nextcloud / server

core/Controller/AppPasswordController.php

Indentation +126 added lines, -126 removed lines

@@ -43,130 +43,130 @@
 
 class AppPasswordController extends \OCP\AppFramework\OCSController {
 
-	/** @var ISession */
-	private $session;
-
-	/** @var ISecureRandom */
-	private $random;
-
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var IStore */
-	private $credentialStore;
-
-	/** @var IEventDispatcher */
-	private $eventDispatcher;
-
-	public function __construct(string $appName,
-								IRequest $request,
-								ISession $session,
-								ISecureRandom $random,
-								IProvider $tokenProvider,
-								IStore $credentialStore,
-								IEventDispatcher $eventDispatcher) {
-		parent::__construct($appName, $request);
-
-		$this->session = $session;
-		$this->random = $random;
-		$this->tokenProvider = $tokenProvider;
-		$this->credentialStore = $credentialStore;
-		$this->eventDispatcher = $eventDispatcher;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @return DataResponse
-	 * @throws OCSForbiddenException
-	 */
-	public function getAppPassword(): DataResponse {
-		// We do not allow the creation of new tokens if this is an app password
-		if ($this->session->exists('app_password')) {
-			throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword');
-		}
-
-		try {
-			$credentials = $this->credentialStore->getLoginCredentials();
-		} catch (CredentialsUnavailableException $e) {
-			throw new OCSForbiddenException();
-		}
-
-		try {
-			$password = $credentials->getPassword();
-		} catch (PasswordUnavailableException $e) {
-			$password = null;
-		}
-
-		$userAgent = $this->request->getHeader('USER_AGENT');
-		if (mb_strlen($userAgent) > 128) {
-			$userAgent = mb_substr($userAgent, 0, 120) . '…';
-		}
-
-		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-
-		$generatedToken = $this->tokenProvider->generateToken(
-			$token,
-			$credentials->getUID(),
-			$credentials->getLoginName(),
-			$password,
-			$userAgent,
-			IToken::PERMANENT_TOKEN,
-			IToken::DO_NOT_REMEMBER
-		);
-
-		$this->eventDispatcher->dispatchTyped(
-			new AppPasswordCreatedEvent($generatedToken)
-		);
-
-		return new DataResponse([
-			'apppassword' => $token
-		]);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @return DataResponse
-	 */
-	public function deleteAppPassword() {
-		if (!$this->session->exists('app_password')) {
-			throw new OCSForbiddenException('no app password in use');
-		}
-
-		$appPassword = $this->session->get('app_password');
-
-		try {
-			$token = $this->tokenProvider->getToken($appPassword);
-		} catch (InvalidTokenException $e) {
-			throw new OCSForbiddenException('could not remove apptoken');
-		}
-
-		$this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());
-		return new DataResponse();
-	}
-
-	/**
-	 * @NoAdminRequired
-	 */
-	public function rotateAppPassword(): DataResponse {
-		if (!$this->session->exists('app_password')) {
-			throw new OCSForbiddenException('no app password in use');
-		}
-
-		$appPassword = $this->session->get('app_password');
-
-		try {
-			$token = $this->tokenProvider->getToken($appPassword);
-		} catch (InvalidTokenException $e) {
-			throw new OCSForbiddenException('could not rotate apptoken');
-		}
-
-		$newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-		$this->tokenProvider->rotate($token, $appPassword, $newToken);
-
-		return new DataResponse([
-			'apppassword' => $newToken,
-		]);
-	}
+    /** @var ISession */
+    private $session;
+
+    /** @var ISecureRandom */
+    private $random;
+
+    /** @var IProvider */
+    private $tokenProvider;
+
+    /** @var IStore */
+    private $credentialStore;
+
+    /** @var IEventDispatcher */
+    private $eventDispatcher;
+
+    public function __construct(string $appName,
+                                IRequest $request,
+                                ISession $session,
+                                ISecureRandom $random,
+                                IProvider $tokenProvider,
+                                IStore $credentialStore,
+                                IEventDispatcher $eventDispatcher) {
+        parent::__construct($appName, $request);
+
+        $this->session = $session;
+        $this->random = $random;
+        $this->tokenProvider = $tokenProvider;
+        $this->credentialStore = $credentialStore;
+        $this->eventDispatcher = $eventDispatcher;
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @return DataResponse
+     * @throws OCSForbiddenException
+     */
+    public function getAppPassword(): DataResponse {
+        // We do not allow the creation of new tokens if this is an app password
+        if ($this->session->exists('app_password')) {
+            throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword');
+        }
+
+        try {
+            $credentials = $this->credentialStore->getLoginCredentials();
+        } catch (CredentialsUnavailableException $e) {
+            throw new OCSForbiddenException();
+        }
+
+        try {
+            $password = $credentials->getPassword();
+        } catch (PasswordUnavailableException $e) {
+            $password = null;
+        }
+
+        $userAgent = $this->request->getHeader('USER_AGENT');
+        if (mb_strlen($userAgent) > 128) {
+            $userAgent = mb_substr($userAgent, 0, 120) . '…';
+        }
+
+        $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+
+        $generatedToken = $this->tokenProvider->generateToken(
+            $token,
+            $credentials->getUID(),
+            $credentials->getLoginName(),
+            $password,
+            $userAgent,
+            IToken::PERMANENT_TOKEN,
+            IToken::DO_NOT_REMEMBER
+        );
+
+        $this->eventDispatcher->dispatchTyped(
+            new AppPasswordCreatedEvent($generatedToken)
+        );
+
+        return new DataResponse([
+            'apppassword' => $token
+        ]);
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @return DataResponse
+     */
+    public function deleteAppPassword() {
+        if (!$this->session->exists('app_password')) {
+            throw new OCSForbiddenException('no app password in use');
+        }
+
+        $appPassword = $this->session->get('app_password');
+
+        try {
+            $token = $this->tokenProvider->getToken($appPassword);
+        } catch (InvalidTokenException $e) {
+            throw new OCSForbiddenException('could not remove apptoken');
+        }
+
+        $this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());
+        return new DataResponse();
+    }
+
+    /**
+     * @NoAdminRequired
+     */
+    public function rotateAppPassword(): DataResponse {
+        if (!$this->session->exists('app_password')) {
+            throw new OCSForbiddenException('no app password in use');
+        }
+
+        $appPassword = $this->session->get('app_password');
+
+        try {
+            $token = $this->tokenProvider->getToken($appPassword);
+        } catch (InvalidTokenException $e) {
+            throw new OCSForbiddenException('could not rotate apptoken');
+        }
+
+        $newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+        $this->tokenProvider->rotate($token, $appPassword, $newToken);
+
+        return new DataResponse([
+            'apppassword' => $newToken,
+        ]);
+    }
 }

Spacing +1 added lines, -1 removed lines

@@ -100,7 +100,7 @@
 
 		$userAgent = $this->request->getHeader('USER_AGENT');
 		if (mb_strlen($userAgent) > 128) {
-			$userAgent = mb_substr($userAgent, 0, 120) . '…';
+			$userAgent = mb_substr($userAgent, 0, 120).'…';
 		}
 
 		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

core/Controller/ClientFlowLoginController.php

Indentation +371 added lines, -371 removed lines

@@ -55,375 +55,375 @@
 use OCP\Session\Exceptions\SessionNotAvailableException;
 
