author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-01 14:04:08 +0200 |
committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-04-03 10:15:11 +0200 |
commit | 181561771b266b91132efe3387dccdf189899983 (patch) | |
tree | 9f5fb0d52340ff4d48fb3af532c24c875cdbe378 | |
parent | c3d0afd77d66cf5d2cf5e8a1056ad1351455f323 (diff) | |
fix(session): Only mark sessions of permanent tokens as app passwords (backport/51905/stable30)
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
-rw-r--r-- | lib/private/User/Session.php | 5 | ||||
-rw-r--r-- | tests/lib/User/SessionTest.php | 40 |
2 files changed, 42 insertions, 3 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index fc6b84fe908..31d387c7583 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -833,9 +833,8 @@ class Session implements IUserSession, Emitter {
 return true;
 }
- // Remember me tokens are not app_passwords
- if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
- // Set the session variable so we know this is an app password
+ // Set the session variable so we know this is an app password
+ if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::PERMANENT_TOKEN) {
 $this->session->set('app_password', $token);
 }
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
index 0ebc2965b3e..c57306e578f 100644
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@@ -34,6 +34,7 @@ use OCP\Lockdown\ILockdownManager;
 use OCP\Security\Bruteforce\IThrottler;
 use OCP\Security\ISecureRandom;
 use OCP\User\Events\PostLoginEvent;
+use PHPUnit\Framework\ExpectationFailedException;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use function array_diff;
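Review bot: The new guard depends on the unqualified name `PublicKeyToken`, and this hunk adds no `use` import for it in Session.php; if the class is not already imported (not visible from this hunk), `instanceof` against an unresolved name evaluates to false without raising any error, so no session would ever be marked as an app password and the regression would be silent. Worth confirming the import exists, or writing the check with a fully-qualified class name so the intent cannot be lost to namespace resolution; if `getType()` is declared on IToken, the `instanceof` narrowing could be dropped altogether so the check works for any token implementation. The removed comment was the only statement of why some tokens are excluded, and the surviving comment describes the assignment rather than the condition, so I would restore the reasoning: `// Only permanent tokens are app passwords; temporary tokens (including remember-me) must not set this flag`. The enclosing method starts and ends outside the hunk.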
@@ -611,6 +612,45 @@ class SessionTest extends \Test\TestCase {
 self::assertFalse($loginResult);
 }
+ public function testTryTokenLoginNotAnAppPassword(): void {
+ $request = $this->createMock(IRequest::class);
+ $this->config->expects(self::once())
+ ->method('getSystemValueString')
+ ->with('instanceid')
+ ->willReturn('abc123');
+ $request->method('getHeader')->with('Authorization')->willReturn('');
+ $request->method('getCookie')->with('abc123')->willReturn('abcde12345');
+ $this->session->expects(self::once())
+ ->method('getId')
+ ->willReturn('abcde12345');
+ $dbToken = new PublicKeyToken();
+ $dbToken->setId(42);
+ $dbToken->setUid('johnny');
+ $dbToken->setLoginName('johnny');
+ $dbToken->setLastCheck(0);
+ $dbToken->setType(IToken::TEMPORARY_TOKEN);
+ $dbToken->setRemember(IToken::REMEMBER);
+ $this->tokenProvider->expects(self::any())
+ ->method('getToken')
+ ->with('abcde12345')
+ ->willReturn($dbToken);
+ $this->session->method('set')
+ ->willReturnCallback(function ($key, $value) {
+ if ($key === 'app_password') {
+ throw new ExpectationFailedException('app_password should not be set in session');
+ }
+ });
+ $user = $this->createMock(IUser::class);
+ $user->method('isEnabled')->willReturn(true);
+ $this->manager->method('get')
+ ->with('johnny')
+ ->willReturn($user);
+
+ $loginResult = $this->userSession->tryTokenLogin($request);
+
+ self::assertTrue($loginResult);
+ }
+
 public function testRememberLoginValidToken() {
 $session = $this->createMock(Memory::class);
 $managerMethods = get_class_methods(Manager::class); |
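Review bot: The new test only pins the exclusion, that a TEMPORARY_TOKEN with REMEMBER does not trigger `set('app_password', ...)`, while nothing in this hunk asserts the positive side of the changed condition, that a PERMANENT_TOKEN still marks the session; if no existing test covers it, a sibling test with `$dbToken->setType(IToken::PERMANENT_TOKEN);` and a `willReturnCallback` that records whether the `app_password` key was written would guard the fix against being undone silently. Throwing from the callback is a reasonable choice here, since a `never()` expectation combined with `with()` would presumably trip on other keys the session writes during login, but the closure ignores `$value` and declares no types; `static function (string $key, $value): void {` makes both explicit and matches the typed style of the new method signature.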