Inspection of "Merge pull request #17458 from nextcloud/enh/avoid..." - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( f66315...fa7eb5 )

by Roeland

created 2019-10-09 10:01 UTC

Status

Indentation +146 added lines, -146 removed lines patch added patch discarded remove patch

@@ -34,150 +34,150 @@
 block discarded – undo
 interface IProvider {
 
 
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken;
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @throws WipeTokenException
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken;
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @throws WipeTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken;
-
-	/**
-	 * Duplicate an existing session token
-	 *
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 * @return IToken The new token
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken;
-
-	/**
-	 * Invalidate (delete) the given session token
-	 *
-	 * @param string $token
-	 */
-	public function invalidateToken(string $token);
-
-	/**
-	 * Invalidate (delete) the given token
-	 *
-	 * @param string $uid
-	 * @param int $id
-	 */
-	public function invalidateTokenById(string $uid, int $id);
-
-	/**
-	 * Invalidate (delete) old session tokens
-	 */
-	public function invalidateOldTokens();
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 */
-	public function updateToken(IToken $token);
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token);
-
-	/**
-	 * Get all tokens of a user
-	 *
-	 * The provider may limit the number of result rows in case of an abuse
-	 * where a high number of (session) tokens is generated
-	 *
-	 * @param string $uid
-	 * @return IToken[]
-	 */
-	public function getTokenByUser(string $uid): array;
-
-	/**
-	 * Get the (unencrypted) password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $token, string $tokenId): string;
-
-	/**
-	 * Encrypt and set the password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @param string $password
-	 * @throws InvalidTokenException
-	 */
-	public function setPassword(IToken $token, string $tokenId, string $password);
-
-	/**
-	 * Rotate the token. Usefull for for example oauth tokens
-	 *
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
-
-	/**
-	 * Marks a token as having an invalid password.
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 */
-	public function markPasswordInvalid(IToken $token, string $tokenId);
-
-	/**
-	 * Update all the passwords of $uid if required
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 */
-	public function updatePasswords(string $uid, string $password);
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken;
+
+    /**
+     * Get a token by token id
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @throws WipeTokenException
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken;
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @throws WipeTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken;
+
+    /**
+     * Duplicate an existing session token
+     *
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     * @return IToken The new token
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken;
+
+    /**
+     * Invalidate (delete) the given session token
+     *
+     * @param string $token
+     */
+    public function invalidateToken(string $token);
+
+    /**
+     * Invalidate (delete) the given token
+     *
+     * @param string $uid
+     * @param int $id
+     */
+    public function invalidateTokenById(string $uid, int $id);
+
+    /**
+     * Invalidate (delete) old session tokens
+     */
+    public function invalidateOldTokens();
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     */
+    public function updateToken(IToken $token);
+
+    /**
+     * Update token activity timestamp
+     *
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token);
+
+    /**
+     * Get all tokens of a user
+     *
+     * The provider may limit the number of result rows in case of an abuse
+     * where a high number of (session) tokens is generated
+     *
+     * @param string $uid
+     * @return IToken[]
+     */
+    public function getTokenByUser(string $uid): array;
+
+    /**
+     * Get the (unencrypted) password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $token, string $tokenId): string;
+
+    /**
+     * Encrypt and set the password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @param string $password
+     * @throws InvalidTokenException
+     */
+    public function setPassword(IToken $token, string $tokenId, string $password);
+
+    /**
+     * Rotate the token. Usefull for for example oauth tokens
+     *
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
+
+    /**
+     * Marks a token as having an invalid password.
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     */
+    public function markPasswordInvalid(IToken $token, string $tokenId);
+
+    /**
+     * Update all the passwords of $uid if required
+     *
+     * @param string $uid
+     * @param string $password
+     */
+    public function updatePasswords(string $uid, string $password);
 }

Please login to merge, or discard this patch.

lib/private/Authentication/Token/PublicKeyTokenProvider.php 1 patch

Indentation +378 added lines, -378 removed lines patch added patch discarded remove patch

@@ -35,382 +35,382 @@
 block discarded – undo
 use OCP\Security\ICrypto;
 
 class PublicKeyTokenProvider implements IProvider {
-	/** @var PublicKeyTokenMapper */
-	private $mapper;
-
-	/** @var ICrypto */
-	private $crypto;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var ILogger $logger */
-	private $logger;
-
-	/** @var ITimeFactory $time */
-	private $time;
-
-	/** @var CappedMemoryCache */
-	private $cache;
-
-	public function __construct(PublicKeyTokenMapper $mapper,
-								ICrypto $crypto,
-								IConfig $config,
-								ILogger $logger,
-								ITimeFactory $time) {
-		$this->mapper = $mapper;
-		$this->crypto = $crypto;
-		$this->config = $config;
-		$this->logger = $logger;
-		$this->time = $time;
-
-		$this->cache = new CappedMemoryCache();
-	}
-
-	/**
-	 * {@inheritDoc}
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
-		$this->mapper->insert($dbToken);
-
-		// Add the token to the cache
-		$this->cache[$dbToken->getToken()] = $dbToken;
-
-		return $dbToken;
-	}
-
-	public function getToken(string $tokenId): IToken {
-		$tokenHash = $this->hashToken($tokenId);
-
-		if (isset($this->cache[$tokenHash])) {
-			$token = $this->cache[$tokenHash];
-		} else {
-			try {
-				$token = $this->mapper->getToken($this->hashToken($tokenId));
-				$this->cache[$token->getToken()] = $token;
-			} catch (DoesNotExistException $ex) {
-				throw new InvalidTokenException();
-			}
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		if ($token->getType() === IToken::WIPE_TOKEN) {
-			throw new WipeTokenException($token);
-		}
-
-		return $token;
-	}
-
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			$token = $this->mapper->getTokenById($tokenId);
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException();
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		if ($token->getType() === IToken::WIPE_TOKEN) {
-			throw new WipeTokenException($token);
-		}
-
-		return $token;
-	}
-
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		$this->cache->clear();
-
-		$token = $this->getToken($oldSessionId);
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		$password = null;
-		if (!is_null($token->getPassword())) {
-			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
-			$password = $this->decryptPassword($token->getPassword(), $privateKey);
-		}
-
-		$newToken = $this->generateToken(
-			$sessionId,
-			$token->getUID(),
-			$token->getLoginName(),
-			$password,
-			$token->getName(),
-			IToken::TEMPORARY_TOKEN,
-			$token->getRemember()
-		);
-
-		$this->mapper->delete($token);
-
-		return $newToken;
-	}
-
-	public function invalidateToken(string $token) {
-		$this->cache->clear();
-
-		$this->mapper->invalidate($this->hashToken($token));
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->cache->clear();
-
-		$this->mapper->deleteById($uid, $id);
-	}
-
-	public function invalidateOldTokens() {
-		$this->cache->clear();
-
-		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
-		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
-	}
-
-	public function updateToken(IToken $token) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-		$this->mapper->update($token);
-	}
-
-	public function updateTokenActivity(IToken $token) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-		/** @var DefaultToken $token */
-		$now = $this->time->getTime();
-		if ($token->getLastActivity() < ($now - 60)) {
-			// Update token only once per minute
-			$token->setLastActivity($now);
-			$this->mapper->update($token);
-		}
-	}
-
-	public function getTokenByUser(string $uid): array {
-		return $this->mapper->getTokenByUser($uid);
-	}
-
-	public function getPassword(IToken $token, string $tokenId): string {
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		if ($token->getPassword() === null) {
-			throw new PasswordlessTokenException();
-		}
-
-		// Decrypt private key with tokenId
-		$privateKey = $this->decrypt($token->getPrivateKey(), $tokenId);
-
-		// Decrypt password with private key
-		return $this->decryptPassword($token->getPassword(), $privateKey);
-	}
-
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		// When changing passwords all temp tokens are deleted
-		$this->mapper->deleteTempToken($token);
-
-		// Update the password for all tokens
-		$tokens = $this->mapper->getTokenByUser($token->getUID());
-		foreach ($tokens as $t) {
-			$publicKey = $t->getPublicKey();
-			$t->setPassword($this->encryptPassword($password, $publicKey));
-			$this->updateToken($t);
-		}
-	}
-
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		// Decrypt private key with oldTokenId
-		$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
-		// Encrypt with the new token
-		$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
-
-		$token->setToken($this->hashToken($newTokenId));
-		$this->updateToken($token);
-
-		return $token;
-	}
-
-	private function encrypt(string $plaintext, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($plaintext, $token . $secret);
-	}
-
-	/**
-	 * @throws InvalidTokenException
-	 */
-	private function decrypt(string $cipherText, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		try {
-			return $this->crypto->decrypt($cipherText, $token . $secret);
-		} catch (\Exception $ex) {
-			// Delete the invalid token
-			$this->invalidateToken($token);
-			throw new InvalidTokenException();
-		}
-	}
-
-	private function encryptPassword(string $password, string $publicKey): string {
-		openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
-		$encryptedPassword = base64_encode($encryptedPassword);
-
-		return $encryptedPassword;
-	}
-
-	private function decryptPassword(string $encryptedPassword, string $privateKey): string {
-		$encryptedPassword = base64_decode($encryptedPassword);
-		openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
-
-		return $password;
-	}
-
-	private function hashToken(string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
-	}
-
-	/**
-	 * Convert a DefaultToken to a publicKeyToken
-	 * This will also be updated directly in the Database
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
-		$this->cache->clear();
-
-		$pkToken = $this->newToken(
-			$token,
-			$defaultToken->getUID(),
-			$defaultToken->getLoginName(),
-			$password,
-			$defaultToken->getName(),
-			$defaultToken->getType(),
-			$defaultToken->getRemember()
-		);
-
-		$pkToken->setExpires($defaultToken->getExpires());
-		$pkToken->setId($defaultToken->getId());
-
-		return $this->mapper->update($pkToken);
-	}
-
-	/**
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	private function newToken(string $token,
-							  string $uid,
-							  string $loginName,
-							  $password,
-							  string $name,
-							  int $type,
-							  int $remember): PublicKeyToken {
-		$dbToken = new PublicKeyToken();
-		$dbToken->setUid($uid);
-		$dbToken->setLoginName($loginName);
-
-		$config = array_merge([
-			'digest_alg' => 'sha512',
-			'private_key_bits' => 2048,
-		], $this->config->getSystemValue('openssl', []));
-
-		// Generate new key
-		$res = openssl_pkey_new($config);
-		if ($res === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
-
-		if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
-
-		// Extract the public key from $res to $pubKey
-		$publicKey = openssl_pkey_get_details($res);
-		$publicKey = $publicKey['key'];
-
-		$dbToken->setPublicKey($publicKey);
-		$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
-
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
-		}
-
-		$dbToken->setName($name);
-		$dbToken->setToken($this->hashToken($token));
-		$dbToken->setType($type);
-		$dbToken->setRemember($remember);
-		$dbToken->setLastActivity($this->time->getTime());
-		$dbToken->setLastCheck($this->time->getTime());
-		$dbToken->setVersion(PublicKeyToken::VERSION);
-
-		return $dbToken;
-	}
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException();
-		}
-
-		$token->setPasswordInvalid(true);
-		$this->mapper->update($token);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		$this->cache->clear();
-
-		if (!$this->mapper->hasExpiredTokens($uid)) {
-			// Nothing to do here
-			return;
-		}
-
-		// Update the password for all tokens
-		$tokens = $this->mapper->getTokenByUser($uid);
-		foreach ($tokens as $t) {
-			$publicKey = $t->getPublicKey();
-			$t->setPassword($this->encryptPassword($password, $publicKey));
-			$this->updateToken($t);
-		}
-	}
-
-	private function logOpensslError() {
-		$errors = [];
-		while ($error = openssl_error_string()) {
-			$errors[] = $error;
-		}
-		$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
-	}
+    /** @var PublicKeyTokenMapper */
+    private $mapper;
+
+    /** @var ICrypto */
+    private $crypto;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var ILogger $logger */
+    private $logger;
+
+    /** @var ITimeFactory $time */
+    private $time;
+
+    /** @var CappedMemoryCache */
+    private $cache;
+
+    public function __construct(PublicKeyTokenMapper $mapper,
+                                ICrypto $crypto,
+                                IConfig $config,
+                                ILogger $logger,
+                                ITimeFactory $time) {
+        $this->mapper = $mapper;
+        $this->crypto = $crypto;
+        $this->config = $config;
+        $this->logger = $logger;
+        $this->time = $time;
+
+        $this->cache = new CappedMemoryCache();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        $dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
+        $this->mapper->insert($dbToken);
+
+        // Add the token to the cache
+        $this->cache[$dbToken->getToken()] = $dbToken;
+
+        return $dbToken;
+    }
+
+    public function getToken(string $tokenId): IToken {
+        $tokenHash = $this->hashToken($tokenId);
+
+        if (isset($this->cache[$tokenHash])) {
+            $token = $this->cache[$tokenHash];
+        } else {
+            try {
+                $token = $this->mapper->getToken($this->hashToken($tokenId));
+                $this->cache[$token->getToken()] = $token;
+            } catch (DoesNotExistException $ex) {
+                throw new InvalidTokenException();
+            }
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        if ($token->getType() === IToken::WIPE_TOKEN) {
+            throw new WipeTokenException($token);
+        }
+
+        return $token;
+    }
+
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            $token = $this->mapper->getTokenById($tokenId);
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException();
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        if ($token->getType() === IToken::WIPE_TOKEN) {
+            throw new WipeTokenException($token);
+        }
+
+        return $token;
+    }
+
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        $this->cache->clear();
+
+        $token = $this->getToken($oldSessionId);
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        $password = null;
+        if (!is_null($token->getPassword())) {
+            $privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
+            $password = $this->decryptPassword($token->getPassword(), $privateKey);
+        }
+
+        $newToken = $this->generateToken(
+            $sessionId,
+            $token->getUID(),
+            $token->getLoginName(),
+            $password,
+            $token->getName(),
+            IToken::TEMPORARY_TOKEN,
+            $token->getRemember()
+        );
+
+        $this->mapper->delete($token);
+
+        return $newToken;
+    }
+
+    public function invalidateToken(string $token) {
+        $this->cache->clear();
+
+        $this->mapper->invalidate($this->hashToken($token));
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->cache->clear();
+
+        $this->mapper->deleteById($uid, $id);
+    }
+
+    public function invalidateOldTokens() {
+        $this->cache->clear();
+
+        $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+        $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+        $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
+        $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+        $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
+    }
+
+    public function updateToken(IToken $token) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+        $this->mapper->update($token);
+    }
+
+    public function updateTokenActivity(IToken $token) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+        /** @var DefaultToken $token */
+        $now = $this->time->getTime();
+        if ($token->getLastActivity() < ($now - 60)) {
+            // Update token only once per minute
+            $token->setLastActivity($now);
+            $this->mapper->update($token);
+        }
+    }
+
+    public function getTokenByUser(string $uid): array {
+        return $this->mapper->getTokenByUser($uid);
+    }
+
+    public function getPassword(IToken $token, string $tokenId): string {
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        if ($token->getPassword() === null) {
+            throw new PasswordlessTokenException();
+        }
+
+        // Decrypt private key with tokenId
+        $privateKey = $this->decrypt($token->getPrivateKey(), $tokenId);
+
+        // Decrypt password with private key
+        return $this->decryptPassword($token->getPassword(), $privateKey);
+    }
+
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        // When changing passwords all temp tokens are deleted
+        $this->mapper->deleteTempToken($token);
+
+        // Update the password for all tokens
+        $tokens = $this->mapper->getTokenByUser($token->getUID());
+        foreach ($tokens as $t) {
+            $publicKey = $t->getPublicKey();
+            $t->setPassword($this->encryptPassword($password, $publicKey));
+            $this->updateToken($t);
+        }
+    }
+
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        // Decrypt private key with oldTokenId
+        $privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
+        // Encrypt with the new token
+        $token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
+
+        $token->setToken($this->hashToken($newTokenId));
+        $this->updateToken($token);
+
+        return $token;
+    }
+
+    private function encrypt(string $plaintext, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return $this->crypto->encrypt($plaintext, $token . $secret);
+    }
+
+    /**
+     * @throws InvalidTokenException
+     */
+    private function decrypt(string $cipherText, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        try {
+            return $this->crypto->decrypt($cipherText, $token . $secret);
+        } catch (\Exception $ex) {
+            // Delete the invalid token
+            $this->invalidateToken($token);
+            throw new InvalidTokenException();
+        }
+    }
+
+    private function encryptPassword(string $password, string $publicKey): string {
+        openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
+        $encryptedPassword = base64_encode($encryptedPassword);
+
+        return $encryptedPassword;
+    }
+
+    private function decryptPassword(string $encryptedPassword, string $privateKey): string {
+        $encryptedPassword = base64_decode($encryptedPassword);
+        openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
+
+        return $password;
+    }
+
+    private function hashToken(string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return hash('sha512', $token . $secret);
+    }
+
+    /**
+     * Convert a DefaultToken to a publicKeyToken
+     * This will also be updated directly in the Database
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
+        $this->cache->clear();
+
+        $pkToken = $this->newToken(
+            $token,
+            $defaultToken->getUID(),
+            $defaultToken->getLoginName(),
+            $password,
+            $defaultToken->getName(),
+            $defaultToken->getType(),
+            $defaultToken->getRemember()
+        );
+
+        $pkToken->setExpires($defaultToken->getExpires());
+        $pkToken->setId($defaultToken->getId());
+
+        return $this->mapper->update($pkToken);
+    }
+
+    /**
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    private function newToken(string $token,
+                                string $uid,
+                                string $loginName,
+                                $password,
+                                string $name,
+                                int $type,
+                                int $remember): PublicKeyToken {
+        $dbToken = new PublicKeyToken();
+        $dbToken->setUid($uid);
+        $dbToken->setLoginName($loginName);
+
+        $config = array_merge([
+            'digest_alg' => 'sha512',
+            'private_key_bits' => 2048,
+        ], $this->config->getSystemValue('openssl', []));
+
+        // Generate new key
+        $res = openssl_pkey_new($config);
+        if ($res === false) {
+            $this->logOpensslError();
+            throw new \RuntimeException('OpenSSL reported a problem');
+        }
+
+        if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
+            $this->logOpensslError();
+            throw new \RuntimeException('OpenSSL reported a problem');
+        }
+
+        // Extract the public key from $res to $pubKey
+        $publicKey = openssl_pkey_get_details($res);
+        $publicKey = $publicKey['key'];
+
+        $dbToken->setPublicKey($publicKey);
+        $dbToken->setPrivateKey($this->encrypt($privateKey, $token));
+
+        if (!is_null($password)) {
+            $dbToken->setPassword($this->encryptPassword($password, $publicKey));
+        }
+
+        $dbToken->setName($name);
+        $dbToken->setToken($this->hashToken($token));
+        $dbToken->setType($type);
+        $dbToken->setRemember($remember);
+        $dbToken->setLastActivity($this->time->getTime());
+        $dbToken->setLastCheck($this->time->getTime());
+        $dbToken->setVersion(PublicKeyToken::VERSION);
+
+        return $dbToken;
+    }
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException();
+        }
+
+        $token->setPasswordInvalid(true);
+        $this->mapper->update($token);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        $this->cache->clear();
+
+        if (!$this->mapper->hasExpiredTokens($uid)) {
+            // Nothing to do here
+            return;
+        }
+
+        // Update the password for all tokens
+        $tokens = $this->mapper->getTokenByUser($uid);
+        foreach ($tokens as $t) {
+            $publicKey = $t->getPublicKey();
+            $t->setPassword($this->encryptPassword($password, $publicKey));
+            $this->updateToken($t);
+        }
+    }
+
+    private function logOpensslError() {
+        $errors = [];
+        while ($error = openssl_error_string()) {
+            $errors[] = $error;
+        }
+        $this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
+    }
 }

