Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@@ -338,4 +338,14 @@ class DefaultTokenProvider implements IProvider { | |||
} | |||
} | |||
public function markPasswordInvalid(IToken $token, string $tokenId) { | |||
if (!($token instanceof DefaultToken)) { | |||
throw new InvalidTokenException(); | |||
} | |||
//No need to mark as invalid. We just invalide default tokens | |||
$this->invalidateToken($tokenId); | |||
} | |||
} |
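Review bot: The inline comment in `markPasswordInvalid` has a typo and does not explain why a method named "mark" ends in `invalidateToken($tokenId)`, so the behaviour differs from what the name suggests. Assuming `DefaultToken` carries no password-invalid flag (its class is not shown on this page), I would replace the comment with `// Default tokens have no password-invalid flag, so the token is invalidated outright instead of being marked`. A short docblock would also help callers that expect the token to survive the call: it should say that this provider invalidates rather than marks, and that a non-`DefaultToken` argument raises `InvalidTokenException`.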
@@ -156,4 +156,12 @@ interface IProvider { | |||
* @return IToken | |||
*/ | |||
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken; | |||
/** | |||
* Marks a token as having an invalid password. | |||
* | |||
* @param IToken $token | |||
* @param string $tokenId | |||
*/ | |||
public function markPasswordInvalid(IToken $token, string $tokenId); | |||
} |
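Review bot: The docblock for `markPasswordInvalid` leaves the contract open: it does not say what happens to the token afterwards or that the call can throw. The implementations in this commit throw `InvalidTokenException` on a foreign token type, and one of them invalidates the token while another only sets a flag. I would add `@throws InvalidTokenException` and a sentence stating that, depending on the provider, the token may be invalidated rather than flagged. The method is also declared without a return type although `rotate()` directly above has one; `: void` here and on the implementations in DefaultTokenProvider, Manager and PublicKeyTokenProvider would keep the interface consistent.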
@@ -227,4 +227,9 @@ class Manager implements IProvider { | |||
} | |||
throw new InvalidTokenException(); | |||
} | |||
public function markPasswordInvalid(IToken $token, string $tokenId) { | |||
$this->getProvider($token)->markPasswordInvalid($token, $tokenId); | |||
} | |||
} |
@@ -43,6 +43,8 @@ use OCP\AppFramework\Db\Entity; | |||
* @method string getPublicKey() | |||
* @method void setPublicKey(string $key) | |||
* @method void setVersion(int $version) | |||
* @method bool getPasswordInvalid() | |||
* @method void setPasswordInvalid(bool $invalid); | |||
*/ | |||
class PublicKeyToken extends Entity implements IToken { | |||
@@ -90,6 +92,9 @@ class PublicKeyToken extends Entity implements IToken { | |||
/** @var int */ | |||
protected $version; | |||
/** @var bool */ | |||
protected $passwordInvalid; | |||
public function __construct() { | |||
$this->addType('uid', 'string'); | |||
$this->addType('loginName', 'string'); | |||
@@ -105,6 +110,7 @@ class PublicKeyToken extends Entity implements IToken { | |||
$this->addType('publicKey', 'string'); | |||
$this->addType('privateKey', 'string'); | |||
$this->addType('version', 'int'); | |||
$this->addType('passwordInvalid', 'bool'); | |||
} | |||
public function getId(): int { |
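Review bot: `$passwordInvalid` is declared without an initial value while the class docblock advertises `@method bool getPasswordInvalid()`, so a token whose flag was never set would presumably return null from that getter rather than false. Unless the Entity base class coerces the value on read (its code is not on this page), either document the getter as `bool|null` or initialise the property, e.g. `protected $passwordInvalid = false;`. The new field also implies a schema change, which is not among the visible sections. Minor: `@method void setPasswordInvalid(bool $invalid);` ends with a semicolon that the neighbouring `@method` lines do not have.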
@@ -317,4 +317,15 @@ class PublicKeyTokenProvider implements IProvider { | |||
return $dbToken; | |||
} | |||
public function markPasswordInvalid(IToken $token, string $tokenId) { | |||
if (!($token instanceof PublicKeyToken)) { | |||
throw new InvalidTokenException(); | |||
} | |||
$token->setPasswordInvalid(true); | |||
$this->mapper->update($token); | |||
} | |||
} |
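Review bot: `markPasswordInvalid` persists `passwordInvalid = true`, but none of the visible hunks reads the flag or resets it, so as far as this page shows the stored token is otherwise unchanged after the call. If the intent is that a flagged token is refused until the user supplies a fresh password, the validation path and the password-update path need matching changes; they may exist outside this page. `$tokenId` is unused in this implementation, which deserves a comment such as `// $tokenId is unused here: the flag is stored on the token entity itself`.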
@@ -694,12 +694,19 @@ class Session implements IUserSession, Emitter { | |||
return true; | |||
} | |||
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false | |||
|| (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) { | |||
// Invalidate token if the user is no longer active | |||
if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) { | |||
$this->tokenProvider->invalidateToken($token); | |||
// Password has changed or user was disabled -> log user out | |||
return false; | |||
} | |||
// If the token password is no longer valid mark it as such | |||
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) { | |||
$this->tokenProvider->markPasswordInvalid($dbToken, $token); | |||
// User is logged out | |||
return false; | |||
} | |||
$dbToken->setLastCheck($now); | |||
return true; | |||
} |
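Review bot: In the password branch the method returns false after `markPasswordInvalid($dbToken, $token)` without updating `lastCheck`, and nothing visible consults the stored flag before `checkPassword` runs. As far as the hunk shows, each later request with the same token would therefore send the stale password to the user backend again, which against LDAP or a similar backend can add up to account lockouts or noisy failed-login logs. A guard ahead of the `checkPassword` call that returns false when the token is already flagged would avoid that; the start of the enclosing method is outside the hunk, so such a guard may already exist above. Separately, the comment `// Password has changed or user was disabled -> log user out` now sits in the disabled-user branch only and should read `// User was disabled -> log user out`.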
@@ -1017,10 +1017,8 @@ class SessionTest extends \Test\TestCase { | |||
->method('getPassword') | |||
->with($token, 'APP-PASSWORD') | |||
->will($this->returnValue('123456')); | |||
$userManager->expects($this->once()) | |||
->method('checkPassword') | |||
->with('susan', '123456') | |||
->will($this->returnValue(true)); | |||
$userManager->expects($this->never()) | |||
->method('checkPassword'); | |||
$user->expects($this->once()) | |||
->method('isEnabled') | |||
->will($this->returnValue(false)); |
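Review bot: The updated expectation covers only the disabled-user path (`checkPassword` never called); no visible test exercises the new branch where `checkPassword` returns false. I would add a case asserting that `markPasswordInvalid` is called once with the token and that `invalidateToken` is not called, so that a regression which skips the marking or goes back to deleting the token is caught. The test method starts and ends outside the hunk, and such a case may exist elsewhere in the file.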