nextcloud / server

lib/private/Authentication/Token/DefaultTokenProvider.php

Indentation +306 added lines, -306 removed lines

@@ -44,310 +44,310 @@
 
 class DefaultTokenProvider implements IProvider {
 
-	/** @var DefaultTokenMapper */
-	private $mapper;
-
-	/** @var ICrypto */
-	private $crypto;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var ILogger */
-	private $logger;
-
-	/** @var ITimeFactory */
-	private $time;
-
-	public function __construct(DefaultTokenMapper $mapper,
-								ICrypto $crypto,
-								IConfig $config,
-								ILogger $logger,
-								ITimeFactory $time) {
-		$this->mapper = $mapper;
-		$this->crypto = $crypto;
-		$this->config = $config;
-		$this->logger = $logger;
-		$this->time = $time;
-	}
-
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		$dbToken = new DefaultToken();
-		$dbToken->setUid($uid);
-		$dbToken->setLoginName($loginName);
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $token));
-		}
-		$dbToken->setName($name);
-		$dbToken->setToken($this->hashToken($token));
-		$dbToken->setType($type);
-		$dbToken->setRemember($remember);
-		$dbToken->setLastActivity($this->time->getTime());
-		$dbToken->setLastCheck($this->time->getTime());
-		$dbToken->setVersion(DefaultToken::VERSION);
-
-		$this->mapper->insert($dbToken);
-
-		return $dbToken;
-	}
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 * @throws InvalidTokenException
-	 */
-	public function updateToken(IToken $token) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-		$this->mapper->update($token);
-	}
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @throws InvalidTokenException
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-		/** @var DefaultToken $token */
-		$now = $this->time->getTime();
-		if ($token->getLastActivity() < ($now - 60)) {
-			// Update token only once per minute
-			$token->setLastActivity($now);
-			$this->mapper->update($token);
-		}
-	}
-
-	public function getTokenByUser(string $uid): array {
-		return $this->mapper->getTokenByUser($uid);
-	}
-
-	/**
-	 * Get a token by token
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken {
-		try {
-			$token = $this->mapper->getToken($this->hashToken($tokenId));
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException("Token does not exist", 0, $ex);
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			$token = $this->mapper->getTokenById($tokenId);
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException("Token with ID $tokenId does not exist", 0, $ex);
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	/**
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		$token = $this->getToken($oldSessionId);
-
-		$newToken = new DefaultToken();
-		$newToken->setUid($token->getUID());
-		$newToken->setLoginName($token->getLoginName());
-		if (!is_null($token->getPassword())) {
-			$password = $this->decryptPassword($token->getPassword(), $oldSessionId);
-			$newToken->setPassword($this->encryptPassword($password, $sessionId));
-		}
-		$newToken->setName($token->getName());
-		$newToken->setToken($this->hashToken($sessionId));
-		$newToken->setType(IToken::TEMPORARY_TOKEN);
-		$newToken->setRemember($token->getRemember());
-		$newToken->setLastActivity($this->time->getTime());
-		$this->mapper->insert($newToken);
-		$this->mapper->delete($token);
-
-		return $newToken;
-	}
-
-	/**
-	 * @param IToken $savedToken
-	 * @param string $tokenId session token
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string {
-		$password = $savedToken->getPassword();
-		if (is_null($password)) {
-			throw new PasswordlessTokenException();
-		}
-		return $this->decryptPassword($password, $tokenId);
-	}
-
-	/**
-	 * Encrypt and set the password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @param string $password
-	 * @throws InvalidTokenException
-	 */
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-		/** @var DefaultToken $token */
-		$token->setPassword($this->encryptPassword($password, $tokenId));
-		$this->mapper->update($token);
-	}
-
-	/**
-	 * Invalidate (delete) the given session token
-	 *
-	 * @param string $token
-	 */
-	public function invalidateToken(string $token) {
-		$this->mapper->invalidate($this->hashToken($token));
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->mapper->deleteById($uid, $id);
-	}
-
-	/**
-	 * Invalidate (delete) old session tokens
-	 */
-	public function invalidateOldTokens() {
-		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
-		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
-	}
-
-	/**
-	 * Rotate the token. Usefull for for example oauth tokens
-	 *
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		try {
-			$password = $this->getPassword($token, $oldTokenId);
-			$token->setPassword($this->encryptPassword($password, $newTokenId));
-		} catch (PasswordlessTokenException $e) {
-		}
-
-		$token->setToken($this->hashToken($newTokenId));
-		$this->updateToken($token);
-
-		return $token;
-	}
-
-	/**
-	 * @param string $token
-	 * @return string
-	 */
-	private function hashToken(string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
-	}
-
-	/**
-	 * Encrypt the given password
-	 *
-	 * The token is used as key
-	 *
-	 * @param string $password
-	 * @param string $token
-	 * @return string encrypted password
-	 */
-	private function encryptPassword(string $password, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($password, $token . $secret);
-	}
-
-	/**
-	 * Decrypt the given password
-	 *
-	 * The token is used as key
-	 *
-	 * @param string $password
-	 * @param string $token
-	 * @throws InvalidTokenException
-	 * @return string the decrypted key
-	 */
-	private function decryptPassword(string $password, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		try {
-			return $this->crypto->decrypt($password, $token . $secret);
-		} catch (Exception $ex) {
-			// Delete the invalid token
-			$this->invalidateToken($token);
-			throw new InvalidTokenException("Can not decrypt token password: " . $ex->getMessage(), 0, $ex);
-		}
-	}
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		//No need to mark as invalid. We just invalide default tokens
-		$this->invalidateToken($tokenId);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		// Nothing to do here
-	}
+    /** @var DefaultTokenMapper */
+    private $mapper;
+
+    /** @var ICrypto */
+    private $crypto;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var ILogger */
+    private $logger;
+
+    /** @var ITimeFactory */
+    private $time;
+
+    public function __construct(DefaultTokenMapper $mapper,
+                                ICrypto $crypto,
+                                IConfig $config,
+                                ILogger $logger,
+                                ITimeFactory $time) {
+        $this->mapper = $mapper;
+        $this->crypto = $crypto;
+        $this->config = $config;
+        $this->logger = $logger;
+        $this->time = $time;
+    }
+
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        $dbToken = new DefaultToken();
+        $dbToken->setUid($uid);
+        $dbToken->setLoginName($loginName);
+        if (!is_null($password)) {
+            $dbToken->setPassword($this->encryptPassword($password, $token));
+        }
+        $dbToken->setName($name);
+        $dbToken->setToken($this->hashToken($token));
+        $dbToken->setType($type);
+        $dbToken->setRemember($remember);
+        $dbToken->setLastActivity($this->time->getTime());
+        $dbToken->setLastCheck($this->time->getTime());
+        $dbToken->setVersion(DefaultToken::VERSION);
+
+        $this->mapper->insert($dbToken);
+
+        return $dbToken;
+    }
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     * @throws InvalidTokenException
+     */
+    public function updateToken(IToken $token) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+        $this->mapper->update($token);
+    }
+
+    /**
+     * Update token activity timestamp
+     *
+     * @throws InvalidTokenException
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+        /** @var DefaultToken $token */
+        $now = $this->time->getTime();
+        if ($token->getLastActivity() < ($now - 60)) {
+            // Update token only once per minute
+            $token->setLastActivity($now);
+            $this->mapper->update($token);
+        }
+    }
+
+    public function getTokenByUser(string $uid): array {
+        return $this->mapper->getTokenByUser($uid);
+    }
+
+    /**
+     * Get a token by token
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken {
+        try {
+            $token = $this->mapper->getToken($this->hashToken($tokenId));
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException("Token does not exist", 0, $ex);
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            $token = $this->mapper->getTokenById($tokenId);
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException("Token with ID $tokenId does not exist", 0, $ex);
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    /**
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        $token = $this->getToken($oldSessionId);
+
+        $newToken = new DefaultToken();
+        $newToken->setUid($token->getUID());
+        $newToken->setLoginName($token->getLoginName());
+        if (!is_null($token->getPassword())) {
+            $password = $this->decryptPassword($token->getPassword(), $oldSessionId);
+            $newToken->setPassword($this->encryptPassword($password, $sessionId));
+        }
+        $newToken->setName($token->getName());
+        $newToken->setToken($this->hashToken($sessionId));
+        $newToken->setType(IToken::TEMPORARY_TOKEN);
+        $newToken->setRemember($token->getRemember());
+        $newToken->setLastActivity($this->time->getTime());
+        $this->mapper->insert($newToken);
+        $this->mapper->delete($token);
+
+        return $newToken;
+    }
+
+    /**
+     * @param IToken $savedToken
+     * @param string $tokenId session token
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $savedToken, string $tokenId): string {
+        $password = $savedToken->getPassword();
+        if (is_null($password)) {
+            throw new PasswordlessTokenException();
+        }
+        return $this->decryptPassword($password, $tokenId);
+    }
+
+    /**
+     * Encrypt and set the password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @param string $password
+     * @throws InvalidTokenException
+     */
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+        /** @var DefaultToken $token */
+        $token->setPassword($this->encryptPassword($password, $tokenId));
+        $this->mapper->update($token);
+    }
+
+    /**
+     * Invalidate (delete) the given session token
+     *
+     * @param string $token
+     */
+    public function invalidateToken(string $token) {
+        $this->mapper->invalidate($this->hashToken($token));
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->mapper->deleteById($uid, $id);
+    }
+
+    /**
+     * Invalidate (delete) old session tokens
+     */
+    public function invalidateOldTokens() {
+        $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+        $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+        $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
+        $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+        $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
+    }
+
+    /**
+     * Rotate the token. Usefull for for example oauth tokens
+     *
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        try {
+            $password = $this->getPassword($token, $oldTokenId);
+            $token->setPassword($this->encryptPassword($password, $newTokenId));
+        } catch (PasswordlessTokenException $e) {
+        }
+
+        $token->setToken($this->hashToken($newTokenId));
+        $this->updateToken($token);
+
+        return $token;
+    }
+
+    /**
+     * @param string $token
+     * @return string
+     */
+    private function hashToken(string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return hash('sha512', $token . $secret);
+    }
+
+    /**
+     * Encrypt the given password
+     *
+     * The token is used as key
+     *
+     * @param string $password
+     * @param string $token
+     * @return string encrypted password
+     */
+    private function encryptPassword(string $password, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return $this->crypto->encrypt($password, $token . $secret);
+    }
+
+    /**
+     * Decrypt the given password
+     *
+     * The token is used as key
+     *
+     * @param string $password
+     * @param string $token
+     * @throws InvalidTokenException
+     * @return string the decrypted key
+     */
+    private function decryptPassword(string $password, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        try {
+            return $this->crypto->decrypt($password, $token . $secret);
+        } catch (Exception $ex) {
+            // Delete the invalid token
+            $this->invalidateToken($token);
+            throw new InvalidTokenException("Can not decrypt token password: " . $ex->getMessage(), 0, $ex);
+        }
+    }
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        //No need to mark as invalid. We just invalide default tokens
+        $this->invalidateToken($tokenId);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        // Nothing to do here
+    }
 }

