nextcloud / server

core/Controller/AppPasswordController.php

Indentation +123 added lines, -123 removed lines

@@ -43,127 +43,127 @@
 
 class AppPasswordController extends \OCP\AppFramework\OCSController {
 
-	/** @var ISession */
-	private $session;
-
-	/** @var ISecureRandom */
-	private $random;
-
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var IStore */
-	private $credentialStore;
-
-	/** @var IEventDispatcher */
-	private $eventDispatcher;
-
-	public function __construct(string $appName,
-								IRequest $request,
-								ISession $session,
-								ISecureRandom $random,
-								IProvider $tokenProvider,
-								IStore $credentialStore,
-								IEventDispatcher $eventDispatcher) {
-		parent::__construct($appName, $request);
-
-		$this->session = $session;
-		$this->random = $random;
-		$this->tokenProvider = $tokenProvider;
-		$this->credentialStore = $credentialStore;
-		$this->eventDispatcher = $eventDispatcher;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @return DataResponse
-	 * @throws OCSForbiddenException
-	 */
-	public function getAppPassword(): DataResponse {
-		// We do not allow the creation of new tokens if this is an app password
-		if ($this->session->exists('app_password')) {
-			throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword');
-		}
-
-		try {
-			$credentials = $this->credentialStore->getLoginCredentials();
-		} catch (CredentialsUnavailableException $e) {
-			throw new OCSForbiddenException();
-		}
-
-		try {
-			$password = $credentials->getPassword();
-		} catch (PasswordUnavailableException $e) {
-			$password = null;
-		}
-
-		$userAgent = $this->request->getHeader('USER_AGENT');
-
-		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-
-		$generatedToken = $this->tokenProvider->generateToken(
-			$token,
-			$credentials->getUID(),
-			$credentials->getLoginName(),
-			$password,
-			$userAgent,
-			IToken::PERMANENT_TOKEN,
-			IToken::DO_NOT_REMEMBER
-		);
-
-		$this->eventDispatcher->dispatchTyped(
-			new AppPasswordCreatedEvent($generatedToken)
-		);
-
-		return new DataResponse([
-			'apppassword' => $token
-		]);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @return DataResponse
-	 */
-	public function deleteAppPassword() {
-		if (!$this->session->exists('app_password')) {
-			throw new OCSForbiddenException('no app password in use');
-		}
-
-		$appPassword = $this->session->get('app_password');
-
-		try {
-			$token = $this->tokenProvider->getToken($appPassword);
-		} catch (InvalidTokenException $e) {
-			throw new OCSForbiddenException('could not remove apptoken');
-		}
-
-		$this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());
-		return new DataResponse();
-	}
-
-	/**
-	 * @NoAdminRequired
-	 */
-	public function rotateAppPassword(): DataResponse {
-		if (!$this->session->exists('app_password')) {
-			throw new OCSForbiddenException('no app password in use');
-		}
-
-		$appPassword = $this->session->get('app_password');
-
-		try {
-			$token = $this->tokenProvider->getToken($appPassword);
-		} catch (InvalidTokenException $e) {
-			throw new OCSForbiddenException('could not rotate apptoken');
-		}
-
-		$newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-		$this->tokenProvider->rotate($token, $appPassword, $newToken);
-
-		return new DataResponse([
-			'apppassword' => $newToken,
-		]);
-	}
+    /** @var ISession */
+    private $session;
+
+    /** @var ISecureRandom */
+    private $random;
+
+    /** @var IProvider */
+    private $tokenProvider;
+
+    /** @var IStore */
+    private $credentialStore;
+
+    /** @var IEventDispatcher */
+    private $eventDispatcher;
+
+    public function __construct(string $appName,
+                                IRequest $request,
+                                ISession $session,
+                                ISecureRandom $random,
+                                IProvider $tokenProvider,
+                                IStore $credentialStore,
+                                IEventDispatcher $eventDispatcher) {
+        parent::__construct($appName, $request);
+
+        $this->session = $session;
+        $this->random = $random;
+        $this->tokenProvider = $tokenProvider;
+        $this->credentialStore = $credentialStore;
+        $this->eventDispatcher = $eventDispatcher;
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @return DataResponse
+     * @throws OCSForbiddenException
+     */
+    public function getAppPassword(): DataResponse {
+        // We do not allow the creation of new tokens if this is an app password
+        if ($this->session->exists('app_password')) {
+            throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword');
+        }
+
+        try {
+            $credentials = $this->credentialStore->getLoginCredentials();
+        } catch (CredentialsUnavailableException $e) {
+            throw new OCSForbiddenException();
+        }
+
+        try {
+            $password = $credentials->getPassword();
+        } catch (PasswordUnavailableException $e) {
+            $password = null;
+        }
+
+        $userAgent = $this->request->getHeader('USER_AGENT');
+
+        $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+
+        $generatedToken = $this->tokenProvider->generateToken(
+            $token,
+            $credentials->getUID(),
+            $credentials->getLoginName(),
+            $password,
+            $userAgent,
+            IToken::PERMANENT_TOKEN,
+            IToken::DO_NOT_REMEMBER
+        );
+
+        $this->eventDispatcher->dispatchTyped(
+            new AppPasswordCreatedEvent($generatedToken)
+        );
+
+        return new DataResponse([
+            'apppassword' => $token
+        ]);
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @return DataResponse
+     */
+    public function deleteAppPassword() {
+        if (!$this->session->exists('app_password')) {
+            throw new OCSForbiddenException('no app password in use');
+        }
+
+        $appPassword = $this->session->get('app_password');
+
+        try {
+            $token = $this->tokenProvider->getToken($appPassword);
+        } catch (InvalidTokenException $e) {
+            throw new OCSForbiddenException('could not remove apptoken');
+        }
+
+        $this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());
+        return new DataResponse();
+    }
+
+    /**
+     * @NoAdminRequired
+     */
+    public function rotateAppPassword(): DataResponse {
+        if (!$this->session->exists('app_password')) {
+            throw new OCSForbiddenException('no app password in use');
+        }
+
+        $appPassword = $this->session->get('app_password');
+
+        try {
+            $token = $this->tokenProvider->getToken($appPassword);
+        } catch (InvalidTokenException $e) {
+            throw new OCSForbiddenException('could not rotate apptoken');
+        }
+
+        $newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+        $this->tokenProvider->rotate($token, $appPassword, $newToken);
+
+        return new DataResponse([
+            'apppassword' => $newToken,
+        ]);
+    }
 }

