diff options
| author | Julien Veyssier <julien-nc@posteo.net> | 2023-10-05 15:16:02 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-10-05 15:16:02 +0200 |
| commit | b4fec29e8e403cdf6a589f5a0855b3b904c720e4 (patch) | |
| tree | f83f5434a0327a3836694445ab95fec35f5af387 | |
| parent | f3f2d9b9784ef3a9304543969a0a88cd1f1054d8 (diff) | |
| parent | d56950a6c92635ca75dd9925ce5c4ad776291ea3 (diff) | |
| download | nextcloud-server-b4fec29e8e403cdf6a589f5a0855b3b904c720e4.tar.gz nextcloud-server-b4fec29e8e403cdf6a589f5a0855b3b904c720e4.zip | |
Merge pull request #40766 from nextcloud/enh/noid/oauth2-code-expiration
Make OAuth2 authorization code expire
| -rw-r--r-- | apps/oauth2/appinfo/info.xml | 6 | ||||
| -rw-r--r-- | apps/oauth2/composer/composer/autoload_classmap.php | 2 | ||||
| -rw-r--r-- | apps/oauth2/composer/composer/autoload_static.php | 2 | ||||
| -rw-r--r-- | apps/oauth2/lib/BackgroundJob/CleanupExpiredAuthorizationCode.php | 61 | ||||
| -rw-r--r-- | apps/oauth2/lib/Controller/OauthApiController.php | 52 | ||||
| -rw-r--r-- | apps/oauth2/lib/Db/AccessToken.php | 10 | ||||
| -rw-r--r-- | apps/oauth2/lib/Db/AccessTokenMapper.php | 31 | ||||
| -rw-r--r-- | apps/oauth2/lib/Migration/Version011603Date20230620111039.php | 86 | ||||
| -rw-r--r-- | apps/oauth2/openapi.json | 26 | ||||
| -rw-r--r-- | apps/oauth2/tests/Controller/OauthApiControllerTest.php | 103 | ||||
| -rw-r--r-- | apps/oauth2/tests/Db/AccessTokenMapperTest.php | 5 | ||||
| -rw-r--r-- | core/Controller/ClientFlowLoginController.php | 3 | ||||
| -rw-r--r-- | tests/Core/Controller/ClientFlowLoginControllerTest.php | 5 |
13 files changed, 362 insertions, 30 deletions
diff --git a/apps/oauth2/appinfo/info.xml b/apps/oauth2/appinfo/info.xml index bc31d12f161..fd17afbb11f 100644 --- a/apps/oauth2/appinfo/info.xml +++ b/apps/oauth2/appinfo/info.xml @@ -5,7 +5,7 @@ <name>OAuth 2.0</name> <summary>Allows OAuth2 compatible authentication from other web applications.</summary> <description>The OAuth2 app allows administrators to configure the built-in authentication workflow to also allow OAuth2 compatible authentication from other web applications.</description> - <version>1.16.2</version> + <version>1.16.3</version> <licence>agpl</licence> <author>Lukas Reschke</author> <namespace>OAuth2</namespace> @@ -19,6 +19,10 @@ <nextcloud min-version="28" max-version="28"/> </dependencies> + <background-jobs> + <job>OCA\OAuth2\BackgroundJob\CleanupExpiredAuthorizationCode</job> + </background-jobs> + <repair-steps> <post-migration> <step>OCA\OAuth2\Migration\SetTokenExpiration</step> diff --git a/apps/oauth2/composer/composer/autoload_classmap.php b/apps/oauth2/composer/composer/autoload_classmap.php index ffc00e254de..536342c0751 100644 --- a/apps/oauth2/composer/composer/autoload_classmap.php +++ b/apps/oauth2/composer/composer/autoload_classmap.php @@ -7,6 +7,7 @@ $baseDir = $vendorDir; return array( 'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php', + 'OCA\\OAuth2\\BackgroundJob\\CleanupExpiredAuthorizationCode' => $baseDir . '/../lib/BackgroundJob/CleanupExpiredAuthorizationCode.php', 'OCA\\OAuth2\\Controller\\LoginRedirectorController' => $baseDir . '/../lib/Controller/LoginRedirectorController.php', 'OCA\\OAuth2\\Controller\\OauthApiController' => $baseDir . '/../lib/Controller/OauthApiController.php', 'OCA\\OAuth2\\Controller\\SettingsController' => $baseDir . '/../lib/Controller/SettingsController.php', @@ -21,5 +22,6 @@ return array( 'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => $baseDir . '/../lib/Migration/Version010402Date20190107124745.php', 'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => $baseDir . '/../lib/Migration/Version011601Date20230522143227.php', 'OCA\\OAuth2\\Migration\\Version011602Date20230613160650' => $baseDir . '/../lib/Migration/Version011602Date20230613160650.php', + 'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => $baseDir . '/../lib/Migration/Version011603Date20230620111039.php', 'OCA\\OAuth2\\Settings\\Admin' => $baseDir . '/../lib/Settings/Admin.php', ); diff --git a/apps/oauth2/composer/composer/autoload_static.php b/apps/oauth2/composer/composer/autoload_static.php index 759e4fc3b79..1dc659778a3 100644 --- a/apps/oauth2/composer/composer/autoload_static.php +++ b/apps/oauth2/composer/composer/autoload_static.php @@ -22,6 +22,7 @@ class ComposerStaticInitOAuth2 public static $classMap = array ( 'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php', + 'OCA\\OAuth2\\BackgroundJob\\CleanupExpiredAuthorizationCode' => __DIR__ . '/..' . '/../lib/BackgroundJob/CleanupExpiredAuthorizationCode.php', 'OCA\\OAuth2\\Controller\\LoginRedirectorController' => __DIR__ . '/..' . '/../lib/Controller/LoginRedirectorController.php', 'OCA\\OAuth2\\Controller\\OauthApiController' => __DIR__ . '/..' . '/../lib/Controller/OauthApiController.php', 'OCA\\OAuth2\\Controller\\SettingsController' => __DIR__ . '/..' . '/../lib/Controller/SettingsController.php', @@ -36,6 +37,7 @@ class ComposerStaticInitOAuth2 'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => __DIR__ . '/..' . '/../lib/Migration/Version010402Date20190107124745.php', 'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => __DIR__ . '/..' . '/../lib/Migration/Version011601Date20230522143227.php', 'OCA\\OAuth2\\Migration\\Version011602Date20230613160650' => __DIR__ . '/..' . '/../lib/Migration/Version011602Date20230613160650.php', + 'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => __DIR__ . '/..' . '/../lib/Migration/Version011603Date20230620111039.php', 'OCA\\OAuth2\\Settings\\Admin' => __DIR__ . '/..' . '/../lib/Settings/Admin.php', ); diff --git a/apps/oauth2/lib/BackgroundJob/CleanupExpiredAuthorizationCode.php b/apps/oauth2/lib/BackgroundJob/CleanupExpiredAuthorizationCode.php new file mode 100644 index 00000000000..f4e08081ce6 --- /dev/null +++ b/apps/oauth2/lib/BackgroundJob/CleanupExpiredAuthorizationCode.php @@ -0,0 +1,61 @@ +<?php + +declare(strict_types=1); + +/** + * @copyright Copyright (c) 2023 Julien Veyssier <julien-nc@posteo.net> + * + * @author Julien Veyssier <julien-nc@posteo.net> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + + +namespace OCA\OAuth2\BackgroundJob; + +use OCA\OAuth2\Db\AccessTokenMapper; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\BackgroundJob\IJob; +use OCP\BackgroundJob\TimedJob; +use OCP\DB\Exception; +use Psr\Log\LoggerInterface; + +class CleanupExpiredAuthorizationCode extends TimedJob { + + public function __construct( + ITimeFactory $timeFactory, + private AccessTokenMapper $accessTokenMapper, + private LoggerInterface $logger, + + ) { + parent::__construct($timeFactory); + // 30 days + $this->setInterval(60 * 60 * 24 * 30); + $this->setTimeSensitivity(IJob::TIME_INSENSITIVE); + } + + /** + * @param mixed $argument + * @inheritDoc + */ + protected function run($argument): void { + try { + $this->accessTokenMapper->cleanupExpiredAuthorizationCode(); + } catch (Exception $e) { + $this->logger->warning('Failed to cleanup tokens with expired authorization code', ['exception' => $e]); + } + } +} diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php index af1205be0d7..dfb952a0951 100644 --- a/apps/oauth2/lib/Controller/OauthApiController.php +++ b/apps/oauth2/lib/Controller/OauthApiController.php @@ -39,6 +39,7 @@ use OCP\AppFramework\Controller; use OCP\AppFramework\Http; use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\DB\Exception; use OCP\IRequest; use OCP\Security\Bruteforce\IThrottler; use OCP\Security\ICrypto; @@ -46,6 +47,8 @@ use OCP\Security\ISecureRandom; use Psr\Log\LoggerInterface; class OauthApiController extends Controller { + // the authorization code expires after 10 minutes + public