nextcloud / server

core/templates/loginflow/authpicker.php

Spacing +1 added lines, -1 removed lines

@@ -54,6 +54,6 @@
 	</fieldset>
 </div>
 
-<?php if(empty($_['oauthState'])): ?>
+<?php if (empty($_['oauthState'])): ?>
 <a id="app-token-login" class="warning" href="#"><?php p($l->t('Alternative login using app token')) ?></a>
 <?php endif; ?>

apps/oauth2/lib/Db/Client.php

Indentation +15 added lines, -15 removed lines

@@ -34,20 +34,20 @@
  * @method void setName(string $name)
  */
 class Client extends Entity {
-	/** @var string */
-	protected $name;
-	/** @var string */
-	protected $redirectUri;
-	/** @var string */
-	protected $clientIdentifier;
-	/** @var string */
-	protected $secret;
+    /** @var string */
+    protected $name;
+    /** @var string */
+    protected $redirectUri;
+    /** @var string */
+    protected $clientIdentifier;
+    /** @var string */
+    protected $secret;
 
-	public function __construct() {
-		$this->addType('id', 'int');
-		$this->addType('name', 'string');
-		$this->addType('redirect_uri', 'string');
-		$this->addType('client_identifier', 'string');
-		$this->addType('secret', 'string');
-	}
+    public function __construct() {
+        $this->addType('id', 'int');
+        $this->addType('name', 'string');
+        $this->addType('redirect_uri', 'string');
+        $this->addType('client_identifier', 'string');
+        $this->addType('secret', 'string');
+    }
 }

apps/oauth2/lib/Db/AccessToken.php

Indentation +15 added lines, -15 removed lines

@@ -34,20 +34,20 @@
  * @method void setHashedCode(string $token)
  */
 class AccessToken extends Entity {
-	/** @var int */
-	protected $tokenId;
-	/** @var int */
-	protected $clientId;
-	/** @var string */
-	protected $hashedCode;
-	/** @var string */
-	protected $encryptedToken;
+    /** @var int */
+    protected $tokenId;
+    /** @var int */
+    protected $clientId;
+    /** @var string */
+    protected $hashedCode;
+    /** @var string */
+    protected $encryptedToken;
 
-	public function __construct() {
-		$this->addType('id', 'int');
-		$this->addType('token_id', 'int');
-		$this->addType('client_id', 'int');
-		$this->addType('hashed_code', 'string');
-		$this->addType('encrypted_token', 'string');
-	}
+    public function __construct() {
+        $this->addType('id', 'int');
+        $this->addType('token_id', 'int');
+        $this->addType('client_id', 'int');
+        $this->addType('hashed_code', 'string');
+        $this->addType('encrypted_token', 'string');
+    }
 }

apps/oauth2/lib/Settings/Admin.php

Indentation +33 added lines, -33 removed lines

@@ -27,41 +27,41 @@
 use OCP\Settings\ISettings;
 
 class Admin implements ISettings {
-	/** @var ClientMapper */
-	private $clientMapper;
+    /** @var ClientMapper */
+    private $clientMapper;
 
-	/**
-	 * @param ClientMapper $clientMapper
-	 */
-	public function __construct(ClientMapper $clientMapper) {
-		$this->clientMapper = $clientMapper;
-	}
+    /**
+     * @param ClientMapper $clientMapper
+     */
+    public function __construct(ClientMapper $clientMapper) {
+        $this->clientMapper = $clientMapper;
+    }
 
-	/**
-	 * @return TemplateResponse
-	 */
-	public function getForm() {
-		return new TemplateResponse(
-			'oauth2',
-			'admin',
-			[
-				'clients' => $this->clientMapper->getClients(),
-			],
-			''
-		);
-	}
+    /**
+     * @return TemplateResponse
+     */
+    public function getForm() {
+        return new TemplateResponse(
+            'oauth2',
+            'admin',
+            [
+                'clients' => $this->clientMapper->getClients(),
+            ],
+            ''
+        );
+    }
 
-	/**
-	 * {@inheritdoc}
-	 */
-	public function getSection() {
-		return 'security';
-	}
+    /**
+     * {@inheritdoc}
+     */
+    public function getSection() {
+        return 'security';
+    }
 
-	/**
-	 * {@inheritdoc}
-	 */
-	public function getPriority() {
-		return 0;
-	}
+    /**
+     * {@inheritdoc}
+     */
+    public function getPriority() {
+        return 0;
+    }
 }

