Expire token after 12h and if user logged-in again

As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
This commit is contained in:
Lukas Reschke 2015-08-22 20:42:45 +02:00
parent 510010e774
commit db4cb1dd4d
3 changed files with 142 additions and 15 deletions

View File

@ -27,6 +27,7 @@
namespace OC\Core; namespace OC\Core;
use OC\AppFramework\Utility\SimpleContainer; use OC\AppFramework\Utility\SimpleContainer;
use OC\AppFramework\Utility\TimeFactory;
use \OCP\AppFramework\App; use \OCP\AppFramework\App;
use OC\Core\LostPassword\Controller\LostController; use OC\Core\LostPassword\Controller\LostController;
use OC\Core\User\UserController; use OC\Core\User\UserController;
@ -63,7 +64,8 @@ class Application extends App {
$c->query('SecureRandom'), $c->query('SecureRandom'),
$c->query('DefaultEmailAddress'), $c->query('DefaultEmailAddress'),
$c->query('IsEncryptionEnabled'), $c->query('IsEncryptionEnabled'),
$c->query('Mailer') $c->query('Mailer'),
$c->query('TimeFactory')
); );
}); });
$container->registerService('UserController', function(SimpleContainer $c) { $container->registerService('UserController', function(SimpleContainer $c) {
@ -120,15 +122,15 @@ class Application extends App {
$container->registerService('UserFolder', function(SimpleContainer $c) { $container->registerService('UserFolder', function(SimpleContainer $c) {
return $c->query('ServerContainer')->getUserFolder(); return $c->query('ServerContainer')->getUserFolder();
}); });
$container->registerService('Defaults', function() { $container->registerService('Defaults', function() {
return new \OC_Defaults; return new \OC_Defaults;
}); });
$container->registerService('Mailer', function(SimpleContainer $c) { $container->registerService('Mailer', function(SimpleContainer $c) {
return $c->query('ServerContainer')->getMailer(); return $c->query('ServerContainer')->getMailer();
}); });
$container->registerService('TimeFactory', function(SimpleContainer $c) {
return new TimeFactory();
});
$container->registerService('DefaultEmailAddress', function() { $container->registerService('DefaultEmailAddress', function() {
return Util::getDefaultEmailAddress('lostpassword-noreply'); return Util::getDefaultEmailAddress('lostpassword-noreply');
}); });

View File

@ -28,6 +28,7 @@ namespace OC\Core\LostPassword\Controller;
use \OCP\AppFramework\Controller; use \OCP\AppFramework\Controller;
use \OCP\AppFramework\Http\TemplateResponse; use \OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Utility\ITimeFactory;
use \OCP\IURLGenerator; use \OCP\IURLGenerator;
use \OCP\IRequest; use \OCP\IRequest;
use \OCP\IL10N; use \OCP\IL10N;
@ -66,6 +67,8 @@ class LostController extends Controller {
protected $secureRandom; protected $secureRandom;
/** @var IMailer */ /** @var IMailer */
protected $mailer; protected $mailer;
/** @var ITimeFactory */
protected $timeFactory;
/** /**
* @param string $appName * @param string $appName
@ -79,6 +82,7 @@ class LostController extends Controller {
* @param string $from * @param string $from
* @param string $isDataEncrypted * @param string $isDataEncrypted
* @param IMailer $mailer * @param IMailer $mailer
* @param ITimeFactory $timeFactory
*/ */
public function __construct($appName, public function __construct($appName,
IRequest $request, IRequest $request,
@ -90,7 +94,8 @@ class LostController extends Controller {
ISecureRandom $secureRandom, ISecureRandom $secureRandom,
$from, $from,
$isDataEncrypted, $isDataEncrypted,
IMailer $mailer) { IMailer $mailer,
ITimeFactory $timeFactory) {
parent::__construct($appName, $request); parent::__construct($appName, $request);
$this->urlGenerator = $urlGenerator; $this->urlGenerator = $urlGenerator;
$this->userManager = $userManager; $this->userManager = $userManager;
@ -101,6 +106,7 @@ class LostController extends Controller {
$this->isDataEncrypted = $isDataEncrypted; $this->isDataEncrypted = $isDataEncrypted;
$this->config = $config; $this->config = $config;
$this->mailer = $mailer; $this->mailer = $mailer;
$this->timeFactory = $timeFactory;
} }
/** /**
@ -173,7 +179,17 @@ class LostController extends Controller {
try { try {
$user = $this->userManager->get($userId); $user = $this->userManager->get($userId);
if (!StringUtils::equals($this->config->getUserValue($userId, 'owncloud', 'lostpassword', null), $token)) { $splittedToken = explode(':', $this->config->getUserValue($userId, 'owncloud', 'lostpassword', null));
if(count($splittedToken) !== 2) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
}
if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*12) ||
$user->getLastLogin() > $splittedToken[0]) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired'));
}
if (!StringUtils::equals($splittedToken[1], $token)) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid')); throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
} }
@ -216,12 +232,12 @@ class LostController extends Controller {
ISecureRandom::CHAR_DIGITS. ISecureRandom::CHAR_DIGITS.
ISecureRandom::CHAR_LOWER. ISecureRandom::CHAR_LOWER.
ISecureRandom::CHAR_UPPER); ISecureRandom::CHAR_UPPER);
$this->config->setUserValue($user, 'owncloud', 'lostpassword', $token); $this->config->setUserValue($user, 'owncloud', 'lostpassword', $this->timeFactory->getTime() .':'. $token);
$link = $this->urlGenerator->linkToRouteAbsolute('core.lost.resetform', array('userId' => $user, 'token' => $token)); $link = $this->urlGenerator->linkToRouteAbsolute('core.lost.resetform', array('userId' => $user, 'token' => $token));
$tmpl = new \OC_Template('core/lostpassword', 'email'); $tmpl = new \OC_Template('core/lostpassword', 'email');
$tmpl->assign('link', $link, false); $tmpl->assign('link', $link);
$msg = $tmpl->fetchPage(); $msg = $tmpl->fetchPage();
try { try {