 class ClientFlowLoginController extends Controller {
-	/** @var IUserSession */
-	private $userSession;
-	/** @var IL10N */
-	private $l10n;
-	/** @var Defaults */
-	private $defaults;
-	/** @var ISession */
-	private $session;
-	/** @var IProvider */
-	private $tokenProvider;
-	/** @var ISecureRandom */
-	private $random;
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var ClientMapper */
-	private $clientMapper;
-	/** @var AccessTokenMapper */
-	private $accessTokenMapper;
-	/** @var ICrypto */
-	private $crypto;
-	/** @var IEventDispatcher */
-	private $eventDispatcher;
-
-	public const STATE_NAME = 'client.flow.state.token';
-
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IUserSession $userSession
-	 * @param IL10N $l10n
-	 * @param Defaults $defaults
-	 * @param ISession $session
-	 * @param IProvider $tokenProvider
-	 * @param ISecureRandom $random
-	 * @param IURLGenerator $urlGenerator
-	 * @param ClientMapper $clientMapper
-	 * @param AccessTokenMapper $accessTokenMapper
-	 * @param ICrypto $crypto
-	 * @param IEventDispatcher $eventDispatcher
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								IUserSession $userSession,
-								IL10N $l10n,
-								Defaults $defaults,
-								ISession $session,
-								IProvider $tokenProvider,
-								ISecureRandom $random,
-								IURLGenerator $urlGenerator,
-								ClientMapper $clientMapper,
-								AccessTokenMapper $accessTokenMapper,
-								ICrypto $crypto,
-								IEventDispatcher $eventDispatcher) {
-		parent::__construct($appName, $request);
-		$this->userSession = $userSession;
-		$this->l10n = $l10n;
-		$this->defaults = $defaults;
-		$this->session = $session;
-		$this->tokenProvider = $tokenProvider;
-		$this->random = $random;
-		$this->urlGenerator = $urlGenerator;
-		$this->clientMapper = $clientMapper;
-		$this->accessTokenMapper = $accessTokenMapper;
-		$this->crypto = $crypto;
-		$this->eventDispatcher = $eventDispatcher;
-	}
-
-	/**
-	 * @return string
-	 */
-	private function getClientName() {
-		$userAgent = $this->request->getHeader('USER_AGENT');
-		return $userAgent !== '' ? $userAgent : 'unknown';
-	}
-
-	/**
-	 * @param string $stateToken
-	 * @return bool
-	 */
-	private function isValidToken($stateToken) {
-		$currentToken = $this->session->get(self::STATE_NAME);
-		if (!is_string($stateToken) || !is_string($currentToken)) {
-			return false;
-		}
-		return hash_equals($currentToken, $stateToken);
-	}
-
-	/**
-	 * @return StandaloneTemplateResponse
-	 */
-	private function stateTokenForbiddenResponse() {
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'403',
-			[
-				'message' => $this->l10n->t('State token does not match'),
-			],
-			'guest'
-		);
-		$response->setStatus(Http::STATUS_FORBIDDEN);
-		return $response;
-	}
-
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 * @UseSession
-	 *
-	 * @param string $clientIdentifier
-	 *
-	 * @return StandaloneTemplateResponse
-	 */
-	public function showAuthPickerPage($clientIdentifier = '', $user = '') {
-		$clientName = $this->getClientName();
-		$client = null;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		// No valid clientIdentifier given and no valid API Request (APIRequest header not set)
-		$clientRequest = $this->request->getHeader('OCS-APIREQUEST');
-		if ($clientRequest !== 'true' && $client === null) {
-			return new StandaloneTemplateResponse(
-				$this->appName,
-				'error',
-				[
-					'errors' =>
-					[
-						[
-							'error' => 'Access Forbidden',
-							'hint' => 'Invalid request',
-						],
-					],
-				],
-				'guest'
-			);
-		}
-
-		$stateToken = $this->random->generate(
-			64,
-			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-		);
-		$this->session->set(self::STATE_NAME, $stateToken);
-
-		$csp = new Http\ContentSecurityPolicy();
-		if ($client) {
-			$csp->addAllowedFormActionDomain($client->getRedirectUri());
-		} else {
-			$csp->addAllowedFormActionDomain('nc://*');
-		}
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflow/authpicker',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-				'user' => $user,
-			],
-			'guest'
-		);
-
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @NoSameSiteCookieRequired
-	 * @UseSession
-	 *
-	 * @param string $stateToken
-	 * @param string $clientIdentifier
-	 * @return StandaloneTemplateResponse
-	 */
-	public function grantPage($stateToken = '',
-								 $clientIdentifier = '') {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$clientName = $this->getClientName();
-		$client = null;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		$csp = new Http\ContentSecurityPolicy();
-		if ($client) {
-			$csp->addAllowedFormActionDomain($client->getRedirectUri());
-		} else {
-			$csp->addAllowedFormActionDomain('nc://*');
-		}
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflow/grant',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-			],
-			'guest'
-		);
-
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @UseSession
-	 *
-	 * @param string $stateToken
-	 * @param string $clientIdentifier
-	 * @return Http\RedirectResponse|Response
-	 */
-	public function generateAppPassword($stateToken,
-										$clientIdentifier = '') {
-		if (!$this->isValidToken($stateToken)) {
-			$this->session->remove(self::STATE_NAME);
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$this->session->remove(self::STATE_NAME);
-
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		try {
-			$sessionToken = $this->tokenProvider->getToken($sessionId);
-			$loginName = $sessionToken->getLoginName();
-			try {
-				$password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
-			} catch (PasswordlessTokenException $ex) {
-				$password = null;
-			}
-		} catch (InvalidTokenException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$clientName = $this->getClientName();
-		$client = false;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		if (mb_strlen($clientName) > 128) {
-			$clientName = mb_substr($clientName, 0, 120) . '…';
-		}
-
-		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-		$uid = $this->userSession->getUser()->getUID();
-		$generatedToken = $this->tokenProvider->generateToken(
-			$token,
-			$uid,
-			$loginName,
-			$password,
-			$clientName,
-			IToken::PERMANENT_TOKEN,
-			IToken::DO_NOT_REMEMBER
-		);
-
-		if ($client) {
-			$code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-			$accessToken = new AccessToken();
-			$accessToken->setClientId($client->getId());
-			$accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
-			$accessToken->setHashedCode(hash('sha512', $code));
-			$accessToken->setTokenId($generatedToken->getId());
-			$this->accessTokenMapper->insert($accessToken);
-
-			$redirectUri = $client->getRedirectUri();
-
-			if (parse_url($redirectUri, PHP_URL_QUERY)) {
-				$redirectUri .= '&';
-			} else {
-				$redirectUri .= '?';
-			}
-
-			$redirectUri .= sprintf(
-				'state=%s&code=%s',
-				urlencode($this->session->get('oauth.state')),
-				urlencode($code)
-			);
-			$this->session->remove('oauth.state');
-		} else {
-			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
-
-			// Clear the token from the login here
-			$this->tokenProvider->invalidateToken($sessionId);
-		}
-
-		$this->eventDispatcher->dispatchTyped(
-			new AppPasswordCreatedEvent($generatedToken)
-		);
-
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	/**
-	 * @PublicPage
-	 */
-	public function apptokenRedirect(string $stateToken, string $user, string $password) {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		try {
-			$token = $this->tokenProvider->getToken($password);
-			if ($token->getLoginName() !== $user) {
-				throw new InvalidTokenException('login name does not match');
-			}
-		} catch (InvalidTokenException $e) {
-			$response = new StandaloneTemplateResponse(
-				$this->appName,
-				'403',
-				[
-					'message' => $this->l10n->t('Invalid app password'),
-				],
-				'guest'
-			);
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	private function getServerPath(): string {
-		$serverPostfix = '';
-
-		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
-		} elseif (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
-		}
-
-		$protocol = $this->request->getServerProtocol();
-
-		if ($protocol !== "https") {
-			$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
-			$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
-			if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
-				$protocol = 'https';
-			}
-		}
-
-		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
-	}
+    /** @var IUserSession */
+    private $userSession;
+    /** @var IL10N */
+    private $l10n;
+    /** @var Defaults */
+    private $defaults;
+    /** @var ISession */
+    private $session;
+    /** @var IProvider */
+    private $tokenProvider;
+    /** @var ISecureRandom */
+    private $random;
+    /** @var IURLGenerator */
+    private $urlGenerator;
+    /** @var ClientMapper */
+    private $clientMapper;
+    /** @var AccessTokenMapper */
+    private $accessTokenMapper;
+    /** @var ICrypto */
+    private $crypto;
+    /** @var IEventDispatcher */
+    private $eventDispatcher;
+
+    public const STATE_NAME = 'client.flow.state.token';
+
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IUserSession $userSession
+     * @param IL10N $l10n
+     * @param Defaults $defaults
+     * @param ISession $session
+     * @param IProvider $tokenProvider
+     * @param ISecureRandom $random
+     * @param IURLGenerator $urlGenerator
+     * @param ClientMapper $clientMapper
+     * @param AccessTokenMapper $accessTokenMapper
+     * @param ICrypto $crypto
