From db34671626e1172624f369433da76bb7d41faf24 Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Fri, 24 Jun 2016 13:57:09 +0200 Subject: [PATCH] check login name when authenticating with client token --- lib/private/User/Session.php | 13 +++++++++++-- tests/lib/User/SessionTest.php | 30 ++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 2b65f31af2..6219a89e5b 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter { */ public function login($uid, $password) { $this->session->regenerateId(); - if ($this->validateToken($password)) { + if ($this->validateToken($password, $uid)) { // When logging in with token, the password must be decrypted first before passing to login hook try { $token = $this->tokenProvider->getToken($password); @@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter { * Invalidates the token if checks fail * * @param string $token + * @param string $user login name * @return boolean */ - private function validateToken($token) { + private function validateToken($token, $user = null) { try { $dbToken = $this->tokenProvider->getToken($token); } catch (InvalidTokenException $ex) { return false; } + // Check if login names match + if (!is_null($user) && $dbToken->getLoginName() !== $user) { + // TODO: this makes it imposssible to use different login names on browser and client + // e.g. login by e-mail 'user@example.com' on browser for generating the token will not + // allow to use the client token with the login name 'user'. + return false; + } + if (!$this->checkTokenCredentials($dbToken, $token)) { return false; } diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php index eef4c7ff5e..447c6142f3 100644 --- a/tests/lib/User/SessionTest.php +++ b/tests/lib/User/SessionTest.php @@ -314,6 +314,36 @@ class SessionTest extends \Test\TestCase { $userSession->login('foo', 'bar'); } + /** + * When using a device token, the loginname must match the one that was used + * when generating the token on the browser. + */ + public function testLoginWithDifferentTokenLoginName() { + $session = $this->getMock('\OC\Session\Memory', array(), array('')); + $manager = $this->getMock('\OC\User\Manager'); + $backend = $this->getMock('\Test\Util\User\Dummy'); + $userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config); + $username = 'user123'; + $token = new \OC\Authentication\Token\DefaultToken(); + $token->setLoginName($username); + + $session->expects($this->never()) + ->method('set'); + $session->expects($this->once()) + ->method('regenerateId'); + $this->tokenProvider->expects($this->once()) + ->method('getToken') + ->with('bar') + ->will($this->returnValue($token)); + + $manager->expects($this->once()) + ->method('checkPassword') + ->with('foo', 'bar') + ->will($this->returnValue(false)); + + $userSession->login('foo', 'bar'); + } + /** * @expectedException \OC\Authentication\Exceptions\PasswordLoginForbiddenException */