Please login to merge, or discard this patch.

lib/private/Authentication/Token/Manager.php 1 patch

Indentation +222 added lines, -222 removed lines patch added patch discarded remove patch

@@ -30,228 +30,228 @@
 block discarded – undo
 
 class Manager implements IProvider {
 
-	/** @var DefaultTokenProvider */
-	private $defaultTokenProvider;
-
-	/** @var PublicKeyTokenProvider */
-	private $publicKeyTokenProvider;
-
-	public function __construct(DefaultTokenProvider $defaultTokenProvider, PublicKeyTokenProvider $publicKeyTokenProvider) {
-		$this->defaultTokenProvider = $defaultTokenProvider;
-		$this->publicKeyTokenProvider = $publicKeyTokenProvider;
-	}
-
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		return $this->publicKeyTokenProvider->generateToken(
-			$token,
-			$uid,
-			$loginName,
-			$password,
-			$name,
-			$type,
-			$remember
-		);
-	}
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 * @throws InvalidTokenException
-	 */
-	public function updateToken(IToken $token) {
-		$provider = $this->getProvider($token);
-		$provider->updateToken($token);
-	}
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @throws InvalidTokenException
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token) {
-		$provider = $this->getProvider($token);
-		$provider->updateTokenActivity($token);
-	}
-
-	/**
-	 * @param string $uid
-	 * @return IToken[]
-	 */
-	public function getTokenByUser(string $uid): array {
-		$old = $this->defaultTokenProvider->getTokenByUser($uid);
-		$new = $this->publicKeyTokenProvider->getTokenByUser($uid);
-
-		return array_merge($old, $new);
-	}
-
-	/**
-	 * Get a token by token
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->getToken($tokenId);
-		} catch (WipeTokenException $e) {
-			throw $e;
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch(InvalidTokenException $e) {
-			// No worries we try to convert it to a PublicKey Token
-		}
-
-		//Convert!
-		$token = $this->defaultTokenProvider->getToken($tokenId);
-
-		try {
-			$password = $this->defaultTokenProvider->getPassword($token, $tokenId);
-		} catch (PasswordlessTokenException $e) {
-			$password = null;
-		}
-
-		return $this->publicKeyTokenProvider->convertToken($token, $tokenId, $password);
-	}
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->getTokenById($tokenId);
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (WipeTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			return $this->defaultTokenProvider->getTokenById($tokenId);
-		}
-	}
-
-	/**
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			return $this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId);
-		}
-	}
-
-	/**
-	 * @param IToken $savedToken
-	 * @param string $tokenId session token
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string {
-		$provider = $this->getProvider($savedToken);
-		return $provider->getPassword($savedToken, $tokenId);
-	}
-
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		$provider = $this->getProvider($token);
-		$provider->setPassword($token, $tokenId, $password);
-	}
-
-	public function invalidateToken(string $token) {
-		$this->defaultTokenProvider->invalidateToken($token);
-		$this->publicKeyTokenProvider->invalidateToken($token);
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->defaultTokenProvider->invalidateTokenById($uid, $id);
-		$this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
-	}
-
-	public function invalidateOldTokens() {
-		$this->defaultTokenProvider->invalidateOldTokens();
-		$this->publicKeyTokenProvider->invalidateOldTokens();
-	}
-
-	/**
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		if ($token instanceof DefaultToken) {
-			try {
-				$password = $this->defaultTokenProvider->getPassword($token, $oldTokenId);
-			} catch (PasswordlessTokenException $e) {
-				$password = null;
-			}
-
-			return $this->publicKeyTokenProvider->convertToken($token, $newTokenId, $password);
-		}
-
-		if ($token instanceof PublicKeyToken) {
-			return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
-		}
-
-		throw new InvalidTokenException();
-	}
-
-	/**
-	 * @param IToken $token
-	 * @return IProvider
-	 * @throws InvalidTokenException
-	 */
-	private function getProvider(IToken $token): IProvider {
-		if ($token instanceof DefaultToken) {
-			return $this->defaultTokenProvider;
-		}
-		if ($token instanceof PublicKeyToken) {
-			return $this->publicKeyTokenProvider;
-		}
-		throw new InvalidTokenException();
-	}
-
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		$this->getProvider($token)->markPasswordInvalid($token, $tokenId);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		$this->defaultTokenProvider->updatePasswords($uid, $password);
-		$this->publicKeyTokenProvider->updatePasswords($uid, $password);
-	}
+    /** @var DefaultTokenProvider */
+    private $defaultTokenProvider;
+
+    /** @var PublicKeyTokenProvider */
+    private $publicKeyTokenProvider;
+
+    public function __construct(DefaultTokenProvider $defaultTokenProvider, PublicKeyTokenProvider $publicKeyTokenProvider) {
+        $this->defaultTokenProvider = $defaultTokenProvider;
+        $this->publicKeyTokenProvider = $publicKeyTokenProvider;
+    }
+
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        return $this->publicKeyTokenProvider->generateToken(
+            $token,
+            $uid,
+            $loginName,
+            $password,
+            $name,
+            $type,
+            $remember
+        );
+    }
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     * @throws InvalidTokenException
+     */
+    public function updateToken(IToken $token) {
+        $provider = $this->getProvider($token);
+        $provider->updateToken($token);
+    }
+
+    /**
+     * Update token activity timestamp
+     *
+     * @throws InvalidTokenException
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token) {
+        $provider = $this->getProvider($token);
+        $provider->updateTokenActivity($token);
+    }
+
+    /**
+     * @param string $uid
+     * @return IToken[]
+     */
+    public function getTokenByUser(string $uid): array {
+        $old = $this->defaultTokenProvider->getTokenByUser($uid);
+        $new = $this->publicKeyTokenProvider->getTokenByUser($uid);
+
+        return array_merge($old, $new);
+    }
+
+    /**
+     * Get a token by token
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->getToken($tokenId);
+        } catch (WipeTokenException $e) {
+            throw $e;
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch(InvalidTokenException $e) {
+            // No worries we try to convert it to a PublicKey Token
+        }
+
+        //Convert!
+        $token = $this->defaultTokenProvider->getToken($tokenId);
+
+        try {
+            $password = $this->defaultTokenProvider->getPassword($token, $tokenId);
+        } catch (PasswordlessTokenException $e) {
+            $password = null;
+        }
+
+        return $this->publicKeyTokenProvider->convertToken($token, $tokenId, $password);
+    }
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->getTokenById($tokenId);
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (WipeTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            return $this->defaultTokenProvider->getTokenById($tokenId);
+        }
+    }
+
+    /**
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            return $this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId);
+        }
+    }
+
+    /**
+     * @param IToken $savedToken
+     * @param string $tokenId session token
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $savedToken, string $tokenId): string {
+        $provider = $this->getProvider($savedToken);
+        return $provider->getPassword($savedToken, $tokenId);
+    }
+
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        $provider = $this->getProvider($token);
+        $provider->setPassword($token, $tokenId, $password);
+    }
+
+    public function invalidateToken(string $token) {
+        $this->defaultTokenProvider->invalidateToken($token);
+        $this->publicKeyTokenProvider->invalidateToken($token);
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->defaultTokenProvider->invalidateTokenById($uid, $id);
+        $this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
+    }
+
+    public function invalidateOldTokens() {
+        $this->defaultTokenProvider->invalidateOldTokens();
+        $this->publicKeyTokenProvider->invalidateOldTokens();
+    }
+
+    /**
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        if ($token instanceof DefaultToken) {
+            try {
+                $password = $this->defaultTokenProvider->getPassword($token, $oldTokenId);
+            } catch (PasswordlessTokenException $e) {
+                $password = null;
+            }
+
+            return $this->publicKeyTokenProvider->convertToken($token, $newTokenId, $password);
+        }
+
+        if ($token instanceof PublicKeyToken) {
+            return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
+        }
+
+        throw new InvalidTokenException();
+    }
+
+    /**
+     * @param IToken $token
+     * @return IProvider
+     * @throws InvalidTokenException
+     */
+    private function getProvider(IToken $token): IProvider {
+        if ($token instanceof DefaultToken) {
+            return $this->defaultTokenProvider;
+        }
+        if ($token instanceof PublicKeyToken) {
+            return $this->publicKeyTokenProvider;
+        }
+        throw new InvalidTokenException();
+    }
+
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        $this->getProvider($token)->markPasswordInvalid($token, $tokenId);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        $this->defaultTokenProvider->updatePasswords($uid, $password);
+        $this->publicKeyTokenProvider->updatePasswords($uid, $password);
+    }
 
 
 }

Please login to merge, or discard this patch.

lib/private/Authentication/Token/DefaultTokenProvider.php 1 patch

Indentation +314 added lines, -314 removed lines patch added patch discarded remove patch

