nextcloud / server

settings/Controller/AuthSettingsController.php

Indentation +163 added lines, -163 removed lines

@@ -42,168 +42,168 @@
 
 class AuthSettingsController extends Controller {
 
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var IUserManager */
-	private $userManager;
-
-	/** @var ISession */
-	private $session;
-
-	/** @var string */
-	private $uid;
-
-	/** @var ISecureRandom */
-	private $random;
-
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IProvider $tokenProvider
-	 * @param IUserManager $userManager
-	 * @param ISession $session
-	 * @param ISecureRandom $random
-	 * @param string $userId
-	 */
-	public function __construct($appName, IRequest $request, IProvider $tokenProvider, IUserManager $userManager,
-		ISession $session, ISecureRandom $random, $userId) {
-		parent::__construct($appName, $request);
-		$this->tokenProvider = $tokenProvider;
-		$this->userManager = $userManager;
-		$this->uid = $userId;
-		$this->session = $session;
-		$this->random = $random;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 *
-	 * @return JSONResponse|array
-	 */
-	public function index() {
-		$tokens = $this->tokenProvider->getTokenByUser($this->uid);
+    /** @var IProvider */
+    private $tokenProvider;
+
+    /** @var IUserManager */
+    private $userManager;
+
+    /** @var ISession */
+    private $session;
+
+    /** @var string */
+    private $uid;
+
+    /** @var ISecureRandom */
+    private $random;
+
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IProvider $tokenProvider
+     * @param IUserManager $userManager
+     * @param ISession $session
+     * @param ISecureRandom $random
+     * @param string $userId
+     */
+    public function __construct($appName, IRequest $request, IProvider $tokenProvider, IUserManager $userManager,
+        ISession $session, ISecureRandom $random, $userId) {
+        parent::__construct($appName, $request);
+        $this->tokenProvider = $tokenProvider;
+        $this->userManager = $userManager;
+        $this->uid = $userId;
+        $this->session = $session;
+        $this->random = $random;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     *
+     * @return JSONResponse|array
+     */
+    public function index() {
+        $tokens = $this->tokenProvider->getTokenByUser($this->uid);
 		
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			return $this->getServiceNotAvailableResponse();
-		}
-		try {
-			$sessionToken = $this->tokenProvider->getToken($sessionId);
-		} catch (InvalidTokenException $ex) {
-			return $this->getServiceNotAvailableResponse();
-		}
-
-		return array_map(function(IToken $token) use ($sessionToken) {
-			$data = $token->jsonSerialize();
-			if ($sessionToken->getId() === $token->getId()) {
-				$data['canDelete'] = false;
-				$data['current'] = true;
-			} else {
-				$data['canDelete'] = true;
-			}
-			return $data;
-		}, $tokens);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $name
-	 * @return JSONResponse
-	 */
-	public function create($name) {
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			return $this->getServiceNotAvailableResponse();
-		}
-
-		try {
-			$sessionToken = $this->tokenProvider->getToken($sessionId);
-			$loginName = $sessionToken->getLoginName();
-			try {
-				$password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
-			} catch (PasswordlessTokenException $ex) {
-				$password = null;
-			}
-		} catch (InvalidTokenException $ex) {
-			return $this->getServiceNotAvailableResponse();
-		}
-
-		$token = $this->generateRandomDeviceToken();
-		$deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
-		$tokenData = $deviceToken->jsonSerialize();
-		$tokenData['canDelete'] = true;
-
-		return new JSONResponse([
-			'token' => $token,
-			'loginName' => $loginName,
-			'deviceToken' => $tokenData,
-		]);
-	}
-
-	/**
-	 * @return JSONResponse
-	 */
-	private function getServiceNotAvailableResponse() {
-		$resp = new JSONResponse();
-		$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-		return $resp;
-	}
-
-	/**
-	 * Return a 25 digit device password
-	 *
-	 * Example: AbCdE-fGhJk-MnPqR-sTwXy-23456
-	 *
-	 * @return string
-	 */
-	private function generateRandomDeviceToken() {
-		$groups = [];
-		for ($i = 0; $i < 5; $i++) {
-			$groups[] = $this->random->generate(5, ISecureRandom::CHAR_HUMAN_READABLE);
-		}
-		return implode('-', $groups);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 *
-	 * @return array
-	 */
-	public function destroy($id) {
-		$this->tokenProvider->invalidateTokenById($this->uid, $id);
-		return [];
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 *
-	 * @param int $id
-	 * @param array $scope
-	 * @return array|JSONResponse
-	 */
-	public function update($id, array $scope) {
-		try {
-			$token = $this->tokenProvider->getTokenById((string)$id);
-			if ($token->getUID() !== $this->uid) {
-				throw new InvalidTokenException('User mismatch');
-			}
-		} catch (InvalidTokenException $e) {
-			return new JSONResponse([], Http::STATUS_NOT_FOUND);
-		}
-
-		$token->setScope([
-			'filesystem' => $scope['filesystem']
-		]);
-		$this->tokenProvider->updateToken($token);
-		return [];
-	}
+        try {
+            $sessionId = $this->session->getId();
+        } catch (SessionNotAvailableException $ex) {
+            return $this->getServiceNotAvailableResponse();
+        }
+        try {
+            $sessionToken = $this->tokenProvider->getToken($sessionId);
+        } catch (InvalidTokenException $ex) {
+            return $this->getServiceNotAvailableResponse();
+        }
+
+        return array_map(function(IToken $token) use ($sessionToken) {
+            $data = $token->jsonSerialize();
+            if ($sessionToken->getId() === $token->getId()) {
+                $data['canDelete'] = false;
+                $data['current'] = true;
+            } else {
+                $data['canDelete'] = true;
+            }
+            return $data;
+        }, $tokens);
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param string $name
+     * @return JSONResponse
+     */
+    public function create($name) {
+        try {
+            $sessionId = $this->session->getId();
+        } catch (SessionNotAvailableException $ex) {
+            return $this->getServiceNotAvailableResponse();
+        }
+
+        try {
+            $sessionToken = $this->tokenProvider->getToken($sessionId);
+            $loginName = $sessionToken->getLoginName();
+            try {
+                $password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
+            } catch (PasswordlessTokenException $ex) {
+                $password = null;
+            }
+        } catch (InvalidTokenException $ex) {
+            return $this->getServiceNotAvailableResponse();
+        }
+
+        $token = $this->generateRandomDeviceToken();
+        $deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
+        $tokenData = $deviceToken->jsonSerialize();
+        $tokenData['canDelete'] = true;
+
+        return new JSONResponse([
+            'token' => $token,
+            'loginName' => $loginName,
+            'deviceToken' => $tokenData,
+        ]);
+    }
+
+    /**
+     * @return JSONResponse
+     */
+    private function getServiceNotAvailableResponse() {
+        $resp = new JSONResponse();
+        $resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
+        return $resp;
+    }
+
+    /**
+     * Return a 25 digit device password
+     *
+     * Example: AbCdE-fGhJk-MnPqR-sTwXy-23456
+     *
+     * @return string
+     */
+    private function generateRandomDeviceToken() {
+        $groups = [];
+        for ($i = 0; $i < 5; $i++) {
+            $groups[] = $this->random->generate(5, ISecureRandom::CHAR_HUMAN_READABLE);
+        }
+        return implode('-', $groups);
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     *
+     * @return array
+     */
+    public function destroy($id) {
+        $this->tokenProvider->invalidateTokenById($this->uid, $id);
+        return [];
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     *
+     * @param int $id
+     * @param array $scope
+     * @return array|JSONResponse
+     */
+    public function update($id, array $scope) {
+        try {
+            $token = $this->tokenProvider->getTokenById((string)$id);
+            if ($token->getUID() !== $this->uid) {
+                throw new InvalidTokenException('User mismatch');
+            }
+        } catch (InvalidTokenException $e) {
+            return new JSONResponse([], Http::STATUS_NOT_FOUND);
+        }
+
+        $token->setScope([
+            'filesystem' => $scope['filesystem']
+        ]);
+        $this->tokenProvider->updateToken($token);
+        return [];
+    }
 }

