author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-01 14:04:08 +0200 |
---|---|---|
committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-03 10:17:43 +0200 |
commit | 91fda246b8bb775cf1a055a1867bbc10804777bc (patch) | |
tree | c720c778dd0aea51d3835ef3badf5d1bfa87d9f6 | |
parent | 3ecf8cb16ec9b269d5617c572a4e68183662b619 (diff) | |
download | nextcloud-server-backport/51905/stable29.tar.gz nextcloud-server-backport/51905/stable29.zip |
fix(session): Only mark sessions of permanent tokens as app passwords
backport/51905/stable29
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
-rw-r--r-- | lib/private/User/Session.php | 5 | ||||
-rw-r--r-- | tests/lib/User/SessionTest.php | 40 |
2 files changed, 42 insertions, 3 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 8d0dbf8395e..88e239ca92d 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -864,9 +864,8 @@ class Session implements IUserSession, Emitter {
 return true;
 }
- // Remember me tokens are not app_passwords
- if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
- // Set the session variable so we know this is an app password
+ // Set the session variable so we know this is an app password
+ if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {
 $this->session->set('app_password', $token);
 }
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
index 5b5afbe618a..08b953d9f14 100644
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@@ -35,6 +35,7 @@ use OCP\Lockdown\ILockdownManager;
 use OCP\Security\Bruteforce\IThrottler;
 use OCP\Security\ISecureRandom;
 use OCP\User\Events\PostLoginEvent;
+use PHPUnit\Framework\ExpectationFailedException;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use function array_diff;
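Review bot: The surviving comment on the new condition still only says the variable is being set, while the rationale for the narrowed rule — why a temporary token, even one with `getRemember() === IToken::REMEMBER` as the new test exercises, must not flag the session as app-password authenticated — is no longer stated anywhere in `Session.php` now that the old "Remember me tokens are not app_passwords" comment is gone; I would replace it with `// Only permanent tokens are app passwords; temporary (browser/remember-me) tokens must not mark the session as app-password authenticated`. This matters because whatever downstream checks key off `app_password` (not visible in this hunk) now treat every temporary-token session as a regular login, so the intent should be readable at the point where the flag is decided. If `IToken` already declares `getType()`, the `instanceof PublicKeyToken` guard is redundant and would silently skip the marking for any other `IToken` implementation; checking the type through the interface, or a one-line comment stating that `PublicKeyToken` is the only implementation, would make that deliberate. The enclosing method begins and ends outside this hunk.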
@@ -612,6 +613,45 @@ class SessionTest extends \Test\TestCase {
 self::assertFalse($loginResult);
 }
+ public function testTryTokenLoginNotAnAppPassword(): void {
+ $request = $this->createMock(IRequest::class);
+ $this->config->expects(self::once())
+ ->method('getSystemValueString')
+ ->with('instanceid')
+ ->willReturn('abc123');
+ $request->method('getHeader')->with('Authorization')->willReturn('');
+ $request->method('getCookie')->with('abc123')->willReturn('abcde12345');
+ $this->session->expects(self::once())
+ ->method('getId')
+ ->willReturn('abcde12345');
+ $dbToken = new PublicKeyToken();
+ $dbToken->setId(42);
+ $dbToken->setUid('johnny');
+ $dbToken->setLoginName('johnny');
+ $dbToken->setLastCheck(0);
+ $dbToken->setType(IToken::TEMPORARY_TOKEN);
+ $dbToken->setRemember(IToken::REMEMBER);
+ $this->tokenProvider->expects(self::any())
+ ->method('getToken')
+ ->with('abcde12345')
+ ->willReturn($dbToken);
+ $this->session->method('set')
+ ->willReturnCallback(function ($key, $value) {
+ if ($key === 'app_password') {
+ throw new ExpectationFailedException('app_password should not be set in session');
+ }
+ });
+ $user = $this->createMock(IUser::class);
+ $user->method('isEnabled')->willReturn(true);
+ $this->manager->method('get')
+ ->with('johnny')
+ ->willReturn($user);
+
+ $loginResult = $this->userSession->tryTokenLogin($request);
+
+ self::assertTrue($loginResult);
+ }
+
 public function testRememberLoginValidToken() {
 $session = $this->createMock(Memory::class);
 $managerMethods = get_class_methods(Manager::class);
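Review bot: The negative expectation in `testTryTokenLoginNotAnAppPassword` is enforced by throwing `ExpectationFailedException` from inside the `set` stub, so a regression surfaces as an exception raised mid-call from the mock rather than as an assertion after the act, and the stub's `$value` parameter goes unused. Recording the keys passed to `set` and asserting on them after `tryTokenLogin` keeps the arrange/act/assert shape the neighbouring tests use and drops the need for the `ExpectationFailedException` import added in the earlier hunk of this file. The hunk also only covers the temporary+remember-me combination; unless another test in the file already does so, a positive counterpart that builds the token with `IToken::PERMANENT_TOKEN` and expects `set('app_password', 'abcde12345')` would pin both sides of the new rule.
```php
		$setKeys = [];
		$this->session->method('set')
			->willReturnCallback(static function (string $key, $value) use (&$setKeys): void {
				$setKeys[] = $key;
			});
		// … unchanged: user mock, manager stub, tryTokenLogin call …
		self::assertTrue($loginResult);
		self::assertNotContains('app_password', $setKeys);
```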