const AUTHORIZATION_CODE_EXPIRES_AFTER = 10 * 60; public function __construct( string $appName, @@ -57,7 +60,8 @@ class OauthApiController extends Controller { private ISecureRandom $secureRandom, private ITimeFactory $time, private LoggerInterface $logger, - private IThrottler $throttler + private IThrottler $throttler, + private ITimeFactory $timeFactory, ) { parent::__construct($appName, $request); } @@ -70,16 +74,20 @@ class OauthApiController extends Controller { * Get a token * * @param string $grant_type Token type that should be granted - * @param string $code Code of the flow - * @param string $refresh_token Refresh token - * @param string $client_id Client ID - * @param string $client_secret Client secret + * @param ?string $code Code of the flow + * @param ?string $refresh_token Refresh token + * @param ?string $client_id Client ID + * @param ?string $client_secret Client secret + * @throws Exception * @return JSONResponse<Http::STATUS_OK, array{access_token: string, token_type: string, expires_in: int, refresh_token: string, user_id: string}, array{}>|JSONResponse<Http::STATUS_BAD_REQUEST, array{error: string}, array{}> * * 200: Token returned * 400: Getting token is not possible */ - public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret): JSONResponse { + public function getToken( + string $grant_type, ?string $code, ?string $refresh_token, + ?string $client_id, ?string $client_secret + ): JSONResponse { // We only handle two types if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') { @@ -105,6 +113,33 @@ class OauthApiController extends Controller { return $response; } + if ($grant_type === 'authorization_code') { + // check this token is in authorization code state + $deliveredTokenCount = $accessToken->getTokenCount(); + if ($deliveredTokenCount > 0) { + $response = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + $response->throttle(['invalid_request' => 'authorization_code_received_for_active_token']); + return $response; + } + + // check authorization code expiration + $now = $this->timeFactory->now()->getTimestamp(); + $codeCreatedAt = $accessToken->getCodeCreatedAt(); + if ($codeCreatedAt < $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER) { + // we know this token is not useful anymore + $this->accessTokenMapper->delete($accessToken); + + $response = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + $expiredSince = $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER - $codeCreatedAt; + $response->throttle(['invalid_request' => 'authorization_code_expired', 'expired_since' => $expiredSince]); + return $response; + } + } + try { $client = $this->clientMapper->getByUid($accessToken->getClientId()); } catch (ClientNotFoundException $e) { @@ -172,6 +207,11 @@ class OauthApiController extends Controller { $newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_ALPHANUMERIC); $accessToken->setHashedCode(hash('sha512', $newCode)); $accessToken->setEncryptedToken($this->crypto->encrypt($newToken, $newCode)); + // increase the number of delivered oauth token + // this helps with cleaning up DB access token when authorization code has expired + // and it never delivered any oauth token + $tokenCount = $accessToken->getTokenCount(); + $accessToken->setTokenCount($tokenCount + 1); $this->accessTokenMapper->update($accessToken); $this->throttler->resetDelay($this->request->getRemoteAddress(), 'login', ['user' => $appToken->getUID()]); diff --git a/apps/oauth2/lib/Db/AccessToken.php b/apps/oauth2/lib/Db/AccessToken.php index 26c830c64ad..e0da141af3f 100644 --- a/apps/oauth2/lib/Db/AccessToken.php +++ b/apps/oauth2/lib/Db/AccessToken.php @@ -34,6 +34,10 @@ use OCP\AppFramework\Db\Entity; * @method void setEncryptedToken(string $token) * @method string getHashedCode() * @method void setHashedCode(string $token) + * @method int