authorLukas Reschke <lukas@owncloud.com>2016-02-10 14:41:47 +0100
committerLukas Reschke <lukas@owncloud.com>2016-02-10 16:31:11 +0100
commit5680743c2b19daf561729d4a78978600150a0553 (patch)
tree282ab57d336faa5d3112097fd8e78b2df0d64195 /apps/updatenotification/lib
parent5c89cf9565d4c08984af10d39cc4aff0a6cac147 (diff)
Harden updater authentication
- Reset tokens after 2 hours as discussed at https://github.com/owncloud/updater/issues/220#issuecomment-182033453 - Used BCrypt for storing the password in the config.php. This makes it substantially harder to brute-force the token in case it leaks. In the future we can also evaluate an HMAC that includes the IP. That's a bit trickier though at the moment, considering that we support reverse proxies. Didn't feel brave enough to touch that dragon now as well ;)
Diffstat (limited to 'apps/updatenotification/lib')
-rw-r--r--apps/updatenotification/lib/resettokenbackgroundjob.php3
1 files changed, 2 insertions, 1 deletions
diff --git a/apps/updatenotification/lib/resettokenbackgroundjob.php b/apps/updatenotification/lib/resettokenbackgroundjob.php
index 0b737f681b6..61bd9fc0490 100644
--- a/apps/updatenotification/lib/resettokenbackgroundjob.php
+++ b/apps/updatenotification/lib/resettokenbackgroundjob.php
@@ -67,7 +67,8 @@ class ResetTokenBackgroundJob extends TimedJob {
* @param $argument
*/
protected function run($argument) {
- if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 86400) {
+ // Delete old tokens after 2 days
+ if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 172800) {
$this->config->deleteSystemValue('updater.secret');
}
}
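Review bot: The new threshold on the `if` line is 172800 seconds, i.e. two days, as the added comment says, but the commit message states tokens are reset after 2 hours; since the old value was 86400 (one day), this hunk lengthens the token lifetime instead of shortening it. Either the message or the constant is wrong, and if two hours is intended the line should read `if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 7200) {`. Naming the lifetime, e.g. `const TOKEN_LIFETIME_SECONDS = 7200;` on the class with a comment stating the policy, would keep the comment, the message and the code from drifting apart again. Separately, only the `updater.secret` system value is deleted while the `updater.secret.created` app value is left behind; presumably it is rewritten when a new secret is issued, but removing it here with `$this->config->deleteAppValue('core', 'updater.secret.created');` would keep the two in sync — worth confirming against the code that creates the token.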