core/Controller/ClientFlowLoginController.php

Indentation +367 added lines, -367 removed lines

@@ -55,371 +55,371 @@
 use OCP\Session\Exceptions\SessionNotAvailableException;
 
 class ClientFlowLoginController extends Controller {
-	/** @var IUserSession */
-	private $userSession;
-	/** @var IL10N */
-	private $l10n;
-	/** @var Defaults */
-	private $defaults;
-	/** @var ISession */
-	private $session;
-	/** @var IProvider */
-	private $tokenProvider;
-	/** @var ISecureRandom */
-	private $random;
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var ClientMapper */
-	private $clientMapper;
-	/** @var AccessTokenMapper */
-	private $accessTokenMapper;
-	/** @var ICrypto */
-	private $crypto;
-	/** @var IEventDispatcher */
-	private $eventDispatcher;
-
-	public const STATE_NAME = 'client.flow.state.token';
-
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IUserSession $userSession
-	 * @param IL10N $l10n
-	 * @param Defaults $defaults
-	 * @param ISession $session
-	 * @param IProvider $tokenProvider
-	 * @param ISecureRandom $random
-	 * @param IURLGenerator $urlGenerator
-	 * @param ClientMapper $clientMapper
-	 * @param AccessTokenMapper $accessTokenMapper
-	 * @param ICrypto $crypto
-	 * @param IEventDispatcher $eventDispatcher
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								IUserSession $userSession,
-								IL10N $l10n,
-								Defaults $defaults,
-								ISession $session,
-								IProvider $tokenProvider,
-								ISecureRandom $random,
-								IURLGenerator $urlGenerator,
-								ClientMapper $clientMapper,
-								AccessTokenMapper $accessTokenMapper,
-								ICrypto $crypto,
-								IEventDispatcher $eventDispatcher) {
-		parent::__construct($appName, $request);
-		$this->userSession = $userSession;
-		$this->l10n = $l10n;
-		$this->defaults = $defaults;
-		$this->session = $session;
-		$this->tokenProvider = $tokenProvider;
-		$this->random = $random;
-		$this->urlGenerator = $urlGenerator;
-		$this->clientMapper = $clientMapper;
-		$this->accessTokenMapper = $accessTokenMapper;
-		$this->crypto = $crypto;
-		$this->eventDispatcher = $eventDispatcher;
-	}
-
-	/**
-	 * @return string
-	 */
-	private function getClientName() {
-		$userAgent = $this->request->getHeader('USER_AGENT');
-		return $userAgent !== '' ? $userAgent : 'unknown';
-	}
-
-	/**
-	 * @param string $stateToken
-	 * @return bool
-	 */
-	private function isValidToken($stateToken) {
-		$currentToken = $this->session->get(self::STATE_NAME);
-		if (!is_string($stateToken) || !is_string($currentToken)) {
-			return false;
-		}
-		return hash_equals($currentToken, $stateToken);
-	}
-
-	/**
-	 * @return StandaloneTemplateResponse
-	 */
-	private function stateTokenForbiddenResponse() {
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'403',
-			[
-				'message' => $this->l10n->t('State token does not match'),
-			],
-			'guest'
-		);
-		$response->setStatus(Http::STATUS_FORBIDDEN);
-		return $response;
-	}
-
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 * @UseSession
-	 *
-	 * @param string $clientIdentifier
-	 *
-	 * @return StandaloneTemplateResponse
-	 */
-	public function showAuthPickerPage($clientIdentifier = '', $user = '') {
-		$clientName = $this->getClientName();
-		$client = null;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		// No valid clientIdentifier given and no valid API Request (APIRequest header not set)
-		$clientRequest = $this->request->getHeader('OCS-APIREQUEST');
-		if ($clientRequest !== 'true' && $client === null) {
-			return new StandaloneTemplateResponse(
-				$this->appName,
-				'error',
-				[
-					'errors' =>
-					[
-						[
-							'error' => 'Access Forbidden',
-							'hint' => 'Invalid request',
-						],
-					],
-				],
-				'guest'
-			);
-		}
-
-		$stateToken = $this->random->generate(
-			64,
-			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-		);
-		$this->session->set(self::STATE_NAME, $stateToken);
-
-		$csp = new Http\ContentSecurityPolicy();
-		if ($client) {
-			$csp->addAllowedFormActionDomain($client->getRedirectUri());
-		} else {
-			$csp->addAllowedFormActionDomain('nc://*');
-		}
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflow/authpicker',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-				'user' => $user,
-			],
-			'guest'
-		);
-
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @NoSameSiteCookieRequired
-	 * @UseSession
-	 *
-	 * @param string $stateToken
-	 * @param string $clientIdentifier
-	 * @return StandaloneTemplateResponse
-	 */
-	public function grantPage($stateToken = '',
-								 $clientIdentifier = '') {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$clientName = $this->getClientName();
-		$client = null;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		$csp = new Http\ContentSecurityPolicy();
