aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Authentication/Token/PublicKeyTokenProvider.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/private/Authentication/Token/PublicKeyTokenProvider.php')
-rw-r--r--lib/private/Authentication/Token/PublicKeyTokenProvider.php49
1 files changed, 33 insertions, 16 deletions
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 767ece1e551..12c3a1d535b 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -85,7 +85,9 @@ class PublicKeyTokenProvider implements IProvider {
?string $password,
string $name,
int $type = OCPIToken::TEMPORARY_TOKEN,
- int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
+ int $remember = OCPIToken::DO_NOT_REMEMBER,
+ ?array $scope = null,
+ ): OCPIToken {
if (strlen($token) < self::TOKEN_MIN_LENGTH) {
$exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given');
$this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]);
@@ -107,6 +109,10 @@ class PublicKeyTokenProvider implements IProvider {
$dbToken->setPasswordHash($randomOldToken->getPasswordHash());
}
+ if ($scope !== null) {
+ $dbToken->setScope($scope);
+ }
+
$this->mapper->insert($dbToken);
if (!$oldTokenMatches && $password !== null) {
@@ -156,7 +162,7 @@ class PublicKeyTokenProvider implements IProvider {
$this->rotate($token, $tokenId, $tokenId);
} catch (DoesNotExistException) {
$this->cacheInvalidHash($tokenHash);
- throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
+ throw new InvalidTokenException('Token does not exist: ' . $ex->getMessage(), 0, $ex);
}
}
@@ -171,7 +177,7 @@ class PublicKeyTokenProvider implements IProvider {
private function getTokenFromCache(string $tokenHash): ?PublicKeyToken {
$serializedToken = $this->cache->get($tokenHash);
if ($serializedToken === false) {
- throw new InvalidTokenException('Token does not exist: ' . $tokenHash);
+ return null;
}
if ($serializedToken === null) {
@@ -226,7 +232,7 @@ class PublicKeyTokenProvider implements IProvider {
$token = $this->getToken($oldSessionId);
if (!($token instanceof PublicKeyToken)) {
- throw new InvalidTokenException("Invalid token type");
+ throw new InvalidTokenException('Invalid token type');
}
$password = null;
@@ -234,6 +240,8 @@ class PublicKeyTokenProvider implements IProvider {
$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
$password = $this->decryptPassword($token->getPassword(), $privateKey);
}
+
+ $scope = $token->getScope() === '' ? null : $token->getScopeAsArray();
$newToken = $this->generateToken(
$sessionId,
$token->getUID(),
@@ -241,9 +249,9 @@ class PublicKeyTokenProvider implements IProvider {
$password,
$token->getName(),
OCPIToken::TEMPORARY_TOKEN,
- $token->getRemember()
+ $token->getRemember(),
+ $scope,
);
- $newToken->setScope($token->getScopeAsArray());
$this->cacheToken($newToken);
$this->cacheInvalidHash($token->getToken());
@@ -273,10 +281,19 @@ class PublicKeyTokenProvider implements IProvider {
public function invalidateOldTokens() {
$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
- $this->mapper->invalidateOld($olderThan, OCPIToken::DO_NOT_REMEMBER);
+ $this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER);
+
$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
- $this->mapper->invalidateOld($rememberThreshold, OCPIToken::REMEMBER);
+ $this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER);
+
+ $wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60);
+ $this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']);
+ $this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN);
+
+ $authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365);
+ $this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']);
+ $this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN);
}
public function invalidateLastUsedBefore(string $uid, int $before): void {
@@ -285,7 +302,7 @@ class PublicKeyTokenProvider implements IProvider {
public function updateToken(OCPIToken $token) {
if (!($token instanceof PublicKeyToken)) {
- throw new InvalidTokenException("Invalid token type");
+ throw new InvalidTokenException('Invalid token type');
}
$this->mapper->update($token);
$this->cacheToken($token);
@@ -293,7 +310,7 @@ class PublicKeyTokenProvider implements IProvider {
public function updateTokenActivity(OCPIToken $token) {
if (!($token instanceof PublicKeyToken)) {
- throw new InvalidTokenException("Invalid token type");
+ throw new InvalidTokenException('Invalid token type');
}
$activityInterval = $this->config->getSystemValueInt('token_auth_activity_update', 60);
@@ -314,7 +331,7 @@ class PublicKeyTokenProvider implements IProvider {
public function getPassword(OCPIToken $savedToken, string $tokenId): string {
if (!($savedToken instanceof PublicKeyToken)) {
- throw new InvalidTokenException("Invalid token type");
+ throw new InvalidTokenException('Invalid token type');
}
if ($savedToken->getPassword() === null) {
@@ -330,7 +347,7 @@ class PublicKeyTokenProvider implements IProvider {
public function setPassword(OCPIToken $token, string $tokenId, string $password) {
if (!($token instanceof PublicKeyToken)) {
- throw new InvalidTokenException("Invalid token type");
+ throw new InvalidTokenException('Invalid token type');
}
$this->atomic(function () use ($password, $token) {
@@ -355,7 +372,7 @@ class PublicKeyTokenProvider implements IProvider {
public function rotate(OCPIToken $token, string $oldTokenId, string $newTokenId): OCPIToken {
if (!($token instanceof PublicKeyToken)) {
- throw new InvalidTokenException("Invalid token type");
+ throw new InvalidTokenException('Invalid token type');
}
// Decrypt private key with oldTokenId
@@ -388,7 +405,7 @@ class PublicKeyTokenProvider implements IProvider {
} catch (\Exception $ex2) {
// Delete the invalid token
$this->invalidateToken($token);
- throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex2);
+ throw new InvalidTokenException('Could not decrypt token password: ' . $ex->getMessage(), 0, $ex2);
}
}
}
@@ -413,7 +430,7 @@ class PublicKeyTokenProvider implements IProvider {
}
/**
- * @deprecated Fallback for instances where the secret might not have been set by accident
+ * @deprecated 26.0.0 Fallback for instances where the secret might not have been set by accident
*/
private function hashTokenWithEmptySecret(string $token): string {
return hash('sha512', $token);
@@ -478,7 +495,7 @@ class PublicKeyTokenProvider implements IProvider {
public function markPasswordInvalid(OCPIToken $token, string $tokenId) {
if (!($token instanceof PublicKeyToken)) {
- throw new InvalidTokenException("Invalid token type");
+ throw new InvalidTokenException('Invalid token type');
}
$token->setPasswordInvalid(true);
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-14 15:10:28 +0000