diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2016-02-10 14:41:47 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2016-02-10 16:31:11 +0100 |
| commit | 5680743c2b19daf561729d4a78978600150a0553 (patch) | |
| tree | 282ab57d336faa5d3112097fd8e78b2df0d64195 /apps | |
| parent | 5c89cf9565d4c08984af10d39cc4aff0a6cac147 (diff) | |
| download | nextcloud-server-5680743c2b19daf561729d4a78978600150a0553.tar.gz nextcloud-server-5680743c2b19daf561729d4a78978600150a0553.zip | |
Harden updater authentication
- Reset tokens after 2 hours as discussed at https://github.com/owncloud/updater/issues/220#issuecomment-182033453
- Used BCrypt for storing the password in the config.php. This makes it substantially harder in case of a leakage of the token to bruteforce it. In the future we can evaluate also an HMAC including the IP. That's a bit tricker though at the moment considering that we support reverse proxies. Didn't feel brave enough to touch that dragon now as well ;)
Diffstat (limited to 'apps')
3 files changed, 6 insertions, 5 deletions
diff --git a/apps/updatenotification/controller/admincontroller.php b/apps/updatenotification/controller/admincontroller.php index ec1cc45075c..505ea01edd9 100644 --- a/apps/updatenotification/controller/admincontroller.php +++ b/apps/updatenotification/controller/admincontroller.php @@ -77,8 +77,8 @@ class AdminController extends Controller { $this->config->setAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()); // Create a new token - $newToken = $this->secureRandom->generate(32); - $this->config->setSystemValue('updater.secret', $newToken); + $newToken = $this->secureRandom->generate(64); + $this->config->setSystemValue('updater.secret', password_hash($newToken, PASSWORD_DEFAULT)); return new DataResponse($newToken); } diff --git a/apps/updatenotification/lib/resettokenbackgroundjob.php b/apps/updatenotification/lib/resettokenbackgroundjob.php index 0b737f681b6..61bd9fc0490 100644 --- a/apps/updatenotification/lib/resettokenbackgroundjob.php +++ b/apps/updatenotification/lib/resettokenbackgroundjob.php @@ -67,7 +67,8 @@ class ResetTokenBackgroundJob extends TimedJob { * @param $argument */ protected function run($argument) { - if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 86400) { + // Delete old tokens after 2 days + if($this->timeFactory->getTime() - $this->config->getAppValue('core', 'updater.secret.created', $this->timeFactory->getTime()) >= 172800) { $this->config->deleteSystemValue('updater.secret'); } } diff --git a/apps/updatenotification/tests/controller/AdminControllerTest.php b/apps/updatenotification/tests/controller/AdminControllerTest.php index 01801626000..5a0f9d21469 100644 --- a/apps/updatenotification/tests/controller/AdminControllerTest.php +++ b/apps/updatenotification/tests/controller/AdminControllerTest.php @@ -77,12 +77,12 @@ class AdminControllerTest extends TestCase { $this->secureRandom ->expects($this->once()) ->method('generate') - ->with(32) + ->with(64) ->willReturn('MyGeneratedToken'); $this->config ->expects($this->once()) ->method('setSystemValue') - ->with('updater.secret', 'MyGeneratedToken'); + ->with('updater.secret'); $this->timeFactory ->expects($this->once()) ->method('getTime') |