-		if ($client) {
-			$csp->addAllowedFormActionDomain($client->getRedirectUri());
-		} else {
-			$csp->addAllowedFormActionDomain('nc://*');
-		}
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflow/grant',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-			],
-			'guest'
-		);
-
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @UseSession
-	 *
-	 * @param string $stateToken
-	 * @param string $clientIdentifier
-	 * @return Http\RedirectResponse|Response
-	 */
-	public function generateAppPassword($stateToken,
-										$clientIdentifier = '') {
-		if (!$this->isValidToken($stateToken)) {
-			$this->session->remove(self::STATE_NAME);
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$this->session->remove(self::STATE_NAME);
-
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		try {
-			$sessionToken = $this->tokenProvider->getToken($sessionId);
-			$loginName = $sessionToken->getLoginName();
-			try {
-				$password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
-			} catch (PasswordlessTokenException $ex) {
-				$password = null;
-			}
-		} catch (InvalidTokenException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$clientName = $this->getClientName();
-		$client = false;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-		$uid = $this->userSession->getUser()->getUID();
-		$generatedToken = $this->tokenProvider->generateToken(
-			$token,
-			$uid,
-			$loginName,
-			$password,
-			$clientName,
-			IToken::PERMANENT_TOKEN,
-			IToken::DO_NOT_REMEMBER
-		);
-
-		if ($client) {
-			$code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-			$accessToken = new AccessToken();
-			$accessToken->setClientId($client->getId());
-			$accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
-			$accessToken->setHashedCode(hash('sha512', $code));
-			$accessToken->setTokenId($generatedToken->getId());
-			$this->accessTokenMapper->insert($accessToken);
-
-			$redirectUri = $client->getRedirectUri();
-
-			if (parse_url($redirectUri, PHP_URL_QUERY)) {
-				$redirectUri .= '&';
-			} else {
-				$redirectUri .= '?';
-			}
-
-			$redirectUri .= sprintf(
-				'state=%s&code=%s',
-				urlencode($this->session->get('oauth.state')),
-				urlencode($code)
-			);
-			$this->session->remove('oauth.state');
-		} else {
-			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
-
-			// Clear the token from the login here
-			$this->tokenProvider->invalidateToken($sessionId);
-		}
-
-		$this->eventDispatcher->dispatchTyped(
-			new AppPasswordCreatedEvent($generatedToken)
-		);
-
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	/**
-	 * @PublicPage
-	 */
-	public function apptokenRedirect(string $stateToken, string $user, string $password) {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		try {
-			$token = $this->tokenProvider->getToken($password);
-			if ($token->getLoginName() !== $user) {
-				throw new InvalidTokenException('login name does not match');
-			}
-		} catch (InvalidTokenException $e) {
-			$response = new StandaloneTemplateResponse(
-				$this->appName,
-				'403',
-				[
-					'message' => $this->l10n->t('Invalid app password'),
-				],
-				'guest'
-			);
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	private function getServerPath(): string {
-		$serverPostfix = '';
-
-		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
-		} elseif (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
-		}
-
-		$protocol = $this->request->getServerProtocol();
-
-		if ($protocol !== "https") {
-			$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
-			$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
-			if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
-				$protocol = 'https';
-			}
-		}
-
-		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
-	}
+    /** @var IUserSession */
+    private $userSession;
+    /** @var IL10N */
+    private $l10n;
+    /** @var Defaults */
+    private $defaults;
+    /** @var ISession */
+    private $session;
+    /** @var IProvider */
+    private $tokenProvider;
+    /** @var ISecureRandom */
+    private $random;
+    /** @var IURLGenerator */
+    private $urlGenerator;
+    /** @var ClientMapper */
+    private $clientMapper;
+    /** @var AccessTokenMapper */
+    private $accessTokenMapper;
+    /** @var ICrypto */
+    private $crypto;
+    /** @var IEventDispatcher */
+    private $eventDispatcher;
+
+    public const STATE_NAME = 'client.flow.state.token';
+
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IUserSession $userSession
+     * @param IL10N $l10n
+     * @param Defaults $defaults
+     * @param ISession $session
+     * @param IProvider $tokenProvider
+     * @param ISecureRandom $random
+     * @param IURLGenerator $urlGenerator