@@ -40,318 +40,318 @@
 block discarded – undo
 
 class DefaultTokenProvider implements IProvider {
 
-	/** @var DefaultTokenMapper */
-	private $mapper;
-
-	/** @var ICrypto */
-	private $crypto;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var ILogger $logger */
-	private $logger;
-
-	/** @var ITimeFactory $time */
-	private $time;
-
-	/**
-	 * @param DefaultTokenMapper $mapper
-	 * @param ICrypto $crypto
-	 * @param IConfig $config
-	 * @param ILogger $logger
-	 * @param ITimeFactory $time
-	 */
-	public function __construct(DefaultTokenMapper $mapper,
-								ICrypto $crypto,
-								IConfig $config,
-								ILogger $logger,
-								ITimeFactory $time) {
-		$this->mapper = $mapper;
-		$this->crypto = $crypto;
-		$this->config = $config;
-		$this->logger = $logger;
-		$this->time = $time;
-	}
-
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		$dbToken = new DefaultToken();
-		$dbToken->setUid($uid);
-		$dbToken->setLoginName($loginName);
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $token));
-		}
-		$dbToken->setName($name);
-		$dbToken->setToken($this->hashToken($token));
-		$dbToken->setType($type);
-		$dbToken->setRemember($remember);
-		$dbToken->setLastActivity($this->time->getTime());
-		$dbToken->setLastCheck($this->time->getTime());
-		$dbToken->setVersion(DefaultToken::VERSION);
-
-		$this->mapper->insert($dbToken);
-
-		return $dbToken;
-	}
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 * @throws InvalidTokenException
-	 */
-	public function updateToken(IToken $token) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException();
-		}
-		$this->mapper->update($token);
-	}
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @throws InvalidTokenException
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException();
-		}
-		/** @var DefaultToken $token */
-		$now = $this->time->getTime();
-		if ($token->getLastActivity() < ($now - 60)) {
-			// Update token only once per minute
-			$token->setLastActivity($now);
-			$this->mapper->update($token);
-		}
-	}
-
-	public function getTokenByUser(string $uid): array {
-		return $this->mapper->getTokenByUser($uid);
-	}
-
-	/**
-	 * Get a token by token
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken {
-		try {
-			$token = $this->mapper->getToken($this->hashToken($tokenId));
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException();
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @throws ExpiredTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			$token = $this->mapper->getTokenById($tokenId);
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException();
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		return $token;
-	}
-
-	/**
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		$token = $this->getToken($oldSessionId);
-
-		$newToken = new DefaultToken();
-		$newToken->setUid($token->getUID());
-		$newToken->setLoginName($token->getLoginName());
-		if (!is_null($token->getPassword())) {
-			$password = $this->decryptPassword($token->getPassword(), $oldSessionId);
-			$newToken->setPassword($this->encryptPassword($password, $sessionId));
-		}
-		$newToken->setName($token->getName());
-		$newToken->setToken($this->hashToken($sessionId));
-		$newToken->setType(IToken::TEMPORARY_TOKEN);
-		$newToken->setRemember($token->getRemember());
-		$newToken->setLastActivity($this->time->getTime());
-		$this->mapper->insert($newToken);
-		$this->mapper->delete($token);
-
-		return $newToken;
-	}
-
-	/**
-	 * @param IToken $savedToken
-	 * @param string $tokenId session token
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string {
-		$password = $savedToken->getPassword();
-		if (is_null($password)) {
-			throw new PasswordlessTokenException();
-		}
-		return $this->decryptPassword($password, $tokenId);
-	}
-
-	/**
-	 * Encrypt and set the password of the given token
-	 *
-	 * @param IToken $token
-	 * @param string $tokenId
-	 * @param string $password
-	 * @throws InvalidTokenException
-	 */
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException();
-		}
-		/** @var DefaultToken $token */
-		$token->setPassword($this->encryptPassword($password, $tokenId));
-		$this->mapper->update($token);
-	}
-
-	/**
-	 * Invalidate (delete) the given session token
-	 *
-	 * @param string $token
-	 */
-	public function invalidateToken(string $token) {
-		$this->mapper->invalidate($this->hashToken($token));
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->mapper->deleteById($uid, $id);
-	}
-
-	/**
-	 * Invalidate (delete) old session tokens
-	 */
-	public function invalidateOldTokens() {
-		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
-		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
-	}
-
-	/**
-	 * Rotate the token. Usefull for for example oauth tokens
-	 *
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		try {
-			$password = $this->getPassword($token, $oldTokenId);
-			$token->setPassword($this->encryptPassword($password, $newTokenId));
-		} catch (PasswordlessTokenException $e) {
-
-		}
-
-		$token->setToken($this->hashToken($newTokenId));
-		$this->updateToken($token);
-
-		return $token;
-	}
-
-	/**
-	 * @param string $token
-	 * @return string
-	 */
-	private function hashToken(string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
-	}
-
-	/**
-	 * Encrypt the given password
-	 *
-	 * The token is used as key
-	 *
-	 * @param string $password
-	 * @param string $token
-	 * @return string encrypted password
-	 */
-	private function encryptPassword(string $password, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($password, $token . $secret);
-	}
-
-	/**
-	 * Decrypt the given password
-	 *
-	 * The token is used as key
-	 *
-	 * @param string $password
-	 * @param string $token
-	 * @throws InvalidTokenException
-	 * @return string the decrypted key
-	 */
-	private function decryptPassword(string $password, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		try {
-			return $this->crypto->decrypt($password, $token . $secret);
-		} catch (Exception $ex) {
-			// Delete the invalid token
-			$this->invalidateToken($token);
-			throw new InvalidTokenException();
-		}
-	}
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		if (!($token instanceof DefaultToken)) {
-			throw new InvalidTokenException();
-		}
-
-		//No need to mark as invalid. We just invalide default tokens
-		$this->invalidateToken($tokenId);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		// Nothing to do here
-	}
+    /** @var DefaultTokenMapper */
+    private $mapper;
+
+    /** @var ICrypto */
+    private $crypto;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var ILogger $logger */
+    private $logger;
+
+    /** @var ITimeFactory $time */
+    private $time;
+
+    /**
+     * @param DefaultTokenMapper $mapper
+     * @param ICrypto $crypto
+     * @param IConfig $config
+     * @param ILogger $logger
+     * @param ITimeFactory $time
+     */
+    public function __construct(DefaultTokenMapper $mapper,
+                                ICrypto $crypto,
+                                IConfig $config,
+                                ILogger $logger,
+                                ITimeFactory $time) {
+        $this->mapper = $mapper;
+        $this->crypto = $crypto;
+        $this->config = $config;
+        $this->logger = $logger;
+        $this->time = $time;
+    }
+
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        $dbToken = new DefaultToken();
+        $dbToken->setUid($uid);
+        $dbToken->setLoginName($loginName);
+        if (!is_null($password)) {
+            $dbToken->setPassword($this->encryptPassword($password, $token));
+        }
+        $dbToken->setName($name);
+        $dbToken->setToken($this->hashToken($token));
+        $dbToken->setType($type);
+        $dbToken->setRemember($remember);
+        $dbToken->setLastActivity($this->time->getTime());
+        $dbToken->setLastCheck($this->time->getTime());
+        $dbToken->setVersion(DefaultToken::VERSION);
+
+        $this->mapper->insert($dbToken);
+
+        return $dbToken;
+    }
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     * @throws InvalidTokenException
+     */
+    public function updateToken(IToken $token) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException();
+        }
+        $this->mapper->update($token);
+    }
+
+    /**
+     * Update token activity timestamp
+     *
+     * @throws InvalidTokenException
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException();
+        }
+        /** @var DefaultToken $token */
+        $now = $this->time->getTime();
+        if ($token->getLastActivity() < ($now - 60)) {
+            // Update token only once per minute
+            $token->setLastActivity($now);
+            $this->mapper->update($token);
+        }
+    }
+
+    public function getTokenByUser(string $uid): array {
+        return $this->mapper->getTokenByUser($uid);
+    }
+
+    /**
+     * Get a token by token
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken {
+        try {
+            $token = $this->mapper->getToken($this->hashToken($tokenId));
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException();
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @throws ExpiredTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            $token = $this->mapper->getTokenById($tokenId);
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException();
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        return $token;
+    }
+
+    /**
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        $token = $this->getToken($oldSessionId);
+
+        $newToken = new DefaultToken();
+        $newToken->setUid($token->getUID());
+        $newToken->setLoginName($token->getLoginName());
+        if (!is_null($token->getPassword())) {
+            $password = $this->decryptPassword($token->getPassword(), $oldSessionId);
+            $newToken->setPassword($this->encryptPassword($password, $sessionId));
+        }
+        $newToken->setName($token->getName());
+        $newToken->setToken($this->hashToken($sessionId));
+        $newToken->setType(IToken::TEMPORARY_TOKEN);
+        $newToken->setRemember($token->getRemember());
+        $newToken->setLastActivity($this->time->getTime());
+        $this->mapper->insert($newToken);
+        $this->mapper->delete($token);
+
+        return $newToken;
+    }
+
+    /**
+     * @param IToken $savedToken
+     * @param string $tokenId session token
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $savedToken, string $tokenId): string {
+        $password = $savedToken->getPassword();
+        if (is_null($password)) {
+            throw new PasswordlessTokenException();
+        }
+        return $this->decryptPassword($password, $tokenId);
+    }
+
+    /**
+     * Encrypt and set the password of the given token
+     *
+     * @param IToken $token
+     * @param string $tokenId
+     * @param string $password
+     * @throws InvalidTokenException
+     */
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException();
+        }
+        /** @var DefaultToken $token */
+        $token->setPassword($this->encryptPassword($password, $tokenId));
+        $this->mapper->update($token);
+    }
+
+    /**
+     * Invalidate (delete) the given session token
+     *
+     * @param string $token
+     */
+    public function invalidateToken(string $token) {
+        $this->mapper->invalidate($this->hashToken($token));
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->mapper->deleteById($uid, $id);
+    }
+
+    /**
+     * Invalidate (delete) old session tokens
+     */
+    public function invalidateOldTokens() {
+        $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+        $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+        $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
+        $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+        $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
+    }
+
+    /**
+     * Rotate the token. Usefull for for example oauth tokens
+     *
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        try {
+            $password = $this->getPassword($token, $oldTokenId);
+            $token->setPassword($this->encryptPassword($password, $newTokenId));
+        } catch (PasswordlessTokenException $e) {
+
+        }
+
+        $token->setToken($this->hashToken($newTokenId));
+        $this->updateToken($token);
+
+        return $token;
+    }
+
+    /**
+     * @param string $token
+     * @return string
+     */
+    private function hashToken(string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return hash('sha512', $token . $secret);
+    }
+
+    /**
+     * Encrypt the given password
+     *
+     * The token is used as key
+     *
+     * @param string $password
+     * @param string $token
+     * @return string encrypted password
+     */
+    private function encryptPassword(string $password, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return $this->crypto->encrypt($password, $token . $secret);
+    }
+
+    /**
+     * Decrypt the given password
+     *
+     * The token is used as key
+     *
+     * @param string $password
+     * @param string $token
+     * @throws InvalidTokenException
+     * @return string the decrypted key
+     */
+    private function decryptPassword(string $password, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        try {
+            return $this->crypto->decrypt($password, $token . $secret);
+        } catch (Exception $ex) {
+            // Delete the invalid token
+            $this->invalidateToken($token);
+            throw new InvalidTokenException();
+        }
+    }
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        if (!($token instanceof DefaultToken)) {
+            throw new InvalidTokenException();
+        }
+
+        //No need to mark as invalid. We just invalide default tokens
+        $this->invalidateToken($tokenId);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        // Nothing to do here
+    }
 }

Please login to merge, or discard this patch.

lib/private/User/Session.php 1 patch

Indentation +919 added lines, -919 removed lines patch added patch discarded remove patch

@@ -88,925 +88,925 @@
 block discarded – undo
  */
 class Session implements IUserSession, Emitter {
 