getCodeCreatedAt() + * @method void setCodeCreatedAt(int $createdAt) + * @method int getTokenCount() + * @method void setTokenCount(int $tokenCount) */ class AccessToken extends Entity { /** @var int */ @@ -44,6 +48,10 @@ class AccessToken extends Entity { protected $hashedCode; /** @var string */ protected $encryptedToken; + /** @var int */ + protected $codeCreatedAt; + /** @var int */ + protected $tokenCount; public function __construct() { $this->addType('id', 'int'); @@ -51,5 +59,7 @@ class AccessToken extends Entity { $this->addType('clientId', 'int'); $this->addType('hashedCode', 'string'); $this->addType('encryptedToken', 'string'); + $this->addType('codeCreatedAt', 'int'); + $this->addType('tokenCount', 'int'); } } diff --git a/apps/oauth2/lib/Db/AccessTokenMapper.php b/apps/oauth2/lib/Db/AccessTokenMapper.php index da351d5d496..0347a43d7c6 100644 --- a/apps/oauth2/lib/Db/AccessTokenMapper.php +++ b/apps/oauth2/lib/Db/AccessTokenMapper.php @@ -28,9 +28,12 @@ declare(strict_types=1); */ namespace OCA\OAuth2\Db; +use OCA\OAuth2\Controller\OauthApiController; use OCA\OAuth2\Exceptions\AccessTokenNotFoundException; use OCP\AppFramework\Db\IMapperException; use OCP\AppFramework\Db\QBMapper; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\DB\Exception; use OCP\DB\QueryBuilder\IQueryBuilder; use OCP\IDBConnection; @@ -39,10 +42,10 @@ use OCP\IDBConnection; */ class AccessTokenMapper extends QBMapper { - /** - * @param IDBConnection $db - */ - public function __construct(IDBConnection $db) { + public function __construct( + IDBConnection $db, + private ITimeFactory $timeFactory, + ) { parent::__construct($db, 'oauth2_access_tokens'); } @@ -79,4 +82,24 @@ class AccessTokenMapper extends QBMapper { ->where($qb->expr()->eq('client_id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT))); $qb->executeStatement(); } + + /** + * Delete access tokens that have an expired authorization code + * -> those that are old enough + * and which never delivered any oauth token (still in authorization state) + * + * @return void + * @throws Exception + */ + public function cleanupExpiredAuthorizationCode(): void { + $now = $this->timeFactory->now()->getTimestamp(); + $maxTokenCreationTs = $now - OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER; + + $qb = $this->db->getQueryBuilder(); + $qb + ->delete($this->tableName) + ->where($qb->expr()->eq('token_count', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT))) + ->andWhere($qb->expr()->lt('code_created_at', $qb->createNamedParameter($maxTokenCreationTs, IQueryBuilder::PARAM_INT))); + $qb->executeStatement(); + } } diff --git a/apps/oauth2/lib/Migration/Version011603Date20230620111039.php b/apps/oauth2/lib/Migration/Version011603Date20230620111039.php new file mode 100644 index 00000000000..b694963b0f7 --- /dev/null +++ b/apps/oauth2/lib/Migration/Version011603Date20230620111039.php @@ -0,0 +1,86 @@ +<?php + +declare(strict_types=1); + +/** + * @copyright Copyright 2023, Julien Veyssier <julien-nc@posteo.net> + * + * @author Julien Veyssier <julien-nc@posteo.net> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ +namespace OCA\OAuth2\Migration; + +use Closure; +use OCP\DB\ISchemaWrapper; +use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\DB\Types; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\SimpleMigrationStep; + +class Version011603Date20230620111039 extends SimpleMigrationStep { + + public function __construct( + private IDBConnection $connection, + ) { + } + + public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { + /** @var ISchemaWrapper $schema */ + $schema = $schemaClosure(); + + if ($schema->hasTable('oauth2_access_tokens')) { + $table = $schema->getTable('oauth2_access_tokens'); + $dbChanged = false; + if (!