Signed-off-by: Joas Schilling <coding@schilljs.com>pull/30016/head
Joas Schilling
4 years ago
parent
3a1ef2b012
commit
c0ba89ecc9
@ -1,209 +0,0 @@ |
||||
<?php |
||||
|
||||
declare(strict_types=1); |
||||
|
||||
/** |
||||
* @copyright Copyright (c) 2016, ownCloud, Inc. |
||||
* |
||||
* @author Christoph Wurst <christoph@winzerhof-wurst.at> |
||||
* @author Daniel Kesselberg <mail@danielkesselberg.de> |
||||
* @author Robin Appelman <robin@icewind.nl> |
||||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
||||
* |
||||
* @license AGPL-3.0 |
||||
* |
||||
* This code is free software: you can redistribute it and/or modify |
||||
* it under the terms of the GNU Affero General Public License, version 3, |
||||
* as published by the Free Software Foundation. |
||||
* |
||||
* This program is distributed in the hope that it will be useful, |
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
* GNU Affero General Public License for more details. |
||||
* |
||||
* You should have received a copy of the GNU Affero General Public License, version 3, |
||||
* along with this program. If not, see <http://www.gnu.org/licenses/> |
||||
* |
||||
*/ |
||||
namespace OC\Authentication\Token; |
||||
|
||||
use OCP\AppFramework\Db\Entity; |
||||
|
||||
/** |
||||
* @method void setId(int $id) |
||||
* @method void setUid(string $uid); |
||||
* @method void setLoginName(string $loginname) |
||||
* @method string getToken() |
||||
* @method void setType(int $type) |
||||
* @method int getType() |
||||
* @method void setRemember(int $remember) |
||||
* @method void setLastActivity(int $lastactivity) |
||||
* @method int getLastActivity() |
||||
* @method void setVersion(int $version) |
||||
*/ |
||||
class DefaultToken extends Entity implements INamedToken { |
||||
public const VERSION = 1; |
||||
|
||||
/** @var string user UID */ |
||||
protected $uid; |
||||
|
||||
/** @var string login name used for generating the token */ |
||||
protected $loginName; |
||||
|
||||
/** @var string encrypted user password */ |
||||
protected $password; |
||||
|
||||
/** @var string token name (e.g. browser/OS) */ |
||||
protected $name; |
||||
|
||||
/** @var string */ |
||||
protected $token; |
||||
|
||||
/** @var int */ |
||||
protected $type; |
||||
|
||||
/** @var int */ |
||||
protected $remember; |
||||
|
||||
/** @var int */ |
||||
protected $lastActivity; |
||||
|
||||
/** @var int */ |
||||
protected $lastCheck; |
||||
|
||||
/** @var string */ |
||||
protected $scope; |
||||
|
||||
/** @var int */ |
||||
protected $expires; |
||||
|
||||
/** @var int */ |
||||
protected $version; |
||||
|
||||
public function __construct() { |
||||
$this->addType('uid', 'string'); |
||||
$this->addType('loginName', 'string'); |
||||
$this->addType('password', 'string'); |
||||
$this->addType('name', 'string'); |
||||
$this->addType('token', 'string'); |
||||
$this->addType('type', 'int'); |
||||
$this->addType('remember', 'int'); |
||||
$this->addType('lastActivity', 'int'); |
||||
$this->addType('lastCheck', 'int'); |
||||
$this->addType('scope', 'string'); |
||||
$this->addType('expires', 'int'); |
||||
$this->addType('version', 'int'); |
||||
} |
||||
|
||||
public function getId(): int { |
||||
return $this->id; |
||||
} |
||||
|
||||
public function getUID(): string { |
||||
return $this->uid; |
||||
} |
||||
|
||||
/** |
||||
* Get the login name used when generating the token |
||||
* |
||||
* @return string |
||||
*/ |
||||
public function getLoginName(): string { |
||||
return parent::getLoginName(); |
||||
} |
||||
|
||||
/** |
||||
* Get the (encrypted) login password |
||||
* |
||||
* @return string|null |
||||
*/ |
||||
public function getPassword() { |
||||
return parent::getPassword(); |
||||
} |
||||
|
||||
public function jsonSerialize(): array { |
||||
return [ |
||||
'id' => $this->id, |
||||
'name' => $this->name, |
||||
'lastActivity' => $this->lastActivity, |
||||
'type' => $this->type, |
||||
'scope' => $this->getScopeAsArray() |
||||
]; |
||||
} |
||||
|
||||
/** |
||||