-	/** @var Manager|PublicEmitter $manager */
-	private $manager;
-
-	/** @var ISession $session */
-	private $session;
-
-	/** @var ITimeFactory */
-	private $timeFactory;
-
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var User $activeUser */
-	protected $activeUser;
-
-	/** @var ISecureRandom */
-	private $random;
-
-	/** @var ILockdownManager  */
-	private $lockdownManager;
-
-	/** @var ILogger */
-	private $logger;
-	/** @var IEventDispatcher */
-	private $dispatcher;
-
-	/**
-	 * @param Manager $manager
-	 * @param ISession $session
-	 * @param ITimeFactory $timeFactory
-	 * @param IProvider $tokenProvider
-	 * @param IConfig $config
-	 * @param ISecureRandom $random
-	 * @param ILockdownManager $lockdownManager
-	 * @param ILogger $logger
-	 */
-	public function __construct(Manager $manager,
-								ISession $session,
-								ITimeFactory $timeFactory,
-								$tokenProvider,
-								IConfig $config,
-								ISecureRandom $random,
-								ILockdownManager $lockdownManager,
-								ILogger $logger,
-								IEventDispatcher $dispatcher) {
-		$this->manager = $manager;
-		$this->session = $session;
-		$this->timeFactory = $timeFactory;
-		$this->tokenProvider = $tokenProvider;
-		$this->config = $config;
-		$this->random = $random;
-		$this->lockdownManager = $lockdownManager;
-		$this->logger = $logger;
-		$this->dispatcher = $dispatcher;
-	}
-
-	/**
-	 * @param IProvider $provider
-	 */
-	public function setTokenProvider(IProvider $provider) {
-		$this->tokenProvider = $provider;
-	}
-
-	/**
-	 * @param string $scope
-	 * @param string $method
-	 * @param callable $callback
-	 */
-	public function listen($scope, $method, callable $callback) {
-		$this->manager->listen($scope, $method, $callback);
-	}
-
-	/**
-	 * @param string $scope optional
-	 * @param string $method optional
-	 * @param callable $callback optional
-	 */
-	public function removeListener($scope = null, $method = null, callable $callback = null) {
-		$this->manager->removeListener($scope, $method, $callback);
-	}
-
-	/**
-	 * get the manager object
-	 *
-	 * @return Manager|PublicEmitter
-	 */
-	public function getManager() {
-		return $this->manager;
-	}
-
-	/**
-	 * get the session object
-	 *
-	 * @return ISession
-	 */
-	public function getSession() {
-		return $this->session;
-	}
-
-	/**
-	 * set the session object
-	 *
-	 * @param ISession $session
-	 */
-	public function setSession(ISession $session) {
-		if ($this->session instanceof ISession) {
-			$this->session->close();
-		}
-		$this->session = $session;
-		$this->activeUser = null;
-	}
-
-	/**
-	 * set the currently active user
-	 *
-	 * @param IUser|null $user
-	 */
-	public function setUser($user) {
-		if (is_null($user)) {
-			$this->session->remove('user_id');
-		} else {
-			$this->session->set('user_id', $user->getUID());
-		}
-		$this->activeUser = $user;
-	}
-
-	/**
-	 * get the current active user
-	 *
-	 * @return IUser|null Current user, otherwise null
-	 */
-	public function getUser() {
-		// FIXME: This is a quick'n dirty work-around for the incognito mode as
-		// described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
-		if (OC_User::isIncognitoMode()) {
-			return null;
-		}
-		if (is_null($this->activeUser)) {
-			$uid = $this->session->get('user_id');
-			if (is_null($uid)) {
-				return null;
-			}
-			$this->activeUser = $this->manager->get($uid);
-			if (is_null($this->activeUser)) {
-				return null;
-			}
-			$this->validateSession();
-		}
-		return $this->activeUser;
-	}
-
-	/**
-	 * Validate whether the current session is valid
-	 *
-	 * - For token-authenticated clients, the token validity is checked
-	 * - For browsers, the session token validity is checked
-	 */
-	protected function validateSession() {
-		$token = null;
-		$appPassword = $this->session->get('app_password');
-
-		if (is_null($appPassword)) {
-			try {
-				$token = $this->session->getId();
-			} catch (SessionNotAvailableException $ex) {
-				return;
-			}
-		} else {
-			$token = $appPassword;
-		}
-
-		if (!$this->validateToken($token)) {
-			// Session was invalidated
-			$this->logout();
-		}
-	}
-
-	/**
-	 * Checks whether the user is logged in
-	 *
-	 * @return bool if logged in
-	 */
-	public function isLoggedIn() {
-		$user = $this->getUser();
-		if (is_null($user)) {
-			return false;
-		}
-
-		return $user->isEnabled();
-	}
-
-	/**
-	 * set the login name
-	 *
-	 * @param string|null $loginName for the logged in user
-	 */
-	public function setLoginName($loginName) {
-		if (is_null($loginName)) {
-			$this->session->remove('loginname');
-		} else {
-			$this->session->set('loginname', $loginName);
-		}
-	}
-
-	/**
-	 * get the login name of the current user
-	 *
-	 * @return string
-	 */
-	public function getLoginName() {
-		if ($this->activeUser) {
-			return $this->session->get('loginname');
-		}
-
-		$uid = $this->session->get('user_id');
-		if ($uid) {
-			$this->activeUser = $this->manager->get($uid);
-			return $this->session->get('loginname');
-		}
-
-		return null;
-	}
-
-	/**
-	 * @return mixed
-	 */
-	public function getImpersonatingUserID(): ?string {
-
-		return $this->session->get('oldUserId');
-
-	}
-
-	public function setImpersonatingUserID(bool $useCurrentUser = true): void {
-		if ($useCurrentUser === false) {
-			$this->session->remove('oldUserId');
-			return;
-		}
-
-		$currentUser = $this->getUser();
-
-		if ($currentUser === null) {
-			throw new \OC\User\NoUserException();
-		}
-		$this->session->set('oldUserId', $currentUser->getUID());
-
-	}
-	/**
-	 * set the token id
-	 *
-	 * @param int|null $token that was used to log in
-	 */
-	protected function setToken($token) {
-		if ($token === null) {
-			$this->session->remove('token-id');
-		} else {
-			$this->session->set('token-id', $token);
-		}
-	}
-
-	/**
-	 * try to log in with the provided credentials
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 * @return boolean|null
-	 * @throws LoginException
-	 */
-	public function login($uid, $password) {
-		$this->session->regenerateId();
-		if ($this->validateToken($password, $uid)) {
-			return $this->loginWithToken($password);
-		}
-		return $this->loginWithPassword($uid, $password);
-	}
-
-	/**
-	 * @param IUser $user
-	 * @param array $loginDetails
-	 * @param bool $regenerateSessionId
-	 * @return true returns true if login successful or an exception otherwise
-	 * @throws LoginException
-	 */
-	public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) {
-		if (!$user->isEnabled()) {
-			// disabled users can not log in
-			// injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
-			$message = \OC::$server->getL10N('lib')->t('User disabled');
-			throw new LoginException($message);
-		}
-
-		if($regenerateSessionId) {
-			$this->session->regenerateId();
-		}
-
-		$this->setUser($user);
-		$this->setLoginName($loginDetails['loginName']);
-
-		$isToken = isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken;
-		if ($isToken) {
-			$this->setToken($loginDetails['token']->getId());
-			$this->lockdownManager->setToken($loginDetails['token']);
-			$firstTimeLogin = false;
-		} else {
-			$this->setToken(null);
-			$firstTimeLogin = $user->updateLastLoginTimestamp();
-		}
-
-		$postLoginEvent = new OC\User\Events\PostLoginEvent(
-			$user,
-			$loginDetails['password'],
-			$isToken
-		);
-		$this->dispatcher->dispatch(OC\User\Events\PostLoginEvent::class, $postLoginEvent);
-
-		$this->manager->emit('\OC\User', 'postLogin', [
-			$user,
-			$loginDetails['password'],
-			$isToken,
-		]);
-		if($this->isLoggedIn()) {
-			$this->prepareUserLogin($firstTimeLogin, $regenerateSessionId);
-			return true;
-		}
-
-		$message = \OC::$server->getL10N('lib')->t('Login canceled by app');
-		throw new LoginException($message);
-	}
-
-	/**
-	 * Tries to log in a client
-	 *
-	 * Checks token auth enforced
-	 * Checks 2FA enabled
-	 *
-	 * @param string $user
-	 * @param string $password
-	 * @param IRequest $request
-	 * @param OC\Security\Bruteforce\Throttler $throttler
-	 * @throws LoginException
-	 * @throws PasswordLoginForbiddenException
-	 * @return boolean
-	 */
-	public function logClientIn($user,
-								$password,
-								IRequest $request,
-								OC\Security\Bruteforce\Throttler $throttler) {
-		$currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');
-
-		if ($this->manager instanceof PublicEmitter) {
-			$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
-		}
-
-		try {
-			$isTokenPassword = $this->isTokenPassword($password);
-		} catch (ExpiredTokenException $e) {
-			// Just return on an expired token no need to check further or record a failed login
-			return false;
-		}
-
-		if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
-			throw new PasswordLoginForbiddenException();
-		}
-		if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
-			throw new PasswordLoginForbiddenException();
-		}
-
-		// Try to login with this username and password
-		if (!$this->login($user, $password) ) {
-
-			// Failed, maybe the user used their email address
-			$users = $this->manager->getByEmail($user);
-			if (!(\count($users) === 1 && $this->login($users[0]->getUID(), $password))) {
-
-				$this->logger->warning('Login failed: \'' . $user . '\' (Remote IP: \'' . \OC::$server->getRequest()->getRemoteAddress() . '\')', ['app' => 'core']);
-
-				$throttler->registerAttempt('login', $request->getRemoteAddress(), ['user' => $user]);
-				if ($currentDelay === 0) {
-					$throttler->sleepDelay($request->getRemoteAddress(), 'login');
-				}
-				return false;
-			}
-		}
-
-		if ($isTokenPassword) {
-			$this->session->set('app_password', $password);
-		} else if($this->supportsCookies($request)) {
-			// Password login, but cookies supported -> create (browser) session token
-			$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
-		}
-
-		return true;
-	}
-
-	protected function supportsCookies(IRequest $request) {
-		if (!is_null($request->getCookie('cookie_test'))) {
-			return true;
-		}
-		setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
-		return false;
-	}
-
-	private function isTokenAuthEnforced() {
-		return $this->config->getSystemValue('token_auth_enforced', false);
-	}
-
-	protected function isTwoFactorEnforced($username) {
-		Util::emitHook(
-			'\OCA\Files_Sharing\API\Server2Server',
-			'preLoginNameUsedAsUserName',
-			array('uid' => &$username)
-		);
-		$user = $this->manager->get($username);
-		if (is_null($user)) {
-			$users = $this->manager->getByEmail($username);
-			if (empty($users)) {
-				return false;
-			}
-			if (count($users) !== 1) {
-				return true;
-			}
-			$user = $users[0];
-		}
-		// DI not possible due to cyclic dependencies :'-/
-		return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
-	}
-
-	/**
-	 * Check if the given 'password' is actually a device token
-	 *
-	 * @param string $password
-	 * @return boolean
-	 * @throws ExpiredTokenException
-	 */
-	public function isTokenPassword($password) {
-		try {
-			$this->tokenProvider->getToken($password);
-			return true;
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-	}
-
-	protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) {
-		if ($refreshCsrfToken) {
-			// TODO: mock/inject/use non-static
-			// Refresh the token
-			\OC::$server->getCsrfTokenManager()->refreshToken();
-		}
-
-		//we need to pass the user name, which may differ from login name
-		$user = $this->getUser()->getUID();
-		OC_Util::setupFS($user);
-
-		if ($firstTimeLogin) {
-			// TODO: lock necessary?
-			//trigger creation of user home and /files folder
-			$userFolder = \OC::$server->getUserFolder($user);
-
-			try {
-				// copy skeleton
-				\OC_Util::copySkeleton($user, $userFolder);
-			} catch (NotPermittedException $ex) {
-				// read only uses
-			}
-
-			// trigger any other initialization
-			\OC::$server->getEventDispatcher()->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
-		}
-	}
-
-	/**
-	 * Tries to login the user with HTTP Basic Authentication
-	 *
-	 * @todo do not allow basic auth if the user is 2FA enforced
-	 * @param IRequest $request
-	 * @param OC\Security\Bruteforce\Throttler $throttler
-	 * @return boolean if the login was successful
-	 */
-	public function tryBasicAuthLogin(IRequest $request,
-									  OC\Security\Bruteforce\Throttler $throttler) {
-		if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
-			try {
-				if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
-					/**
-					 * Add DAV authenticated. This should in an ideal world not be
-					 * necessary but the iOS App reads cookies from anywhere instead
-					 * only the DAV endpoint.
-					 * This makes sure that the cookies will be valid for the whole scope
-					 * @see https://github.com/owncloud/core/issues/22893
-					 */
-					$this->session->set(
-						Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
-					);
-
-					// Set the last-password-confirm session to make the sudo mode work
-					 $this->session->set('last-password-confirm', $this->timeFactory->getTime());
-
-					return true;
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				// Nothing to do
-			}
-		}
-		return false;
-	}
-
-	/**
-	 * Log an user in via login name and password
-	 *
-	 * @param string $uid
-	 * @param string $password
-	 * @return boolean
-	 * @throws LoginException if an app canceld the login process or the user is not enabled
-	 */
-	private function loginWithPassword($uid, $password) {
-		$user = $this->manager->checkPasswordNoLogging($uid, $password);
-		if ($user === false) {
-			// Password check failed
-			return false;
-		}
-
-		return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false);
-	}
-
-	/**
-	 * Log an user in with a given token (id)
-	 *
-	 * @param string $token
-	 * @return boolean
-	 * @throws LoginException if an app canceled the login process or the user is not enabled
-	 */
-	private function loginWithToken($token) {
-		try {
-			$dbToken = $this->tokenProvider->getToken($token);
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-		$uid = $dbToken->getUID();
-
-		// When logging in with token, the password must be decrypted first before passing to login hook
-		$password = '';
-		try {
-			$password = $this->tokenProvider->getPassword($dbToken, $token);
-		} catch (PasswordlessTokenException $ex) {
-			// Ignore and use empty string instead
-		}
-
-		$this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
-
-		$user = $this->manager->get($uid);
-		if (is_null($user)) {
-			// user does not exist
-			return false;
-		}
-
-		return $this->completeLogin(
-			$user,
-			[
-				'loginName' => $dbToken->getLoginName(),
-				'password' => $password,
-				'token' => $dbToken
-			],
-			false);
-	}
-
-	/**
-	 * Create a new session token for the given user credentials
-	 *
-	 * @param IRequest $request
-	 * @param string $uid user UID
-	 * @param string $loginName login name
-	 * @param string $password
-	 * @param int $remember
-	 * @return boolean
-	 */
-	public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {
-		if (is_null($this->manager->get($uid))) {
-			// User does not exist
-			return false;
-		}
-		$name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
-		try {
-			$sessionId = $this->session->getId();
-			$pwd = $this->getPassword($password);
-			// Make sure the current sessionId has no leftover tokens
-			$this->tokenProvider->invalidateToken($sessionId);
-			$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
-			return true;
-		} catch (SessionNotAvailableException $ex) {
-			// This can happen with OCC, where a memory session is used
-			// if a memory session is used, we shouldn't create a session token anyway
-			return false;
-		}
-	}
-
-	/**
-	 * Checks if the given password is a token.
-	 * If yes, the password is extracted from the token.
-	 * If no, the same password is returned.
-	 *
-	 * @param string $password either the login password or a device token
-	 * @return string|null the password or null if none was set in the token
-	 */
-	private function getPassword($password) {
-		if (is_null($password)) {
-			// This is surely no token ;-)
-			return null;
-		}
-		try {
-			$token = $this->tokenProvider->getToken($password);
-			try {
-				return $this->tokenProvider->getPassword($token, $password);
-			} catch (PasswordlessTokenException $ex) {
-				return null;
-			}
-		} catch (InvalidTokenException $ex) {
-			return $password;
-		}
-	}
-
-	/**
-	 * @param IToken $dbToken
-	 * @param string $token
-	 * @return boolean
-	 */
-	private function checkTokenCredentials(IToken $dbToken, $token) {
-		// Check whether login credentials are still valid and the user was not disabled
-		// This check is performed each 5 minutes
-		$lastCheck = $dbToken->getLastCheck() ? : 0;
-		$now = $this->timeFactory->getTime();
-		if ($lastCheck > ($now - 60 * 5)) {
-			// Checked performed recently, nothing to do now
-			return true;
-		}
-
-		try {
-			$pwd = $this->tokenProvider->getPassword($dbToken, $token);
-		} catch (InvalidTokenException $ex) {
-			// An invalid token password was used -> log user out
-			return false;
-		} catch (PasswordlessTokenException $ex) {
-			// Token has no password
-
-			if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
-				$this->tokenProvider->invalidateToken($token);
-				return false;
-			}
-
-			$dbToken->setLastCheck($now);
-			return true;
-		}
-
-		// Invalidate token if the user is no longer active
-		if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
-			$this->tokenProvider->invalidateToken($token);
-			return false;
-		}
-
-		// If the token password is no longer valid mark it as such
-		if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
-			$this->tokenProvider->markPasswordInvalid($dbToken, $token);
-			// User is logged out
-			return false;
-		}
-
-		$dbToken->setLastCheck($now);
-		return true;
-	}
-
-	/**
-	 * Check if the given token exists and performs password/user-enabled checks
-	 *
-	 * Invalidates the token if checks fail
-	 *
-	 * @param string $token
-	 * @param string $user login name
-	 * @return boolean
-	 */
-	private function validateToken($token, $user = null) {
-		try {
-			$dbToken = $this->tokenProvider->getToken($token);
-		} catch (InvalidTokenException $ex) {
-			return false;
-		}
-
-		// Check if login names match
-		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
-			// TODO: this makes it imposssible to use different login names on browser and client
-			// e.g. login by e-mail '[email protected]' on browser for generating the token will not
-			//      allow to use the client token with the login name 'user'.
-			return false;
-		}
-
-		if (!$this->checkTokenCredentials($dbToken, $token)) {
-			return false;
-		}
-
-		// Update token scope
-		$this->lockdownManager->setToken($dbToken);
-
-		$this->tokenProvider->updateTokenActivity($dbToken);
-
-		return true;
-	}
-
-	/**
-	 * Tries to login the user with auth token header
-	 *
-	 * @param IRequest $request
-	 * @todo check remember me cookie
-	 * @return boolean
-	 */
-	public function tryTokenLogin(IRequest $request) {
-		$authHeader = $request->getHeader('Authorization');
-		if (strpos($authHeader, 'Bearer ') === false) {
-			// No auth header, let's try session id
-			try {
-				$token = $this->session->getId();
-			} catch (SessionNotAvailableException $ex) {
-				return false;
-			}
-		} else {
-			$token = substr($authHeader, 7);
-		}
-
-		if (!$this->loginWithToken($token)) {
-			return false;
-		}
-		if(!$this->validateToken($token)) {
-			return false;
-		}
-
-		// Set the session variable so we know this is an app password
-		$this->session->set('app_password', $token);
-
-		return true;
-	}
-
-	/**
-	 * perform login using the magic cookie (remember login)
-	 *
-	 * @param string $uid the username
-	 * @param string $currentToken
-	 * @param string $oldSessionId
-	 * @return bool
-	 */
-	public function loginWithCookie($uid, $currentToken, $oldSessionId) {
-		$this->session->regenerateId();
-		$this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
-		$user = $this->manager->get($uid);
-		if (is_null($user)) {
-			// user does not exist
-			return false;
-		}
-
-		// get stored tokens
-		$tokens = $this->config->getUserKeys($uid, 'login_token');
-		// test cookies token against stored tokens
-		if (!in_array($currentToken, $tokens, true)) {
-			return false;
-		}
-		// replace successfully used token with a new one
-		$this->config->deleteUserValue($uid, 'login_token', $currentToken);
-		$newToken = $this->random->generate(32);
-		$this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
-
-		try {
-			$sessionId = $this->session->getId();
-			$token = $this->tokenProvider->renewSessionToken($oldSessionId, $sessionId);
-		} catch (SessionNotAvailableException $ex) {
-			return false;
-		} catch (InvalidTokenException $ex) {
-			\OC::$server->getLogger()->warning('Renewing session token failed', ['app' => 'core']);
-			return false;
-		}
-
-		$this->setMagicInCookie($user->getUID(), $newToken);
-
-		//login
-		$this->setUser($user);
-		$this->setLoginName($token->getLoginName());
-		$this->setToken($token->getId());
-		$this->lockdownManager->setToken($token);
-		$user->updateLastLoginTimestamp();
-		$password = null;
-		try {
-			$password = $this->tokenProvider->getPassword($token, $sessionId);
-		} catch (PasswordlessTokenException $ex) {
-			// Ignore
-		}
-		$this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]);
-		return true;
-	}
-
-	/**
-	 * @param IUser $user
-	 */
-	public function createRememberMeToken(IUser $user) {
-		$token = $this->random->generate(32);
-		$this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
-		$this->setMagicInCookie($user->getUID(), $token);
-	}
-
-	/**
-	 * logout the user from the session
-	 */
-	public function logout() {
-		$this->manager->emit('\OC\User', 'logout');
-		$user = $this->getUser();
-		if (!is_null($user)) {
-			try {
-				$this->tokenProvider->invalidateToken($this->session->getId());
-			} catch (SessionNotAvailableException $ex) {
-
-			}
-		}
-		$this->setUser(null);
-		$this->setLoginName(null);
-		$this->setToken(null);
-		$this->unsetMagicInCookie();
-		$this->session->clear();
-		$this->manager->emit('\OC\User', 'postLogout');
-	}
-
-	/**
-	 * Set cookie value to use in next page load
-	 *
-	 * @param string $username username to be set
-	 * @param string $token
-	 */
-	public function setMagicInCookie($username, $token) {
-		$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
-		$webRoot = \OC::$WEBROOT;
-		if ($webRoot === '') {
-			$webRoot = '/';
-		}
-
-		$maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		\OC\Http\CookieHelper::setCookie(
-			'nc_username',
-			$username,
-			$maxAge,
-			$webRoot,
-			'',
-			$secureCookie,
-			true,
-			\OC\Http\CookieHelper::SAMESITE_LAX
-		);
-		\OC\Http\CookieHelper::setCookie(
-			'nc_token',
-			$token,
-			$maxAge,
-			$webRoot,
-			'',
-			$secureCookie,
-			true,
-			\OC\Http\CookieHelper::SAMESITE_LAX
-		);
-		try {
-			\OC\Http\CookieHelper::setCookie(
-				'nc_session_id',
-				$this->session->getId(),
-				$maxAge,
-				$webRoot,
-				'',
-				$secureCookie,
-				true,
-				\OC\Http\CookieHelper::SAMESITE_LAX
-			);
-		} catch (SessionNotAvailableException $ex) {
-			// ignore
-		}
-	}
-
-	/**
-	 * Remove cookie for "remember username"
-	 */
-	public function unsetMagicInCookie() {
-		//TODO: DI for cookies and IRequest
-		$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
-
-		unset($_COOKIE['nc_username']); //TODO: DI
-		unset($_COOKIE['nc_token']);
-		unset($_COOKIE['nc_session_id']);
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		// old cookies might be stored under /webroot/ instead of /webroot
-		// and Firefox doesn't like it!
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-	}
-
-	/**
-	 * Update password of the browser session token if there is one
-	 *
-	 * @param string $password
-	 */
-	public function updateSessionTokenPassword($password) {
-		try {
-			$sessionId = $this->session->getId();
-			$token = $this->tokenProvider->getToken($sessionId);
-			$this->tokenProvider->setPassword($token, $sessionId, $password);
-		} catch (SessionNotAvailableException $ex) {
-			// Nothing to do
-		} catch (InvalidTokenException $ex) {
-			// Nothing to do
-		}
-	}
-
-	public function updateTokens(string $uid, string $password) {
-		$this->tokenProvider->updatePasswords($uid, $password);
-	}
+    /** @var Manager|PublicEmitter $manager */
+    private $manager;
+
+    /** @var ISession $session */
+    private $session;
+
+    /** @var ITimeFactory */
+    private $timeFactory;
+
+    /** @var IProvider */
+    private $tokenProvider;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var User $activeUser */
+    protected $activeUser;
+
+    /** @var ISecureRandom */
+    private $random;
+
+    /** @var ILockdownManager  */
+    private $lockdownManager;
+
+    /** @var ILogger */
+    private $logger;
+    /** @var IEventDispatcher */
+    private $dispatcher;
+
+    /**
+     * @param Manager $manager
+     * @param ISession $session
+     * @param ITimeFactory $timeFactory
+     * @param IProvider $tokenProvider
+     * @param IConfig $config
+     * @param ISecureRandom $random
+     * @param ILockdownManager $lockdownManager
+     * @param ILogger $logger
+     */
+    public function __construct(Manager $manager,
+                                ISession $session,
+                                ITimeFactory $timeFactory,
+                                $tokenProvider,
+                                IConfig $config,
+                                ISecureRandom $random,
+                                ILockdownManager $lockdownManager,
+                                ILogger $logger,
+                                IEventDispatcher $dispatcher) {
+        $this->manager = $manager;
+        $this->session = $session;
+        $this->timeFactory = $timeFactory;
+        $this->tokenProvider = $tokenProvider;
+        $this->config = $config;
+        $this->random = $random;
+        $this->lockdownManager = $lockdownManager;
+        $this->logger = $logger;
+        $this->dispatcher = $dispatcher;
+    }
+
+    /**
+     * @param IProvider $provider
+     */
+    public function setTokenProvider(IProvider $provider) {
+        $this->tokenProvider = $provider;
+    }
+
+    /**
+     * @param string $scope
+     * @param string $method
+     * @param callable $callback
+     */
+    public function listen($scope, $method, callable $callback) {
+        $this->manager->listen($scope, $method, $callback);
+    }
+
+    /**
+     * @param string $scope optional
+     * @param string $method optional
+     * @param callable $callback optional
+     */
+    public function removeListener($scope = null, $method = null, callable $callback = null) {
+        $this->manager->removeListener($scope, $method, $callback);
+    }
+
+    /**
+     * get the manager object
+     *
+     * @return Manager|PublicEmitter
+     */
+    public function getManager() {
+        return $this->manager;
+    }
+
+    /**
