Merge pull request #36033 from nextcloud/invalidateTokensWhenDeletingOAuthClientMaster

[master] invalidate existing tokens when deleting an oauth client
author: Côme Chilliet <91878298+come-nc@users.noreply.github.com> 2023-03-15 11:09:51 +0100
committer: GitHub <noreply@github.com> 2023-03-15 11:09:51 +0100
commit: 8568c11d24736d4df1b9781c4121cf7165f40f65 (patch)
tree: aed92ac29df87aa6f5232cb71b9ae1d3be94ab40 /lib
parent: 325c3100c7b1b6a5cbde4e0b2675f237735a7599 (diff)
parent: e97540b9c61e736e9d541dffedd6064680418bc3 (diff)
download: nextcloud-server-8568c11d24736d4df1b9781c4121cf7165f40f65.tar.gz
nextcloud-server-8568c11d24736d4df1b9781c4121cf7165f40f65.zip
5 files changed, 56 insertions, 1 deletions
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index 1ecd8152c0f..d21eb18cc5a 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -96,6 +96,7 @@ return array(
     'OCP\\Authentication\\IProvideUserSecretBackend' => $baseDir . '/lib/public/Authentication/IProvideUserSecretBackend.php',
     'OCP\\Authentication\\LoginCredentials\\ICredentials' => $baseDir . '/lib/public/Authentication/LoginCredentials/ICredentials.php',
     'OCP\\Authentication\\LoginCredentials\\IStore' => $baseDir . '/lib/public/Authentication/LoginCredentials/IStore.php',
+    'OCP\\Authentication\\Token\\IProvider' => $baseDir . '/lib/public/Authentication/Token/IProvider.php',
     'OCP\\Authentication\\TwoFactorAuth\\ALoginSetupController' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/ALoginSetupController.php',
     'OCP\\Authentication\\TwoFactorAuth\\IActivatableAtLogin' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IActivatableAtLogin.php',
     'OCP\\Authentication\\TwoFactorAuth\\IActivatableByAdmin' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IActivatableByAdmin.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index 2127835e514..b4f25f90d7c 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -129,6 +129,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OCP\\Authentication\\IProvideUserSecretBackend' => __DIR__ . '/../../..' . '/lib/public/Authentication/IProvideUserSecretBackend.php',
         'OCP\\Authentication\\LoginCredentials\\ICredentials' => __DIR__ . '/../../..' . '/lib/public/Authentication/LoginCredentials/ICredentials.php',
         'OCP\\Authentication\\LoginCredentials\\IStore' => __DIR__ . '/../../..' . '/lib/public/Authentication/LoginCredentials/IStore.php',
+        'OCP\\Authentication\\Token\\IProvider' => __DIR__ . '/../../..' . '/lib/public/Authentication/Token/IProvider.php',
         'OCP\\Authentication\\TwoFactorAuth\\ALoginSetupController' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/ALoginSetupController.php',
         'OCP\\Authentication\\TwoFactorAuth\\IActivatableAtLogin' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IActivatableAtLogin.php',
         'OCP\\Authentication\\TwoFactorAuth\\IActivatableByAdmin' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IActivatableByAdmin.php',
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
index 59c7ca714c6..761e799d298 100644
--- a/lib/private/Authentication/Token/Manager.php
+++ b/lib/private/Authentication/Token/Manager.php
@@ -32,8 +32,9 @@ use OC\Authentication\Exceptions\ExpiredTokenException;
 use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Token\IProvider as OCPIProvider;
 
-class Manager implements IProvider {
+class Manager implements IProvider, OCPIProvider {
 	/** @var PublicKeyTokenProvider */
 	private $publicKeyTokenProvider;
 
@@ -239,4 +240,13 @@ class Manager implements IProvider {
 	public function updatePasswords(string $uid, string $password) {
 		$this->publicKeyTokenProvider->updatePasswords($uid, $password);
 	}
+
+	public function invalidateTokensOfUser(string $uid, ?string $clientName) {
+		$tokens = $this->getTokenByUser($uid);
+		foreach ($tokens as $token) {
+			if ($clientName === null || ($token->getName() === $clientName)) {
+				$this->invalidateTokenById($uid, $token->getId());
+			}
+		}
+	}
 }
diff --git a/lib/private/Server.php b/lib/private/Server.php
index 9a4ee0da198..f1e96170886 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -163,6 +163,7 @@ use OCA\Theming\Util;
 use OCP\Accounts\IAccountManager;
 use OCP\App\IAppManager;
 use OCP\Authentication\LoginCredentials\IStore;
+use OCP\Authentication\Token\IProvider as OCPIProvider;
 use OCP\BackgroundJob\IJobList;
 use OCP\Collaboration\AutoComplete\IManager;
 use OCP\Collaboration\Reference\IReferenceManager;
@@ -550,6 +551,7 @@ class Server extends ServerContainer implements IServerContainer {
 		});
 		$this->registerAlias(IStore::class, Store::class);
 		$this->registerAlias(IProvider::class, Authentication\Token\Manager::class);
+		$this->registerAlias(OCPIProvider::class, Authentication\Token\Manager::class);
 
 		$this->registerService(\OC\User\Session::class, function (Server $c) {
 			$manager = $c->get(IUserManager::class);
diff --git a/lib/public/Authentication/Token/IProvider.php b/lib/public/Authentication/Token/IProvider.php
new file mode 100644
index 00000000000..da2e400eb79
--- /dev/null
+++ b/lib/public/Authentication/Token/IProvider.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2022 Artur Neumann <artur@jankaritech.com>
+ *
+ * @author Artur Neumann <artur@jankaritech.com>
+ *
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+namespace OCP\Authentication\Token;
+
+/**
+ * @since 24.0.8
+ */
+interface IProvider {
+	/**
+	 * invalidates all tokens of a specific user
+	 * if a client name is given only tokens of that client will be invalidated
+	 *
+	 * @param string $uid
+	 * @param string|null $clientName
+	 * @since 24.0.8
+	 * @return void
+	 */
+	public function invalidateTokensOfUser(string $uid, ?string $clientName);
+}
author	Côme Chilliet <91878298+come-nc@users.noreply.github.com>	2023-03-15 11:09:51 +0100
committer	GitHub <noreply@github.com>	2023-03-15 11:09:51 +0100
commit	8568c11d24736d4df1b9781c4121cf7165f40f65 (patch)
tree	aed92ac29df87aa6f5232cb71b9ae1d3be94ab40 /lib
parent	325c3100c7b1b6a5cbde4e0b2675f237735a7599 (diff)
parent	e97540b9c61e736e9d541dffedd6064680418bc3 (diff)
download	nextcloud-server-8568c11d24736d4df1b9781c4121cf7165f40f65.tar.gz nextcloud-server-8568c11d24736d4df1b9781c4121cf7165f40f65.zip