authorVincent Petry <pvince81@owncloud.com>2016-06-27 09:54:37 +0200
committerGitHub <noreply@github.com>2016-06-27 09:54:37 +0200
commit089fcb45c081d66f7280ab08fccc647164565b09 (patch)
tree4cc59065c7bdbcde0f0cb66315cb1d1fa5116362
parentee90bef50a179e542b15ea5c7b1cf3d808cd3ad4 (diff)
parentdb34671626e1172624f369433da76bb7d41faf24 (diff)
Merge pull request #25154 from owncloud/token-login-check-loginname
check login name when authenticating via token and basic auth
-rw-r--r--lib/private/User/Session.php13
-rw-r--r--tests/lib/User/SessionTest.php30
2 files changed, 41 insertions, 2 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 2b65f31af28..6219a89e5b3 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter {
*/
public function login($uid, $password) {
$this->session->regenerateId();
- if ($this->validateToken($password)) {
+ if ($this->validateToken($password, $uid)) {
// When logging in with token, the password must be decrypted first before passing to login hook
try {
$token = $this->tokenProvider->getToken($password);
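Review bot: After this change a login-name mismatch and an unknown token are indistinguishable at the call site: validateToken() returns false for both, so login() continues into the password branch with the token string used as the password (the new SessionTest case expects checkPassword('foo', 'bar') exactly for the mismatch). That fallback predates this commit, but the reason the mismatch is not treated as a hard failure is not visible here. A comment on the changed line would make it explicit, e.g. `// also false when the token's login name differs from $uid; the value then goes through the regular password check below`. login() starts and ends outside this hunk.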
@@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter {
* Invalidates the token if checks fail
*
* @param string $token
+ * @param string $user login name
* @return boolean
*/
- private function validateToken($token) {
+ private function validateToken($token, $user = null) {
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $ex) {
return false;
}
+ // Check if login names match
+ if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+ // TODO: this makes it imposssible to use different login names on browser and client
+ // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+ // allow to use the client token with the login name 'user'.
+ return false;
+ }
+
if (!$this->checkTokenCredentials($dbToken, $token)) {
return false;
}
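Review bot: The docblock at the top of this hunk states that the token is invalidated when checks fail, but the new login-name branch returns false without touching the token, so either the docblock or the branch comment should say which behaviour is intended for a mismatch. If leaving the token valid is deliberate (the same device token may still be used with the right login name), replace `// Check if login names match` with `// Check if login names match; a mismatch rejects this attempt but does not invalidate the token`. The new parameter defaults to null, so its docblock line should read `@param string|null $user login name`, and the TODO below it has a typo ("imposssible"). validateToken() ends outside this hunk.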
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
index eef4c7ff5ea..447c6142f34 100644
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@@ -315,6 +315,36 @@ class SessionTest extends \Test\TestCase {
}
/**
+ * When using a device token, the loginname must match the one that was used
+ * when generating the token on the browser.
+ */
+ public function testLoginWithDifferentTokenLoginName() {
+ $session = $this->getMock('\OC\Session\Memory', array(), array(''));
+ $manager = $this->getMock('\OC\User\Manager');
+ $backend = $this->getMock('\Test\Util\User\Dummy');
+ $userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config);
+ $username = 'user123';
+ $token = new \OC\Authentication\Token\DefaultToken();
+ $token->setLoginName($username);
+
+ $session->expects($this->never())
+ ->method('set');
+ $session->expects($this->once())
+ ->method('regenerateId');
+ $this->tokenProvider->expects($this->once())
+ ->method('getToken')
+ ->with('bar')
+ ->will($this->returnValue($token));
+
+ $manager->expects($this->once())
+ ->method('checkPassword')
+ ->with('foo', 'bar')
+ ->will($this->returnValue(false));
+
+ $userSession->login('foo', 'bar');
+ }
+
+ /**
* @expectedException \OC\Authentication\Exceptions\PasswordLoginForbiddenException
*/
public function testLogClientInNoTokenPasswordWith2fa() {
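Review bot: testLoginWithDifferentTokenLoginName() never asserts the result of the login call, so it only proves that the password path was consulted, not that the login was rejected; the last statement should be `$this->assertFalse($userSession->login('foo', 'bar'));`. The mock expectations on `set` and `regenerateId` cover the session side effects, but the return value is the contract the commit message promises. testLogClientInNoTokenPasswordWith2fa() continues outside this hunk.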