From 9b808c40147ebb2ff58908e17039b6caf076ec7e Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Sun, 27 Nov 2016 13:59:46 +0100 Subject: [PATCH 1/2] do not remember session tokens by default We have to respect the value of the remember-me checkbox. Due to an error in the source code the default value for the session token was to remember it. Signed-off-by: Christoph Wurst --- lib/private/User/Session.php | 2 +- tests/lib/User/SessionTest.php | 46 +++++++++++++++++++++++++++++++--- 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index a45b1dcd10f..c3561cf64e3 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -558,7 +558,7 @@ class Session implements IUserSession, Emitter { try { $sessionId = $this->session->getId(); $pwd = $this->getPassword($password); - $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, IToken::REMEMBER); + $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember); return true; } catch (SessionNotAvailableException $ex) { // This can happen with OCC, where a memory session is used diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php index ee9ed737cf5..33e19bef70d 100644 --- a/tests/lib/User/SessionTest.php +++ b/tests/lib/User/SessionTest.php @@ -767,7 +767,6 @@ class SessionTest extends \Test\TestCase { public function testCreateSessionToken() { $manager = $this->createMock(Manager::class); $session = $this->createMock(ISession::class); - $token = $this->createMock(IToken::class); $user = $this->createMock(IUser::class); $userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random); 
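Review bot: `$remember` is forwarded to `generateToken()` exactly as received on the changed line in `lib/private/User/Session.php`, so any value a caller supplies reaches the token provider unchecked; the new test in this same patch passes a bare `true`. Since this flag presumably decides whether a login leaves a longer-lived token behind, I would pin it to the two known constants before the call, e.g. `$remember = ($remember === IToken::REMEMBER) ? IToken::REMEMBER : IToken::DO_NOT_REMEMBER;`, so anything unexpected falls back to a non-remembered session. Callers that pass booleans today would then have to pass the constant instead. The method signature and the default for `$remember` are outside the hunk, so the default cannot be confirmed from here. A docblock line such as `@param int $remember IToken::REMEMBER or IToken::DO_NOT_REMEMBER` would state the contract.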
@@ -801,11 +800,52 @@ class SessionTest extends \Test\TestCase { $this->tokenProvider->expects($this->once()) ->method('generateToken') - ->with($sessionId, $uid, $loginName, $password, 'Firefox'); + ->with($sessionId, $uid, $loginName, $password, 'Firefox', IToken::DO_NOT_REMEMBER, IToken::TEMPORARY_TOKEN); $this->assertTrue($userSession->createSessionToken($request, $uid, $loginName, $password)); } + public function testCreateRememberedSessionToken() { + $manager = $this->createMock(Manager::class); + $session = $this->createMock(ISession::class); + $user = $this->createMock(IUser::class); + $userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random); + + $random = $this->createMock(ISecureRandom::class); + $config = $this->createMock(IConfig::class); + $csrf = $this->getMockBuilder('\OC\Security\CSRF\CsrfTokenManager') + ->disableOriginalConstructor() + ->getMock(); + $request = new \OC\AppFramework\Http\Request([ + 'server' => [ + 'HTTP_USER_AGENT' => 'Firefox', + ] + ], $random, $config, $csrf); + + $uid = 'user123'; + $loginName = 'User123'; + $password = 'passme'; + $sessionId = 'abcxyz'; + + $manager->expects($this->once()) + ->method('get') + ->with($uid) + ->will($this->returnValue($user)); + $session->expects($this->once()) + ->method('getId') + ->will($this->returnValue($sessionId)); + $this->tokenProvider->expects($this->once()) + ->method('getToken') + ->with($password) + ->will($this->throwException(new \OC\Authentication\Exceptions\InvalidTokenException())); + + $this->tokenProvider->expects($this->once()) + ->method('generateToken') + ->with($sessionId, $uid, $loginName, $password, 'Firefox', IToken::TEMPORARY_TOKEN, IToken::REMEMBER); + + $this->assertTrue($userSession->createSessionToken($request, $uid, $loginName, $password, true)); + } + public function testCreateSessionTokenWithTokenPassword() { $manager = $this->getMockBuilder('\OC\User\Manager') 
->disableOriginalConstructor() @@ -850,7 +890,7 @@ class SessionTest extends \Test\TestCase { $this->tokenProvider->expects($this->once()) ->method('generateToken') - ->with($sessionId, $uid, $loginName, $realPassword, 'Firefox'); + ->with($sessionId, $uid, $loginName, $realPassword, 'Firefox', IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER); $this->assertTrue($userSession->createSessionToken($request, $uid, $loginName, $password)); } From 6543182d13778eec9471e337727c8c432e565c4b Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Mon, 28 Nov 2016 09:59:59 +0100 Subject: [PATCH 2/2] fix parameter order Signed-off-by: Christoph Wurst --- tests/lib/User/SessionTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php index 33e19bef70d..78b673d10bd 100644 --- a/tests/lib/User/SessionTest.php +++ b/tests/lib/User/SessionTest.php @@ -800,7 +800,7 @@ class SessionTest extends \Test\TestCase { $this->tokenProvider->expects($this->once()) ->method('generateToken') - ->with($sessionId, $uid, $loginName, $password, 'Firefox', IToken::DO_NOT_REMEMBER, IToken::TEMPORARY_TOKEN); + ->with($sessionId, $uid, $loginName, $password, 'Firefox', IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER); $this->assertTrue($userSession->createSessionToken($request, $uid, $loginName, $password)); }
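Review bot: `testCreateRememberedSessionToken` calls `createSessionToken(..., $password, true)` but expects `generateToken` to receive `IToken::REMEMBER`. Plain values given to `with()` are compared by equality rather than identity, so the test passes without showing that the constant is what the production code forwards. Passing the constant in the call (`$userSession->createSessionToken($request, $uid, $loginName, $password, IToken::REMEMBER)`) or wrapping the expectation as `$this->identicalTo(IToken::REMEMBER)` would make the assertion mean what it says. The same loose matching applies to the updated `with()` expectations in `testCreateSessionToken` and `testCreateSessionTokenWithTokenPassword`. The new test also repeats the request and mock setup of `testCreateSessionToken` almost line for line, and a data provider over the `$remember` argument would keep the two cases in step.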