author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-01 14:04:08 +0200 |
---|---|---|
committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-09 07:50:12 +0200 |
commit | 57463df26a8124d38f9428d32ba26d0484c3fdac (patch) | |
tree | ec52fe6e80c142c0420cdcc2be5614a9a0aeeddb | |
parent | 8ddc78da5e65e5162622ba4b6469600d770f6270 (diff) | |
fix(session): Only mark sessions of permanent tokens as app passwordsbackport/51905/stable27
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
-rw-r--r-- | lib/private/User/Session.php | 5 | ||||
-rw-r--r-- | tests/lib/User/SessionTest.php | 40 |
2 files changed, 42 insertions, 3 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 32391e35adf..4e6e2a61b70 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -861,9 +861,8 @@ class Session implements IUserSession, Emitter {
 return true;
 }
- // Remember me tokens are not app_passwords
- if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
- // Set the session variable so we know this is an app password
+ // Set the session variable so we know this is an app password
+ if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {
 $this->session->set('app_password', $token);
 }
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
index ec7727e9de3..fe239ff7d05 100644
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@@ -34,6 +34,7 @@ use OCP\IUser;
 use OCP\Lockdown\ILockdownManager;
 use OCP\Security\ISecureRandom;
 use OCP\User\Events\PostLoginEvent;
+use PHPUnit\Framework\ExpectationFailedException;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
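Review bot: The new `if` line ties app-password detection to the concrete `PublicKeyToken` class while the constant it compares against lives on the `IToken` interface, so any other `IToken` implementation the token provider might return is silently never marked; if `getType()` is declared on `IToken` (it appears to be, since the type constants are), the `instanceof` is redundant and the guard can read `if ($dbToken->getType() === IToken::PERMANENT_TOKEN) {`, otherwise the narrowing deserves a comment saying why. The retained comment states what the line does but not why the condition changed from the remember flag to the token type, and since the `app_password` session flag is presumably consumed elsewhere to treat the request as app-password authenticated (confirm against its readers), the why is the security-relevant part: suggest `// Only permanent tokens (app passwords) mark the session; temporary and remember-me tokens must not.` Note also that a permanent token with the remember flag set is now marked where it previously was not; whether that combination can occur is not visible here. The enclosing `tryTokenLogin` body starts and ends outside the hunk.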
@@ -613,6 +614,45 @@ class SessionTest extends \Test\TestCase {
 self::assertFalse($loginResult);
 }
+ public function testTryTokenLoginNotAnAppPassword(): void {
+ $request = $this->createMock(IRequest::class);
+ $this->config->expects(self::once())
+ ->method('getSystemValueString')
+ ->with('instanceid')
+ ->willReturn('abc123');
+ $request->method('getHeader')->with('Authorization')->willReturn('');
+ $request->method('getCookie')->with('abc123')->willReturn('abcde12345');
+ $this->session->expects(self::once())
+ ->method('getId')
+ ->willReturn('abcde12345');
+ $dbToken = new PublicKeyToken();
+ $dbToken->setId(42);
+ $dbToken->setUid('johnny');
+ $dbToken->setLoginName('johnny');
+ $dbToken->setLastCheck(0);
+ $dbToken->setType(IToken::TEMPORARY_TOKEN);
+ $dbToken->setRemember(IToken::REMEMBER);
+ $this->tokenProvider->expects(self::any())
+ ->method('getToken')
+ ->with('abcde12345')
+ ->willReturn($dbToken);
+ $this->session->method('set')
+ ->willReturnCallback(function ($key, $value) {
+ if ($key === 'app_password') {
+ throw new ExpectationFailedException('app_password should not be set in session');
+ }
+ });
+ $user = $this->createMock(IUser::class);
+ $user->method('isEnabled')->willReturn(true);
+ $this->manager->method('get')
+ ->with('johnny')
+ ->willReturn($user);
+
+ $loginResult = $this->userSession->tryTokenLogin($request);
+
+ self::assertTrue($loginResult);
+ }
+
 public function testRememberLoginValidToken() {
 $session = $this->getMockBuilder(Memory::class)->setConstructorArgs([''])->getMock();
 $managerMethods = get_class_methods(Manager::class);
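Review bot: The `willReturnCallback` on `$this->session->method('set')` hand-throws `ExpectationFailedException` to express a negative expectation; the idiomatic form is an assertion inside the callback, `->willReturnCallback(static function (string $key, $value): void { self::assertNotSame('app_password', $key, 'app_password should not be set in session'); });`, which reports through PHPUnit's normal failure path and makes the new `use PHPUnit\Framework\ExpectationFailedException;` import in the earlier hunk unnecessary. The test pins only the negative half of the changed condition (`IToken::TEMPORARY_TOKEN` with `IToken::REMEMBER`); unless an existing test already covers it, a mirror case building a `PublicKeyToken` with `IToken::PERMANENT_TOKEN` and expecting `set('app_password', 'abcde12345')` to be called would protect the other branch from regressing. `->expects(self::any())` on the token provider is a no-op and can be dropped. The enclosing test class continues outside the hunk.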