+     * @param IEventDispatcher $eventDispatcher
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                IUserSession $userSession,
+                                IL10N $l10n,
+                                Defaults $defaults,
+                                ISession $session,
+                                IProvider $tokenProvider,
+                                ISecureRandom $random,
+                                IURLGenerator $urlGenerator,
+                                ClientMapper $clientMapper,
+                                AccessTokenMapper $accessTokenMapper,
+                                ICrypto $crypto,
+                                IEventDispatcher $eventDispatcher) {
+        parent::__construct($appName, $request);
+        $this->userSession = $userSession;
+        $this->l10n = $l10n;
+        $this->defaults = $defaults;
+        $this->session = $session;
+        $this->tokenProvider = $tokenProvider;
+        $this->random = $random;
+        $this->urlGenerator = $urlGenerator;
+        $this->clientMapper = $clientMapper;
+        $this->accessTokenMapper = $accessTokenMapper;
+        $this->crypto = $crypto;
+        $this->eventDispatcher = $eventDispatcher;
+    }
+
+    /**
+     * @return string
+     */
+    private function getClientName() {
+        $userAgent = $this->request->getHeader('USER_AGENT');
+        return $userAgent !== '' ? $userAgent : 'unknown';
+    }
+
+    /**
+     * @param string $stateToken
+     * @return bool
+     */
+    private function isValidToken($stateToken) {
+        $currentToken = $this->session->get(self::STATE_NAME);
+        if (!is_string($stateToken) || !is_string($currentToken)) {
+            return false;
+        }
+        return hash_equals($currentToken, $stateToken);
+    }
+
+    /**
+     * @return StandaloneTemplateResponse
+     */
+    private function stateTokenForbiddenResponse() {
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            '403',
+            [
+                'message' => $this->l10n->t('State token does not match'),
+            ],
+            'guest'
+        );
+        $response->setStatus(Http::STATUS_FORBIDDEN);
+        return $response;
+    }
+
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     * @UseSession
+     *
+     * @param string $clientIdentifier
+     *
+     * @return StandaloneTemplateResponse
+     */
+    public function showAuthPickerPage($clientIdentifier = '', $user = '') {
+        $clientName = $this->getClientName();
+        $client = null;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        // No valid clientIdentifier given and no valid API Request (APIRequest header not set)
+        $clientRequest = $this->request->getHeader('OCS-APIREQUEST');
+        if ($clientRequest !== 'true' && $client === null) {
+            return new StandaloneTemplateResponse(
+                $this->appName,
+                'error',
+                [
+                    'errors' =>
+                    [
+                        [
+                            'error' => 'Access Forbidden',
+                            'hint' => 'Invalid request',
+                        ],
+                    ],
+                ],
+                'guest'
+            );
+        }
+
+        $stateToken = $this->random->generate(
+            64,
+            ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+        );
+        $this->session->set(self::STATE_NAME, $stateToken);
+
+        $csp = new Http\ContentSecurityPolicy();
+        if ($client) {
+            $csp->addAllowedFormActionDomain($client->getRedirectUri());
+        } else {
+            $csp->addAllowedFormActionDomain('nc://*');
+        }
+
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflow/authpicker',
+            [
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+                'user' => $user,
+            ],
+            'guest'
+        );
+
+        $response->setContentSecurityPolicy($csp);
+        return $response;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @NoSameSiteCookieRequired
+     * @UseSession
+     *
+     * @param string $stateToken
+     * @param string $clientIdentifier
+     * @return StandaloneTemplateResponse
+     */
+    public function grantPage($stateToken = '',
+                                    $clientIdentifier = '') {
+        if (!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $clientName = $this->getClientName();
+        $client = null;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        $csp = new Http\ContentSecurityPolicy();
+        if ($client) {
+            $csp->addAllowedFormActionDomain($client->getRedirectUri());
+        } else {
+            $csp->addAllowedFormActionDomain('nc://*');
+        }
+
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflow/grant',
+            [
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+            ],
+            'guest'
+        );
+
+        $response->setContentSecurityPolicy($csp);
+        return $response;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @UseSession
+     *
+     * @param string $stateToken
+     * @param string $clientIdentifier
+     * @return Http\RedirectResponse|Response
+     */
+    public function generateAppPassword($stateToken,
+                                        $clientIdentifier = '') {
+        if (!$this->isValidToken($stateToken)) {
+            $this->session->remove(self::STATE_NAME);
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $this->session->remove(self::STATE_NAME);
+
+        try {
+            $sessionId = $this->session->getId();
+        } catch (SessionNotAvailableException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        try {
+            $sessionToken = $this->tokenProvider->getToken($sessionId);
+            $loginName = $sessionToken->getLoginName();
+            try {
+                $password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
+            } catch (PasswordlessTokenException $ex) {
+                $password = null;
+            }
+        } catch (InvalidTokenException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $clientName = $this->getClientName();
+        $client = false;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        if (mb_strlen($clientName) > 128) {
+            $clientName = mb_substr($clientName, 0, 120) . '…';
+        }
+
+        $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+        $uid = $this->userSession->getUser()->getUID();
+        $generatedToken = $this->tokenProvider->generateToken(
+            $token,
+            $uid,
+            $loginName,
+            $password,
+            $clientName,
+            IToken::PERMANENT_TOKEN,
+            IToken::DO_NOT_REMEMBER
+        );
+
+        if ($client) {
+            $code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+            $accessToken = new AccessToken();
+            $accessToken->setClientId($client->getId());
+            $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
+            $accessToken->setHashedCode(hash('sha512', $code));
+            $accessToken->setTokenId($generatedToken->getId());
+            $this->accessTokenMapper->insert($accessToken);
+
+            $redirectUri = $client->getRedirectUri();
+
+            if (parse_url($redirectUri, PHP_URL_QUERY)) {
+                $redirectUri .= '&';
+            } else {
+                $redirectUri .= '?';
+            }
+
+            $redirectUri .= sprintf(
+                'state=%s&code=%s',
+                urlencode($this->session->get('oauth.state')),
+                urlencode($code)
+            );
+            $this->session->remove('oauth.state');
+        } else {
+            $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
+
+            // Clear the token from the login here
+            $this->tokenProvider->invalidateToken($sessionId);
+        }
+
+        $this->eventDispatcher->dispatchTyped(
+            new AppPasswordCreatedEvent($generatedToken)
+        );
+
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    /**
+     * @PublicPage
+     */
+    public function apptokenRedirect(string $stateToken, string $user, string $password) {
+        if (!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        try {
+            $token = $this->tokenProvider->getToken($password);
+            if ($token->getLoginName() !== $user) {
+                throw new InvalidTokenException('login name does not match');
+            }
+        } catch (InvalidTokenException $e) {
+            $response = new StandaloneTemplateResponse(
+                $this->appName,
+                '403',
+                [
+                    'message' => $this->l10n->t('Invalid app password'),
+                ],
+                'guest'
+            );
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    private function getServerPath(): string {
+        $serverPostfix = '';
+
+        if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
+        } elseif (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
+        }
+
+        $protocol = $this->request->getServerProtocol();
+
+        if ($protocol !== "https") {
+            $xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
+            $xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
+            if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
+                $protocol = 'https';
+            }
+        }
+
+        return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
+    }
 }