+     * get the session object
+     *
+     * @return ISession
+     */
+    public function getSession() {
+        return $this->session;
+    }
+
+    /**
+     * set the session object
+     *
+     * @param ISession $session
+     */
+    public function setSession(ISession $session) {
+        if ($this->session instanceof ISession) {
+            $this->session->close();
+        }
+        $this->session = $session;
+        $this->activeUser = null;
+    }
+
+    /**
+     * set the currently active user
+     *
+     * @param IUser|null $user
+     */
+    public function setUser($user) {
+        if (is_null($user)) {
+            $this->session->remove('user_id');
+        } else {
+            $this->session->set('user_id', $user->getUID());
+        }
+        $this->activeUser = $user;
+    }
+
+    /**
+     * get the current active user
+     *
+     * @return IUser|null Current user, otherwise null
+     */
+    public function getUser() {
+        // FIXME: This is a quick'n dirty work-around for the incognito mode as
+        // described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
+        if (OC_User::isIncognitoMode()) {
+            return null;
+        }
+        if (is_null($this->activeUser)) {
+            $uid = $this->session->get('user_id');
+            if (is_null($uid)) {
+                return null;
+            }
+            $this->activeUser = $this->manager->get($uid);
+            if (is_null($this->activeUser)) {
+                return null;
+            }
+            $this->validateSession();
+        }
+        return $this->activeUser;
+    }
+
+    /**
+     * Validate whether the current session is valid
+     *
+     * - For token-authenticated clients, the token validity is checked
+     * - For browsers, the session token validity is checked
+     */
+    protected function validateSession() {
+        $token = null;
+        $appPassword = $this->session->get('app_password');
+
+        if (is_null($appPassword)) {
+            try {
+                $token = $this->session->getId();
+            } catch (SessionNotAvailableException $ex) {
+                return;
+            }
+        } else {
+            $token = $appPassword;
+        }
+
+        if (!$this->validateToken($token)) {
+            // Session was invalidated
+            $this->logout();
+        }
+    }
+
+    /**
+     * Checks whether the user is logged in
+     *
+     * @return bool if logged in
+     */
+    public function isLoggedIn() {
+        $user = $this->getUser();
+        if (is_null($user)) {
+            return false;
+        }
+
+        return $user->isEnabled();
+    }
+
+    /**
+     * set the login name
+     *
+     * @param string|null $loginName for the logged in user
+     */
+    public function setLoginName($loginName) {
+        if (is_null($loginName)) {
+            $this->session->remove('loginname');
+        } else {
+            $this->session->set('loginname', $loginName);
+        }
+    }
+
+    /**
+     * get the login name of the current user
+     *
+     * @return string
+     */
+    public function getLoginName() {
+        if ($this->activeUser) {
+            return $this->session->get('loginname');
+        }
+
+        $uid = $this->session->get('user_id');
+        if ($uid) {
+            $this->activeUser = $this->manager->get($uid);
+            return $this->session->get('loginname');
+        }
+
+        return null;
+    }
+
+    /**
+     * @return mixed
+     */
+    public function getImpersonatingUserID(): ?string {
+
+        return $this->session->get('oldUserId');
+
+    }
+
+    public function setImpersonatingUserID(bool $useCurrentUser = true): void {
+        if ($useCurrentUser === false) {
+            $this->session->remove('oldUserId');
+            return;
+        }
+
+        $currentUser = $this->getUser();
+
+        if ($currentUser === null) {
+            throw new \OC\User\NoUserException();
+        }
+        $this->session->set('oldUserId', $currentUser->getUID());
+
+    }
+    /**
+     * set the token id
+     *
+     * @param int|null $token that was used to log in
+     */
+    protected function setToken($token) {
+        if ($token === null) {
+            $this->session->remove('token-id');
+        } else {
+            $this->session->set('token-id', $token);
+        }
+    }
+
+    /**
+     * try to log in with the provided credentials
+     *
+     * @param string $uid
+     * @param string $password
+     * @return boolean|null
+     * @throws LoginException
+     */
+    public function login($uid, $password) {
+        $this->session->regenerateId();
+        if ($this->validateToken($password, $uid)) {
+            return $this->loginWithToken($password);
+        }
+        return $this->loginWithPassword($uid, $password);
+    }
+
+    /**
+     * @param IUser $user
+     * @param array $loginDetails
+     * @param bool $regenerateSessionId
+     * @return true returns true if login successful or an exception otherwise
+     * @throws LoginException
+     */
+    public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) {
+        if (!$user->isEnabled()) {
+            // disabled users can not log in
+            // injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
+            $message = \OC::$server->getL10N('lib')->t('User disabled');
+            throw new LoginException($message);
+        }
+
+        if($regenerateSessionId) {
+            $this->session->regenerateId();
+        }
+
+        $this->setUser($user);
+        $this->setLoginName($loginDetails['loginName']);
+
+        $isToken = isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken;
+        if ($isToken) {
+            $this->setToken($loginDetails['token']->getId());
+            $this->lockdownManager->setToken($loginDetails['token']);
+            $firstTimeLogin = false;
+        } else {
+            $this->setToken(null);
+            $firstTimeLogin = $user->updateLastLoginTimestamp();
+        }
+
+        $postLoginEvent = new OC\User\Events\PostLoginEvent(
+            $user,
+            $loginDetails['password'],
+            $isToken
+        );
+        $this->dispatcher->dispatch(OC\User\Events\PostLoginEvent::class, $postLoginEvent);
+
+        $this->manager->emit('\OC\User', 'postLogin', [
+            $user,
+            $loginDetails['password'],
+            $isToken,
+        ]);
+        if($this->isLoggedIn()) {
+            $this->prepareUserLogin($firstTimeLogin, $regenerateSessionId);
+            return true;
+        }
+
+        $message = \OC::$server->getL10N('lib')->t('Login canceled by app');
+        throw new LoginException($message);
+    }
+
+    /**
+     * Tries to log in a client
+     *
+     * Checks token auth enforced
+     * Checks 2FA enabled
+     *
+     * @param string $user
+     * @param string $password
+     * @param IRequest $request
+     * @param OC\Security\Bruteforce\Throttler $throttler
+     * @throws LoginException
+     * @throws PasswordLoginForbiddenException
+     * @return boolean
+     */
+    public function logClientIn($user,
+                                $password,
+                                IRequest $request,
+                                OC\Security\Bruteforce\Throttler $throttler) {
+        $currentDelay = $throttler->sleepDelay($request->getRemoteAddress(), 'login');
+
+        if ($this->manager instanceof PublicEmitter) {
+            $this->manager->emit('\OC\User', 'preLogin', array($user, $password));
+        }
+
+        try {
+            $isTokenPassword = $this->isTokenPassword($password);
+        } catch (ExpiredTokenException $e) {
+            // Just return on an expired token no need to check further or record a failed login
+            return false;
+        }
+
+        if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
+            throw new PasswordLoginForbiddenException();
+        }
+        if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
+            throw new PasswordLoginForbiddenException();
+        }
+
+        // Try to login with this username and password
+        if (!$this->login($user, $password) ) {
+
+            // Failed, maybe the user used their email address
+            $users = $this->manager->getByEmail($user);
+            if (!(\count($users) === 1 && $this->login($users[0]->getUID(), $password))) {
+
+                $this->logger->warning('Login failed: \'' . $user . '\' (Remote IP: \'' . \OC::$server->getRequest()->getRemoteAddress() . '\')', ['app' => 'core']);
+
+                $throttler->registerAttempt('login', $request->getRemoteAddress(), ['user' => $user]);
+                if ($currentDelay === 0) {
+                    $throttler->sleepDelay($request->getRemoteAddress(), 'login');
+                }
+                return false;
+            }
+        }
+
+        if ($isTokenPassword) {
+            $this->session->set('app_password', $password);
+        } else if($this->supportsCookies($request)) {
+            // Password login, but cookies supported -> create (browser) session token
+            $this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
+        }
+
+        return true;
+    }
+
+    protected function supportsCookies(IRequest $request) {
+        if (!is_null($request->getCookie('cookie_test'))) {
+            return true;
+        }
+        setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
+        return false;
+    }
+
+    private function isTokenAuthEnforced() {
+        return $this->config->getSystemValue('token_auth_enforced', false);
+    }
+
+    protected function isTwoFactorEnforced($username) {
+        Util::emitHook(
+            '\OCA\Files_Sharing\API\Server2Server',
+            'preLoginNameUsedAsUserName',
+            array('uid' => &$username)
+        );
+        $user = $this->manager->get($username);
+        if (is_null($user)) {
+            $users = $this->manager->getByEmail($username);
+            if (empty($users)) {
+                return false;
+            }
+            if (count($users) !== 1) {
+                return true;
+            }
+            $user = $users[0];
+        }
+        // DI not possible due to cyclic dependencies :'-/
+        return OC::$server->getTwoFactorAuthManager()->isTwoFactorAuthenticated($user);
+    }
+
+    /**
+     * Check if the given 'password' is actually a device token
+     *
+     * @param string $password
+     * @return boolean
+     * @throws ExpiredTokenException
+     */
+    public function isTokenPassword($password) {
+        try {
+            $this->tokenProvider->getToken($password);
+            return true;
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+    }
+
+    protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) {
+        if ($refreshCsrfToken) {
+            // TODO: mock/inject/use non-static
+            // Refresh the token
+            \OC::$server->getCsrfTokenManager()->refreshToken();
+        }
+
+        //we need to pass the user name, which may differ from login name
+        $user = $this->getUser()->getUID();
+        OC_Util::setupFS($user);
+
+        if ($firstTimeLogin) {
+            // TODO: lock necessary?
+            //trigger creation of user home and /files folder
+            $userFolder = \OC::$server->getUserFolder($user);
+
+            try {
+                // copy skeleton
+                \OC_Util::copySkeleton($user, $userFolder);
+            } catch (NotPermittedException $ex) {
+                // read only uses
+            }
+
+            // trigger any other initialization
+            \OC::$server->getEventDispatcher()->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
+        }
+    }
+
+    /**
+     * Tries to login the user with HTTP Basic Authentication
+     *
+     * @todo do not allow basic auth if the user is 2FA enforced
+     * @param IRequest $request
+     * @param OC\Security\Bruteforce\Throttler $throttler
+     * @return boolean if the login was successful
+     */
+    public function tryBasicAuthLogin(IRequest $request,
+                                        OC\Security\Bruteforce\Throttler $throttler) {
+        if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
+            try {
+                if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
+                    /**
+                     * Add DAV authenticated. This should in an ideal world not be
+                     * necessary but the iOS App reads cookies from anywhere instead
+                     * only the DAV endpoint.
+                     * This makes sure that the cookies will be valid for the whole scope
+                     * @see https://github.com/owncloud/core/issues/22893
+                     */
+                    $this->session->set(
+                        Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
+                    );
+
+                    // Set the last-password-confirm session to make the sudo mode work
+                        $this->session->set('last-password-confirm', $this->timeFactory->getTime());
+
+                    return true;
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                // Nothing to do
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Log an user in via login name and password
+     *
+     * @param string $uid
+     * @param string $password
+     * @return boolean
+     * @throws LoginException if an app canceld the login process or the user is not enabled
+     */
+    private function loginWithPassword($uid, $password) {
+        $user = $this->manager->checkPasswordNoLogging($uid, $password);
+        if ($user === false) {
+            // Password check failed
+            return false;
+        }
+
+        return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false);
+    }
+
+    /**
+     * Log an user in with a given token (id)
+     *
+     * @param string $token
+     * @return boolean
+     * @throws LoginException if an app canceled the login process or the user is not enabled
+     */
+    private function loginWithToken($token) {
+        try {
+            $dbToken = $this->tokenProvider->getToken($token);
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+        $uid = $dbToken->getUID();
+
+        // When logging in with token, the password must be decrypted first before passing to login hook
+        $password = '';
+        try {
+            $password = $this->tokenProvider->getPassword($dbToken, $token);
+        } catch (PasswordlessTokenException $ex) {
+            // Ignore and use empty string instead
+        }
+
+        $this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
+
+        $user = $this->manager->get($uid);
+        if (is_null($user)) {
+            // user does not exist
+            return false;
+        }
+
+        return $this->completeLogin(
+            $user,
+            [
+                'loginName' => $dbToken->getLoginName(),
+                'password' => $password,
+                'token' => $dbToken
+            ],
+            false);
+    }
+
+    /**
+     * Create a new session token for the given user credentials
+     *
+     * @param IRequest $request
+     * @param string $uid user UID
+     * @param string $loginName login name
+     * @param string $password
+     * @param int $remember
+     * @return boolean
+     */
+    public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {
+        if (is_null($this->manager->get($uid))) {
+            // User does not exist
+            return false;
+        }
+        $name = isset($request->server['HTTP_USER_AGENT']) ? $request->server['HTTP_USER_AGENT'] : 'unknown browser';
+        try {
+            $sessionId = $this->session->getId();
+            $pwd = $this->getPassword($password);
+            // Make sure the current sessionId has no leftover tokens
+            $this->tokenProvider->invalidateToken($sessionId);
+            $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
+            return true;
+        } catch (SessionNotAvailableException $ex) {
+            // This can happen with OCC, where a memory session is used
+            // if a memory session is used, we shouldn't create a session token anyway
+            return false;
+        }
+    }
+
+    /**
+     * Checks if the given password is a token.
+     * If yes, the password is extracted from the token.
+     * If no, the same password is returned.
+     *
+     * @param string $password either the login password or a device token
+     * @return string|null the password or null if none was set in the token
+     */
+    private function getPassword($password) {
+        if (is_null($password)) {
+            // This is surely no token ;-)
+            return null;
+        }
+        try {
+            $token = $this->tokenProvider->getToken($password);
+            try {
+                return $this->tokenProvider->getPassword($token, $password);
+            } catch (PasswordlessTokenException $ex) {
+                return null;
+            }
+        } catch (InvalidTokenException $ex) {
+            return $password;
+        }
+    }
+
+    /**
+     * @param IToken $dbToken
+     * @param string $token
+     * @return boolean
+     */
+    private function checkTokenCredentials(IToken $dbToken, $token) {
+        // Check whether login credentials are still valid and the user was not disabled
+        // This check is performed each 5 minutes
+        $lastCheck = $dbToken->getLastCheck() ? : 0;
+        $now = $this->timeFactory->getTime();
+        if ($lastCheck > ($now - 60 * 5)) {
+            // Checked performed recently, nothing to do now
+            return true;
+        }
+
+        try {
+            $pwd = $this->tokenProvider->getPassword($dbToken, $token);
+        } catch (InvalidTokenException $ex) {
+            // An invalid token password was used -> log user out
+            return false;
+        } catch (PasswordlessTokenException $ex) {
+            // Token has no password
+
+            if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
+                $this->tokenProvider->invalidateToken($token);
+                return false;
+            }
+
+            $dbToken->setLastCheck($now);
+            return true;
+        }
+
+        // Invalidate token if the user is no longer active
+        if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
+            $this->tokenProvider->invalidateToken($token);
+            return false;
+        }
+
+        // If the token password is no longer valid mark it as such
+        if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
+            $this->tokenProvider->markPasswordInvalid($dbToken, $token);
+            // User is logged out
+            return false;
+        }
+
+        $dbToken->setLastCheck($now);
+        return true;
+    }
+
+    /**
+     * Check if the given token exists and performs password/user-enabled checks
+     *
+     * Invalidates the token if checks fail
+     *
+     * @param string $token
+     * @param string $user login name
+     * @return boolean
+     */
+    private function validateToken($token, $user = null) {
+        try {
+            $dbToken = $this->tokenProvider->getToken($token);
+        } catch (InvalidTokenException $ex) {
+            return false;
+        }
+
+        // Check if login names match
+        if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+            // TODO: this makes it imposssible to use different login names on browser and client
+            // e.g. login by e-mail '[email protected]' on browser for generating the token will not
+            //      allow to use the client token with the login name 'user'.
+            return false;
+        }
+
+        if (!$this->checkTokenCredentials($dbToken, $token)) {
+            return false;
+        }
+
+        // Update token scope
+        $this->lockdownManager->setToken($dbToken);
+
+        $this->tokenProvider->updateTokenActivity($dbToken);
+
+        return true;
+    }
+
+    /**
+     * Tries to login the user with auth token header
+     *
+     * @param IRequest $request
+     * @todo check remember me cookie
+     * @return boolean
+     */
+    public function tryTokenLogin(IRequest $request) {
+        $authHeader = $request->getHeader('Authorization');
+        if (strpos($authHeader, 'Bearer ') === false) {
+            // No auth header, let's try session id
+            try {
+                $token = $this->session->getId();
+            } catch (SessionNotAvailableException $ex) {
+                return false;
+            }
+        } else {
+            $token = substr($authHeader, 7);
+        }
+
+        if (!$this->loginWithToken($token)) {
+            return false;
+        }
+        if(!$this->validateToken($token)) {
+            return false;
+        }
+
+        // Set the session variable so we know this is an app password
+        $this->session->set('app_password', $token);
+
+        return true;
+    }
+
+    /**
+     * perform login using the magic cookie (remember login)
+     *
+     * @param string $uid the username
+     * @param string $currentToken
+     * @param string $oldSessionId
+     * @return bool
+     */
+    public function loginWithCookie($uid, $currentToken, $oldSessionId) {
+        $this->session->regenerateId();
+        $this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
+        $user = $this->manager->get($uid);
+        if (is_null($user)) {
+            // user does not exist
+            return false;
+        }
+
+        // get stored tokens
+        $tokens = $this->config->getUserKeys($uid, 'login_token');
+        // test cookies token against stored tokens
+        if (!in_array($currentToken, $tokens, true)) {
+            return false;
+        }
+        // replace successfully used token with a new one
+        $this->config->deleteUserValue($uid, 'login_token', $currentToken);
+        $newToken = $this->random->generate(32);
+        $this->config->setUserValue($uid, 'login_token', $newToken, $this->timeFactory->getTime());
+
+        try {
+            $sessionId = $this->session->getId();
+            $token = $this->tokenProvider->renewSessionToken($oldSessionId, $sessionId);
+        } catch (SessionNotAvailableException $ex) {
+            return false;
+        } catch (InvalidTokenException $ex) {
+            \OC::$server->getLogger()->warning('Renewing session token failed', ['app' => 'core']);
+            return false;
+        }
+
+        $this->setMagicInCookie($user->getUID(), $newToken);
+
+        //login
+        $this->setUser($user);
+        $this->setLoginName($token->getLoginName());
+        $this->setToken($token->getId());
+        $this->lockdownManager->setToken($token);
+        $user->updateLastLoginTimestamp();
+        $password = null;
+        try {
+            $password = $this->tokenProvider->getPassword($token, $sessionId);
+        } catch (PasswordlessTokenException $ex) {
+            // Ignore
+        }
+        $this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]);
+        return true;
+    }
+
+    /**
+     * @param IUser $user
+     */
+    public function createRememberMeToken(IUser $user) {
+        $token = $this->random->generate(32);
+        $this->config->setUserValue($user->getUID(), 'login_token', $token, $this->timeFactory->getTime());
+        $this->setMagicInCookie($user->getUID(), $token);
+    }
+
+    /**
+     * logout the user from the session
+     */
+    public function logout() {
+        $this->manager->emit('\OC\User', 'logout');
+        $user = $this->getUser();
+        if (!is_null($user)) {
+            try {
+                $this->tokenProvider->invalidateToken($this->session->getId());
+            } catch (SessionNotAvailableException $ex) {
+
+            }
+        }
+        $this->setUser(null);
+        $this->setLoginName(null);
+        $this->setToken(null);
+        $this->unsetMagicInCookie();
+        $this->session->clear();
+        $this->manager->emit('\OC\User', 'postLogout');
+    }
+
+    /**
+     * Set cookie value to use in next page load
+     *
+     * @param string $username username to be set
+     * @param string $token
+     */
+    public function setMagicInCookie($username, $token) {
+        $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
+        $webRoot = \OC::$WEBROOT;
+        if ($webRoot === '') {
+            $webRoot = '/';
+        }
+
+        $maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        \OC\Http\CookieHelper::setCookie(
+            'nc_username',
+            $username,
+            $maxAge,
+            $webRoot,
+            '',
+            $secureCookie,
+            true,
+            \OC\Http\CookieHelper::SAMESITE_LAX
+        );
+        \OC\Http\CookieHelper::setCookie(
+            'nc_token',
+            $token,
+            $maxAge,
+            $webRoot,
+            '',
+            $secureCookie,
+            true,
+            \OC\Http\CookieHelper::SAMESITE_LAX
+        );
+        try {
+            \OC\Http\CookieHelper::setCookie(
+                'nc_session_id',
+                $this->session->getId(),
+                $maxAge,
+                $webRoot,
+                '',
+                $secureCookie,
+                true,
+                \OC\Http\CookieHelper::SAMESITE_LAX
+            );
+        } catch (SessionNotAvailableException $ex) {
+            // ignore
+        }
+    }
+
+    /**
+     * Remove cookie for "remember username"
+     */
+    public function unsetMagicInCookie() {
+        //TODO: DI for cookies and IRequest
+        $secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
+
+        unset($_COOKIE['nc_username']); //TODO: DI
+        unset($_COOKIE['nc_token']);
+        unset($_COOKIE['nc_session_id']);
+        setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+        // old cookies might be stored under /webroot/ instead of /webroot
+        // and Firefox doesn't like it!
+        setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+        setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+        setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+    }
+
+    /**
+     * Update password of the browser session token if there is one
+     *
+     * @param string $password
+     */
+    public function updateSessionTokenPassword($password) {
+        try {
+            $sessionId = $this->session->getId();
+            $token = $this->tokenProvider->getToken($sessionId);
+            $this->tokenProvider->setPassword($token, $sessionId, $password);
+        } catch (SessionNotAvailableException $ex) {
+            // Nothing to do
+        } catch (InvalidTokenException $ex) {
+            // Nothing to do
+        }
+    }
+
+    public function updateTokens(string $uid, string $password) {
+        $this->tokenProvider->updatePasswords($uid, $password);
+    }
 