+     * @param ClientMapper $clientMapper
+     * @param AccessTokenMapper $accessTokenMapper
+     * @param ICrypto $crypto
+     * @param IEventDispatcher $eventDispatcher
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                IUserSession $userSession,
+                                IL10N $l10n,
+                                Defaults $defaults,
+                                ISession $session,
+                                IProvider $tokenProvider,
+                                ISecureRandom $random,
+                                IURLGenerator $urlGenerator,
+                                ClientMapper $clientMapper,
+                                AccessTokenMapper $accessTokenMapper,
+                                ICrypto $crypto,
+                                IEventDispatcher $eventDispatcher) {
+        parent::__construct($appName, $request);
+        $this->userSession = $userSession;
+        $this->l10n = $l10n;
+        $this->defaults = $defaults;
+        $this->session = $session;
+        $this->tokenProvider = $tokenProvider;
+        $this->random = $random;
+        $this->urlGenerator = $urlGenerator;
+        $this->clientMapper = $clientMapper;
+        $this->accessTokenMapper = $accessTokenMapper;
+        $this->crypto = $crypto;
+        $this->eventDispatcher = $eventDispatcher;
+    }
+
+    /**
+     * @return string
+     */
+    private function getClientName() {
+        $userAgent = $this->request->getHeader('USER_AGENT');
+        return $userAgent !== '' ? $userAgent : 'unknown';
+    }
+
+    /**
+     * @param string $stateToken
+     * @return bool
+     */
+    private function isValidToken($stateToken) {
+        $currentToken = $this->session->get(self::STATE_NAME);
+        if (!is_string($stateToken) || !is_string($currentToken)) {
+            return false;
+        }
+        return hash_equals($currentToken, $stateToken);
+    }
+
+    /**
+     * @return StandaloneTemplateResponse
+     */
+    private function stateTokenForbiddenResponse() {
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            '403',
+            [
+                'message' => $this->l10n->t('State token does not match'),
+            ],
+            'guest'
+        );
+        $response->setStatus(Http::STATUS_FORBIDDEN);
+        return $response;
+    }
+
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     * @UseSession
+     *
+     * @param string $clientIdentifier
+     *
+     * @return StandaloneTemplateResponse
+     */
+    public function showAuthPickerPage($clientIdentifier = '', $user = '') {
+        $clientName = $this->getClientName();
+        $client = null;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        // No valid clientIdentifier given and no valid API Request (APIRequest header not set)
+        $clientRequest = $this->request->getHeader('OCS-APIREQUEST');
+        if ($clientRequest !== 'true' && $client === null) {
+            return new StandaloneTemplateResponse(
+                $this->appName,
+                'error',
+                [
+                    'errors' =>
+                    [
+                        [
+                            'error' => 'Access Forbidden',
+                            'hint' => 'Invalid request',
+                        ],
+                    ],
+                ],
+                'guest'
+            );
+        }
+
+        $stateToken = $this->random->generate(
+            64,
+            ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+        );
+        $this->session->set(self::STATE_NAME, $stateToken);
+
+        $csp = new Http\ContentSecurityPolicy();
+        if ($client) {
+            $csp->addAllowedFormActionDomain($client->getRedirectUri());
+        } else {
+            $csp->addAllowedFormActionDomain('nc://*');
+        }
+
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflow/authpicker',
+            [
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+                'user' => $user,
+            ],
+            'guest'
+        );
+
+        $response->setContentSecurityPolicy($csp);
+        return $response;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @NoSameSiteCookieRequired
+     * @UseSession
+     *
+     * @param string $stateToken
+     * @param string $clientIdentifier
+     * @return StandaloneTemplateResponse
+     */
+    public function grantPage($stateToken = '',
+                                    $clientIdentifier = '') {
+        if (!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $clientName = $this->getClientName();
+        $client = null;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        $csp = new Http\ContentSecurityPolicy();
+        if ($client) {