lib/private/Authentication/Token/IProvider.php

Indentation +124 added lines, -124 removed lines

@@ -32,128 +32,128 @@
 interface IProvider {
 
 
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken;
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken;
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken;
-
-	/**
-	 * Duplicate an existing session token
-	 *
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId);
-
-	/**
-	 * Invalidate (delete) the given session token
-	 *
-	 * @param string $token
-	 */
-	public function invalidateToken(string $token);
-
-	/**
-	 * Invalidate (delete) the given token
-	 *
-	 * @param string $uid
-	 * @param int $id
-	 */
-	public function invalidateTokenById(string $uid, int $id);
-
-	/**
-	 * Invalidate (delete) old session tokens
-	 */
-	public function invalidateOldTokens();
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 */
-	public function updateToken(IToken $token);
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token);
-
-	/**
-	 * Get all tokens of a user
-	 *
-	 * The provider may limit the number of result rows in case of an abuse
-	 * where a high number of (session) tokens is generated
-	 *
-	 * @param string $uid
-	 * @return IToken[]
-	 */
-	public function getTokenByUser(string $uid): array;
-
-	/**
-	 * Get the (unencrypted) password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $token, string $tokenId): string;
-
-	/**
-	 * Encrypt and set the password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @param string $password
-	 * @throws InvalidTokenException
-	 */
-	public function setPassword(IToken $token, string $tokenId, string $password);
-
-	/**
-	 * Rotate the token. Usefull for for example oauth tokens
-	 *
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken;
+
+    /**
+     * Get a token by token id
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken;
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken;
+
+    /**
+     * Duplicate an existing session token
+     *
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId);
+
+    /**
+     * Invalidate (delete) the given session token
+     *
+     * @param string $token
+     */
+    public function invalidateToken(string $token);
+
+    /**
+     * Invalidate (delete) the given token
+     *
+     * @param string $uid
+     * @param int $id
+     */
+    public function invalidateTokenById(string $uid, int $id);
+
+    /**
+     * Invalidate (delete) old session tokens
+     */
+    public function invalidateOldTokens();
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     */
+    public function updateToken(IToken $token);
+
+    /**
+     * Update token activity timestamp
+     *
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token);
+
+    /**
+     * Get all tokens of a user
+     *
+     * The provider may limit the number of result rows in case of an abuse
+     * where a high number of (session) tokens is generated
+     *
+     * @param string $uid
+     * @return IToken[]
+     */
+    public function getTokenByUser(string $uid): array;
+
+    /**
+     * Get the (unencrypted) password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $token, string $tokenId): string;
+
+    /**
+     * Encrypt and set the password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @param string $password
+     * @throws InvalidTokenException
+     */
+    public function setPassword(IToken $token, string $tokenId, string $password);
+
+    /**
+     * Rotate the token. Usefull for for example oauth tokens
+     *
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
 }

core/Migrations/Version14000Date20180518120534.php

Indentation +19 added lines, -19 removed lines

@@ -30,25 +30,25 @@
 
 class Version14000Date20180518120534 extends SimpleMigrationStep {
 
-	public function changeSchema(IOutput $output, \Closure $schemaClosure, array $options) {
-		/** @var ISchemaWrapper $schema */
-		$schema = $schemaClosure();
+    public function changeSchema(IOutput $output, \Closure $schemaClosure, array $options) {
+        /** @var ISchemaWrapper $schema */
+        $schema = $schemaClosure();
 
-		$table = $schema->getTable('authtoken');
-		$table->addColumn('private_key', 'text', [
-			'notnull' => false,
-		]);
-		$table->addColumn('public_key', 'text', [
-			'notnull' => false,
-		]);
-		$table->addColumn('version', 'smallint', [
-			'notnull' => true,
-			'default' => 1,
-			'unsigned' => true,
-		]);
-		$table->addIndex(['uid'], 'authtoken_uid_index');
-		$table->addIndex(['version'], 'authtoken_version_index');
+        $table = $schema->getTable('authtoken');
+        $table->addColumn('private_key', 'text', [
+            'notnull' => false,
+        ]);
+        $table->addColumn('public_key', 'text', [
+            'notnull' => false,
+        ]);
+        $table->addColumn('version', 'smallint', [
+            'notnull' => true,
+            'default' => 1,
+            'unsigned' => true,
+        ]);
+        $table->addIndex(['uid'], 'authtoken_uid_index');
+        $table->addIndex(['version'], 'authtoken_version_index');
 
-		return $schema;
-	}
+        return $schema;
+    }
 }

lib/private/Authentication/Token/DefaultTokenMapper.php

Indentation +131 added lines, -131 removed lines

@@ -36,136 +36,136 @@
 
 class DefaultTokenMapper extends QBMapper {
 
-	public function __construct(IDBConnection $db) {
-		parent::__construct($db, 'authtoken');
-	}
-
-	/**
-	 * Invalidate (delete) a given token
-	 *
-	 * @param string $token
-	 */
-	public function invalidate(string $token) {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->eq('token', $qb->createNamedParameter($token, IQueryBuilder::PARAM_STR)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-	}
-
-	/**
-	 * @param int $olderThan
-	 * @param int $remember
-	 */
-	public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-	}
-
-	/**
-	 * Get the user UID for the given token
-	 *
-	 * @param string $token
-	 * @throws DoesNotExistException
-	 * @return DefaultToken
-	 */
-	public function getToken(string $token): DefaultToken {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version')
-			->from('authtoken')
-			->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-
-		$data = $result->fetch();
-		$result->closeCursor();
-		if ($data === false) {
-			throw new DoesNotExistException('token does not exist');
-		}
-		return DefaultToken::fromRow($data);
-	}
-
-	/**
-	 * Get the token for $id
-	 *
-	 * @param int $id
-	 * @throws DoesNotExistException
-	 * @return DefaultToken
-	 */
-	public function getTokenById(int $id): DefaultToken {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version')
-			->from('authtoken')
-			->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-
-		$data = $result->fetch();
-		$result->closeCursor();
-		if ($data === false) {
-			throw new DoesNotExistException('token does not exist');
-		}
-		return DefaultToken::fromRow($data);
-	}
-
-	/**
-	 * Get all tokens of a user
-	 *
-	 * The provider may limit the number of result rows in case of an abuse
-	 * where a high number of (session) tokens is generated
-	 *
-	 * @param string $uid
-	 * @return DefaultToken[]
-	 */
-	public function getTokenByUser(string $uid): array {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version')
-			->from('authtoken')
-			->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->setMaxResults(1000);
-		$result = $qb->execute();
-		$data = $result->fetchAll();
-		$result->closeCursor();
-
-		$entities = array_map(function ($row) {
-			return DefaultToken::fromRow($row);
-		}, $data);
-
-		return $entities;
-	}
-
-	public function deleteById(string $uid, int $id) {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
-			->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)));
-		$qb->execute();
-	}
-
-	/**
-	 * delete all auth token which belong to a specific client if the client was deleted
-	 *
-	 * @param string $name
-	 */
-	public function deleteByName(string $name) {
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)));
-		$qb->execute();
-	}
+    public function __construct(IDBConnection $db) {
+        parent::__construct($db, 'authtoken');
+    }
+
+    /**
+     * Invalidate (delete) a given token
+     *
+     * @param string $token
+     */
+    public function invalidate(string $token) {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->eq('token', $qb->createNamedParameter($token, IQueryBuilder::PARAM_STR)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+    }
+
+    /**
+     * @param int $olderThan
+     * @param int $remember
+     */
+    public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
+            ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
+            ->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+    }
+
+    /**
+     * Get the user UID for the given token
+     *
+     * @param string $token
+     * @throws DoesNotExistException
+     * @return DefaultToken
+     */
+    public function getToken(string $token): DefaultToken {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version')
+            ->from('authtoken')
+            ->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+
+        $data = $result->fetch();
+        $result->closeCursor();
+        if ($data === false) {
+            throw new DoesNotExistException('token does not exist');
+        }
+        return DefaultToken::fromRow($data);
+    }
+
+    /**
+     * Get the token for $id
+     *
+     * @param int $id
+     * @throws DoesNotExistException
+     * @return DefaultToken
+     */
+    public function getTokenById(int $id): DefaultToken {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version')
+            ->from('authtoken')
+            ->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+
+        $data = $result->fetch();
+        $result->closeCursor();
+        if ($data === false) {
+            throw new DoesNotExistException('token does not exist');
+        }
+        return DefaultToken::fromRow($data);
+    }
+
+    /**
+     * Get all tokens of a user
+     *
+     * The provider may limit the number of result rows in case of an abuse
+     * where a high number of (session) tokens is generated
+     *
+     * @param string $uid
+     * @return DefaultToken[]
+     */
+    public function getTokenByUser(string $uid): array {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version')
+            ->from('authtoken')
+            ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->setMaxResults(1000);
+        $result = $qb->execute();
+        $data = $result->fetchAll();
+        $result->closeCursor();
+
+        $entities = array_map(function ($row) {
+            return DefaultToken::fromRow($row);
+        }, $data);
+
+        return $entities;
+    }
+
+    public function deleteById(string $uid, int $id) {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
+            ->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)));
+        $qb->execute();
+    }
+
+    /**
+     * delete all auth token which belong to a specific client if the client was deleted
+     *
+     * @param string $name
+     */
+    public function deleteByName(string $name) {
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT)));
+        $qb->execute();
+    }
 
