Merge pull request #2351 from nextcloud/remember-session-default

do not remember session tokens by default

lib/private/User/Session.php

@@ -558,7 +558,7 @@ class Session implements IUserSession, Emitter {
 		try {
 			$sessionId = $this->session->getId();
 			$pwd = $this->getPassword($password);
-			$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, IToken::REMEMBER);
+			$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
 			return true;
 		} catch (SessionNotAvailableException $ex) {
 			// This can happen with OCC, where a memory session is used

tests/lib/User/SessionTest.php

@@ -767,7 +767,6 @@ class SessionTest extends \Test\TestCase {
 	public function testCreateSessionToken() {
 		$manager = $this->createMock(Manager::class);
 		$session = $this->createMock(ISession::class);
-		$token = $this->createMock(IToken::class);
 		$user = $this->createMock(IUser::class);
 		$userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random);
 
@@ -801,11 +800,52 @@ class SessionTest extends \Test\TestCase {
 
 		$this->tokenProvider->expects($this->once())
 			->method('generateToken')
-			->with($sessionId, $uid, $loginName, $password, 'Firefox');
+			->with($sessionId, $uid, $loginName, $password, 'Firefox', IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER);
 
 		$this->assertTrue($userSession->createSessionToken($request, $uid, $loginName, $password));
 	}
 
+	public function testCreateRememberedSessionToken() {
+		$manager = $this->createMock(Manager::class);
+		$session = $this->createMock(ISession::class);
+		$user = $this->createMock(IUser::class);
+		$userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random);
+
+		$random = $this->createMock(ISecureRandom::class);
+		$config = $this->createMock(IConfig::class);
+		$csrf = $this->getMockBuilder('\OC\Security\CSRF\CsrfTokenManager')
+			->disableOriginalConstructor()
+			->getMock();
+		$request = new \OC\AppFramework\Http\Request([
+			'server' => [
+				'HTTP_USER_AGENT' => 'Firefox',
+			]
+		], $random, $config, $csrf);
+
+		$uid = 'user123';
+		$loginName = 'User123';
+		$password = 'passme';
+		$sessionId = 'abcxyz';
+
+		$manager->expects($this->once())
+			->method('get')
+			->with($uid)
+			->will($this->returnValue($user));
+		$session->expects($this->once())
+			->method('getId')
+			->will($this->returnValue($sessionId));
+		$this->tokenProvider->expects($this->once())
+			->method('getToken')
+			->with($password)
+			->will($this->throwException(new \OC\Authentication\Exceptions\InvalidTokenException()));
+
+		$this->tokenProvider->expects($this->once())
+			->method('generateToken')
+			->with($sessionId, $uid, $loginName, $password, 'Firefox', IToken::TEMPORARY_TOKEN, IToken::REMEMBER);
+
+		$this->assertTrue($userSession->createSessionToken($request, $uid, $loginName, $password, true));
+	}
+
 	public function testCreateSessionTokenWithTokenPassword() {
 		$manager = $this->getMockBuilder('\OC\User\Manager')
 			->disableOriginalConstructor()
@@ -850,7 +890,7 @@ class SessionTest extends \Test\TestCase {
 
 		$this->tokenProvider->expects($this->once())
 			->method('generateToken')
-			->with($sessionId, $uid, $loginName, $realPassword, 'Firefox');
+			->with($sessionId, $uid, $loginName, $realPassword, 'Firefox', IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER);
 
 		$this->assertTrue($userSession->createSessionToken($request, $uid, $loginName, $password));
 	}