lib/private/User/Session.php

Indentation +811 added lines, -811 removed lines

@@ -80,817 +80,817 @@
  */
 class Session implements IUserSession, Emitter {
 
-	/** @var IUserManager|PublicEmitter $manager */
-	private $manager;
-
-	/** @var ISession $session */
-	private $session;
-
-	/** @var ITimeFactory */
-	private $timeFactory;
-
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var User $activeUser */
-	protected $activeUser;
-
-	/** @var ISecureRandom */
-	private $random;
-
-	/** @var ILockdownManager  */
-	private $lockdownManager;
-
-	/**
-	 * @param IUserManager $manager
-	 * @param ISession $session
-	 * @param ITimeFactory $timeFactory
-	 * @param IProvider $tokenProvider
-	 * @param IConfig $config
-	 * @param ISecureRandom $random
-	 * @param ILockdownManager $lockdownManager
-	 */
-	public function __construct(IUserManager $manager,
-								ISession $session,
-								ITimeFactory $timeFactory,
-								$tokenProvider,
-								IConfig $config,
-								ISecureRandom $random,
-								ILockdownManager $lockdownManager
-	) {
-		$this->manager = $manager;
-		$this->session = $session;
-		$this->timeFactory = $timeFactory;
-		$this->tokenProvider = $tokenProvider;
-		$this->config = $config;
-		$this->random = $random;
-		$this->lockdownManager = $lockdownManager;
-	}
-
-	/**
-	 * @param IProvider $provider
-	 */
-	public function setTokenProvider(IProvider $provider) {
-		$this->tokenProvider = $provider;
-	}
-
-	/**
-	 * @param string $scope
-	 * @param string $method
-	 * @param callable $callback
-	 */
-	public function listen($scope, $method, callable $callback) {
-		$this->manager->listen($scope, $method, $callback);
-	}
-
-	/**
-	 * @param string $scope optional
-	 * @param string $method optional
-	 * @param callable $callback optional
-	 */
-	public function removeListener($scope = null, $method = null, callable $callback = null) {
-		$this->manager->removeListener($scope, $method, $callback);
-	}
-
-	/**
-	 * get the manager object
-	 *
-	 * @return Manager|PublicEmitter
-	 */
-	public function getManager() {
-		return $this->manager;
-	}
-
-	/**
-	 * get the session object
-	 *
-	 * @return ISession
-	 */
-	public function getSession() {
-		return $this->session;
-	}
-
-	/**
-	 * set the session object
-	 *
-	 * @param ISession $session
-	 */
-	public function setSession(ISession $session) {
-		if ($this->session instanceof ISession) {
-			$this->session->close();
-		}
-		$this->session = $session;
-		$this->activeUser = null;
-	}
-
-	/**
-	 * set the currently active user
-	 *
-	 * @param IUser|null $user
-	 */
-	public function setUser($user) {
-		if (is_null($user)) {
-			$this->session->remove('user_id');
-		} else {
-			$this->session->set('user_id', $user->getUID());
-		}
-		$this->activeUser = $user;
-	}
-
-	/**
-	 * get the current active user
-	 *
-	 * @return IUser|null Current user, otherwise null
-	 */
-	public function getUser() {
-		// FIXME: This is a quick'n dirty work-around for the incognito mode as
-		// described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
-		if (OC_User::isIncognitoMode()) {
-			return null;
-		}
-		if (is_null($this->activeUser)) {
-			$uid = $this->session->get('user_id');
-			if (is_null($uid)) {
-				return null;
-			}
-			$this->activeUser = $this->manager->get($uid);
-			if (is_null($this->activeUser)) {
-				return null;
-			}
-			$this->validateSession();
-		}
-		return $this->activeUser;
-	}
-
-	/**
-	 * Validate whether the current session is valid
-	 *
-	 * - For token-authenticated clients, the token validity is checked
-	 * - For browsers, the session token validity is checked
-	 */
-	protected function validateSession() {
-		$token = null;
-		$appPassword = $this->session->get('app_password');
-
-		if (is_null($appPassword)) {
-			try {
-				$token = $this->session->getId();
-			} catch (SessionNotAvailableException $ex) {
-				return;
-			}
-		} else {
-			$token = $appPassword;
-		}
-
-		if (!$this->validateToken($token)) {
-			// Session was invalidated
-			$this->logout();
-		}
-	}
-
-	/**
-	 * Checks whether the user is logged in
-	 *
-	 * @return bool if logged in
-	 */
-	public function isLoggedIn() {
-		$user = $this->getUser();
-		if (is_null($user)) {
-			return false;
-		}
-
-		return $user->isEnabled();
-	}
-
-	/**
-	 * set the login name
-	 *
-	 * @param string|null $loginName for the logged in user
-	 */
-	public function setLoginName($loginName) {
-		if (is_null($loginName)) {
-			$this->session->remove('loginname');
-		} else {
-			$this->session->set('loginname', $loginName);
-		}
-	}
-
-	/**
-	 * get the login name of the current user
-	 *
-	 * @return string
-	 */
-	public function getLoginName() {
-		if ($this->activeUser) {
-			return $this->session->get('loginname');
-		} else {
-			$uid = $this->session->get('user_id');
-			if ($uid) {
-				$this->activeUser = $this->manager->get($uid);
-				return $this->session->get('loginname');
-			} else {
-				return null;
-			}
-		}
-	}
-
-	/**
-	 * set the token id
-	 *
-	 * @param int|null $token that was used to log in
-	 */
-	protected function setToken($token) {
-		if ($token === null) {
-			$this->session->remove('token-id');
-		} else {
-			$this->session->set('token-id', $token);
-		}
-	}
-
-	/**
-	 * try to log in with the provided credentials
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 * @return boolean|null
-	 * @throws LoginException
-	 */
-	public function login($uid, $password) {
-		$this->session->regenerateId();
-		if ($this->validateToken($password, $uid)) {
-			return $this->loginWithToken($password);
-		}
-		return $this->loginWithPassword($uid, $password);
-	}
-
-	/**
-	 * @param IUser $user
-	 * @param array $loginDetails
-	 * @param bool $regenerateSessionId
-	 * @return true returns true if login successful or an exception otherwise
-	 * @throws LoginException
-	 */
-	public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) {
-		if (!$user->isEnabled()) {
-			// disabled users can not log in
-			// injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
-			$message = \OC::$server->getL10N('lib')->t('User disabled');
-			throw new LoginException($message);
-		}
-
-		if($regenerateSessionId) {
-			$this->session->regenerateId();
-		}
-
-		$this->setUser($user);
-		$this->setLoginName($loginDetails['loginName']);
-
-		if(isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken) {
-			$this->setToken($loginDetails['token']->getId());
-			$this->lockdownManager->setToken($loginDetails['token']);
-			$firstTimeLogin = false;
-		} else {
-			$this->setToken(null);
-			$firstTimeLogin = $user->updateLastLoginTimestamp();
-		}
-		$this->manager->emit('\OC\User', 'postLogin', [$user, $loginDetails['password']]);
-		if($this->isLoggedIn()) {
-			$this->prepareUserLogin($firstTimeLogin);
-			return true;
-		} else {
-			$message = \OC::$server->getL10N('lib')->t('Login canceled by app');
-			throw new LoginException($message);
-		}
-	}
-
-	/**
-	 * Tries to log in a client
-	 *
-	 * Checks token auth enforced
-	 * Checks 2FA enabled
-	 *
-	 * @param string $user
-	 * @param string $password
-	 * @param IRequest $request
-	 * @param OC\Security\Bruteforce\Throttler $throttler
-	 * @throws LoginException
-	 * @throws PasswordLoginForbiddenException
-	 * @return boolean
-	 */
-	public function logClientIn($user,
-								$password,
-								IRequest $request,
-								OC\Security\Bruteforce\Throttler $throttler) {
-		$currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');
-
-		if ($this->manager instanceof PublicEmitter) {
-			$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
-		}
-
-		$isTokenPassword = $this->isTokenPassword($password);
-		if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
-			throw new PasswordLoginForbiddenException();
-		}
-		if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
-			throw new PasswordLoginForbiddenException();
-		}
-		if (!$this->login($user, $password) ) {
-			$users = $this->manager->getByEmail($user);
-			if (count($users) === 1) {
-				return $this->login($users[0]->getUID(), $password);
-			}
-
-			$throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
-			if($currentDelay === 0) {
-				$throttler->sleepDelay($request->getRemoteAddress(), 'login');
-			}
-			return false;
-		}
-
-		if ($isTokenPassword) {
-			$this->session->set('app_password', $password);
-		} else if($this->supportsCookies($request)) {
-			// Password login, but cookies supported -> create (browser) session token
-			$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
-		}
-
-		return true;
-	}
-
-	protected function supportsCookies(IRequest $request) {
-		if (!is_null($request->getCookie('cookie_test'))) {
-			return true;
-		}
-		setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
-		return false;
-	}
-
-	private function isTokenAuthEnforced() {
-		return $this->config->getSystemValue('token_auth_enforced', false);
-	}
-
-	protected function isTwoFactorEnforced($username) {
-		Util::emitHook(
-			'\OCA\Files_Sharing\API\Server2Server',
-			'preLoginNameUsedAsUserName',
-			array('uid' => &$username)
-		);
-		$user = $this->manager->get($username);
-		if (is_null($user)) {
-			$users = $this->manager->getByEmail($username);
-			if (empty($users)) {
-				return false;
-			}
-			if (count($users) !== 1) {
-				return true;
-			}
-			$user = $users[0];
-		}
-		// DI not possible due to cyclic dependencies :'-/
-		return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
-	}
-
-	/**
-	 * Check if the given 'password' is actually a device token
-	 *
-	 * @param string $password
-	 * @return boolean
-	 */
-	public function isTokenPassword($password) {
-		try {
-			$this->tokenProvider->getToken($password);
