token based auth

* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if a auth token exists
* create new token for the browser session if none exists
hash stored token; save user agent
* encrypt login password when creating the token
This commit is contained in:
Christoph Wurst 2016-04-25 14:10:55 +02:00 committed by Thomas Müller
parent f39e163d4a
commit d8cde414bd
No known key found for this signature in database
GPG Key ID: A943788A3BBEC44C
16 changed files with 596 additions and 250 deletions

View File

@ -1,6 +1,7 @@
<?php <?php
/** /**
* @author Bernhard Posselt <dev@bernhard-posselt.com> * @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Christoph Wurst <christoph@owncloud.com>
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* @author Morris Jobke <hey@morrisjobke.de> * @author Morris Jobke <hey@morrisjobke.de>
* @author Roeland Jago Douma <rullzer@owncloud.com> * @author Roeland Jago Douma <rullzer@owncloud.com>
@ -28,12 +29,13 @@ namespace OC\Core;
use OC\AppFramework\Utility\SimpleContainer; use OC\AppFramework\Utility\SimpleContainer;
use OC\AppFramework\Utility\TimeFactory; use OC\AppFramework\Utility\TimeFactory;
use OC\Core\Controller\AvatarController;
use OC\Core\Controller\LoginController; use OC\Core\Controller\LoginController;
use \OCP\AppFramework\App;
use OC\Core\Controller\LostController; use OC\Core\Controller\LostController;
use OC\Core\Controller\UserController; use OC\Core\Controller\UserController;
use OC\Core\Controller\AvatarController; use OC_Defaults;
use \OCP\Util; use OCP\AppFramework\App;
use OCP\Util;
/** /**
* Class Application * Class Application
@ -132,6 +134,9 @@ class Application extends App {
$container->registerService('UserSession', function(SimpleContainer $c) { $container->registerService('UserSession', function(SimpleContainer $c) {
return $c->query('ServerContainer')->getUserSession(); return $c->query('ServerContainer')->getUserSession();
}); });
$container->registerService('Session', function(SimpleContainer $c) {
return $c->query('ServerContainer')->getSession();
});
$container->registerService('Cache', function(SimpleContainer $c) { $container->registerService('Cache', function(SimpleContainer $c) {
return $c->query('ServerContainer')->getCache(); return $c->query('ServerContainer')->getCache();
}); });
@ -139,7 +144,7 @@ class Application extends App {
return $c->query('ServerContainer')->getUserFolder(); return $c->query('ServerContainer')->getUserFolder();
}); });
$container->registerService('Defaults', function() { $container->registerService('Defaults', function() {
return new \OC_Defaults; return new OC_Defaults;
}); });
$container->registerService('Mailer', function(SimpleContainer $c) { $container->registerService('Mailer', function(SimpleContainer $c) {
return $c->query('ServerContainer')->getMailer(); return $c->query('ServerContainer')->getMailer();

