Error out early on an expired token 12160/head
authorRoeland Jago Douma <roeland@famdouma.nl>
Tue, 30 Oct 2018 12:19:59 +0000 (13:19 +0100)
committerJan Dageförde <jan.dagefoerde@ercis.uni-muenster.de>
Wed, 31 Oct 2018 09:54:17 +0000 (10:54 +0100)
Fixes #12131

If we hit an expired token there is no need to continue checking. Since
we know it is a token.

We also should not register this with the brute-force throttler, as it is
actually a valid token that has merely expired. Instead the authentication
should simply fail, and business continues as usual.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
lib/private/User/Session.php

index fbd6a0a78e3623b7dc61abab6cab5989ce15fcf7..2c2244f06f727316f5930dabe1f9c6075a670b4b 100644 (file)
@@ -38,6 +38,7 @@
 namespace OC\User;
 
 use OC;
+use OC\Authentication\Exceptions\ExpiredTokenException;
 use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
@@ -401,7 +402,13 @@ class Session implements IUserSession, Emitter {
                        $this->manager->emit('\OC\User', 'preLogin', array($user, $password));
                }
 
-               $isTokenPassword = $this->isTokenPassword($password);
+               try {
+                       $isTokenPassword = $this->isTokenPassword($password);
+               } catch (ExpiredTokenException $e) {
+                       // Just return on an expired token no need to check further or record a failed login
+                       return false;
+               }
+
                if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
                        throw new PasswordLoginForbiddenException();
                }
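Review bot: The new `return false` inside the catch leaves `login()` with no trace of the attempt at all — the throttler is deliberately skipped, but as far as this hunk shows nothing is logged either, and the rest of the method (which starts and ends outside this hunk) is bypassed. A client still presenting an expired app token is something operators want to see, and incident response needs to tell it apart from a wrong-password failure, so if the class has a logger I would emit one line before returning, e.g. `$this->logger->info('Login attempt with an expired token for user ' . $user, ['app' => 'core']);`. Note also that the `preLogin` event has already been emitted a few lines above, so listeners observe a login start with no matching completion or failure; confirm that is acceptable for the listeners in use.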
@@ -474,11 +481,14 @@ class Session implements IUserSession, Emitter {
         *
         * @param string $password
         * @return boolean
+        * @throws ExpiredTokenException
         */
        public function isTokenPassword($password) {
                try {
                        $this->tokenProvider->getToken($password);
                        return true;
+               } catch (ExpiredTokenException $e) {
+                       throw $e;
                } catch (InvalidTokenException $ex) {
                        return false;
                }
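Review bot: `isTokenPassword()` is public, and this hunk changes its contract from "returns bool" to "returns bool or throws ExpiredTokenException", yet only `login()` is adapted in this commit; any other caller of this method will now get an uncaught exception for an expired token where it previously got a boolean. Those callers should be audited, or the throwing behaviour moved into a dedicated method so the `is…` predicate keeps its boolean contract. The rethrow-only catch also deserves a one-line comment, because it only makes sense if ExpiredTokenException extends InvalidTokenException — the catch order suggests so, but this hunk does not show it: `// Caught before InvalidTokenException so the generic branch below does not report an expired token as "not a token"`.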