Merge pull request #12212 from nextcloud/backport/12140/stable13
[13] Expired tokens should not trigger bruteforce protection
This commit is contained in:
commit
afed9ae664
|
@ -22,7 +22,7 @@
|
||||||
namespace OCA\OAuth2\Controller;
|
namespace OCA\OAuth2\Controller;
|
||||||
|
|
||||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||||
use OC\Authentication\Token\ExpiredTokenException;
|
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||||
use OC\Authentication\Token\IProvider as TokenProvider;
|
use OC\Authentication\Token\IProvider as TokenProvider;
|
||||||
use OC\Security\Bruteforce\Throttler;
|
use OC\Security\Bruteforce\Throttler;
|
||||||
use OCA\OAuth2\Db\AccessTokenMapper;
|
use OCA\OAuth2\Db\AccessTokenMapper;
|
||||||
|
|
|
@ -22,11 +22,9 @@
|
||||||
namespace OCA\OAuth2\Tests\Controller;
|
namespace OCA\OAuth2\Tests\Controller;
|
||||||
|
|
||||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||||
|
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||||
use OC\Authentication\Token\DefaultToken;
|
use OC\Authentication\Token\DefaultToken;
|
||||||
use OC\Authentication\Token\DefaultTokenMapper;
|
|
||||||
use OC\Authentication\Token\ExpiredTokenException;
|
|
||||||
use OC\Authentication\Token\IProvider as TokenProvider;
|
use OC\Authentication\Token\IProvider as TokenProvider;
|
||||||
use OC\Authentication\Token\IToken;
|
|
||||||
use OC\Security\Bruteforce\Throttler;
|
use OC\Security\Bruteforce\Throttler;
|
||||||
use OCA\OAuth2\Controller\OauthApiController;
|
use OCA\OAuth2\Controller\OauthApiController;
|
||||||
use OCA\OAuth2\Db\AccessToken;
|
use OCA\OAuth2\Db\AccessToken;
|
||||||
|
|
|
@ -382,6 +382,7 @@ return array(
|
||||||
'OC\\Archive\\Archive' => $baseDir . '/lib/private/Archive/Archive.php',
|
'OC\\Archive\\Archive' => $baseDir . '/lib/private/Archive/Archive.php',
|
||||||
'OC\\Archive\\TAR' => $baseDir . '/lib/private/Archive/TAR.php',
|
'OC\\Archive\\TAR' => $baseDir . '/lib/private/Archive/TAR.php',
|
||||||
'OC\\Archive\\ZIP' => $baseDir . '/lib/private/Archive/ZIP.php',
|
'OC\\Archive\\ZIP' => $baseDir . '/lib/private/Archive/ZIP.php',
|
||||||
|
'OC\\Authentication\\Exceptions\\ExpiredTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
||||||
'OC\\Authentication\\Exceptions\\InvalidTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
|
'OC\\Authentication\\Exceptions\\InvalidTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
|
||||||
'OC\\Authentication\\Exceptions\\LoginRequiredException' => $baseDir . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
|
'OC\\Authentication\\Exceptions\\LoginRequiredException' => $baseDir . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
|
||||||
'OC\\Authentication\\Exceptions\\PasswordLoginForbiddenException' => $baseDir . '/lib/private/Authentication/Exceptions/PasswordLoginForbiddenException.php',
|
'OC\\Authentication\\Exceptions\\PasswordLoginForbiddenException' => $baseDir . '/lib/private/Authentication/Exceptions/PasswordLoginForbiddenException.php',
|
||||||
|
@ -394,7 +395,6 @@ return array(
|
||||||
'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
|
'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
|
||||||
'OC\\Authentication\\Token\\DefaultTokenMapper' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
|
'OC\\Authentication\\Token\\DefaultTokenMapper' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
|
||||||
'OC\\Authentication\\Token\\DefaultTokenProvider' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
|
'OC\\Authentication\\Token\\DefaultTokenProvider' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
|
||||||
'OC\\Authentication\\Token\\ExpiredTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
|
||||||
'OC\\Authentication\\Token\\IProvider' => $baseDir . '/lib/private/Authentication/Token/IProvider.php',
|
'OC\\Authentication\\Token\\IProvider' => $baseDir . '/lib/private/Authentication/Token/IProvider.php',
|
||||||
'OC\\Authentication\\Token\\IToken' => $baseDir . '/lib/private/Authentication/Token/IToken.php',
|
'OC\\Authentication\\Token\\IToken' => $baseDir . '/lib/private/Authentication/Token/IToken.php',
|
||||||
'OC\\Authentication\\TwoFactorAuth\\Manager' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
|
'OC\\Authentication\\TwoFactorAuth\\Manager' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
|
||||||
|
|
|
@ -412,6 +412,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
||||||
'OC\\Archive\\Archive' => __DIR__ . '/../../..' . '/lib/private/Archive/Archive.php',
|
'OC\\Archive\\Archive' => __DIR__ . '/../../..' . '/lib/private/Archive/Archive.php',
|
||||||
'OC\\Archive\\TAR' => __DIR__ . '/../../..' . '/lib/private/Archive/TAR.php',
|
'OC\\Archive\\TAR' => __DIR__ . '/../../..' . '/lib/private/Archive/TAR.php',
|
||||||
'OC\\Archive\\ZIP' => __DIR__ . '/../../..' . '/lib/private/Archive/ZIP.php',
|
'OC\\Archive\\ZIP' => __DIR__ . '/../../..' . '/lib/private/Archive/ZIP.php',
|
||||||
|
'OC\\Authentication\\Exceptions\\ExpiredTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
||||||
'OC\\Authentication\\Exceptions\\InvalidTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
|
'OC\\Authentication\\Exceptions\\InvalidTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/InvalidTokenException.php',
|
||||||
'OC\\Authentication\\Exceptions\\LoginRequiredException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
|
'OC\\Authentication\\Exceptions\\LoginRequiredException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/LoginRequiredException.php',