View File

@ -1,5 +1,7 @@
<?php <?php
/** /**
* @author Christoph Wurst <christoph@owncloud.com>
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* *
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
@ -21,7 +23,11 @@
namespace OC\Core\Controller; namespace OC\Core\Controller;
use OC\Setup; use OC;
use OC\User\Session;
use OC_App;
use OC_User;
use OC_Util;
use OCP\AppFramework\Controller; use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Http\TemplateResponse;
@ -31,17 +37,21 @@ use OCP\ISession;
use OCP\IURLGenerator; use OCP\IURLGenerator;
use OCP\IUser; use OCP\IUser;
use OCP\IUserManager; use OCP\IUserManager;
use OCP\IUserSession;
class LoginController extends Controller { class LoginController extends Controller {
/** @var IUserManager */ /** @var IUserManager */
private $userManager; private $userManager;
/** @var IConfig */ /** @var IConfig */
private $config; private $config;
/** @var ISession */ /** @var ISession */
private $session; private $session;
/** @var IUserSession */
/** @var Session */
private $userSession; private $userSession;
/** @var IURLGenerator */ /** @var IURLGenerator */
private $urlGenerator; private $urlGenerator;
@ -51,16 +61,12 @@ class LoginController extends Controller {
* @param IUserManager $userManager * @param IUserManager $userManager
* @param IConfig $config * @param IConfig $config
* @param ISession $session * @param ISession $session
* @param IUserSession $userSession * @param Session $userSession
* @param IURLGenerator $urlGenerator * @param IURLGenerator $urlGenerator
*/ */
function __construct($appName, function __construct($appName, IRequest $request, IUserManager $userManager,
IRequest $request, IConfig $config, ISession $session, Session $userSession,
IUserManager $userManager, IURLGenerator $urlGenerator) {
IConfig $config,
ISession $session,
IUserSession $userSession,
IURLGenerator $urlGenerator) {
parent::__construct($appName, $request); parent::__construct($appName, $request);
$this->userManager = $userManager; $this->userManager = $userManager;
$this->config = $config; $this->config = $config;
@ -96,18 +102,16 @@ class LoginController extends Controller {
* *
* @return TemplateResponse * @return TemplateResponse
*/ */
public function showLoginForm($user, public function showLoginForm($user, $redirect_url, $remember_login) {
$redirect_url, if ($this->userSession->isLoggedIn()) {
$remember_login) { return new RedirectResponse(OC_Util::getDefaultPageUrl());
if($this->userSession->isLoggedIn()) {
return new RedirectResponse(\OC_Util::getDefaultPageUrl());
} }
$parameters = array(); $parameters = array();
$loginMessages = $this->session->get('loginMessages'); $loginMessages = $this->session->get('loginMessages');
$errors = []; $errors = [];
$messages = []; $messages = [];
if(is_array($loginMessages)) { if (is_array($loginMessages)) {
list($errors, $messages) = $loginMessages; list($errors, $messages) = $loginMessages;
} }
$this->session->remove('loginMessages'); $this->session->remove('loginMessages');
@ -137,8 +141,8 @@ class LoginController extends Controller {
} }
} }
$parameters['alt_login'] = \OC_App::getAlternativeLogIns(); $parameters['alt_login'] = OC_App::getAlternativeLogIns();
$parameters['rememberLoginAllowed'] = \OC_Util::rememberLoginAllowed(); $parameters['rememberLoginAllowed'] = OC_Util::rememberLoginAllowed();
$parameters['rememberLoginState'] = !empty($remember_login) ? $remember_login : 0; $parameters['rememberLoginState'] = !empty($remember_login) ? $remember_login : 0;
if (!is_null($user) && $user !== '') { if (!is_null($user) && $user !== '') {
@ -150,11 +154,36 @@ class LoginController extends Controller {
} }
return new TemplateResponse( return new TemplateResponse(
$this->appName, $this->appName, 'login', $parameters, 'guest'
'login',
$parameters,
'guest'
); );
} }
/**
* @NoCSRFRequired
* @PublicPage
* @UseSession
*
* @param string $user
* @param string $password
* @param string $redirect_url
* @return RedirectResponse
*/
public function tryLogin($user, $password, $redirect_url) {
// TODO: Add all the insane error handling
if ($this->userManager->checkPassword($user, $password) === false) {
return new RedirectResponse($this->urlGenerator->linkToRoute('login#showLoginForm'));
}
$this->userSession->createSessionToken($user, $password);
if (!is_null($redirect_url) && $this->userSession->isLoggedIn()) {
$location = OC::$server->getURLGenerator()->getAbsoluteURL(urldecode($redirect_url));
// Deny the redirect if the URL contains a @
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
if (strpos($location, '@') === false) {
return new RedirectResponse($location);
}
}
// TODO: Show invalid login warning
return new RedirectResponse($this->urlGenerator->linkTo('files', 'index'));
}
} }

View File

@ -42,9 +42,10 @@ $application->registerRoutes($this, [
['name' => 'avatar#postCroppedAvatar', 'url' => '/avatar/cropped', 'verb' => 'POST'], ['name' => 'avatar#postCroppedAvatar', 'url' => '/avatar/cropped', 'verb' => 'POST'],
['name' => 'avatar#getTmpAvatar', 'url' => '/avatar/tmp', 'verb' => 'GET'], ['name' => 'avatar#getTmpAvatar', 'url' => '/avatar/tmp', 'verb' => 'GET'],
['name' => 'avatar#postAvatar', 'url' => '/avatar/', 'verb' => 'POST'], ['name' => 'avatar#postAvatar', 'url' => '/avatar/', 'verb' => 'POST'],
['name' => 'login#tryLogin', 'url' => '/login', 'verb' => 'POST'],
['name' => 'login#showLoginForm', 'url' => '/login', 'verb' => 'GET'], ['name' => 'login#showLoginForm', 'url' => '/login', 'verb' => 'GET'],
['name' => 'login#logout', 'url' => '/logout', 'verb' => 'GET'], ['name' => 'login#logout', 'url' => '/logout', 'verb' => 'GET'],
] ],
]); ]);
// Post installation check // Post installation check