Spacing +4 added lines, -4 removed lines

@@ -323,7 +323,7 @@ 
 		}
 
 		if (mb_strlen($clientName) > 128) {
-			$clientName = mb_substr($clientName, 0, 120) . '…';
+			$clientName = mb_substr($clientName, 0, 120).'…';
 		}
 
 		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
@@ -362,7 +362,7 @@ 
 			);
 			$this->session->remove('oauth.state');
 		} else {
-			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
+			$redirectUri = 'nc://login/server:'.$this->getServerPath().'&user:'.urlencode($loginName).'&password:'.urlencode($token);
 
 			// Clear the token from the login here
 			$this->tokenProvider->invalidateToken($sessionId);
@@ -401,7 +401,7 @@ 
 			return $response;
 		}
 
-		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
+		$redirectUri = 'nc://login/server:'.$this->getServerPath().'&user:'.urlencode($user).'&password:'.urlencode($password);
 		return new Http\RedirectResponse($redirectUri);
 	}
 
@@ -424,6 +424,6 @@ 
 			}
 		}
 
-		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
+		return $protocol."://".$this->request->getServerHost().$serverPostfix;
 	}
 }

lib/private/Authentication/Token/PublicKeyTokenProvider.php

Indentation +377 added lines, -377 removed lines

@@ -42,381 +42,381 @@
 use Psr\Log\LoggerInterface;
 
 class PublicKeyTokenProvider implements IProvider {
-	/** @var PublicKeyTokenMapper */
-	private $mapper;
-
-	/** @var ICrypto */
-	private $crypto;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var LoggerInterface */
-	private $logger;
-
-	/** @var ITimeFactory */
-	private $time;
-
-	/** @var CappedMemoryCache */
-	private $cache;
-
-	public function __construct(PublicKeyTokenMapper $mapper,
-								ICrypto $crypto,
-								IConfig $config,
-								LoggerInterface $logger,
-								ITimeFactory $time) {
-		$this->mapper = $mapper;
-		$this->crypto = $crypto;
-		$this->config = $config;
-		$this->logger = $logger;
-		$this->time = $time;
-
-		$this->cache = new CappedMemoryCache();
-	}
-
-	/**
-	 * {@inheritDoc}
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  ?string $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		if (mb_strlen($name) > 128) {
-			throw new InvalidTokenException('The given name is too long');
-		}
-
-		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
-		$this->mapper->insert($dbToken);
-
-		// Add the token to the cache
-		$this->cache[$dbToken->getToken()] = $dbToken;
-
-		return $dbToken;
-	}
-
-	public function getToken(string $tokenId): IToken {
-		$tokenHash = $this->hashToken($tokenId);
-
-		if (isset($this->cache[$tokenHash])) {
-			if ($this->cache[$tokenHash] instanceof DoesNotExistException) {
-				$ex = $this->cache[$tokenHash];
-				throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
-			}
-			$token = $this->cache[$tokenHash];
-		} else {
-			try {
-				$token = $this->mapper->getToken($this->hashToken($tokenId));
-				$this->cache[$token->getToken()] = $token;
-			} catch (DoesNotExistException $ex) {
-				$this->cache[$tokenHash] = $ex;
-				throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
-			}
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		if ($token->getType() === IToken::WIPE_TOKEN) {
-			throw new WipeTokenException($token);
-		}
-
-		if ($token->getPasswordInvalid() === true) {
-			//The password is invalid we should throw an TokenPasswordExpiredException
-			throw new TokenPasswordExpiredException($token);
-		}
-
-		return $token;
-	}
-
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			$token = $this->mapper->getTokenById($tokenId);
-		} catch (DoesNotExistException $ex) {
-			throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
-		}
-
-		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
-			throw new ExpiredTokenException($token);
-		}
-
-		if ($token->getType() === IToken::WIPE_TOKEN) {
-			throw new WipeTokenException($token);
-		}
-
-		if ($token->getPasswordInvalid() === true) {
-			//The password is invalid we should throw an TokenPasswordExpiredException
-			throw new TokenPasswordExpiredException($token);
-		}
-
-		return $token;
-	}
-
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		$this->cache->clear();
-
-		$token = $this->getToken($oldSessionId);
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		$password = null;
-		if (!is_null($token->getPassword())) {
-			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
-			$password = $this->decryptPassword($token->getPassword(), $privateKey);
-		}
-
-		$newToken = $this->generateToken(
-			$sessionId,
-			$token->getUID(),
-			$token->getLoginName(),
-			$password,
-			$token->getName(),
-			IToken::TEMPORARY_TOKEN,
-			$token->getRemember()
-		);
-
-		$this->mapper->delete($token);
-
-		return $newToken;
-	}
-
-	public function invalidateToken(string $token) {
-		$this->cache->clear();
-
-		$this->mapper->invalidate($this->hashToken($token));
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->cache->clear();
-
-		$this->mapper->deleteById($uid, $id);
-	}
-
-	public function invalidateOldTokens() {
-		$this->cache->clear();
-
-		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
-		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
-		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
-		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
-	}
-
-	public function updateToken(IToken $token) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-		$this->mapper->update($token);
-	}
-
-	public function updateTokenActivity(IToken $token) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		$activityInterval = $this->config->getSystemValueInt('token_auth_activity_update', 60);
-		$activityInterval = min(max($activityInterval, 0), 300);
-
-		/** @var PublicKeyToken $token */
-		$now = $this->time->getTime();
-		if ($token->getLastActivity() < ($now - $activityInterval)) {
-			$token->setLastActivity($now);
-			$this->mapper->updateActivity($token, $now);
-		}
-	}
-
-	public function getTokenByUser(string $uid): array {
-		return $this->mapper->getTokenByUser($uid);
-	}
-
-	public function getPassword(IToken $savedToken, string $tokenId): string {
-		if (!($savedToken instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		if ($savedToken->getPassword() === null) {
-			throw new PasswordlessTokenException();
-		}
-
-		// Decrypt private key with tokenId
-		$privateKey = $this->decrypt($savedToken->getPrivateKey(), $tokenId);
-
-		// Decrypt password with private key
-		return $this->decryptPassword($savedToken->getPassword(), $privateKey);
-	}
-
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		// When changing passwords all temp tokens are deleted
-		$this->mapper->deleteTempToken($token);
-
-		// Update the password for all tokens
-		$tokens = $this->mapper->getTokenByUser($token->getUID());
-		foreach ($tokens as $t) {
-			$publicKey = $t->getPublicKey();
-			$t->setPassword($this->encryptPassword($password, $publicKey));
-			$this->updateToken($t);
-		}
-	}
-
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		// Decrypt private key with oldTokenId
-		$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
-		// Encrypt with the new token
-		$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
-
-		$token->setToken($this->hashToken($newTokenId));
-		$this->updateToken($token);
-
-		return $token;
-	}
-
-	private function encrypt(string $plaintext, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return $this->crypto->encrypt($plaintext, $token . $secret);
-	}
-
-	/**
-	 * @throws InvalidTokenException
-	 */
-	private function decrypt(string $cipherText, string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		try {
-			return $this->crypto->decrypt($cipherText, $token . $secret);
-		} catch (\Exception $ex) {
-			// Delete the invalid token
-			$this->invalidateToken($token);
-			throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
-		}
-	}
-
-	private function encryptPassword(string $password, string $publicKey): string {
-		openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
-		$encryptedPassword = base64_encode($encryptedPassword);
-
-		return $encryptedPassword;
-	}
-
-	private function decryptPassword(string $encryptedPassword, string $privateKey): string {
-		$encryptedPassword = base64_decode($encryptedPassword);
-		openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
-
-		return $password;
-	}
-
-	private function hashToken(string $token): string {
-		$secret = $this->config->getSystemValue('secret');
-		return hash('sha512', $token . $secret);
-	}
-
-	/**
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	private function newToken(string $token,
-							  string $uid,
-							  string $loginName,
-							  $password,
-							  string $name,
-							  int $type,
-							  int $remember): PublicKeyToken {
-		$dbToken = new PublicKeyToken();
-		$dbToken->setUid($uid);
-		$dbToken->setLoginName($loginName);
-
-		$config = array_merge([
-			'digest_alg' => 'sha512',
-			'private_key_bits' => 2048,
-		], $this->config->getSystemValue('openssl', []));
-
-		// Generate new key
-		$res = openssl_pkey_new($config);
-		if ($res === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
-
-		if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
-
-		// Extract the public key from $res to $pubKey
-		$publicKey = openssl_pkey_get_details($res);
-		$publicKey = $publicKey['key'];
-
-		$dbToken->setPublicKey($publicKey);
-		$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
-
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
-		}
-
-		$dbToken->setName($name);
-		$dbToken->setToken($this->hashToken($token));
-		$dbToken->setType($type);
-		$dbToken->setRemember($remember);
-		$dbToken->setLastActivity($this->time->getTime());
-		$dbToken->setLastCheck($this->time->getTime());
-		$dbToken->setVersion(PublicKeyToken::VERSION);
-
-		return $dbToken;
-	}
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		$this->cache->clear();
-
-		if (!($token instanceof PublicKeyToken)) {
-			throw new InvalidTokenException("Invalid token type");
-		}
-
-		$token->setPasswordInvalid(true);
-		$this->mapper->update($token);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		$this->cache->clear();
-
-		// prevent setting an empty pw as result of pw-less-login
-		if ($password === '') {
-			return;
-		}
-
-		// Update the password for all tokens
-		$tokens = $this->mapper->getTokenByUser($uid);
-		foreach ($tokens as $t) {
-			$publicKey = $t->getPublicKey();
-			$t->setPassword($this->encryptPassword($password, $publicKey));
-			$t->setPasswordInvalid(false);
-			$this->updateToken($t);
-		}
-	}
-
-	private function logOpensslError() {
-		$errors = [];
-		while ($error = openssl_error_string()) {
-			$errors[] = $error;
-		}
-		$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
-	}
+    /** @var PublicKeyTokenMapper */
+    private $mapper;
+
+    /** @var ICrypto */
+    private $crypto;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var LoggerInterface */
+    private $logger;
+
+    /** @var ITimeFactory */
+    private $time;
+
+    /** @var CappedMemoryCache */
+    private $cache;
+
