diff options
author | Christoph Wurst <christoph@owncloud.com> | 2016-04-25 16:40:41 +0200 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-05-11 13:36:46 +0200 |
commit | 2fa5e0a24e34b109fcd4adb98932e9537884bc9a (patch) | |
tree | ac0822860e46ffeb0fee03c5f593dfd49bbc62c5 /lib/private/Authentication | |
parent | d8cde414bd13c327ec2edaf1ae38380073c93e3e (diff) | |
download | nextcloud-server-2fa5e0a24e34b109fcd4adb98932e9537884bc9a.tar.gz nextcloud-server-2fa5e0a24e34b109fcd4adb98932e9537884bc9a.zip |
invalidate (delete) session token on logout
add 'last_activity' column to session tokens and delete old ones via a background job
Diffstat (limited to 'lib/private/Authentication')
4 files changed, 109 insertions, 3 deletions
diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php index 28aee555601..9bdae789afd 100644 --- a/lib/private/Authentication/Token/DefaultToken.php +++ b/lib/private/Authentication/Token/DefaultToken.php @@ -47,12 +47,17 @@ class DefaultToken extends Entity implements IToken { protected $token; /** + * @var int + */ + protected $lastActivity; + + /** * Get the token ID * * @return string */ public function getId() { - return $token; + return $this->token; } } diff --git a/lib/private/Authentication/Token/DefaultTokenCleanupJob.php b/lib/private/Authentication/Token/DefaultTokenCleanupJob.php new file mode 100644 index 00000000000..4d1290eb623 --- /dev/null +++ b/lib/private/Authentication/Token/DefaultTokenCleanupJob.php @@ -0,0 +1,36 @@ +<?php + +/** + * @author Christoph Wurst <christoph@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Authentication\Token; + +use OC; +use OC\BackgroundJob\Job; + +class DefaultTokenCleanupJob extends Job { + + protected function run($argument) { + /* @var $provider DefaultTokenProvider */ + $provider = OC::$server->query('OC\Authentication\Token\DefaultTokenProvider'); + $provider->invalidateOldTokens(); + } + +} diff --git a/lib/private/Authentication/Token/DefaultTokenMapper.php b/lib/private/Authentication/Token/DefaultTokenMapper.php index 35989d0d350..9a73192c0d8 100644 --- a/lib/private/Authentication/Token/DefaultTokenMapper.php +++ b/lib/private/Authentication/Token/DefaultTokenMapper.php @@ -22,6 +22,7 @@ namespace OC\Authentication\Token; +use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Db\Mapper; use OCP\IDBConnection; @@ -31,6 +32,37 @@ class DefaultTokenMapper extends Mapper { parent::__construct($db, 'authtoken'); } + /** + * Invalidate (delete) a given token + * + * @param string $token + */ + public function invalidate($token) { + $sql = 'DELETE FROM `' . $this->getTableName() . '` ' + . 'WHERE `token` = ?'; + return $this->execute($sql, [ + $token + ]); + } + + /** + * @param int $olderThan + */ + public function invalidateOld($olderThan) { + $sql = 'DELETE FROM `' . $this->getTableName() . '` ' + . 'WHERE `last_activity` < ?'; + $this->execute($sql, [ + $olderThan + ]); + } + + /** + * Get the user UID for the given token + * + * @param string $token + * @throws DoesNotExistException + * @return string + */ public function getTokenUser($token) { $sql = 'SELECT `uid` ' . 'FROM `' . $this->getTableName() . '` ' diff --git a/lib/private/Authentication/Token/DefaultTokenProvider.php b/lib/private/Authentication/Token/DefaultTokenProvider.php index c8aa396526b..71f798da370 100644 --- a/lib/private/Authentication/Token/DefaultTokenProvider.php +++ b/lib/private/Authentication/Token/DefaultTokenProvider.php @@ -42,6 +42,12 @@ class DefaultTokenProvider implements IProvider { /** @var ILogger $logger */ private $logger; + /** + * @param DefaultTokenMapper $mapper + * @param ICrypto $crypto + * @param IConfig $config + * @param ILogger $logger + */ public function __construct(DefaultTokenMapper $mapper, ICrypto $crypto, IConfig $config, ILogger $logger) { $this->mapper = $mapper; @@ -64,7 +70,8 @@ class DefaultTokenProvider implements IProvider { $secret = $this->config->getSystemValue('secret'); $dbToken->setPassword($this->crypto->encrypt($password . $secret)); $dbToken->setName($name); - $dbToken->setToken(hash('sha512', $token)); + $dbToken->setToken($this->hashToken($token)); + $dbToken->setLastActivity(time()); $this->mapper->insert($dbToken); @@ -72,6 +79,24 @@ class DefaultTokenProvider implements IProvider { } /** + * Invalidate (delete) the given session token + * + * @param string $token + */ + public function invalidateToken($token) { + $this->mapper->invalidate($this->hashToken($token)); + } + + /** + * Invalidate (delete) old session tokens + */ + public function invalidateOldTokens() { + $olderThan = time() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24); + $this->logger->info('Invalidating tokens older than ' . date('c', $olderThan)); + $this->mapper->invalidateOld($olderThan); + } + + /** * @param string $token * @throws InvalidTokenException * @return string user UID @@ -79,7 +104,7 @@ class DefaultTokenProvider implements IProvider { public function validateToken($token) { $this->logger->debug('validating default token <' . $token . '>'); try { - $dbToken = $this->mapper->getTokenUser(hash('sha512', $token)); + $dbToken = $this->mapper->getTokenUser($this->hashToken($token)); $this->logger->debug('valid token for ' . $dbToken->getUid()); return $dbToken->getUid(); } catch (DoesNotExistException $ex) { @@ -88,4 +113,12 @@ class DefaultTokenProvider implements IProvider { } } + /** + * @param string $token + * @return string + */ + private function hashToken($token) { + return hash('sha512', $token); + } + } |