View File

@ -9,7 +9,7 @@ script('core', [
?> ?>
<!--[if IE 8]><style>input[type="checkbox"]{padding:0;}</style><![endif]--> <!--[if IE 8]><style>input[type="checkbox"]{padding:0;}</style><![endif]-->
<form method="post" name="login" action="<?php p(OC::$WEBROOT) ?>/"> <form method="post" name="login">
<fieldset> <fieldset>
<?php if (!empty($_['redirect_url'])) { <?php if (!empty($_['redirect_url'])) {
print_unescaped('<input type="hidden" name="redirect_url" value="' . \OCP\Util::sanitizeHTML($_['redirect_url']) . '">'); print_unescaped('<input type="hidden" name="redirect_url" value="' . \OCP\Util::sanitizeHTML($_['redirect_url']) . '">');

View File

@ -1031,6 +1031,66 @@
</table> </table>
<table>
<name>*dbprefix*authtoken</name>
<declaration>
<field>
<name>id</name>
<type>integer</type>
<default>0</default>
<notnull>true</notnull>
<autoincrement>1</autoincrement>
<unsigned>true</unsigned>
<length>4</length>
</field>
<!-- Foreign Key users::uid -->
<field>
<name>uid</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>64</length>
</field>
<field>
<name>password</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>100</length>
</field>
<field>
<name>name</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>100</length>
</field>
<field>
<name>token</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>100</length>
</field>
<index>
<name>authtoken_token_index</name>
<unique>true</unique>
<field>
<name>token</name>
<sorting>ascending</sorting>
</field>
</index>
</declaration>
</table>
<table> <table>
<!-- <!--