 
 }

Please login to merge, or discard this patch.

		@@ -34,150 +34,150 @@
		block discarded – undo
34	34	interface IProvider {
35	35
36	36
37		- /**
38		- * Create and persist a new token
39		- *
40		- * @param string $token
41		- * @param string $uid
42		- * @param string $loginName
43		- * @param string\|null $password
44		- * @param string $name
45		- * @param int $type token type
46		- * @param int $remember whether the session token should be used for remember-me
47		- * @return IToken
48		- * @throws \RuntimeException when OpenSSL reports a problem
49		- */
50		- public function generateToken(string $token,
51		- string $uid,
52		- string $loginName,
53		- $password,
54		- string $name,
55		- int $type = IToken::TEMPORARY_TOKEN,
56		- int $remember = IToken::DO_NOT_REMEMBER): IToken;
57		-
58		- /**
59		- * Get a token by token id
60		- *
61		- * @param string $tokenId
62		- * @throws InvalidTokenException
63		- * @throws ExpiredTokenException
64		- * @throws WipeTokenException
65		- * @return IToken
66		- */
67		- public function getToken(string $tokenId): IToken;
68		-
69		- /**
70		- * Get a token by token id
71		- *
72		- * @param int $tokenId
73		- * @throws InvalidTokenException
74		- * @throws ExpiredTokenException
75		- * @throws WipeTokenException
76		- * @return IToken
77		- */
78		- public function getTokenById(int $tokenId): IToken;
79		-
80		- /**
81		- * Duplicate an existing session token
82		- *
83		- * @param string $oldSessionId
84		- * @param string $sessionId
85		- * @throws InvalidTokenException
86		- * @throws \RuntimeException when OpenSSL reports a problem
87		- * @return IToken The new token
88		- */
89		- public function renewSessionToken(string $oldSessionId, string $sessionId): IToken;
90		-
91		- /**
92		- * Invalidate (delete) the given session token
93		- *
94		- * @param string $token
95		- */
96		- public function invalidateToken(string $token);
97		-
98		- /**
99		- * Invalidate (delete) the given token
100		- *
101		- * @param string $uid
102		- * @param int $id
103		- */
104		- public function invalidateTokenById(string $uid, int $id);
105		-
106		- /**
107		- * Invalidate (delete) old session tokens
108		- */
109		- public function invalidateOldTokens();
110		-
111		- /**
112		- * Save the updated token
113		- *
114		- * @param IToken $token
115		- */
116		- public function updateToken(IToken $token);
117		-
118		- /**
119		- * Update token activity timestamp
120		- *
121		- * @param IToken $token
122		- */
123		- public function updateTokenActivity(IToken $token);
124		-
125		- /**
126		- * Get all tokens of a user
127		- *
128		- * The provider may limit the number of result rows in case of an abuse
129		- * where a high number of (session) tokens is generated
130		- *
131		- * @param string $uid
132		- * @return IToken[]
133		- */
134		- public function getTokenByUser(string $uid): array;
135		-
136		- /**
137		- * Get the (unencrypted) password of the given token
138		- *
139		- * @param IToken $token
140		- * @param string $tokenId
141		- * @throws InvalidTokenException
142		- * @throws PasswordlessTokenException
143		- * @return string
144		- */
145		- public function getPassword(IToken $token, string $tokenId): string;
146		-
147		- /**
148		- * Encrypt and set the password of the given token
149		- *
150		- * @param IToken $token
151		- * @param string $tokenId
152		- * @param string $password
153		- * @throws InvalidTokenException
154		- */
155		- public function setPassword(IToken $token, string $tokenId, string $password);
156		-
157		- /**
158		- * Rotate the token. Usefull for for example oauth tokens
159		- *
160		- * @param IToken $token
161		- * @param string $oldTokenId
162		- * @param string $newTokenId
163		- * @return IToken
164		- * @throws \RuntimeException when OpenSSL reports a problem
165		- */
166		- public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
167		-
168		- /**
169		- * Marks a token as having an invalid password.
170		- *
171		- * @param IToken $token
172		- * @param string $tokenId
173		- */
174		- public function markPasswordInvalid(IToken $token, string $tokenId);
175		-
176		- /**
177		- * Update all the passwords of $uid if required
178		- *
179		- * @param string $uid
180		- * @param string $password
181		- */
182		- public function updatePasswords(string $uid, string $password);
	37	+ /**
	38	+ * Create and persist a new token
	39	+ *
	40	+ * @param string $token
	41	+ * @param string $uid
	42	+ * @param string $loginName
	43	+ * @param string\|null $password
	44	+ * @param string $name
	45	+ * @param int $type token type
	46	+ * @param int $remember whether the session token should be used for remember-me
	47	+ * @return IToken
	48	+ * @throws \RuntimeException when OpenSSL reports a problem
	49	+ */
	50	+ public function generateToken(string $token,
	51	+ string $uid,
	52	+ string $loginName,
	53	+ $password,
	54	+ string $name,
	55	+ int $type = IToken::TEMPORARY_TOKEN,
	56	+ int $remember = IToken::DO_NOT_REMEMBER): IToken;
	57	+
	58	+ /**
	59	+ * Get a token by token id
	60	+ *
	61	+ * @param string $tokenId
	62	+ * @throws InvalidTokenException
	63	+ * @throws ExpiredTokenException
	64	+ * @throws WipeTokenException
	65	+ * @return IToken
	66	+ */
	67	+ public function getToken(string $tokenId): IToken;
	68	+
	69	+ /**
	70	+ * Get a token by token id
	71	+ *
	72	+ * @param int $tokenId
	73	+ * @throws InvalidTokenException
	74	+ * @throws ExpiredTokenException
	75	+ * @throws WipeTokenException
	76	+ * @return IToken
	77	+ */
	78	+ public function getTokenById(int $tokenId): IToken;
	79	+
	80	+ /**
	81	+ * Duplicate an existing session token
	82	+ *
	83	+ * @param string $oldSessionId
	84	+ * @param string $sessionId
	85	+ * @throws InvalidTokenException
	86	+ * @throws \RuntimeException when OpenSSL reports a problem
	87	+ * @return IToken The new token
	88	+ */
	89	+ public function renewSessionToken(string $oldSessionId, string $sessionId): IToken;
	90	+
	91	+ /**
	92	+ * Invalidate (delete) the given session token
	93	+ *
	94	+ * @param string $token
	95	+ */
	96	+ public function invalidateToken(string $token);
	97	+
	98	+ /**
	99	+ * Invalidate (delete) the given token
	100	+ *
	101	+ * @param string $uid
	102	+ * @param int $id
	103	+ */
	104	+ public function invalidateTokenById(string $uid, int $id);
	105	+
	106	+ /**
	107	+ * Invalidate (delete) old session tokens
	108	+ */
	109	+ public function invalidateOldTokens();
	110	+
	111	+ /**
	112	+ * Save the updated token
	113	+ *
	114	+ * @param IToken $token
	115	+ */
	116	+ public function updateToken(IToken $token);
	117	+
	118	+ /**
	119	+ * Update token activity timestamp
	120	+ *
	121	+ * @param IToken $token
	122	+ */
	123	+ public function updateTokenActivity(IToken $token);
	124	+
	125	+ /**
	126	+ * Get all tokens of a user
	127	+ *
	128	+ * The provider may limit the number of result rows in case of an abuse
	129	+ * where a high number of (session) tokens is generated
	130	+ *
	131	+ * @param string $uid
	132	+ * @return IToken[]
	133	+ */
	134	+ public function getTokenByUser(string $uid): array;
	135	+
	136	+ /**
	137	+ * Get the (unencrypted) password of the given token
	138	+ *
	139	+ * @param IToken $token
	140	+ * @param string $tokenId
	141	+ * @throws InvalidTokenException
	142	+ * @throws PasswordlessTokenException
	143	+ * @return string
	144	+ */
	145	+ public function getPassword(IToken $token, string $tokenId): string;
	146	+
	147	+ /**
	148	+ * Encrypt and set the password of the given token
	149	+ *
	150	+ * @param IToken $token
	151	+ * @param string $tokenId
	152	+ * @param string $password
	153	+ * @throws InvalidTokenException
	154	+ */
	155	+ public function setPassword(IToken $token, string $tokenId, string $password);
	156	+
	157	+ /**
	158	+ * Rotate the token. Usefull for for example oauth tokens
	159	+ *
	160	+ * @param IToken $token
	161	+ * @param string $oldTokenId
	162	+ * @param string $newTokenId
	163	+ * @return IToken
	164	+ * @throws \RuntimeException when OpenSSL reports a problem
	165	+ */
	166	+ public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
	167	+
	168	+ /**
	169	+ * Marks a token as having an invalid password.
	170	+ *
	171	+ * @param IToken $token
	172	+ * @param string $tokenId
	173	+ */
	174	+ public function markPasswordInvalid(IToken $token, string $tokenId);
	175	+
	176	+ /**
	177	+ * Update all the passwords of $uid if required
	178	+ *
	179	+ * @param string $uid
	180	+ * @param string $password
	181	+ */
	182	+ public function updatePasswords(string $uid, string $password);
183	183	}