Spacing +8 added lines, -8 removed lines

@@ -160,7 +160,7 @@ 
 			throw new InvalidTokenException("Token does not exist", 0, $ex);
 		}
 
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+		if ((int) $token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
 			throw new ExpiredTokenException($token);
 		}
 
@@ -182,7 +182,7 @@ 
 			throw new InvalidTokenException("Token with ID $tokenId does not exist", 0, $ex);
 		}
 
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+		if ((int) $token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
 			throw new ExpiredTokenException($token);
 		}
 
@@ -266,10 +266,10 @@ 
 	 */
 	public function invalidateOldTokens() {
 		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+		$this->logger->debug('Invalidating session tokens older than '.date('c', $olderThan), ['app' => 'cron']);
 		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
 		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+		$this->logger->debug('Invalidating remembered session tokens older than '.date('c', $rememberThreshold), ['app' => 'cron']);
 		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
 	}
 
@@ -300,7 +300,7 @@ 
 	 */
 	private function hashToken(string $token): string {
 		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
+		return hash('sha512', $token.$secret);
 	}
 
 	/**
@@ -314,7 +314,7 @@ 
 	 */
 	private function encryptPassword(string $password, string $token): string {
 		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($password, $token . $secret);
+		return $this->crypto->encrypt($password, $token.$secret);
 	}
 
 	/**
@@ -330,11 +330,11 @@ 
 	private function decryptPassword(string $password, string $token): string {
 		$secret = $this->config->getSystemValue('secret');
 		try {
-			return $this->crypto->decrypt($password, $token . $secret);
+			return $this->crypto->decrypt($password, $token.$secret);
 		} catch (Exception $ex) {
 			// Delete the invalid token
 			$this->invalidateToken($token);
-			throw new InvalidTokenException("Can not decrypt token password: " . $ex->getMessage(), 0, $ex);
+			throw new InvalidTokenException("Can not decrypt token password: ".$ex->getMessage(), 0, $ex);
 		}
 	}
 

lib/private/Authentication/Token/PublicKeyTokenProvider.php

Indentation +388 added lines, -388 removed lines

@@ -42,392 +42,392 @@
 use OCP\Security\ICrypto;
 
