author | Thomas Müller <thomas.mueller@tmit.eu> | 2016-02-10 17:31:38 +0100 |
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-02-10 17:31:38 +0100 |
commit | 6b836325cf8b8087a0734574ce4d5d1f8ec8456d (patch) | |
tree | 56be9205131a55605d6547cbc218b6c218a90ae7 | |
parent | 6ffb83ae19e423ab894670cef116350ca86f331b (diff) | |
parent | 5680743c2b19daf561729d4a78978600150a0553 (diff) | |
Merge pull request #22276 from owncloud/harden-updater-auth
Harden updater authentication
3 files changed, 6 insertions, 5 deletions
diff --git a/apps/updatenotification/controller/admincontroller.php b/apps/updatenotification/controller/admincontroller.php
index ec1cc45075c..505ea01edd9 100644
--- a/apps/updatenotification/controller/admincontroller.php
+++ b/apps/updatenotification/controller/admincontroller.php
@@ -77,8 +77,8 @@ class AdminController extends Controller {
 $this->config->setAppValue('core', 'updater.secret.created', $this->timeFactory->getTime());
 // Create a new token
- $newToken = $this->secureRandom->generate(32);
- $this->config->setSystemValue('updater.secret', $newToken);
+ $newToken = $this->secureRandom->generate(64);
+ $this->config->setSystemValue('updater.secret', password_hash($newToken, PASSWORD_DEFAULT));
 return new DataResponse($newToken);
 }
diff --git a/apps/updatenotification/lib/resettokenbackgroundjob.php b/apps/updatenotification/lib/resettokenbackgroundjob.php
index 0b737f681b6..61bd9fc0490 100644
--- a/apps/updatenotification/lib/resettokenbackgroundjob.php
+++ b/apps/updatenotification/lib/resettokenbackgroundjob.php
@@ -67,7 +67,8 @@ class ResetTokenBackgroundJob extends TimedJob {
 * @param $argument
 */
 protected function run($argument) {
- if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 86400) {
+ // Delete old tokens after 2 days
+ if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 172800) {
 $this->config->deleteSystemValue('updater.secret');
 }
 }
diff --git a/apps/updatenotification/tests/controller/AdminControllerTest.php b/apps/updatenotification/tests/controller/AdminControllerTest.php
index 01801626000..5a0f9d21469 100644
--- a/apps/updatenotification/tests/controller/AdminControllerTest.php
+++ b/apps/updatenotification/tests/controller/AdminControllerTest.php
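Review bot: Persisting `password_hash($newToken, PASSWORD_DEFAULT)` on the last added line of the admincontroller.php hunk means whatever later compares a submitted secret against `updater.secret` must use `password_verify()`; that verifying side is not part of this commit, so I cannot confirm it was changed to match, and any remaining direct string comparison would now always fail. The plaintext is still handed out exactly once via `return new DataResponse($newToken);`, and the comment above the generation should record that contract, e.g. `// Create a new token; only its hash is persisted, the plaintext is returned to the admin once in the response`. The enclosing method starts before the hunk, so its signature and docblock are not visible here.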
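Review bot: In the resettokenbackgroundjob.php hunk the literal `172800` on the added `if` line encodes the two-day window that the new comment also states, so the two can drift apart silently; a class constant keeps them together, e.g. `const TOKEN_LIFETIME = 172800; // two days` and `>= self::TOKEN_LIFETIME` in the condition. Note also that `getAppValue(..., $this->timeFactory->getTime())` falls back to "now" when `updater.secret.created` is missing, making the difference 0, so a secret whose creation timestamp is absent is never expired by this job — presumably the controller always writes both together, but that is worth confirming. The visible docblock `@param $argument` carries no type; `@param mixed $argument` (or the actual type the scheduler passes) would document it.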
@@ -77,12 +77,12 @@ class AdminControllerTest extends TestCase {
 $this->secureRandom
 ->expects($this->once())
 ->method('generate')
- ->with(32)
+ ->with(64)
 ->willReturn('MyGeneratedToken');
 $this->config
 ->expects($this->once())
 ->method('setSystemValue')
- ->with('updater.secret', 'MyGeneratedToken');
+ ->with('updater.secret');
 $this->timeFactory
 ->expects($this->once())
 ->method('getTime') |
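Review bot: Dropping the second argument in the added `->with('updater.secret');` line removes the only assertion on what is stored, so a regression that writes the plaintext token back into config would still pass this test. The expectation can verify the hash without knowing its salt: `->with('updater.secret', $this->callback(function ($hash) { return password_verify('MyGeneratedToken', $hash); }));`. The test method begins and ends outside the hunk.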