 }

lib/private/Authentication/Token/DefaultToken.php

Indentation +160 added lines, -160 removed lines

@@ -41,164 +41,164 @@
  */
 class DefaultToken extends Entity implements IToken {
 
-	const VERSION = 1;
-
-	/** @var string user UID */
-	protected $uid;
-
-	/** @var string login name used for generating the token */
-	protected $loginName;
-
-	/** @var string encrypted user password */
-	protected $password;
-
-	/** @var string token name (e.g. browser/OS) */
-	protected $name;
-
-	/** @var string */
-	protected $token;
-
-	/** @var int */
-	protected $type;
-
-	/** @var int */
-	protected $remember;
-
-	/** @var int */
-	protected $lastActivity;
-
-	/** @var int */
-	protected $lastCheck;
-
-	/** @var string */
-	protected $scope;
-
-	/** @var int */
-	protected $expires;
-
-	/** @var int */
-	protected $version;
-
-	public function __construct() {
-		$this->addType('uid', 'string');
-		$this->addType('loginName', 'string');
-		$this->addType('password', 'string');
-		$this->addType('name', 'string');
-		$this->addType('token', 'string');
-		$this->addType('type', 'int');
-		$this->addType('remember', 'int');
-		$this->addType('lastActivity', 'int');
-		$this->addType('lastCheck', 'int');
-		$this->addType('scope', 'string');
-		$this->addType('expires', 'int');
-		$this->addType('version', 'int');
-	}
-
-	public function getId(): int {
-		return $this->id;
-	}
-
-	public function getUID(): string {
-		return $this->uid;
-	}
-
-	/**
-	 * Get the login name used when generating the token
-	 *
-	 * @return string
-	 */
-	public function getLoginName(): string {
-		return parent::getLoginName();
-	}
-
-	/**
-	 * Get the (encrypted) login password
-	 *
-	 * @return string|null
-	 */
-	public function getPassword() {
-		return parent::getPassword();
-	}
-
-	public function jsonSerialize() {
-		return [
-			'id' => $this->id,
-			'name' => $this->name,
-			'lastActivity' => $this->lastActivity,
-			'type' => $this->type,
-			'scope' => $this->getScopeAsArray()
-		];
-	}
-
-	/**
-	 * Get the timestamp of the last password check
-	 *
-	 * @return int
-	 */
-	public function getLastCheck(): int {
-		return parent::getLastCheck();
-	}
-
-	/**
-	 * Get the timestamp of the last password check
-	 *
-	 * @param int $time
-	 */
-	public function setLastCheck(int $time) {
-		parent::setLastCheck($time);
-	}
-
-	public function getScope(): string {
-		$scope = parent::getScope();
-		if ($scope === null) {
-			return '';
-		}
-
-		return $scope;
-	}
-
-	public function getScopeAsArray(): array {
-		$scope = json_decode($this->getScope(), true);
-		if (!$scope) {
-			return [
-				'filesystem'=> true
-			];
-		}
-		return $scope;
-	}
-
-	public function setScope($scope) {
-		if (\is_array($scope)) {
-			parent::setScope(json_encode($scope));
-		} else {
-			parent::setScope((string)$scope);
-		}
-	}
-
-	public function getName(): string {
-		return parent::getName();
-	}
-
-	public function getRemember(): int {
-		return parent::getRemember();
-	}
-
-	public function setToken(string $token) {
-		parent::setToken($token);
-	}
-
-	public function setPassword(string $password = null) {
-		parent::setPassword($password);
-	}
-
-	public function setExpires($expires) {
-		parent::setExpires($expires);
-	}
-
-	/**
-	 * @return int|null
-	 */
-	public function getExpires() {
-		return parent::getExpires();
-	}
+    const VERSION = 1;
+
+    /** @var string user UID */
+    protected $uid;
+
+    /** @var string login name used for generating the token */
+    protected $loginName;
+
+    /** @var string encrypted user password */
+    protected $password;
+
+    /** @var string token name (e.g. browser/OS) */
+    protected $name;
+
+    /** @var string */
+    protected $token;
+
+    /** @var int */
+    protected $type;
+
+    /** @var int */
+    protected $remember;
+
+    /** @var int */
+    protected $lastActivity;
+
+    /** @var int */
+    protected $lastCheck;
+
+    /** @var string */
+    protected $scope;
+
+    /** @var int */
+    protected $expires;
+
+    /** @var int */
+    protected $version;
+
+    public function __construct() {
+        $this->addType('uid', 'string');
+        $this->addType('loginName', 'string');
+        $this->addType('password', 'string');
+        $this->addType('name', 'string');
+        $this->addType('token', 'string');
+        $this->addType('type', 'int');
+        $this->addType('remember', 'int');
+        $this->addType('lastActivity', 'int');
+        $this->addType('lastCheck', 'int');
+        $this->addType('scope', 'string');
+        $this->addType('expires', 'int');
+        $this->addType('version', 'int');
+    }
+
+    public function getId(): int {
+        return $this->id;
+    }
+
+    public function getUID(): string {
+        return $this->uid;
+    }
+
+    /**
+     * Get the login name used when generating the token
+     *
+     * @return string
+     */
+    public function getLoginName(): string {
+        return parent::getLoginName();
+    }
+
+    /**
+     * Get the (encrypted) login password
+     *
+     * @return string|null
+     */
+    public function getPassword() {
+        return parent::getPassword();
+    }
+
+    public function jsonSerialize() {
+        return [
+            'id' => $this->id,
+            'name' => $this->name,
+            'lastActivity' => $this->lastActivity,
+            'type' => $this->type,
+            'scope' => $this->getScopeAsArray()
+        ];
+    }
+
+    /**
+     * Get the timestamp of the last password check
+     *
+     * @return int
+     */
+    public function getLastCheck(): int {
+        return parent::getLastCheck();
+    }
+
+    /**
+     * Get the timestamp of the last password check
+     *
+     * @param int $time
+     */
+    public function setLastCheck(int $time) {
+        parent::setLastCheck($time);
+    }
+
+    public function getScope(): string {
+        $scope = parent::getScope();
+        if ($scope === null) {
+            return '';
+        }
+
+        return $scope;
+    }
+
+    public function getScopeAsArray(): array {
+        $scope = json_decode($this->getScope(), true);
+        if (!$scope) {
+            return [
+                'filesystem'=> true
+            ];
+        }
+        return $scope;
+    }
+
+    public function setScope($scope) {
+        if (\is_array($scope)) {
+            parent::setScope(json_encode($scope));
+        } else {
+            parent::setScope((string)$scope);
+        }
+    }
+
+    public function getName(): string {
+        return parent::getName();
+    }
+
+    public function getRemember(): int {
+        return parent::getRemember();
+    }
+
+    public function setToken(string $token) {
+        parent::setToken($token);
+    }
+
+    public function setPassword(string $password = null) {
+        parent::setPassword($password);
+    }
+
+    public function setExpires($expires) {
+        parent::setExpires($expires);
+    }
+
+    /**
+     * @return int|null
+     */
+    public function getExpires() {
+        return parent::getExpires();
+    }
 }