 class PublicKeyTokenProvider implements IProvider {
-	/** @var PublicKeyTokenMapper */
-	private $mapper;
-
-	/** @var ICrypto */
-	private $crypto;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var ILogger $logger */
-	private $logger;
-
-	/** @var ITimeFactory $time */
-	private $time;
-
-	/** @var CappedMemoryCache */
-	private $cache;
-
-	public function __construct(PublicKeyTokenMapper $mapper,
-								ICrypto $crypto,
-								IConfig $config,
-								ILogger $logger,
-								ITimeFactory $time) {
-		$this->mapper = $mapper;
-		$this->crypto = $crypto;
-		$this->config = $config;
-		$this->logger = $logger;
-		$this->time = $time;
-
-		$this->cache = new CappedMemoryCache();
-	}
-
-	/**
-	 * {@inheritDoc}
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
-		$this->mapper->insert($dbToken);
-
-		// Add the token to the cache
-		$this->cache[$dbToken->getToken()] = $dbToken;
-
-		return $dbToken;
-	}
-
-	public function getToken(string $tokenId): IToken {
-		$tokenHash = $this->hashToken($tokenId);
-
-		if (isset($this->cache[$tokenHash])) {
-			$token = $this->cache[$tokenHash];
-		} else {
-			try {
-				$token = $this->mapper->getToken($this->hashToken($tokenId));
-				$this->cache[$token->getToken()] = $token;
-			} catch (DoesNotExistException $ex) {
-				throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
-			}
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		if ($token->getType() === IToken::WIPE_TOKEN) {
-			throw new WipeTokenException($token);
-		}
-
-		if ($token->getPasswordInvalid() === true) {
-			//The password is invalid we should throw an TokenPasswordExpiredException
-			throw new TokenPasswordExpiredException($token);
-		}
-
-		return $token;
-	}
-
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			$token = $this->mapper->getTokenById($tokenId);
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		if ($token->getType() === IToken::WIPE_TOKEN) {
-			throw new WipeTokenException($token);
-		}
-
-		if ($token->getPasswordInvalid() === true) {
-			//The password is invalid we should throw an TokenPasswordExpiredException
-			throw new TokenPasswordExpiredException($token);
-		}
-
-		return $token;
-	}
-
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		$this->cache->clear();
-
-		$token = $this->getToken($oldSessionId);
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		$password = null;
-		if (!is_null($token->getPassword())) {
-			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
-			$password = $this->decryptPassword($token->getPassword(), $privateKey);
-		}
-
-		$newToken = $this->generateToken(
-			$sessionId,
-			$token->getUID(),
-			$token->getLoginName(),
-			$password,
-			$token->getName(),
-			IToken::TEMPORARY_TOKEN,
-			$token->getRemember()
-		);
-
-		$this->mapper->delete($token);
-
-		return $newToken;
-	}
-
-	public function invalidateToken(string $token) {
-		$this->cache->clear();
-
-		$this->mapper->invalidate($this->hashToken($token));
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->cache->clear();
-
-		$this->mapper->deleteById($uid, $id);
-	}
-
-	public function invalidateOldTokens() {
-		$this->cache->clear();
-
-		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
-		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
-	}
-
-	public function updateToken(IToken $token) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-		$this->mapper->update($token);
-	}
-
-	public function updateTokenActivity(IToken $token) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-		/** @var DefaultToken $token */
-		$now = $this->time->getTime();
-		if ($token->getLastActivity() < ($now - 60)) {
-			// Update token only once per minute
-			$token->setLastActivity($now);
-			$this->mapper->update($token);
-		}
-	}
-
-	public function getTokenByUser(string $uid): array {
-		return $this->mapper->getTokenByUser($uid);
-	}
-
-	public function getPassword(IToken $token, string $tokenId): string {
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		if ($token->getPassword() === null) {
-			throw new PasswordlessTokenException();
-		}
-
-		// Decrypt private key with tokenId
-		$privateKey = $this->decrypt($token->getPrivateKey(), $tokenId);
-
-		// Decrypt password with private key
-		return $this->decryptPassword($token->getPassword(), $privateKey);
-	}
-
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		// When changing passwords all temp tokens are deleted
-		$this->mapper->deleteTempToken($token);
-
-		// Update the password for all tokens
-		$tokens = $this->mapper->getTokenByUser($token->getUID());
-		foreach ($tokens as $t) {
-			$publicKey = $t->getPublicKey();
-			$t->setPassword($this->encryptPassword($password, $publicKey));
-			$this->updateToken($t);
-		}
-	}
-
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		// Decrypt private key with oldTokenId
-		$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
-		// Encrypt with the new token
-		$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
-
-		$token->setToken($this->hashToken($newTokenId));
-		$this->updateToken($token);
-
-		return $token;
-	}
-
-	private function encrypt(string $plaintext, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($plaintext, $token . $secret);
-	}
-
-	/**
-	 * @throws InvalidTokenException
-	 */
-	private function decrypt(string $cipherText, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		try {
-			return $this->crypto->decrypt($cipherText, $token . $secret);
-		} catch (\Exception $ex) {
-			// Delete the invalid token
-			$this->invalidateToken($token);
-			throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
-		}
-	}
-
-	private function encryptPassword(string $password, string $publicKey): string {
-		openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
-		$encryptedPassword = base64_encode($encryptedPassword);
-
-		return $encryptedPassword;
-	}
-
-	private function decryptPassword(string $encryptedPassword, string $privateKey): string {
-		$encryptedPassword = base64_decode($encryptedPassword);
-		openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
-
-		return $password;
-	}
-
-	private function hashToken(string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
-	}
-
-	/**
-	 * Convert a DefaultToken to a publicKeyToken
-	 * This will also be updated directly in the Database
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
-		$this->cache->clear();
-
-		$pkToken = $this->newToken(
-			$token,
-			$defaultToken->getUID(),
-			$defaultToken->getLoginName(),
-			$password,
-			$defaultToken->getName(),
-			$defaultToken->getType(),
-			$defaultToken->getRemember()
-		);
-
-		$pkToken->setExpires($defaultToken->getExpires());
-		$pkToken->setId($defaultToken->getId());
-
-		return $this->mapper->update($pkToken);
-	}
-
-	/**
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	private function newToken(string $token,
-							  string $uid,
-							  string $loginName,
-							  $password,
-							  string $name,
-							  int $type,
-							  int $remember): PublicKeyToken {
-		$dbToken = new PublicKeyToken();
-		$dbToken->setUid($uid);
-		$dbToken->setLoginName($loginName);
-
-		$config = array_merge([
-			'digest_alg' => 'sha512',
-			'private_key_bits' => 2048,
-		], $this->config->getSystemValue('openssl', []));
-
-		// Generate new key
-		$res = openssl_pkey_new($config);
-		if ($res === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
-
-		if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
-
-		// Extract the public key from $res to $pubKey
-		$publicKey = openssl_pkey_get_details($res);
-		$publicKey = $publicKey['key'];
-
-		$dbToken->setPublicKey($publicKey);
-		$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
-
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
-		}
-
-		$dbToken->setName($name);
-		$dbToken->setToken($this->hashToken($token));
-		$dbToken->setType($type);
-		$dbToken->setRemember($remember);
-		$dbToken->setLastActivity($this->time->getTime());
-		$dbToken->setLastCheck($this->time->getTime());
-		$dbToken->setVersion(PublicKeyToken::VERSION);
-
-		return $dbToken;
-	}
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		$token->setPasswordInvalid(true);
-		$this->mapper->update($token);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		$this->cache->clear();
-
-		if (!$this->mapper->hasExpiredTokens($uid)) {
-			// Nothing to do here
-			return;
-		}
-
-		// Update the password for all tokens
-		$tokens = $this->mapper->getTokenByUser($uid);
-		foreach ($tokens as $t) {
-			$publicKey = $t->getPublicKey();
-			$t->setPassword($this->encryptPassword($password, $publicKey));
-			$this->updateToken($t);
-		}
-	}
-
-	private function logOpensslError() {
-		$errors = [];
-		while ($error = openssl_error_string()) {
-			$errors[] = $error;
-		}
-		$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
-	}
+    /** @var PublicKeyTokenMapper */
+    private $mapper;
+
+    /** @var ICrypto */
+    private $crypto;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var ILogger $logger */
+    private $logger;
+
+    /** @var ITimeFactory $time */
+    private $time;
+
+    /** @var CappedMemoryCache */
+    private $cache;
+
+    public function __construct(PublicKeyTokenMapper $mapper,
+                                ICrypto $crypto,
+                                IConfig $config,
+                                ILogger $logger,
+                                ITimeFactory $time) {
+        $this->mapper = $mapper;
+        $this->crypto = $crypto;
+        $this->config = $config;
+        $this->logger = $logger;
+        $this->time = $time;
+
+        $this->cache = new CappedMemoryCache();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        $dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
+        $this->mapper->insert($dbToken);
+
+        // Add the token to the cache
+        $this->cache[$dbToken->getToken()] = $dbToken;
+
+        return $dbToken;
+    }
+
+    public function getToken(string $tokenId): IToken {
+        $tokenHash = $this->hashToken($tokenId);
+
+        if (isset($this->cache[$tokenHash])) {
+            $token = $this->cache[$tokenHash];
+        } else {
+            try {
+                $token = $this->mapper->getToken($this->hashToken($tokenId));
+                $this->cache[$token->getToken()] = $token;
+            } catch (DoesNotExistException $ex) {
+                throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
+            }
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        if ($token->getType() === IToken::WIPE_TOKEN) {
+            throw new WipeTokenException($token);
+        }
+
+        if ($token->getPasswordInvalid() === true) {
+            //The password is invalid we should throw an TokenPasswordExpiredException
+            throw new TokenPasswordExpiredException($token);
+        }
+
+        return $token;
+    }
+
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            $token = $this->mapper->getTokenById($tokenId);
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        if ($token->getType() === IToken::WIPE_TOKEN) {
+            throw new WipeTokenException($token);
+        }
+
+        if ($token->getPasswordInvalid() === true) {
+            //The password is invalid we should throw an TokenPasswordExpiredException
+            throw new TokenPasswordExpiredException($token);
+        }
+
+        return $token;
+    }
+
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        $this->cache->clear();
+
+        $token = $this->getToken($oldSessionId);
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        $password = null;
+        if (!is_null($token->getPassword())) {
+            $privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
+            $password = $this->decryptPassword($token->getPassword(), $privateKey);
+        }
+
+        $newToken = $this->generateToken(
+            $sessionId,
+            $token->getUID(),
+            $token->getLoginName(),
+            $password,
+            $token->getName(),
+            IToken::TEMPORARY_TOKEN,
+            $token->getRemember()
+        );
+
+        $this->mapper->delete($token);
+
+        return $newToken;
+    }
+
+    public function invalidateToken(string $token) {
+        $this->cache->clear();
+
+        $this->mapper->invalidate($this->hashToken($token));
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->cache->clear();
+
+        $this->mapper->deleteById($uid, $id);
+    }
+
+    public function invalidateOldTokens() {
+        $this->cache->clear();
+
+        $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+        $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+        $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
+        $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+        $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
+    }
+
+    public function updateToken(IToken $token) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+        $this->mapper->update($token);
+    }
+
+    public function updateTokenActivity(IToken $token) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+        /** @var DefaultToken $token */
+        $now = $this->time->getTime();
+        if ($token->getLastActivity() < ($now - 60)) {
+            // Update token only once per minute
+            $token->setLastActivity($now);
+            $this->mapper->update($token);
+        }
+    }
+
+    public function getTokenByUser(string $uid): array {
+        return $this->mapper->getTokenByUser($uid);
+    }
+
+    public function getPassword(IToken $token, string $tokenId): string {
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        if ($token->getPassword() === null) {
+            throw new PasswordlessTokenException();
+        }
+
+        // Decrypt private key with tokenId
+        $privateKey = $this->decrypt($token->getPrivateKey(), $tokenId);
+
+        // Decrypt password with private key
+        return $this->decryptPassword($token->getPassword(), $privateKey);
+    }
+
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        // When changing passwords all temp tokens are deleted
+        $this->mapper->deleteTempToken($token);
+
+        // Update the password for all tokens
+        $tokens = $this->mapper->getTokenByUser($token->getUID());
+        foreach ($tokens as $t) {
+            $publicKey = $t->getPublicKey();
+            $t->setPassword($this->encryptPassword($password, $publicKey));
+            $this->updateToken($t);
+        }
+    }
+
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        // Decrypt private key with oldTokenId
+        $privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
+        // Encrypt with the new token
+        $token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
+
+        $token->setToken($this->hashToken($newTokenId));
+        $this->updateToken($token);
+
+        return $token;
+    }
+
+    private function encrypt(string $plaintext, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return $this->crypto->encrypt($plaintext, $token . $secret);
+    }
+
+    /**
+     * @throws InvalidTokenException
+     */
+    private function decrypt(string $cipherText, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        try {
+            return $this->crypto->decrypt($cipherText, $token . $secret);
+        } catch (\Exception $ex) {
+            // Delete the invalid token
+            $this->invalidateToken($token);
+            throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
+        }
+    }
+
+    private function encryptPassword(string $password, string $publicKey): string {
+        openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
+        $encryptedPassword = base64_encode($encryptedPassword);
+
+        return $encryptedPassword;
+    }
+
+    private function decryptPassword(string $encryptedPassword, string $privateKey): string {
+        $encryptedPassword = base64_decode($encryptedPassword);
+        openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
+
+        return $password;
+    }
+
+    private function hashToken(string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return hash('sha512', $token . $secret);
+    }
+
+    /**
+     * Convert a DefaultToken to a publicKeyToken
+     * This will also be updated directly in the Database
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
+        $this->cache->clear();
+
+        $pkToken = $this->newToken(
+            $token,
+            $defaultToken->getUID(),
+            $defaultToken->getLoginName(),
+            $password,
+            $defaultToken->getName(),
+            $defaultToken->getType(),
+            $defaultToken->getRemember()
+        );
+
+        $pkToken->setExpires($defaultToken->getExpires());
+        $pkToken->setId($defaultToken->getId());
+
+        return $this->mapper->update($pkToken);
+    }
+
+    /**
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    private function newToken(string $token,
+                                string $uid,
+                                string $loginName,
+                                $password,
+                                string $name,
+                                int $type,
+                                int $remember): PublicKeyToken {
+        $dbToken = new PublicKeyToken();
+        $dbToken->setUid($uid);
+        $dbToken->setLoginName($loginName);
+
+        $config = array_merge([
+            'digest_alg' => 'sha512',
+            'private_key_bits' => 2048,
+        ], $this->config->getSystemValue('openssl', []));
+
+        // Generate new key
+        $res = openssl_pkey_new($config);
+        if ($res === false) {
+            $this->logOpensslError();
+            throw new \RuntimeException('OpenSSL reported a problem');
+        }
+
+        if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
+            $this->logOpensslError();
+            throw new \RuntimeException('OpenSSL reported a problem');
+        }
+
+        // Extract the public key from $res to $pubKey
+        $publicKey = openssl_pkey_get_details($res);
+        $publicKey = $publicKey['key'];
+
+        $dbToken->setPublicKey($publicKey);
+        $dbToken->setPrivateKey($this->encrypt($privateKey, $token));
+
+        if (!is_null($password)) {
+            $dbToken->setPassword($this->encryptPassword($password, $publicKey));
+        }
+
+        $dbToken->setName($name);
+        $dbToken->setToken($this->hashToken($token));
+        $dbToken->setType($type);
+        $dbToken->setRemember($remember);
+        $dbToken->setLastActivity($this->time->getTime());
+        $dbToken->setLastCheck($this->time->getTime());
+        $dbToken->setVersion(PublicKeyToken::VERSION);
+
+        return $dbToken;
+    }
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        $token->setPasswordInvalid(true);
+        $this->mapper->update($token);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        $this->cache->clear();
+
+        if (!$this->mapper->hasExpiredTokens($uid)) {
+            // Nothing to do here
+            return;
+        }
+
+        // Update the password for all tokens
+        $tokens = $this->mapper->getTokenByUser($uid);
+        foreach ($tokens as $t) {
+            $publicKey = $t->getPublicKey();
+            $t->setPassword($this->encryptPassword($password, $publicKey));
+            $this->updateToken($t);
+        }
+    }
+
+    private function logOpensslError() {
+        $errors = [];
+        while ($error = openssl_error_string()) {
+            $errors[] = $error;
+        }
+        $this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
+    }
 }

Spacing +11 added lines, -11 removed lines

@@ -103,11 +103,11 @@ 
 				$token = $this->mapper->getToken($this->hashToken($tokenId));
 				$this->cache[$token->getToken()] = $token;
 			} catch (DoesNotExistException $ex) {
-				throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
+				throw new InvalidTokenException("Token does not exist: ".$ex->getMessage(), 0, $ex);
 			}
 		}
 
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+		if ((int) $token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
 			throw new ExpiredTokenException($token);
 		}
 
@@ -127,10 +127,10 @@ 
 		try {
 			$token = $this->mapper->getTokenById($tokenId);
 		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
+			throw new InvalidTokenException("Token with ID $tokenId does not exist: ".$ex->getMessage(), 0, $ex);
 		}
 
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+		if ((int) $token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
 			throw new ExpiredTokenException($token);
 		}
 
@@ -192,10 +192,10 @@ 
 		$this->cache->clear();
 
 		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+		$this->logger->debug('Invalidating session tokens older than '.date('c', $olderThan), ['app' => 'cron']);
 		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
 		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+		$this->logger->debug('Invalidating remembered session tokens older than '.date('c', $rememberThreshold), ['app' => 'cron']);
 		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
 	}
 
@@ -282,7 +282,7 @@ 
 
 	private function encrypt(string $plaintext, string $token): string {
 		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($plaintext, $token . $secret);
+		return $this->crypto->encrypt($plaintext, $token.$secret);
 	}
 
