tokenProvider = $provider; } /** * @param string $scope * @param string $method * @param callable $callback */ public function listen($scope, $method, callable $callback) { $this->manager->listen($scope, $method, $callback); } /** * @param string $scope optional * @param string $method optional * @param callable $callback optional */ public function removeListener($scope = null, $method = null, ?callable $callback = null) { $this->manager->removeListener($scope, $method, $callback); } /** * get the manager object * * @return Manager|PublicEmitter */ public function getManager() { return $this->manager; } /** * get the session object * * @return ISession */ public function getSession() { return $this->session; } /** * set the session object * * @param ISession $session */ public function setSession(ISession $session) { if ($this->session instanceof ISession) { $this->session->close(); } $this->session = $session; $this->activeUser = null; } /** * set the currently active user * * @param IUser|null $user */ public function setUser($user) { if (is_null($user)) { $this->session->remove('user_id'); } else { $this->session->set('user_id', $user->getUID()); } $this->activeUser = $user; } /** * Temporarily set the currently active user without persisting in the session * * @param IUser|null $user */ public function setVolatileActiveUser(?IUser $user): void { $this->activeUser = $user; } /** * get the current active user * * @return IUser|null Current user, otherwise null */ public function getUser() { // FIXME: This is a quick'n dirty work-around for the incognito mode as // described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155 if (OC_User::isIncognitoMode()) { return null; } if (is_null($this->activeUser)) { $uid = $this->session->get('user_id'); if (is_null($uid)) { return null; } $this->activeUser = $this->manager->get($uid); if (is_null($this->activeUser)) { return null; } $this->validateSession(); } return $this->activeUser; } /** * Validate whether the current session is valid * * - For token-authenticated clients, the token validity is checked * - For browsers, the session token validity is checked */ protected function validateSession() { $token = null; $appPassword = $this->session->get('app_password'); if (is_null($appPassword)) { try { $token = $this->session->getId(); } catch (SessionNotAvailableException $ex) { return; } } else { $token = $appPassword; } if (!$this->validateToken($token)) { // Session was invalidated $this->logout(); } } /** * Checks whether the user is logged in * * @return bool if logged in */ public function isLoggedIn() { $user = $this->getUser(); if (is_null($user)) { return false; } return $user->isEnabled(); } /** * set the login name * * @param string|null $loginName for the logged in user */ public function setLoginName($loginName) { if (is_null($loginName)) { $this->session->remove('loginname'); } else { $this->session->set('loginname', $loginName); } } /** * Get the login name of the current user * * @return ?string */ public function getLoginName() { if ($this->activeUser) { return $this->session->get('loginname'); } $uid = $this->session->get('user_id'); if ($uid) { $this->activeUser = $this->manager->get($uid); return $this->session->get('loginname'); } return null; } /** * @return null|string */ public function getImpersonatingUserID(): ?string { return $this->session->get('oldUserId'); } public function setImpersonatingUserID(bool $useCurrentUser = true): void { if ($useCurrentUser === false) { $this->session->remove('oldUserId'); return; } $currentUser = $this->getUser(); if ($currentUser === null) { throw new \OC\User\NoUserException(); } $this->session->set('oldUserId', $currentUser->getUID()); } /** * set the token id * * @param int|null $token that was used to log in */ protected function setToken($token) { if ($token === null) { $this->session->remove('token-id'); } else { $this->session->set('token-id', $token); } } /** * try to log in with the provided credentials * * @param string $uid * @param string $password * @return boolean|null * @throws LoginException */ public function login($uid, $password) { $this->session->regenerateId(); if ($this->validateToken($password, $uid)) { return $this->loginWithToken($password); } return $this->loginWithPassword($uid, $password); } /** * @param IUser $user * @param array $loginDetails * @param bool $regenerateSessionId * @return true returns true if login successful or an exception otherwise * @throws LoginException */ public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) { if (!