+    public function __construct(PublicKeyTokenMapper $mapper,
+                                ICrypto $crypto,
+                                IConfig $config,
+                                LoggerInterface $logger,
+                                ITimeFactory $time) {
+        $this->mapper = $mapper;
+        $this->crypto = $crypto;
+        $this->config = $config;
+        $this->logger = $logger;
+        $this->time = $time;
+
+        $this->cache = new CappedMemoryCache();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                  ?string $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        if (mb_strlen($name) > 128) {
+            throw new InvalidTokenException('The given name is too long');
+        }
+
+        $dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
+        $this->mapper->insert($dbToken);
+
+        // Add the token to the cache
+        $this->cache[$dbToken->getToken()] = $dbToken;
+
+        return $dbToken;
+    }
+
+    public function getToken(string $tokenId): IToken {
+        $tokenHash = $this->hashToken($tokenId);
+
+        if (isset($this->cache[$tokenHash])) {
+            if ($this->cache[$tokenHash] instanceof DoesNotExistException) {
+                $ex = $this->cache[$tokenHash];
+                throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
+            }
+            $token = $this->cache[$tokenHash];
+        } else {
+            try {
+                $token = $this->mapper->getToken($this->hashToken($tokenId));
+                $this->cache[$token->getToken()] = $token;
+            } catch (DoesNotExistException $ex) {
+                $this->cache[$tokenHash] = $ex;
+                throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
+            }
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        if ($token->getType() === IToken::WIPE_TOKEN) {
+            throw new WipeTokenException($token);
+        }
+
+        if ($token->getPasswordInvalid() === true) {
+            //The password is invalid we should throw an TokenPasswordExpiredException
+            throw new TokenPasswordExpiredException($token);
+        }
+
+        return $token;
+    }
+
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            $token = $this->mapper->getTokenById($tokenId);
+        } catch (DoesNotExistException $ex) {
+            throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
+        }
+
+        if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
+            throw new ExpiredTokenException($token);
+        }
+
+        if ($token->getType() === IToken::WIPE_TOKEN) {
+            throw new WipeTokenException($token);
+        }
+
+        if ($token->getPasswordInvalid() === true) {
+            //The password is invalid we should throw an TokenPasswordExpiredException
+            throw new TokenPasswordExpiredException($token);
+        }
+
+        return $token;
+    }
+
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        $this->cache->clear();
+
+        $token = $this->getToken($oldSessionId);
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        $password = null;
+        if (!is_null($token->getPassword())) {
+            $privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
+            $password = $this->decryptPassword($token->getPassword(), $privateKey);
+        }
+
+        $newToken = $this->generateToken(
+            $sessionId,
+            $token->getUID(),
+            $token->getLoginName(),
+            $password,
+            $token->getName(),
+            IToken::TEMPORARY_TOKEN,
+            $token->getRemember()
+        );
+
+        $this->mapper->delete($token);
+
+        return $newToken;
+    }
+
+    public function invalidateToken(string $token) {
+        $this->cache->clear();
+
+        $this->mapper->invalidate($this->hashToken($token));
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->cache->clear();
+
+        $this->mapper->deleteById($uid, $id);
+    }
+
+    public function invalidateOldTokens() {
+        $this->cache->clear();
+
+        $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
+        $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+        $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
+        $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+        $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
+        $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
+    }
+
+    public function updateToken(IToken $token) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+        $this->mapper->update($token);
+    }
+
+    public function updateTokenActivity(IToken $token) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        $activityInterval = $this->config->getSystemValueInt('token_auth_activity_update', 60);
+        $activityInterval = min(max($activityInterval, 0), 300);
+
+        /** @var PublicKeyToken $token */
+        $now = $this->time->getTime();
+        if ($token->getLastActivity() < ($now - $activityInterval)) {
+            $token->setLastActivity($now);
+            $this->mapper->updateActivity($token, $now);
+        }
+    }
+
+    public function getTokenByUser(string $uid): array {
+        return $this->mapper->getTokenByUser($uid);
+    }
+
+    public function getPassword(IToken $savedToken, string $tokenId): string {
+        if (!($savedToken instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        if ($savedToken->getPassword() === null) {
+            throw new PasswordlessTokenException();
+        }
+
+        // Decrypt private key with tokenId
+        $privateKey = $this->decrypt($savedToken->getPrivateKey(), $tokenId);
+
+        // Decrypt password with private key
+        return $this->decryptPassword($savedToken->getPassword(), $privateKey);
+    }
+
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        // When changing passwords all temp tokens are deleted
+        $this->mapper->deleteTempToken($token);
+
+        // Update the password for all tokens
+        $tokens = $this->mapper->getTokenByUser($token->getUID());
+        foreach ($tokens as $t) {
+            $publicKey = $t->getPublicKey();
+            $t->setPassword($this->encryptPassword($password, $publicKey));
+            $this->updateToken($t);
+        }
+    }
+
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        // Decrypt private key with oldTokenId
+        $privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
+        // Encrypt with the new token
+        $token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
+
+        $token->setToken($this->hashToken($newTokenId));
+        $this->updateToken($token);
+
+        return $token;
+    }
+
+    private function encrypt(string $plaintext, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return $this->crypto->encrypt($plaintext, $token . $secret);
+    }
+
+    /**
+     * @throws InvalidTokenException
+     */
+    private function decrypt(string $cipherText, string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        try {
+            return $this->crypto->decrypt($cipherText, $token . $secret);
+        } catch (\Exception $ex) {
+            // Delete the invalid token
+            $this->invalidateToken($token);
+            throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
+        }
+    }
+
+    private function encryptPassword(string $password, string $publicKey): string {
+        openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
+        $encryptedPassword = base64_encode($encryptedPassword);
+
+        return $encryptedPassword;
+    }
+
+    private function decryptPassword(string $encryptedPassword, string $privateKey): string {
+        $encryptedPassword = base64_decode($encryptedPassword);
+        openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
+
+        return $password;
+    }
+
+    private function hashToken(string $token): string {
+        $secret = $this->config->getSystemValue('secret');
+        return hash('sha512', $token . $secret);
+    }
+
+    /**
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    private function newToken(string $token,
+                                string $uid,
+                                string $loginName,
+                                $password,
+                                string $name,
+                                int $type,
+                                int $remember): PublicKeyToken {
+        $dbToken = new PublicKeyToken();
+        $dbToken->setUid($uid);
+        $dbToken->setLoginName($loginName);
+
+        $config = array_merge([
+            'digest_alg' => 'sha512',
+            'private_key_bits' => 2048,
+        ], $this->config->getSystemValue('openssl', []));
+
+        // Generate new key
+        $res = openssl_pkey_new($config);
+        if ($res === false) {
+            $this->logOpensslError();
+            throw new \RuntimeException('OpenSSL reported a problem');
+        }
+
+        if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
+            $this->logOpensslError();
+            throw new \RuntimeException('OpenSSL reported a problem');
+        }
+
+        // Extract the public key from $res to $pubKey
+        $publicKey = openssl_pkey_get_details($res);
+        $publicKey = $publicKey['key'];
+
+        $dbToken->setPublicKey($publicKey);
+        $dbToken->setPrivateKey($this->encrypt($privateKey, $token));
+
+        if (!is_null($password)) {
+            $dbToken->setPassword($this->encryptPassword($password, $publicKey));
+        }
+
+        $dbToken->setName($name);
+        $dbToken->setToken($this->hashToken($token));
+        $dbToken->setType($type);
+        $dbToken->setRemember($remember);
+        $dbToken->setLastActivity($this->time->getTime());
+        $dbToken->setLastCheck($this->time->getTime());
+        $dbToken->setVersion(PublicKeyToken::VERSION);
+
+        return $dbToken;
+    }
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        $this->cache->clear();
+
+        if (!($token instanceof PublicKeyToken)) {
+            throw new InvalidTokenException("Invalid token type");
+        }
+
+        $token->setPasswordInvalid(true);
+        $this->mapper->update($token);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        $this->cache->clear();
+
+        // prevent setting an empty pw as result of pw-less-login
+        if ($password === '') {
+            return;
+        }
+
+        // Update the password for all tokens
+        $tokens = $this->mapper->getTokenByUser($uid);
+        foreach ($tokens as $t) {
+            $publicKey = $t->getPublicKey();
+            $t->setPassword($this->encryptPassword($password, $publicKey));
+            $t->setPasswordInvalid(false);
+            $this->updateToken($t);
+        }
+    }
+
+    private function logOpensslError() {
+        $errors = [];
+        while ($error = openssl_error_string()) {
+            $errors[] = $error;
+        }
+        $this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
+    }
 }