+            $csp->addAllowedFormActionDomain($client->getRedirectUri());
+        } else {
+            $csp->addAllowedFormActionDomain('nc://*');
+        }
+
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflow/grant',
+            [
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+            ],
+            'guest'
+        );
+
+        $response->setContentSecurityPolicy($csp);
+        return $response;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @UseSession
+     *
+     * @param string $stateToken
+     * @param string $clientIdentifier
+     * @return Http\RedirectResponse|Response
+     */
+    public function generateAppPassword($stateToken,
+                                        $clientIdentifier = '') {
+        if (!$this->isValidToken($stateToken)) {
+            $this->session->remove(self::STATE_NAME);
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $this->session->remove(self::STATE_NAME);
+
+        try {
+            $sessionId = $this->session->getId();
+        } catch (SessionNotAvailableException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        try {
+            $sessionToken = $this->tokenProvider->getToken($sessionId);
+            $loginName = $sessionToken->getLoginName();
+            try {
+                $password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
+            } catch (PasswordlessTokenException $ex) {
+                $password = null;
+            }
+        } catch (InvalidTokenException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $clientName = $this->getClientName();
+        $client = false;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+        $uid = $this->userSession->getUser()->getUID();
+        $generatedToken = $this->tokenProvider->generateToken(
+            $token,
+            $uid,
+            $loginName,
+            $password,
+            $clientName,
+            IToken::PERMANENT_TOKEN,
+            IToken::DO_NOT_REMEMBER
+        );
+
+        if ($client) {
+            $code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+            $accessToken = new AccessToken();
+            $accessToken->setClientId($client->getId());
+            $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
+            $accessToken->setHashedCode(hash('sha512', $code));
+            $accessToken->setTokenId($generatedToken->getId());
+            $this->accessTokenMapper->insert($accessToken);
+
+            $redirectUri = $client->getRedirectUri();
+
+            if (parse_url($redirectUri, PHP_URL_QUERY)) {
+                $redirectUri .= '&';
+            } else {
+                $redirectUri .= '?';
+            }
+
+            $redirectUri .= sprintf(
+                'state=%s&code=%s',
+                urlencode($this->session->get('oauth.state')),
+                urlencode($code)
+            );
+            $this->session->remove('oauth.state');
+        } else {
+            $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
+
+            // Clear the token from the login here
+            $this->tokenProvider->invalidateToken($sessionId);
+        }
+
+        $this->eventDispatcher->dispatchTyped(
+            new AppPasswordCreatedEvent($generatedToken)
+        );
+
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    /**
+     * @PublicPage
+     */
+    public function apptokenRedirect(string $stateToken, string $user, string $password) {
+        if (!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        try {
+            $token = $this->tokenProvider->getToken($password);
+            if ($token->getLoginName() !== $user) {
+                throw new InvalidTokenException('login name does not match');
+            }
+        } catch (InvalidTokenException $e) {
+            $response = new StandaloneTemplateResponse(
+                $this->appName,
+                '403',
+                [
+                    'message' => $this->l10n->t('Invalid app password'),
+                ],
+                'guest'
+            );
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    private function getServerPath(): string {
+        $serverPostfix = '';
+
+        if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
+        } elseif (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
+        }
+
+        $protocol = $this->request->getServerProtocol();
+
+        if ($protocol !== "https") {
+            $xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
+            $xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
+            if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
+                $protocol = 'https';
+            }
+        }
+
+        return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
+    }
 }