lib/private/Authentication/Token/PublicKeyTokenProvider.php

Indentation +285 added lines, -285 removed lines

@@ -33,289 +33,289 @@
 use OCP\Security\ICrypto;
 
 class PublicKeyTokenProvider implements IProvider {
-	/** @var PublicKeyTokenMapper */
-	private $mapper;
-
-	/** @var ICrypto */
-	private $crypto;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var ILogger $logger */
-	private $logger;
-
-	/** @var ITimeFactory $time */
-	private $time;
-
-	public function __construct(PublicKeyTokenMapper $mapper,
-								ICrypto $crypto,
-								IConfig $config,
-								ILogger $logger,
-								ITimeFactory $time) {
-		$this->mapper = $mapper;
-		$this->crypto = $crypto;
-		$this->config = $config;
-		$this->logger = $logger;
-		$this->time = $time;
-	}
-
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
-
-		$this->mapper->insert($dbToken);
-
-		return $dbToken;
-	}
-
-	public function getToken(string $tokenId): IToken {
-		try {
-			$token = $this->mapper->getToken($this->hashToken($tokenId));
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException();
-		}
-
-		if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			$token = $this->mapper->getTokenById($tokenId);
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException();
-		}
-
-		if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	public function renewSessionToken(string $oldSessionId, string $sessionId) {
-		$token = $this->getToken($oldSessionId);
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		$password = null;
-		if (!is_null($token->getPassword())) {
-			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
-			$password = $this->decryptPassword($token->getPassword(), $privateKey);
-		}
-
-		$this->generateToken(
-			$sessionId,
-			$token->getUID(),
-			$token->getLoginName(),
-			$password,
-			$token->getName(),
-			IToken::TEMPORARY_TOKEN,
-			$token->getRemember()
-		);
-
-		$this->mapper->delete($token);
-	}
-
-	public function invalidateToken(string $token) {
-		$this->mapper->invalidate($this->hashToken($token));
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->mapper->deleteById($uid, $id);
-	}
-
-	public function invalidateOldTokens() {
-		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
-		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
-	}
-
-	public function updateToken(IToken $token) {
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-		$this->mapper->update($token);
-	}
-
-	public function updateTokenActivity(IToken $token) {
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-		/** @var DefaultToken $token */
-		$now = $this->time->getTime();
-		if ($token->getLastActivity() < ($now - 60)) {
-			// Update token only once per minute
-			$token->setLastActivity($now);
-			$this->mapper->update($token);
-		}
-	}
-
-	public function getTokenByUser(string $uid): array {
-		return $this->mapper->getTokenByUser($uid);
-	}
-
-	public function getPassword(IToken $token, string $tokenId): string {
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		if ($token->getPassword() === null) {
-			throw new PasswordlessTokenException();
-		}
-
-		// Decrypt private key with tokenId
-		$privateKey = $this->decrypt($token->getPrivateKey(), $tokenId);
-
-		// Decrypt password with private key
-		return $this->decryptPassword($token->getPassword(), $privateKey);
-	}
-
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		// When changing passwords all temp tokens are deleted
-		$this->mapper->deleteTempToken($token);
-
-		// Update the password for all tokens
-		$tokens = $this->mapper->getTokenByUser($token->getUID());
-		foreach ($tokens as $t) {
-			$publicKey = $t->getPublicKey();
-			$t->setPassword($this->encryptPassword($password, $publicKey));
-			$this->updateToken($t);
-		}
-	}
-
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		// Decrypt private key with oldTokenId
-		$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
-		// Encrypt with the new token
-		$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
-
-		$token->setToken($this->hashToken($newTokenId));
-		$this->updateToken($token);
-
-		return $token;
-	}
-
-	private function encrypt(string $plaintext, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($plaintext, $token . $secret);
-	}
-
-	/**
-	 * @throws InvalidTokenException
-	 */
-	private function decrypt(string $cipherText, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		try {
-			return $this->crypto->decrypt($cipherText, $token . $secret);
-		} catch (\Exception $ex) {
-			// Delete the invalid token
-			$this->invalidateToken($token);
-			throw new InvalidTokenException();
-		}
-	}
-
-	private function encryptPassword(string $password, string $publicKey): string {
-		openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
-		$encryptedPassword = base64_encode($encryptedPassword);
-
-		return $encryptedPassword;
-	}
-
-	private function decryptPassword(string $encryptedPassword, string $privateKey): string {
-		$encryptedPassword = base64_decode($encryptedPassword);
-		openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
-
-		return $password;
-	}
-
-	private function hashToken(string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
-	}
-
-	/**
-	 * Convert a DefaultToken to a publicKeyToken
-	 * This will also be updated directly in the Database
-	 */
-	public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
-		$pkToken = $this->newToken(
-			$token,
-			$defaultToken->getUID(),
-			$defaultToken->getLoginName(),
-			$password,
-			$defaultToken->getName(),
-			$defaultToken->getType(),
-			$defaultToken->getRemember()
-		);
-
-		$pkToken->setExpires($defaultToken->getExpires());
-		$pkToken->setId($defaultToken->getId());
-
-		return $this->mapper->update($pkToken);
-	}
-
-	private function newToken(string $token,
-							  string $uid,
-							  string $loginName,
-							  $password,
-							  string $name,
-							  int $type,
-							  int $remember): PublicKeyToken {
-		$dbToken = new PublicKeyToken();
-		$dbToken->setUid($uid);
-		$dbToken->setLoginName($loginName);
-
-		$config = [
-			'digest_alg' => 'sha512',
-			'private_key_bits' => 2048,
-		];
-
-		// Generate new key
-		$res = openssl_pkey_new($config);
-		openssl_pkey_export($res, $privateKey);
-
-		// Extract the public key from $res to $pubKey
-		$publicKey = openssl_pkey_get_details($res);
-		$publicKey = $publicKey['key'];
-
-		$dbToken->setPublicKey($publicKey);
-		$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
-
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
-		}
-
-		$dbToken->setName($name);
-		$dbToken->setToken($this->hashToken($token));
-		$dbToken->setType($type);
-		$dbToken->setRemember($remember);
-		$dbToken->setLastActivity($this->time->getTime());
-		$dbToken->setLastCheck($this->time->getTime());
-		$dbToken->setVersion(PublicKeyToken::VERSION);
-
-		return $dbToken;
-	}
+    /** @var PublicKeyTokenMapper */
+    private $mapper;
+
+    /** @var ICrypto */
+    private $crypto;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var ILogger $logger */
+    private $logger;
+
+    /** @var ITimeFactory $time */
+    private $time;
+
+    public function __construct(PublicKeyTokenMapper $mapper,
+                                ICrypto $crypto,
+                                IConfig $config,
+                                ILogger $logger,
+                                ITimeFactory $time) {
+        $this->mapper = $mapper;
+        $this->crypto = $crypto;
+        $this->config = $config;
+        $this->logger = $logger;
+        $this->time = $time;
+    }
+
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        $dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