View File

@ -856,7 +856,10 @@ class OC {
} else { } else {
// For guests: Load only filesystem and logging // For guests: Load only filesystem and logging
OC_App::loadApps(array('filesystem', 'logging')); OC_App::loadApps(array('filesystem', 'logging'));
\OC_User::tryBasicAuthLogin(); $userSession = self::$server->getUserSession();
if (!$userSession->tryTokenLogin()) {
$userSession->tryBasicAuthLogin();
}
} }
} }
@ -878,17 +881,6 @@ class OC {
} }
} }
// Handle redirect URL for logged in users
if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
$location = \OC::$server->getURLGenerator()->getAbsoluteURL(urldecode($_REQUEST['redirect_url']));
// Deny the redirect if the URL contains a @
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
if (strpos($location, '@') === false) {
header('Location: ' . $location);
return;
}
}
// Handle WebDAV // Handle WebDAV
if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {
// not allowed any more to prevent people // not allowed any more to prevent people
@ -904,11 +896,12 @@ class OC {
OC_App::loadApps(); OC_App::loadApps();
OC_User::setupBackends(); OC_User::setupBackends();
OC_Util::setupFS(); OC_Util::setupFS();
// FIXME
// Redirect to default application // Redirect to default application
OC_Util::redirectToDefaultPage(); OC_Util::redirectToDefaultPage();
} else { } else {
// Not handled and not logged in // Not handled and not logged in
self::handleLogin(); header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute('core.login.showLoginForm'));
} }
} }
@ -932,163 +925,6 @@ class OC {
} }
} }
} }
protected static function handleLogin() {
OC_App::loadApps(array('prelogin'));
$error = array();
$messages = [];
try {
// auth possible via apache module?
if (OC::tryApacheAuth()) {
$error[] = 'apacheauthfailed';
} // remember was checked after last login
elseif (OC::tryRememberLogin()) {
$error[] = 'invalidcookie';
} // logon via web form
elseif (OC::tryFormLogin()) {
$error[] = 'invalidpassword';
}
} catch (\OC\User\LoginException $e) {
$messages[] = $e->getMessage();
} catch (\Exception $ex) {
\OCP\Util::logException('handleLogin', $ex);
// do not disclose information. show generic error
$error[] = 'internalexception';
}
if(!\OC::$server->getUserSession()->isLoggedIn()) {
$loginMessages = array(array_unique($error), $messages);
\OC::$server->getSession()->set('loginMessages', $loginMessages);
// Read current user and append if possible
$args = [];
if(isset($_POST['user'])) {
$args['user'] = $_POST['user'];
}
$redirectionTarget = \OC::$server->getURLGenerator()->linkToRoute('core.login.showLoginForm', $args);
header('Location: ' . $redirectionTarget);
}
}
/**
* Remove outdated and therefore invalid tokens for a user
* @param string $user
*/
protected static function cleanupLoginTokens($user) {
$config = \OC::$server->getConfig();
$cutoff = time() - $config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
$tokens = $config->getUserKeys($user, 'login_token');
foreach ($tokens as $token) {
$time = $config->getUserValue($user, 'login_token', $token);
if ($time < $cutoff) {
$config->deleteUserValue($user, 'login_token', $token);
}
}
}
/**
* Try to login a user via HTTP authentication
* @return bool|void
*/
protected static function tryApacheAuth() {
$return = OC_User::handleApacheAuth();
// if return is true we are logged in -> redirect to the default page
if ($return === true) {
$_REQUEST['redirect_url'] = \OC::$server->getRequest()->getRequestUri();
OC_Util::redirectToDefaultPage();
exit;
}
// in case $return is null apache based auth is not enabled
return is_null($return) ? false : true;
}
/**
* Try to login a user using the remember me cookie.
* @return bool Whether the provided cookie was valid
*/
protected static function tryRememberLogin() {
if (!isset($_COOKIE["oc_remember_login"])
|| !isset($_COOKIE["oc_token"])
|| !isset($_COOKIE["oc_username"])
|| !$_COOKIE["oc_remember_login"]
|| !OC_Util::rememberLoginAllowed()
) {
return false;
}
if (\OC::$server->getConfig()->getSystemValue('debug', false)) {
\OCP\Util::writeLog('core', 'Trying to login from cookie', \OCP\Util::DEBUG);
}
if(OC_User::userExists($_COOKIE['oc_username'])) {
self::cleanupLoginTokens($_COOKIE['oc_username']);
// verify whether the supplied "remember me" token was valid
$granted = OC_User::loginWithCookie(
$_COOKIE['oc_username'], $_COOKIE['oc_token']);
if($granted === true) {
OC_Util::redirectToDefaultPage();
// doesn't return
}
\OCP\Util::writeLog('core', 'Authentication cookie rejected for user ' .
$_COOKIE['oc_username'], \OCP\Util::WARN);
// if you reach this point you have changed your password
// or you are an attacker
// we can not delete tokens here because users may reach
// this point multiple times after a password change
}
OC_User::unsetMagicInCookie();
return true;
}
/**
* Tries to login a user using the form based authentication
* @return bool|void
*/
protected static function tryFormLogin() {
if (!isset($_POST["user"]) || !isset($_POST['password'])) {
return false;
}
if(!(\OC::$server->getRequest()->passesCSRFCheck())) {
return false;
}
OC_App::loadApps();
//setup extra user backends
OC_User::setupBackends();
if (OC_User::login((string)$_POST["user"], (string)$_POST["password"])) {
$userId = OC_User::getUser();
// setting up the time zone
if (isset($_POST['timezone-offset'])) {
self::$server->getSession()->set('timezone', (string)$_POST['timezone-offset']);
self::$server->getConfig()->setUserValue($userId, 'core', 'timezone', (string)$_POST['timezone']);
}
self::cleanupLoginTokens($userId);
if (!empty($_POST["remember_login"])) {
$config = self::$server->getConfig();
if ($config->getSystemValue('debug', false)) {
self::$server->getLogger()->debug('Setting remember login to cookie', array('app' => 'core'));
}
$token = \OC::$server->getSecureRandom()->generate(32);
$config->setUserValue($userId, 'login_token', $token, time());
OC_User::setMagicInCookie($userId, $token);
} else {
OC_User::unsetMagicInCookie();
}
OC_Util::redirectToDefaultPage();
exit();
}
return true;
}
} }
OC::init(); OC::init();

View File

@ -0,0 +1,29 @@
<?php
/**
* @author Christoph Wurst <christoph@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Authentication\Exceptions;
use Exception;
class InvalidTokenException extends Exception {
}

View File

@ -0,0 +1,58 @@
<?php
/**
* @author Christoph Wurst <christoph@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Authentication\Token;
use OCP\AppFramework\Db\Entity;
class DefaultToken extends Entity implements IToken {
/**
* @var string user UID
*/
protected $uid;
/**
* @var string encrypted user password
*/
protected $password;
/**
* @var string token name (e.g. browser/OS)
*/
protected $name;
/**
* @var string
*/
protected $token;
/**
* Get the token ID
*
* @return string
*/
public function getId() {
return $token;
}
}