 	/**
@@ -291,11 +291,11 @@ 
 	private function decrypt(string $cipherText, string $token): string {
 		$secret = $this->config->getSystemValue('secret');
 		try {
-			return $this->crypto->decrypt($cipherText, $token . $secret);
+			return $this->crypto->decrypt($cipherText, $token.$secret);
 		} catch (\Exception $ex) {
 			// Delete the invalid token
 			$this->invalidateToken($token);
-			throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
+			throw new InvalidTokenException("Could not decrypt token password: ".$ex->getMessage(), 0, $ex);
 		}
 	}
 
@@ -315,7 +315,7 @@ 
 
 	private function hashToken(string $token): string {
 		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
+		return hash('sha512', $token.$secret);
 	}
 
 	/**
@@ -428,6 +428,6 @@ 
 		while ($error = openssl_error_string()) {
 			$errors[] = $error;
 		}
-		$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
+		$this->logger->critical('Something is wrong with your openssl setup: '.implode(', ', $errors));
 	}
 }

lib/private/User/Session.php

Indentation +920 added lines, -920 removed lines

@@ -90,924 +90,924 @@
  */
 class Session implements IUserSession, Emitter {
 
-	/** @var Manager|PublicEmitter $manager */
-	private $manager;
-
-	/** @var ISession $session */
-	private $session;
-
-	/** @var ITimeFactory */
-	private $timeFactory;
-
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var User $activeUser */
-	protected $activeUser;
-
-	/** @var ISecureRandom */
-	private $random;
-
-	/** @var ILockdownManager  */
-	private $lockdownManager;
-
-	/** @var ILogger */
-	private $logger;
-	/** @var IEventDispatcher */
-	private $dispatcher;
-
-	/**
-	 * @param Manager $manager
-	 * @param ISession $session
-	 * @param ITimeFactory $timeFactory
-	 * @param IProvider $tokenProvider
-	 * @param IConfig $config
-	 * @param ISecureRandom $random
-	 * @param ILockdownManager $lockdownManager
-	 * @param ILogger $logger
-	 */
-	public function __construct(Manager $manager,
-								ISession $session,
-								ITimeFactory $timeFactory,
-								$tokenProvider,
-								IConfig $config,
-								ISecureRandom $random,
-								ILockdownManager $lockdownManager,
-								ILogger $logger,
-								IEventDispatcher $dispatcher
-	) {
-		$this->manager = $manager;
-		$this->session = $session;
-		$this->timeFactory = $timeFactory;
-		$this->tokenProvider = $tokenProvider;
-		$this->config = $config;
-		$this->random = $random;
-		$this->lockdownManager = $lockdownManager;
-		$this->logger = $logger;
-		$this->dispatcher = $dispatcher;
-	}
-
-	/**
-	 * @param IProvider $provider
-	 */
-	public function setTokenProvider(IProvider $provider) {
-		$this->tokenProvider = $provider;
-	}
-
-	/**
-	 * @param string $scope
-	 * @param string $method
-	 * @param callable $callback
-	 */
-	public function listen($scope, $method, callable $callback) {
-		$this->manager->listen($scope, $method, $callback);
-	}
-
-	/**
-	 * @param string $scope optional
-	 * @param string $method optional
-	 * @param callable $callback optional
-	 */
-	public function removeListener($scope = null, $method = null, callable $callback = null) {
-		$this->manager->removeListener($scope, $method, $callback);
-	}
-
-	/**
-	 * get the manager object
-	 *
-	 * @return Manager|PublicEmitter
-	 */
-	public function getManager() {
-		return $this->manager;
-	}
-
-	/**
-	 * get the session object
-	 *
-	 * @return ISession
-	 */
-	public function getSession() {
-		return $this->session;
-	}
-
-	/**
-	 * set the session object
-	 *
-	 * @param ISession $session
-	 */
-	public function setSession(ISession $session) {
-		if ($this->session instanceof ISession) {
-			$this->session->close();
-		}
-		$this->session = $session;
-		$this->activeUser = null;
-	}
-
-	/**
-	 * set the currently active user
-	 *
-	 * @param IUser|null $user
-	 */
-	public function setUser($user) {
-		if (is_null($user)) {
-			$this->session->remove('user_id');
-		} else {
-			$this->session->set('user_id', $user->getUID());
-		}
-		$this->activeUser = $user;
-	}
-
-	/**
-	 * get the current active user
-	 *
-	 * @return IUser|null Current user, otherwise null
-	 */
-	public function getUser() {
-		// FIXME: This is a quick'n dirty work-around for the incognito mode as
-		// described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
-		if (OC_User::isIncognitoMode()) {
-			return null;
-		}
-		if (is_null($this->activeUser)) {
-			$uid = $this->session->get('user_id');
-			if (is_null($uid)) {
-				return null;
-			}
-			$this->activeUser = $this->manager->get($uid);
-			if (is_null($this->activeUser)) {
-				return null;
-			}
-			$this->validateSession();
-		}
-		return $this->activeUser;
-	}
-
-	/**
-	 * Validate whether the current session is valid
-	 *
-	 * - For token-authenticated clients, the token validity is checked
-	 * - For browsers, the session token validity is checked
-	 */
-	protected function validateSession() {
-		$token = null;
-		$appPassword = $this->session->get('app_password');
-
-		if (is_null($appPassword)) {
-			try {
-				$token = $this->session->getId();
-			} catch (SessionNotAvailableException $ex) {
-				return;
-			}
-		} else {
-			$token = $appPassword;
-		}
-
-		if (!$this->validateToken($token)) {
-			// Session was invalidated
-			$this->logout();
-		}
-	}
-
-	/**
-	 * Checks whether the user is logged in
-	 *
-	 * @return bool if logged in
-	 */
-	public function isLoggedIn() {
-		$user = $this->getUser();
-		if (is_null($user)) {
-			return false;
-		}
-
-		return $user->isEnabled();
-	}
-
-	/**
-	 * set the login name
-	 *
-	 * @param string|null $loginName for the logged in user
-	 */
-	public function setLoginName($loginName) {
-		if (is_null($loginName)) {
-			$this->session->remove('loginname');
-		} else {
-			$this->session->set('loginname', $loginName);
-		}
-	}
-
-	/**
-	 * get the login name of the current user
-	 *
-	 * @return string
-	 */
-	public function getLoginName() {
-		if ($this->activeUser) {
-			return $this->session->get('loginname');
-		}
-
-		$uid = $this->session->get('user_id');
-		if ($uid) {
-			$this->activeUser = $this->manager->get($uid);
-			return $this->session->get('loginname');
-		}
-
-		return null;
-	}
-
-	/**
-	 * @return null|string
-	 */
-	public function getImpersonatingUserID(): ?string {
-		return $this->session->get('oldUserId');
-	}
-
-	public function setImpersonatingUserID(bool $useCurrentUser = true): void {
-		if ($useCurrentUser === false) {
-			$this->session->remove('oldUserId');
-			return;
-		}
-
-		$currentUser = $this->getUser();
-
-		if ($currentUser === null) {
-			throw new \OC\User\NoUserException();
-		}
-		$this->session->set('oldUserId', $currentUser->getUID());
-	}
-	/**
-	 * set the token id
-	 *
-	 * @param int|null $token that was used to log in
-	 */
-	protected function setToken($token) {
-		if ($token === null) {
-			$this->session->remove('token-id');
-		} else {
-			$this->session->set('token-id', $token);
-		}
-	}
-
-	/**
-	 * try to log in with the provided credentials
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 * @return boolean|null
-	 * @throws LoginException
-	 */
-	public function login($uid, $password) {
-		$this->session->regenerateId();
-		if ($this->validateToken($password, $uid)) {
-			return $this->loginWithToken($password);
-		}
-		return $this->loginWithPassword($uid, $password);
-	}
-
-	/**
-	 * @param IUser $user
-	 * @param array $loginDetails
-	 * @param bool $regenerateSessionId
-	 * @return true returns true if login successful or an exception otherwise
-	 * @throws LoginException
-	 */
-	public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) {
-		if (!$user->isEnabled()) {
-			// disabled users can not log in
-			// injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
-			$message = \OC::$server->getL10N('lib')->t('User disabled');
-			throw new LoginException($message);
-		}
-
-		if ($regenerateSessionId) {
-			$this->session->regenerateId();
-		}
-
-		$this->setUser($user);
-		$this->setLoginName($loginDetails['loginName']);
-
-		$isToken = isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken;
-		if ($isToken) {
-			$this->setToken($loginDetails['token']->getId());
-			$this->lockdownManager->setToken($loginDetails['token']);
-			$firstTimeLogin = false;
-		} else {
-			$this->setToken(null);
-			$firstTimeLogin = $user->updateLastLoginTimestamp();
-		}
-
-		$this->dispatcher->dispatchTyped(new PostLoginEvent(
-			$user,
-			$loginDetails['password'],
-			$isToken
-		));
-		$this->manager->emit('\OC\User', 'postLogin', [
-			$user,
-			$loginDetails['password'],
-			$isToken,
-		]);
-		if ($this->isLoggedIn()) {
-			$this->prepareUserLogin($firstTimeLogin, $regenerateSessionId);
-			return true;
-		}
-
-		$message = \OC::$server->getL10N('lib')->t('Login canceled by app');
-		throw new LoginException($message);
-	}
-
-	/**
-	 * Tries to log in a client
-	 *
-	 * Checks token auth enforced
-	 * Checks 2FA enabled
-	 *
-	 * @param string $user
-	 * @param string $password
-	 * @param IRequest $request
-	 * @param OC\Security\Bruteforce\Throttler $throttler
-	 * @throws LoginException
-	 * @throws PasswordLoginForbiddenException
-	 * @return boolean
-	 */
-	public function logClientIn($user,
-								$password,
-								IRequest $request,
-								OC\Security\Bruteforce\Throttler $throttler) {
-		$currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');
-
-		if ($this->manager instanceof PublicEmitter) {
-			$this->manager->emit('\OC\User', 'preLogin', [$user, $password]);
-		}
-
-		try {
-			$isTokenPassword = $this->isTokenPassword($password);
-		} catch (ExpiredTokenException $e) {
-			// Just return on an expired token no need to check further or record a failed login
-			return false;
-		}
-
-		if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
-			throw new PasswordLoginForbiddenException();
-		}
-		if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
-			throw new PasswordLoginForbiddenException();
-		}
-
-		// Try to login with this username and password
-		if (!$this->login($user, $password)) {
-
-			// Failed, maybe the user used their email address
-			$users = $this->manager->getByEmail($user);
-			if (!(\count($users) === 1 && $this->login($users[0]->getUID(), $password))) {
-				$this->logger->warning('Login failed: \'' . $user . '\' (Remote IP: \'' . \OC::$server->getRequest()->getRemoteAddress() . '\')', ['app' => 'core']);
-
-				$throttler->registerAttempt('login', $request->getRemoteAddress(), ['user' => $user]);
-
-				$this->dispatcher->dispatchTyped(new OC\Authentication\Events\LoginFailed($user));
-
-				if ($currentDelay === 0) {
-					$throttler->sleepDelay($request->getRemoteAddress(), 'login');
-				}
-				return false;
-			}
-		}
-
-		if ($isTokenPassword) {
-			$this->session->set('app_password', $password);
-		} elseif ($this->supportsCookies($request)) {
-			// Password login, but cookies supported -> create (browser) session token
-			$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
-		}
-
-		return true;
-	}
-
-	protected function supportsCookies(IRequest $request) {
-		if (!is_null($request->getCookie('cookie_test'))) {
-			return true;
-		}
-		setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
-		return false;
-	}
-
-	private function isTokenAuthEnforced() {
-		return $this->config->getSystemValue('token_auth_enforced', false);
-	}
-
-	protected function isTwoFactorEnforced($username) {
-		Util::emitHook(
-			'\OCA\Files_Sharing\API\Server2Server',
-			'preLoginNameUsedAsUserName',
-			['uid' => &$username]
-		);
-		$user = $this->manager->get($username);
-		if (is_null($user)) {
-			$users = $this->manager->getByEmail($username);
-			if (empty($users)) {
-				return false;
-			}
-			if (count($users) !== 1) {
-				return true;
-			}
-			$user = $users[0];
-		}
-		// DI not possible due to cyclic dependencies :'-/
-		return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
-	}
-
-	/**
-	 * Check if the given 'password' is actually a device token
-	 *
-	 * @param string $password
-	 * @return boolean
-	 * @throws ExpiredTokenException
-	 */
-	public function isTokenPassword($password) {
-		try {
-			$this->tokenProvider->getToken($password);
-			return true;
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $ex) {
-			$this->logger->logException($ex, [
-				'level' => ILogger::DEBUG,
-				'message' => 'Token is not valid: ' . $ex->getMessage(),
-			]);
-			return false;
-		}
-	}
-
-	protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) {
-		if ($refreshCsrfToken) {
-			// TODO: mock/inject/use non-static
-			// Refresh the token
-			\OC::$server->getCsrfTokenManager()->refreshToken();
-		}
-
-		//we need to pass the user name, which may differ from login name
-		$user = $this->getUser()->getUID();
-		OC_Util::setupFS($user);
-
-		if ($firstTimeLogin) {
-			// TODO: lock necessary?
-			//trigger creation of user home and /files folder
-			$userFolder = \OC::$server->getUserFolder($user);
-
-			try {
-				// copy skeleton
-				\OC_Util::copySkeleton($user, $userFolder);
-			} catch (NotPermittedException $ex) {
-				// read only uses
-			}
-
-			// trigger any other initialization
-			\OC::$server->getEventDispatcher()->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
-		}
-	}
-
-	/**
-	 * Tries to login the user with HTTP Basic Authentication
-	 *
-	 * @todo do not allow basic auth if the user is 2FA enforced
-	 * @param IRequest $request
-	 * @param OC\Security\Bruteforce\Throttler $throttler
-	 * @return boolean if the login was successful
-	 */
-	public function tryBasicAuthLogin(IRequest $request,
-									  OC\Security\Bruteforce\Throttler $throttler) {
-		if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
-			try {
-				if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
-					/**
-					 * Add DAV authenticated. This should in an ideal world not be