View File

@ -1,9 +1,22 @@
<?php <?php
/** /**
* Copyright (c) 2014-2015 Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or *
* later. * @copyright Copyright (c) 2015, ownCloud, Inc.
* See the COPYING-README file. * @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/ */
namespace OC\Core\LostPassword\Controller; namespace OC\Core\LostPassword\Controller;
@ -47,6 +60,8 @@ class LostControllerTest extends \PHPUnit_Framework_TestCase {
->disableOriginalConstructor()->getMock(); ->disableOriginalConstructor()->getMock();
$this->container['SecureRandom'] = $this->getMockBuilder('\OCP\Security\ISecureRandom') $this->container['SecureRandom'] = $this->getMockBuilder('\OCP\Security\ISecureRandom')
->disableOriginalConstructor()->getMock(); ->disableOriginalConstructor()->getMock();
$this->container['TimeFactory'] = $this->getMockBuilder('\OCP\AppFramework\Utility\ITimeFactory')
->disableOriginalConstructor()->getMock();
$this->container['IsEncryptionEnabled'] = true; $this->container['IsEncryptionEnabled'] = true;
$this->lostController = $this->container['LostController']; $this->lostController = $this->container['LostController'];
} }
@ -116,6 +131,10 @@ class LostControllerTest extends \PHPUnit_Framework_TestCase {
->method('userExists') ->method('userExists')
->with('ExistingUser') ->with('ExistingUser')
->will($this->returnValue(true)); ->will($this->returnValue(true));
$this->container['TimeFactory']
->expects($this->once())
->method('getTime')
->will($this->returnValue(12348));
$this->container['Config'] $this->container['Config']
->expects($this->once()) ->expects($this->once())
->method('getUserValue') ->method('getUserValue')
@ -128,7 +147,7 @@ class LostControllerTest extends \PHPUnit_Framework_TestCase {
$this->container['Config'] $this->container['Config']
->expects($this->once()) ->expects($this->once())
->method('setUserValue') ->method('setUserValue')
->with('ExistingUser', 'owncloud', 'lostpassword', 'ThisIsMaybeANotSoSecretToken!'); ->with('ExistingUser', 'owncloud', 'lostpassword', '12348:ThisIsMaybeANotSoSecretToken!');
$this->container['URLGenerator'] $this->container['URLGenerator']
->expects($this->once()) ->expects($this->once())
->method('linkToRouteAbsolute') ->method('linkToRouteAbsolute')
@ -190,7 +209,11 @@ class LostControllerTest extends \PHPUnit_Framework_TestCase {
$this->container['Config'] $this->container['Config']
->expects($this->once()) ->expects($this->once())
->method('setUserValue') ->method('setUserValue')
->with('ExistingUser', 'owncloud', 'lostpassword', 'ThisIsMaybeANotSoSecretToken!'); ->with('ExistingUser', 'owncloud', 'lostpassword', '12348:ThisIsMaybeANotSoSecretToken!');
$this->container['TimeFactory']
->expects($this->once())
->method('getTime')
->will($this->returnValue(12348));
$this->container['URLGenerator'] $this->container['URLGenerator']
->expects($this->once()) ->expects($this->once())
->method('linkToRouteAbsolute') ->method('linkToRouteAbsolute')
@ -256,9 +279,13 @@ class LostControllerTest extends \PHPUnit_Framework_TestCase {
->expects($this->once()) ->expects($this->once())
->method('getUserValue') ->method('getUserValue')
->with('ValidTokenUser', 'owncloud', 'lostpassword', null) ->with('ValidTokenUser', 'owncloud', 'lostpassword', null)
->will($this->returnValue('TheOnlyAndOnlyOneTokenToResetThePassword')); ->will($this->returnValue('12345:TheOnlyAndOnlyOneTokenToResetThePassword'));
$user = $this->getMockBuilder('\OCP\IUser') $user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()->getMock(); ->disableOriginalConstructor()->getMock();
$user
