);
}
+ /**
+ * @param string $redirectUrl
+ * @return RedirectResponse
+ */
+ private function generateRedirect($redirectUrl) {
+ if (!is_null($redirectUrl) && $this->userSession->isLoggedIn()) {
+ $location = $this->urlGenerator->getAbsoluteURL(urldecode($redirectUrl));
+ // Deny the redirect if the URL contains a @
+ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
+ if (strpos($location, '@') === false) {
+ return new RedirectResponse($location);
+ }
+ }
+ return new RedirectResponse(OC_Util::getDefaultPageUrl());
+ }
+
/**
* @PublicPage
* @UseSession
+ * @NoCSRFRequired
*
* @param string $user
* @param string $password
$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress());
+ // If the user is already logged in and the CSRF check does not pass then
+ // simply redirect the user to the correct page as required. This is the
+ // case when an user has already logged-in, in another tab.
+ if(!$this->request->passesCSRFCheck()) {
+ return $this->generateRedirect($redirect_url);
+ }
+
$originalUser = $user;
// TODO: Add all the insane error handling
/* @var $loginResult IUser */
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
}
- if (!is_null($redirect_url) && $this->userSession->isLoggedIn()) {
- $location = $this->urlGenerator->getAbsoluteURL(urldecode($redirect_url));
- // Deny the redirect if the URL contains a @
- // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
- if (strpos($location, '@') === false) {
- return new RedirectResponse($location);
- }
- }
- return new RedirectResponse(OC_Util::getDefaultPageUrl());
+ return $this->generateRedirect($redirect_url);
}
}
->expects($this->exactly(4))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
+ $this->request
+ ->expects($this->once())
+ ->method('passesCSRFCheck')
+ ->willReturn(true);
$this->throttler
->expects($this->exactly(2))
->method('sleepDelay')
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
+ $this->request
+ ->expects($this->once())
+ ->method('passesCSRFCheck')
+ ->willReturn(true);
$this->throttler
->expects($this->once())
->method('sleepDelay')
$this->assertEquals($expected, $this->loginController->tryLogin($user, $password, null));
}
+ public function testLoginWithoutPassedCsrfCheckAndNotLoggedIn() {
+ /** @var IUser | \PHPUnit_Framework_MockObject_MockObject $user */
+ $user = $this->createMock('\OCP\IUser');
+ $user->expects($this->any())
+ ->method('getUID')
+ ->will($this->returnValue('jane'));
+ $password = 'secret';
+ $originalUrl = 'another%20url';
+
+ $this->request
+ ->expects($this->exactly(2))
+ ->method('getRemoteAddress')
+ ->willReturn('192.168.0.1');
+ $this->request
+ ->expects($this->once())
+ ->method('passesCSRFCheck')
+ ->willReturn(false);
+ $this->throttler
+ ->expects($this->once())
+ ->method('sleepDelay')
+ ->with('192.168.0.1');
+ $this->throttler
+ ->expects($this->once())
+ ->method('getDelay')
+ ->with('192.168.0.1')
+ ->willReturn(200);
+ $this->userSession->expects($this->once())
+ ->method('isLoggedIn')
+ ->with()
+ ->will($this->returnValue(false));
+
+ $expected = new \OCP\AppFramework\Http\RedirectResponse(\OC_Util::getDefaultPageUrl());
+ $this->assertEquals($expected, $this->loginController->tryLogin('Jane', $password, $originalUrl));
+ }
+
+ public function testLoginWithoutPassedCsrfCheckAndLoggedIn() {
+ /** @var IUser | \PHPUnit_Framework_MockObject_MockObject $user */
+ $user = $this->createMock('\OCP\IUser');
+ $user->expects($this->any())
+ ->method('getUID')
+ ->will($this->returnValue('jane'));
+ $password = 'secret';
+ $originalUrl = 'another%20url';
+ $redirectUrl = 'http://localhost/another url';
+
+ $this->request
+ ->expects($this->exactly(2))
+ ->method('getRemoteAddress')
+ ->willReturn('192.168.0.1');
+ $this->request
+ ->expects($this->once())
+ ->method('passesCSRFCheck')
+ ->willReturn(false);
+ $this->throttler
+ ->expects($this->once())
+ ->method('sleepDelay')
+ ->with('192.168.0.1');
+ $this->throttler
+ ->expects($this->once())
+ ->method('getDelay')
+ ->with('192.168.0.1')
+ ->willReturn(200);
+ $this->userSession->expects($this->once())
+ ->method('isLoggedIn')
+ ->with()
+ ->will($this->returnValue(true));
+ $this->urlGenerator->expects($this->once())
+ ->method('getAbsoluteURL')
+ ->with(urldecode($originalUrl))
+ ->will($this->returnValue($redirectUrl));
+
+ $expected = new \OCP\AppFramework\Http\RedirectResponse($redirectUrl);
+ $this->assertEquals($expected, $this->loginController->tryLogin('Jane', $password, $originalUrl));
+ }
+
public function testLoginWithValidCredentialsAndRedirectUrl() {
/** @var IUser | \PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->getMock('\OCP\IUser');
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
+ $this->request
+ ->expects($this->once())
+ ->method('passesCSRFCheck')
+ ->willReturn(true);
$this->throttler
->expects($this->once())
->method('sleepDelay')
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
+ $this->request
+ ->expects($this->once())
+ ->method('passesCSRFCheck')
+ ->willReturn(true);
$this->throttler
->expects($this->once())
->method('sleepDelay')
->expects($this->exactly(3))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
+ $this->request
+ ->expects($this->once())
+ ->method('passesCSRFCheck')
+ ->willReturn(true);
$this->throttler
->expects($this->once())
->method('getDelay')
projects / nextcloud-server.git / commitdiff