authorArthur Schiwon <blizzz@arthur-schiwon.de>2021-08-13 15:53:17 +0200
committerArthur Schiwon <blizzz@arthur-schiwon.de>2021-09-10 13:14:02 +0200
commit7c48177830585b150d7044cb87cea8e5fc31d527 (patch)
treea2df0c4a4ff9ec9f22f99daf27f2cb7596491ff7 /lib
parentc7159f932293a674cd4a4a2e2fbf9a7868e808e3 (diff)
move verification token logic out of lost password controller
- to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'lib')
-rw-r--r--lib/composer/composer/autoload_classmap.php3
-rw-r--r--lib/composer/composer/autoload_static.php3
-rw-r--r--lib/private/Security/VerificationToken/VerificationToken.php111
-rw-r--r--lib/public/Security/VerificationToken/IVerificationToken.php55
-rw-r--r--lib/public/Security/VerificationToken/InvalidTokenException.php74
5 files changed, 246 insertions, 0 deletions
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index 55d02c2feeb..b48b67104cf 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -487,6 +487,8 @@ return array(
'OCP\\Security\\ICrypto' => $baseDir . '/lib/public/Security/ICrypto.php',
'OCP\\Security\\IHasher' => $baseDir . '/lib/public/Security/IHasher.php',
'OCP\\Security\\ISecureRandom' => $baseDir . '/lib/public/Security/ISecureRandom.php',
+ 'OCP\\Security\\VerificationToken\\IVerificationToken' => $baseDir . '/lib/public/Security/VerificationToken/IVerificationToken.php',
+ 'OCP\\Security\\VerificationToken\\InvalidTokenException' => $baseDir . '/lib/public/Security/VerificationToken/InvalidTokenException.php',
'OCP\\Session\\Exceptions\\SessionNotAvailableException' => $baseDir . '/lib/public/Session/Exceptions/SessionNotAvailableException.php',
'OCP\\Settings\\IIconSection' => $baseDir . '/lib/public/Settings/IIconSection.php',
'OCP\\Settings\\IManager' => $baseDir . '/lib/public/Settings/IManager.php',
@@ -1371,6 +1373,7 @@ return array(
'OC\\Security\\RateLimiting\\Limiter' => $baseDir . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\SecureRandom' => $baseDir . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => $baseDir . '/lib/private/Security/TrustedDomainHelper.php',
+ 'OC\\Security\\VerificationToken\\VerificationToken' => $baseDir . '/lib/private/Security/VerificationToken/VerificationToken.php',
'OC\\Server' => $baseDir . '/lib/private/Server.php',
'OC\\ServerContainer' => $baseDir . '/lib/private/ServerContainer.php',
'OC\\ServerNotAvailableException' => $baseDir . '/lib/private/ServerNotAvailableException.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index 6f2bb064fc0..e89d03d5e13 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -516,6 +516,8 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OCP\\Security\\ICrypto' => __DIR__ . '/../../..' . '/lib/public/Security/ICrypto.php',
'OCP\\Security\\IHasher' => __DIR__ . '/../../..' . '/lib/public/Security/IHasher.php',
'OCP\\Security\\ISecureRandom' => __DIR__ . '/../../..' . '/lib/public/Security/ISecureRandom.php',
+ 'OCP\\Security\\VerificationToken\\IVerificationToken' => __DIR__ . '/../../..' . '/lib/public/Security/VerificationToken/IVerificationToken.php',
+ 'OCP\\Security\\VerificationToken\\InvalidTokenException' => __DIR__ . '/../../..' . '/lib/public/Security/VerificationToken/InvalidTokenException.php',
'OCP\\Session\\Exceptions\\SessionNotAvailableException' => __DIR__ . '/../../..' . '/lib/public/Session/Exceptions/SessionNotAvailableException.php',
'OCP\\Settings\\IIconSection' => __DIR__ . '/../../..' . '/lib/public/Settings/IIconSection.php',
'OCP\\Settings\\IManager' => __DIR__ . '/../../..' . '/lib/public/Settings/IManager.php',
@@ -1400,6 +1402,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Security\\RateLimiting\\Limiter' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\SecureRandom' => __DIR__ . '/../../..' . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => __DIR__ . '/../../..' . '/lib/private/Security/TrustedDomainHelper.php',
+ 'OC\\Security\\VerificationToken\\VerificationToken' => __DIR__ . '/../../..' . '/lib/private/Security/VerificationToken/VerificationToken.php',
'OC\\Server' => __DIR__ . '/../../..' . '/lib/private/Server.php',
'OC\\ServerContainer' => __DIR__ . '/../../..' . '/lib/private/ServerContainer.php',
'OC\\ServerNotAvailableException' => __DIR__ . '/../../..' . '/lib/private/ServerNotAvailableException.php',
diff --git a/lib/private/Security/VerificationToken/VerificationToken.php b/lib/private/Security/VerificationToken/VerificationToken.php
new file mode 100644
index 00000000000..4ac5605eecf
--- /dev/null
+++ b/lib/private/Security/VerificationToken/VerificationToken.php
@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Security\VerificationToken;
+
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\IConfig;
+use OCP\IUser;
+use OCP\Security\ICrypto;
+use OCP\Security\ISecureRandom;
+use OCP\Security\VerificationToken\InvalidTokenException;
+use OCP\Security\VerificationToken\IVerificationToken;
+
+class VerificationToken implements IVerificationToken {
+
+ /** @var IConfig */
+ private $config;
+ /** @var ICrypto */
+ private $crypto;
+ /** @var ITimeFactory */
+ private $timeFactory;
+ /** @var ISecureRandom */
+ private $secureRandom;
+
+ public function __construct(
+ IConfig $config,
+ ICrypto $crypto,
+ ITimeFactory $timeFactory,
+ ISecureRandom $secureRandom
+ ) {
+ $this->config = $config;
+ $this->crypto = $crypto;
+ $this->timeFactory = $timeFactory;
+ $this->secureRandom = $secureRandom;
+ }
+
+ /**
+ * @throws InvalidTokenException
+ */
+ protected function throwInvalidTokenException(int $code): void {
+ throw new InvalidTokenException($code);
+ }
+
+ public function check(string $token, ?IUser $user, string $subject, string $passwordPrefix = ''): void {
+ if ($user === null || !$user->isEnabled()) {
+ $this->throwInvalidTokenException(InvalidTokenException::USER_UNKNOWN);
+ }
+
+ $encryptedToken = $this->config->getUserValue($user->getUID(), 'core', $subject, null);
+ if ($encryptedToken === null) {
+ $this->throwInvalidTokenException(InvalidTokenException::TOKEN_NOT_FOUND);
+ }
+
+ try {
+ $decryptedToken = $this->crypto->decrypt($encryptedToken, $passwordPrefix.$this->config->getSystemValue('secret'));
+ } catch (\Exception $e) {
+ $this->throwInvalidTokenException(InvalidTokenException::TOKEN_DECRYPTION_ERROR);
+ }
+
+ $splitToken = explode(':', $decryptedToken ?? '');
+ if (count($splitToken) !== 2) {
+ $this->throwInvalidTokenException(InvalidTokenException::TOKEN_INVALID_FORMAT);
+ }
+
+ if ($splitToken[0] < ($this->timeFactory->getTime() - 60 * 60 * 24 * 7) ||
+ $user->getLastLogin() > $splitToken[0]) {
+ $this->throwInvalidTokenException(InvalidTokenException::TOKEN_EXPIRED);
+ }
+
+ if (!hash_equals($splitToken[1], $token)) {
+ $this->throwInvalidTokenException(InvalidTokenException::TOKEN_MISMATCH);
+ }
+ }
+
+ public function create(IUser $user, string $subject, string $passwordPrefix = ''): string {
+ $token = $this->secureRandom->generate(
+ 21,
+ ISecureRandom::CHAR_DIGITS.
+ ISecureRandom::CHAR_LOWER.
+ ISecureRandom::CHAR_UPPER
+ );
+ $tokenValue = $this->timeFactory->getTime() .':'. $token;
+ $encryptedValue = $this->crypto->encrypt($tokenValue, $passwordPrefix . $this->config->getSystemValue('secret'));
+ $this->config->setUserValue($user->getUID(), 'core', $subject, $encryptedValue);
+
+ return $token;
+ }
+}
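Review bot: A successful `check()` leaves the stored token in place: nothing in the method removes the `'core'`/`$subject` user value, so the same token keeps verifying until the 7-day window ends or the user logs in again. The interface added in this commit has no removal method, so every caller has to know the storage key and clear it itself after acting on the token, e.g. `$this->config->deleteUserValue($user->getUID(), 'core', $subject);`. Consider adding a `delete(IUser $user, string $subject): void` to the service so that single use does not depend on each caller remembering this. Separately, the expiry test compares the string `$splitToken[0]` against integers; casting it once with `(int)` would keep both comparisons numeric whatever the decrypted content is.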
diff --git a/lib/public/Security/VerificationToken/IVerificationToken.php b/lib/public/Security/VerificationToken/IVerificationToken.php
new file mode 100644
index 00000000000..0cd10377a97
--- /dev/null
+++ b/lib/public/Security/VerificationToken/IVerificationToken.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCP\Security\VerificationToken;
+
+use OCP\IUser;
+
+/**
+ * @since 22.2.0
+ */
+interface IVerificationToken {
+
+ /**
+ * Checks whether the a provided tokent matches a stored token and its
+ * constraints. An InvalidTokenException is thrown on issues, otherwise
+ * the check is successful.
+ *
+ * null can be passed as $user, but mind that this is for conveniently
+ * passing the return of IUserManager::getUser() to this method. When
+ * $user is null, InvalidTokenException is thrown for all the issued
+ * tokens are user related.
+ *
+ * @throws InvalidTokenException
+ * @since 22.2.0
+ */
+ public function check(string $token, ?IUser $user, string $subject, string $passwordPrefix = ''): void;
+
+ /**
+ * @since 22.2.0
+ */
+ public function create(IUser $user, string $subject, string $passwordPrefix = ''): string;
+}
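Review bot: `create()` carries only `@since`, so the public contract of the token is undocumented. Its docblock should say that the return value is the plaintext token to hand to the user, that an encrypted copy is stored per user under `$subject` and replaces any earlier token for that subject, and that the same `$passwordPrefix` must be passed to `check()`. It should also state that `$subject` is used directly as a key in the user's `core` config (visible in the implementation), so it must be a fixed, caller-owned string and never a value taken from request input. The 7-day lifetime and the invalidation on a later login belong in the `check()` docblock, whose first sentence also has typos ("the a provided tokent").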
diff --git a/lib/public/Security/VerificationToken/InvalidTokenException.php b/lib/public/Security/VerificationToken/InvalidTokenException.php
new file mode 100644
index 00000000000..cd0520c1e07
--- /dev/null
+++ b/lib/public/Security/VerificationToken/InvalidTokenException.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCP\Security\VerificationToken;
+
+/** @since 22.2.0 */
+class InvalidTokenException extends \Exception {
+
+ /**
+ * @since 22.2.0
+ */
+ public function __construct(int $code) {
+ parent::__construct('', $code);
+ }
+
+ /**
+ * @var int
+ * @since 22.2.0
+ */
+ public const USER_UNKNOWN = 1;
+
+ /**
+ * @var int
+ * @since 22.2.0
+ */
+ public const TOKEN_NOT_FOUND = 2;
+
+ /**
+ * @var int
+ * @since 22.2.0
+ */
+ public const TOKEN_DECRYPTION_ERROR = 3;
+
+ /**
+ * @var int
+ * @since 22.2.0
+ */
+ public const TOKEN_INVALID_FORMAT = 4;
+
+ /**
+ * @var int
+ * @since 22.2.0
+ */
+ public const TOKEN_EXPIRED = 5;
+
+ /**
+ * @var int
+ * @since 22.2.0
+ */
+ public const TOKEN_MISMATCH = 6;
+}
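Review bot: The six code constants have `@var`/`@since` tags but no description, and nothing tells callers how the codes may be used. Because they separate `USER_UNKNOWN` from `TOKEN_NOT_FOUND` and `TOKEN_MISMATCH`, a controller that returns the code or a per-code message to the client would reveal whether an account exists or has a pending token. I would add a class docblock such as `Codes are for logging and internal branching; respond to the client with one generic failure.` and a one-line description per constant. The constructor also passes an empty message, so a short per-code message would make log entries readable without a lookup.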