+
+        $this->mapper->insert($dbToken);
+
+        return $dbToken;
+    }
+
+    public function getToken(string $tokenId): IToken {
+        try {
+            $token = $this->mapper->getToken($this->hashToken($tokenId));
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException();
+        }
+
+        if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            $token = $this->mapper->getTokenById($tokenId);
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException();
+        }
+
+        if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    public function renewSessionToken(string $oldSessionId, string $sessionId) {
+        $token = $this->getToken($oldSessionId);
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        $password = null;
+        if (!is_null($token->getPassword())) {
+            $privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
+            $password = $this->decryptPassword($token->getPassword(), $privateKey);
+        }
+
+        $this->generateToken(
+            $sessionId,
+            $token->getUID(),
+            $token->getLoginName(),
+            $password,
+            $token->getName(),
+            IToken::TEMPORARY_TOKEN,
+            $token->getRemember()
+        );
+
+        $this->mapper->delete($token);
+    }
+
+    public function invalidateToken(string $token) {
+        $this->mapper->invalidate($this->hashToken($token));
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->mapper->deleteById($uid, $id);
+    }
+
+    public function invalidateOldTokens() {
+        $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+        $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+        $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
+        $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+        $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
+    }
+
+    public function updateToken(IToken $token) {
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+        $this->mapper->update($token);
+    }
+
+    public function updateTokenActivity(IToken $token) {
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+        /** @var DefaultToken $token */
+        $now = $this->time->getTime();
+        if ($token->getLastActivity() < ($now - 60)) {
+            // Update token only once per minute
+            $token->setLastActivity($now);
+            $this->mapper->update($token);
+        }
+    }
+
+    public function getTokenByUser(string $uid): array {
+        return $this->mapper->getTokenByUser($uid);
+    }
+
+    public function getPassword(IToken $token, string $tokenId): string {
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        if ($token->getPassword() === null) {
+            throw new PasswordlessTokenException();
+        }
+
+        // Decrypt private key with tokenId
+        $privateKey = $this->decrypt($token->getPrivateKey(), $tokenId);
+
+        // Decrypt password with private key
+        return $this->decryptPassword($token->getPassword(), $privateKey);
+    }
+
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        // When changing passwords all temp tokens are deleted
+        $this->mapper->deleteTempToken($token);
+
+        // Update the password for all tokens
+        $tokens = $this->mapper->getTokenByUser($token->getUID());
+        foreach ($tokens as $t) {
+            $publicKey = $t->getPublicKey();
+            $t->setPassword($this->encryptPassword($password, $publicKey));
+            $this->updateToken($t);
+        }
+    }
+
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        // Decrypt private key with oldTokenId
+        $privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
+        // Encrypt with the new token
+        $token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
+
+        $token->setToken($this->hashToken($newTokenId));
+        $this->updateToken($token);
+
+        return $token;
+    }
+
+    private function encrypt(string $plaintext, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return $this->crypto->encrypt($plaintext, $token . $secret);
+    }
+
+    /**
+     * @throws InvalidTokenException
+     */
+    private function decrypt(string $cipherText, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        try {
+            return $this->crypto->decrypt($cipherText, $token . $secret);
+        } catch (\Exception $ex) {
+            // Delete the invalid token
+            $this->invalidateToken($token);
+            throw new InvalidTokenException();
+        }
+    }
+
+    private function encryptPassword(string $password, string $publicKey): string {
+        openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
+        $encryptedPassword = base64_encode($encryptedPassword);
+
+        return $encryptedPassword;
+    }
+
+    private function decryptPassword(string $encryptedPassword, string $privateKey): string {
+        $encryptedPassword = base64_decode($encryptedPassword);
+        openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
+
+        return $password;
+    }
+
+    private function hashToken(string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return hash('sha512', $token . $secret);
+    }
+
+    /**
+     * Convert a DefaultToken to a publicKeyToken
+     * This will also be updated directly in the Database
+     */
+    public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
+        $pkToken = $this->newToken(
+            $token,
+            $defaultToken->getUID(),
+            $defaultToken->getLoginName(),
+            $password,
+            $defaultToken->getName(),
+            $defaultToken->getType(),
+            $defaultToken->getRemember()
+        );
+
+        $pkToken->setExpires($defaultToken->getExpires());
+        $pkToken->setId($defaultToken->getId());
+
+        return $this->mapper->update($pkToken);
+    }
+
+    private function newToken(string $token,
+                                string $uid,
+                                string $loginName,
+                                $password,
+                                string $name,
+                                int $type,
+                                int $remember): PublicKeyToken {
+        $dbToken = new PublicKeyToken();
+        $dbToken->setUid($uid);
+        $dbToken->setLoginName($loginName);
+
+        $config = [
+            'digest_alg' => 'sha512',
+            'private_key_bits' => 2048,
+        ];
+
+        // Generate new key
+        $res = openssl_pkey_new($config);
+        openssl_pkey_export($res, $privateKey);
+
+        // Extract the public key from $res to $pubKey
+        $publicKey = openssl_pkey_get_details($res);
+        $publicKey = $publicKey['key'];
+
+        $dbToken->setPublicKey($publicKey);
+        $dbToken->setPrivateKey($this->encrypt($privateKey, $token));
+
+        if (!is_null($password)) {
+            $dbToken->setPassword($this->encryptPassword($password, $publicKey));
+        }
+
+        $dbToken->setName($name);
+        $dbToken->setToken($this->hashToken($token));
+        $dbToken->setType($type);
+        $dbToken->setRemember($remember);
+        $dbToken->setLastActivity($this->time->getTime());
+        $dbToken->setLastCheck($this->time->getTime());
+        $dbToken->setVersion(PublicKeyToken::VERSION);
+
+        return $dbToken;
+    }
 }

lib/private/Authentication/Token/PublicKeyToken.php

Indentation +168 added lines, -168 removed lines

@@ -46,172 +46,172 @@
  */
 class PublicKeyToken extends Entity implements IToken {
 