-					 * necessary but the iOS App reads cookies from anywhere instead
-					 * only the DAV endpoint.
-					 * This makes sure that the cookies will be valid for the whole scope
-					 * @see https://github.com/owncloud/core/issues/22893
-					 */
-					$this->session->set(
-						Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
-					);
-
-					// Set the last-password-confirm session to make the sudo mode work
-					$this->session->set('last-password-confirm', $this->timeFactory->getTime());
-
-					return true;
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				// Nothing to do
-			}
-		}
-		return false;
-	}
-
-	/**
-	 * Log an user in via login name and password
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 * @return boolean
-	 * @throws LoginException if an app canceld the login process or the user is not enabled
-	 */
-	private function loginWithPassword($uid, $password) {
-		$user = $this->manager->checkPasswordNoLogging($uid, $password);
-		if ($user === false) {
-			// Password check failed
-			return false;
-		}
-
-		return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false);
-	}
-
-	/**
-	 * Log an user in with a given token (id)
-	 *
-	 * @param string $token
-	 * @return boolean
-	 * @throws LoginException if an app canceled the login process or the user is not enabled
-	 */
-	private function loginWithToken($token) {
-		try {
-			$dbToken = $this->tokenProvider->getToken($token);
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-		$uid = $dbToken->getUID();
-
-		// When logging in with token, the password must be decrypted first before passing to login hook
-		$password = '';
-		try {
-			$password = $this->tokenProvider->getPassword($dbToken, $token);
-		} catch (PasswordlessTokenException $ex) {
-			// Ignore and use empty string instead
-		}
-
-		$this->manager->emit('\OC\User', 'preLogin', [$uid, $password]);
-
-		$user = $this->manager->get($uid);
-		if (is_null($user)) {
-			// user does not exist
-			return false;
-		}
-
-		return $this->completeLogin(
-			$user,
-			[
-				'loginName' => $dbToken->getLoginName(),
-				'password' => $password,
-				'token' => $dbToken
-			],
-			false);
-	}
-
-	/**
-	 * Create a new session token for the given user credentials
-	 *
-	 * @param IRequest $request
-	 * @param string $uid user UID
-	 * @param string $loginName login name
-	 * @param string $password
-	 * @param int $remember
-	 * @return boolean
-	 */
-	public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {
-		if (is_null($this->manager->get($uid))) {
-			// User does not exist
-			return false;
-		}
-		$name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
-		try {
-			$sessionId = $this->session->getId();
-			$pwd = $this->getPassword($password);
-			// Make sure the current sessionId has no leftover tokens
-			$this->tokenProvider->invalidateToken($sessionId);
-			$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
-			return true;
-		} catch (SessionNotAvailableException $ex) {
-			// This can happen with OCC, where a memory session is used
-			// if a memory session is used, we shouldn't create a session token anyway
-			return false;
-		}
-	}
-
-	/**
-	 * Checks if the given password is a token.
-	 * If yes, the password is extracted from the token.
-	 * If no, the same password is returned.
-	 *
-	 * @param string $password either the login password or a device token
-	 * @return string|null the password or null if none was set in the token
-	 */
-	private function getPassword($password) {
-		if (is_null($password)) {
-			// This is surely no token ;-)
-			return null;
-		}
-		try {
-			$token = $this->tokenProvider->getToken($password);
-			try {
-				return $this->tokenProvider->getPassword($token, $password);
-			} catch (PasswordlessTokenException $ex) {
-				return null;
-			}
-		} catch (InvalidTokenException $ex) {
-			return $password;
-		}
-	}
-
-	/**
-	 * @param IToken $dbToken
-	 * @param string $token
-	 * @return boolean
-	 */
-	private function checkTokenCredentials(IToken $dbToken, $token) {
-		// Check whether login credentials are still valid and the user was not disabled
-		// This check is performed each 5 minutes
-		$lastCheck = $dbToken->getLastCheck() ? : 0;
-		$now = $this->timeFactory->getTime();
-		if ($lastCheck > ($now - 60 * 5)) {
-			// Checked performed recently, nothing to do now
-			return true;
-		}
-
-		try {
-			$pwd = $this->tokenProvider->getPassword($dbToken, $token);
-		} catch (InvalidTokenException $ex) {
-			// An invalid token password was used -> log user out
-			return false;
-		} catch (PasswordlessTokenException $ex) {
-			// Token has no password
-
-			if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
-				$this->tokenProvider->invalidateToken($token);
-				return false;
-			}
-
-			$dbToken->setLastCheck($now);
-			return true;
-		}
-
-		// Invalidate token if the user is no longer active
-		if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
-			$this->tokenProvider->invalidateToken($token);
-			return false;
-		}
-
-		// If the token password is no longer valid mark it as such
-		if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
-			$this->tokenProvider->markPasswordInvalid($dbToken, $token);
-			// User is logged out
-			return false;
-		}
-
-		$dbToken->setLastCheck($now);
-		return true;
-	}
-
-	/**
-	 * Check if the given token exists and performs password/user-enabled checks
-	 *
-	 * Invalidates the token if checks fail
-	 *
-	 * @param string $token
-	 * @param string $user login name
-	 * @return boolean
-	 */
-	private function validateToken($token, $user = null) {
-		try {
-			$dbToken = $this->tokenProvider->getToken($token);
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-
-		// Check if login names match
-		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
-			// TODO: this makes it imposssible to use different login names on browser and client
-			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
-			//      allow to use the client token with the login name 'user'.
-			return false;
-		}
-
-		if (!$this->checkTokenCredentials($dbToken, $token)) {
-			return false;
-		}
-
-		// Update token scope
-		$this->lockdownManager->setToken($dbToken);
-
-		$this->tokenProvider->updateTokenActivity($dbToken);
-
-		return true;
-	}
-
-	/**
-	 * Tries to login the user with auth token header
-	 *
-	 * @param IRequest $request
-	 * @todo check remember me cookie
-	 * @return boolean
-	 */
-	public function tryTokenLogin(IRequest $request) {
-		$authHeader = $request->getHeader('Authorization');
-		if (strpos($authHeader, 'Bearer ') === false) {
-			// No auth header, let's try session id
-			try {
-				$token = $this->session->getId();
-			} catch (SessionNotAvailableException $ex) {
-				return false;
-			}
-		} else {
-			$token = substr($authHeader, 7);
-		}
-
-		if (!$this->loginWithToken($token)) {
-			return false;
-		}
-		if (!$this->validateToken($token)) {
-			return false;
-		}
-
-		// Set the session variable so we know this is an app password
-		$this->session->set('app_password', $token);
-
-		return true;
-	}
-
-	/**
-	 * perform login using the magic cookie (remember login)
-	 *
-	 * @param string $uid the username
-	 * @param string $currentToken
-	 * @param string $oldSessionId
-	 * @return bool
-	 */
-	public function loginWithCookie($uid, $currentToken, $oldSessionId) {
-		$this->session->regenerateId();
-		$this->manager->emit('\OC\User', 'preRememberedLogin', [$uid]);
-		$user = $this->manager->get($uid);
-		if (is_null($user)) {
-			// user does not exist
-			return false;
-		}
-
-		// get stored tokens
-		$tokens = $this->config->getUserKeys($uid, 'login_token');
-		// test cookies token against stored tokens
-		if (!in_array($currentToken, $tokens, true)) {
-			return false;
-		}
-		// replace successfully used token with a new one
-		$this->config->deleteUserValue($uid, 'login_token', $currentToken);
-		$newToken = $this->random->generate(32);
-		$this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
-
-		try {
-			$sessionId = $this->session->getId();
-			$token = $this->tokenProvider->renewSessionToken($oldSessionId, $sessionId);
-		} catch (SessionNotAvailableException $ex) {
-			return false;
-		} catch (InvalidTokenException $ex) {
-			\OC::$server->getLogger()->warning('Renewing session token failed', ['app' => 'core']);
-			return false;
-		}
-
-		$this->setMagicInCookie($user->getUID(), $newToken);
-
-		//login
-		$this->setUser($user);
-		$this->setLoginName($token->getLoginName());
-		$this->setToken($token->getId());
-		$this->lockdownManager->setToken($token);
-		$user->updateLastLoginTimestamp();
-		$password = null;
-		try {
-			$password = $this->tokenProvider->getPassword($token, $sessionId);
-		} catch (PasswordlessTokenException $ex) {
-			// Ignore
-		}
-		$this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]);
-		return true;
-	}
-
-	/**
-	 * @param IUser $user
-	 */
-	public function createRememberMeToken(IUser $user) {
-		$token = $this->random->generate(32);
-		$this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
-		$this->setMagicInCookie($user->getUID(), $token);
-	}
-
-	/**
-	 * logout the user from the session
-	 */
-	public function logout() {
-		$user = $this->getUser();
-		$this->manager->emit('\OC\User', 'logout', [$user]);
-		if ($user !== null) {
-			try {
-				$this->tokenProvider->invalidateToken($this->session->getId());
-			} catch (SessionNotAvailableException $ex) {
-			}
-		}
-		$this->setUser(null);
-		$this->setLoginName(null);
-		$this->setToken(null);
-		$this->unsetMagicInCookie();
-		$this->session->clear();
-		$this->manager->emit('\OC\User', 'postLogout', [$user]);
-	}
-
-	/**
-	 * Set cookie value to use in next page load
-	 *
-	 * @param string $username username to be set
-	 * @param string $token
-	 */
-	public function setMagicInCookie($username, $token) {
-		$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
-		$webRoot = \OC::$WEBROOT;
-		if ($webRoot === '') {
-			$webRoot = '/';
-		}
-
-		$maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		\OC\Http\CookieHelper::setCookie(
-			'nc_username',
-			$username,
-			$maxAge,
-			$webRoot,
-			'',
-			$secureCookie,
-			true,
-			\OC\Http\CookieHelper::SAMESITE_LAX
-		);
-		\OC\Http\CookieHelper::setCookie(
-			'nc_token',
-			$token,
-			$maxAge,
-			$webRoot,
-			'',
-			$secureCookie,
-			true,
-			\OC\Http\CookieHelper::SAMESITE_LAX
-		);
-		try {
-			\OC\Http\CookieHelper::setCookie(
-				'nc_session_id',
-				$this->session->getId(),
-				$maxAge,
-				$webRoot,
-				'',
-				$secureCookie,
-				true,
-				\OC\Http\CookieHelper::SAMESITE_LAX
-			);
-		} catch (SessionNotAvailableException $ex) {
-			// ignore
-		}
-	}
-
-	/**
-	 * Remove cookie for "remember username"
-	 */
-	public function unsetMagicInCookie() {
-		//TODO: DI for cookies and IRequest
-		$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
-
-		unset($_COOKIE['nc_username']); //TODO: DI
-		unset($_COOKIE['nc_token']);
-		unset($_COOKIE['nc_session_id']);
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		// old cookies might be stored under /webroot/ instead of /webroot
-		// and Firefox doesn't like it!
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-	}
-
-	/**
-	 * Update password of the browser session token if there is one
-	 *
-	 * @param string $password
-	 */
-	public function updateSessionTokenPassword($password) {
-		try {
-			$sessionId = $this->session->getId();
-			$token = $this->tokenProvider->getToken($sessionId);
-			$this->tokenProvider->setPassword($token, $sessionId, $password);
-		} catch (SessionNotAvailableException $ex) {
-			// Nothing to do
-		} catch (InvalidTokenException $ex) {
-			// Nothing to do
-		}
-	}
-
-	public function updateTokens(string $uid, string $password) {
-		$this->tokenProvider->updatePasswords($uid, $password);
-	}
+    /** @var Manager|PublicEmitter $manager */
+    private $manager;
+
+    /** @var ISession $session */
+    private $session;
+
+    /** @var ITimeFactory */
+    private $timeFactory;
+
+    /** @var IProvider */
+    private $tokenProvider;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var User $activeUser */
+    protected $activeUser;
+
+    /** @var ISecureRandom */
+    private $random;
+
+    /** @var ILockdownManager  */
+    private $lockdownManager;
+
+    /** @var ILogger */
+    private $logger;
+    /** @var IEventDispatcher */
+    private $dispatcher;
+
+    /**
+     * @param Manager $manager
+     * @param ISession $session
+     * @param ITimeFactory $timeFactory
+     * @param IProvider $tokenProvider
+     * @param IConfig $config
+     * @param ISecureRandom $random
+     * @param ILockdownManager $lockdownManager
+     * @param ILogger $logger
+     */
+    public function __construct(Manager $manager,
+                                ISession $session,
+                                ITimeFactory $timeFactory,
+                                $tokenProvider,
+                                IConfig $config,
+                                ISecureRandom $random,
+                                ILockdownManager $lockdownManager,
+                                ILogger $logger,
+                                IEventDispatcher $dispatcher
+    ) {
+        $this->manager = $manager;
+        $this->session = $session;
+        $this->timeFactory = $timeFactory;
+        $this->tokenProvider = $tokenProvider;
+        $this->config = $config;
+        $this->random = $random;
+        $this->lockdownManager = $lockdownManager;
+        $this->logger = $logger;
+        $this->dispatcher = $dispatcher;
+    }
+
+    /**
+     * @param IProvider $provider
+     */
+    public function setTokenProvider(IProvider $provider) {
+        $this->tokenProvider = $provider;
+    }
+
+    /**
+     * @param string $scope
+     * @param string $method
+     * @param callable $callback
