invalidate (delete) session token on logout

add 'last_activity' column to session tokens and delete old ones via a background job

4 files changed, 109 insertions, 3 deletions

diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php
index 28aee555601..9bdae789afd 100644
--- a/lib/private/Authentication/Token/DefaultToken.php
+++ b/lib/private/Authentication/Token/DefaultToken.php
@@ -47,12 +47,17 @@ class DefaultToken extends Entity implements IToken {
 	protected $token;
 
 	/**
+	 * @var int
+	 */
+	protected $lastActivity;
+
+	/**
 	 * Get the token ID
 	 *
 	 * @return string
 	 */
 	public function getId() {
-		return $token;
+		return $this->token;
 	}
 
 }
diff --git a/lib/private/Authentication/Token/DefaultTokenCleanupJob.php b/lib/private/Authentication/Token/DefaultTokenCleanupJob.php
new file mode 100644
index 00000000000..4d1290eb623
--- /dev/null
+++ b/lib/private/Authentication/Token/DefaultTokenCleanupJob.php
@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * @author Christoph Wurst <christoph@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Authentication\Token;
+
+use OC;
+use OC\BackgroundJob\Job;
+
+class DefaultTokenCleanupJob extends Job {
+
+	protected function run($argument) {
+		/* @var $provider DefaultTokenProvider */
+		$provider = OC::$server->query('OC\Authentication\Token\DefaultTokenProvider');
+		$provider->invalidateOldTokens();
+	}
+
+}
diff --git a/lib/private/Authentication/Token/DefaultTokenMapper.php b/lib/private/Authentication/Token/DefaultTokenMapper.php
index 35989d0d350..9a73192c0d8 100644
--- a/lib/private/Authentication/Token/DefaultTokenMapper.php
+++ b/lib/private/Authentication/Token/DefaultTokenMapper.php
@@ -22,6 +22,7 @@
 
 namespace OC\Authentication\Token;
 
+use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\Mapper;
 use OCP\IDBConnection;
 
@@ -31,6 +32,37 @@ class DefaultTokenMapper extends Mapper {
 		parent::__construct($db, 'authtoken');
 	}
 
+	/**
+	 * Invalidate (delete) a given token
+	 *
+	 * @param string $token
+	 */
+	public function invalidate($token) {
+		$sql = 'DELETE FROM `' . $this->getTableName() . '` '
+			. 'WHERE `token` = ?';
+		return $this->execute($sql, [
+				$token
+		]);
+	}
+
+	/**
+	 * @param int $olderThan
+	 */
+	public function invalidateOld($olderThan) {
+		$sql = 'DELETE FROM `' . $this->getTableName() . '` '
+			. 'WHERE `last_activity` < ?';
+		$this->execute($sql, [
+			$olderThan
+		]);
+	}
+
+	/**
+	 * Get the user UID for the given token
+	 *
+	 * @param string $token
+	 * @throws DoesNotExistException
+	 * @return string
+	 */
 	public function getTokenUser($token) {
 		$sql = 'SELECT `uid` '
 			. 'FROM `' . $this->getTableName() . '` '
diff --git a/lib/private/Authentication/Token/DefaultTokenProvider.php b/lib/private/Authentication/Token/DefaultTokenProvider.php
index c8aa396526b..71f798da370 100644
--- a/lib/private/Authentication/Token/DefaultTokenProvider.php
+++ b/lib/private/Authentication/Token/DefaultTokenProvider.php
@@ -42,6 +42,12 @@ class DefaultTokenProvider implements IProvider {
 	/** @var ILogger $logger */
 	private $logger;
 
+	/**
+	 * @param DefaultTokenMapper $mapper
+	 * @param ICrypto $crypto
+	 * @param IConfig $config
+	 * @param ILogger $logger
+	 */
 	public function __construct(DefaultTokenMapper $mapper, ICrypto $crypto,
 		IConfig $config, ILogger $logger) {
 		$this->mapper = $mapper;
@@ -64,7 +70,8 @@ class DefaultTokenProvider implements IProvider {
 		$secret = $this->config->getSystemValue('secret');
 		$dbToken->setPassword($this->crypto->encrypt($password . $secret));
 		$dbToken->setName($name);
-		$dbToken->setToken(hash('sha512', $token));
+		$dbToken->setToken($this->hashToken($token));
+		$dbToken->setLastActivity(time());
 
 		$this->mapper->insert($dbToken);
 
@@ -72,6 +79,24 @@ class DefaultTokenProvider implements IProvider {
 	}
 
 	/**
+	 * Invalidate (delete) the given session token
+	 *
+	 * @param string $token
+	 */
+	public function invalidateToken($token) {
+		$this->mapper->invalidate($this->hashToken($token));
+	}
+
+	/**
+	 * Invalidate (delete) old session tokens
+	 */
+	public function invalidateOldTokens() {
+		$olderThan = time() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+		$this->logger->info('Invalidating tokens older than ' . date('c', $olderThan));
+		$this->mapper->invalidateOld($olderThan);
+	}
+
+	/**
 	 * @param string $token
 	 * @throws InvalidTokenException
 	 * @return string user UID
@@ -79,7 +104,7 @@ class DefaultTokenProvider implements IProvider {
 	public function validateToken($token) {
 		$this->logger->debug('validating default token <' . $token . '>');
 		try {
-			$dbToken = $this->mapper->getTokenUser(hash('sha512', $token));
+			$dbToken = $this->mapper->getTokenUser($this->hashToken($token));
 			$this->logger->debug('valid token for ' . $dbToken->getUid());
 			return $dbToken->getUid();
 		} catch (DoesNotExistException $ex) {
@@ -88,4 +113,12 @@ class DefaultTokenProvider implements IProvider {
 		}
 	}
 
+	/**
+	 * @param string $token
+	 * @return string
+	 */
+	private function hashToken($token) {
+		return hash('sha512', $token);
+	}
+
 }