-	const VERSION = 2;
-
-	/** @var string user UID */
-	protected $uid;
-
-	/** @var string login name used for generating the token */
-	protected $loginName;
-
-	/** @var string encrypted user password */
-	protected $password;
-
-	/** @var string token name (e.g. browser/OS) */
-	protected $name;
-
-	/** @var string */
-	protected $token;
-
-	/** @var int */
-	protected $type;
-
-	/** @var int */
-	protected $remember;
-
-	/** @var int */
-	protected $lastActivity;
-
-	/** @var int */
-	protected $lastCheck;
-
-	/** @var string */
-	protected $scope;
-
-	/** @var int */
-	protected $expires;
-
-	/** @var string */
-	protected $privateKey;
-
-	/** @var string */
-	protected $publicKey;
-
-	/** @var int */
-	protected $version;
-
-	public function __construct() {
-		$this->addType('uid', 'string');
-		$this->addType('loginName', 'string');
-		$this->addType('password', 'string');
-		$this->addType('name', 'string');
-		$this->addType('token', 'string');
-		$this->addType('type', 'int');
-		$this->addType('remember', 'int');
-		$this->addType('lastActivity', 'int');
-		$this->addType('lastCheck', 'int');
-		$this->addType('scope', 'string');
-		$this->addType('expires', 'int');
-		$this->addType('publicKey', 'string');
-		$this->addType('privateKey', 'string');
-		$this->addType('version', 'int');
-	}
-
-	public function getId(): int {
-		return $this->id;
-	}
-
-	public function getUID(): string {
-		return $this->uid;
-	}
-
-	/**
-	 * Get the login name used when generating the token
-	 *
-	 * @return string
-	 */
-	public function getLoginName(): string {
-		return parent::getLoginName();
-	}
-
-	/**
-	 * Get the (encrypted) login password
-	 *
-	 * @return string|null
-	 */
-	public function getPassword() {
-		return parent::getPassword();
-	}
-
-	public function jsonSerialize() {
-		return [
-			'id' => $this->id,
-			'name' => $this->name,
-			'lastActivity' => $this->lastActivity,
-			'type' => $this->type,
-			'scope' => $this->getScopeAsArray()
-		];
-	}
-
-	/**
-	 * Get the timestamp of the last password check
-	 *
-	 * @return int
-	 */
-	public function getLastCheck(): int {
-		return parent::getLastCheck();
-	}
-
-	/**
-	 * Get the timestamp of the last password check
-	 *
-	 * @param int $time
-	 */
-	public function setLastCheck(int $time) {
-		parent::setLastCheck($time);
-	}
-
-	public function getScope(): string {
-		$scope = parent::getScope();
-		if ($scope === null) {
-			return '';
-		}
-
-		return $scope;
-	}
-
-	public function getScopeAsArray(): array {
-		$scope = json_decode($this->getScope(), true);
-		if (!$scope) {
-			return [
-				'filesystem'=> true
-			];
-		}
-		return $scope;
-	}
-
-	public function setScope($scope) {
-		if (is_array($scope)) {
-			parent::setScope(json_encode($scope));
-		} else {
-			parent::setScope((string)$scope);
-		}
-	}
-
-	public function getName(): string {
-		return parent::getName();
-	}
-
-	public function getRemember(): int {
-		return parent::getRemember();
-	}
-
-	public function setToken(string $token) {
-		parent::setToken($token);
-	}
-
-	public function setPassword(string $password = null) {
-		parent::setPassword($password);
-	}
-
-	public function setExpires($expires) {
-		parent::setExpires($expires);
-	}
-
-	/**
-	 * @return int|null
-	 */
-	public function getExpires() {
-		return parent::getExpires();
-	}
+    const VERSION = 2;
+
+    /** @var string user UID */
+    protected $uid;
+
+    /** @var string login name used for generating the token */
+    protected $loginName;
+
+    /** @var string encrypted user password */
+    protected $password;
+
+    /** @var string token name (e.g. browser/OS) */
+    protected $name;
+
+    /** @var string */
+    protected $token;
+
+    /** @var int */
+    protected $type;
+
+    /** @var int */
+    protected $remember;
+
+    /** @var int */
+    protected $lastActivity;
+
+    /** @var int */
+    protected $lastCheck;
+
+    /** @var string */
+    protected $scope;
+
+    /** @var int */
+    protected $expires;
+
+    /** @var string */
+    protected $privateKey;
+
+    /** @var string */
+    protected $publicKey;
+
+    /** @var int */
+    protected $version;
+
+    public function __construct() {
+        $this->addType('uid', 'string');
+        $this->addType('loginName', 'string');
+        $this->addType('password', 'string');
+        $this->addType('name', 'string');
+        $this->addType('token', 'string');
+        $this->addType('type', 'int');
+        $this->addType('remember', 'int');
+        $this->addType('lastActivity', 'int');
+        $this->addType('lastCheck', 'int');
+        $this->addType('scope', 'string');
+        $this->addType('expires', 'int');
+        $this->addType('publicKey', 'string');
+        $this->addType('privateKey', 'string');
+        $this->addType('version', 'int');
+    }
+
+    public function getId(): int {
+        return $this->id;
+    }
+
+    public function getUID(): string {
+        return $this->uid;
+    }
+
+    /**
+     * Get the login name used when generating the token
+     *
+     * @return string
+     */
+    public function getLoginName(): string {
+        return parent::getLoginName();
+    }
+
+    /**
+     * Get the (encrypted) login password
+     *
+     * @return string|null
+     */
+    public function getPassword() {
+        return parent::getPassword();
+    }
+
+    public function jsonSerialize() {
+        return [
+            'id' => $this->id,
+            'name' => $this->name,
+            'lastActivity' => $this->lastActivity,
+            'type' => $this->type,
+            'scope' => $this->getScopeAsArray()
+        ];
+    }
+
+    /**
+     * Get the timestamp of the last password check
+     *
+     * @return int
+     */
+    public function getLastCheck(): int {
+        return parent::getLastCheck();
+    }
+
+    /**
+     * Get the timestamp of the last password check
+     *
+     * @param int $time
+     */
+    public function setLastCheck(int $time) {
+        parent::setLastCheck($time);
+    }
+
+    public function getScope(): string {
+        $scope = parent::getScope();
+        if ($scope === null) {
+            return '';
+        }
+
+        return $scope;
+    }
+
+    public function getScopeAsArray(): array {
+        $scope = json_decode($this->getScope(), true);
+        if (!$scope) {
+            return [
+                'filesystem'=> true
+            ];
+        }
+        return $scope;
+    }
+
+    public function setScope($scope) {
+        if (is_array($scope)) {
+            parent::setScope(json_encode($scope));
+        } else {
+            parent::setScope((string)$scope);
+        }
+    }
+
+    public function getName(): string {
+        return parent::getName();
+    }
+
+    public function getRemember(): int {
+        return parent::getRemember();
+    }
+
+    public function setToken(string $token) {
+        parent::setToken($token);
+    }
+
+    public function setPassword(string $password = null) {
+        parent::setPassword($password);
+    }
+
+    public function setExpires($expires) {
+        parent::setExpires($expires);
+    }
+
+    /**
+     * @return int|null
+     */
+    public function getExpires() {
+        return parent::getExpires();
+    }
 }