$user->isEnabled()) { // disabled users can not log in // injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory $message = \OCP\Util::getL10N('lib')->t('Account disabled'); throw new LoginException($message); } if ($regenerateSessionId) { $this->session->regenerateId(); $this->session->remove(Auth::DAV_AUTHENTICATED); } $this->setUser($user); $this->setLoginName($loginDetails['loginName']); $isToken = isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken; if ($isToken) { $this->setToken($loginDetails['token']->getId()); $this->lockdownManager->setToken($loginDetails['token']); $firstTimeLogin = false; } else { $this->setToken(null); $firstTimeLogin = $user->updateLastLoginTimestamp(); } $this->dispatcher->dispatchTyped(new PostLoginEvent( $user, $loginDetails['loginName'], $loginDetails['password'], $isToken )); $this->manager->emit('\OC\User', 'postLogin', [ $user, $loginDetails['loginName'], $loginDetails['password'], $isToken, ]); if ($this->isLoggedIn()) { $this->prepareUserLogin($firstTimeLogin, $regenerateSessionId); return true; } $message = \OCP\Util::getL10N('lib')->t('Login canceled by app'); throw new LoginException($message); } /** * Tries to log in a client * * Checks token auth enforced * Checks 2FA enabled * * @param string $user * @param string $password * @param IRequest $request * @param IThrottler $throttler * @throws LoginException * @throws PasswordLoginForbiddenException * @return boolean */ public function logClientIn($user, $password, IRequest $request, IThrottler $throttler) { $remoteAddress = $request->getRemoteAddress(); $currentDelay = $throttler->sleepDelayOrThrowOnMax($remoteAddress, 'login'); if ($this->manager instanceof PublicEmitter) { $this->manager->emit('\OC\User', 'preLogin', [$user, $password]); } try { $isTokenPassword = $this->isTokenPassword($password); } catch (ExpiredTokenException $e) { // Just return on an expired token no need to check further or record a failed login return false; } if (!$isTokenPassword && $this->isTokenAuthEnforced()) { throw new PasswordLoginForbiddenException(); } if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) { throw new PasswordLoginForbiddenException(); } // Try to login with this username and password if (!$this->login($user, $password)) { // Failed, maybe the user used their email address if (!filter_var($user, FILTER_VALIDATE_EMAIL)) { $this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password); return false; } if ($isTokenPassword) { $dbToken = $this->tokenProvider->getToken($password); $userFromToken = $this->manager->get($dbToken->getUID()); $isValidEmailLogin = $userFromToken->getEMailAddress() === $user && $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken); } else { $users = $this->manager->getByEmail($user); $isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password)); } if (!$isValidEmailLogin) { $this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password); return false; } } if ($isTokenPassword) { $this->session->set('app_password', $password); } elseif ($this->supportsCookies($request)) { // Password login, but cookies supported -> create (browser) session token $this->createSessionToken($request, $this->getUser()->getUID(), $user, $password); } return true; } private function handleLoginFailed(IThrottler $throttler, int $currentDelay, string $remoteAddress, string $user, ?string $password) { $this->logger->warning("Login failed: '" . $user . "' (Remote IP: '" . $remoteAddress . "')", ['app' => 'core']); $throttler->registerAttempt('login', $remoteAddress, ['user' => $user]); $this->dispatcher->dispatchTyped(new OC\Authentication\Events\LoginFailed($user, $password)); if ($currentDelay === 0) { $throttler->sleepDelayOrThrowOnMax($remoteAddress, 'login'); } } protected function supportsCookies(IRequest $request) { if (!is_null($request->getCookie('cookie_test'))) { return true; } setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600); return false; } private function isTokenAuthEnforced(): bool { return $this->config->getSystemValueBool('token_auth_enforced', false); } protected function isTwoFactorEnforced($username) { Util::emitHook( '\OCA\Files_Sharing\API\Server2Server', 'preLoginNameUsedAsUserName', ['uid' => &$username] ); $user = $this->manager->get($username); if (is_null($user)) { $users = $this->manager->getByEmail($username); if (empty($users)) { return false; } if (count($users) !