-			return true;
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-	}
-
-	protected function prepareUserLogin($firstTimeLogin) {
-		// TODO: mock/inject/use non-static
-		// Refresh the token
-		\OC::$server->getCsrfTokenManager()->refreshToken();
-		//we need to pass the user name, which may differ from login name
-		$user = $this->getUser()->getUID();
-		OC_Util::setupFS($user);
-
-		if ($firstTimeLogin) {
-			// TODO: lock necessary?
-			//trigger creation of user home and /files folder
-			$userFolder = \OC::$server->getUserFolder($user);
-
-			try {
-				// copy skeleton
-				\OC_Util::copySkeleton($user, $userFolder);
-			} catch (NotPermittedException $ex) {
-				// read only uses
-			}
-
-			// trigger any other initialization
-			\OC::$server->getEventDispatcher()->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
-		}
-	}
-
-	/**
-	 * Tries to login the user with HTTP Basic Authentication
-	 *
-	 * @todo do not allow basic auth if the user is 2FA enforced
-	 * @param IRequest $request
-	 * @param OC\Security\Bruteforce\Throttler $throttler
-	 * @return boolean if the login was successful
-	 */
-	public function tryBasicAuthLogin(IRequest $request,
-									  OC\Security\Bruteforce\Throttler $throttler) {
-		if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
-			try {
-				if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
-					/**
-					 * Add DAV authenticated. This should in an ideal world not be
-					 * necessary but the iOS App reads cookies from anywhere instead
-					 * only the DAV endpoint.
-					 * This makes sure that the cookies will be valid for the whole scope
-					 * @see https://github.com/owncloud/core/issues/22893
-					 */
-					$this->session->set(
-						Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
-					);
-
-					// Set the last-password-confirm session to make the sudo mode work
-					 $this->session->set('last-password-confirm', $this->timeFactory->getTime());
-
-					return true;
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				// Nothing to do
-			}
-		}
-		return false;
-	}
-
-	/**
-	 * Log an user in via login name and password
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 * @return boolean
-	 * @throws LoginException if an app canceld the login process or the user is not enabled
-	 */
-	private function loginWithPassword($uid, $password) {
-		$user = $this->manager->checkPassword($uid, $password);
-		if ($user === false) {
-			// Password check failed
-			return false;
-		}
-
-		return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false);
-	}
-
-	/**
-	 * Log an user in with a given token (id)
-	 *
-	 * @param string $token
-	 * @return boolean
-	 * @throws LoginException if an app canceled the login process or the user is not enabled
-	 */
-	private function loginWithToken($token) {
-		try {
-			$dbToken = $this->tokenProvider->getToken($token);
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-		$uid = $dbToken->getUID();
-
-		// When logging in with token, the password must be decrypted first before passing to login hook
-		$password = '';
-		try {
-			$password = $this->tokenProvider->getPassword($dbToken, $token);
-		} catch (PasswordlessTokenException $ex) {
-			// Ignore and use empty string instead
-		}
-
-		$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
-
-		$user = $this->manager->get($uid);
-		if (is_null($user)) {
-			// user does not exist
-			return false;
-		}
-
-		return $this->completeLogin(
-			$user,
-			[
-				'loginName' => $dbToken->getLoginName(),
-				'password' => $password,
-				'token' => $dbToken
-			],
-			false);
-	}
-
-	/**
-	 * Create a new session token for the given user credentials
-	 *
-	 * @param IRequest $request
-	 * @param string $uid user UID
-	 * @param string $loginName login name
-	 * @param string $password
-	 * @param int $remember
-	 * @return boolean
-	 */
-	public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {
-		if (is_null($this->manager->get($uid))) {
-			// User does not exist
-			return false;
-		}
-		$name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
-		try {
-			$sessionId = $this->session->getId();
-			$pwd = $this->getPassword($password);
-			$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
-			return true;
-		} catch (SessionNotAvailableException $ex) {
-			// This can happen with OCC, where a memory session is used
-			// if a memory session is used, we shouldn't create a session token anyway
-			return false;
-		}
-	}
-
-	/**
-	 * Checks if the given password is a token.
-	 * If yes, the password is extracted from the token.
-	 * If no, the same password is returned.
-	 *
-	 * @param string $password either the login password or a device token
-	 * @return string|null the password or null if none was set in the token
-	 */
-	private function getPassword($password) {
-		if (is_null($password)) {
-			// This is surely no token ;-)
-			return null;
-		}
-		try {
-			$token = $this->tokenProvider->getToken($password);
-			try {
-				return $this->tokenProvider->getPassword($token, $password);
-			} catch (PasswordlessTokenException $ex) {
-				return null;
-			}
-		} catch (InvalidTokenException $ex) {
-			return $password;
-		}
-	}
-
-	/**
-	 * @param IToken $dbToken
-	 * @param string $token
-	 * @return boolean
-	 */
-	private function checkTokenCredentials(IToken $dbToken, $token) {
-		// Check whether login credentials are still valid and the user was not disabled
-		// This check is performed each 5 minutes
-		$lastCheck = $dbToken->getLastCheck() ? : 0;
-		$now = $this->timeFactory->getTime();
-		if ($lastCheck > ($now - 60 * 5)) {
-			// Checked performed recently, nothing to do now
-			return true;
-		}
-
-		try {
-			$pwd = $this->tokenProvider->getPassword($dbToken, $token);
-		} catch (InvalidTokenException $ex) {
-			// An invalid token password was used -> log user out
-			return false;
-		} catch (PasswordlessTokenException $ex) {
-			// Token has no password
-
-			if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
-				$this->tokenProvider->invalidateToken($token);
-				return false;
-			}
-
-			$dbToken->setLastCheck($now);
-			return true;
-		}
-
-		if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false
-			|| (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) {
-			$this->tokenProvider->invalidateToken($token);
-			// Password has changed or user was disabled -> log user out
-			return false;
-		}
-		$dbToken->setLastCheck($now);
-		return true;
-	}
-
-	/**
-	 * Check if the given token exists and performs password/user-enabled checks
-	 *
-	 * Invalidates the token if checks fail
-	 *
-	 * @param string $token
-	 * @param string $user login name
-	 * @return boolean
-	 */
-	private function validateToken($token, $user = null) {
-		try {
-			$dbToken = $this->tokenProvider->getToken($token);
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-
-		// Check if login names match
-		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
-			// TODO: this makes it imposssible to use different login names on browser and client
-			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
-			//      allow to use the client token with the login name 'user'.
-			return false;
-		}
-
-		if (!$this->checkTokenCredentials($dbToken, $token)) {
-			return false;
-		}
-
-		$this->tokenProvider->updateTokenActivity($dbToken);
-
-		return true;
-	}
-
-	/**
-	 * Tries to login the user with auth token header
-	 *
-	 * @param IRequest $request
-	 * @todo check remember me cookie
-	 * @return boolean
-	 */
-	public function tryTokenLogin(IRequest $request) {
-		$authHeader = $request->getHeader('Authorization');
-		if (strpos($authHeader, 'Bearer ') === false) {
-			// No auth header, let's try session id
-			try {
-				$token = $this->session->getId();
-			} catch (SessionNotAvailableException $ex) {
-				return false;
-			}
-		} else {
-			$token = substr($authHeader, 7);
-		}
-
-		if (!$this->loginWithToken($token)) {
-			return false;
-		}
-		if(!$this->validateToken($token)) {
-			return false;
-		}
-		return true;
-	}
-
-	/**
-	 * perform login using the magic cookie (remember login)
-	 *
-	 * @param string $uid the username
-	 * @param string $currentToken
-	 * @param string $oldSessionId
-	 * @return bool
-	 */
-	public function loginWithCookie($uid, $currentToken, $oldSessionId) {
-		$this->session->regenerateId();
-		$this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
-		$user = $this->manager->get($uid);
-		if (is_null($user)) {
-			// user does not exist
-			return false;
-		}
-
-		// get stored tokens
-		$tokens = $this->config->getUserKeys($uid, 'login_token');
-		// test cookies token against stored tokens
-		if (!in_array($currentToken, $tokens, true)) {
-			return false;
-		}
-		// replace successfully used token with a new one
-		$this->config->deleteUserValue($uid, 'login_token', $currentToken);
-		$newToken = $this->random->generate(32);
-		$this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
-
-		try {
-			$sessionId = $this->session->getId();
-			$this->tokenProvider->renewSessionToken($oldSessionId, $sessionId);
-		} catch (SessionNotAvailableException $ex) {
-			return false;
-		} catch (InvalidTokenException $ex) {
-			\OC::$server->getLogger()->warning('Renewing session token failed', ['app' => 'core']);
-			return false;
-		}
-
-		$this->setMagicInCookie($user->getUID(), $newToken);
-		$token = $this->tokenProvider->getToken($sessionId);
-
-		//login
-		$this->setUser($user);
-		$this->setLoginName($token->getLoginName());
-		$this->setToken($token->getId());
-		$this->lockdownManager->setToken($token);
-		$user->updateLastLoginTimestamp();
-		$password = null;