$table->hasColumn('code_created_at')) { + $table->addColumn('code_created_at', Types::BIGINT, [ + 'notnull' => true, + 'default' => 0, + 'unsigned' => true, + ]); + $dbChanged = true; + } + if (!$table->hasColumn('token_count')) { + $table->addColumn('token_count', Types::BIGINT, [ + 'notnull' => true, + 'default' => 0, + 'unsigned' => true, + ]); + $dbChanged = true; + } + if (!$table->hasIndex('oauth2_tk_c_created_idx')) { + $table->addIndex(['token_count', 'code_created_at'], 'oauth2_tk_c_created_idx'); + $dbChanged = true; + } + if ($dbChanged) { + return $schema; + } + } + + return null; + } + + public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void { + // we consider that existing access_tokens have already produced at least one oauth token + // which prevents cleaning them up + $qbUpdate = $this->connection->getQueryBuilder(); + $qbUpdate->update('oauth2_access_tokens') + ->set('token_count', $qbUpdate->createNamedParameter(1, IQueryBuilder::PARAM_INT)); + $qbUpdate->executeStatement(); + } +} diff --git a/apps/oauth2/openapi.json b/apps/oauth2/openapi.json index a9903ae3473..c745e73bf79 100644 --- a/apps/oauth2/openapi.json +++ b/apps/oauth2/openapi.json @@ -121,40 +121,50 @@ "name": "code", "in": "query", "description": "Code of the flow", - "required": true, "schema": { - "type": "string" + "type": "string", + "nullable": true } }, { "name": "refresh_token", "in": "query", "description": "Refresh token", - "required": true, "schema": { - "type": "string" + "type": "string", + "nullable": true } }, { "name": "client_id", "in": "query", "description": "Client ID", - "required": true, "schema": { - "type": "string" + "type": "string", + "nullable": true } }, { "name": "client_secret", "in": "query", "description": "Client secret", - "required": true, "schema": { - "type": "string" + "type": "string", + "nullable": true } } ], "responses": { + "500": { + "description": "", + "content": { + "text/plain": { + "schema": { + "type": "string" + } + } + } + }, "200": { "description": "Token returned", "content": { diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php index a7dc35943f0..eec38890e05 100644 --- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php +++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php @@ -70,6 +70,8 @@ class OauthApiControllerTest extends TestCase { private $throttler; /** @var LoggerInterface|\PHPUnit\Framework\MockObject\MockObject */ private $logger; + /** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */ + private $timeFactory; /** @var OauthApiController */ private $oauthApiController; @@ -85,6 +87,7 @@ class OauthApiControllerTest extends TestCase { $this->time = $this->createMock(ITimeFactory::class); $this->throttler = $this->createMock(IThrottler::class); $this->logger = $this->createMock(LoggerInterface::class); + $this->timeFactory = $this->createMock(ITimeFactory::class); $this->oauthApiController = new OauthApiController( 'oauth2', @@ -96,7 +99,8 @@ class OauthApiControllerTest extends TestCase { $this->secureRandom, $this->time, $this->logger, - $this->throttler + $this->throttler, + $this->timeFactory ); } @@ -122,7 +126,90 @@ class OauthApiControllerTest extends TestCase { $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'invalidcode', null, null, null)); } - public function testGetTokenInvalidRefreshToken() { + public function testGetTokenExpiredCode() { + $codeCreatedAt = 100; + $expiredSince = 123; + + $expected = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_request' => 'authorization_code_expired', 'expired_since' => $expiredSince]); + + $accessToken = new AccessToken(); + $accessToken->setClientId(42); + $accessToken->setCodeCreatedAt($codeCreatedAt); + + $this->accessTokenMapper->method('getByCode') + ->with('validcode') + ->willReturn($accessToken); + + $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER + $expiredSince; + $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow); + $this->timeFactory->method('now') + ->willReturn($dateNow); + + $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null)); + } + + public function testGetTokenWithCodeForActiveToken() { + // if a token has already delivered oauth tokens, + // it should not be possible to get a new oauth token from a valid authorization code + $codeCreatedAt = 100; + + $expected = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_request' => 'authorization_code_received_for_active_token']); + + $accessToken = new AccessToken(); + $accessToken->setClientId(42); + $accessToken->setCodeCreatedAt($codeCreatedAt); + $accessToken->setTokenCount(1); + + $this->accessTokenMapper->method('getByCode') + ->with('validcode') + ->willReturn($accessToken); + + $tsNow = $codeCreatedAt + 1; + $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow); + $this->timeFactory->method('now') + ->willReturn($dateNow); + + $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null)); + } + + public function testGetTokenClientDoesNotExist() { + // In this test, the token's authorization code is valid and has not expired + // and we check what happens when the associated Oauth client does not exist + $codeCreatedAt = 100; + + $expected = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + $expected->throttle(['invalid_request' => 'client not found', 'client_id' => 42]); + + $accessToken = new AccessToken(); + $accessToken->setClientId(42); + $accessToken->setCodeCreatedAt($codeCreatedAt); + + $this->accessTokenMapper->method('getByCode') + ->with('validcode') + ->willReturn($accessToken); + + // 'now' is before the token's authorization code expiration + $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER - 1; + $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow); + $this->timeFactory->method('now') + ->willReturn($dateNow); + + $this->clientMapper->method('getByUid') + ->with(42) + ->willThrowException(new ClientNotFoundException()); + + $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null)); + } + + public function testRefreshTokenInvalidRefreshToken() { $expected = new JSONResponse([ 'error' => 'invalid_request', ], Http::STATUS_BAD_REQUEST); @@ -135,7 +222,7 @@ class OauthApiControllerTest extends TestCase { $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'invalidrefresh', null, null)); } - public function testGetTokenClientDoesNotExist() { + public function testRefreshTokenClientDoesNotExist() { $expected = new JSONResponse([ 'error' => 'invalid_request', ], Http::STATUS_BAD_REQUEST); @@ -169,7 +256,7 @@ class OauthApiControllerTest extends TestCase { * @param string $clientId * @param string $clientSecret */ - public function testGetTokenInvalidClient($clientId, $clientSecret) { + public function testRefreshTokenInvalidClient($clientId, $clientSecret) { $expected = new JSONResponse([ 'error' => 'invalid_client', ], Http::STATUS_BAD_REQUEST); @@ -192,7 +279,7 @@ class OauthApiControllerTest extends TestCase { $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', $clientId, $clientSecret)); } - public function testGetTokenInvalidAppToken() { + public function testRefreshTokenInvalidAppToken() { $expected = new JSONResponse([ 'error' => 'invalid_request', ], Http::STATUS_BAD_REQUEST); @@ -236,7 +323,7 @@ class OauthApiControllerTest extends TestCase { $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret')); } - public function testGetTokenValidAppToken() { + public function testRefreshTokenValidAppToken() { $accessToken = new AccessToken(); $accessToken->setClientId(42); $accessToken->setTokenId(1337); @@ -333,7 +420,7 @@ class OauthApiControllerTest extends TestCase { $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret')); } - public function testGetTokenValidAppTokenBasicAuth() { + public function testRefreshTokenValidAppTokenBasicAuth() { $accessToken = new AccessToken(); $accessToken->setClientId(42); $accessToken->setTokenId(1337); @@ -433,7 +520,7 @@ class OauthApiControllerTest extends TestCase { $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null)); } - public function testGetTokenExpiredAppToken() { + public function testRefreshTokenExpiredAppToken() { $accessToken = new AccessToken(); $accessToken->setClientId(42); $accessToken->setTokenId(1337); diff --git a/apps/oauth2/tests/Db/AccessTokenMapperTest.php b/apps/oauth2/tests/Db/AccessTokenMapperTest.php index 013eb72919a..b7de147963a 100644 --- a/apps/oauth2/tests/Db/AccessTokenMapperTest.php +++ b/apps/oauth2/tests/Db/AccessTokenMapperTest.php @@ -25,6 +25,7 @@ namespace OCA\OAuth2\Tests\Db; use OCA\OAuth2\Db\AccessToken; use OCA\OAuth2\Db\AccessTokenMapper; +use OCP\AppFramework\Utility\ITimeFactory; use Test\TestCase; /** @@ -36,7 +37,7 @@ class AccessTokenMapperTest extends TestCase { protected function setUp(): void { parent::setUp(); - $this->accessTokenMapper = new AccessTokenMapper(\OC::$server->getDatabaseConnection()); + $this->accessTokenMapper = new AccessTokenMapper(\OC::$server->getDatabaseConnection(), \OC::$server->get(ITimeFactory::class)); } public function testGetByCode() { @@ -54,7 +55,7 @@ class AccessTokenMapperTest extends TestCase { $this->accessTokenMapper->delete($token); } - + public function testDeleteByClientId() { $this->expectException(\OCA\OAuth2\Exceptions\AccessTokenNotFoundException::class); diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php index 3f92ad8cf30..0a073a586e4 100644 --- a/core/Controller/ClientFlowLoginController.php +++ b/core/Controller/ClientFlowLoginController.php @@ -46,6 +46,7 @@ use OCP\AppFramework\Http\Attribute\IgnoreOpenAPI; use OCP\AppFramework\Http\Attribute\UseSession; use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\StandaloneTemplateResponse; +use OCP\AppFramework\Utility\ITimeFactory; use OCP\Defaults; use OCP\EventDispatcher\IEventDispatcher; use OCP\IL10N; @@ -76,6 +77,7 @@ class ClientFlowLoginController extends Controller { private AccessTokenMapper $accessTokenMapper, private ICrypto $crypto, private IEventDispatcher $eventDispatcher, + private ITimeFactory $timeFactory, ) { parent::__construct($appName, $request); } @@ -287,6 +289,7 @@ class ClientFlowLoginController extends Controller { $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code)); $accessToken->setHashedCode(hash('sha512', $code)); $accessToken->setTokenId($generatedToken->getId()); + $accessToken->setCodeCreatedAt($this->timeFactory->now()->getTimestamp()); $this->accessTokenMapper->insert($accessToken); $redirectUri = $client->getRedirectUri(); diff --git a/tests/Core/Controller/ClientFlowLoginControllerTest.php b/tests/Core/Controller/ClientFlowLoginControllerTest.php index dfd3e629dcd..e340e81f342 100644 --- a/tests/Core/Controller/ClientFlowLoginControllerTest.php +++ b/tests/Core/Controller/ClientFlowLoginControllerTest.php @@ -31,6 +31,7 @@ use OCA\OAuth2\Db\Client; use OCA\OAuth2\Db\ClientMapper; use OCP\AppFramework\Http; use OCP\AppFramework\Http\StandaloneTemplateResponse; +use OCP\AppFramework\Utility\ITimeFactory; use OCP\Defaults; use OCP\EventDispatcher\IEventDispatcher; use OCP\IL10N; @@ -95,6 +96,7 @@ class ClientFlowLoginControllerTest extends TestCase { $this->accessTokenMapper = $this->createMock(AccessTokenMapper::class); $this->crypto = $this->createMock(ICrypto::class); $this->eventDispatcher = $this->createMock(IEventDispatcher::class); + $this->timeFactory = $this->createMock(ITimeFactory::class); $this->clientFlowLoginController = new ClientFlowLoginController( 'core', @@ -109,7 +111,8 @@ class ClientFlowLoginControllerTest extends TestCase { $this->clientMapper, $this->accessTokenMapper, $this->crypto, - $this->eventDispatcher + $this->eventDispatcher, + $this->timeFactory ); } |