->expects($this->once())
->method('getLastLogin')
->will($this->returnValue(12344));
$user->expects($this->once()) $user->expects($this->once())
->method('setPassword') ->method('setPassword')
->with('NewPassword') ->with('NewPassword')
@ -272,12 +299,94 @@ class LostControllerTest extends \PHPUnit_Framework_TestCase {
->expects($this->once()) ->expects($this->once())
->method('deleteUserValue') ->method('deleteUserValue')
->with('ValidTokenUser', 'owncloud', 'lostpassword'); ->with('ValidTokenUser', 'owncloud', 'lostpassword');
$this->container['TimeFactory']
->expects($this->once())
->method('getTime')
->will($this->returnValue(12348));
$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', true); $response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', true);
$expectedResponse = array('status' => 'success'); $expectedResponse = array('status' => 'success');
$this->assertSame($expectedResponse, $response); $this->assertSame($expectedResponse, $response);
} }
public function testSetPasswordExpiredToken() {
$this->container['Config']
->expects($this->once())
->method('getUserValue')
->with('ValidTokenUser', 'owncloud', 'lostpassword', null)
->will($this->returnValue('12345:TheOnlyAndOnlyOneTokenToResetThePassword'));
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()->getMock();
$this->container['UserManager']
->expects($this->once())
->method('get')
->with('ValidTokenUser')
->will($this->returnValue($user));
$this->container['TimeFactory']
->expects($this->once())
->method('getTime')
->will($this->returnValue(55546));
$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', true);
$expectedResponse = [
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is expired',
];
$this->assertSame($expectedResponse, $response);
}
public function testSetPasswordInvalidDataInDb() {
$this->container['Config']
->expects($this->once())
->method('getUserValue')
->with('ValidTokenUser', 'owncloud', 'lostpassword', null)
->will($this->returnValue('TheOnlyAndOnlyOneTokenToResetThePassword'));
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()->getMock();
$this->container['UserManager']
->expects($this->once())
->method('get')
->with('ValidTokenUser')
->will($this->returnValue($user));
$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', true);
$expectedResponse = [
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is invalid',
];
$this->assertSame($expectedResponse, $response);
}
public function testSetPasswordExpiredTokenDueToLogin() {
$this->container['Config']
->expects($this->once())
->method('getUserValue')
->with('ValidTokenUser', 'owncloud', 'lostpassword', null)
->will($this->returnValue('12345:TheOnlyAndOnlyOneTokenToResetThePassword'));
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()->getMock();
$user
->expects($this->once())
->method('getLastLogin')
->will($this->returnValue(12346));
$this->container['UserManager']
->expects($this->once())
->method('get')
->with('ValidTokenUser')
->will($this->returnValue($user));
$this->container['TimeFactory']
->expects($this->once())
->method('getTime')
->will($this->returnValue(12345));
$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'ValidTokenUser', 'NewPassword', true);
$expectedResponse = [
'status' => 'error',
'msg' => 'Couldn\'t reset password because the token is expired',
];
$this->assertSame($expectedResponse, $response);
}
public function testIsSetPasswordWithoutTokenFailing() { public function testIsSetPasswordWithoutTokenFailing() {
$this->container['Config'] $this->container['Config']
->expects($this->once()) ->expects($this->once())