author | Carl Schwan <carl@carlschwan.eu> | 2022-10-17 16:02:58 +0200 |
committer | GitHub <noreply@github.com> | 2022-10-17 16:02:58 +0200 |
commit | 99191167167dd6c98dc3ae9b0eca947526e7939f (patch) | |
tree | f4f9f54791d136d861738f93749238fd0708a705 /lib/private/Authentication | |
parent | 44d2eb8b4ec838652089be6018ae7240663781df (diff) | |
parent | ef31396727771eb771b450e91e7b097b2ca151b9 (diff) | |
Merge pull request #31499 from nextcloud/bugfix/empty-secret
Add fallback routines for empty secret cases
Diffstat (limited to 'lib/private/Authentication')
-rw-r--r-- | lib/private/Authentication/Token/PublicKeyTokenProvider.php | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 0f1767e845b..511aad76211 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -111,8 +111,14 @@ class PublicKeyTokenProvider implements IProvider {
 $token = $this->mapper->getToken($this->hashToken($tokenId));
 $this->cache[$token->getToken()] = $token;
 } catch (DoesNotExistException $ex) {
- $this->cache[$tokenHash] = $ex;
- throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
+ try {
+ $token = $this->mapper->getToken($this->hashTokenWithEmptySecret($tokenId));
+ $this->cache[$token->getToken()] = $token;
+ $this->rotate($token, $tokenId, $tokenId);
+ } catch (DoesNotExistException $ex2) {
+ $this->cache[$tokenHash] = $ex2;
+ throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
+ }
 }
 }
@@ -189,6 +195,7 @@ class PublicKeyTokenProvider implements IProvider {
 $this->cache->clear();
 $this->mapper->invalidate($this->hashToken($token));
+ $this->mapper->invalidate($this->hashTokenWithEmptySecret($token));
 }
 public function invalidateTokenById(string $uid, int $id) {
@@ -305,9 +312,14 @@ class PublicKeyTokenProvider implements IProvider {
 try {
 return $this->crypto->decrypt($cipherText, $token . $secret);
 } catch (\Exception $ex) {
- // Delete the invalid token
- $this->invalidateToken($token);
- throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
+ // Retry with empty secret as a fallback for instances where the secret might not have been set by accident
+ try {
+ return $this->crypto->decrypt($cipherText, $token);
+ } catch (\Exception $ex2) {
+ // Delete the invalid token
+ $this->invalidateToken($token);
+ throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex2);
+ }
 }
 }
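Review bot: The empty-secret fallback in the inner try of the `catch (DoesNotExistException $ex)` block succeeds silently, so an operator cannot see that tokens hashed without the instance secret are still being accepted and re-hashed through `rotate`, nor judge when this `@deprecated` path can be retired; the same applies to the decrypt retry in the `@@ -305` hunk. A warning-level log entry at the point where the inner `getToken` succeeds, before the `rotate` call, would make the fallback observable — the class's logging facility is not visible in this hunk, so use whatever it already injects. A comment such as `// Fallback: token row was hashed while the instance secret was empty; rotate it (presumably re-hashing with the current secret) so this lookup is not needed again` would also record why `rotate` is called with the same token as old and new. The enclosing getToken method starts before this hunk.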
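Review bot: In the rethrow at the end of the `@@ -305` hunk the message comes from the first failure (`$ex->getMessage()`) while the `previous` exception is the second (`$ex2`), so the chained cause no longer matches the text and the primary attempt's exception is dropped from the chain; the inner catch in the `@@ -111` hunk has the mirror inconsistency, caching `$ex2` under `$tokenHash` but throwing with `$ex`. Using one failure per throw keeps them coherent, e.g. `throw new InvalidTokenException("Could not decrypt token password: " . $ex2->getMessage(), 0, $ex2);` here and `$this->cache[$tokenHash] = $ex;` in getToken. The retry also doubles the decrypt work for every genuinely undecryptable ciphertext before the token is invalidated, which is acceptable for a temporary fallback but deserves a word in the existing comment. The enclosing method starts before this hunk.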
@@ -331,6 +343,13 @@ class PublicKeyTokenProvider implements IProvider {
 }
 /**
+ * @deprecated Fallback for instances where the secret might not have been set by accident
+ */
+ private function hashTokenWithEmptySecret(string $token): string {
+ return hash('sha512', $token);
+ }
+
+ /**
 * @throws \RuntimeException when OpenSSL reports a problem
 */
 private function newToken(string $token, |
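Review bot: The docblock on `hashTokenWithEmptySecret` carries only a `@deprecated` tag and does not say what the method computes or that it must stay in step with `hashToken`; `@deprecated` on a method that this same commit adds two call sites for will also be flagged by static analysers. A description along the lines of `Hash of a token row created while the instance secret was empty — presumably hashToken() without the secret suffix (hashToken's body is not in this diff); used only to locate and rotate such legacy rows, never for new tokens` would record why the unsalted SHA-512 is tolerated here and when the method can be removed. The hunk cuts through the signature of newToken, which continues outside it.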