View File

@ -0,0 +1,43 @@
<?php
/**
* @author Christoph Wurst <christoph@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Authentication\Token;
use OCP\AppFramework\Db\Mapper;
use OCP\IDBConnection;
class DefaultTokenMapper extends Mapper {
public function __construct(IDBConnection $db) {
parent::__construct($db, 'authtoken');
}
public function getTokenUser($token) {
$sql = 'SELECT `uid` '
. 'FROM `' . $this->getTableName() . '` '
. 'WHERE `token` = ?';
return $this->findEntity($sql, [
$token
]);
}
}

View File

@ -0,0 +1,91 @@
<?php
/**
* @author Christoph Wurst <christoph@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Authentication\Token;
use OC\Authentication\Exceptions\InvalidTokenException;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\IConfig;
use OCP\ILogger;
use OCP\Security\ICrypto;
class DefaultTokenProvider implements IProvider {
/** @var DefaultTokenMapper */
private $mapper;
/** @var ICrypto */
private $crypto;
/** @var IConfig */
private $config;
/** @var ILogger $logger */
private $logger;
public function __construct(DefaultTokenMapper $mapper, ICrypto $crypto,
IConfig $config, ILogger $logger) {
$this->mapper = $mapper;
$this->crypto = $crypto;
$this->config = $config;
$this->logger = $logger;
}
/**
* Create and persist a new token
*
* @param string $token
* @param string $uid
* @param string $password
* @return DefaultToken
*/
public function generateToken($token, $uid, $password, $name) {
$dbToken = new DefaultToken();
$dbToken->setUid($uid);
$secret = $this->config->getSystemValue('secret');
$dbToken->setPassword($this->crypto->encrypt($password . $secret));
$dbToken->setName($name);
$dbToken->setToken(hash('sha512', $token));
$this->mapper->insert($dbToken);
return $dbToken;
}
/**
* @param string $token
* @throws InvalidTokenException
* @return string user UID
*/
public function validateToken($token) {
$this->logger->debug('validating default token <' . $token . '>');
try {
$dbToken = $this->mapper->getTokenUser(hash('sha512', $token));
$this->logger->debug('valid token for ' . $dbToken->getUid());
return $dbToken->getUid();
} catch (DoesNotExistException $ex) {
$this->logger->warning('invalid token');
throw new InvalidTokenException();
}
}
}

View File

@ -0,0 +1,35 @@
<?php
/**
* @author Christoph Wurst <christoph@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Authentication\Token;
use OC\Authentication\Exceptions\InvalidTokenException;
interface IProvider {
/**
* @param string $token
* @throws InvalidTokenException
* @return string user UID
*/
public function validateToken($token);
}

View File

@ -0,0 +1,36 @@
<?php
/**
* @author Christoph Wurst <christoph@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Authentication\Token;
/**
* @since 9.1.0
*/
interface IToken {
/**
* Get the token ID
*
* @return string
*/
public function getId();
}

View File

@ -5,6 +5,7 @@
* @author Bernhard Posselt <dev@bernhard-posselt.com> * @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Bernhard Reiter <ockham@raz.or.at> * @author Bernhard Reiter <ockham@raz.or.at>
* @author Björn Schießle <schiessle@owncloud.com> * @author Björn Schießle <schiessle@owncloud.com>
* @author Christoph Wurst <christoph@owncloud.com>
* @author Christopher Schäpers <kondou@ts.unde.re> * @author Christopher Schäpers <kondou@ts.unde.re>
* @author Joas Schilling <nickvergessen@owncloud.com> * @author Joas Schilling <nickvergessen@owncloud.com>
* @author Jörn Friedrich Dreyer <jfd@butonic.de> * @author Jörn Friedrich Dreyer <jfd@butonic.de>
@ -208,12 +209,26 @@ class Server extends ServerContainer implements IServerContainer {
}); });
return $groupManager; return $groupManager;
}); });
$this->registerService('DefaultTokenMapper', function (Server $c) {
$dbConnection = $c->getDatabaseConnection();
return new Authentication\Token\DefaultTokenMapper($dbConnection);
});
$this->registerService('DefaultTokenProvider', function (Server $c) {
$mapper = $c->query('DefaultTokenMapper');
$crypto = $c->getCrypto();
$config = $c->getConfig();
$logger = $c->getLogger();
return new \OC\Authentication\Token\DefaultTokenProvider($mapper, $crypto, $config, $logger);
});
$this->registerService('UserSession', function (Server $c) { $this->registerService('UserSession', function (Server $c) {
$manager = $c->getUserManager(); $manager = $c->getUserManager();
$session = new \OC\Session\Memory(''); $session = new \OC\Session\Memory('');
$defaultTokenProvider = $c->query('DefaultTokenProvider');
$tokenProviders = [
$defaultTokenProvider,
];
$userSession = new \OC\User\Session($manager, $session); $userSession = new \OC\User\Session($manager, $session, $defaultTokenProvider, $tokenProviders);
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) { $userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password)); \OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
}); });

