authorArthur Schiwon <blizzz@arthur-schiwon.de>2024-07-19 15:53:46 +0200
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>2024-07-22 06:53:35 +0000
commit79dcb5ae76959645ad3b944a1e69f7dae1a472b9 (patch)
treea9a8d18915dbe6f301d384e40da351bc94633513 /lib
parentcd24a8634bcf4b773aac734f6f9194d15d79a04b (diff)
fix(Token): take over scope in token refresh with login by cookie
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'lib')
-rw-r--r--lib/private/Authentication/Token/IProvider.php4
-rw-r--r--lib/private/Authentication/Token/Manager.php7
-rw-r--r--lib/private/Authentication/Token/PublicKeyTokenProvider.php14
3 files changed, 19 insertions, 6 deletions
diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
index fcec8cecac1..f11977a9b8d 100644
--- a/lib/private/Authentication/Token/IProvider.php
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -55,7 +55,9 @@ interface IProvider {
?string $password,
string $name,
int $type = OCPIToken::TEMPORARY_TOKEN,
- int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken;
+ int $remember = OCPIToken::DO_NOT_REMEMBER,
+ ?array $scope = null,
+ ): OCPIToken;
/**
* Get a token by token id
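Review bot: The new `$scope` parameter is undocumented on the interface, and it is the one parameter here whose meaning is not obvious from its type: neither the expected key/value shape of the array nor what passing `null` does is stated. If the docblock above the signature (outside this hunk) carries `@param` entries, add `@param array|null $scope restriction to store on the token; null keeps the provider's default scope` and take the concrete key set from what the token's getScopeAsArray() returns, which this page does not show. The same undocumented parameter is added on the Manager.php and PublicKeyTokenProvider.php signature hunks and should get the same line there. The generateToken declaration begins outside this hunk.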
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
index e0b0e2dd14b..bc28f0cde28 100644
--- a/lib/private/Authentication/Token/Manager.php
+++ b/lib/private/Authentication/Token/Manager.php
@@ -62,7 +62,9 @@ class Manager implements IProvider, OCPIProvider {
$password,
string $name,
int $type = OCPIToken::TEMPORARY_TOKEN,
- int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
+ int $remember = OCPIToken::DO_NOT_REMEMBER,
+ ?array $scope = null,
+ ): OCPIToken {
if (mb_strlen($name) > 128) {
$name = mb_substr($name, 0, 120) . '…';
}
@@ -75,7 +77,8 @@ class Manager implements IProvider, OCPIProvider {
$password,
$name,
$type,
- $remember
+ $remember,
+ $scope,
);
} catch (UniqueConstraintViolationException $e) {
// It's rare, but if two requests of the same session (e.g. env-based SAML)
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 2f3a1236d44..afdd450a64f 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -107,7 +107,9 @@ class PublicKeyTokenProvider implements IProvider {
?string $password,
string $name,
int $type = OCPIToken::TEMPORARY_TOKEN,
- int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
+ int $remember = OCPIToken::DO_NOT_REMEMBER,
+ ?array $scope = null,
+ ): OCPIToken {
if (strlen($token) < self::TOKEN_MIN_LENGTH) {
$exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given');
$this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]);
@@ -129,6 +131,10 @@ class PublicKeyTokenProvider implements IProvider {
$dbToken->setPasswordHash($randomOldToken->getPasswordHash());
}
+ if ($scope !== null) {
+ $dbToken->setScope($scope);
+ }
+
$this->mapper->insert($dbToken);
if (!$oldTokenMatches && $password !== null) {
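Review bot: `setScope()` is applied only when `$scope !== null`, so every caller that passes `null` ends up with whatever scope `$dbToken` already carries at this point, which is assigned outside this hunk; that fallback determines the effective permissions of any token created without an explicit scope, so the choice deserves a comment at the new lines: `// null = no explicit restriction requested: keep the scope $dbToken was built with`. Because the array goes straight into `$this->mapper->insert()` on the next line, it would also be worth stating (or asserting) the expected key/value shape before `setScope()` if the setter does not validate it itself — that is not visible here. The enclosing generateToken body starts and ends outside this hunk.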
@@ -256,6 +262,8 @@ class PublicKeyTokenProvider implements IProvider {
$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
$password = $this->decryptPassword($token->getPassword(), $privateKey);
}
+
+ $scope = $token->getScope() === '' ? null : $token->getScopeAsArray();
$newToken = $this->generateToken(
$sessionId,
$token->getUID(),
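Review bot: An empty stored scope is turned into `null`, which under the new generateToken means the renewed token receives the default scope rather than anything derived from the old one; the removed `setScope($token->getScopeAsArray())` call in the following hunk applied getScopeAsArray()'s result for `''` unconditionally, and whether the default and that result agree is not visible here — if the default is any broader, a cookie-based refresh would silently widen what the session may do. A comment would make the intent reviewable: `// '' means no restriction was ever stored: pass null so the new token gets the default scope instead of an empty array`. If `getScope()` can still return null for older rows, the strict `=== ''` test would not catch that and getScopeAsArray() would be called on a null value — worth confirming against the entity class. The enclosing method starts and ends outside this hunk.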
@@ -263,9 +271,9 @@ class PublicKeyTokenProvider implements IProvider {
$password,
$token->getName(),
OCPIToken::TEMPORARY_TOKEN,
- $token->getRemember()
+ $token->getRemember(),
+ $scope,
);
- $newToken->setScope($token->getScopeAsArray());
$this->cacheToken($newToken);
$this->cacheInvalidHash($token->getToken());