== 1) { return true; } $user = $users[0]; } // DI not possible due to cyclic dependencies :'-/ return OC::$server->get(TwoFactorAuthManager::class)->isTwoFactorAuthenticated($user); } /** * Check if the given 'password' is actually a device token * * @param string $password * @return boolean * @throws ExpiredTokenException */ public function isTokenPassword($password) { try { $this->tokenProvider->getToken($password); return true; } catch (ExpiredTokenException $e) { throw $e; } catch (InvalidTokenException $ex) { $this->logger->debug('Token is not valid: ' . $ex->getMessage(), [ 'exception' => $ex, ]); return false; } } protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) { if ($refreshCsrfToken) { // TODO: mock/inject/use non-static // Refresh the token \OC::$server->get(CsrfTokenManager::class)->refreshToken(); } if ($firstTimeLogin) { //we need to pass the user name, which may differ from login name $user = $this->getUser()->getUID(); OC_Util::setupFS($user); // TODO: lock necessary? //trigger creation of user home and /files folder $userFolder = \OC::$server->getUserFolder($user); try { // copy skeleton \OC_Util::copySkeleton($user, $userFolder); } catch (NotPermittedException $ex) { // read only uses } // trigger any other initialization \OC::$server->get(IEventDispatcher::class)->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser())); \OC::$server->get(IEventDispatcher::class)->dispatchTyped(new UserFirstTimeLoggedInEvent($this->getUser())); } } /** * Tries to login the user with HTTP Basic Authentication * * @todo do not allow basic auth if the user is 2FA enforced * @param IRequest $request * @param IThrottler $throttler * @return boolean if the login was successful */ public function tryBasicAuthLogin(IRequest $request, IThrottler $throttler) { if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) { try { if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) { /** * Add DAV authenticated. This should in an ideal world not be * necessary but the iOS App reads cookies from anywhere instead * only the DAV endpoint. * This makes sure that the cookies will be valid for the whole scope * @see https://github.com/owncloud/core/issues/22893 */ $this->session->set( Auth::DAV_AUTHENTICATED, $this->getUser()->getUID() ); // Set the last-password-confirm session to make the sudo mode work $this->session->set('last-password-confirm', $this->timeFactory->getTime()); return true; } // If credentials were provided, they need to be valid, otherwise we do boom throw new LoginException(); } catch (PasswordLoginForbiddenException $ex) { // Nothing to do } } return false; } /** * Log an user in via login name and password * * @param string $uid * @param string $password * @return boolean * @throws LoginException if an app canceld the login process or the user is not enabled */ private function loginWithPassword($uid, $password) { $user = $this->manager->checkPasswordNoLogging($uid, $password); if ($user === false) { // Password check failed return false; } return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false); } /** * Log an user in with a given token (id) * * @param string $token * @return boolean * @throws LoginException if an app canceled the login process or the user is not enabled */ private function loginWithToken($token) { try { $dbToken = $this->tokenProvider->getToken($token); } catch (InvalidTokenException $ex) { return false; } $uid = $dbToken->getUID(); // When logging in with token, the password must be decrypted first before passing to login hook $password = ''; try { $password = $this->tokenProvider->getPassword($dbToken, $token); } catch (PasswordlessTokenException $ex) { // Ignore and use empty string instead } $this->manager->emit('\OC\User', 'preLogin', [$dbToken->getLoginName(), $password]); $user = $this->manager->get($uid); if (is_null($user)) { // user does not exist return false; } return $this->completeLogin( $user, [ 'loginName' => $dbToken->getLoginName(), 'password' => $password, 'token' => $dbToken ], false); } /** * Create a new session token for the given user credentials * * @param IRequest $request * @param string $uid user UID * @param string $loginName login name * @param string $password * @param int $remember * @return boolean */ public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) { if (is_null($this->manager->get($uid))) { // User does not exist return false; } $name = isset($request->server['HTTP_USER_AGENT']) ? mb_convert_encoding($request->server['HTTP_USER_AGENT'], 'UTF-8', 'ISO-8859-1') : 'unknown browser'; try { $sessionId = $this->session->getId(); $pwd = $this->getPassword($password); // Make sure the current sessionId has no leftover tokens $this->atomic(function () use ($sessionId, $uid, $loginName, $pwd, $name, $remember) { $this->tokenProvider->invalidateToken($sessionId); $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember); }, \OCP\Server::get(IDBConnection::class)); return true; } catch (SessionNotAvailableException $ex) { // This can happen with OCC, where a memory session is used // if a memory session is used, we shouldn't create a session token anyway return false; } } /** * Checks if the given password is a token. * If yes, the password is extracted from the token. * If no, the same password is returned. * * @param string $password either the login password or a device token * @return string|null the password or null if none was set in the token */ private function getPassword($password) { if (is_null($password)) { // This is surely no token ;-) return null; } try { $token = $this->tokenProvider->getToken($password); try { return $this->tokenProvider->getPassword($token, $password); } catch (PasswordlessTokenException $ex) { return null; } } catch (InvalidTokenException $ex) { return $password; } } /** * @param IToken $dbToken * @param string $token * @return boolean */ private function checkTokenCredentials(IToken $dbToken, $token) { // Check whether login credentials are still valid and the user was not disabled // This check is performed each 5 minutes $lastCheck = $dbToken->getLastCheck() ? : 0; $now = $this->timeFactory->getTime(); if ($lastCheck > ($now - 60 * 5)) { // Checked performed recently, nothing to do now return true; } try { $pwd = $this->tokenProvider->getPassword($dbToken, $token); } catch (InvalidTokenException $ex) { // An invalid token password was used -> log user out return false; } catch (PasswordlessTokenException $ex) { // Token has no password if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) { $this->tokenProvider->invalidateToken($token); return false; } return true; } // Invalidate token if the user is no longer active if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) { $this->tokenProvider->invalidateToken($token); return false; } // If the token password is no longer valid mark it as such if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) { $this->tokenProvider->markPasswordInvalid($dbToken, $token); // User is logged out return false; } $dbToken->setLastCheck($now); if ($dbToken instanceof PublicKeyToken) { $dbToken->setLastActivity($now); } $this->tokenProvider->updateToken($dbToken); return true; } /** * Check if the given token exists and performs password/user-enabled checks * * Invalidates the token if checks fail * * @param string $token * @param string $user login name * @return boolean */ private function validateToken($token, $user = null) { try { $dbToken = $this->tokenProvider->getToken($token); } catch (InvalidTokenException $ex) { $this->logger->debug('Session token is invalid because it does not exist', [ 'app' => 'core', 'user' => $user, 'exception' => $ex, ]); return false; } if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) { return false; } if (!$this->checkTokenCredentials($dbToken, $token)) { $this->logger->warning('Session token credentials are invalid', [ 'app' => 'core', 'user' => $user, ]); return false; } // Update token scope $this->lockdownManager->setToken($dbToken); $this->tokenProvider->updateTokenActivity($dbToken); return true; } /** * Check if login names match */ private function validateTokenLoginName(?string $loginName, IToken $token): bool { if ($token->getLoginName() !== $loginName) { // TODO: this makes it impossible to use different login names on browser and client // e.g. login by e-mail 'user@example.com' on browser for generating the token will not // allow to use the client token with the login name 'user'. $this->logger->error('App token login name does not match', [ 'tokenLoginName' => $token->getLoginName(), 'sessionLoginName' => $loginName, 'app' => 'core', 'user' => $token->getUID(), ]); return false; } return true; } /** * Tries to login the user with auth token header * * @param IRequest $request * @todo check remember me cookie * @return boolean */ public function tryTokenLogin(IRequest $request) { $authHeader = $request->getHeader('Authorization'); if (str_starts_with($authHeader, 'Bearer ')) { $token = substr($authHeader, 7); } elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) { // No auth header, let's try session id, but only if this is an existing // session and the request has a session cookie try { $token = $this->session->getId(); } catch (SessionNotAvailableException $ex) { return false; } } else { return false; } if (!$this->loginWithToken($token)) { return false; } if (!$this->validateToken($token)) { return false; } try { $dbToken = $this->tokenProvider->getToken($token); } catch (InvalidTokenException $e) { // Can't really happen but better save than sorry return true; } // Remember me tokens are not app_passwords if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) { // Set the session variable so we know this is an app password $this->session->set('app_password', $token); } return true; } /** * perform login using the magic cookie (remember login) * * @param string $uid the username * @param string $currentToken * @param string $oldSessionId * @return bool */ public function loginWithCookie($uid, $currentToken, $oldSessionId) { $this->session->regenerateId(); $this->manager->emit('\OC\User', 'preRememberedLogin', [$uid]); $user = $this->manager->get($uid); if (is_null($user)) { // user does not exist return false; } // get stored tokens $tokens = $this->config->getUserKeys($uid, 