From 3ab922601a2e6b9b170007461b9e0718c70bddcd Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@owncloud.com>
Date: Tue, 26 Apr 2016 11:32:35 +0200
Subject: [PATCH] Check if session token is valid and log user out if the check
 fails * Update last_activity timestamp of the session token * Check user
 backend credentials once in 5 minutes

---
 core/Controller/LoginController.php           |  1 -
 db_structure.xml                              |  4 +-
 .../Authentication/Token/DefaultToken.php     |  7 +-
 .../Token/DefaultTokenMapper.php              |  6 +-
 .../Token/DefaultTokenProvider.php            | 67 +++++++++++++++++--
 lib/private/User/Session.php                  | 45 +++++++++++--
 lib/private/legacy/user.php                   |  2 +-
 7 files changed, 107 insertions(+), 25 deletions(-)

diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index fe1ad41aedb..e13d8ae10d2 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -26,7 +26,6 @@ namespace OC\Core\Controller;
 use OC;
 use OC\User\Session;
 use OC_App;
-use OC_User;
 use OC_Util;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\RedirectResponse;
diff --git a/db_structure.xml b/db_structure.xml
index 68a812a6b8f..dcbf426e5b8 100644
--- a/db_structure.xml
+++ b/db_structure.xml
@@ -1057,10 +1057,10 @@
 
 			<field>
 				<name>password</name>
-				<type>text</type>
+				<type>clob</type>
 				<default></default>
 				<notnull>true</notnull>
-				<length>100</length>
+				<length>4000</length>
 			</field>
 
 			<field>
diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php
index 9bdae789afd..6b859d7d063 100644
--- a/lib/private/Authentication/Token/DefaultToken.php
+++ b/lib/private/Authentication/Token/DefaultToken.php
@@ -51,13 +51,8 @@ class DefaultToken extends Entity implements IToken {
 	 */
 	protected $lastActivity;
 
-	/**
-	 * Get the token ID
-	 *
-	 * @return string
-	 */
 	public function getId() {
-		return $this->token;
+		return $this->id;
 	}
 
 }
diff --git a/lib/private/Authentication/Token/DefaultTokenMapper.php b/lib/private/Authentication/Token/DefaultTokenMapper.php
index 9a73192c0d8..d54d2489399 100644
--- a/lib/private/Authentication/Token/DefaultTokenMapper.php
+++ b/lib/private/Authentication/Token/DefaultTokenMapper.php
@@ -61,10 +61,10 @@ class DefaultTokenMapper extends Mapper {
 	 *
 	 * @param string $token
 	 * @throws DoesNotExistException
-	 * @return string
+	 * @return DefaultToken
 	 */
-	public function getTokenUser($token) {
-		$sql = 'SELECT `uid` '
+	public function getToken($token) {
+		$sql = 'SELECT `id`, `uid`, `password`, `name`, `token`, `last_activity` '
 			. 'FROM `' . $this->getTableName() . '` '
 			. 'WHERE `token` = ?';
 		return $this->findEntity($sql, [
diff --git a/lib/private/Authentication/Token/DefaultTokenProvider.php b/lib/private/Authentication/Token/DefaultTokenProvider.php
index 71f798da370..b3564e0e81b 100644
--- a/lib/private/Authentication/Token/DefaultTokenProvider.php
+++ b/lib/private/Authentication/Token/DefaultTokenProvider.php
@@ -48,8 +48,7 @@ class DefaultTokenProvider implements IProvider {
 	 * @param IConfig $config
 	 * @param ILogger $logger
 	 */
-	public function __construct(DefaultTokenMapper $mapper, ICrypto $crypto,
-		IConfig $config, ILogger $logger) {
+	public function __construct(DefaultTokenMapper $mapper, ICrypto $crypto, IConfig $config, ILogger $logger) {
 		$this->mapper = $mapper;
 		$this->crypto = $crypto;
 		$this->config = $config;
@@ -67,8 +66,7 @@ class DefaultTokenProvider implements IProvider {
 	public function generateToken($token, $uid, $password, $name) {
 		$dbToken = new DefaultToken();
 		$dbToken->setUid($uid);
-		$secret = $this->config->getSystemValue('secret');
-		$dbToken->setPassword($this->crypto->encrypt($password . $secret));
+		$dbToken->setPassword($this->encryptPassword($password, $token));
 		$dbToken->setName($name);
 		$dbToken->setToken($this->hashToken($token));
 		$dbToken->setLastActivity(time());
@@ -78,6 +76,37 @@ class DefaultTokenProvider implements IProvider {
 		return $dbToken;
 	}
 