* Get the timestamp of the last password check |
||||
* |
||||
* @return int |
||||
*/ |
||||
public function getLastCheck(): int { |
||||
return parent::getLastCheck(); |
||||
} |
||||
|
||||
/** |
||||
* Get the timestamp of the last password check |
||||
* |
||||
* @param int $time |
||||
*/ |
||||
public function setLastCheck(int $time) { |
||||
parent::setLastCheck($time); |
||||
} |
||||
|
||||
public function getScope(): string { |
||||
$scope = parent::getScope(); |
||||
if ($scope === null) { |
||||
return ''; |
||||
} |
||||
|
||||
return $scope; |
||||
} |
||||
|
||||
public function getScopeAsArray(): array { |
||||
$scope = json_decode($this->getScope(), true); |
||||
if (!$scope) { |
||||
return [ |
||||
'filesystem' => true |
||||
]; |
||||
} |
||||
return $scope; |
||||
} |
||||
|
||||
public function setScope($scope) { |
||||
if (\is_array($scope)) { |
||||
parent::setScope(json_encode($scope)); |
||||
} else { |
||||
parent::setScope((string)$scope); |
||||
} |
||||
} |
||||
|
||||
public function getName(): string { |
||||
return parent::getName(); |
||||
} |
||||
|
||||
public function setName(string $name): void { |
||||
parent::setName($name); |
||||
} |
||||
|
||||
public function getRemember(): int { |
||||
return parent::getRemember(); |
||||
} |
||||
|
||||
public function setToken(string $token) { |
||||
parent::setToken($token); |
||||
} |
||||
|
||||
public function setPassword(string $password = null) { |
||||
parent::setPassword($password); |
||||
} |
||||
|
||||
public function setExpires($expires) { |
||||
parent::setExpires($expires); |
||||
} |
||||
|
||||
/** |
||||
* @return int|null |
||||
*/ |
||||
public function getExpires() { |
||||
return parent::getExpires(); |
||||
} |
||||
} |
||||
@ -1,34 +0,0 @@ |
||||
<?php |
||||
/** |
||||
* @copyright Copyright (c) 2016, ownCloud, Inc. |
||||
* |
||||
* @author Christoph Wurst <christoph@winzerhof-wurst.at> |
||||
* @author Morris Jobke <hey@morrisjobke.de> |
||||
* |
||||
* @license AGPL-3.0 |
||||
* |
||||
* This code is free software: you can redistribute it and/or modify |
||||
* it under the terms of the GNU Affero General Public License, version 3, |
||||
* as published by the Free Software Foundation. |
||||
* |
||||
* This program is distributed in the hope that it will be useful, |
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
* GNU Affero General Public License for more details. |
||||
* |
||||
* You should have received a copy of the GNU Affero General Public License, version 3, |
||||
* along with this program. If not, see <http://www.gnu.org/licenses/> |
||||
* |
||||
*/ |
||||
namespace OC\Authentication\Token; |
||||
|
||||
use OC; |
||||
use OC\BackgroundJob\Job; |
||||
|
||||
class DefaultTokenCleanupJob extends Job { |
||||
protected function run($argument) { |
||||
/* @var $provider IProvider */ |
||||
$provider = OC::$server->query(IProvider::class); |
||||
$provider->invalidateOldTokens(); |
||||
} |
||||
} |
||||
@ -1,172 +0,0 @@ |
||||
<?php |
||||
|
||||
declare(strict_types=1); |
||||
|
||||
/** |
||||
* @copyright Copyright (c) 2016, ownCloud, Inc. |
||||
* |
||||
* @author Bjoern Schiessle <bjoern@schiessle.org> |
||||
* @author Christoph Wurst <christoph@winzerhof-wurst.at> |
||||
* @author Lukas Reschke <lukas@statuscode.ch> |
||||
* @author Marcel Waldvogel <marcel.waldvogel@uni-konstanz.de> |
||||
* @author Robin Appelman <robin@icewind.nl> |
||||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
||||
* |
||||
* @license AGPL-3.0 |
||||
* |
||||
* This code is free software: you can redistribute it and/or modify |
||||
* it under the terms of the GNU Affero General Public License, version 3, |
||||
* as published by the Free Software Foundation. |
||||
* |
||||
* This program is distributed in the hope that it will be useful, |
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
* GNU Affero General Public License for more details. |
||||
* |
||||
* You should have received a copy of the GNU Affero General Public License, version 3, |
||||
* along with this program. If not, see <http://www.gnu.org/licenses/> |