'login_token'); // test cookies token against stored tokens if (!in_array($currentToken, $tokens, true)) { $this->logger->info('Tried to log in but could not verify token', [ 'app' => 'core', 'user' => $uid, ]); return false; } // replace successfully used token with a new one $this->config->deleteUserValue($uid, 'login_token', $currentToken); $newToken = $this->random->generate(32); $this->config->setUserValue($uid, 'login_token', $newToken, (string)$this->timeFactory->getTime()); $this->logger->debug('Remember-me token replaced', [ 'app' => 'core', 'user' => $uid, ]); try { $sessionId = $this->session->getId(); $token = $this->tokenProvider->renewSessionToken($oldSessionId, $sessionId); $this->logger->debug('Session token replaced', [ 'app' => 'core', 'user' => $uid, ]); } catch (SessionNotAvailableException $ex) { $this->logger->critical('Could not renew session token for {uid} because the session is unavailable', [ 'app' => 'core', 'uid' => $uid, 'user' => $uid, ]); return false; } catch (InvalidTokenException $ex) { $this->logger->error('Renewing session token failed: ' . $ex->getMessage(), [ 'app' => 'core', 'user' => $uid, 'exception' => $ex, ]); return false; } $this->setMagicInCookie($user->getUID(), $newToken); //login $this->setUser($user); $this->setLoginName($token->getLoginName()); $this->setToken($token->getId()); $this->lockdownManager->setToken($token); $user->updateLastLoginTimestamp(); $password = null; try { $password = $this->tokenProvider->getPassword($token, $sessionId); } catch (PasswordlessTokenException $ex) { // Ignore } $this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]); return true; } /** * @param IUser $user */ public function createRememberMeToken(IUser $user) { $token = $this->random->generate(32); $this->config->setUserValue($user->getUID(), 'login_token', $token, (string)$this->timeFactory->getTime()); $this->setMagicInCookie($user->getUID(), $token); } /** * logout the user from the session */ public function logout() { $user = $this->getUser(); $this->manager->emit('\OC\User', 'logout', [$user]); if ($user !== null) { try { $token = $this->session->getId(); $this->tokenProvider->invalidateToken($token); $this->logger->debug('Session token invalidated before logout', [ 'user' => $user->getUID(), ]); } catch (SessionNotAvailableException $ex) { } } $this->logger->debug('Logging out', [ 'user' => $user === null ? null : $user->getUID(), ]); $this->setUser(null); $this->setLoginName(null); $this->setToken(null); $this->unsetMagicInCookie(); $this->session->clear(); $this->manager->emit('\OC\User', 'postLogout', [$user]); } /** * Set cookie value to use in next page load * * @param string $username username to be set * @param string $token */ public function setMagicInCookie($username, $token) { $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https'; $webRoot = \OC::$WEBROOT; if ($webRoot === '') { $webRoot = '/'; } $maxAge = $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); \OC\Http\CookieHelper::setCookie( 'nc_username', $username, $maxAge, $webRoot, '', $secureCookie, true, \OC\Http\CookieHelper::SAMESITE_LAX ); \OC\Http\CookieHelper::setCookie( 'nc_token', $token, $maxAge, $webRoot, '', $secureCookie, true, \OC\Http\CookieHelper::SAMESITE_LAX ); try { \OC\Http\CookieHelper::setCookie( 'nc_session_id', $this->session->getId(), $maxAge, $webRoot, '', $secureCookie, true, \OC\Http\CookieHelper::SAMESITE_LAX ); } catch (SessionNotAvailableException $ex) { // ignore } } /** * Remove cookie for "remember username" */ public function unsetMagicInCookie() { //TODO: DI for cookies and IRequest $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https'; unset($_COOKIE['nc_username']); //TODO: DI unset($_COOKIE['nc_token']); unset($_COOKIE['nc_session_id']); setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true); setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true); setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true); // old cookies might be stored under /webroot/ instead of /webroot // and Firefox doesn't like it! setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true); setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true); setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true); } /** * Update password of the browser session token if there is one * * @param string $password */ public function updateSessionTokenPassword($password) { try { $sessionId = $this->session->getId(); $token = $this->tokenProvider->getToken($sessionId); $this->tokenProvider->setPassword($token, $sessionId, $password); } catch (SessionNotAvailableException $ex) { // Nothing to do } catch (InvalidTokenException $ex) { // Nothing to do } } public function updateTokens(string $uid, string $password) { $this->tokenProvider->updatePasswords($uid, $password); } }