View File

@ -1,7 +1,9 @@
<?php <?php
/** /**
* @author Arthur Schiwon <blizzz@owncloud.com> * @author Arthur Schiwon <blizzz@owncloud.com>
* @author Bernhard Posselt <dev@bernhard-posselt.com> * @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Christoph Wurst <christoph@owncloud.com>
* @author Joas Schilling <nickvergessen@owncloud.com> * @author Joas Schilling <nickvergessen@owncloud.com>
* @author Jörn Friedrich Dreyer <jfd@butonic.de> * @author Jörn Friedrich Dreyer <jfd@butonic.de>
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
@ -31,8 +33,17 @@
namespace OC\User; namespace OC\User;
use OC;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Token\DefaultTokenProvider;
use OC\Authentication\Token\IProvider;
use OC\Hooks\Emitter; use OC\Hooks\Emitter;
use OC\Session\Session;
use OC_User;
use OCA\DAV\Connector\Sabre\Auth;
use OCP\IRequest;
use OCP\ISession; use OCP\ISession;
use OCP\IUser;
use OCP\IUserManager; use OCP\IUserManager;
use OCP\IUserSession; use OCP\IUserSession;
@ -55,22 +66,42 @@ use OCP\IUserSession;
* @package OC\User * @package OC\User
*/ */
class Session implements IUserSession, Emitter { class Session implements IUserSession, Emitter {
/** @var \OC\User\Manager $manager */
/*
* @var Manager $manager
*/
private $manager; private $manager;
/** @var \OC\Session\Session $session */ /*
* @var Session $session
*/
private $session; private $session;
/** @var \OC\User\User $activeUser */ /*
* @var DefaultTokenProvider
*/
private $tokenProvider;
/**
* @var IProvider[]
*/
private $tokenProviders;
/**
* @var User $activeUser
protected $activeUser; protected $activeUser;
/** /**
* @param IUserManager $manager * @param IUserManager $manager
* @param ISession $session * @param ISession $session
* @param IProvider[] $tokenProviders
*/ */
public function __construct(IUserManager $manager, ISession $session) { public function __construct(IUserManager $manager, ISession $session,
DefaultTokenProvider $tokenProvider, array $tokenProviders = []) {
$this->manager = $manager; $this->manager = $manager;
$this->session = $session; $this->session = $session;
$this->tokenProvider = $tokenProvider;
$this->tokenProviders = $tokenProviders;
} }
/** /**
@ -87,14 +118,15 @@ class Session implements IUserSession, Emitter {
* @param string $method optional * @param string $method optional
* @param callable $callback optional * @param callable $callback optional
*/ */
public function removeListener($scope = null, $method = null, callable $callback = null) { public function removeListener($scope = null, $method = null,
callable $callback = null) {
$this->manager->removeListener($scope, $method, $callback); $this->manager->removeListener($scope, $method, $callback);
} }
/** /**
* get the manager object * get the manager object
* *
* @return \OC\User\Manager * @return Manager
*/ */
public function getManager() { public function getManager() {
return $this->manager; return $this->manager;
@ -125,7 +157,7 @@ class Session implements IUserSession, Emitter {
/** /**
* set the currently active user * set the currently active user
* *
* @param \OC\User\User|null $user * @param User|null $user
*/ */
public function setUser($user) { public function setUser($user) {
if (is_null($user)) { if (is_null($user)) {
@ -139,12 +171,12 @@ class Session implements IUserSession, Emitter {
/** /**
* get the current active user * get the current active user
* *
* @return \OCP\IUser|null Current user, otherwise null * @return IUser|null Current user, otherwise null
*/ */
public function getUser() { public function getUser() {
// FIXME: This is a quick'n dirty work-around for the incognito mode as // FIXME: This is a quick'n dirty work-around for the incognito mode as
// described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155 // described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
if (\OC_User::isIncognitoMode()) { if (OC_User::isIncognitoMode()) {
return null; return null;
} }
if ($this->activeUser) { if ($this->activeUser) {
@ -241,6 +273,101 @@ class Session implements IUserSession, Emitter {
return false; return false;
} }
/**
* Tries to login the user with HTTP Basic Authentication
*/
public function tryBasicAuthLogin() {
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
$result = $this->login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($result === true) {
/**
* Add DAV authenticated. This should in an ideal world not be
* necessary but the iOS App reads cookies from anywhere instead
* only the DAV endpoint.
* This makes sure that the cookies will be valid for the whole scope
* @see https://github.com/owncloud/core/issues/22893
*/
$this->session->set(
Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
);
}
}
}
private function loginWithToken($uid) {
//$this->manager->emit('\OC\User', 'preTokenLogin', array($uid));
$user = $this->manager->get($uid);
if (is_null($user)) {
// user does not exist
return false;
}
//login
$this->setUser($user);
//$this->manager->emit('\OC\User', 'postTokenLogin', array($user));
return true;
}
/**
* Create a new session token for the given user credentials
*
* @param string $uid user UID
* @param string $password
* @return boolean
*/
public function createSessionToken($uid, $password) {
