summaryrefslogtreecommitdiffstats
path: root/apps/oauth2
diff options
context:
space:
mode:
authorRoeland Jago Douma <roeland@famdouma.nl>2018-05-16 15:09:35 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2018-05-22 14:51:30 +0200
commit73f8373151be49eb654ecc421ccb949e80e2f19a (patch)
tree1acd91e056e48ff6babcc31b4f8a5ef4a7b8385a /apps/oauth2
parentd03265fb62484536d00b90974f27b0e6282c2e6a (diff)
downloadnextcloud-server-73f8373151be49eb654ecc421ccb949e80e2f19a.tar.gz
nextcloud-server-73f8373151be49eb654ecc421ccb949e80e2f19a.zip
Don't use special chars to avoid confusion
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'apps/oauth2')
-rw-r--r--apps/oauth2/lib/Controller/OauthApiController.php7
1 files changed, 7 insertions, 0 deletions
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index 4d368801cca..8c96a3feee1 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -90,6 +90,7 @@ class OauthApiController extends Controller {
*/
public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret) {
+ // We only handle two types
if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') {
return new JSONResponse([
'error' => 'invalid_grant',
@@ -117,6 +118,7 @@ class OauthApiController extends Controller {
], Http::STATUS_BAD_REQUEST);
}
+ // The client id and secret must match. Else we don't provide an access token!
if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) {
return new JSONResponse([
'error' => 'invalid_client',
@@ -125,6 +127,7 @@ class OauthApiController extends Controller {
$decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
+ // Obtain the appToken assoicated
try {
$appToken = $this->tokenProvider->getTokenById($accessToken->getTokenId());
} catch (ExpiredTokenException $e) {
@@ -137,6 +140,7 @@ class OauthApiController extends Controller {
], Http::STATUS_BAD_REQUEST);
}
+ // Rotate the apptoken (so the old one becomes invalid basically)
$newToken = $this->secureRandom->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
$appToken = $this->tokenProvider->rotate(
@@ -144,9 +148,12 @@ class OauthApiController extends Controller {
$decryptedToken,
$newToken
);
+
+ // Expiration is in 1 hour again
$appToken->setExpires($this->time->getTime() + 3600);
$this->tokenProvider->updateToken($appToken);
+ // Generate a new refresh token and encrypt the new apptoken in the DB
$newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
$accessToken->setHashedCode(hash('sha512', $newCode));
$accessToken->setEncryptedToken($this->crypto->encrypt($newToken, $newCode));