lib/private/Authentication/Token/Manager.php

Indentation +205 added lines, -205 removed lines

@@ -35,209 +35,209 @@
 
 class Manager implements IProvider {
 
-	/** @var PublicKeyTokenProvider */
-	private $publicKeyTokenProvider;
-
-	public function __construct(PublicKeyTokenProvider $publicKeyTokenProvider) {
-		$this->publicKeyTokenProvider = $publicKeyTokenProvider;
-	}
-
-	/**
-	 * Create and persist a new token
-	 *
-	 * @param string $token
-	 * @param string $uid
-	 * @param string $loginName
-	 * @param string|null $password
-	 * @param string $name
-	 * @param int $type token type
-	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
-	 */
-	public function generateToken(string $token,
-								  string $uid,
-								  string $loginName,
-								  $password,
-								  string $name,
-								  int $type = IToken::TEMPORARY_TOKEN,
-								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
-		if (mb_strlen($name) > 128) {
-			throw new InvalidTokenException('The given name is too long');
-		}
-
-		try {
-			return $this->publicKeyTokenProvider->generateToken(
-				$token,
-				$uid,
-				$loginName,
-				$password,
-				$name,
-				$type,
-				$remember
-			);
-		} catch (UniqueConstraintViolationException $e) {
-			// It's rare, but if two requests of the same session (e.g. env-based SAML)
-			// try to create the session token they might end up here at the same time
-			// because we use the session ID as token and the db token is created anew
-			// with every request.
-			//
-			// If the UIDs match, then this should be fine.
-			$existing = $this->getToken($token);
-			if ($existing->getUID() !== $uid) {
-				throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
-			}
-			return $existing;
-		}
-	}
-
-	/**
-	 * Save the updated token
-	 *
-	 * @param IToken $token
-	 * @throws InvalidTokenException
-	 */
-	public function updateToken(IToken $token) {
-		$provider = $this->getProvider($token);
-		$provider->updateToken($token);
-	}
-
-	/**
-	 * Update token activity timestamp
-	 *
-	 * @throws InvalidTokenException
-	 * @param IToken $token
-	 */
-	public function updateTokenActivity(IToken $token) {
-		$provider = $this->getProvider($token);
-		$provider->updateTokenActivity($token);
-	}
-
-	/**
-	 * @param string $uid
-	 * @return IToken[]
-	 */
-	public function getTokenByUser(string $uid): array {
-		return $this->publicKeyTokenProvider->getTokenByUser($uid);
-	}
-
-	/**
-	 * Get a token by token
-	 *
-	 * @param string $tokenId
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 * @return IToken
-	 */
-	public function getToken(string $tokenId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->getToken($tokenId);
-		} catch (WipeTokenException $e) {
-			throw $e;
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			throw $e;
-		}
-	}
-
-	/**
-	 * Get a token by token id
-	 *
-	 * @param int $tokenId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function getTokenById(int $tokenId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->getTokenById($tokenId);
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (WipeTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			throw $e;
-		}
-	}
-
-	/**
-	 * @param string $oldSessionId
-	 * @param string $sessionId
-	 * @throws InvalidTokenException
-	 * @return IToken
-	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
-		try {
-			return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
-		} catch (ExpiredTokenException $e) {
-			throw $e;
-		} catch (InvalidTokenException $e) {
-			throw $e;
-		}
-	}
-
-	/**
-	 * @param IToken $savedToken
-	 * @param string $tokenId session token
-	 * @throws InvalidTokenException
-	 * @throws PasswordlessTokenException
-	 * @return string
-	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string {
-		$provider = $this->getProvider($savedToken);
-		return $provider->getPassword($savedToken, $tokenId);
-	}
-
-	public function setPassword(IToken $token, string $tokenId, string $password) {
-		$provider = $this->getProvider($token);
-		$provider->setPassword($token, $tokenId, $password);
-	}
-
-	public function invalidateToken(string $token) {
-		$this->publicKeyTokenProvider->invalidateToken($token);
-	}
-
-	public function invalidateTokenById(string $uid, int $id) {
-		$this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
-	}
-
-	public function invalidateOldTokens() {
-		$this->publicKeyTokenProvider->invalidateOldTokens();
-	}
-
-	/**
-	 * @param IToken $token
-	 * @param string $oldTokenId
-	 * @param string $newTokenId
-	 * @return IToken
-	 * @throws InvalidTokenException
-	 * @throws \RuntimeException when OpenSSL reports a problem
-	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
-		if ($token instanceof PublicKeyToken) {
-			return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
-		}
-
-		throw new InvalidTokenException();
-	}
-
-	/**
-	 * @param IToken $token
-	 * @return IProvider
-	 * @throws InvalidTokenException
-	 */
-	private function getProvider(IToken $token): IProvider {
-		if ($token instanceof PublicKeyToken) {
-			return $this->publicKeyTokenProvider;
-		}
-		throw new InvalidTokenException();
-	}
-
-
-	public function markPasswordInvalid(IToken $token, string $tokenId) {
-		$this->getProvider($token)->markPasswordInvalid($token, $tokenId);
-	}
-
-	public function updatePasswords(string $uid, string $password) {
-		$this->publicKeyTokenProvider->updatePasswords($uid, $password);
-	}
+    /** @var PublicKeyTokenProvider */
+    private $publicKeyTokenProvider;
+
+    public function __construct(PublicKeyTokenProvider $publicKeyTokenProvider) {
+        $this->publicKeyTokenProvider = $publicKeyTokenProvider;
+    }
+
+    /**
+     * Create and persist a new token
+     *
+     * @param string $token
+     * @param string $uid
+     * @param string $loginName
+     * @param string|null $password
+     * @param string $name
+     * @param int $type token type
+     * @param int $remember whether the session token should be used for remember-me
+     * @return IToken
+     */
+    public function generateToken(string $token,
+                                    string $uid,
+                                    string $loginName,
+                                    $password,
+                                    string $name,
+                                    int $type = IToken::TEMPORARY_TOKEN,
+                                    int $remember = IToken::DO_NOT_REMEMBER): IToken {
+        if (mb_strlen($name) > 128) {
+            throw new InvalidTokenException('The given name is too long');
+        }
+
+        try {
+            return $this->publicKeyTokenProvider->generateToken(
+                $token,
+                $uid,
+                $loginName,
+                $password,
+                $name,
+                $type,
+                $remember
+            );
+        } catch (UniqueConstraintViolationException $e) {
+            // It's rare, but if two requests of the same session (e.g. env-based SAML)
+            // try to create the session token they might end up here at the same time
+            // because we use the session ID as token and the db token is created anew
+            // with every request.
+            //
+            // If the UIDs match, then this should be fine.
+            $existing = $this->getToken($token);
+            if ($existing->getUID() !== $uid) {
+                throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
+            }
+            return $existing;
+        }
+    }
+
+    /**
+     * Save the updated token
+     *
+     * @param IToken $token
+     * @throws InvalidTokenException
+     */
+    public function updateToken(IToken $token) {
+        $provider = $this->getProvider($token);
+        $provider->updateToken($token);
+    }
+
+    /**
+     * Update token activity timestamp
+     *
+     * @throws InvalidTokenException
+     * @param IToken $token
+     */
+    public function updateTokenActivity(IToken $token) {
+        $provider = $this->getProvider($token);
+        $provider->updateTokenActivity($token);
+    }
+
+    /**
+     * @param string $uid
+     * @return IToken[]
+     */
+    public function getTokenByUser(string $uid): array {
+        return $this->publicKeyTokenProvider->getTokenByUser($uid);
+    }
+
+    /**
+     * Get a token by token
+     *
+     * @param string $tokenId
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     * @return IToken
+     */
+    public function getToken(string $tokenId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->getToken($tokenId);
+        } catch (WipeTokenException $e) {
+            throw $e;
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            throw $e;
+        }
+    }
+
+    /**
+     * Get a token by token id
+     *
+     * @param int $tokenId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function getTokenById(int $tokenId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->getTokenById($tokenId);
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (WipeTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            throw $e;
+        }
+    }
+
+    /**
+     * @param string $oldSessionId
+     * @param string $sessionId
+     * @throws InvalidTokenException
+     * @return IToken
+     */
+    public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
+        try {
+            return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
+        } catch (ExpiredTokenException $e) {
+            throw $e;
+        } catch (InvalidTokenException $e) {
+            throw $e;
+        }
+    }
+
+    /**
+     * @param IToken $savedToken
+     * @param string $tokenId session token
+     * @throws InvalidTokenException
+     * @throws PasswordlessTokenException
+     * @return string
+     */
+    public function getPassword(IToken $savedToken, string $tokenId): string {
+        $provider = $this->getProvider($savedToken);
+        return $provider->getPassword($savedToken, $tokenId);
+    }
+
+    public function setPassword(IToken $token, string $tokenId, string $password) {
+        $provider = $this->getProvider($token);
+        $provider->setPassword($token, $tokenId, $password);
+    }
+
+    public function invalidateToken(string $token) {
+        $this->publicKeyTokenProvider->invalidateToken($token);
+    }
+
+    public function invalidateTokenById(string $uid, int $id) {
+        $this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
+    }
+
+    public function invalidateOldTokens() {
+        $this->publicKeyTokenProvider->invalidateOldTokens();
+    }
+
+    /**
+     * @param IToken $token
+     * @param string $oldTokenId
+     * @param string $newTokenId
+     * @return IToken
+     * @throws InvalidTokenException
+     * @throws \RuntimeException when OpenSSL reports a problem
+     */
+    public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
+        if ($token instanceof PublicKeyToken) {
+            return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
+        }
+
+        throw new InvalidTokenException();
+    }
+
+    /**
+     * @param IToken $token
+     * @return IProvider
+     * @throws InvalidTokenException
+     */
+    private function getProvider(IToken $token): IProvider {
+        if ($token instanceof PublicKeyToken) {
+            return $this->publicKeyTokenProvider;
+        }
+        throw new InvalidTokenException();
+    }
+
+
+    public function markPasswordInvalid(IToken $token, string $tokenId) {
+        $this->getProvider($token)->markPasswordInvalid($token, $tokenId);
+    }
+
+    public function updatePasswords(string $uid, string $password) {
+        $this->publicKeyTokenProvider->updatePasswords($uid, $password);
+    }
 }