		@@ -30,228 +30,228 @@
		block discarded – undo
30	30
31	31	class Manager implements IProvider {
32	32
33		- /** @var DefaultTokenProvider */
34		- private $defaultTokenProvider;
35		-
36		- /** @var PublicKeyTokenProvider */
37		- private $publicKeyTokenProvider;
38		-
39		- public function __construct(DefaultTokenProvider $defaultTokenProvider, PublicKeyTokenProvider $publicKeyTokenProvider) {
40		- $this->defaultTokenProvider = $defaultTokenProvider;
41		- $this->publicKeyTokenProvider = $publicKeyTokenProvider;
42		- }
43		-
44		- /**
45		- * Create and persist a new token
46		- *
47		- * @param string $token
48		- * @param string $uid
49		- * @param string $loginName
50		- * @param string\|null $password
51		- * @param string $name
52		- * @param int $type token type
53		- * @param int $remember whether the session token should be used for remember-me
54		- * @return IToken
55		- */
56		- public function generateToken(string $token,
57		- string $uid,
58		- string $loginName,
59		- $password,
60		- string $name,
61		- int $type = IToken::TEMPORARY_TOKEN,
62		- int $remember = IToken::DO_NOT_REMEMBER): IToken {
63		- return $this->publicKeyTokenProvider->generateToken(
64		- $token,
65		- $uid,
66		- $loginName,
67		- $password,
68		- $name,
69		- $type,
70		- $remember
71		- );
72		- }
73		-
74		- /**
75		- * Save the updated token
76		- *
77		- * @param IToken $token
78		- * @throws InvalidTokenException
79		- */
80		- public function updateToken(IToken $token) {
81		- $provider = $this->getProvider($token);
82		- $provider->updateToken($token);
83		- }
84		-
85		- /**
86		- * Update token activity timestamp
87		- *
88		- * @throws InvalidTokenException
89		- * @param IToken $token
90		- */
91		- public function updateTokenActivity(IToken $token) {
92		- $provider = $this->getProvider($token);
93		- $provider->updateTokenActivity($token);
94		- }
95		-
96		- /**
97		- * @param string $uid
98		- * @return IToken[]
99		- */
100		- public function getTokenByUser(string $uid): array {
101		- $old = $this->defaultTokenProvider->getTokenByUser($uid);
102		- $new = $this->publicKeyTokenProvider->getTokenByUser($uid);
103		-
104		- return array_merge($old, $new);
105		- }
106		-
107		- /**
108		- * Get a token by token
109		- *
110		- * @param string $tokenId
111		- * @throws InvalidTokenException
112		- * @throws \RuntimeException when OpenSSL reports a problem
113		- * @return IToken
114		- */
115		- public function getToken(string $tokenId): IToken {
116		- try {
117		- return $this->publicKeyTokenProvider->getToken($tokenId);
118		- } catch (WipeTokenException $e) {
119		- throw $e;
120		- } catch (ExpiredTokenException $e) {
121		- throw $e;
122		- } catch(InvalidTokenException $e) {
123		- // No worries we try to convert it to a PublicKey Token
124		- }
125		-
126		- //Convert!
127		- $token = $this->defaultTokenProvider->getToken($tokenId);
128		-
129		- try {
130		- $password = $this->defaultTokenProvider->getPassword($token, $tokenId);
131		- } catch (PasswordlessTokenException $e) {
132		- $password = null;
133		- }
134		-
135		- return $this->publicKeyTokenProvider->convertToken($token, $tokenId, $password);
136		- }
137		-
138		- /**
139		- * Get a token by token id
140		- *
141		- * @param int $tokenId
142		- * @throws InvalidTokenException
143		- * @return IToken
144		- */
145		- public function getTokenById(int $tokenId): IToken {
146		- try {
147		- return $this->publicKeyTokenProvider->getTokenById($tokenId);
148		- } catch (ExpiredTokenException $e) {
149		- throw $e;
150		- } catch (WipeTokenException $e) {
151		- throw $e;
152		- } catch (InvalidTokenException $e) {
153		- return $this->defaultTokenProvider->getTokenById($tokenId);
154		- }
155		- }
156		-
157		- /**
158		- * @param string $oldSessionId
159		- * @param string $sessionId
160		- * @throws InvalidTokenException
161		- * @return IToken
162		- */
163		- public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
164		- try {
165		- return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
166		- } catch (ExpiredTokenException $e) {
167		- throw $e;
168		- } catch (InvalidTokenException $e) {
169		- return $this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId);
170		- }
171		- }
172		-
173		- /**
174		- * @param IToken $savedToken
175		- * @param string $tokenId session token
176		- * @throws InvalidTokenException
177		- * @throws PasswordlessTokenException
178		- * @return string
179		- */
180		- public function getPassword(IToken $savedToken, string $tokenId): string {
181		- $provider = $this->getProvider($savedToken);
182		- return $provider->getPassword($savedToken, $tokenId);
183		- }
184		-
185		- public function setPassword(IToken $token, string $tokenId, string $password) {
186		- $provider = $this->getProvider($token);
187		- $provider->setPassword($token, $tokenId, $password);
188		- }
189		-
190		- public function invalidateToken(string $token) {
191		- $this->defaultTokenProvider->invalidateToken($token);
192		- $this->publicKeyTokenProvider->invalidateToken($token);
193		- }
194		-
195		- public function invalidateTokenById(string $uid, int $id) {
196		- $this->defaultTokenProvider->invalidateTokenById($uid, $id);
197		- $this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
198		- }
199		-
200		- public function invalidateOldTokens() {
201		- $this->defaultTokenProvider->invalidateOldTokens();
202		- $this->publicKeyTokenProvider->invalidateOldTokens();
203		- }
204		-
205		- /**
206		- * @param IToken $token
207		- * @param string $oldTokenId
208		- * @param string $newTokenId
209		- * @return IToken
210		- * @throws InvalidTokenException
211		- * @throws \RuntimeException when OpenSSL reports a problem
212		- */
213		- public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
214		- if ($token instanceof DefaultToken) {
215		- try {
216		- $password = $this->defaultTokenProvider->getPassword($token, $oldTokenId);
217		- } catch (PasswordlessTokenException $e) {
218		- $password = null;
219		- }
220		-
221		- return $this->publicKeyTokenProvider->convertToken($token, $newTokenId, $password);
222		- }
223		-
224		- if ($token instanceof PublicKeyToken) {
225		- return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
226		- }
227		-
228		- throw new InvalidTokenException();
229		- }
230		-
231		- /**
232		- * @param IToken $token
233		- * @return IProvider
234		- * @throws InvalidTokenException
235		- */
236		- private function getProvider(IToken $token): IProvider {
237		- if ($token instanceof DefaultToken) {
238		- return $this->defaultTokenProvider;
239		- }
240		- if ($token instanceof PublicKeyToken) {
241		- return $this->publicKeyTokenProvider;
242		- }
243		- throw new InvalidTokenException();
244		- }
245		-
246		-
247		- public function markPasswordInvalid(IToken $token, string $tokenId) {
248		- $this->getProvider($token)->markPasswordInvalid($token, $tokenId);
249		- }
250		-
251		- public function updatePasswords(string $uid, string $password) {
252		- $this->defaultTokenProvider->updatePasswords($uid, $password);
253		- $this->publicKeyTokenProvider->updatePasswords($uid, $password);
254		- }
	33	+ /** @var DefaultTokenProvider */
	34	+ private $defaultTokenProvider;
	35	+
	36	+ /** @var PublicKeyTokenProvider */
	37	+ private $publicKeyTokenProvider;
	38	+
	39	+ public function __construct(DefaultTokenProvider $defaultTokenProvider, PublicKeyTokenProvider $publicKeyTokenProvider) {
	40	+ $this->defaultTokenProvider = $defaultTokenProvider;
	41	+ $this->publicKeyTokenProvider = $publicKeyTokenProvider;
	42	+ }
	43	+
	44	+ /**
	45	+ * Create and persist a new token
	46	+ *
	47	+ * @param string $token
	48	+ * @param string $uid
	49	+ * @param string $loginName
	50	+ * @param string\|null $password
	51	+ * @param string $name
	52	+ * @param int $type token type
	53	+ * @param int $remember whether the session token should be used for remember-me
	54	+ * @return IToken
	55	+ */
	56	+ public function generateToken(string $token,
	57	+ string $uid,
	58	+ string $loginName,
	59	+ $password,
	60	+ string $name,
	61	+ int $type = IToken::TEMPORARY_TOKEN,
	62	+ int $remember = IToken::DO_NOT_REMEMBER): IToken {
	63	+ return $this->publicKeyTokenProvider->generateToken(
	64	+ $token,
	65	+ $uid,
	66	+ $loginName,
	67	+ $password,
	68	+ $name,
	69	+ $type,
	70	+ $remember
	71	+ );
	72	+ }
	73	+
	74	+ /**
	75	+ * Save the updated token
	76	+ *
	77	+ * @param IToken $token
	78	+ * @throws InvalidTokenException
	79	+ */
	80	+ public function updateToken(IToken $token) {
	81	+ $provider = $this->getProvider($token);
	82	+ $provider->updateToken($token);
	83	+ }
	84	+
	85	+ /**
	86	+ * Update token activity timestamp
	87	+ *
	88	+ * @throws InvalidTokenException
	89	+ * @param IToken $token
	90	+ */
	91	+ public function updateTokenActivity(IToken $token) {
	92	+ $provider = $this->getProvider($token);
	93	+ $provider->updateTokenActivity($token);
	94	+ }
	95	+
	96	+ /**
	97	+ * @param string $uid
	98	+ * @return IToken[]
	99	+ */
	100	+ public function getTokenByUser(string $uid): array {
	101	+ $old = $this->defaultTokenProvider->getTokenByUser($uid);
	102	+ $new = $this->publicKeyTokenProvider->getTokenByUser($uid);
	103	+
	104	+ return array_merge($old, $new);
	105	+ }
	106	+
	107	+ /**
	108	+ * Get a token by token
	109	+ *
	110	+ * @param string $tokenId
	111	+ * @throws InvalidTokenException
	112	+ * @throws \RuntimeException when OpenSSL reports a problem
	113	+ * @return IToken
	114	+ */
	115	+ public function getToken(string $tokenId): IToken {
	116	+ try {
	117	+ return $this->publicKeyTokenProvider->getToken($tokenId);
	118	+ } catch (WipeTokenException $e) {
	119	+ throw $e;
	120	+ } catch (ExpiredTokenException $e) {
	121	+ throw $e;
	122	+ } catch(InvalidTokenException $e) {
	123	+ // No worries we try to convert it to a PublicKey Token
	124	+ }
	125	+
	126	+ //Convert!
	127	+ $token = $this->defaultTokenProvider->getToken($tokenId);
	128	+
	129	+ try {
	130	+ $password = $this->defaultTokenProvider->getPassword($token, $tokenId);
	131	+ } catch (PasswordlessTokenException $e) {
	132	+ $password = null;
	133	+ }
	134	+
	135	+ return $this->publicKeyTokenProvider->convertToken($token, $tokenId, $password);
	136	+ }
	137	+
	138	+ /**
	139	+ * Get a token by token id
	140	+ *
	141	+ * @param int $tokenId
	142	+ * @throws InvalidTokenException
	143	+ * @return IToken
	144	+ */
	145	+ public function getTokenById(int $tokenId): IToken {
	146	+ try {
	147	+ return $this->publicKeyTokenProvider->getTokenById($tokenId);
	148	+ } catch (ExpiredTokenException $e) {
	149	+ throw $e;
	150	+ } catch (WipeTokenException $e) {
	151	+ throw $e;
	152	+ } catch (InvalidTokenException $e) {
	153	+ return $this->defaultTokenProvider->getTokenById($tokenId);
	154	+ }
	155	+ }
	156	+
	157	+ /**
	158	+ * @param string $oldSessionId
	159	+ * @param string $sessionId
	160	+ * @throws InvalidTokenException
	161	+ * @return IToken
	162	+ */
	163	+ public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
	164	+ try {
	165	+ return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
	166	+ } catch (ExpiredTokenException $e) {
	167	+ throw $e;
	168	+ } catch (InvalidTokenException $e) {
	169	+ return $this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId);
	170	+ }
	171	+ }
	172	+
	173	+ /**
	174	+ * @param IToken $savedToken
	175	+ * @param string $tokenId session token
	176	+ * @throws InvalidTokenException
	177	+ * @throws PasswordlessTokenException
	178	+ * @return string
	179	+ */
	180	+ public function getPassword(IToken $savedToken, string $tokenId): string {
	181	+ $provider = $this->getProvider($savedToken);
	182	+ return $provider->getPassword($savedToken, $tokenId);
	183	+ }
	184	+
	185	+ public function setPassword(IToken $token, string $tokenId, string $password) {
	186	+ $provider = $this->getProvider($token);
	187	+ $provider->setPassword($token, $tokenId, $password);
	188	+ }
	189	+
	190	+ public function invalidateToken(string $token) {
	191	+ $this->defaultTokenProvider->invalidateToken($token);
	192	+ $this->publicKeyTokenProvider->invalidateToken($token);
	193	+ }
	194	+
	195	+ public function invalidateTokenById(string $uid, int $id) {
	196	+ $this->defaultTokenProvider->invalidateTokenById($uid, $id);
	197	+ $this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
	198	+ }
	199	+
	200	+ public function invalidateOldTokens() {
	201	+ $this->defaultTokenProvider->invalidateOldTokens();
	202	+ $this->publicKeyTokenProvider->invalidateOldTokens();
	203	+ }
	204	+
	205	+ /**
	206	+ * @param IToken $token
	207	+ * @param string $oldTokenId
	208	+ * @param string $newTokenId
	209	+ * @return IToken
	210	+ * @throws InvalidTokenException
	211	+ * @throws \RuntimeException when OpenSSL reports a problem
	212	+ */
	213	+ public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
	214	+ if ($token instanceof DefaultToken) {
	215	+ try {
	216	+ $password = $this->defaultTokenProvider->getPassword($token, $oldTokenId);
	217	+ } catch (PasswordlessTokenException $e) {
	218	+ $password = null;
	219	+ }
	220	+
	221	+ return $this->publicKeyTokenProvider->convertToken($token, $newTokenId, $password);
	222	+ }
	223	+
	224	+ if ($token instanceof PublicKeyToken) {
	225	+ return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
	226	+ }
	227	+
	228	+ throw new InvalidTokenException();
	229	+ }
	230	+
	231	+ /**
	232	+ * @param IToken $token
	233	+ * @return IProvider
	234	+ * @throws InvalidTokenException
	235	+ */
	236	+ private function getProvider(IToken $token): IProvider {
	237	+ if ($token instanceof DefaultToken) {
	238	+ return $this->defaultTokenProvider;
	239	+ }
	240	+ if ($token instanceof PublicKeyToken) {
	241	+ return $this->publicKeyTokenProvider;
	242	+ }
	243	+ throw new InvalidTokenException();
	244	+ }
	245	+
	246	+
	247	+ public function markPasswordInvalid(IToken $token, string $tokenId) {
	248	+ $this->getProvider($token)->markPasswordInvalid($token, $tokenId);
	249	+ }
	250	+
	251	+ public function updatePasswords(string $uid, string $password) {
	252	+ $this->defaultTokenProvider->updatePasswords($uid, $password);
	253	+ $this->publicKeyTokenProvider->updatePasswords($uid, $password);
	254	+ }
255	255
256	256
257	257	}