||||
* |
||||
*/ |
||||
namespace OC\Authentication\Token; |
||||
|
||||
use OCP\AppFramework\Db\DoesNotExistException; |
||||
use OCP\AppFramework\Db\QBMapper; |
||||
use OCP\DB\QueryBuilder\IQueryBuilder; |
||||
use OCP\IDBConnection; |
||||
|
||||
/** |
||||
* @template-extends QBMapper<DefaultToken> |
||||
*/ |
||||
class DefaultTokenMapper extends QBMapper { |
||||
public function __construct(IDBConnection $db) { |
||||
parent::__construct($db, 'authtoken'); |
||||
} |
||||
|
||||
/** |
||||
* Invalidate (delete) a given token |
||||
* |
||||
* @param string $token |
||||
*/ |
||||
public function invalidate(string $token) { |
||||
/* @var $qb IQueryBuilder */ |
||||
$qb = $this->db->getQueryBuilder(); |
||||
$qb->delete('authtoken') |
||||
->where($qb->expr()->eq('token', $qb->createNamedParameter($token, IQueryBuilder::PARAM_STR))) |
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) |
||||
->execute(); |
||||
} |
||||
|
||||
/** |
||||
* @param int $olderThan |
||||
* @param int $remember |
||||
*/ |
||||
public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) { |
||||
/* @var $qb IQueryBuilder */ |
||||
$qb = $this->db->getQueryBuilder(); |
||||
$qb->delete('authtoken') |
||||
->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT))) |
||||
->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT))) |
||||
->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))) |
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) |
||||
->execute(); |
||||
} |
||||
|
||||
/** |
||||
* Get the user UID for the given token |
||||
* |
||||
* @param string $token |
||||
* @throws DoesNotExistException |
||||
* @return DefaultToken |
||||
*/ |
||||
public function getToken(string $token): DefaultToken { |
||||
/* @var $qb IQueryBuilder */ |
||||
$qb = $this->db->getQueryBuilder(); |
||||
$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version') |
||||
->from('authtoken') |
||||
->where($qb->expr()->eq('token', $qb->createNamedParameter($token))) |
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) |
||||
->execute(); |
||||
|
||||
$data = $result->fetch(); |
||||
$result->closeCursor(); |
||||
if ($data === false) { |
||||
throw new DoesNotExistException('token does not exist'); |
||||
} |
||||
return DefaultToken::fromRow($data); |
||||
} |
||||
|
||||
/** |
||||
* Get the token for $id |
||||
* |
||||
* @param int $id |
||||
* @throws DoesNotExistException |
||||
* @return DefaultToken |
||||
*/ |
||||
public function getTokenById(int $id): DefaultToken { |
||||
/* @var $qb IQueryBuilder */ |
||||
$qb = $this->db->getQueryBuilder(); |
||||
$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version') |
||||
->from('authtoken') |
||||
->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) |
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) |
||||
->execute(); |
||||
|
||||
$data = $result->fetch(); |
||||
$result->closeCursor(); |
||||
if ($data === false) { |
||||
throw new DoesNotExistException('token does not exist'); |
||||
} |
||||
return DefaultToken::fromRow($data); |
||||
} |
||||
|
||||
/** |
||||
* Get all tokens of a user |
||||
* |
||||
* The provider may limit the number of result rows in case of an abuse |
||||
* where a high number of (session) tokens is generated |
||||
* |
||||
* @param string $uid |
||||
* @return DefaultToken[] |
||||
*/ |
||||
public function getTokenByUser(string $uid): array { |
||||
/* @var $qb IQueryBuilder */ |
||||
$qb = $this->db->getQueryBuilder(); |
||||
$qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version') |
||||
->from('authtoken') |
||||
->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) |
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) |
||||
->setMaxResults(1000); |
||||
$result = $qb->execute(); |
||||
$data = $result->fetchAll(); |
||||
$result->closeCursor(); |
||||
|
||||
$entities = array_map(function ($row) { |
||||
return DefaultToken::fromRow($row); |
||||
}, $data); |
||||
|
||||
return $entities; |
||||
} |
||||
|
||||