|
||||||
'OC\\Authentication\\Exceptions\\PasswordLoginForbiddenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/PasswordLoginForbiddenException.php',
|
'OC\\Authentication\\Exceptions\\PasswordLoginForbiddenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/PasswordLoginForbiddenException.php',
|
||||||
|
@ -424,7 +425,6 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
||||||
'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
|
'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
|
||||||
'OC\\Authentication\\Token\\DefaultTokenMapper' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
|
'OC\\Authentication\\Token\\DefaultTokenMapper' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
|
||||||
'OC\\Authentication\\Token\\DefaultTokenProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
|
'OC\\Authentication\\Token\\DefaultTokenProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
|
||||||
'OC\\Authentication\\Token\\ExpiredTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
|
|
||||||
'OC\\Authentication\\Token\\IProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IProvider.php',
|
'OC\\Authentication\\Token\\IProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IProvider.php',
|
||||||
'OC\\Authentication\\Token\\IToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IToken.php',
|
'OC\\Authentication\\Token\\IToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IToken.php',
|
||||||
'OC\\Authentication\\TwoFactorAuth\\Manager' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
|
'OC\\Authentication\\TwoFactorAuth\\Manager' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
|
||||||
|
|
|
@ -20,9 +20,9 @@
|
||||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
namespace OC\Authentication\Token;
|
namespace OC\Authentication\Exceptions;
|
||||||
|
|
||||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
use OC\Authentication\Token\IToken;
|
||||||
|
|
||||||
class ExpiredTokenException extends InvalidTokenException {
|
class ExpiredTokenException extends InvalidTokenException {
|
||||||
/** @var IToken */
|
/** @var IToken */
|
||||||
|
|
|
@ -28,6 +28,7 @@
|
||||||
namespace OC\Authentication\Token;
|
namespace OC\Authentication\Token;
|
||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
|
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||||
use OCP\AppFramework\Db\DoesNotExistException;
|
use OCP\AppFramework\Db\DoesNotExistException;
|
||||||
|
|
|
@ -25,6 +25,7 @@
|
||||||
|
|
||||||
namespace OC\Authentication\Token;
|
namespace OC\Authentication\Token;
|
||||||
|
|
||||||
|
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||||
use OCP\IUser;
|
use OCP\IUser;
|
||||||
|
|
|
@ -38,6 +38,7 @@
|
||||||
namespace OC\User;
|
namespace OC\User;
|
||||||
|
|
||||||
use OC;
|
use OC;
|
||||||
|
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||||
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
|
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
|
||||||
|
@ -399,7 +400,13 @@ class Session implements IUserSession, Emitter {
|
||||||
$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
|
$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
$isTokenPassword = $this->isTokenPassword($password);
|
$isTokenPassword = $this->isTokenPassword($password);
|
||||||
|
} catch (ExpiredTokenException $e) {
|
||||||
|
// Just return on an expired token no need to check further or record a failed login
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
|
if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
|
||||||
throw new PasswordLoginForbiddenException();
|
throw new PasswordLoginForbiddenException();
|
||||||
}
|
}
|
||||||
|
@ -472,11 +479,14 @@ class Session implements IUserSession, Emitter {
|
||||||
*
|
*
|
||||||
* @param string $password
|
* @param string $password
|
||||||
* @return boolean
|
* @return boolean
|
||||||
|
* @throws ExpiredTokenException
|
||||||
*/
|
*/
|
||||||
public function isTokenPassword($password) {
|
public function isTokenPassword($password) {
|
||||||
try {
|
try {
|
||||||
$this->tokenProvider->getToken($password);
|
$this->tokenProvider->getToken($password);
|
||||||
return true;
|
return true;
|
||||||
|
} catch (ExpiredTokenException $e) {
|
||||||
|
throw $e;
|
||||||
} catch (InvalidTokenException $ex) {
|
} catch (InvalidTokenException $ex) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,17 +22,16 @@
|
||||||
|
|
||||||
namespace Test\Authentication\Token;
|
namespace Test\Authentication\Token;
|
||||||
|
|
||||||
|
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||||
use OC\Authentication\Token\DefaultToken;
|
use OC\Authentication\Token\DefaultToken;
|
||||||
use OC\Authentication\Token\DefaultTokenProvider;
|
use OC\Authentication\Token\DefaultTokenProvider;
|
||||||
use OC\Authentication\Token\ExpiredTokenException;
|
|
||||||
use OC\Authentication\Token\IToken;
|
use OC\Authentication\Token\IToken;
|
||||||
use OCP\AppFramework\Db\DoesNotExistException;
|
use OCP\AppFramework\Db\DoesNotExistException;
|
||||||
use OCP\AppFramework\Db\Mapper;
|
use OCP\AppFramework\Db\Mapper;
|
||||||
use OCP\AppFramework\Utility\ITimeFactory;
|
use OCP\AppFramework\Utility\ITimeFactory;
|
||||||
use OCP\IConfig;
|
use OCP\IConfig;
|
||||||
use OCP\ILogger;
|
use OCP\ILogger;
|
||||||
use OCP\IUser;
|
|
||||||
use OCP\Security\ICrypto;
|
use OCP\Security\ICrypto;
|
||||||
use Test\TestCase;
|
use Test\TestCase;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue