authorJoas Schilling <coding@schilljs.com>2023-02-08 22:59:18 +0100
committerJoas Schilling <coding@schilljs.com>2023-02-09 09:58:35 +0100
commit7a85a1596ef09024a351daaadfb82a57c3aa0410 (patch)
treef607359e4685c0921280594ab57af0fec18d70d6
parent03a585ab4fe499753d9dc03e17dd82aeaea8205e (diff)
downloadnextcloud-server-7a85a1596ef09024a351daaadfb82a57c3aa0410.tar.gz
nextcloud-server-7a85a1596ef09024a351daaadfb82a57c3aa0410.zip
fix(authentication): Check minimum length when creating app tokens
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r--lib/private/Authentication/Token/PublicKeyTokenProvider.php12
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index bbedd54f91a..978462af6a2 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -46,6 +46,8 @@ use OCP\Security\IHasher;
use Psr\Log\LoggerInterface;
class PublicKeyTokenProvider implements IProvider {
+ public const TOKEN_MIN_LENGTH = 22;
+
use TTransactional;
/** @var PublicKeyTokenMapper */
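Review bot: The new public constant `TOKEN_MIN_LENGTH` carries no docblock, although it is the single value that now gates every token created by this provider and is exposed to other code through `public`. A reader of the class header cannot tell where 22 comes from; the justification only appears in a comment further down the file (the hunk at `@@ -122,14 +130,14 @@` ties it to the lower bound of PHP's `session.sid_length`). I would add above the constant: `/** Minimum accepted token length in bytes (strlen); matches the smallest session.sid_length PHP allows, so PHP session ids and the generated device tokens (29 chars) always pass. */`. Stating "bytes" also pins down that the checks use `strlen`, not `mb_strlen`.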
@@ -98,6 +100,12 @@ class PublicKeyTokenProvider implements IProvider {
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
+ if (strlen($token) < self::TOKEN_MIN_LENGTH) {
+ $exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given');
+ $this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]);
+ throw $exception;
+ }
+
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
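Review bot: The exception message on the added `$exception = new InvalidTokenException(...)` line speaks of "characters" while the guard and the message both use `strlen($token)`, which counts bytes; for the ASCII session ids and random device tokens this is the same number, but the wording is misleading if a multibyte value ever reaches here. I would either say bytes, `'Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' bytes is required, ' . strlen($token) . ' bytes given'`, or pick `mb_strlen` consistently in both the condition and the message. The same byte-vs-character question applies to the second check in the hunk at `@@ -122,14 +130,14 @@`, which is cut off at the end of the page. Logging only the length and not the token value is the right choice and should stay that way.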
@@ -122,14 +130,14 @@ class PublicKeyTokenProvider implements IProvider {
* @see \OCA\Preferred_Providers\Controller\PasswordController::generateAppPassword
* @see \OCA\GlobalSiteSelector\TokenHandler::generateAppPassword
*
- * Token length: 32-256 - https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length
+ * Token length: 22-256 - https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length
* @see \OC\User\Session::createSessionToken
*
* Token length: 29
* @see \OCA\Settings\Controller\AuthSettingsController::generateRandomDeviceToken
* @see \OCA\Registration\Service\RegistrationService::generateAppPassword
*/
- if (strlen($tokenId) < 29) {
+ if (strlen($tokenId) < self::TOKEN_MIN_LENGTH) {
throw new InvalidTokenException('Token is too short for a generated token, should be the password during basic auth');
}