-		try {
-			$password = $this->tokenProvider->getPassword($token, $sessionId);
-		} catch (PasswordlessTokenException $ex) {
-			// Ignore
-		}
-		$this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]);
-		return true;
-	}
-
-	/**
-	 * @param IUser $user
-	 */
-	public function createRememberMeToken(IUser $user) {
-		$token = $this->random->generate(32);
-		$this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
-		$this->setMagicInCookie($user->getUID(), $token);
-	}
-
-	/**
-	 * logout the user from the session
-	 */
-	public function logout() {
-		$this->manager->emit('\OC\User', 'logout');
-		$user = $this->getUser();
-		if (!is_null($user)) {
-			try {
-				$this->tokenProvider->invalidateToken($this->session->getId());
-			} catch (SessionNotAvailableException $ex) {
-
-			}
-		}
-		$this->setUser(null);
-		$this->setLoginName(null);
-		$this->setToken(null);
-		$this->unsetMagicInCookie();
-		$this->session->clear();
-		$this->manager->emit('\OC\User', 'postLogout');
-	}
-
-	/**
-	 * Set cookie value to use in next page load
-	 *
-	 * @param string $username username to be set
-	 * @param string $token
-	 */
-	public function setMagicInCookie($username, $token) {
-		$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
-		$webRoot = \OC::$WEBROOT;
-		if ($webRoot === '') {
-			$webRoot = '/';
-		}
-
-		$expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
-		setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
-		try {
-			setcookie('nc_session_id', $this->session->getId(), $expires, $webRoot, '', $secureCookie, true);
-		} catch (SessionNotAvailableException $ex) {
-			// ignore
-		}
-	}
-
-	/**
-	 * Remove cookie for "remember username"
-	 */
-	public function unsetMagicInCookie() {
-		//TODO: DI for cookies and IRequest
-		$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
-
-		unset($_COOKIE['nc_username']); //TODO: DI
-		unset($_COOKIE['nc_token']);
-		unset($_COOKIE['nc_session_id']);
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		// old cookies might be stored under /webroot/ instead of /webroot
-		// and Firefox doesn't like it!
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-	}
-
-	/**
-	 * Update password of the browser session token if there is one
-	 *
-	 * @param string $password
-	 */
-	public function updateSessionTokenPassword($password) {
-		try {
-			$sessionId = $this->session->getId();
-			$token = $this->tokenProvider->getToken($sessionId);
-			$this->tokenProvider->setPassword($token, $sessionId, $password);
-		} catch (SessionNotAvailableException $ex) {
-			// Nothing to do
-		} catch (InvalidTokenException $ex) {
-			// Nothing to do
-		}
-	}
+    /** @var IUserManager|PublicEmitter $manager */
+    private $manager;
+
+    /** @var ISession $session */
+    private $session;
+
+    /** @var ITimeFactory */
+    private $timeFactory;
+
+    /** @var IProvider */
+    private $tokenProvider;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var User $activeUser */
+    protected $activeUser;
+
+    /** @var ISecureRandom */
+    private $random;
+
+    /** @var ILockdownManager  */
+    private $lockdownManager;
+
+    /**
+     * @param IUserManager $manager
+     * @param ISession $session
+     * @param ITimeFactory $timeFactory
+     * @param IProvider $tokenProvider
+     * @param IConfig $config
+     * @param ISecureRandom $random
+     * @param ILockdownManager $lockdownManager
+     */
+    public function __construct(IUserManager $manager,
+                                ISession $session,
+                                ITimeFactory $timeFactory,
+                                $tokenProvider,
+                                IConfig $config,
+                                ISecureRandom $random,
+                                ILockdownManager $lockdownManager
+    ) {
+        $this->manager = $manager;
+        $this->session = $session;
+        $this->timeFactory = $timeFactory;
+        $this->tokenProvider = $tokenProvider;
+        $this->config = $config;
+        $this->random = $random;
+        $this->lockdownManager = $lockdownManager;
+    }
+
+    /**
+     * @param IProvider $provider
+     */
+    public function setTokenProvider(IProvider $provider) {
+        $this->tokenProvider = $provider;
+    }
+
+    /**
+     * @param string $scope
+     * @param string $method
+     * @param callable $callback
+     */
+    public function listen($scope, $method, callable $callback) {
+        $this->manager->listen($scope, $method, $callback);
+    }
+
+    /**
+     * @param string $scope optional
+     * @param string $method optional
+     * @param callable $callback optional
+     */
+    public function removeListener($scope = null, $method = null, callable $callback = null) {
+        $this->manager->removeListener($scope, $method, $callback);
+    }
+
+    /**
+     * get the manager object
+     *
+     * @return Manager|PublicEmitter
+     */
+    public function getManager() {
+        return $this->manager;
+    }
+
+    /**
+     * get the session object
+     *
+     * @return ISession
+     */
+    public function getSession() {
+        return $this->session;
+    }
+
+    /**
+     * set the session object
+     *
+     * @param ISession $session
+     */
+    public function setSession(ISession $session) {
+        if ($this->session instanceof ISession) {
+            $this->session->close();
+        }
+        $this->session = $session;
+        $this->activeUser = null;
+    }
+
+    /**
+     * set the currently active user
+     *
+     * @param IUser|null $user
+     */
+    public function setUser($user) {
+        if (is_null($user)) {
+            $this->session->remove('user_id');
+        } else {
+            $this->session->set('user_id', $user->getUID());
+        }
+        $this->activeUser = $user;
+    }
+
+    /**
+     * get the current active user
+     *
+     * @return IUser|null Current user, otherwise null
+     */
+    public function getUser() {
+        // FIXME: This is a quick'n dirty work-around for the incognito mode as
+        // described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
+        if (OC_User::isIncognitoMode()) {
+            return null;
+        }
+        if (is_null($this->activeUser)) {
+            $uid = $this->session->get('user_id');
+            if (is_null($uid)) {
+                return null;
+            }
+            $this->activeUser = $this->manager->get($uid);
+            if (is_null($this->activeUser)) {
+                return null;
+            }
+            $this->validateSession();
+        }
+        return $this->activeUser;
+    }
+
+    /**
+     * Validate whether the current session is valid
+     *
+     * - For token-authenticated clients, the token validity is checked
+     * - For browsers, the session token validity is checked
+     */
+    protected function validateSession() {
+        $token = null;
+        $appPassword = $this->session->get('app_password');
+
+        if (is_null($appPassword)) {
+            try {
+                $token = $this->session->getId();
+            } catch (SessionNotAvailableException $ex) {
+                return;
+            }
+        } else {
+            $token = $appPassword;
+        }
+
+        if (!$this->validateToken($token)) {
+            // Session was invalidated
+            $this->logout();
+        }
+    }
+
+    /**
+     * Checks whether the user is logged in
+     *
+     * @return bool if logged in
+     */
+    public function isLoggedIn() {
+        $user = $this->getUser();
+        if (is_null($user)) {
+            return false;
+        }
+
+        return $user->isEnabled();
+    }
+
+    /**
+     * set the login name
+     *
+     * @param string|null $loginName for the logged in user
+     */
+    public function setLoginName($loginName) {
+        if (is_null($loginName)) {
+            $this->session->remove('loginname');
+        } else {
+            $this->session->set('loginname', $loginName);
+        }
+    }
+
+    /**
+     * get the login name of the current user
+     *
+     * @return string
+     */
+    public function getLoginName() {
+        if ($this->activeUser) {
+            return $this->session->get('loginname');
+        } else {
+            $uid = $this->session->get('user_id');
+            if ($uid) {
+                $this->activeUser = $this->manager->get($uid);
+                return $this->session->get('loginname');
+            } else {
+                return null;
+            }
+        }
+    }
+
+    /**
+     * set the token id
+     *
+     * @param int|null $token that was used to log in
+     */
+    protected function setToken($token) {
+        if ($token === null) {
+            $this->session->remove('token-id');
+        } else {
+            $this->session->set('token-id', $token);
+        }
+    }
+
+    /**
+     * try to log in with the provided credentials
+     *
+     * @param string $uid
+     * @param string $password
+     * @return boolean|null
+     * @throws LoginException
+     */
+    public function login($uid, $password) {
+        $this->session->regenerateId();
+        if ($this->validateToken($password, $uid)) {
+            return $this->loginWithToken($password);
+        }
+        return $this->loginWithPassword($uid, $password);
+    }
+
+    /**
+     * @param IUser $user
+     * @param array $loginDetails
+     * @param bool $regenerateSessionId
+     * @return true returns true if login successful or an exception otherwise
+     * @throws LoginException
+     */
+    public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) {