		@@ -40,318 +40,318 @@
		block discarded – undo
40	40
41	41	class DefaultTokenProvider implements IProvider {
42	42
43		- /** @var DefaultTokenMapper */
44		- private $mapper;
45		-
46		- /** @var ICrypto */
47		- private $crypto;
48		-
49		- /** @var IConfig */
50		- private $config;
51		-
52		- /** @var ILogger $logger */
53		- private $logger;
54		-
55		- /** @var ITimeFactory $time */
56		- private $time;
57		-
58		- /**
59		- * @param DefaultTokenMapper $mapper
60		- * @param ICrypto $crypto
61		- * @param IConfig $config
62		- * @param ILogger $logger
63		- * @param ITimeFactory $time
64		- */
65		- public function __construct(DefaultTokenMapper $mapper,
66		- ICrypto $crypto,
67		- IConfig $config,
68		- ILogger $logger,
69		- ITimeFactory $time) {
70		- $this->mapper = $mapper;
71		- $this->crypto = $crypto;
72		- $this->config = $config;
73		- $this->logger = $logger;
74		- $this->time = $time;
75		- }
76		-
77		- /**
78		- * Create and persist a new token
79		- *
80		- * @param string $token
81		- * @param string $uid
82		- * @param string $loginName
83		- * @param string\|null $password
84		- * @param string $name
85		- * @param int $type token type
86		- * @param int $remember whether the session token should be used for remember-me
87		- * @return IToken
88		- */
89		- public function generateToken(string $token,
90		- string $uid,
91		- string $loginName,
92		- $password,
93		- string $name,
94		- int $type = IToken::TEMPORARY_TOKEN,
95		- int $remember = IToken::DO_NOT_REMEMBER): IToken {
96		- $dbToken = new DefaultToken();
97		- $dbToken->setUid($uid);
98		- $dbToken->setLoginName($loginName);
99		- if (!is_null($password)) {
100		- $dbToken->setPassword($this->encryptPassword($password, $token));
101		- }
102		- $dbToken->setName($name);
103		- $dbToken->setToken($this->hashToken($token));
104		- $dbToken->setType($type);
105		- $dbToken->setRemember($remember);
106		- $dbToken->setLastActivity($this->time->getTime());
107		- $dbToken->setLastCheck($this->time->getTime());
108		- $dbToken->setVersion(DefaultToken::VERSION);
109		-
110		- $this->mapper->insert($dbToken);
111		-
112		- return $dbToken;
113		- }
114		-
115		- /**
116		- * Save the updated token
117		- *
118		- * @param IToken $token
119		- * @throws InvalidTokenException
120		- */
121		- public function updateToken(IToken $token) {
122		- if (!($token instanceof DefaultToken)) {
123		- throw new InvalidTokenException();
124		- }
125		- $this->mapper->update($token);
126		- }
127		-
128		- /**
129		- * Update token activity timestamp
130		- *
131		- * @throws InvalidTokenException
132		- * @param IToken $token
133		- */
134		- public function updateTokenActivity(IToken $token) {
135		- if (!($token instanceof DefaultToken)) {
136		- throw new InvalidTokenException();
137		- }
138		- /** @var DefaultToken $token */
139		- $now = $this->time->getTime();
140		- if ($token->getLastActivity() < ($now - 60)) {
141		- // Update token only once per minute
142		- $token->setLastActivity($now);
143		- $this->mapper->update($token);
144		- }
145		- }
146		-
147		- public function getTokenByUser(string $uid): array {
148		- return $this->mapper->getTokenByUser($uid);
149		- }
150		-
151		- /**
152		- * Get a token by token
153		- *
154		- * @param string $tokenId
155		- * @throws InvalidTokenException
156		- * @throws ExpiredTokenException
157		- * @return IToken
158		- */
159		- public function getToken(string $tokenId): IToken {
160		- try {
161		- $token = $this->mapper->getToken($this->hashToken($tokenId));
162		- } catch (DoesNotExistException $ex) {
163		- throw new InvalidTokenException();
164		- }
165		-
166		- if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
167		- throw new ExpiredTokenException($token);
168		- }
169		-
170		- return $token;
171		- }
172		-
173		- /**
174		- * Get a token by token id
175		- *
176		- * @param int $tokenId
177		- * @throws InvalidTokenException
178		- * @throws ExpiredTokenException
179		- * @return IToken
180		- */
181		- public function getTokenById(int $tokenId): IToken {
182		- try {
183		- $token = $this->mapper->getTokenById($tokenId);
184		- } catch (DoesNotExistException $ex) {
185		- throw new InvalidTokenException();
186		- }
187		-
188		- if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
189		- throw new ExpiredTokenException($token);
190		- }
191		-
192		- return $token;
193		- }
194		-
195		- /**
196		- * @param string $oldSessionId
197		- * @param string $sessionId
198		- * @throws InvalidTokenException
199		- * @return IToken
200		- */
201		- public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
202		- $token = $this->getToken($oldSessionId);
203		-
204		- $newToken = new DefaultToken();
205		- $newToken->setUid($token->getUID());
206		- $newToken->setLoginName($token->getLoginName());
207		- if (!is_null($token->getPassword())) {
208		- $password = $this->decryptPassword($token->getPassword(), $oldSessionId);
209		- $newToken->setPassword($this->encryptPassword($password, $sessionId));
210		- }
211		- $newToken->setName($token->getName());
212		- $newToken->setToken($this->hashToken($sessionId));
213		- $newToken->setType(IToken::TEMPORARY_TOKEN);
214		- $newToken->setRemember($token->getRemember());
215		- $newToken->setLastActivity($this->time->getTime());
216		- $this->mapper->insert($newToken);
217		- $this->mapper->delete($token);
218		-
219		- return $newToken;
220		- }
221		-
222		- /**
223		- * @param IToken $savedToken
224		- * @param string $tokenId session token
225		- * @throws InvalidTokenException
226		- * @throws PasswordlessTokenException
227		- * @return string
228		- */
229		- public function getPassword(IToken $savedToken, string $tokenId): string {
230		- $password = $savedToken->getPassword();
231		- if (is_null($password)) {
232		- throw new PasswordlessTokenException();
233		- }
234		- return $this->decryptPassword($password, $tokenId);
235		- }
236		-
237		- /**
238		- * Encrypt and set the password of the given token
239		- *
240		- * @param IToken $token
241		- * @param string $tokenId
242		- * @param string $password
243		- * @throws InvalidTokenException
244		- */
245		- public function setPassword(IToken $token, string $tokenId, string $password) {
246		- if (!($token instanceof DefaultToken)) {
247		- throw new InvalidTokenException();
248		- }
249		- /** @var DefaultToken $token */
250		- $token->setPassword($this->encryptPassword($password, $tokenId));
251		- $this->mapper->update($token);
252		- }
253		-
254		- /**
255		- * Invalidate (delete) the given session token
256		- *
257		- * @param string $token
258		- */
259		- public function invalidateToken(string $token) {
260		- $this->mapper->invalidate($this->hashToken($token));
261		- }
262		-
263		- public function invalidateTokenById(string $uid, int $id) {
264		- $this->mapper->deleteById($uid, $id);
265		- }
266		-
267		- /**
268		- * Invalidate (delete) old session tokens
269		- */
270		- public function invalidateOldTokens() {
271		- $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
272		- $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
273		- $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
274		- $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
275		- $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
276		- $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
277		- }
278		-
279		- /**
280		- * Rotate the token. Usefull for for example oauth tokens
281		- *
282		- * @param IToken $token
283		- * @param string $oldTokenId
284		- * @param string $newTokenId
285		- * @return IToken
286		- */
287		- public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
288		- try {
289		- $password = $this->getPassword($token, $oldTokenId);
290		- $token->setPassword($this->encryptPassword($password, $newTokenId));
291		- } catch (PasswordlessTokenException $e) {
292		-
293		- }
294		-
295		- $token->setToken($this->hashToken($newTokenId));
296		- $this->updateToken($token);
297		-
298		- return $token;
299		- }
300		-
301		- /**
302		- * @param string $token
303		- * @return string
304		- */
305		- private function hashToken(string $token): string {
306		- $secret = $this->config->getSystemValue('secret');
307		- return hash('sha512', $token . $secret);
308		- }
309		-
310		- /**
311		- * Encrypt the given password
312		- *
313		- * The token is used as key
314		- *
315		- * @param string $password
316		- * @param string $token
317		- * @return string encrypted password
318		- */
319		- private function encryptPassword(string $password, string $token): string {
320		- $secret = $this->config->getSystemValue('secret');
321		- return $this->crypto->encrypt($password, $token . $secret);
322		- }
323		-
324		- /**
325		- * Decrypt the given password
326		- *
327		- * The token is used as key
328		- *
329		- * @param string $password
330		- * @param string $token
331		- * @throws InvalidTokenException
332		- * @return string the decrypted key
333		- */
334		- private function decryptPassword(string $password, string $token): string {
335		- $secret = $this->config->getSystemValue('secret');
336		- try {
337		- return $this->crypto->decrypt($password, $token . $secret);
338		- } catch (Exception $ex) {
339		- // Delete the invalid token
340		- $this->invalidateToken($token);
341		- throw new InvalidTokenException();
342		- }
343		- }
344		-
345		- public function markPasswordInvalid(IToken $token, string $tokenId) {
346		- if (!($token instanceof DefaultToken)) {
347		- throw new InvalidTokenException();
348		- }
349		-
350		- //No need to mark as invalid. We just invalide default tokens
351		- $this->invalidateToken($tokenId);
352		- }
353		-
354		- public function updatePasswords(string $uid, string $password) {
355		- // Nothing to do here
356		- }
	43	+ /** @var DefaultTokenMapper */
	44	+ private $mapper;
	45	+
	46	+ /** @var ICrypto */
	47	+ private $crypto;
	48	+
	49	+ /** @var IConfig */
	50	+ private $config;
	51	+
	52	+ /** @var ILogger $logger */
	53	+ private $logger;
	54	+
	55	+ /** @var ITimeFactory $time */
	56	+ private $time;
	57	+
	58	+ /**
	59	+ * @param DefaultTokenMapper $mapper
	60	+ * @param ICrypto $crypto
	61	+ * @param IConfig $config
	62	+ * @param ILogger $logger
	63	+ * @param ITimeFactory $time
	64	+ */
	65	+ public function __construct(DefaultTokenMapper $mapper,
	66	+ ICrypto $crypto,
	67	+ IConfig $config,
	68	+ ILogger $logger,
	69	+ ITimeFactory $time) {
	70	+ $this->mapper = $mapper;
	71	+ $this->crypto = $crypto;
	72	+ $this->config = $config;
	73	+ $this->logger = $logger;
	74	+ $this->time = $time;
	75	+ }
	76	+
	77	+ /**
	78	+ * Create and persist a new token
	79	+ *
	80	+ * @param string $token
	81	+ * @param string $uid
	82	+ * @param string $loginName
	83	+ * @param string\|null $password
	84	+ * @param string $name
	85	+ * @param int $type token type
	86	+ * @param int $remember whether the session token should be used for remember-me
	87	+ * @return IToken
	88	+ */
	89	+ public function generateToken(string $token,
	90	+ string $uid,
	91	+ string $loginName,
	92	+ $password,
	93	+ string $name,
	94	+ int $type = IToken::TEMPORARY_TOKEN,
	95	+ int $remember = IToken::DO_NOT_REMEMBER): IToken {
	96	+ $dbToken = new DefaultToken();
	97	+ $dbToken->setUid($uid);
	98	+ $dbToken->setLoginName($loginName);
	99	+ if (!is_null($password)) {
	100	+ $dbToken->setPassword($this->encryptPassword($password, $token));
	101	+ }
	102	+ $dbToken->setName($name);
	103	+ $dbToken->setToken($this->hashToken($token));
	104	+ $dbToken->setType($type);
	105	+ $dbToken->setRemember($remember);
	106	+ $dbToken->setLastActivity($this->time->getTime());
	107	+ $dbToken->setLastCheck($this->time->getTime());
	108	+ $dbToken->setVersion(DefaultToken::VERSION);
	109	+
	110	+ $this->mapper->insert($dbToken);
	111	+
	112	+ return $dbToken;
	113	+ }
	114	+
	115	+ /**
	116	+ * Save the updated token
	117	+ *
	118	+ * @param IToken $token
	119	+ * @throws InvalidTokenException
	120	+ */
	121	+ public function updateToken(IToken $token) {
	122	+ if (!($token instanceof DefaultToken)) {
	123	+ throw new InvalidTokenException();
	124	+ }
	125	+ $this->mapper->update($token);
	126	+ }
	127	+
	128	+ /**
	129	+ * Update token activity timestamp
	130	+ *
	131	+ * @throws InvalidTokenException
	132	+ * @param IToken $token
	133	+ */
	134	+ public function updateTokenActivity(IToken $token) {
	135	+ if (!($token instanceof DefaultToken)) {
	136	+ throw new InvalidTokenException();
	137	+ }
	138	+ /** @var DefaultToken $token */
	139	+ $now = $this->time->getTime();
	140	+ if ($token->getLastActivity() < ($now - 60)) {
	141	+ // Update token only once per minute
	142	+ $token->setLastActivity($now);
	143	+ $this->mapper->update($token);
	144	+ }
	145	+ }
	146	+
	147	+ public function getTokenByUser(string $uid): array {
	148	+ return $this->mapper->getTokenByUser($uid);
	149	+ }
	150	+
	151	+ /**
	152	+ * Get a token by token
	153	+ *
	154	+ * @param string $tokenId
	155	+ * @throws InvalidTokenException
	156	+ * @throws ExpiredTokenException
	157	+ * @return IToken
	158	+ */
	159	+ public function getToken(string $tokenId): IToken {
	160	+ try {
	161	+ $token = $this->mapper->getToken($this->hashToken($tokenId));
	162	+ } catch (DoesNotExistException $ex) {
	163	+ throw new InvalidTokenException();
	164	+ }
	165	+
	166	+ if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
	167	+ throw new ExpiredTokenException($token);
	168	+ }
	169	+
	170	+ return $token;
	171	+ }
	172	+
	173	+ /**
	174	+ * Get a token by token id
	175	+ *
	176	+ * @param int $tokenId
	177	+ * @throws InvalidTokenException
	178	+ * @throws ExpiredTokenException
	179	+ * @return IToken
	180	+ */
	181	+ public function getTokenById(int $tokenId): IToken {
	182	+ try {
	183	+ $token = $this->mapper->getTokenById($tokenId);
	184	+ } catch (DoesNotExistException $ex) {
	185	+ throw new InvalidTokenException();
	186	+ }
	187	+
	188	+ if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
	189	+ throw new ExpiredTokenException($token);
	190	+ }
	191	+
	192	+ return $token;
	193	+ }
	194	+
	195	+ /**
	196	+ * @param string $oldSessionId
	197	+ * @param string $sessionId
	198	+ * @throws InvalidTokenException
	199	+ * @return IToken
	200	+ */
	201	+ public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
	202	+ $token = $this->getToken($oldSessionId);
	203	+
	204	+ $newToken = new DefaultToken();
	205	+ $newToken->setUid($token->getUID());
	206	+ $newToken->setLoginName($token->getLoginName());
	207	+ if (!is_null($token->getPassword())) {
	208	+ $password = $this->decryptPassword($token->getPassword(), $oldSessionId);
	209	+ $newToken->setPassword($this->encryptPassword($password, $sessionId));
	210	+ }
	211	+ $newToken->setName($token->getName());
	212	+ $newToken->setToken($this->hashToken($sessionId));
	213	+ $newToken->setType(IToken::TEMPORARY_TOKEN);
	214	+ $newToken->setRemember($token->getRemember());
	215	+ $newToken->setLastActivity($this->time->getTime());
	216	+ $this->mapper->insert($newToken);
	217	+ $this->mapper->delete($token);
	218	+
	219	+ return $newToken;
	220	+ }
	221	+
	222	+ /**
	223	+ * @param IToken $savedToken
	224	+ * @param string $tokenId session token
	225	+ * @throws InvalidTokenException
	226	+ * @throws PasswordlessTokenException
	227	+ * @return string
	228	+ */
	229	+ public function getPassword(IToken $savedToken, string $tokenId): string {
	230	+ $password = $savedToken->getPassword();
	231	+ if (is_null($password)) {
	232	+ throw new PasswordlessTokenException();
	233	+ }
	234	+ return $this->decryptPassword($password, $tokenId);
	235	+ }
	236	+
	237	+ /**
	238	+ * Encrypt and set the password of the given token
	239	+ *
	240	+ * @param IToken $token
	241	+ * @param string $tokenId
	242	+ * @param string $password
	243	+ * @throws InvalidTokenException
	244	+ */
	245	+ public function setPassword(IToken $token, string $tokenId, string $password) {
	246	+ if (!($token instanceof DefaultToken)) {
	247	+ throw new InvalidTokenException();
	248	+ }
	249	+ /** @var DefaultToken $token */
	250	+ $token->setPassword($this->encryptPassword($password, $tokenId));
	251	+ $this->mapper->update($token);
	252	+ }
	253	+
	254	+ /**
	255	+ * Invalidate (delete) the given session token
	256	+ *
	257	+ * @param string $token
	258	+ */
	259	+ public function invalidateToken(string $token) {
	260	+ $this->mapper->invalidate($this->hashToken($token));
	261	+ }
	262	+
	263	+ public function invalidateTokenById(string $uid, int $id) {
	264	+ $this->mapper->deleteById($uid, $id);
	265	+ }
	266	+
	267	+ /**
	268	+ * Invalidate (delete) old session tokens
	269	+ */
	270	+ public function invalidateOldTokens() {
	271	+ $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
	272	+ $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
	273	+ $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
	274	+ $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
	275	+ $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
	276	+ $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
	277	+ }
	278	+
	279	+ /**
	280	+ * Rotate the token. Usefull for for example oauth tokens
	281	+ *
	282	+ * @param IToken $token
	283	+ * @param string $oldTokenId
	284	+ * @param string $newTokenId
	285	+ * @return IToken
	286	+ */
	287	+ public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
	288	+ try {
	289	+ $password = $this->getPassword($token, $oldTokenId);
	290	+ $token->setPassword($this->encryptPassword($password, $newTokenId));
	291	+ } catch (PasswordlessTokenException $e) {
	292	+
	293	+ }
	294	+
	295	+ $token->setToken($this->hashToken($newTokenId));
	296	+ $this->updateToken($token);
	297	+
	298	+ return $token;
	299	+ }
	300	+
	301	+ /**
	302	+ * @param string $token
	303	+ * @return string
	304	+ */
	305	+ private function hashToken(string $token): string {
	306	+ $secret = $this->config->getSystemValue('secret');
	307	+ return hash('sha512', $token . $secret);
	308	+ }
	309	+
	310	+ /**
	311	+ * Encrypt the given password
	312	+ *
	313	+ * The token is used as key
	314	+ *
	315	+ * @param string $password
	316	+ * @param string $token
	317	+ * @return string encrypted password
	318	+ */
	319	+ private function encryptPassword(string $password, string $token): string {
	320	+ $secret = $this->config->getSystemValue('secret');
	321	+ return $this->crypto->encrypt($password, $token . $secret);
	322	+ }
	323	+
	324	+ /**
	325	+ * Decrypt the given password
	326	+ *
	327	+ * The token is used as key
	328	+ *
	329	+ * @param string $password
	330	+ * @param string $token
	331	+ * @throws InvalidTokenException
	332	+ * @return string the decrypted key
	333	+ */
	334	+ private function decryptPassword(string $password, string $token): string {
	335	+ $secret = $this->config->getSystemValue('secret');
	336	+ try {
	337	+ return $this->crypto->decrypt($password, $token . $secret);
	338	+ } catch (Exception $ex) {
	339	+ // Delete the invalid token
	340	+ $this->invalidateToken($token);
	341	+ throw new InvalidTokenException();
	342	+ }
	343	+ }
	344	+
	345	+ public function markPasswordInvalid(IToken $token, string $tokenId) {
	346	+ if (!($token instanceof DefaultToken)) {
	347	+ throw new InvalidTokenException();
	348	+ }
	349	+
	350	+ //No need to mark as invalid. We just invalide default tokens
	351	+ $this->invalidateToken($tokenId);
	352	+ }
	353	+
	354	+ public function updatePasswords(string $uid, string $password) {
	355	+ // Nothing to do here
	356	+ }
357	357	}

nextcloud / server

Push — master ( f66315...fa7eb5 )

Status

Category

Indentation +146 added lines, -146 removed lines patch added patch discarded remove patch

Indentation +378 added lines, -378 removed lines patch added patch discarded remove patch

Indentation +222 added lines, -222 removed lines patch added patch discarded remove patch

Indentation +314 added lines, -314 removed lines patch added patch discarded remove patch

Indentation +919 added lines, -919 removed lines patch added patch discarded remove patch