3 files changed, 84 insertions, 12 deletions

diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php
index 7ddbb70530a..9147e79594c 100644
--- a/apps/dav/lib/Connector/Sabre/Auth.php
+++ b/apps/dav/lib/Connector/Sabre/Auth.php
@@ -211,18 +211,6 @@ class Auth extends AbstractBasic {
 	private function auth(RequestInterface $request, ResponseInterface $response) {
 		$forcedLogout = false;
 
-		$authHeader = $request->getHeader('Authorization');
-		if (strpos($authHeader, 'Bearer ') !== false) {
-			if($this->userSession->tryTokenLogin($this->request)) {
-				$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
-				$user = $this->userSession->getUser()->getUID();
-				\OC_Util::setupFS($user);
-				$this->currentUser = $user;
-				$this->session->close();
-				return [true, $this->principalPrefix . $user];
-			}
-		}
-
 		if(!$this->request->passesCSRFCheck() &&
 			$this->requiresCSRFCheck()) {
 			// In case of a fail with POST we need to recheck the credentials
diff --git a/apps/dav/lib/Connector/Sabre/BearerAuth.php b/apps/dav/lib/Connector/Sabre/BearerAuth.php
new file mode 100644
index 00000000000..dd0a1bac292
--- /dev/null
+++ b/apps/dav/lib/Connector/Sabre/BearerAuth.php
@@ -0,0 +1,76 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\DAV\Connector\Sabre;
+
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IUserSession;
+use Sabre\DAV\Auth\Backend\AbstractBearer;
+
+class BearerAuth extends AbstractBearer {
+	/** @var IUserSession */
+	private $userSession;
+	/** @var ISession */
+	private $session;
+	/** @var IRequest */
+	private $request;
+	/** @var string */
+	private $principalPrefix;
+
+	/**
+	 * @param IUserSession $userSession
+	 * @param ISession $session
+	 * @param string $principalPrefix
+	 * @param IRequest $request
+	 */
+	public function __construct(IUserSession $userSession,
+								ISession $session,
+								IRequest $request,
+								$principalPrefix = 'principals/users/') {
+		$this->userSession = $userSession;
+		$this->session = $session;
+		$this->request = $request;
+		$this->principalPrefix = $principalPrefix;
+	}
+
+	private function setupUserFs($userId) {
+		\OC_Util::setupFS($userId);
+		$this->session->close();
+		return $this->principalPrefix . $userId;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function validateBearerToken($bearerToken) {
+		\OC_Util::setupFS();
+
+		if(!$this->userSession->isLoggedIn()) {
+			$this->userSession->tryTokenLogin($this->request);
+		}
+		if($this->userSession->isLoggedIn()) {
+			return $this->setupUserFs($this->userSession->getUser()->getUID());
+		}
+
+		return false;
+	}
+}
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
index df5b0ea05b6..994ac04033a 100644
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@@ -33,6 +33,7 @@ use OCA\DAV\CardDAV\ImageExportPlugin;
 use OCA\DAV\CardDAV\PhotoCache;
 use OCA\DAV\Comments\CommentsPlugin;
 use OCA\DAV\Connector\Sabre\Auth;
+use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
 use OCA\DAV\Connector\Sabre\CommentPropertiesPlugin;
 use OCA\DAV\Connector\Sabre\CopyEtagHeaderPlugin;
@@ -52,6 +53,7 @@ use OCP\SabrePluginEvent;
 use Sabre\CardDAV\VCFExportPlugin;
 use Sabre\DAV\Auth\Plugin;
 use OCA\DAV\Connector\Sabre\TagsPlugin;
+use Sabre\HTTP\Auth\Bearer;
 use SearchDAV\DAV\SearchPlugin;
 
 class Server {
@@ -100,6 +102,12 @@ class Server {
 		$event = new SabrePluginEvent($this->server);
 		$dispatcher->dispatch('OCA\DAV\Connector\Sabre::authInit', $event);
 
+		$bearerAuthBackend = new BearerAuth(
+			\OC::$server->getUserSession(),
+			\OC::$server->getSession(),
+			\OC::$server->getRequest()
+		);
+		$authPlugin->addBackend($bearerAuthBackend);
 		// because we are throwing exceptions this plugin has to be the last one
 		$authPlugin->addBackend($authBackend);