+        if (!$user->isEnabled()) {
+            // disabled users can not log in
+            // injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
+            $message = \OC::$server->getL10N('lib')->t('User disabled');
+            throw new LoginException($message);
+        }
+
+        if($regenerateSessionId) {
+            $this->session->regenerateId();
+        }
+
+        $this->setUser($user);
+        $this->setLoginName($loginDetails['loginName']);
+
+        if(isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken) {
+            $this->setToken($loginDetails['token']->getId());
+            $this->lockdownManager->setToken($loginDetails['token']);
+            $firstTimeLogin = false;
+        } else {
+            $this->setToken(null);
+            $firstTimeLogin = $user->updateLastLoginTimestamp();
+        }
+        $this->manager->emit('\OC\User', 'postLogin', [$user, $loginDetails['password']]);
+        if($this->isLoggedIn()) {
+            $this->prepareUserLogin($firstTimeLogin);
+            return true;
+        } else {
+            $message = \OC::$server->getL10N('lib')->t('Login canceled by app');
+            throw new LoginException($message);
+        }
+    }
+
+    /**
+     * Tries to log in a client
+     *
+     * Checks token auth enforced
+     * Checks 2FA enabled
+     *
+     * @param string $user
+     * @param string $password
+     * @param IRequest $request
+     * @param OC\Security\Bruteforce\Throttler $throttler
+     * @throws LoginException
+     * @throws PasswordLoginForbiddenException
+     * @return boolean
+     */
+    public function logClientIn($user,
+                                $password,
+                                IRequest $request,
+                                OC\Security\Bruteforce\Throttler $throttler) {
+        $currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');
+
+        if ($this->manager instanceof PublicEmitter) {
+            $this->manager->emit('\OC\User', 'preLogin', array($user, $password));
+        }
+
+        $isTokenPassword = $this->isTokenPassword($password);
+        if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
+            throw new PasswordLoginForbiddenException();
+        }
+        if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
+            throw new PasswordLoginForbiddenException();
+        }
+        if (!$this->login($user, $password) ) {
+            $users = $this->manager->getByEmail($user);
+            if (count($users) === 1) {
+                return $this->login($users[0]->getUID(), $password);
+            }
+
+            $throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
+            if($currentDelay === 0) {
+                $throttler->sleepDelay($request->getRemoteAddress(), 'login');
+            }
+            return false;
+        }
+
+        if ($isTokenPassword) {
+            $this->session->set('app_password', $password);
+        } else if($this->supportsCookies($request)) {
+            // Password login, but cookies supported -> create (browser) session token
+            $this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
+        }
+
+        return true;
+    }
+
+    protected function supportsCookies(IRequest $request) {
+        if (!is_null($request->getCookie('cookie_test'))) {
+            return true;
+        }
+        setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
+        return false;
+    }
+
+    private function isTokenAuthEnforced() {
+        return $this->config->getSystemValue('token_auth_enforced', false);
+    }
+
+    protected function isTwoFactorEnforced($username) {
+        Util::emitHook(
+            '\OCA\Files_Sharing\API\Server2Server',
+            'preLoginNameUsedAsUserName',
+            array('uid' => &$username)
+        );
+        $user = $this->manager->get($username);
+        if (is_null($user)) {
+            $users = $this->manager->getByEmail($username);
+            if (empty($users)) {
+                return false;
+            }
+            if (count($users) !== 1) {
+                return true;
+            }
+            $user = $users[0];
+        }
+        // DI not possible due to cyclic dependencies :'-/
+        return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
+    }
+
+    /**
+     * Check if the given 'password' is actually a device token
+     *
+     * @param string $password
+     * @return boolean
+     */
+    public function isTokenPassword($password) {
+        try {
+            $this->tokenProvider->getToken($password);
+            return true;
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+    }
+
+    protected function prepareUserLogin($firstTimeLogin) {
+        // TODO: mock/inject/use non-static
+        // Refresh the token
+        \OC::$server->getCsrfTokenManager()->refreshToken();
+        //we need to pass the user name, which may differ from login name
+        $user = $this->getUser()->getUID();
+        OC_Util::setupFS($user);
+
+        if ($firstTimeLogin) {
+            // TODO: lock necessary?
+            //trigger creation of user home and /files folder
+            $userFolder = \OC::$server->getUserFolder($user);
+
+            try {
+                // copy skeleton
+                \OC_Util::copySkeleton($user, $userFolder);
+            } catch (NotPermittedException $ex) {
+                // read only uses
+            }
+
+            // trigger any other initialization
+            \OC::$server->getEventDispatcher()->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
+        }
+    }
+
+    /**
+     * Tries to login the user with HTTP Basic Authentication
+     *
+     * @todo do not allow basic auth if the user is 2FA enforced
+     * @param IRequest $request
+     * @param OC\Security\Bruteforce\Throttler $throttler
+     * @return boolean if the login was successful
+     */
+    public function tryBasicAuthLogin(IRequest $request,
+                                        OC\Security\Bruteforce\Throttler $throttler) {
+        if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
+            try {
+                if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
+                    /**
+                     * Add DAV authenticated. This should in an ideal world not be
+                     * necessary but the iOS App reads cookies from anywhere instead
+                     * only the DAV endpoint.
+                     * This makes sure that the cookies will be valid for the whole scope
+                     * @see https://github.com/owncloud/core/issues/22893
+                     */
+                    $this->session->set(
+                        Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
+                    );
+
+                    // Set the last-password-confirm session to make the sudo mode work
+                        $this->session->set('last-password-confirm', $this->timeFactory->getTime());
+
+                    return true;
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                // Nothing to do
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Log an user in via login name and password
+     *
+     * @param string $uid
+     * @param string $password
+     * @return boolean
+     * @throws LoginException if an app canceld the login process or the user is not enabled
+     */
+    private function loginWithPassword($uid, $password) {
+        $user = $this->manager->checkPassword($uid, $password);
+        if ($user === false) {
+            // Password check failed
+            return false;
+        }
+
+        return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false);
+    }
+
+    /**
+     * Log an user in with a given token (id)
+     *
+     * @param string $token
+     * @return boolean
+     * @throws LoginException if an app canceled the login process or the user is not enabled
+     */
+    private function loginWithToken($token) {
+        try {
+            $dbToken = $this->tokenProvider->getToken($token);
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+        $uid = $dbToken->getUID();
+
+        // When logging in with token, the password must be decrypted first before passing to login hook
+        $password = '';
+        try {
+            $password = $this->tokenProvider->getPassword($dbToken, $token);
+        } catch (PasswordlessTokenException $ex) {
+            // Ignore and use empty string instead
+        }
+
+        $this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
+
+        $user = $this->manager->get($uid);
+        if (is_null($user)) {
+            // user does not exist
+            return false;
+        }
+
+        return $this->completeLogin(
+            $user,
+            [
+                'loginName' => $dbToken->getLoginName(),
+                'password' => $password,
+                'token' => $dbToken
+            ],
+            false);
+    }
+
+    /**
+     * Create a new session token for the given user credentials
+     *
+     * @param IRequest $request
+     * @param string $uid user UID
+     * @param string $loginName login name
+     * @param string $password
+     * @param int $remember
+     * @return boolean
+     */
+    public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {
+        if (is_null($this->manager->get($uid))) {
+            // User does not exist
+            return false;
+        }
+        $name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
+        try {
+            $sessionId = $this->session->getId();
+            $pwd = $this->getPassword($password);
+            $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
