diff options
| author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-01 14:04:08 +0200 |
|---|---|---|
| committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-09 07:48:30 +0200 |
| commit | 829ca3df55bcba860a7850fbe1824f07c849dbbf (patch) | |
| tree | 1f30e95b0e70ceaf6bba9b89886790122622ee60 | |
| parent | fa65153071f1ff85e177ff216caa576e64e42614 (diff) | |
| download | nextcloud-server-backport/51905/stable28.tar.gz nextcloud-server-backport/51905/stable28.zip | |
fix(session): Only mark sessions of permanent tokens as app passwordsbackport/51905/stable28
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
| -rw-r--r-- | lib/private/User/Session.php | 5 | ||||
| -rw-r--r-- | tests/lib/User/SessionTest.php | 40 |
2 files changed, 42 insertions, 3 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 212914ddb79..426d65b4faf 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -863,9 +863,8 @@ class Session implements IUserSession, Emitter { return true; } - // Remember me tokens are not app_passwords - if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) { - // Set the session variable so we know this is an app password + // Set the session variable so we know this is an app password + if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) { $this->session->set('app_password', $token); } diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php index 9e725e73a5d..8afb6838532 100644 --- a/tests/lib/User/SessionTest.php +++ b/tests/lib/User/SessionTest.php @@ -35,6 +35,7 @@ use OCP\Lockdown\ILockdownManager; use OCP\Security\Bruteforce\IThrottler; use OCP\Security\ISecureRandom; use OCP\User\Events\PostLoginEvent; +use PHPUnit\Framework\ExpectationFailedException; use PHPUnit\Framework\MockObject\MockObject; use Psr\Log\LoggerInterface; use function array_diff; @@ -612,6 +613,45 @@ class SessionTest extends \Test\TestCase { self::assertFalse($loginResult); } + public function testTryTokenLoginNotAnAppPassword(): void { + $request = $this->createMock(IRequest::class); + $this->config->expects(self::once()) + ->method('getSystemValueString') + ->with('instanceid') + ->willReturn('abc123'); + $request->method('getHeader')->with('Authorization')->willReturn(''); + $request->method('getCookie')->with('abc123')->willReturn('abcde12345'); + $this->session->expects(self::once()) + ->method('getId') + ->willReturn('abcde12345'); + $dbToken = new PublicKeyToken(); + $dbToken->setId(42); + $dbToken->setUid('johnny'); + $dbToken->setLoginName('johnny'); + $dbToken->setLastCheck(0); + $dbToken->setType(IToken::TEMPORARY_TOKEN); + $dbToken->setRemember(IToken::REMEMBER); + $this->tokenProvider->expects(self::any()) + ->method('getToken') + ->with('abcde12345') + ->willReturn($dbToken); + $this->session->method('set') + ->willReturnCallback(function ($key, $value) { + if ($key === 'app_password') { + throw new ExpectationFailedException('app_password should not be set in session'); + } + }); + $user = $this->createMock(IUser::class); + $user->method('isEnabled')->willReturn(true); + $this->manager->method('get') + ->with('johnny') + ->willReturn($user); + + $loginResult = $this->userSession->tryTokenLogin($request); + + self::assertTrue($loginResult); + } + public function testRememberLoginValidToken() { $session = $this->getMockBuilder(Memory::class)->setConstructorArgs([''])->getMock(); $managerMethods = get_class_methods(Manager::class); |