public function deleteById(string $uid, int $id) { |
||||
/* @var $qb IQueryBuilder */ |
||||
$qb = $this->db->getQueryBuilder(); |
||||
$qb->delete('authtoken') |
||||
->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) |
||||
->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) |
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))); |
||||
$qb->execute(); |
||||
} |
||||
|
||||
/** |
||||
* delete all auth token which belong to a specific client if the client was deleted |
||||
* |
||||
* @param string $name |
||||
*/ |
||||
public function deleteByName(string $name) { |
||||
$qb = $this->db->getQueryBuilder(); |
||||
$qb->delete('authtoken') |
||||
->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR)) |
||||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))); |
||||
$qb->execute(); |
||||
} |
||||
} |
||||
@ -1,343 +0,0 @@ |
||||
<?php |
||||
|
||||
declare(strict_types=1); |
||||
|
||||
/** |
||||
* @copyright Copyright (c) 2016, ownCloud, Inc. |
||||
* @copyright Copyright (c) 2016, Christoph Wurst <christoph@winzerhof-wurst.at> |
||||
* |
||||
* @author Christoph Wurst <christoph@winzerhof-wurst.at> |
||||
* @author Flávio Gomes da Silva Lisboa <flavio.lisboa@serpro.gov.br> |
||||
* @author Joas Schilling <coding@schilljs.com> |
||||
* @author Lukas Reschke <lukas@statuscode.ch> |
||||
* @author Martin <github@diemattels.at> |
||||
* @author Robin Appelman <robin@icewind.nl> |
||||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
||||
* |
||||
* @license AGPL-3.0 |
||||
* |
||||
* This code is free software: you can redistribute it and/or modify |
||||
* it under the terms of the GNU Affero General Public License, version 3, |
||||
* as published by the Free Software Foundation. |
||||
* |
||||
* This program is distributed in the hope that it will be useful, |
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
* GNU Affero General Public License for more details. |
||||
* |
||||
* You should have received a copy of the GNU Affero General Public License, version 3, |
||||
* along with this program. If not, see <http://www.gnu.org/licenses/> |
||||
* |
||||
*/ |
||||
namespace OC\Authentication\Token; |
||||
|
||||
use Exception; |
||||
use OC\Authentication\Exceptions\ExpiredTokenException; |
||||
use OC\Authentication\Exceptions\InvalidTokenException; |
||||
use OC\Authentication\Exceptions\PasswordlessTokenException; |
||||
use OCP\AppFramework\Db\DoesNotExistException; |
||||
use OCP\AppFramework\Utility\ITimeFactory; |
||||
use OCP\IConfig; |
||||
use OCP\Security\ICrypto; |
||||
use Psr\Log\LoggerInterface; |
||||
|
||||
class DefaultTokenProvider implements IProvider { |
||||
|
||||
/** @var DefaultTokenMapper */ |
||||
private $mapper; |
||||
|
||||
/** @var ICrypto */ |
||||
private $crypto; |
||||
|
||||
/** @var IConfig */ |
||||
private $config; |
||||
|
||||
/** @var LoggerInterface */ |
||||
private $logger; |
||||
|
||||
/** @var ITimeFactory */ |
||||
private $time; |
||||
|
||||
public function __construct(DefaultTokenMapper $mapper, |
||||
ICrypto $crypto, |
||||
IConfig $config, |
||||
LoggerInterface $logger, |
||||
ITimeFactory $time) { |
||||
$this->mapper = $mapper; |
||||
$this->crypto = $crypto; |
||||
$this->config = $config; |
||||
$this->logger = $logger; |
||||
$this->time = $time; |
||||
} |
||||
|
||||
/** |
||||
* {@inheritDoc} |
||||
*/ |
||||
public function generateToken(string $token, |
||||
string $uid, |
||||
string $loginName, |
||||
?string $password, |
||||
string $name, |
||||
int $type = IToken::TEMPORARY_TOKEN, |
||||
int $remember = IToken::DO_NOT_REMEMBER): IToken { |
||||
$dbToken = new DefaultToken(); |
||||
$dbToken->setUid($uid); |
||||
$dbToken->setLoginName($loginName); |
||||
if (!is_null($password)) { |
||||
$dbToken->setPassword($this->encryptPassword($password, $token)); |
||||
} |
||||
$dbToken->setName($name); |
||||
$dbToken->setToken($this->hashToken($token)); |
||||
$dbToken->setType($type); |
||||
$dbToken->setRemember($remember); |
||||
$dbToken->setLastActivity($this->time->getTime()); |
||||