if (is_null($this->manager->get($uid))) {
// User does not exist
return false;
}
$name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown device';
$token = $this->tokenProvider->generateToken($token, $uid, $password, $name);
return $this->loginWithToken($uid);
}
/**
* @param string $token
* @return boolean
*/
private function validateToken(IRequest $request, $token) {
// TODO: hash token
foreach ($this->tokenProviders as $provider) {
try {
$user = $provider->validateToken($token);
if (!is_null($user)) {
$result = $this->loginWithToken($user);
if ($result) {
// Login success
return true;
}
}
} catch (InvalidTokenException $ex) {
}
}
return false;
}
/**
* Tries to login the user with auth token header
*
* @todo check remember me cookie
*/
public function tryTokenLogin() {
// TODO: resolve cyclic dependency and inject IRequest somehow
$request = \OC::$server->getRequest();
$authHeader = $request->getHeader('Authorization');
if (strpos($authHeader, 'token ') === false) {
// No auth header, let's try session id
// TODO: use ISession::getId(), https://github.com/owncloud/core/pull/24229
$sessionId = session_id();
return $this->validateToken($request, $sessionId);
} else {
$token = substr($authHeader, 6);
return $this->validateToken($request, $token);
}
}
/** /**
* perform login using the magic cookie (remember login) * perform login using the magic cookie (remember login)
* *
@ -258,15 +385,15 @@ class Session implements IUserSession, Emitter {
} }
// get stored tokens // get stored tokens
$tokens = \OC::$server->getConfig()->getUserKeys($uid, 'login_token'); $tokens = OC::$server->getConfig()->getUserKeys($uid, 'login_token');
// test cookies token against stored tokens // test cookies token against stored tokens
if (!in_array($currentToken, $tokens, true)) { if (!in_array($currentToken, $tokens, true)) {
return false; return false;
} }
// replace successfully used token with a new one // replace successfully used token with a new one
\OC::$server->getConfig()->deleteUserValue($uid, 'login_token', $currentToken); OC::$server->getConfig()->deleteUserValue($uid, 'login_token', $currentToken);
$newToken = \OC::$server->getSecureRandom()->generate(32); $newToken = OC::$server->getSecureRandom()->generate(32);
\OC::$server->getConfig()->setUserValue($uid, 'login_token', $newToken, time()); OC::$server->getConfig()->setUserValue($uid, 'login_token', $newToken, time());
$this->setMagicInCookie($user->getUID(), $newToken); $this->setMagicInCookie($user->getUID(), $newToken);
//login //login
@ -293,11 +420,11 @@ class Session implements IUserSession, Emitter {
* @param string $token * @param string $token
*/ */
public function setMagicInCookie($username, $token) { public function setMagicInCookie($username, $token) {
$secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https'; $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
$expires = time() + \OC::$server->getConfig()->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); $expires = time() + OC::$server->getConfig()->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
setcookie("oc_username", $username, $expires, \OC::$WEBROOT, '', $secureCookie, true); setcookie("oc_username", $username, $expires, OC::$WEBROOT, '', $secureCookie, true);
setcookie("oc_token", $token, $expires, \OC::$WEBROOT, '', $secureCookie, true); setcookie("oc_token", $token, $expires, OC::$WEBROOT, '', $secureCookie, true);
setcookie("oc_remember_login", "1", $expires, \OC::$WEBROOT, '', $secureCookie, true); setcookie("oc_remember_login", "1", $expires, OC::$WEBROOT, '', $secureCookie, true);
} }
/** /**
@ -305,18 +432,19 @@ class Session implements IUserSession, Emitter {
*/ */
public function unsetMagicInCookie() { public function unsetMagicInCookie() {
//TODO: DI for cookies and IRequest //TODO: DI for cookies and IRequest
$secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https'; $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
unset($_COOKIE["oc_username"]); //TODO: DI unset($_COOKIE["oc_username"]); //TODO: DI
unset($_COOKIE["oc_token"]); unset($_COOKIE["oc_token"]);
unset($_COOKIE["oc_remember_login"]); unset($_COOKIE["oc_remember_login"]);
setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT, '',$secureCookie, true); setcookie('oc_username', '', time() - 3600, OC::$WEBROOT, '', $secureCookie, true);
setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true); setcookie('oc_token', '', time() - 3600, OC::$WEBROOT, '', $secureCookie, true);
setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true); setcookie('oc_remember_login', '', time() - 3600, OC::$WEBROOT, '', $secureCookie, true);
// old cookies might be stored under /webroot/ instead of /webroot // old cookies might be stored under /webroot/ instead of /webroot
// and Firefox doesn't like it! // and Firefox doesn't like it!
setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true); setcookie('oc_username', '', time() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true); setcookie('oc_token', '', time() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true); setcookie('oc_remember_login', '', time() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
} }
} }