apps/settings/lib/Controller/AuthSettingsController.php

Indentation +271 added lines, -271 removed lines

@@ -54,275 +54,275 @@
 
 class AuthSettingsController extends Controller {
 
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var ISession */
-	private $session;
-
-	/** IUserSession */
-	private $userSession;
-
-	/** @var string */
-	private $uid;
-
-	/** @var ISecureRandom */
-	private $random;
-
-	/** @var IManager */
-	private $activityManager;
-
-	/** @var RemoteWipe */
-	private $remoteWipe;
-
-	/** @var LoggerInterface */
-	private $logger;
-
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IProvider $tokenProvider
-	 * @param ISession $session
-	 * @param ISecureRandom $random
-	 * @param string|null $userId
-	 * @param IUserSession $userSession
-	 * @param IManager $activityManager
-	 * @param RemoteWipe $remoteWipe
-	 * @param LoggerInterface $logger
-	 */
-	public function __construct(string $appName,
-								IRequest $request,
-								IProvider $tokenProvider,
-								ISession $session,
-								ISecureRandom $random,
-								?string $userId,
-								IUserSession $userSession,
-								IManager $activityManager,
-								RemoteWipe $remoteWipe,
-								LoggerInterface $logger) {
-		parent::__construct($appName, $request);
-		$this->tokenProvider = $tokenProvider;
-		$this->uid = $userId;
-		$this->userSession = $userSession;
-		$this->session = $session;
-		$this->random = $random;
-		$this->activityManager = $activityManager;
-		$this->remoteWipe = $remoteWipe;
-		$this->logger = $logger;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $name
-	 * @return JSONResponse
-	 */
-	public function create($name) {
-		if ($this->checkAppToken()) {
-			return $this->getServiceNotAvailableResponse();
-		}
-
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			return $this->getServiceNotAvailableResponse();
-		}
-		if ($this->userSession->getImpersonatingUserID() !== null) {
-			return $this->getServiceNotAvailableResponse();
-		}
-
-		try {
-			$sessionToken = $this->tokenProvider->getToken($sessionId);
-			$loginName = $sessionToken->getLoginName();
-			try {
-				$password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
-			} catch (PasswordlessTokenException $ex) {
-				$password = null;
-			}
-		} catch (InvalidTokenException $ex) {
-			return $this->getServiceNotAvailableResponse();
-		}
-
-		if (mb_strlen($name) > 128) {
-			$name = mb_substr($name, 0, 120) . '…';
-		}
-
-		$token = $this->generateRandomDeviceToken();
-		$deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
-		$tokenData = $deviceToken->jsonSerialize();
-		$tokenData['canDelete'] = true;
-		$tokenData['canRename'] = true;
-
-		$this->publishActivity(Provider::APP_TOKEN_CREATED, $deviceToken->getId(), ['name' => $deviceToken->getName()]);
-
-		return new JSONResponse([
-			'token' => $token,
-			'loginName' => $loginName,
-			'deviceToken' => $tokenData,
-		]);
-	}
-
-	/**
-	 * @return JSONResponse
-	 */
-	private function getServiceNotAvailableResponse() {
-		$resp = new JSONResponse();
-		$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-		return $resp;
-	}
-
-	/**
-	 * Return a 25 digit device password
-	 *
-	 * Example: AbCdE-fGhJk-MnPqR-sTwXy-23456
-	 *
-	 * @return string
-	 */
-	private function generateRandomDeviceToken() {
-		$groups = [];
-		for ($i = 0; $i < 5; $i++) {
-			$groups[] = $this->random->generate(5, ISecureRandom::CHAR_HUMAN_READABLE);
-		}
-		return implode('-', $groups);
-	}
-
-	private function checkAppToken(): bool {
-		return $this->session->exists('app_password');
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 *
-	 * @param int $id
-	 * @return array|JSONResponse
-	 */
-	public function destroy($id) {
-		if ($this->checkAppToken()) {
-			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
-		}
-
-		try {
-			$token = $this->findTokenByIdAndUser($id);
-		} catch (WipeTokenException $e) {
-			//continue as we can destroy tokens in wipe
-			$token = $e->getToken();
-		} catch (InvalidTokenException $e) {
-			return new JSONResponse([], Http::STATUS_NOT_FOUND);
-		}
-
-		$this->tokenProvider->invalidateTokenById($this->uid, $token->getId());
-		$this->publishActivity(Provider::APP_TOKEN_DELETED, $token->getId(), ['name' => $token->getName()]);
-		return [];
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 *
-	 * @param int $id
-	 * @param array $scope
-	 * @param string $name
-	 * @return array|JSONResponse
-	 */
-	public function update($id, array $scope, string $name) {
-		if ($this->checkAppToken()) {
-			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
-		}
-
-		try {
-			$token = $this->findTokenByIdAndUser($id);
-		} catch (InvalidTokenException $e) {
-			return new JSONResponse([], Http::STATUS_NOT_FOUND);
-		}
-
-		$currentName = $token->getName();
-
-		if ($scope !== $token->getScopeAsArray()) {
-			$token->setScope(['filesystem' => $scope['filesystem']]);
-			$this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
-		}
-
-		if (mb_strlen($name) > 128) {
-			$name = mb_substr($name, 0, 120) . '…';
-		}
-
-		if ($token instanceof INamedToken && $name !== $currentName) {
-			$token->setName($name);
-			$this->publishActivity(Provider::APP_TOKEN_RENAMED, $token->getId(), ['name' => $currentName, 'newName' => $name]);
-		}
-
-		$this->tokenProvider->updateToken($token);
-		return [];
-	}
-
-	/**
-	 * @param string $subject
-	 * @param int $id
-	 * @param array $parameters
-	 */
-	private function publishActivity(string $subject, int $id, array $parameters = []): void {
-		$event = $this->activityManager->generateEvent();
-		$event->setApp('settings')
-			->setType('security')
-			->setAffectedUser($this->uid)
-			->setAuthor($this->uid)
-			->setSubject($subject, $parameters)
-			->setObject('app_token', $id, 'App Password');
-
-		try {
-			$this->activityManager->publish($event);
-		} catch (BadMethodCallException $e) {
-			$this->logger->warning('could not publish activity', ['exception' => $e]);
-		}
-	}
-
-	/**
-	 * Find a token by given id and check if uid for current session belongs to this token
-	 *
-	 * @param int $id
-	 * @return IToken
-	 * @throws InvalidTokenException
-	 */
-	private function findTokenByIdAndUser(int $id): IToken {
-		try {
-			$token = $this->tokenProvider->getTokenById($id);
-		} catch (ExpiredTokenException $e) {
-			$token = $e->getToken();
-		}
-		if ($token->getUID() !== $this->uid) {
-			throw new InvalidTokenException('This token does not belong to you!');
-		}
-		return $token;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param int $id
-	 * @return JSONResponse
-	 * @throws InvalidTokenException
-	 * @throws \OC\Authentication\Exceptions\ExpiredTokenException
-	 */
-	public function wipe(int $id): JSONResponse {
-		if ($this->checkAppToken()) {
-			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
-		}
-
-		try {
-			$token = $this->findTokenByIdAndUser($id);
-		} catch (InvalidTokenException $e) {
-			return new JSONResponse([], Http::STATUS_NOT_FOUND);
-		}
-
-		if (!$this->remoteWipe->markTokenForWipe($token)) {
-			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
-		}
-
-		return new JSONResponse([]);
-	}
+    /** @var IProvider */
+    private $tokenProvider;
+
+    /** @var ISession */
+    private $session;
+
+    /** IUserSession */
+    private $userSession;
+
+    /** @var string */
+    private $uid;
+
+    /** @var ISecureRandom */
+    private $random;
+
+    /** @var IManager */
+    private $activityManager;
+
+    /** @var RemoteWipe */
+    private $remoteWipe;
+
+    /** @var LoggerInterface */
+    private $logger;
+
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IProvider $tokenProvider
+     * @param ISession $session
+     * @param ISecureRandom $random
+     * @param string|null $userId
+     * @param IUserSession $userSession
+     * @param IManager $activityManager
+     * @param RemoteWipe $remoteWipe
+     * @param LoggerInterface $logger
+     */
+    public function __construct(string $appName,
+                                IRequest $request,
+                                IProvider $tokenProvider,