+            return true;
+        } catch (SessionNotAvailableException $ex) {
+            // This can happen with OCC, where a memory session is used
+            // if a memory session is used, we shouldn't create a session token anyway
+            return false;
+        }
+    }
+
+    /**
+     * Checks if the given password is a token.
+     * If yes, the password is extracted from the token.
+     * If no, the same password is returned.
+     *
+     * @param string $password either the login password or a device token
+     * @return string|null the password or null if none was set in the token
+     */
+    private function getPassword($password) {
+        if (is_null($password)) {
+            // This is surely no token ;-)
+            return null;
+        }
+        try {
+            $token = $this->tokenProvider->getToken($password);
+            try {
+                return $this->tokenProvider->getPassword($token, $password);
+            } catch (PasswordlessTokenException $ex) {
+                return null;
+            }
+        } catch (InvalidTokenException $ex) {
+            return $password;
+        }
+    }
+
+    /**
+     * @param IToken $dbToken
+     * @param string $token
+     * @return boolean
+     */
+    private function checkTokenCredentials(IToken $dbToken, $token) {
+        // Check whether login credentials are still valid and the user was not disabled
+        // This check is performed each 5 minutes
+        $lastCheck = $dbToken->getLastCheck() ? : 0;
+        $now = $this->timeFactory->getTime();
+        if ($lastCheck > ($now - 60 * 5)) {
+            // Checked performed recently, nothing to do now
+            return true;
+        }
+
+        try {
+            $pwd = $this->tokenProvider->getPassword($dbToken, $token);
+        } catch (InvalidTokenException $ex) {
+            // An invalid token password was used -> log user out
+            return false;
+        } catch (PasswordlessTokenException $ex) {
+            // Token has no password
+
+            if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
+                $this->tokenProvider->invalidateToken($token);
+                return false;
+            }
+
+            $dbToken->setLastCheck($now);
+            return true;
+        }
+
+        if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false
+            || (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) {
+            $this->tokenProvider->invalidateToken($token);
+            // Password has changed or user was disabled -> log user out
+            return false;
+        }
+        $dbToken->setLastCheck($now);
+        return true;
+    }
+
+    /**
+     * Check if the given token exists and performs password/user-enabled checks
+     *
+     * Invalidates the token if checks fail
+     *
+     * @param string $token
+     * @param string $user login name
+     * @return boolean
+     */
+    private function validateToken($token, $user = null) {
+        try {
+            $dbToken = $this->tokenProvider->getToken($token);
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+
+        // Check if login names match
+        if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+            // TODO: this makes it imposssible to use different login names on browser and client
+            // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+            //      allow to use the client token with the login name 'user'.
+            return false;
+        }
+
+        if (!$this->checkTokenCredentials($dbToken, $token)) {
+            return false;
+        }
+
+        $this->tokenProvider->updateTokenActivity($dbToken);
+
+        return true;
+    }
+
+    /**
+     * Tries to login the user with auth token header
+     *
+     * @param IRequest $request
+     * @todo check remember me cookie
+     * @return boolean
+     */
+    public function tryTokenLogin(IRequest $request) {
+        $authHeader = $request->getHeader('Authorization');
+        if (strpos($authHeader, 'Bearer ') === false) {
+            // No auth header, let's try session id
+            try {
+                $token = $this->session->getId();
+            } catch (SessionNotAvailableException $ex) {
+                return false;
+            }
+        } else {
+            $token = substr($authHeader, 7);
+        }
+
+        if (!$this->loginWithToken($token)) {
+            return false;
+        }
+        if(!$this->validateToken($token)) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * perform login using the magic cookie (remember login)
+     *
+     * @param string $uid the username
+     * @param string $currentToken
+     * @param string $oldSessionId
+     * @return bool
+     */
+    public function loginWithCookie($uid, $currentToken, $oldSessionId) {
+        $this->session->regenerateId();
+        $this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
+        $user = $this->manager->get($uid);
+        if (is_null($user)) {
+            // user does not exist
+            return false;
+        }
+
+        // get stored tokens
+        $tokens = $this->config->getUserKeys($uid, 'login_token');
+        // test cookies token against stored tokens
+        if (!in_array($currentToken, $tokens, true)) {
+            return false;
+        }
+        // replace successfully used token with a new one
+        $this->config->deleteUserValue($uid, 'login_token', $currentToken);
+        $newToken = $this->random->generate(32);
+        $this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
+
+        try {
+            $sessionId = $this->session->getId();
+            $this->tokenProvider->renewSessionToken($oldSessionId, $sessionId);
+        } catch (SessionNotAvailableException $ex) {
+            return false;
+        } catch (InvalidTokenException $ex) {
+            \OC::$server->getLogger()->warning('Renewing session token failed', ['app' => 'core']);
+            return false;
+        }
+
+        $this->setMagicInCookie($user->getUID(), $newToken);
+        $token = $this->tokenProvider->getToken($sessionId);
+
+        //login
+        $this->setUser($user);
+        $this->setLoginName($token->getLoginName());
+        $this->setToken($token->getId());
+        $this->lockdownManager->setToken($token);
+        $user->updateLastLoginTimestamp();
+        $password = null;
+        try {
+            $password = $this->tokenProvider->getPassword($token, $sessionId);
+        } catch (PasswordlessTokenException $ex) {
+            // Ignore
+        }
+        $this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]);
+        return true;
+    }
+
+    /**
+     * @param IUser $user
+     */
+    public function createRememberMeToken(IUser $user) {
+        $token = $this->random->generate(32);
+        $this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
+        $this->setMagicInCookie($user->getUID(), $token);
+    }
+
+    /**
+     * logout the user from the session
+     */
+    public function logout() {
+        $this->manager->emit('\OC\User', 'logout');
+        $user = $this->getUser();
+        if (!is_null($user)) {
+            try {
+                $this->tokenProvider->invalidateToken($this->session->getId());
+            } catch (SessionNotAvailableException $ex) {
+
+            }
+        }
+        $this->setUser(null);
+        $this->setLoginName(null);
+        $this->setToken(null);
+        $this->unsetMagicInCookie();
+        $this->session->clear();
+        $this->manager->emit('\OC\User', 'postLogout');
+    }
+
+    /**
+     * Set cookie value to use in next page load
+     *
+     * @param string $username username to be set
+     * @param string $token
+     */
+    public function setMagicInCookie($username, $token) {
+        $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
+        $webRoot = \OC::$WEBROOT;
+        if ($webRoot === '') {
+            $webRoot = '/';
+        }
+
+        $expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
+        setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
+        try {
+            setcookie('nc_session_id', $this->session->getId(), $expires, $webRoot, '', $secureCookie, true);
+        } catch (SessionNotAvailableException $ex) {
+            // ignore
+        }
+    }
+
+    /**
+     * Remove cookie for "remember username"
+     */
+    public function unsetMagicInCookie() {
+        //TODO: DI for cookies and IRequest
+        $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
+
+        unset($_COOKIE['nc_username']); //TODO: DI
+        unset($_COOKIE['nc_token']);
+        unset($_COOKIE['nc_session_id']);
+        setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        // old cookies might be stored under /webroot/ instead of /webroot
+        // and Firefox doesn't like it!
+        setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+        setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+        setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+    }
+
+    /**
+     * Update password of the browser session token if there is one
+     *
+     * @param string $password
+     */
+    public function updateSessionTokenPassword($password) {
+        try {
+            $sessionId = $this->session->getId();
+            $token = $this->tokenProvider->getToken($sessionId);
+            $this->tokenProvider->setPassword($token, $sessionId, $password);
+        } catch (SessionNotAvailableException $ex) {
+            // Nothing to do
+        } catch (InvalidTokenException $ex) {
+            // Nothing to do
+        }
+    }
 