lib/private/Authentication/Token/DefaultTokenProvider.php

Indentation +298 added lines, -298 removed lines

@@ -39,303 +39,303 @@
 
 class DefaultTokenProvider implements IProvider {
 
-	/** @var DefaultTokenMapper */
-	private $mapper;
-
-	/** @var ICrypto */
-	private $crypto;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var ILogger $logger */
-	private $logger;
-
-	/** @var ITimeFactory $time */
-	private $time;
-
-	/**
-	 * @param DefaultTokenMapper $mapper
-	 * @param ICrypto $crypto
-	 * @param IConfig $config
-	 * @param ILogger $logger
-	 * @param ITimeFactory $time
-	 */
-	public function __construct(DefaultTokenMapper $mapper,
-								ICrypto $crypto,
-								IConfig $config,
-								ILogger $logger,
-								ITimeFactory $time) {
-		$this->mapper = $mapper;
-		$this->crypto = $crypto;
-		$this->config = $config;
-		$this->logger = $logger;
-		$this->time = $time;
-	}
-
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		$dbToken = new DefaultToken();
-		$dbToken->setUid($uid);
-		$dbToken->setLoginName($loginName);
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $token));
-		}
-		$dbToken->setName($name);
-		$dbToken->setToken($this->hashToken($token));
-		$dbToken->setType($type);
-		$dbToken->setRemember($remember);
-		$dbToken->setLastActivity($this->time->getTime());
-		$dbToken->setLastCheck($this->time->getTime());
-		$dbToken->setVersion(DefaultToken::VERSION);
-
-		$this->mapper->insert($dbToken);
-
-		return $dbToken;
-	}
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 * @throws InvalidTokenException
-	 */
-	public function updateToken(IToken $token) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException();
-		}
-		$this->mapper->update($token);
-	}
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @throws InvalidTokenException
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException();
-		}
-		/** @var DefaultToken $token */
-		$now = $this->time->getTime();
-		if ($token->getLastActivity() < ($now - 60)) {
-			// Update token only once per minute
-			$token->setLastActivity($now);
-			$this->mapper->update($token);
-		}
-	}
-
-	public function getTokenByUser(string $uid): array {
-		return $this->mapper->getTokenByUser($uid);
-	}
-
-	/**
-	 * Get a token by token
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken {
-		try {
-			$token = $this->mapper->getToken($this->hashToken($tokenId));
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException();
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			$token = $this->mapper->getTokenById($tokenId);
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException();
-		}
-
-		if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	/**
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId) {
-		$token = $this->getToken($oldSessionId);
-
-		$newToken = new DefaultToken();
-		$newToken->setUid($token->getUID());
-		$newToken->setLoginName($token->getLoginName());
-		if (!is_null($token->getPassword())) {
-			$password = $this->decryptPassword($token->getPassword(), $oldSessionId);
-			$newToken->setPassword($this->encryptPassword($password, $sessionId));
-		}
-		$newToken->setName($token->getName());
-		$newToken->setToken($this->hashToken($sessionId));
-		$newToken->setType(IToken::TEMPORARY_TOKEN);
-		$newToken->setRemember($token->getRemember());
-		$newToken->setLastActivity($this->time->getTime());
-		$this->mapper->insert($newToken);
-		$this->mapper->delete($token);
-	}
-
-	/**
-	 * @param IToken $savedToken
-	 * @param string $tokenId session token
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string {
-		$password = $savedToken->getPassword();
-		if (is_null($password)) {
-			throw new PasswordlessTokenException();
-		}
-		return $this->decryptPassword($password, $tokenId);
-	}
-
-	/**
-	 * Encrypt and set the password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @param string $password
-	 * @throws InvalidTokenException
-	 */
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException();
-		}
-		/** @var DefaultToken $token */
-		$token->setPassword($this->encryptPassword($password, $tokenId));
-		$this->mapper->update($token);
-	}
-
-	/**
-	 * Invalidate (delete) the given session token
-	 *
-	 * @param string $token
-	 */
-	public function invalidateToken(string $token) {
-		$this->mapper->invalidate($this->hashToken($token));
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->mapper->deleteById($uid, $id);
-	}
-
-	/**
-	 * Invalidate (delete) old session tokens
-	 */
-	public function invalidateOldTokens() {
-		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
-		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
-	}
-
-	/**
-	 * Rotate the token. Usefull for for example oauth tokens
-	 *
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		try {
-			$password = $this->getPassword($token, $oldTokenId);
-			$token->setPassword($this->encryptPassword($password, $newTokenId));
-		} catch (PasswordlessTokenException $e) {
-
-		}
-
-		$token->setToken($this->hashToken($newTokenId));
-		$this->updateToken($token);
-
-		return $token;
-	}
-
-	/**
-	 * @param string $token
-	 * @return string
-	 */
-	private function hashToken(string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
-	}
-
-	/**
-	 * Encrypt the given password
-	 *
-	 * The token is used as key
-	 *
-	 * @param string $password
-	 * @param string $token
-	 * @return string encrypted password
-	 */
-	private function encryptPassword(string $password, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($password, $token . $secret);
-	}
-
-	/**
-	 * Decrypt the given password
-	 *
-	 * The token is used as key
-	 *
-	 * @param string $password
-	 * @param string $token
-	 * @throws InvalidTokenException
-	 * @return string the decrypted key
-	 */
-	private function decryptPassword(string $password, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		try {
-			return $this->crypto->decrypt($password, $token . $secret);
-		} catch (Exception $ex) {
-			// Delete the invalid token
-			$this->invalidateToken($token);
-			throw new InvalidTokenException();
-		}
-	}
+    /** @var DefaultTokenMapper */
+    private $mapper;
+
+    /** @var ICrypto */
+    private $crypto;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var ILogger $logger */
+    private $logger;
+
+    /** @var ITimeFactory $time */
+    private $time;
+
+    /**
+     * @param DefaultTokenMapper $mapper
+     * @param ICrypto $crypto
+     * @param IConfig $config
+     * @param ILogger $logger
+     * @param ITimeFactory $time
+     */
+    public function __construct(DefaultTokenMapper $mapper,
+                                ICrypto $crypto,
+                                IConfig $config,
+                                ILogger $logger,
+                                ITimeFactory $time) {
+        $this->mapper = $mapper;
+        $this->crypto = $crypto;
+        $this->config = $config;
+        $this->logger = $logger;
+        $this->time = $time;
+    }
+
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        $dbToken = new DefaultToken();
+        $dbToken->setUid($uid);
+        $dbToken->setLoginName($loginName);
+        if (!is_null($password)) {
+            $dbToken->setPassword($this->encryptPassword($password, $token));
+        }
+        $dbToken->setName($name);
+        $dbToken->setToken($this->hashToken($token));
+        $dbToken->setType($type);
+        $dbToken->setRemember($remember);
+        $dbToken->setLastActivity($this->time->getTime());
+        $dbToken->setLastCheck($this->time->getTime());
+        $dbToken->setVersion(DefaultToken::VERSION);
+
+        $this->mapper->insert($dbToken);
+
+        return $dbToken;
+    }
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     * @throws InvalidTokenException
+     */
+    public function updateToken(IToken $token) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException();
+        }
+        $this->mapper->update($token);
+    }
+
+    /**
+     * Update token activity timestamp
+     *
+     * @throws InvalidTokenException
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException();
+        }
+        /** @var DefaultToken $token */
+        $now = $this->time->getTime();
+        if ($token->getLastActivity() < ($now - 60)) {
+            // Update token only once per minute
+            $token->setLastActivity($now);
+            $this->mapper->update($token);
+        }
+    }
+
+    public function getTokenByUser(string $uid): array {
+        return $this->mapper->getTokenByUser($uid);
+    }
+
+    /**
+     * Get a token by token
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken {
+        try {
+            $token = $this->mapper->getToken($this->hashToken($tokenId));
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException();
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            $token = $this->mapper->getTokenById($tokenId);
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException();
+        }
+
+        if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    /**
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId) {
+        $token = $this->getToken($oldSessionId);
+
+        $newToken = new DefaultToken();
+        $newToken->setUid($token->getUID());
+        $newToken->setLoginName($token->getLoginName());
+        if (!is_null($token->getPassword())) {
+            $password = $this->decryptPassword($token->getPassword(), $oldSessionId);
+            $newToken->setPassword($this->encryptPassword($password, $sessionId));
+        }
+        $newToken->setName($token->getName());
+        $newToken->setToken($this->hashToken($sessionId));
+        $newToken->setType(IToken::TEMPORARY_TOKEN);
+        $newToken->setRemember($token->getRemember());
+        $newToken->setLastActivity($this->time->getTime());
+        $this->mapper->insert($newToken);
+        $this->mapper->delete($token);
+    }
+
+    /**
+     * @param IToken $savedToken
+     * @param string $tokenId session token
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $savedToken, string $tokenId): string {
+        $password = $savedToken->getPassword();
+        if (is_null($password)) {
+            throw new PasswordlessTokenException();
+        }
+        return $this->decryptPassword($password, $tokenId);
+    }
+
+    /**
+     * Encrypt and set the password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @param string $password
+     * @throws InvalidTokenException
+     */
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException();
+        }
+        /** @var DefaultToken $token */
+        $token->setPassword($this->encryptPassword($password, $tokenId));
+        $this->mapper->update($token);
+    }
+
+    /**
+     * Invalidate (delete) the given session token
+     *
+     * @param string $token
+     */
+    public function invalidateToken(string $token) {
+        $this->mapper->invalidate($this->hashToken($token));
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->mapper->deleteById($uid, $id);
+    }
+
+    /**
+     * Invalidate (delete) old session tokens
+     */
+    public function invalidateOldTokens() {
+        $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+        $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+        $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
+        $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+        $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
+    }
+
+    /**
+     * Rotate the token. Usefull for for example oauth tokens
+     *
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        try {
+            $password = $this->getPassword($token, $oldTokenId);
+            $token->setPassword($this->encryptPassword($password, $newTokenId));
+        } catch (PasswordlessTokenException $e) {
+
+        }
+
+        $token->setToken($this->hashToken($newTokenId));
+        $this->updateToken($token);
+
+        return $token;
+    }
+
+    /**
+     * @param string $token
+     * @return string
+     */
+    private function hashToken(string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return hash('sha512', $token . $secret);
+    }
+
+    /**
+     * Encrypt the given password
+     *
+     * The token is used as key
+     *
+     * @param string $password
+     * @param string $token
+     * @return string encrypted password
+     */
+    private function encryptPassword(string $password, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return $this->crypto->encrypt($password, $token . $secret);
+    }
+
+    /**
+     * Decrypt the given password
+     *
+     * The token is used as key
+     *
+     * @param string $password
+     * @param string $token
+     * @throws InvalidTokenException
+     * @return string the decrypted key
+     */
+    private function decryptPassword(string $password, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        try {
+            return $this->crypto->decrypt($password, $token . $secret);
+        } catch (Exception $ex) {
+            // Delete the invalid token
+            $this->invalidateToken($token);
+            throw new InvalidTokenException();
+        }
+    }
 