$dbToken->setLastCheck($this->time->getTime()); |
||||
$dbToken->setVersion(DefaultToken::VERSION); |
||||
|
||||
$this->mapper->insert($dbToken); |
||||
|
||||
return $dbToken; |
||||
} |
||||
|
||||
/** |
||||
* Save the updated token |
||||
* |
||||
* @param IToken $token |
||||
* @throws InvalidTokenException |
||||
*/ |
||||
public function updateToken(IToken $token) { |
||||
if (!($token instanceof DefaultToken)) { |
||||
throw new InvalidTokenException("Invalid token type"); |
||||
} |
||||
$this->mapper->update($token); |
||||
} |
||||
|
||||
/** |
||||
* Update token activity timestamp |
||||
* |
||||
* @throws InvalidTokenException |
||||
* @param IToken $token |
||||
*/ |
||||
public function updateTokenActivity(IToken $token) { |
||||
if (!($token instanceof DefaultToken)) { |
||||
throw new InvalidTokenException("Invalid token type"); |
||||
} |
||||
/** @var DefaultToken $token */ |
||||
$now = $this->time->getTime(); |
||||
if ($token->getLastActivity() < ($now - 60)) { |
||||
// Update token only once per minute |
||||
$token->setLastActivity($now); |
||||
$this->mapper->update($token); |
||||
} |
||||
} |
||||
|
||||
public function getTokenByUser(string $uid): array { |
||||
return $this->mapper->getTokenByUser($uid); |
||||
} |
||||
|
||||
/** |
||||
* Get a token by token |
||||
* |
||||
* @param string $tokenId |
||||
* @throws InvalidTokenException |
||||
* @throws ExpiredTokenException |
||||
* @return IToken |
||||
*/ |
||||
public function getToken(string $tokenId): IToken { |
||||
try { |
||||
$token = $this->mapper->getToken($this->hashToken($tokenId)); |
||||
} catch (DoesNotExistException $ex) { |
||||
throw new InvalidTokenException("Token does not exist", 0, $ex); |
||||
} |
||||
|
||||
if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) { |
||||
throw new ExpiredTokenException($token); |
||||
} |
||||
|
||||
return $token; |
||||
} |
||||
|
||||
/** |
||||
* Get a token by token id |
||||
* |
||||
* @param int $tokenId |
||||
* @throws InvalidTokenException |
||||
* @throws ExpiredTokenException |
||||
* @return IToken |
||||
*/ |
||||
public function getTokenById(int $tokenId): IToken { |
||||
try { |
||||
$token = $this->mapper->getTokenById($tokenId); |
||||
} catch (DoesNotExistException $ex) { |
||||
throw new InvalidTokenException("Token with ID $tokenId does not exist", 0, $ex); |
||||
} |
||||
|
||||
if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) { |
||||
throw new ExpiredTokenException($token); |
||||
} |
||||
|
||||
return $token; |
||||
} |
||||
|
||||
/** |
||||
* @param string $oldSessionId |
||||
* @param string $sessionId |
||||
* @throws InvalidTokenException |
||||
* @return IToken |
||||
*/ |
||||
public function renewSessionToken(string $oldSessionId, string $sessionId): IToken { |
||||
$token = $this->getToken($oldSessionId); |
||||
|
||||
$newToken = new DefaultToken(); |
||||
$newToken->setUid($token->getUID()); |
||||
$newToken->setLoginName($token->getLoginName()); |
||||
if (!is_null($token->getPassword())) { |
||||
$password = $this->decryptPassword($token->getPassword(), $oldSessionId); |
||||
$newToken->setPassword($this->encryptPassword($password, $sessionId)); |
||||
} |
||||
$newToken->setName($token->getName()); |
||||
$newToken->setToken($this->hashToken($sessionId)); |
||||
$newToken->setType(IToken::TEMPORARY_TOKEN); |
||||
$newToken->setRemember($token->getRemember()); |
||||
$newToken->setLastActivity($this->time->getTime()); |
||||
$this->mapper->insert($newToken); |
||||
$this->mapper->delete($token); |
||||
|
||||
return $newToken; |
||||
} |
||||
|
||||
/** |
||||
* @param IToken $savedToken |
||||
* @param string $tokenId session token |
||||
* @throws InvalidTokenException |
||||
* @throws PasswordlessTokenException |
||||
* @return string |
||||
*/ |
||||
public function getPassword(IToken $savedToken, string $tokenId): string { |
||||
$password = $savedToken->getPassword(); |
||||
if ($password === null || $password === '') { |
||||
throw new PasswordlessTokenException(); |
||||
} |
||||