 
 }

apps/oauth2/lib/Controller/SettingsController.php

Indentation +61 added lines, -61 removed lines

@@ -32,69 +32,69 @@
 use OCP\Security\ISecureRandom;
 
 class SettingsController extends Controller {
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var ClientMapper */
-	private $clientMapper;
-	/** @var ISecureRandom */
-	private $secureRandom;
-	/** @var AccessTokenMapper  */
-	private $accessTokenMapper;
-	/** @var  DefaultTokenMapper */
-	private $defaultTokenMapper;
+    /** @var IURLGenerator */
+    private $urlGenerator;
+    /** @var ClientMapper */
+    private $clientMapper;
+    /** @var ISecureRandom */
+    private $secureRandom;
+    /** @var AccessTokenMapper  */
+    private $accessTokenMapper;
+    /** @var  DefaultTokenMapper */
+    private $defaultTokenMapper;
 
-	const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
 
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IURLGenerator $urlGenerator
-	 * @param ClientMapper $clientMapper
-	 * @param ISecureRandom $secureRandom
-	 * @param AccessTokenMapper $accessTokenMapper
-	 * @param DefaultTokenMapper $defaultTokenMapper
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								IURLGenerator $urlGenerator,
-								ClientMapper $clientMapper,
-								ISecureRandom $secureRandom,
-								AccessTokenMapper $accessTokenMapper,
-								DefaultTokenMapper $defaultTokenMapper
-	) {
-		parent::__construct($appName, $request);
-		$this->urlGenerator = $urlGenerator;
-		$this->secureRandom = $secureRandom;
-		$this->clientMapper = $clientMapper;
-		$this->accessTokenMapper = $accessTokenMapper;
-		$this->defaultTokenMapper = $defaultTokenMapper;
-	}
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IURLGenerator $urlGenerator
+     * @param ClientMapper $clientMapper
+     * @param ISecureRandom $secureRandom
+     * @param AccessTokenMapper $accessTokenMapper
+     * @param DefaultTokenMapper $defaultTokenMapper
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                IURLGenerator $urlGenerator,
+                                ClientMapper $clientMapper,
+                                ISecureRandom $secureRandom,
+                                AccessTokenMapper $accessTokenMapper,
+                                DefaultTokenMapper $defaultTokenMapper
+    ) {
+        parent::__construct($appName, $request);
+        $this->urlGenerator = $urlGenerator;
+        $this->secureRandom = $secureRandom;
+        $this->clientMapper = $clientMapper;
+        $this->accessTokenMapper = $accessTokenMapper;
+        $this->defaultTokenMapper = $defaultTokenMapper;
+    }
 
-	/**
-	 * @param string $name
-	 * @param string $redirectUri
-	 * @return RedirectResponse
-	 */
-	public function addClient($name,
-							  $redirectUri) {
-		$client = new Client();
-		$client->setName($name);
-		$client->setRedirectUri($redirectUri);
-		$client->setSecret($this->secureRandom->generate(64, self::validChars));
-		$client->setClientIdentifier($this->secureRandom->generate(64, self::validChars));
-		$this->clientMapper->insert($client);
-		return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
-	}
+    /**
+     * @param string $name
+     * @param string $redirectUri
+     * @return RedirectResponse
+     */
+    public function addClient($name,
+                                $redirectUri) {
+        $client = new Client();
+        $client->setName($name);
+        $client->setRedirectUri($redirectUri);
+        $client->setSecret($this->secureRandom->generate(64, self::validChars));
+        $client->setClientIdentifier($this->secureRandom->generate(64, self::validChars));
+        $this->clientMapper->insert($client);
+        return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
+    }
 
