author | Morris Jobke <hey@morrisjobke.de> | 2018-07-11 10:02:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-07-11 10:02:30 +0200 |
commit | 4ff6ea9a5542c9669a4cbff14ff261546eb15b6f (patch) | |
tree | 8f10ff8edcf2c69767282f545207e368ec46d1c9 /lib | |
parent | c99529834ce4e840b4905c17e84457d23a0d1413 (diff) | |
parent | f84789f88bee0b5a6f83f9729b99a299cc64665c (diff) | |
Merge pull request #10170 from nextcloud/backport/9823/stable13
[stable13] Allow updating the token on session regeneration
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/Session/CryptoSessionData.php | 5 | ||||
-rw-r--r-- | lib/private/Session/Internal.php | 33 | ||||
-rw-r--r-- | lib/private/Session/Memory.php | 2 | ||||
-rw-r--r-- | lib/private/User/Session.php | 2 | ||||
-rw-r--r-- | lib/public/ISession.php | 5 |
5 files changed, 41 insertions, 6 deletions
diff --git a/lib/private/Session/CryptoSessionData.php b/lib/private/Session/CryptoSessionData.php
index 272e82ef496..24582b35186 100644
--- a/lib/private/Session/CryptoSessionData.php
+++ b/lib/private/Session/CryptoSessionData.php
@@ -149,10 +149,11 @@ class CryptoSessionData implements \ArrayAccess, ISession {
 * Wrapper around session_regenerate_id
 *
 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+ * @param bool $updateToken Wheater to update the associated auth token
 * @return void
 */
- public function regenerateId($deleteOldSession = true) {
- $this->session->regenerateId($deleteOldSession);
+ public function regenerateId($deleteOldSession = true, $updateToken = false) {
+ $this->session->regenerateId($deleteOldSession, $updateToken);
 }

 /**
diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
index d137d72a048..20230acebe8 100644
--- a/lib/private/Session/Internal.php
+++ b/lib/private/Session/Internal.php
@@ -29,6 +29,10 @@

 namespace OC\Session;

+use OC\Authentication\Exceptions\InvalidTokenException;
+use OC\Authentication\Token\IProvider;
+use OC\SystemConfig;
+use OCP\IConfig;
 use OCP\Session\Exceptions\SessionNotAvailableException;

 /**
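Review bot: The added `@param` line in the CryptoSessionData.php docblock misspells "Whether" as "Wheater", and the same line is repeated verbatim in the Internal.php and ISession.php hunks. Suggested wording for all three: `@param bool $updateToken Whether to update the associated auth token`.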
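Review bot: `use OC\SystemConfig;` and `use OCP\IConfig;` are added to Internal.php, but nothing in this commit's Internal.php hunks refers to either name; `regenerateId()` only uses `InvalidTokenException` and `IProvider`. Unless code outside the shown hunks needs them, drop those two lines so the import block lists only real dependencies of the session class.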
@@ -110,14 +114,41 @@ class Internal extends Session {
 * Wrapper around session_regenerate_id
 *
 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+ * @param bool $updateToken Wheater to update the associated auth token
 * @return void
 */
- public function regenerateId($deleteOldSession = true) {
+ public function regenerateId($deleteOldSession = true, $updateToken = false) {
+ $oldId = null;
+
+ if ($updateToken) {
+ // Get the old id to update the token
+ try {
+ $oldId = $this->getId();
+ } catch (SessionNotAvailableException $e) {
+ // We can't update a token if there is no previous id
+ $updateToken = false;
+ }
+ }
+
 try {
 @session_regenerate_id($deleteOldSession);
 } catch (\Error $e) {
 $this->trapError($e->getCode(), $e->getMessage());
 }
+
+ if ($updateToken) {
+ // Get the new id to update the token
+ $newId = $this->getId();
+
+ /** @var IProvider $tokenProvider */
+ $tokenProvider = \OC::$server->query(IProvider::class);
+
+ try {
+ $tokenProvider->renewSessionToken($oldId, $newId);
+ } catch (InvalidTokenException $e) {
+ // Just ignore
+ }
+ }
 }

 /**
diff --git a/lib/private/Session/Memory.php b/lib/private/Session/Memory.php
index 22d6ffa0110..8975d8dfe0b 100644
--- a/lib/private/Session/Memory.php
+++ b/lib/private/Session/Memory.php
@@ -90,7 +90,7 @@ class Memory extends Session {
 *
 * @param bool $deleteOldSession
 */
- public function regenerateId($deleteOldSession = true) {}
+ public function regenerateId($deleteOldSession = true, $updateToken = false) {}

 /**
 * Wrapper around session_id
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 34319760c86..489f3cc0d3d 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
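Review bot: The second `$this->getId()` call in Internal.php, in the block added after `session_regenerate_id()`, is not wrapped the way the first one is, so a `SessionNotAvailableException` raised there would now propagate out of `regenerateId()`. The result of `@session_regenerate_id()` is also discarded, so when regeneration fails `$newId` equals `$oldId` and `renewSessionToken()` is still called with two identical ids; how the provider treats that case is not visible in this diff. I would return early in both cases before touching the token, as sketched below. The empty `// Just ignore` catch would also be better as a log entry, so a session that ends up without a matching token can be traced.

```php
if ($updateToken) {
	// Get the new id to update the token
	try {
		$newId = $this->getId();
	} catch (SessionNotAvailableException $e) {
		// No usable session after regeneration, nothing to renew
		return;
	}

	if ($newId === $oldId) {
		// session_regenerate_id() did not issue a new id, keep the token as is
		return;
	}

	// … unchanged: $tokenProvider lookup and renewSessionToken() call …
}
```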
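Review bot: The docblock above `Memory::regenerateId()` still lists only `@param bool $deleteOldSession`, although the signature now also takes `$updateToken`. Since the body is empty, a line such as `* @param bool $updateToken Ignored by the in-memory session` would document both the parameter and the fact that it has no effect here. The docblock's opening lines are outside the hunk.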
@@ -624,6 +624,8 @@ class Session implements IUserSession, Emitter {
 try {
 $sessionId = $this->session->getId();
 $pwd = $this->getPassword($password);
+ // Make sure the current sessionId has no leftover tokens
+ $this->tokenProvider->invalidateToken($sessionId);
 $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
 return true;
 } catch (SessionNotAvailableException $ex) {
diff --git a/lib/public/ISession.php b/lib/public/ISession.php
index 2d234976862..36d855afbff 100644
--- a/lib/public/ISession.php
+++ b/lib/public/ISession.php
@@ -93,10 +93,11 @@ interface ISession {
 * Wrapper around session_regenerate_id
 *
 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+ * @param bool $updateToken Wheater to update the associated auth token
 * @return void
- * @since 9.0.0
+ * @since 9.0.0, $updateToken added in 14.0.0
 */
- public function regenerateId($deleteOldSession = true);
+ public function regenerateId($deleteOldSession = true, $updateToken = false);

 /**
 * Wrapper around session_id |
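Review bot: The `@since 9.0.0, $updateToken added in 14.0.0` line in ISession.php does not match where this change lands, because the commit is the stable13 backport and the parameter therefore exists on that branch too. The annotation should also name the stable13 release that first carries it; that version is not shown on this page. Separately, widening a method on the public `ISession` interface makes any implementation outside this diff that still declares `regenerateId($deleteOldSession = true)` incompatible, which deserves a changelog entry on a stable branch.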