Diffstat (limited to 'apps/federation/api/ocsauthapi.php')
-rw-r--r-- | apps/federation/api/ocsauthapi.php | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/apps/federation/api/ocsauthapi.php b/apps/federation/api/ocsauthapi.php
index 42d7113820d..b94550fd4f2 100644
--- a/apps/federation/api/ocsauthapi.php
+++ b/apps/federation/api/ocsauthapi.php
@@ -26,6 +26,7 @@ use OCA\Federation\DbHandler;
 use OCA\Federation\TrustedServers;
 use OCP\AppFramework\Http;
 use OCP\BackgroundJob\IJobList;
+use OCP\ILogger;
 use OCP\IRequest;
 use OCP\Security\ISecureRandom;
 use OCP\Security\StringUtils;
@@ -54,6 +55,9 @@ class OCSAuthAPI {
 	/** @var DbHandler */
 	private $dbHandler;
 
+	/** @var ILogger */
+	private $logger;
+
 	/**
 	 * OCSAuthAPI constructor.
 	 *
@@ -62,19 +66,22 @@ class OCSAuthAPI {
 	 * @param IJobList $jobList
 	 * @param TrustedServers $trustedServers
 	 * @param DbHandler $dbHandler
+	 * @param ILogger $logger
 	 */
 	public function __construct(
 		IRequest $request,
 		ISecureRandom $secureRandom,
 		IJobList $jobList,
 		TrustedServers $trustedServers,
-		DbHandler $dbHandler
+		DbHandler $dbHandler,
+		ILogger $logger
 	) {
 		$this->request = $request;
 		$this->secureRandom = $secureRandom;
 		$this->jobList = $jobList;
 		$this->trustedServers = $trustedServers;
 		$this->dbHandler = $dbHandler;
+		$this->logger = $logger;
 	}
 
 	/**
@@ -88,6 +95,7 @@ class OCSAuthAPI {
 		$token = $this->request->getParam('token');
 
 		if ($this->trustedServers->isTrustedServer($url) === false) {
+			$this->logger->log(\OCP\Util::ERROR, 'remote server not trusted (' . $url . ') while requesting shared secret');
 			return new \OC_OCS_Result(null, HTTP::STATUS_FORBIDDEN);
 		}
 
@@ -95,6 +103,7 @@ class OCSAuthAPI {
 		// token wins
 		$localToken = $this->dbHandler->getToken($url);
 		if (strcmp($localToken, $token) > 0) {
+			$this->logger->log(\OCP\Util::ERROR, 'remote server (' . $url . ') presented lower token');
 			return new \OC_OCS_Result(null, HTTP::STATUS_FORBIDDEN);
 		}
 
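Review bot: The new log call in the @@ -88 hunk (and likewise in the @@ -95 and @@ -120 hunks) records `$url` at ERROR level on requests that have passed no trust check at all — `isTrustedServer($url) === false` is precisely the case where the value is whatever an unauthenticated caller sent — so any remote can append arbitrary strings to the log, and without a context array the entries carry no app attribution to filter on. That is a log-noise and log-integrity concern rather than a correctness bug, but it is worth deciding deliberately whether an untrusted caller's input should produce an ERROR entry. Using the ILogger level helper with the app context, `$this->logger->error('remote server not trusted (' . $url . ') while requesting shared secret', ['app' => 'federation']);`, and the same shape for the other two messages, at least makes the entries attributable. The enclosing method starts before this hunk.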
@@ -120,10 +129,13 @@ class OCSAuthAPI {
 		$url = $this->request->getParam('url');
 		$token = $this->request->getParam('token');
 
-		if (
-			$this->trustedServers->isTrustedServer($url) === false
-			|| $this->isValidToken($url, $token) === false
-		) {
+		if ($this->trustedServers->isTrustedServer($url) === false) {
+			$this->logger->log(\OCP\Util::ERROR, 'remote server not trusted (' . $url . ') while getting shared secret');
+			return new \OC_OCS_Result(null, HTTP::STATUS_FORBIDDEN);
+		}
+
+		if ($this->isValidToken($url, $token) === false) {
+			$this->logger->log(\OCP\Util::ERROR, 'remote server (' . $url . ') didn\'t send a valid token (got ' . $token . ') while getting shared secret');
 			return new \OC_OCS_Result(null, HTTP::STATUS_FORBIDDEN);
 		}
 
@@ -139,7 +151,7 @@ class OCSAuthAPI {
 	protected function isValidToken($url, $token) {
 		$storedToken = $this->dbHandler->getToken($url);
-		return StringUtils::equals($storedToken, $token);
+		return hash_equals($storedToken, $token);
 	}
 
 }
 
|
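Review bot: The second added log line in the @@ -120 hunk writes the presented token into the log (`(got ' . $token . ')`) right after `isValidToken` rejected it; the token is the value this endpoint checks before handing out the shared secret, so a stale or near-miss token is exactly the kind of credential material that should not be retained in log files and support bundles. Keep the fact and drop the value: `$this->logger->log(\OCP\Util::ERROR, 'remote server (' . $url . ') didn\'t send a valid token while getting shared secret');`. The enclosing method starts before this hunk.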
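Review bot: `hash_equals()` in the @@ -139 hunk requires two strings, but `$token` comes straight from `getParam('token')` (presumably null when the parameter is absent, an array if the client sends `token[]`) and `getToken($url)` may likewise return a non-string when nothing is stored for that URL; depending on PHP version the replaced `StringUtils::equals` call then becomes a warning plus a non-boolean result, or a TypeError for an array argument, instead of a clean `false`. Guard before comparing: `if (!is_string($storedToken) || !is_string($token)) { return false; }`. If no other use of `StringUtils` remains in the file, the `use OCP\Security\StringUtils;` import kept as context in the first hunk is now dead and should go too.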