return $this->decryptPassword($password, $tokenId); |
||||
} |
||||
|
||||
/** |
||||
* Encrypt and set the password of the given token |
||||
* |
||||
* @param IToken $token |
||||
* @param string $tokenId |
||||
* @param string $password |
||||
* @throws InvalidTokenException |
||||
*/ |
||||
public function setPassword(IToken $token, string $tokenId, string $password) { |
||||
if (!($token instanceof DefaultToken)) { |
||||
throw new InvalidTokenException("Invalid token type"); |
||||
} |
||||
/** @var DefaultToken $token */ |
||||
$token->setPassword($this->encryptPassword($password, $tokenId)); |
||||
$this->mapper->update($token); |
||||
} |
||||
|
||||
/** |
||||
* Invalidate (delete) the given session token |
||||
* |
||||
* @param string $token |
||||
*/ |
||||
public function invalidateToken(string $token) { |
||||
$this->mapper->invalidate($this->hashToken($token)); |
||||
} |
||||
|
||||
public function invalidateTokenById(string $uid, int $id) { |
||||
$this->mapper->deleteById($uid, $id); |
||||
} |
||||
|
||||
/** |
||||
* Invalidate (delete) old session tokens |
||||
*/ |
||||
public function invalidateOldTokens() { |
||||
$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24); |
||||
$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']); |
||||
$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER); |
||||
$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); |
||||
$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']); |
||||
$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER); |
||||
} |
||||
|
||||
/** |
||||
* Rotate the token. Usefull for for example oauth tokens |
||||
* |
||||
* @param IToken $token |
||||
* @param string $oldTokenId |
||||
* @param string $newTokenId |
||||
* @return IToken |
||||
*/ |
||||
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { |
||||
try { |
||||
$password = $this->getPassword($token, $oldTokenId); |
||||
$token->setPassword($this->encryptPassword($password, $newTokenId)); |
||||
} catch (PasswordlessTokenException $e) { |
||||
} |
||||
|
||||
$token->setToken($this->hashToken($newTokenId)); |
||||
$this->updateToken($token); |
||||
|
||||
return $token; |
||||
} |
||||
|
||||
/** |
||||
* @param string $token |
||||
* @return string |
||||
*/ |
||||
private function hashToken(string $token): string { |
||||
$secret = $this->config->getSystemValue('secret'); |
||||
return hash('sha512', $token . $secret); |
||||
} |
||||
|
||||
/** |
||||
* Encrypt the given password |
||||
* |
||||
* The token is used as key |
||||
* |
||||
* @param string $password |
||||
* @param string $token |
||||
* @return string encrypted password |
||||
*/ |
||||
private function encryptPassword(string $password, string $token): string { |
||||
$secret = $this->config->getSystemValue('secret'); |
||||
return $this->crypto->encrypt($password, $token . $secret); |
||||
} |
||||
|
||||
/** |
||||
* Decrypt the given password |
||||
* |
||||
* The token is used as key |
||||
* |
||||
* @param string $password |
||||
* @param string $token |
||||
* @throws InvalidTokenException |
||||
* @return string the decrypted key |
||||
*/ |
||||
private function decryptPassword(string $password, string $token): string { |
||||
$secret = $this->config->getSystemValue('secret'); |
||||
try { |
||||
return $this->crypto->decrypt($password, $token . $secret); |
||||
} catch (Exception $ex) { |
||||
// Delete the invalid token |
||||
$this->invalidateToken($token); |
||||
throw new InvalidTokenException("Can not decrypt token password: " . $ex->getMessage(), 0, $ex); |
||||
} |
||||
} |
||||
|
||||
public function markPasswordInvalid(IToken $token, string $tokenId) { |
||||
if (!($token instanceof DefaultToken)) { |
||||
throw new InvalidTokenException("Invalid token type"); |
||||
} |
||||
|
||||
//No need to mark as invalid. We just invalide default tokens |
||||
$this->invalidateToken($tokenId); |
||||
} |
||||
|
||||
public function updatePasswords(string $uid, string $password) { |
||||
// Nothing to do here |
||||
} |
||||
} |
||||
Loading…
Reference in new issue