Merge pull request #46668 from nextcloud/backport/46640/stable28

[stable28] fix(Token): take over scope in token refresh with login by cookie

3 files changed, 19 insertions, 6 deletions

diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
index fcec8cecac1..f11977a9b8d 100644
--- a/lib/private/Authentication/Token/IProvider.php
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -55,7 +55,9 @@ interface IProvider {
 		?string $password,
 		string $name,
 		int $type = OCPIToken::TEMPORARY_TOKEN,
-		int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken;
+		int $remember = OCPIToken::DO_NOT_REMEMBER,
+		?array $scope = null,
+	): OCPIToken;
 
 	/**
 	 * Get a token by token id
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
index e0b0e2dd14b..bc28f0cde28 100644
--- a/lib/private/Authentication/Token/Manager.php
+++ b/lib/private/Authentication/Token/Manager.php
@@ -62,7 +62,9 @@ class Manager implements IProvider, OCPIProvider {
 		$password,
 		string $name,
 		int $type = OCPIToken::TEMPORARY_TOKEN,
-		int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
+		int $remember = OCPIToken::DO_NOT_REMEMBER,
+		?array $scope = null,
+	): OCPIToken {
 		if (mb_strlen($name) > 128) {
 			$name = mb_substr($name, 0, 120) . '…';
 		}
@@ -75,7 +77,8 @@ class Manager implements IProvider, OCPIProvider {
 				$password,
 				$name,
 				$type,
-				$remember
+				$remember,
+				$scope,
 			);
 		} catch (UniqueConstraintViolationException $e) {
 			// It's rare, but if two requests of the same session (e.g. env-based SAML)
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 2f3a1236d44..afdd450a64f 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -107,7 +107,9 @@ class PublicKeyTokenProvider implements IProvider {
 		?string $password,
 		string $name,
 		int $type = OCPIToken::TEMPORARY_TOKEN,
-		int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
+		int $remember = OCPIToken::DO_NOT_REMEMBER,
+		?array $scope = null,
+	): OCPIToken {
 		if (strlen($token) < self::TOKEN_MIN_LENGTH) {
 			$exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given');
 			$this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]);
@@ -129,6 +131,10 @@ class PublicKeyTokenProvider implements IProvider {
 			$dbToken->setPasswordHash($randomOldToken->getPasswordHash());
 		}
 
+		if ($scope !== null) {
+			$dbToken->setScope($scope);
+		}
+
 		$this->mapper->insert($dbToken);
 
 		if (!$oldTokenMatches && $password !== null) {
@@ -256,6 +262,8 @@ class PublicKeyTokenProvider implements IProvider {
 				$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
 				$password = $this->decryptPassword($token->getPassword(), $privateKey);
 			}
+
+			$scope = $token->getScope() === '' ? null : $token->getScopeAsArray();
 			$newToken = $this->generateToken(
 				$sessionId,
 				$token->getUID(),
@@ -263,9 +271,9 @@ class PublicKeyTokenProvider implements IProvider {
 				$password,
 				$token->getName(),
 				OCPIToken::TEMPORARY_TOKEN,
-				$token->getRemember()
+				$token->getRemember(),
+				$scope,
 			);
-			$newToken->setScope($token->getScopeAsArray());
 			$this->cacheToken($newToken);
 
 			$this->cacheInvalidHash($token->getToken());