author | Roeland Jago Douma <roeland@famdouma.nl> | 2018-05-16 15:09:35 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2018-05-22 14:51:30 +0200 |
commit | 73f8373151be49eb654ecc421ccb949e80e2f19a (patch) | |
tree | 1acd91e056e48ff6babcc31b4f8a5ef4a7b8385a | |
parent | d03265fb62484536d00b90974f27b0e6282c2e6a (diff) | |
Don't use special chars to avoid confusion
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r-- | apps/oauth2/lib/Controller/OauthApiController.php | 7 | ||||
-rw-r--r-- | core/Controller/ClientFlowLoginController.php | 2 |
2 files changed, 8 insertions, 1 deletions
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index 4d368801cca..8c96a3feee1 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -90,6 +90,7 @@ class OauthApiController extends Controller {
 */
 public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret) {
+ // We only handle two types
 if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') {
 return new JSONResponse([
 'error' => 'invalid_grant',
@@ -117,6 +118,7 @@ class OauthApiController extends Controller {
 ], Http::STATUS_BAD_REQUEST);
 }
+ // The client id and secret must match. Else we don't provide an access token!
 if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) {
 return new JSONResponse([
 'error' => 'invalid_client',
@@ -125,6 +127,7 @@ class OauthApiController extends Controller {
 $decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
+ // Obtain the appToken assoicated
 try {
 $appToken = $this->tokenProvider->getTokenById($accessToken->getTokenId());
 } catch (ExpiredTokenException $e) {
@@ -137,6 +140,7 @@ class OauthApiController extends Controller {
 ], Http::STATUS_BAD_REQUEST);
 }
+ // Rotate the apptoken (so the old one becomes invalid basically)
 $newToken = $this->secureRandom->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 $appToken = $this->tokenProvider->rotate(
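Review bot: The client-secret check that the new comment in the second hunk (@@ -117) documents compares the stored secret against the request value with `!==`, which is an ordinary short-circuiting string compare rather than a constant-time one; for a credential check the idiomatic form is `if ($client->getClientIdentifier() !== $client_id || !is_string($client_secret) || !hash_equals($client->getSecret(), $client_secret)) {`. The `is_string` guard is there because `$client_secret` appears to be an untyped request parameter and `hash_equals()` warns and returns false on non-string input; this assumes `getSecret()` returns a string, which the hunk does not show. The commit only adds the comment on this line, so this is an observation on the surrounding code rather than on the change itself, and getToken continues outside the hunk.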
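Review bot: The comment added in the third hunk (@@ -125) misspells "associated" and does not say what the token is associated with, which is the one thing a reader needs from it; I would write `// Obtain the app token associated with this access token`. The try block it introduces continues outside the hunk.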
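Review bot: The character set passed to generate() on the `$newToken` line of the fourth hunk (@@ -137) is spelled out inline, and the identical expression is repeated for the 128-character `$newCode` in the next hunk and again in ClientFlowLoginController, so the reason behind the restriction lives only in the commit message. A named constant would carry it into the code, e.g. `private const TOKEN_ALPHABET = ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS; // alphanumeric only: special characters in tokens caused confusion`, used as `$this->secureRandom->generate(72, self::TOKEN_ALPHABET)`. The added comment on that hunk would also read better without the hedge, e.g. `// Rotate the app token so the previously issued value is invalidated`. The rotate() call is cut off at the end of the hunk.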
@@ -144,9 +148,12 @@ class OauthApiController extends Controller {
 $decryptedToken,
 $newToken
 );
+
+ // Expiration is in 1 hour again
 $appToken->setExpires($this->time->getTime() + 3600);
 $this->tokenProvider->updateToken($appToken);
+ // Generate a new refresh token and encrypt the new apptoken in the DB
 $newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 $accessToken->setHashedCode(hash('sha512', $newCode));
 $accessToken->setEncryptedToken($this->crypto->encrypt($newToken, $newCode));
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 0e7fbf892b6..3bd396a0b97 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -291,7 +291,7 @@ class ClientFlowLoginController extends Controller {
 );
 if($client) {
- $code = $this->random->generate(128);
+ $code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
 $accessToken = new AccessToken();
 $accessToken->setClientId($client->getId());
 $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
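Review bot: The new comment above `setExpires` says the expiry is "1 hour again", but the value stays the bare literal 3600 on the line below it, so the meaning is still only in prose; a named constant such as `private const ACCESS_TOKEN_TTL = 3600; // seconds` with `$appToken->setExpires($this->time->getTime() + self::ACCESS_TOKEN_TTL);` keeps the two from drifting apart. The comment above `$newCode` could also state what the two following lines actually do, namely that only the sha512 hash of the new code is persisted and the code itself is the key under which the rotated app token is encrypted, e.g. `// New refresh code: persist only its hash, and use the code as the key for the encrypted app token`. The enclosing method continues past the end of the hunk.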
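Review bot: The replacement `$code = $this->random->generate(128, ISecureRandom::CHAR_UPPER...)` line in ClientFlowLoginController references `ISecureRandom`, which the line it replaces did not; unless the file already has `use OCP\Security\ISecureRandom;` (the import block is outside the hunk), the name resolves relative to the controller's namespace and fails at runtime when this branch is reached. Please confirm the import is present or add it. The `if($client)` block continues outside the hunk.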