author | Julius Härtl <jus@bitgrid.net> | 2024-07-22 08:49:53 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-22 08:49:53 +0200 |
commit | 800dffec31b76a1c6b371d57d41ea9f5085a4a6e (patch) | |
tree | 9ff588fb8ed23dc9375ace09a502645ab90b97cf | |
parent | bd0b26178a76f81992fcd8f902171faa531b2fcd (diff) | |
parent | 99182aac37c0757f8aab65b0a93a2ddb87348dbe (diff) | |
Merge pull request #46640 from nextcloud/fix/noid/google-scope
fix(Token): take over scope in token refresh with login by cookie
-rw-r--r-- | lib/private/Authentication/Token/IProvider.php | 4 | ||||
-rw-r--r-- | lib/private/Authentication/Token/Manager.php | 7 | ||||
-rw-r--r-- | lib/private/Authentication/Token/PublicKeyTokenProvider.php | 14 |
3 files changed, 19 insertions, 6 deletions
diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
index dfb17301ab3..d47427e79bf 100644
--- a/lib/private/Authentication/Token/IProvider.php
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -35,7 +35,9 @@ interface IProvider {
 		?string $password,
 		string $name,
 		int $type = OCPIToken::TEMPORARY_TOKEN,
-		int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken;
+		int $remember = OCPIToken::DO_NOT_REMEMBER,
+		?array $scope = null,
+	): OCPIToken;
 
 	/**
 	 * Get a token by token id
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
index 37ed6083d82..6953f47b004 100644
--- a/lib/private/Authentication/Token/Manager.php
+++ b/lib/private/Authentication/Token/Manager.php
@@ -42,7 +42,9 @@ class Manager implements IProvider, OCPIProvider {
 		$password,
 		string $name,
 		int $type = OCPIToken::TEMPORARY_TOKEN,
-		int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
+		int $remember = OCPIToken::DO_NOT_REMEMBER,
+		?array $scope = null,
+	): OCPIToken {
 		if (mb_strlen($name) > 128) {
 			$name = mb_substr($name, 0, 120) . '…';
 		}
@@ -55,7 +57,8 @@ class Manager implements IProvider, OCPIProvider {
 				$password,
 				$name,
 				$type,
-				$remember
+				$remember,
+				$scope,
 			);
 		} catch (UniqueConstraintViolationException $e) {
 			// It's rare, but if two requests of the same session (e.g. env-based SAML)
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 18b850b9377..a3bfa3147a5 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
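Review bot: The new `?array $scope = null` parameter on IProvider::generateToken says nothing about what the array holds or what null means, and this is the contract every token provider implements, so each implementation is left to pick its own meaning. The method's docblock, if it has one, begins above the hunk; add there `@param array|null $scope Scope restrictions to store on the new token; null leaves the provider's default scope in place`, and pin down the key/value shape once it is settled, since it is what later limits what the token may access. The definition of generateToken starts outside this hunk.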
@@ -85,7 +85,9 @@ class PublicKeyTokenProvider implements IProvider {
 		?string $password,
 		string $name,
 		int $type = OCPIToken::TEMPORARY_TOKEN,
-		int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
+		int $remember = OCPIToken::DO_NOT_REMEMBER,
+		?array $scope = null,
+	): OCPIToken {
 		if (strlen($token) < self::TOKEN_MIN_LENGTH) {
 			$exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given');
 			$this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]);
@@ -107,6 +109,10 @@ class PublicKeyTokenProvider implements IProvider {
 			$dbToken->setPasswordHash($randomOldToken->getPasswordHash());
 		}
 
+		if ($scope !== null) {
+			$dbToken->setScope($scope);
+		}
+
 		$this->mapper->insert($dbToken);
 
 		if (!$oldTokenMatches && $password !== null) {
@@ -234,6 +240,8 @@ class PublicKeyTokenProvider implements IProvider {
 			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
 			$password = $this->decryptPassword($token->getPassword(), $privateKey);
 		}
+
+		$scope = $token->getScope() === '' ? null : $token->getScopeAsArray();
 		$newToken = $this->generateToken(
 			$sessionId,
 			$token->getUID(),
@@ -241,9 +249,9 @@ class PublicKeyTokenProvider implements IProvider {
 			$password,
 			$token->getName(),
 			OCPIToken::TEMPORARY_TOKEN,
-			$token->getRemember()
+			$token->getRemember(),
+			$scope,
 		);
-		$newToken->setScope($token->getScopeAsArray());
 		$this->cacheToken($newToken);
 		$this->cacheInvalidHash($token->getToken());
 
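Review bot: The guard `if ($scope !== null)` in generateToken persists an empty array as a real scope, while renewSessionToken in the same commit maps an empty stored scope to null so that nothing is set, so `[]` and `''` take different paths; whether `setScope([])` later round-trips as "no restriction" depends on getScopeAsArray, which is not visible here. If an empty array is meant to be the same as no scope, tighten the guard to `if ($scope !== null && $scope !== []) {`; otherwise make the distinction deliberate with `// null keeps the default scope; an explicit array, even an empty one, is persisted as-is`. Because scope is what limits what a token may access, this branch deserves a test asserting that a restricted scope is present on the inserted row, not only on the returned object. generateToken starts and ends outside this hunk.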
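Review bot: The new line `$scope = $token->getScope() === '' ? null : $token->getScopeAsArray();` treats only the empty string as "no scope"; if the scope column can be null on older rows (not shown here), `getScopeAsArray()` runs on null and whatever it returns is persisted on the renewed token. A null-tolerant form, `$scope = ($token->getScope() ?? '') === '' ? null : $token->getScopeAsArray();`, avoids depending on that. The property this hunk establishes is that scope restrictions now reach generateToken before the row is inserted, rather than being set on the object after the fact as the removed `setScope` call in the following hunk did, which is the point of the fix; a renewal test with a restricted scope that reads the token back from the mapper would pin it. renewSessionToken begins above this hunk and continues into the next one.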