-	/**
-	 * @param int $id
-	 * @return RedirectResponse
-	 */
-	public function deleteClient($id) {
-		$client = $this->clientMapper->getByUid($id);
-		$this->accessTokenMapper->deleteByClientId($id);
-		$this->defaultTokenMapper->deleteByName($client->getName());
-		$this->clientMapper->delete($client);
-		return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
-	}
+    /**
+     * @param int $id
+     * @return RedirectResponse
+     */
+    public function deleteClient($id) {
+        $client = $this->clientMapper->getByUid($id);
+        $this->accessTokenMapper->deleteByClientId($id);
+        $this->defaultTokenMapper->deleteByName($client->getName());
+        $this->clientMapper->delete($client);
+        return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
+    }
 }

apps/oauth2/templates/admin.php

Indentation +3 added lines, -3 removed lines

@@ -46,9 +46,9 @@
 		</thead>
 		<tbody>
 		<?php
-		$imageUrl = $urlGenerator->imagePath('core', 'actions/toggle.svg');
-		foreach ($clients as $client) {
-		?>
+        $imageUrl = $urlGenerator->imagePath('core', 'actions/toggle.svg');
+        foreach ($clients as $client) {
+        ?>
 			<tr>
 				<td><?php p($client->getName()); ?></td>
 				<td><?php p($client->getRedirectUri()); ?></td>

apps/oauth2/lib/Controller/LoginRedirectorController.php

Indentation +44 added lines, -44 removed lines

@@ -29,51 +29,51 @@
 use OCP\IURLGenerator;
 
 class LoginRedirectorController extends Controller {
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var ClientMapper */
-	private $clientMapper;
-	/** @var ISession */
-	private $session;
+    /** @var IURLGenerator */
+    private $urlGenerator;
+    /** @var ClientMapper */
+    private $clientMapper;
+    /** @var ISession */
+    private $session;
 
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IURLGenerator $urlGenerator
-	 * @param ClientMapper $clientMapper
-	 * @param ISession $session
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								IURLGenerator $urlGenerator,
-								ClientMapper $clientMapper,
-								ISession $session) {
-		parent::__construct($appName, $request);
-		$this->urlGenerator = $urlGenerator;
-		$this->clientMapper = $clientMapper;
-		$this->session = $session;
-	}
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IURLGenerator $urlGenerator
+     * @param ClientMapper $clientMapper
+     * @param ISession $session
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                IURLGenerator $urlGenerator,
+                                ClientMapper $clientMapper,
+                                ISession $session) {
+        parent::__construct($appName, $request);
+        $this->urlGenerator = $urlGenerator;
+        $this->clientMapper = $clientMapper;
+        $this->session = $session;
+    }
 
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 * @UseSession
-	 *
-	 * @param string $client_id
-	 * @param string $state
-	 * @return RedirectResponse
-	 */
-	public function authorize($client_id,
-							  $state) {
-		$client = $this->clientMapper->getByIdentifier($client_id);
-		$this->session->set('oauth.state', $state);
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     * @UseSession
+     *
+     * @param string $client_id
+     * @param string $state
+     * @return RedirectResponse
+     */
+    public function authorize($client_id,
+                                $state) {
+        $client = $this->clientMapper->getByIdentifier($client_id);
+        $this->session->set('oauth.state', $state);
 
-		$targetUrl = $this->urlGenerator->linkToRouteAbsolute(
-			'core.ClientFlowLogin.showAuthPickerPage',
-			[
-				'clientIdentifier' => $client->getClientIdentifier(),
-			]
-		);
-		return new RedirectResponse($targetUrl);
-	}
+        $targetUrl = $this->urlGenerator->linkToRouteAbsolute(
+            'core.ClientFlowLogin.showAuthPickerPage',
+            [
+                'clientIdentifier' => $client->getClientIdentifier(),
+            ]
+        );
+        return new RedirectResponse($targetUrl);
+    }
 }

apps/oauth2/lib/Controller/OauthApiController.php

Indentation +52 added lines, -52 removed lines

@@ -30,59 +30,59 @@
 use OCP\Security\ISecureRandom;
 
 class OauthApiController extends Controller {
-	/** @var AccessTokenMapper */
-	private $accessTokenMapper;
-	/** @var ICrypto */
-	private $crypto;
-	/** @var DefaultTokenMapper */
-	private $defaultTokenMapper;
-	/** @var ISecureRandom */
-	private $secureRandom;
+    /** @var AccessTokenMapper */
+    private $accessTokenMapper;
+    /** @var ICrypto */
+    private $crypto;
+    /** @var DefaultTokenMapper */
+    private $defaultTokenMapper;
+    /** @var ISecureRandom */
+    private $secureRandom;
 
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param ICrypto $crypto
-	 * @param AccessTokenMapper $accessTokenMapper
-	 * @param DefaultTokenMapper $defaultTokenMapper
-	 * @param ISecureRandom $secureRandom
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								ICrypto $crypto,
-								AccessTokenMapper $accessTokenMapper,
-								DefaultTokenMapper $defaultTokenMapper,
-								ISecureRandom $secureRandom) {
-		parent::__construct($appName, $request);
-		$this->crypto = $crypto;
-		$this->accessTokenMapper = $accessTokenMapper;
-		$this->defaultTokenMapper = $defaultTokenMapper;
-		$this->secureRandom = $secureRandom;
-	}
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param ICrypto $crypto
+     * @param AccessTokenMapper $accessTokenMapper
+     * @param DefaultTokenMapper $defaultTokenMapper
+     * @param ISecureRandom $secureRandom
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                ICrypto $crypto,
+                                AccessTokenMapper $accessTokenMapper,
+                                DefaultTokenMapper $defaultTokenMapper,
+                                ISecureRandom $secureRandom) {
+        parent::__construct($appName, $request);
+        $this->crypto = $crypto;
+        $this->accessTokenMapper = $accessTokenMapper;
+        $this->defaultTokenMapper = $defaultTokenMapper;
+        $this->secureRandom = $secureRandom;
+    }
 
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 *
-	 * @param string $code
-	 * @return JSONResponse
-	 */
-	public function getToken($code) {
-		$accessToken = $this->accessTokenMapper->getByCode($code);
-		$decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
-		$newCode = $this->secureRandom->generate(128);
-		$accessToken->setHashedCode(hash('sha512', $newCode));
-		$accessToken->setEncryptedToken($this->crypto->encrypt($decryptedToken, $newCode));
-		$this->accessTokenMapper->update($accessToken);
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     *
+     * @param string $code
+     * @return JSONResponse
+     */
+    public function getToken($code) {
+        $accessToken = $this->accessTokenMapper->getByCode($code);
+        $decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
+        $newCode = $this->secureRandom->generate(128);
+        $accessToken->setHashedCode(hash('sha512', $newCode));
+        $accessToken->setEncryptedToken($this->crypto->encrypt($decryptedToken, $newCode));
+        $this->accessTokenMapper->update($accessToken);
 
-		return new JSONResponse(
-			[
-				'access_token' => $decryptedToken,
-				'token_type' => 'Bearer',
-				'expires_in' => 3600,
-				'refresh_token' => $newCode,
-				'user_id' => $this->defaultTokenMapper->getTokenById($accessToken->getTokenId())->getUID(),
-			]
-		);
-	}
+        return new JSONResponse(
+            [
+                'access_token' => $decryptedToken,
+                'token_type' => 'Bearer',
+                'expires_in' => 3600,
+                'refresh_token' => $newCode,
+                'user_id' => $this->defaultTokenMapper->getTokenById($accessToken->getTokenId())->getUID(),
+            ]
+        );
+    }
 }