+     */
+    public function listen($scope, $method, callable $callback) {
+        $this->manager->listen($scope, $method, $callback);
+    }
+
+    /**
+     * @param string $scope optional
+     * @param string $method optional
+     * @param callable $callback optional
+     */
+    public function removeListener($scope = null, $method = null, callable $callback = null) {
+        $this->manager->removeListener($scope, $method, $callback);
+    }
+
+    /**
+     * get the manager object
+     *
+     * @return Manager|PublicEmitter
+     */
+    public function getManager() {
+        return $this->manager;
+    }
+
+    /**
+     * get the session object
+     *
+     * @return ISession
+     */
+    public function getSession() {
+        return $this->session;
+    }
+
+    /**
+     * set the session object
+     *
+     * @param ISession $session
+     */
+    public function setSession(ISession $session) {
+        if ($this->session instanceof ISession) {
+            $this->session->close();
+        }
+        $this->session = $session;
+        $this->activeUser = null;
+    }
+
+    /**
+     * set the currently active user
+     *
+     * @param IUser|null $user
+     */
+    public function setUser($user) {
+        if (is_null($user)) {
+            $this->session->remove('user_id');
+        } else {
+            $this->session->set('user_id', $user->getUID());
+        }
+        $this->activeUser = $user;
+    }
+
+    /**
+     * get the current active user
+     *
+     * @return IUser|null Current user, otherwise null
+     */
+    public function getUser() {
+        // FIXME: This is a quick'n dirty work-around for the incognito mode as
+        // described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
+        if (OC_User::isIncognitoMode()) {
+            return null;
+        }
+        if (is_null($this->activeUser)) {
+            $uid = $this->session->get('user_id');
+            if (is_null($uid)) {
+                return null;
+            }
+            $this->activeUser = $this->manager->get($uid);
+            if (is_null($this->activeUser)) {
+                return null;
+            }
+            $this->validateSession();
+        }
+        return $this->activeUser;
+    }
+
+    /**
+     * Validate whether the current session is valid
+     *
+     * - For token-authenticated clients, the token validity is checked
+     * - For browsers, the session token validity is checked
+     */
+    protected function validateSession() {
+        $token = null;
+        $appPassword = $this->session->get('app_password');
+
+        if (is_null($appPassword)) {
+            try {
+                $token = $this->session->getId();
+            } catch (SessionNotAvailableException $ex) {
+                return;
+            }
+        } else {
+            $token = $appPassword;
+        }
+
+        if (!$this->validateToken($token)) {
+            // Session was invalidated
+            $this->logout();
+        }
+    }
+
+    /**
+     * Checks whether the user is logged in
+     *
+     * @return bool if logged in
+     */
+    public function isLoggedIn() {
+        $user = $this->getUser();
+        if (is_null($user)) {
+            return false;
+        }
+
+        return $user->isEnabled();
+    }
+
+    /**
+     * set the login name
+     *
+     * @param string|null $loginName for the logged in user
+     */
+    public function setLoginName($loginName) {
+        if (is_null($loginName)) {
+            $this->session->remove('loginname');
+        } else {
+            $this->session->set('loginname', $loginName);
+        }
+    }
+
+    /**
+     * get the login name of the current user
+     *
+     * @return string
+     */
+    public function getLoginName() {
+        if ($this->activeUser) {
+            return $this->session->get('loginname');
+        }
+
+        $uid = $this->session->get('user_id');
+        if ($uid) {
+            $this->activeUser = $this->manager->get($uid);
+            return $this->session->get('loginname');
+        }
+
+        return null;
+    }
+
+    /**
+     * @return null|string
+     */
+    public function getImpersonatingUserID(): ?string {
+        return $this->session->get('oldUserId');
+    }
+
+    public function setImpersonatingUserID(bool $useCurrentUser = true): void {
+        if ($useCurrentUser === false) {
+            $this->session->remove('oldUserId');
+            return;
+        }
+
+        $currentUser = $this->getUser();
+
+        if ($currentUser === null) {
+            throw new \OC\User\NoUserException();
+        }
+        $this->session->set('oldUserId', $currentUser->getUID());
+    }
+    /**
+     * set the token id
+     *
+     * @param int|null $token that was used to log in
+     */
+    protected function setToken($token) {
+        if ($token === null) {
+            $this->session->remove('token-id');
+        } else {
+            $this->session->set('token-id', $token);
+        }
+    }
+
+    /**
+     * try to log in with the provided credentials
+     *
+     * @param string $uid
+     * @param string $password
+     * @return boolean|null
+     * @throws LoginException
+     */
+    public function login($uid, $password) {
+        $this->session->regenerateId();
+        if ($this->validateToken($password, $uid)) {
+            return $this->loginWithToken($password);
+        }
+        return $this->loginWithPassword($uid, $password);
+    }
+
+    /**
+     * @param IUser $user
+     * @param array $loginDetails
+     * @param bool $regenerateSessionId
+     * @return true returns true if login successful or an exception otherwise
+     * @throws LoginException
+     */
+    public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) {
+        if (!$user->isEnabled()) {
+            // disabled users can not log in
+            // injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
+            $message = \OC::$server->getL10N('lib')->t('User disabled');
+            throw new LoginException($message);
+        }
+
+        if ($regenerateSessionId) {
+            $this->session->regenerateId();
+        }
+
+        $this->setUser($user);
+        $this->setLoginName($loginDetails['loginName']);
+
+        $isToken = isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken;
+        if ($isToken) {
+            $this->setToken($loginDetails['token']->getId());
+            $this->lockdownManager->setToken($loginDetails['token']);
+            $firstTimeLogin = false;
+        } else {
+            $this->setToken(null);
+            $firstTimeLogin = $user->updateLastLoginTimestamp();
+        }
+
+        $this->dispatcher->dispatchTyped(new PostLoginEvent(
+            $user,
+            $loginDetails['password'],
+            $isToken
+        ));
+        $this->manager->emit('\OC\User', 'postLogin', [
+            $user,
+            $loginDetails['password'],
+            $isToken,
+        ]);
+        if ($this->isLoggedIn()) {
+            $this->prepareUserLogin($firstTimeLogin, $regenerateSessionId);
+            return true;
+        }
+
+        $message = \OC::$server->getL10N('lib')->t('Login canceled by app');
+        throw new LoginException($message);
+    }
+
+    /**
+     * Tries to log in a client
+     *
+     * Checks token auth enforced
+     * Checks 2FA enabled
+     *
+     * @param string $user
+     * @param string $password
+     * @param IRequest $request
+     * @param OC\Security\Bruteforce\Throttler $throttler
+     * @throws LoginException
+     * @throws PasswordLoginForbiddenException
+     * @return boolean
+     */
+    public function logClientIn($user,
+                                $password,
+                                IRequest $request,
+                                OC\Security\Bruteforce\Throttler $throttler) {
+        $currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');
+
+        if ($this->manager instanceof PublicEmitter) {
+            $this->manager->emit('\OC\User', 'preLogin', [$user, $password]);
+        }
+
+        try {
+            $isTokenPassword = $this->isTokenPassword($password);
+        } catch (ExpiredTokenException $e) {
+            // Just return on an expired token no need to check further or record a failed login
+            return false;
+        }
+
+        if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
+            throw new PasswordLoginForbiddenException();
+        }
+        if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
+            throw new PasswordLoginForbiddenException();
+        }
+
+        // Try to login with this username and password
+        if (!$this->login($user, $password)) {
+
+            // Failed, maybe the user used their email address
+            $users = $this->manager->getByEmail($user);
+            if (!(\count($users) === 1 && $this->login($users[0]->getUID(), $password))) {
+                $this->logger->warning('Login failed: \'' . $user . '\' (Remote IP: \'' . \OC::$server->getRequest()->getRemoteAddress() . '\')', ['app' => 'core']);
+
+                $throttler->registerAttempt('login', $request->getRemoteAddress(), ['user' => $user]);
+
+                $this->dispatcher->dispatchTyped(new OC\Authentication\Events\LoginFailed($user));
+
+                if ($currentDelay === 0) {
+                    $throttler->sleepDelay($request->getRemoteAddress(), 'login');
+                }
+                return false;
+            }
+        }
+
+        if ($isTokenPassword) {
+            $this->session->set('app_password', $password);
+        } elseif ($this->supportsCookies($request)) {
+            // Password login, but cookies supported -> create (browser) session token
+            $this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
+        }
+
+        return true;
+    }
+
+    protected function supportsCookies(IRequest $request) {
+        if (!is_null($request->getCookie('cookie_test'))) {
+            return true;
+        }
+        setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
+        return false;
+    }
+
+    private function isTokenAuthEnforced() {
+        return $this->config->getSystemValue('token_auth_enforced', false);
+    }
+
+    protected function isTwoFactorEnforced($username) {
+        Util::emitHook(
+            '\OCA\Files_Sharing\API\Server2Server',
+            'preLoginNameUsedAsUserName',
+            ['uid' => &$username]
+        );
+        $user = $this->manager->get($username);
+        if (is_null($user)) {
+            $users = $this->manager->getByEmail($username);
+            if (empty($users)) {
+                return false;
+            }
+            if (count($users) !== 1) {
+                return true;
+            }
+            $user = $users[0];
+        }
+        // DI not possible due to cyclic dependencies :'-/
+        return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
+    }
+
+    /**
+     * Check if the given 'password' is actually a device token
+     *
+     * @param string $password
+     * @return boolean
+     * @throws ExpiredTokenException
+     */
+    public function isTokenPassword($password) {
+        try {
+            $this->tokenProvider->getToken($password);
+            return true;
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $ex) {
+            $this->logger->logException($ex, [
+                'level' => ILogger::DEBUG,
+                'message' => 'Token is not valid: ' . $ex->getMessage(),
+            ]);
+            return false;
+        }
+    }
+
+    protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) {
+        if ($refreshCsrfToken) {
+            // TODO: mock/inject/use non-static
+            // Refresh the token
+            \OC::$server->getCsrfTokenManager()->refreshToken();
+        }
+
+        //we need to pass the user name, which may differ from login name
+        $user = $this->getUser()->getUID();
+        OC_Util::setupFS($user);
+
+        if ($firstTimeLogin) {
+            // TODO: lock necessary?
+            //trigger creation of user home and /files folder
+            $userFolder = \OC::$server->getUserFolder($user);
+
+            try {
+                // copy skeleton
+                \OC_Util::copySkeleton($user, $userFolder);
+            } catch (NotPermittedException $ex) {
+                // read only uses
+            }
+
+            // trigger any other initialization
+            \OC::$server->getEventDispatcher()->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
+        }
+    }
+
+    /**
+     * Tries to login the user with HTTP Basic Authentication
+     *
+     * @todo do not allow basic auth if the user is 2FA enforced
+     * @param IRequest $request
+     * @param OC\Security\Bruteforce\Throttler $throttler
+     * @return boolean if the login was successful
+     */
+    public function tryBasicAuthLogin(IRequest $request,
+                                        OC\Security\Bruteforce\Throttler $throttler) {
+        if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
+            try {
+                if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
+                    /**
+                     * Add DAV authenticated. This should in an ideal world not be
+                     * necessary but the iOS App reads cookies from anywhere instead
+                     * only the DAV endpoint.
+                     * This makes sure that the cookies will be valid for the whole scope
+                     * @see https://github.com/owncloud/core/issues/22893
+                     */
+                    $this->session->set(
+                        Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
+                    );
+
+                    // Set the last-password-confirm session to make the sudo mode work
