summaryrefslogtreecommitdiffstats
path: root/core
diff options
context:
space:
mode:
authorChristoph Wurst <christoph@winzerhof-wurst.at>2018-02-26 17:13:23 +0100
committerChristoph Wurst <christoph@winzerhof-wurst.at>2018-03-08 16:48:50 +0100
commitb9720703e8afa26fd42d1bb7cc8fbf54ba2eeeae (patch)
treec5165cb03841c8d814a361d0fd41170474490711 /core
parentcccf6f4d5f18ad01ff5fcd296d7b8411c1e11139 (diff)
downloadnextcloud-server-b9720703e8afa26fd42d1bb7cc8fbf54ba2eeeae.tar.gz
nextcloud-server-b9720703e8afa26fd42d1bb7cc8fbf54ba2eeeae.zip
Add CSRF token controller to retrieve the current CSRF token
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Diffstat (limited to 'core')
-rw-r--r--core/Controller/CSRFTokenController.php63
-rw-r--r--core/js/js.js37
-rw-r--r--core/js/tests/specs/coreSpec.js12
-rw-r--r--core/routes.php6
4 files changed, 86 insertions, 32 deletions
diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php
new file mode 100644
index 00000000000..24888e2179f
--- /dev/null
+++ b/core/Controller/CSRFTokenController.php
@@ -0,0 +1,63 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * @copyright 2017 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2017 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Core\Controller;
+
+use OC\Security\CSRF\CsrfTokenManager;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\IRequest;
+
+class CSRFTokenController extends Controller {
+
+ /** @var CsrfTokenManager */
+ private $tokenManager;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param CsrfTokenManager $tokenManager
+ */
+ public function __construct(string $appName, IRequest $request,
+ CsrfTokenManager $tokenManager) {
+ parent::__construct($appName, $request);
+ $this->tokenManager = $tokenManager;
+ }
+
+ /**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ * @PublicPage
+ * @return JSONResponse
+ */
+ public function index(): JSONResponse {
+ $requestToken = $this->tokenManager->getToken();
+
+ return new JSONResponse([
+ 'token' => $requestToken->getEncryptedValue(),
+ ]);
+ }
+
+}
diff --git a/core/js/js.js b/core/js/js.js
index 3c6ababf764..26dbbdb6e63 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1366,34 +1366,29 @@ function initCore() {
});
/**
- * Calls the server periodically to ensure that session doesn't
- * time out
+ * Calls the server periodically to ensure that session and CSRF
+ * token doesn't expire
*/
- function initSessionHeartBeat(){
- // max interval in seconds set to 24 hours
- var maxInterval = 24 * 3600;
+ function initSessionHeartBeat() {
// interval in seconds
var interval = 900;
if (oc_config.session_lifetime) {
interval = Math.floor(oc_config.session_lifetime / 2);
}
// minimum one minute
- if (interval < 60) {
- interval = 60;
- }
- if (interval > maxInterval) {
- interval = maxInterval;
- }
- var url = OC.generateUrl('/heartbeat');
- var heartBeatTimeout = null;
- var heartBeat = function() {
- clearInterval(heartBeatTimeout);
- heartBeatTimeout = setInterval(function() {
- $.post(url);
- }, interval * 1000);
- };
- $(document).ajaxComplete(heartBeat);
- heartBeat();
+ interval = Math.max(60, interval);
+ // max interval in seconds set to 24 hours
+ interval = Math.min(24 * 3600, interval);
+
+ var url = OC.generateUrl('/csrftoken');
+ setInterval(function() {
+ $.ajax(url).then(function(resp) {
+ oc_requesttoken = resp.token;
+ OC.requestToken = resp.token;
+ }).fail(function(e) {
+ console.error('session heartbeat failed', e);
+ });
+ }, interval * 1000);
}
// session heartbeat (defaults to enabled)
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index 616e7509f7c..6766fc2789c 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -351,14 +351,14 @@ describe('Core base tests', function() {
beforeEach(function() {
clock = sinon.useFakeTimers();
oldConfig = window.oc_config;
- routeStub = sinon.stub(OC, 'generateUrl').returns('/heartbeat');
+ routeStub = sinon.stub(OC, 'generateUrl').returns('/csrftoken');
counter = 0;
fakeServer.autoRespond = true;
fakeServer.autoRespondAfter = 0;
- fakeServer.respondWith(/\/heartbeat/, function(xhr) {
+ fakeServer.respondWith(/\/csrftoken/, function(xhr) {
counter++;
- xhr.respond(200, {'Content-Type': 'application/json'}, '{}');
+ xhr.respond(200, {'Content-Type': 'application/json'}, '{"token": "pgBEsb3MzTb1ZPd2mfDZbQ6/0j3OrXHMEZrghHcOkg8=:3khw5PSa+wKQVo4f26exFD3nplud9ECjJ8/Y5zk5/k4="}');
});
$(document).off('ajaxComplete'); // ignore previously registered heartbeats
});
@@ -377,7 +377,7 @@ describe('Core base tests', function() {
session_lifetime: 300
};
window.initCore();
- expect(routeStub.calledWith('/heartbeat')).toEqual(true);
+ expect(routeStub.calledWith('/csrftoken')).toEqual(true);
expect(counter).toEqual(0);
@@ -502,8 +502,8 @@ describe('Core base tests', function() {
});
describe('Generate Url', function() {
it('returns absolute urls', function() {
- expect(OC.generateUrl('heartbeat')).toEqual(OC.webroot + '/index.php/heartbeat');
- expect(OC.generateUrl('/heartbeat')).toEqual(OC.webroot + '/index.php/heartbeat');
+ expect(OC.generateUrl('csrftoken')).toEqual(OC.webroot + '/index.php/csrftoken');
+ expect(OC.generateUrl('/csrftoken')).toEqual(OC.webroot + '/index.php/csrftoken');
});
it('substitutes parameters which are escaped by default', function() {
expect(OC.generateUrl('apps/files/download/{file}', {file: '<">ImAnUnescapedString/!'})).toEqual(OC.webroot + '/index.php/apps/files/download/%3C%22%3EImAnUnescapedString%2F!');
diff --git a/core/routes.php b/core/routes.php
index d357fd45f96..eb6db1046fb 100644
--- a/core/routes.php
+++ b/core/routes.php
@@ -46,6 +46,7 @@ $application->registerRoutes($this, [
['name' => 'avatar#postCroppedAvatar', 'url' => '/avatar/cropped', 'verb' => 'POST'],
['name' => 'avatar#getTmpAvatar', 'url' => '/avatar/tmp', 'verb' => 'GET'],
['name' => 'avatar#postAvatar', 'url' => '/avatar/', 'verb' => 'POST'],
+ ['name' => 'CSRFToken#index', 'url' => '/csrftoken', 'verb' => 'GET'],
['name' => 'login#tryLogin', 'url' => '/login', 'verb' => 'POST'],
['name' => 'login#confirmPassword', 'url' => '/login/confirm', 'verb' => 'POST'],
['name' => 'login#showLoginForm', 'url' => '/login', 'verb' => 'GET'],
@@ -148,8 +149,3 @@ $this->create('files_sharing.publicpreview.directLink', '/s/{token}/preview')->g
throw new \OC\HintException('App file sharing is not enabled');
}
});
-
-// used for heartbeat
-$this->create('heartbeat', '/heartbeat')->action(function(){
- // do nothing
-});