.php',
|
||||
'OC\\Archive\\TAR' => $baseDir . '/lib/private/Archive/TAR.php',
|
||||
'OC\\Archive\\ZIP' => $baseDir . '/lib/private/Archive/ZIP.php',
|
||||
'OC\\Authentication\\Exceptions\\ExpiredTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
||||
'OC\\Authentication\\Exceptions\\InvalidProviderException' => $baseDir . '/lib/private/Authentication/Exceptions/InvalidProviderException.php',
|
||||
'OC\\Authentication\\Exceptions\\InvalidTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
|
||||
'OC\\Authentication\\Exceptions\\LoginRequiredException' => $baseDir . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
|
||||
|
@ -487,7 +488,6 @@ return array(
|
|||
'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
|
||||
'OC\\Authentication\\Token\\DefaultTokenMapper' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
|
||||
'OC\\Authentication\\Token\\DefaultTokenProvider' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
|
||||
'OC\\Authentication\\Token\\ExpiredTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
||||
'OC\\Authentication\\Token\\IProvider' => $baseDir . '/lib/private/Authentication/Token/IProvider.php',
|
||||
'OC\\Authentication\\Token\\IToken' => $baseDir . '/lib/private/Authentication/Token/IToken.php',
|
||||
'OC\\Authentication\\Token\\Manager' => $baseDir . '/lib/private/Authentication/Token/Manager.php',
|
||||
|
|
|
@ -504,6 +504,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\Archive\\Archive' => __DIR__ . '/../../..' . '/lib/private/Archive/Archive.php',
|
||||
'OC\\Archive\\TAR' => __DIR__ . '/../../..' . '/lib/private/Archive/TAR.php',
|
||||
'OC\\Archive\\ZIP' => __DIR__ . '/../../..' . '/lib/private/Archive/ZIP.php',
|
||||
'OC\\Authentication\\Exceptions\\ExpiredTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
||||
'OC\\Authentication\\Exceptions\\InvalidProviderException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/InvalidProviderException.php',
|
||||
'OC\\Authentication\\Exceptions\\InvalidTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
|
||||
'OC\\Authentication\\Exceptions\\LoginRequiredException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
|
||||
|
@ -517,7 +518,6 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
|
||||
'OC\\Authentication\\Token\\DefaultTokenMapper' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
|
||||
'OC\\Authentication\\Token\\DefaultTokenProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
|
||||
'OC\\Authentication\\Token\\ExpiredTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
||||
'OC\\Authentication\\Token\\IProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IProvider.php',
|
||||
'OC\\Authentication\\Token\\IToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IToken.php',
|
||||
'OC\\Authentication\\Token\\Manager' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/Manager.php',
|
||||
|
|
|
@ -21,9 +21,9 @@ declare(strict_types=1);
|
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
namespace OC\Authentication\Token;
|
||||
namespace OC\Authentication\Exceptions;
|
||||
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Token\IToken;
|
||||
|
||||
class ExpiredTokenException extends InvalidTokenException {
|
||||
/** @var IToken */
|
||||
|
|
|
@ -29,6 +29,7 @@ declare(strict_types=1);
|
|||
namespace OC\Authentication\Token;
|
||||
|
||||
use Exception;
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
|
|
|
@ -26,6 +26,7 @@ declare(strict_types=1);
|
|||
|
||||
namespace OC\Authentication\Token;
|
||||
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
|
||||
|
|
|
@ -23,6 +23,7 @@ declare(strict_types=1);
|
|||
|
||||
namespace OC\Authentication\Token;
|
||||
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
|
||||
|
|
|
@ -23,6 +23,7 @@ declare(strict_types=1);
|
|||
|
||||
namespace OC\Authentication\Token;
|
||||
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
|
|
|
@ -38,6 +38,7 @@
|
|||
namespace OC\User;
|
||||
|
||||
use OC;
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
|
||||
|
@ -401,7 +402,13 @@ class Session implements IUserSession, Emitter {
|
|||
$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
|
||||
}
|
||||
|
||||
$isTokenPassword = $this->isTokenPassword($password);
|
||||
try {
|
||||
$isTokenPassword = $this->isTokenPassword($password);
|
||||
} catch (ExpiredTokenException $e) {
|
||||
// Just return on an expired token no need to check further or record a failed login
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
|
||||
throw new PasswordLoginForbiddenException();
|
||||
}
|
||||
|
@ -474,11 +481,14 @@ class Session implements IUserSession, Emitter {
|
|||
*
|
||||
* @param string $password
|
||||
* @return boolean
|
||||
* @throws ExpiredTokenException
|
||||
*/
|
||||
public function isTokenPassword($password) {
|
||||
try {
|
||||
$this->tokenProvider->getToken($password);
|
||||
return true;
|
||||
} catch (ExpiredTokenException $e) {
|
||||
throw $e;
|
||||
} catch (InvalidTokenException $ex) {
|
||||
return false;
|
||||
}
|
||||
|
|
|
@ -22,18 +22,17 @@
|
|||
|
||||
namespace Test\Authentication\Token;
|
||||
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Token\DefaultToken;
|
||||
use OC\Authentication\Token\DefaultTokenMapper;
|
||||
use OC\Authentication\Token\DefaultTokenProvider;
|
||||
use OC\Authentication\Token\ExpiredTokenException;
|
||||
use OC\Authentication\Token\IToken;
|
||||
use OC\Authentication\Token\PublicKeyToken;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IConfig;
|
||||
use OCP\ILogger;
|
||||
use OCP\IUser;
|
||||
use OCP\Security\ICrypto;
|
||||
use Test\TestCase;
|
||||
|
||||
|
|
|
@ -23,19 +23,17 @@
|
|||
|
||||
namespace Test\Authentication\Token;
|
||||
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
use OC\Authentication\Token\DefaultToken;
|
||||
use OC\Authentication\Token\PublicKeyToken;
|
||||
use OC\Authentication\Token\PublicKeyTokenMapper;
|
||||
use OC\Authentication\Token\PublicKeyTokenProvider;
|
||||
use OC\Authentication\Token\ExpiredTokenException;
|
||||
use OC\Authentication\Token\IToken;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IConfig;
|
||||
use OCP\ILogger;
|
||||
use OCP\IUser;
|
||||
use OCP\Security\ICrypto;
|
||||
use Test\TestCase;
|
||||
|
||||
|
|
Loading…
Reference in New Issue