lib/private/Authentication/Token/IProvider.php

Indentation +146 added lines, -146 removed lines

@@ -37,150 +37,150 @@
 interface IProvider {
 
 
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name Name will be trimmed to 120 chars when longer
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  ?string $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken;
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @throws WipeTokenException
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken;
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @throws WipeTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken;
-
-	/**
-	 * Duplicate an existing session token
-	 *
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 * @return IToken The new token
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken;
-
-	/**
-	 * Invalidate (delete) the given session token
-	 *
-	 * @param string $token
-	 */
-	public function invalidateToken(string $token);
-
-	/**
-	 * Invalidate (delete) the given token
-	 *
-	 * @param string $uid
-	 * @param int $id
-	 */
-	public function invalidateTokenById(string $uid, int $id);
-
-	/**
-	 * Invalidate (delete) old session tokens
-	 */
-	public function invalidateOldTokens();
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 */
-	public function updateToken(IToken $token);
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token);
-
-	/**
-	 * Get all tokens of a user
-	 *
-	 * The provider may limit the number of result rows in case of an abuse
-	 * where a high number of (session) tokens is generated
-	 *
-	 * @param string $uid
-	 * @return IToken[]
-	 */
-	public function getTokenByUser(string $uid): array;
-
-	/**
-	 * Get the (unencrypted) password of the given token
-	 *
-	 * @param IToken $savedToken
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string;
-
-	/**
-	 * Encrypt and set the password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @param string $password
-	 * @throws InvalidTokenException
-	 */
-	public function setPassword(IToken $token, string $tokenId, string $password);
-
-	/**
-	 * Rotate the token. Usefull for for example oauth tokens
-	 *
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
-
-	/**
-	 * Marks a token as having an invalid password.
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 */
-	public function markPasswordInvalid(IToken $token, string $tokenId);
-
-	/**
-	 * Update all the passwords of $uid if required
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 */
-	public function updatePasswords(string $uid, string $password);
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name Name will be trimmed to 120 chars when longer
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                  ?string $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken;
+
+    /**
+     * Get a token by token id
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @throws WipeTokenException
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken;
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @throws WipeTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken;
+
+    /**
+     * Duplicate an existing session token
+     *
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     * @return IToken The new token
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken;
+
+    /**
+     * Invalidate (delete) the given session token
+     *
+     * @param string $token
+     */
+    public function invalidateToken(string $token);
+
+    /**
+     * Invalidate (delete) the given token
+     *
+     * @param string $uid
+     * @param int $id
+     */
+    public function invalidateTokenById(string $uid, int $id);
+
+    /**
+     * Invalidate (delete) old session tokens
+     */
+    public function invalidateOldTokens();
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     */
+    public function updateToken(IToken $token);
+
+    /**
+     * Update token activity timestamp
+     *
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token);
+
+    /**
+     * Get all tokens of a user
+     *
+     * The provider may limit the number of result rows in case of an abuse
+     * where a high number of (session) tokens is generated
+     *
+     * @param string $uid
+     * @return IToken[]
+     */
+    public function getTokenByUser(string $uid): array;
+
+    /**
+     * Get the (unencrypted) password of the given token
+     *
+     * @param IToken $savedToken
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $savedToken, string $tokenId): string;
+
+    /**
+     * Encrypt and set the password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @param string $password
+     * @throws InvalidTokenException
+     */
+    public function setPassword(IToken $token, string $tokenId, string $password);
+
+    /**
+     * Rotate the token. Usefull for for example oauth tokens
+     *
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
+
+    /**
+     * Marks a token as having an invalid password.
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     */
+    public function markPasswordInvalid(IToken $token, string $tokenId);
+
+    /**
+     * Update all the passwords of $uid if required
+     *
+     * @param string $uid
+     * @param string $password
+     */
+    public function updatePasswords(string $uid, string $password);
 }