+                    $this->session->set('last-password-confirm', $this->timeFactory->getTime());
+
+                    return true;
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                // Nothing to do
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Log an user in via login name and password
+     *
+     * @param string $uid
+     * @param string $password
+     * @return boolean
+     * @throws LoginException if an app canceld the login process or the user is not enabled
+     */
+    private function loginWithPassword($uid, $password) {
+        $user = $this->manager->checkPasswordNoLogging($uid, $password);
+        if ($user === false) {
+            // Password check failed
+            return false;
+        }
+
+        return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false);
+    }
+
+    /**
+     * Log an user in with a given token (id)
+     *
+     * @param string $token
+     * @return boolean
+     * @throws LoginException if an app canceled the login process or the user is not enabled
+     */
+    private function loginWithToken($token) {
+        try {
+            $dbToken = $this->tokenProvider->getToken($token);
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+        $uid = $dbToken->getUID();
+
+        // When logging in with token, the password must be decrypted first before passing to login hook
+        $password = '';
+        try {
+            $password = $this->tokenProvider->getPassword($dbToken, $token);
+        } catch (PasswordlessTokenException $ex) {
+            // Ignore and use empty string instead
+        }
+
+        $this->manager->emit('\OC\User', 'preLogin', [$uid, $password]);
+
+        $user = $this->manager->get($uid);
+        if (is_null($user)) {
+            // user does not exist
+            return false;
+        }
+
+        return $this->completeLogin(
+            $user,
+            [
+                'loginName' => $dbToken->getLoginName(),
+                'password' => $password,
+                'token' => $dbToken
+            ],
+            false);
+    }
+
+    /**
+     * Create a new session token for the given user credentials
+     *
+     * @param IRequest $request
+     * @param string $uid user UID
+     * @param string $loginName login name
+     * @param string $password
+     * @param int $remember
+     * @return boolean
+     */
+    public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {
+        if (is_null($this->manager->get($uid))) {
+            // User does not exist
+            return false;
+        }
+        $name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
+        try {
+            $sessionId = $this->session->getId();
+            $pwd = $this->getPassword($password);
+            // Make sure the current sessionId has no leftover tokens
+            $this->tokenProvider->invalidateToken($sessionId);
+            $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
+            return true;
+        } catch (SessionNotAvailableException $ex) {
+            // This can happen with OCC, where a memory session is used
+            // if a memory session is used, we shouldn't create a session token anyway
+            return false;
+        }
+    }
+
+    /**
+     * Checks if the given password is a token.
+     * If yes, the password is extracted from the token.
+     * If no, the same password is returned.
+     *
+     * @param string $password either the login password or a device token
+     * @return string|null the password or null if none was set in the token
+     */
+    private function getPassword($password) {
+        if (is_null($password)) {
+            // This is surely no token ;-)
+            return null;
+        }
+        try {
+            $token = $this->tokenProvider->getToken($password);
+            try {
+                return $this->tokenProvider->getPassword($token, $password);
+            } catch (PasswordlessTokenException $ex) {
+                return null;
+            }
+        } catch (InvalidTokenException $ex) {
+            return $password;
+        }
+    }
+
+    /**
+     * @param IToken $dbToken
+     * @param string $token
+     * @return boolean
+     */
+    private function checkTokenCredentials(IToken $dbToken, $token) {
+        // Check whether login credentials are still valid and the user was not disabled
+        // This check is performed each 5 minutes
+        $lastCheck = $dbToken->getLastCheck() ? : 0;
+        $now = $this->timeFactory->getTime();
+        if ($lastCheck > ($now - 60 * 5)) {
+            // Checked performed recently, nothing to do now
+            return true;
+        }
+
+        try {
+            $pwd = $this->tokenProvider->getPassword($dbToken, $token);
+        } catch (InvalidTokenException $ex) {
+            // An invalid token password was used -> log user out
+            return false;
+        } catch (PasswordlessTokenException $ex) {
+            // Token has no password
+
+            if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
+                $this->tokenProvider->invalidateToken($token);
+                return false;
+            }
+
+            $dbToken->setLastCheck($now);
+            return true;
+        }
+
+        // Invalidate token if the user is no longer active
+        if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
+            $this->tokenProvider->invalidateToken($token);
+            return false;
+        }
+
+        // If the token password is no longer valid mark it as such
+        if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
+            $this->tokenProvider->markPasswordInvalid($dbToken, $token);
+            // User is logged out
+            return false;
+        }
+
+        $dbToken->setLastCheck($now);
+        return true;
+    }
+
+    /**
+     * Check if the given token exists and performs password/user-enabled checks
+     *
+     * Invalidates the token if checks fail
+     *
+     * @param string $token
+     * @param string $user login name
+     * @return boolean
+     */
+    private function validateToken($token, $user = null) {
+        try {
+            $dbToken = $this->tokenProvider->getToken($token);
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+
+        // Check if login names match
+        if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+            // TODO: this makes it imposssible to use different login names on browser and client
+            // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+            //      allow to use the client token with the login name 'user'.
+            return false;
+        }
+
+        if (!$this->checkTokenCredentials($dbToken, $token)) {
+            return false;
+        }
+
+        // Update token scope
+        $this->lockdownManager->setToken($dbToken);
+
+        $this->tokenProvider->updateTokenActivity($dbToken);
+
+        return true;
+    }
+
+    /**
+     * Tries to login the user with auth token header
+     *
+     * @param IRequest $request
+     * @todo check remember me cookie
+     * @return boolean
+     */
+    public function tryTokenLogin(IRequest $request) {
+        $authHeader = $request->getHeader('Authorization');
+        if (strpos($authHeader, 'Bearer ') === false) {
+            // No auth header, let's try session id
+            try {
+                $token = $this->session->getId();
+            } catch (SessionNotAvailableException $ex) {
+                return false;
+            }
+        } else {
+            $token = substr($authHeader, 7);
+        }
+
+        if (!$this->loginWithToken($token)) {
+            return false;
+        }
+        if (!$this->validateToken($token)) {
+            return false;
+        }
+
+        // Set the session variable so we know this is an app password
+        $this->session->set('app_password', $token);
+
+        return true;
+    }
+
+    /**
+     * perform login using the magic cookie (remember login)
+     *
+     * @param string $uid the username
+     * @param string $currentToken
+     * @param string $oldSessionId
+     * @return bool
+     */
+    public function loginWithCookie($uid, $currentToken, $oldSessionId) {
+        $this->session->regenerateId();
+        $this->manager->emit('\OC\User', 'preRememberedLogin', [$uid]);
+        $user = $this->manager->get($uid);
+        if (is_null($user)) {
+            // user does not exist
+            return false;
+        }
+
+        // get stored tokens
+        $tokens = $this->config->getUserKeys($uid, 'login_token');
+        // test cookies token against stored tokens
+        if (!in_array($currentToken, $tokens, true)) {
+            return false;
+        }
+        // replace successfully used token with a new one
+        $this->config->deleteUserValue($uid, 'login_token', $currentToken);
+        $newToken = $this->random->generate(32);
+        $this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
+
+        try {
+            $sessionId = $this->session->getId();
+            $token = $this->tokenProvider->renewSessionToken($oldSessionId, $sessionId);
+        } catch (SessionNotAvailableException $ex) {
+            return false;
+        } catch (InvalidTokenException $ex) {
+            \OC::$server->getLogger()->warning('Renewing session token failed', ['app' => 'core']);
+            return false;
+        }
+
+        $this->setMagicInCookie($user->getUID(), $newToken);
+
+        //login
+        $this->setUser($user);
+        $this->setLoginName($token->getLoginName());
+        $this->setToken($token->getId());
+        $this->lockdownManager->setToken($token);
+        $user->updateLastLoginTimestamp();
+        $password = null;
+        try {
+            $password = $this->tokenProvider->getPassword($token, $sessionId);
+        } catch (PasswordlessTokenException $ex) {
+            // Ignore
+        }
+        $this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]);
+        return true;
+    }
+
+    /**
+     * @param IUser $user
+     */
+    public function createRememberMeToken(IUser $user) {
+        $token = $this->random->generate(32);
+        $this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
+        $this->setMagicInCookie($user->getUID(), $token);
+    }
+
+    /**
+     * logout the user from the session
+     */
+    public function logout() {
+        $user = $this->getUser();
+        $this->manager->emit('\OC\User', 'logout', [$user]);
+        if ($user !== null) {
+            try {
+                $this->tokenProvider->invalidateToken($this->session->getId());
+            } catch (SessionNotAvailableException $ex) {
+            }
+        }
+        $this->setUser(null);
+        $this->setLoginName(null);
+        $this->setToken(null);
+        $this->unsetMagicInCookie();
+        $this->session->clear();
+        $this->manager->emit('\OC\User', 'postLogout', [$user]);
+    }
+
+    /**
+     * Set cookie value to use in next page load
+     *
+     * @param string $username username to be set
+     * @param string $token
+     */
+    public function setMagicInCookie($username, $token) {
+        $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
+        $webRoot = \OC::$WEBROOT;
+        if ($webRoot === '') {
+            $webRoot = '/';
+        }
+
+        $maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        \OC\Http\CookieHelper::setCookie(
+            'nc_username',
+            $username,
+            $maxAge,
+            $webRoot,
+            '',
+            $secureCookie,
+            true,
+            \OC\Http\CookieHelper::SAMESITE_LAX
+        );
+        \OC\Http\CookieHelper::setCookie(
+            'nc_token',
+            $token,
+            $maxAge,
+            $webRoot,
+            '',
+            $secureCookie,
+            true,
+            \OC\Http\CookieHelper::SAMESITE_LAX
+        );
+        try {
+            \OC\Http\CookieHelper::setCookie(
+                'nc_session_id',
+                $this->session->getId(),
+                $maxAge,
+                $webRoot,
+                '',
+                $secureCookie,
+                true,
+                \OC\Http\CookieHelper::SAMESITE_LAX
+            );
+        } catch (SessionNotAvailableException $ex) {
+            // ignore
+        }
+    }
+
+    /**
+     * Remove cookie for "remember username"
+     */
+    public function unsetMagicInCookie() {
+        //TODO: DI for cookies and IRequest
+        $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
+
+        unset($_COOKIE['nc_username']); //TODO: DI
+        unset($_COOKIE['nc_token']);
+        unset($_COOKIE['nc_session_id']);
+        setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        // old cookies might be stored under /webroot/ instead of /webroot
+        // and Firefox doesn't like it!
+        setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+        setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+        setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+    }
+
+    /**
+     * Update password of the browser session token if there is one
+     *
+     * @param string $password
+     */
+    public function updateSessionTokenPassword($password) {
+        try {
+            $sessionId = $this->session->getId();
+            $token = $this->tokenProvider->getToken($sessionId);
+            $this->tokenProvider->setPassword($token, $sessionId, $password);
+        } catch (SessionNotAvailableException $ex) {
+            // Nothing to do
+        } catch (InvalidTokenException $ex) {
+            // Nothing to do
+        }
+    }
+
+    public function updateTokens(string $uid, string $password) {
+        $this->tokenProvider->updatePasswords($uid, $password);
+    }
 }