View File

@ -6,6 +6,7 @@
* @author Bart Visscher <bartv@thisnet.nl> * @author Bart Visscher <bartv@thisnet.nl>
* @author Bartek Przybylski <bart.p.pl@gmail.com> * @author Bartek Przybylski <bart.p.pl@gmail.com>
* @author Björn Schießle <schiessle@owncloud.com> * @author Björn Schießle <schiessle@owncloud.com>
* @author Christoph Wurst <christoph@owncloud.com>
* @author Florian Preinstorfer <nblock@archlinux.us> * @author Florian Preinstorfer <nblock@archlinux.us>
* @author Georg Ehrke <georg@owncloud.com> * @author Georg Ehrke <georg@owncloud.com>
* @author Jakob Sack <mail@jakobsack.de> * @author Jakob Sack <mail@jakobsack.de>
@ -155,6 +156,8 @@ class OC_User {
* @return boolean|null * @return boolean|null
* *
* Log in a user and regenerate a new session - if the password is ok * Log in a user and regenerate a new session - if the password is ok
*
* @deprecated Use \OCP\IUserSession::login
*/ */
public static function login($loginName, $password) { public static function login($loginName, $password) {
@ -283,28 +286,6 @@ class OC_User {
} }
} }
/**
* Tries to login the user with HTTP Basic Authentication
*/
public static function tryBasicAuthLogin() {
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
$result = \OC_User::login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if($result === true) {
/**
* Add DAV authenticated. This should in an ideal world not be
* necessary but the iOS App reads cookies from anywhere instead
* only the DAV endpoint.
* This makes sure that the cookies will be valid for the whole scope
* @see https://github.com/owncloud/core/issues/22893
*/
\OC::$server->getSession()->set(
\OCA\DAV\Connector\Sabre\Auth::DAV_AUTHENTICATED,
\OC::$server->getUserSession()->getUser()->getUID()
);
}
}
}
/** /**
* Check if the user is logged in, considers also the HTTP basic credentials * Check if the user is logged in, considers also the HTTP basic credentials
* *

View File

@ -957,8 +957,7 @@ class OC_Util {
public static function checkLoggedIn() { public static function checkLoggedIn() {
// Check if we are a user // Check if we are a user
if (!OC_User::isLoggedIn()) { if (!OC_User::isLoggedIn()) {
header('Location: ' . \OC::$server->getURLGenerator()->linkToRoute( header('Location: ' . \OCP\Util::linkToAbsolute('', 'index.php',
'core.login.showLoginForm',
[ [
'redirect_url' => \OC::$server->getRequest()->getRequestUri() 'redirect_url' => \OC::$server->getRequest()->getRequestUri()
] ]