lib/private/Authentication/Token/Manager.php

Indentation +205 added lines, -205 removed lines

@@ -35,209 +35,209 @@
 
 class Manager implements IProvider {
 
-	/** @var PublicKeyTokenProvider */
-	private $publicKeyTokenProvider;
-
-	public function __construct(PublicKeyTokenProvider $publicKeyTokenProvider) {
-		$this->publicKeyTokenProvider = $publicKeyTokenProvider;
-	}
-
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name Name will be trimmed to 120 chars when longer
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		if (mb_strlen($name) > 128) {
-			$name = mb_substr($name, 0, 120) . '…';
-		}
-
-		try {
-			return $this->publicKeyTokenProvider->generateToken(
-				$token,
-				$uid,
-				$loginName,
-				$password,
-				$name,
-				$type,
-				$remember
-			);
-		} catch (UniqueConstraintViolationException $e) {
-			// It's rare, but if two requests of the same session (e.g. env-based SAML)
-			// try to create the session token they might end up here at the same time
-			// because we use the session ID as token and the db token is created anew
-			// with every request.
-			//
-			// If the UIDs match, then this should be fine.
-			$existing = $this->getToken($token);
-			if ($existing->getUID() !== $uid) {
-				throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
-			}
-			return $existing;
-		}
-	}
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 * @throws InvalidTokenException
-	 */
-	public function updateToken(IToken $token) {
-		$provider = $this->getProvider($token);
-		$provider->updateToken($token);
-	}
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @throws InvalidTokenException
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token) {
-		$provider = $this->getProvider($token);
-		$provider->updateTokenActivity($token);
-	}
-
-	/**
-	 * @param string $uid
-	 * @return IToken[]
-	 */
-	public function getTokenByUser(string $uid): array {
-		return $this->publicKeyTokenProvider->getTokenByUser($uid);
-	}
-
-	/**
-	 * Get a token by token
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->getToken($tokenId);
-		} catch (WipeTokenException $e) {
-			throw $e;
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			throw $e;
-		}
-	}
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->getTokenById($tokenId);
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (WipeTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			throw $e;
-		}
-	}
-
-	/**
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			throw $e;
-		}
-	}
-
-	/**
-	 * @param IToken $savedToken
-	 * @param string $tokenId session token
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string {
-		$provider = $this->getProvider($savedToken);
-		return $provider->getPassword($savedToken, $tokenId);
-	}
-
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		$provider = $this->getProvider($token);
-		$provider->setPassword($token, $tokenId, $password);
-	}
-
-	public function invalidateToken(string $token) {
-		$this->publicKeyTokenProvider->invalidateToken($token);
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
-	}
-
-	public function invalidateOldTokens() {
-		$this->publicKeyTokenProvider->invalidateOldTokens();
-	}
-
-	/**
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		if ($token instanceof PublicKeyToken) {
-			return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
-		}
-
-		throw new InvalidTokenException();
-	}
-
-	/**
-	 * @param IToken $token
-	 * @return IProvider
-	 * @throws InvalidTokenException
-	 */
-	private function getProvider(IToken $token): IProvider {
-		if ($token instanceof PublicKeyToken) {
-			return $this->publicKeyTokenProvider;
-		}
-		throw new InvalidTokenException();
-	}
-
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		$this->getProvider($token)->markPasswordInvalid($token, $tokenId);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		$this->publicKeyTokenProvider->updatePasswords($uid, $password);
-	}
+    /** @var PublicKeyTokenProvider */
+    private $publicKeyTokenProvider;
+
+    public function __construct(PublicKeyTokenProvider $publicKeyTokenProvider) {
+        $this->publicKeyTokenProvider = $publicKeyTokenProvider;
