diff options
author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2024-07-11 09:24:24 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-11 09:24:24 +0200 |
commit | 95af299cf58e7a4c01c18020627135796eadb591 (patch) | |
tree | 7f6d2dd04c6b561dcdccf64f7099b91984bf02bd | |
parent | d70744136d36f313a205fb8f29261b64572bdb10 (diff) | |
parent | abd8708a96e12cf30b97cee668cb1880d918abec (diff) | |
download | nextcloud-server-95af299cf58e7a4c01c18020627135796eadb591.tar.gz nextcloud-server-95af299cf58e7a4c01c18020627135796eadb591.zip |
Merge pull request #46398 from nextcloud/fix/46165/token-race
fix(Session): avoid race conditions on clustered setups
-rw-r--r-- | build/psalm-baseline.xml | 3 | ||||
-rw-r--r-- | lib/private/Authentication/Token/PublicKeyTokenProvider.php | 2 | ||||
-rw-r--r-- | lib/private/Server.php | 2 | ||||
-rw-r--r-- | lib/private/User/Session.php | 61 |
4 files changed, 22 insertions, 46 deletions
diff --git a/build/psalm-baseline.xml b/build/psalm-baseline.xml index e74c7714a88..ecb3f68c230 100644 --- a/build/psalm-baseline.xml +++ b/build/psalm-baseline.xml @@ -2881,6 +2881,9 @@ <code><![CDATA[$request->server]]></code> <code><![CDATA[$request->server]]></code> </NoInterfaceProperties> + <RedundantCondition> + <code><![CDATA[$this->manager instanceof PublicEmitter]]></code> + </RedundantCondition> </file> <file src="lib/private/User/User.php"> <UndefinedInterfaceMethod> diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index 767ece1e551..18b850b9377 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -171,7 +171,7 @@ class PublicKeyTokenProvider implements IProvider { private function getTokenFromCache(string $tokenHash): ?PublicKeyToken { $serializedToken = $this->cache->get($tokenHash); if ($serializedToken === false) { - throw new InvalidTokenException('Token does not exist: ' . $tokenHash); + return null; } if ($serializedToken === null) { diff --git a/lib/private/Server.php b/lib/private/Server.php index 795d72e3076..4d549918a8f 100644 --- a/lib/private/Server.php +++ b/lib/private/Server.php @@ -506,7 +506,7 @@ class Server extends ServerContainer implements IServerContainer { $c->get(ISecureRandom::class), $c->get('LockdownManager'), $c->get(LoggerInterface::class), - $c->get(IEventDispatcher::class) + $c->get(IEventDispatcher::class), ); /** @deprecated 21.0.0 use BeforeUserCreatedEvent event with the IEventDispatcher instead */ $userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) { diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index e5d27172519..64e8f6dfdc8 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -19,6 +19,7 @@ use OC\Security\CSRF\CsrfTokenManager; use OC_User; use OC_Util; use OCA\DAV\Connector\Sabre\Auth; +use OCP\AppFramework\Db\TTransactional; use OCP\AppFramework\Utility\ITimeFactory; use OCP\Authentication\Exceptions\ExpiredTokenException; use OCP\Authentication\Exceptions\InvalidTokenException; @@ -26,6 +27,7 @@ use OCP\EventDispatcher\GenericEvent; use OCP\EventDispatcher\IEventDispatcher; use OCP\Files\NotPermittedException; use OCP\IConfig; +use OCP\IDBConnection; use OCP\IRequest; use OCP\ISession; use OCP\IUser; @@ -62,53 +64,22 @@ use Psr\Log\LoggerInterface; * @package OC\User */ class Session implements IUserSession, Emitter { - /** @var Manager $manager */ - private $manager; - - /** @var ISession $session */ - private $session; - - /** @var ITimeFactory */ - private $timeFactory; - - /** @var IProvider */ - private $tokenProvider; - - /** @var IConfig */ - private $config; + use TTransactional; /** @var User $activeUser */ protected $activeUser; - /** @var ISecureRandom */ - private $random; - - /** @var ILockdownManager */ - private $lockdownManager; - - private LoggerInterface $logger; - /** @var IEventDispatcher */ - private $dispatcher; - - public function __construct(Manager $manager, - ISession $session, - ITimeFactory $timeFactory, - ?IProvider $tokenProvider, - IConfig $config, - ISecureRandom $random, - ILockdownManager $lockdownManager, - LoggerInterface $logger, - IEventDispatcher $dispatcher + public function __construct( + private Manager $manager, + private ISession $session, + private ITimeFactory $timeFactory, + private ?IProvider $tokenProvider, + private IConfig $config, + private ISecureRandom $random, + private ILockdownManager $lockdownManager, + private LoggerInterface $logger, + private IEventDispatcher $dispatcher, ) { - $this->manager = $manager; - $this->session = $session; - $this->timeFactory = $timeFactory; - $this->tokenProvider = $tokenProvider; - $this->config = $config; - $this->random = $random; - $this->lockdownManager = $lockdownManager; - $this->logger = $logger; - $this->dispatcher = $dispatcher; } /** @@ -674,8 +645,10 @@ class Session implements IUserSession, Emitter { $sessionId = $this->session->getId(); $pwd = $this->getPassword($password); // Make sure the current sessionId has no leftover tokens - $this->tokenProvider->invalidateToken($sessionId); - $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember); + $this->atomic(function () use ($sessionId, $uid, $loginName, $pwd, $name, $remember) { + $this->tokenProvider->invalidateToken($sessionId); + $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember); + }, \OCP\Server::get(IDBConnection::class)); return true; } catch (SessionNotAvailableException $ex) { // This can happen with OCC, where a memory session is used |