+	/**
+	 * Update token activity timestamp
+	 *
+	 * @param DefaultToken $token
+	 */
+	public function updateToken(DefaultToken $token) {
+		$token->setLastActivity(time());
+
+		$this->mapper->update($token);
+	}
+
+	/**
+	 * @param string $token
+	 * @throws InvalidTokenException
+	 */
+	public function getToken($token) {
+		try {
+			return $this->mapper->getToken($this->hashToken($token));
+		} catch (DoesNotExistException $ex) {
+			throw new InvalidTokenException();
+		}
+	}
+
+	/**
+	 * @param DefaultToken $savedToken
+	 * @param string $token session token
+	 */
+	public function getPassword(DefaultToken $savedToken, $token) {
+		return $this->decryptPassword($savedToken->getPassword(), $token);
+	}
+
 	/**
 	 * Invalidate (delete) the given session token
 	 *
@@ -104,7 +133,7 @@ class DefaultTokenProvider implements IProvider {
 	public function validateToken($token) {
 		$this->logger->debug('validating default token <' . $token . '>');
 		try {
-			$dbToken = $this->mapper->getTokenUser($this->hashToken($token));
+			$dbToken = $this->mapper->getToken($this->hashToken($token));
 			$this->logger->debug('valid token for ' . $dbToken->getUid());
 			return $dbToken->getUid();
 		} catch (DoesNotExistException $ex) {
@@ -121,4 +150,32 @@ class DefaultTokenProvider implements IProvider {
 		return hash('sha512', $token);
 	}
 
+	/**
+	 * Encrypt the given password
+	 *
+	 * The token is used as key
+	 *
+	 * @param string $password
+	 * @param string $token
+	 * @return string encrypted password
+	 */
+	private function encryptPassword($password, $token) {
+		$secret = $this->config->getSystemValue('secret');
+		return $this->crypto->encrypt($password, $token . $secret);
+	}
+
+	/**
+	 * Decrypt the given password
+	 *
+	 * The token is used as key
+	 *
+	 * @param string $password
+	 * @param string $token
+	 * @return string the decrypted key
+	 */
+	private function decryptPassword($password, $token) {
+		$secret = $this->config->getSystemValue('secret');
+		return $this->crypto->decrypt($password, $token . $secret);
+	}
+
 }
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 9db503e6add..7d4594e7205 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -96,8 +96,7 @@ class Session implements IUserSession, Emitter {
 	 * @param ISession $session
 	 * @param IProvider[] $tokenProviders
 	 */
-	public function __construct(IUserManager $manager, ISession $session,
-		DefaultTokenProvider $tokenProvider, array $tokenProviders = []) {
+	public function __construct(IUserManager $manager, ISession $session, DefaultTokenProvider $tokenProvider, array $tokenProviders = []) {
 		$this->manager = $manager;
 		$this->session = $session;
 		$this->tokenProvider = $tokenProvider;
@@ -118,8 +117,7 @@ class Session implements IUserSession, Emitter {
 	 * @param string $method optional
 	 * @param callable $callback optional
 	 */
-	public function removeListener($scope = null, $method = null,
-		callable $callback = null) {
+	public function removeListener($scope = null, $method = null, callable $callback = null) {
 		$this->manager->removeListener($scope, $method, $callback);
 	}
 
@@ -183,8 +181,7 @@ class Session implements IUserSession, Emitter {
 			return $this->activeUser;
 		} else {
 			$uid = $this->session->get('user_id');
-			if ($uid !== null) {
-				$this->activeUser = $this->manager->get($uid);
+			if ($uid !== null && $this->isValidSession($uid)) {
 				return $this->activeUser;
 			} else {
 				return null;
@@ -192,6 +189,41 @@ class Session implements IUserSession, Emitter {
 		}
 	}
 
+	private function isValidSession($uid) {
+		$this->activeUser = $this->manager->get($uid);
+		if (is_null($this->activeUser)) {
+			// User does not exist
+			return false;
+		}
+		// TODO: use ISession::getId(), https://github.com/owncloud/core/pull/24229
+		$sessionId = session_id();
+		try {
+			$token = $this->tokenProvider->getToken($sessionId);
+		} catch (InvalidTokenException $ex) {
+			// Session was inalidated
+			$this->logout();
+			return false;
+		}
+
+		// Check whether login credentials are still valid
+		// This check is performed each 5 minutes
+		$lastCheck = $this->session->get('last_login_check') ? : 0;
+		if ($lastCheck < (time() - 60 * 5)) {
+			$pwd = $this->tokenProvider->getPassword($token, $sessionId);
+			if ($this->manager->checkPassword($uid, $pwd) === false) {
+				// Password has changed -> log user out
+				$this->logout();
+				return false;
+			}
+			$this->session->set('last_login_check', time());
+		}
+
+		// Session is valid, so the token can be refreshed
+		$this->tokenProvider->updateToken($token);
+
+		return true;
+	}
+
 	/**
 	 * Checks whether the user is logged in
 	 *
@@ -334,7 +366,6 @@ class Session implements IUserSession, Emitter {
 	 * @return boolean
 	 */
 	private function validateToken(IRequest $request, $token) {
-		// TODO: hash token
 		foreach ($this->tokenProviders as $provider) {
 			try {
 				$user = $provider->validateToken($token);
diff --git a/lib/private/legacy/user.php b/lib/private/legacy/user.php
index 575011d3985..ca408d347bd 100644
--- a/lib/private/legacy/user.php
+++ b/lib/private/legacy/user.php
@@ -68,7 +68,7 @@ class OC_User {
 
 	private static $_setupedBackends = array();
 
-	// bool, stores if a user want to access a resource anonymously, e.g if he opens a public link
+	// bool, stores if a user want to access a resource anonymously, e.g if they open a public link
 	private static $incognitoMode = false;
 
 	/**