+                                ISession $session,
+                                ISecureRandom $random,
+                                ?string $userId,
+                                IUserSession $userSession,
+                                IManager $activityManager,
+                                RemoteWipe $remoteWipe,
+                                LoggerInterface $logger) {
+        parent::__construct($appName, $request);
+        $this->tokenProvider = $tokenProvider;
+        $this->uid = $userId;
+        $this->userSession = $userSession;
+        $this->session = $session;
+        $this->random = $random;
+        $this->activityManager = $activityManager;
+        $this->remoteWipe = $remoteWipe;
+        $this->logger = $logger;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param string $name
+     * @return JSONResponse
+     */
+    public function create($name) {
+        if ($this->checkAppToken()) {
+            return $this->getServiceNotAvailableResponse();
+        }
+
+        try {
+            $sessionId = $this->session->getId();
+        } catch (SessionNotAvailableException $ex) {
+            return $this->getServiceNotAvailableResponse();
+        }
+        if ($this->userSession->getImpersonatingUserID() !== null) {
+            return $this->getServiceNotAvailableResponse();
+        }
+
+        try {
+            $sessionToken = $this->tokenProvider->getToken($sessionId);
+            $loginName = $sessionToken->getLoginName();
+            try {
+                $password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
+            } catch (PasswordlessTokenException $ex) {
+                $password = null;
+            }
+        } catch (InvalidTokenException $ex) {
+            return $this->getServiceNotAvailableResponse();
+        }
+
+        if (mb_strlen($name) > 128) {
+            $name = mb_substr($name, 0, 120) . '…';
+        }
+
+        $token = $this->generateRandomDeviceToken();
+        $deviceToken = $this->tokenProvider->generateToken($token, $this->uid, $loginName, $password, $name, IToken::PERMANENT_TOKEN);
+        $tokenData = $deviceToken->jsonSerialize();
+        $tokenData['canDelete'] = true;
+        $tokenData['canRename'] = true;
+
+        $this->publishActivity(Provider::APP_TOKEN_CREATED, $deviceToken->getId(), ['name' => $deviceToken->getName()]);
+
+        return new JSONResponse([
+            'token' => $token,
+            'loginName' => $loginName,
+            'deviceToken' => $tokenData,
+        ]);
+    }
+
+    /**
+     * @return JSONResponse
+     */
+    private function getServiceNotAvailableResponse() {
+        $resp = new JSONResponse();
+        $resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
+        return $resp;
+    }
+
+    /**
+     * Return a 25 digit device password
+     *
+     * Example: AbCdE-fGhJk-MnPqR-sTwXy-23456
+     *
+     * @return string
+     */
+    private function generateRandomDeviceToken() {
+        $groups = [];
+        for ($i = 0; $i < 5; $i++) {
+            $groups[] = $this->random->generate(5, ISecureRandom::CHAR_HUMAN_READABLE);
+        }
+        return implode('-', $groups);
+    }
+
+    private function checkAppToken(): bool {
+        return $this->session->exists('app_password');
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     *
+     * @param int $id
+     * @return array|JSONResponse
+     */
+    public function destroy($id) {
+        if ($this->checkAppToken()) {
+            return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+        }
+
+        try {
+            $token = $this->findTokenByIdAndUser($id);
+        } catch (WipeTokenException $e) {
+            //continue as we can destroy tokens in wipe
+            $token = $e->getToken();
+        } catch (InvalidTokenException $e) {
+            return new JSONResponse([], Http::STATUS_NOT_FOUND);
+        }
+
+        $this->tokenProvider->invalidateTokenById($this->uid, $token->getId());
+        $this->publishActivity(Provider::APP_TOKEN_DELETED, $token->getId(), ['name' => $token->getName()]);
+        return [];
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     *
+     * @param int $id
+     * @param array $scope
+     * @param string $name
+     * @return array|JSONResponse
+     */
+    public function update($id, array $scope, string $name) {
+        if ($this->checkAppToken()) {
+            return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+        }
+
+        try {
+            $token = $this->findTokenByIdAndUser($id);
+        } catch (InvalidTokenException $e) {
+            return new JSONResponse([], Http::STATUS_NOT_FOUND);
+        }
+
+        $currentName = $token->getName();
+
+        if ($scope !== $token->getScopeAsArray()) {
+            $token->setScope(['filesystem' => $scope['filesystem']]);
+            $this->publishActivity($scope['filesystem'] ? Provider::APP_TOKEN_FILESYSTEM_GRANTED : Provider::APP_TOKEN_FILESYSTEM_REVOKED, $token->getId(), ['name' => $currentName]);
+        }
+
+        if (mb_strlen($name) > 128) {
+            $name = mb_substr($name, 0, 120) . '…';
+        }
+
+        if ($token instanceof INamedToken && $name !== $currentName) {
+            $token->setName($name);
+            $this->publishActivity(Provider::APP_TOKEN_RENAMED, $token->getId(), ['name' => $currentName, 'newName' => $name]);
+        }
+
+        $this->tokenProvider->updateToken($token);
+        return [];
+    }
+
+    /**
+     * @param string $subject
+     * @param int $id
+     * @param array $parameters
+     */
+    private function publishActivity(string $subject, int $id, array $parameters = []): void {
+        $event = $this->activityManager->generateEvent();
+        $event->setApp('settings')
+            ->setType('security')
+            ->setAffectedUser($this->uid)
+            ->setAuthor($this->uid)
+            ->setSubject($subject, $parameters)
+            ->setObject('app_token', $id, 'App Password');
+
+        try {
+            $this->activityManager->publish($event);
+        } catch (BadMethodCallException $e) {
+            $this->logger->warning('could not publish activity', ['exception' => $e]);
+        }
+    }
+
+    /**
+     * Find a token by given id and check if uid for current session belongs to this token
+     *
+     * @param int $id
+     * @return IToken
+     * @throws InvalidTokenException
+     */
+    private function findTokenByIdAndUser(int $id): IToken {
+        try {
+            $token = $this->tokenProvider->getTokenById($id);
+        } catch (ExpiredTokenException $e) {
+            $token = $e->getToken();
+        }
+        if ($token->getUID() !== $this->uid) {
+            throw new InvalidTokenException('This token does not belong to you!');
+        }
+        return $token;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param int $id
+     * @return JSONResponse
+     * @throws InvalidTokenException
+     * @throws \OC\Authentication\Exceptions\ExpiredTokenException
+     */
+    public function wipe(int $id): JSONResponse {
+        if ($this->checkAppToken()) {
+            return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+        }
+
+        try {
+            $token = $this->findTokenByIdAndUser($id);
+        } catch (InvalidTokenException $e) {
+            return new JSONResponse([], Http::STATUS_NOT_FOUND);
+        }
+
+        if (!$this->remoteWipe->markTokenForWipe($token)) {
+            return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+        }
+
+        return new JSONResponse([]);
+    }
 }

Spacing +2 added lines, -2 removed lines

@@ -146,7 +146,7 @@ 
 		}
 
 		if (mb_strlen($name) > 128) {
-			$name = mb_substr($name, 0, 120) . '…';
+			$name = mb_substr($name, 0, 120).'…';
 		}
 
 		$token = $this->generateRandomDeviceToken();
@@ -246,7 +246,7 @@ 
 		}
 
 		if (mb_strlen($name) > 128) {
-			$name = mb_substr($name, 0, 120) . '…';
+			$name = mb_substr($name, 0, 120).'…';
 		}
 
 		if ($token instanceof INamedToken && $name !== $currentName) {