Harden apptoken check

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2021-05-17 12:04:21 +02:00 committed by backportbot[bot]
parent 64032f9241
commit e0d2ef32e8
1 changed files with 20 additions and 0 deletions


@ -121,6 +121,10 @@ class AuthSettingsController extends Controller {
* @return JSONResponse * @return JSONResponse
*/ */
public function create($name) { public function create($name) {
if ($this->checkAppToken()) {
return $this->getServiceNotAvailableResponse();
}
try { try {
$sessionId = $this->session->getId(); $sessionId = $this->session->getId();
} catch (SessionNotAvailableException $ex) { } catch (SessionNotAvailableException $ex) {
@ -181,6 +185,10 @@ class AuthSettingsController extends Controller {
return implode('-', $groups); return implode('-', $groups);
} }
private function checkAppToken(): bool {
return $this->session->exists('app_password');
}
/** /**
* @NoAdminRequired * @NoAdminRequired
* @NoSubadminRequired * @NoSubadminRequired
@ -189,6 +197,10 @@ class AuthSettingsController extends Controller {
* @return array|JSONResponse * @return array|JSONResponse
*/ */
public function destroy($id) { public function destroy($id) {
if ($this->checkAppToken()) {
return new JSONResponse([], Http::STATUS_BAD_REQUEST);
}
try { try {
$token = $this->findTokenByIdAndUser($id); $token = $this->findTokenByIdAndUser($id);
} catch (WipeTokenException $e) { } catch (WipeTokenException $e) {
@ -213,6 +225,10 @@ class AuthSettingsController extends Controller {
* @return array|JSONResponse * @return array|JSONResponse
*/ */
public function update($id, array $scope, string $name) { public function update($id, array $scope, string $name) {
if ($this->checkAppToken()) {
return new JSONResponse([], Http::STATUS_BAD_REQUEST);
}
try { try {
$token = $this->findTokenByIdAndUser($id); $token = $this->findTokenByIdAndUser($id);
} catch (InvalidTokenException $e) { } catch (InvalidTokenException $e) {
@ -287,6 +303,10 @@ class AuthSettingsController extends Controller {
* @throws \OC\Authentication\Exceptions\ExpiredTokenException * @throws \OC\Authentication\Exceptions\ExpiredTokenException
*/ */
public function wipe(int $id): JSONResponse { public function wipe(int $id): JSONResponse {
if ($this->checkAppToken()) {
return new JSONResponse([], Http::STATUS_BAD_REQUEST);
}
try { try {
$token = $this->findTokenByIdAndUser($id); $token = $this->findTokenByIdAndUser($id);
} catch (InvalidTokenException $e) { } catch (InvalidTokenException $e) {
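Review bot: The four new guards answer the same refusal with different statuses — `create` returns `getServiceNotAvailableResponse()` while `destroy`, `update` and `wipe` return `Http::STATUS_BAD_REQUEST` — although the request is neither malformed nor is the service unavailable; the session is simply not permitted to manage app tokens, which is what `Http::STATUS_FORBIDDEN` expresses, and using it uniformly (`return new JSONResponse([], Http::STATUS_FORBIDDEN);`) lets clients and anyone reading access logs tell this refusal apart from other errors. `checkAppToken()` also reads as "the token is valid" although it returns true exactly when the session was established with an app password, so a docblock such as `/** True if this session was authenticated with an app password; such sessions must not create or modify app tokens. */` would make the inverted sense clear at each call site. If the controller has a logger in scope (none is visible in these hunks), recording the rejected request would make attempted misuse of a leaked app password visible to operators. The bodies of create, destroy, update and wipe all begin in their hunks but continue outside them.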