Spacing +7 added lines, -7 removed lines

@@ -461,7 +461,7 @@ 
 			// Failed, maybe the user used their email address
 			$users = $this->manager->getByEmail($user);
 			if (!(\count($users) === 1 && $this->login($users[0]->getUID(), $password))) {
-				$this->logger->warning('Login failed: \'' . $user . '\' (Remote IP: \'' . \OC::$server->getRequest()->getRemoteAddress() . '\')', ['app' => 'core']);
+				$this->logger->warning('Login failed: \''.$user.'\' (Remote IP: \''.\OC::$server->getRequest()->getRemoteAddress().'\')', ['app' => 'core']);
 
 				$throttler->registerAttempt('login', $request->getRemoteAddress(), ['user' => $user]);
 
@@ -533,7 +533,7 @@ 
 		} catch (InvalidTokenException $ex) {
 			$this->logger->logException($ex, [
 				'level' => ILogger::DEBUG,
-				'message' => 'Token is not valid: ' . $ex->getMessage(),
+				'message' => 'Token is not valid: '.$ex->getMessage(),
 			]);
 			return false;
 		}
@@ -563,7 +563,7 @@ 
 			}
 
 			// trigger any other initialization
-			\OC::$server->getEventDispatcher()->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
+			\OC::$server->getEventDispatcher()->dispatch(IUser::class.'::firstLogin', new GenericEvent($this->getUser()));
 		}
 	}
 
@@ -725,7 +725,7 @@ 
 	private function checkTokenCredentials(IToken $dbToken, $token) {
 		// Check whether login credentials are still valid and the user was not disabled
 		// This check is performed each 5 minutes
-		$lastCheck = $dbToken->getLastCheck() ? : 0;
+		$lastCheck = $dbToken->getLastCheck() ?: 0;
 		$now = $this->timeFactory->getTime();
 		if ($lastCheck > ($now - 60 * 5)) {
 			// Checked performed recently, nothing to do now
@@ -985,9 +985,9 @@ 
 		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
 		// old cookies might be stored under /webroot/ instead of /webroot
 		// and Firefox doesn't like it!
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT.'/', '', $secureCookie, true);
+		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT.'/', '', $secureCookie, true);
+		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT.'/', '', $secureCookie, true);
 	}
 
 	/**