+    }
+
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name Name will be trimmed to 120 chars when longer
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        if (mb_strlen($name) > 128) {
+            $name = mb_substr($name, 0, 120) . '…';
+        }
+
+        try {
+            return $this->publicKeyTokenProvider->generateToken(
+                $token,
+                $uid,
+                $loginName,
+                $password,
+                $name,
+                $type,
+                $remember
+            );
+        } catch (UniqueConstraintViolationException $e) {
+            // It's rare, but if two requests of the same session (e.g. env-based SAML)
+            // try to create the session token they might end up here at the same time
+            // because we use the session ID as token and the db token is created anew
+            // with every request.
+            //
+            // If the UIDs match, then this should be fine.
+            $existing = $this->getToken($token);
+            if ($existing->getUID() !== $uid) {
+                throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
+            }
+            return $existing;
+        }
+    }
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     * @throws InvalidTokenException
+     */
+    public function updateToken(IToken $token) {
+        $provider = $this->getProvider($token);
+        $provider->updateToken($token);
+    }
+
+    /**
+     * Update token activity timestamp
+     *
+     * @throws InvalidTokenException
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token) {
+        $provider = $this->getProvider($token);
+        $provider->updateTokenActivity($token);
+    }
+
+    /**
+     * @param string $uid
+     * @return IToken[]
+     */
+    public function getTokenByUser(string $uid): array {
+        return $this->publicKeyTokenProvider->getTokenByUser($uid);
+    }
+
+    /**
+     * Get a token by token
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->getToken($tokenId);
+        } catch (WipeTokenException $e) {
+            throw $e;
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            throw $e;
+        }
+    }
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->getTokenById($tokenId);
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (WipeTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            throw $e;
+        }
+    }
+
+    /**
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            throw $e;
+        }
+    }
+
+    /**
+     * @param IToken $savedToken
+     * @param string $tokenId session token
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $savedToken, string $tokenId): string {
+        $provider = $this->getProvider($savedToken);
+        return $provider->getPassword($savedToken, $tokenId);
+    }
+
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        $provider = $this->getProvider($token);
+        $provider->setPassword($token, $tokenId, $password);
+    }
+
+    public function invalidateToken(string $token) {
+        $this->publicKeyTokenProvider->invalidateToken($token);
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
+    }
+
+    public function invalidateOldTokens() {
+        $this->publicKeyTokenProvider->invalidateOldTokens();
+    }
+
+    /**
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        if ($token instanceof PublicKeyToken) {
+            return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
+        }
+
+        throw new InvalidTokenException();
+    }
+
+    /**
+     * @param IToken $token
+     * @return IProvider
+     * @throws InvalidTokenException
+     */
+    private function getProvider(IToken $token): IProvider {
+        if ($token instanceof PublicKeyToken) {
+            return $this->publicKeyTokenProvider;
+        }
+        throw new InvalidTokenException();
+    }
+
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        $this->getProvider($token)->markPasswordInvalid($token, $tokenId);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        $this->publicKeyTokenProvider->updatePasswords($uid, $password);
+    }
 }