 }

lib/private/Authentication/Token/PublicKeyTokenMapper.php

Indentation +138 added lines, -138 removed lines

@@ -31,142 +31,142 @@
 
 class PublicKeyTokenMapper extends QBMapper {
 
-	public function __construct(IDBConnection $db) {
-		parent::__construct($db, 'authtoken');
-	}
-
-	/**
-	 * Invalidate (delete) a given token
-	 *
-	 * @param string $token
-	 */
-	public function invalidate(string $token) {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-	}
-
-	/**
-	 * @param int $olderThan
-	 * @param int $remember
-	 */
-	public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-	}
-
-	/**
-	 * Get the user UID for the given token
-	 *
-	 * @throws DoesNotExistException
-	 */
-	public function getToken(string $token): PublicKeyToken {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('*')
-			->from('authtoken')
-			->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-
-		$data = $result->fetch();
-		$result->closeCursor();
-		if ($data === false) {
-			throw new DoesNotExistException('token does not exist');
-		}
-		return PublicKeyToken::fromRow($data);
-	}
-
-	/**
-	 * Get the token for $id
-	 *
-	 * @throws DoesNotExistException
-	 */
-	public function getTokenById(int $id): PublicKeyToken {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('*')
-			->from('authtoken')
-			->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
-
-		$data = $result->fetch();
-		$result->closeCursor();
-		if ($data === false) {
-			throw new DoesNotExistException('token does not exist');
-		}
-		return PublicKeyToken::fromRow($data);
-	}
-
-	/**
-	 * Get all tokens of a user
-	 *
-	 * The provider may limit the number of result rows in case of an abuse
-	 * where a high number of (session) tokens is generated
-	 *
-	 * @param string $uid
-	 * @return PublicKeyToken[]
-	 */
-	public function getTokenByUser(string $uid): array {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->select('*')
-			->from('authtoken')
-			->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->setMaxResults(1000);
-		$result = $qb->execute();
-		$data = $result->fetchAll();
-		$result->closeCursor();
-
-		$entities = array_map(function ($row) {
-			return PublicKeyToken::fromRow($row);
-		}, $data);
-
-		return $entities;
-	}
-
-	public function deleteById(string $uid, int $id) {
-		/* @var $qb IQueryBuilder */
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
-			->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
-		$qb->execute();
-	}
-
-	/**
-	 * delete all auth token which belong to a specific client if the client was deleted
-	 *
-	 * @param string $name
-	 */
-	public function deleteByName(string $name) {
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete('authtoken')
-			->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
-		$qb->execute();
-	}
-
-	public function deleteTempToken(PublicKeyToken $except) {
-		$qb = $this->db->getQueryBuilder();
-
-		$qb->delete('authtoken')
-			->where($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN)))
-			->andWhere($qb->expr()->neq('id', $qb->createNamedParameter($except->getId())))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
-
-		$qb->execute();
-	}
+    public function __construct(IDBConnection $db) {
+        parent::__construct($db, 'authtoken');
+    }
+
+    /**
+     * Invalidate (delete) a given token
+     *
+     * @param string $token
+     */
+    public function invalidate(string $token) {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+    }
+
+    /**
+     * @param int $olderThan
+     * @param int $remember
+     */
+    public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
+            ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
+            ->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+    }
+
+    /**
+     * Get the user UID for the given token
+     *
+     * @throws DoesNotExistException
+     */
+    public function getToken(string $token): PublicKeyToken {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $result = $qb->select('*')
+            ->from('authtoken')
+            ->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+
+        $data = $result->fetch();
+        $result->closeCursor();
+        if ($data === false) {
+            throw new DoesNotExistException('token does not exist');
+        }
+        return PublicKeyToken::fromRow($data);
+    }
+
+    /**
+     * Get the token for $id
+     *
+     * @throws DoesNotExistException
+     */
+    public function getTokenById(int $id): PublicKeyToken {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $result = $qb->select('*')
+            ->from('authtoken')
+            ->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->execute();
+
+        $data = $result->fetch();
+        $result->closeCursor();
+        if ($data === false) {
+            throw new DoesNotExistException('token does not exist');
+        }
+        return PublicKeyToken::fromRow($data);
+    }
+
+    /**
+     * Get all tokens of a user
+     *
+     * The provider may limit the number of result rows in case of an abuse
+     * where a high number of (session) tokens is generated
+     *
+     * @param string $uid
+     * @return PublicKeyToken[]
+     */
+    public function getTokenByUser(string $uid): array {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->select('*')
+            ->from('authtoken')
+            ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
+            ->setMaxResults(1000);
+        $result = $qb->execute();
+        $data = $result->fetchAll();
+        $result->closeCursor();
+
+        $entities = array_map(function ($row) {
+            return PublicKeyToken::fromRow($row);
+        }, $data);
+
+        return $entities;
+    }
+
+    public function deleteById(string $uid, int $id) {
+        /* @var $qb IQueryBuilder */
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
+            ->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
+        $qb->execute();
+    }
+
+    /**
+     * delete all auth token which belong to a specific client if the client was deleted
+     *
+     * @param string $name
+     */
+    public function deleteByName(string $name) {
+        $qb = $this->db->getQueryBuilder();
+        $qb->delete('authtoken')
+            ->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
+        $qb->execute();
+    }
+
+    public function deleteTempToken(PublicKeyToken $except) {
+        $qb = $this->db->getQueryBuilder();
+
+        $qb->delete('authtoken')
+            ->where($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN)))
+            ->andWhere($qb->expr()->neq('id', $qb->createNamedParameter($except->getId())))
+            ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
+
+        $qb->execute();
+    }
 }