From e3090136b832498042778f81593c6b95fa79305c Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Mon, 17 May 2021 12:04:21 +0200
Subject: [PATCH] Harden apptoken check
Signed-off-by: Roeland Jago Douma
---
 .../lib/Controller/AuthSettingsController.php | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 13815f95c5..566c03536a 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -121,6 +121,10 @@ class AuthSettingsController extends Controller {
 * @return JSONResponse
 */
 public function create($name) {
+ if ($this->checkAppToken()) {
+ return $this->getServiceNotAvailableResponse();
+ }
+
 try {
 $sessionId = $this->session->getId();
 } catch (SessionNotAvailableException $ex) {
@@ -181,6 +185,10 @@ class AuthSettingsController extends Controller {
 return implode('-', $groups);
 }
 
+ private function checkAppToken(): bool {
+ return $this->session->exists('app_password');
+ }
+
 /**
 * @NoAdminRequired
 * @NoSubAdminRequired
@@ -189,6 +197,10 @@ class AuthSettingsController extends Controller {
 * @return array|JSONResponse
 */
 public function destroy($id) {
+ if ($this->checkAppToken()) {
+ return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+ }
+
 try {
 $token = $this->findTokenByIdAndUser($id);
 } catch (WipeTokenException $e) {
@@ -213,6 +225,10 @@ class AuthSettingsController extends Controller {
 * @return array|JSONResponse
 */
 public function update($id, array $scope, string $name) {
+ if ($this->checkAppToken()) {
+ return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+ }
+
 try {
 $token = $this->findTokenByIdAndUser($id);
 } catch (InvalidTokenException $e) {
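Review bot: The app-password guard added at the top of create() answers with getServiceNotAvailableResponse(), while the identical guard in destroy(), update() and wipe() (the other three hunks of this patch) answers with `new JSONResponse([], Http::STATUS_BAD_REQUEST)`. Being refused because the caller authenticated with an app password is a client-side condition rather than an outage, and a 503 is something clients retry and monitoring alerts on, so the four entry points should agree, e.g. `return new JSONResponse([], Http::STATUS_BAD_REQUEST);` in create() as well (a 403 would arguably describe the refusal better still, if the project prefers that). The empty `[]` body on every branch gives the client no indication of why the request was rejected; a short message field would make the refusal diagnosable without reading server code. The body of create() continues outside the hunk.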
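Review bot: checkAppToken() is undocumented and its name reads like a validation, whereas a `true` result means the request must be refused; the method only reports whether the session was opened with an app password. A docblock such as `/** True when the current session was authenticated with an app password; token management is refused in that case so an app password cannot create, edit or delete other tokens. */` would make the four call sites read correctly, and a name like isUsingAppPassword() would match the meaning. The `'app_password'` session key is a bare literal here; if the login code sets it through a named constant, referencing that constant keeps the writer and this reader from drifting apart. Presumably every app-password authentication path sets this session flag — worth confirming, because the guard is only as strong as that invariant.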
@@ -287,6 +303,10 @@ class AuthSettingsController extends Controller {
 * @throws \OC\Authentication\Exceptions\ExpiredTokenException
 */
 public function wipe(int $id): JSONResponse {
+ if ($this->checkAppToken()) {
+ return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+ }
+
 try {
 $token = $this->findTokenByIdAndUser($id);
 } catch (InvalidTokenException $e) {