From f84789f88bee0b5a6f83f9729b99a299cc64665c Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Mon, 11 Jun 2018 10:45:19 +0200 Subject: [PATCH] Allow updating the token on session regeneration Sometimes when we force a session regeneration we want to update the current token for this session. Signed-off-by: Roeland Jago Douma --- .../lib/Controller/ShareController.php | 2 +- lib/private/Session/CryptoSessionData.php | 5 +-- lib/private/Session/Internal.php | 33 ++++++++++++++++++- lib/private/Session/Memory.php | 2 +- lib/private/User/Session.php | 2 ++ lib/public/ISession.php | 5 +-- 6 files changed, 42 insertions(+), 7 deletions(-) diff --git a/apps/files_sharing/lib/Controller/ShareController.php b/apps/files_sharing/lib/Controller/ShareController.php index f8749526900ed..859873de1a21b 100644 --- a/apps/files_sharing/lib/Controller/ShareController.php +++ b/apps/files_sharing/lib/Controller/ShareController.php @@ -204,7 +204,7 @@ public function authenticate($token, $password = '') { private function linkShareAuth(\OCP\Share\IShare $share, $password = null) { if ($password !== null) { if ($this->shareManager->checkPassword($share, $password)) { - $this->session->regenerateId(); + $this->session->regenerateId(true, true); $this->session->set('public_link_authenticated', (string)$share->getId()); } else { $this->emitAccessShareHook($share, 403, 'Wrong password'); diff --git a/lib/private/Session/CryptoSessionData.php b/lib/private/Session/CryptoSessionData.php index 272e82ef49624..24582b3518664 100644 --- a/lib/private/Session/CryptoSessionData.php +++ b/lib/private/Session/CryptoSessionData.php @@ -149,10 +149,11 @@ public function clear() { * Wrapper around session_regenerate_id * * @param bool $deleteOldSession Whether to delete the old associated session file or not. + * @param bool $updateToken Wheater to update the associated auth token * @return void */ - public function regenerateId($deleteOldSession = true) { - $this->session->regenerateId($deleteOldSession); + public function regenerateId($deleteOldSession = true, $updateToken = false) { + $this->session->regenerateId($deleteOldSession, $updateToken); } /** diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php index d137d72a04822..20230acebe8d8 100644 --- a/lib/private/Session/Internal.php +++ b/lib/private/Session/Internal.php @@ -29,6 +29,10 @@ namespace OC\Session; +use OC\Authentication\Exceptions\InvalidTokenException; +use OC\Authentication\Token\IProvider; +use OC\SystemConfig; +use OCP\IConfig; use OCP\Session\Exceptions\SessionNotAvailableException; /** @@ -110,14 +114,41 @@ public function close() { * Wrapper around session_regenerate_id * * @param bool $deleteOldSession Whether to delete the old associated session file or not. + * @param bool $updateToken Wheater to update the associated auth token * @return void */ - public function regenerateId($deleteOldSession = true) { + public function regenerateId($deleteOldSession = true, $updateToken = false) { + $oldId = null; + + if ($updateToken) { + // Get the old id to update the token + try { + $oldId = $this->getId(); + } catch (SessionNotAvailableException $e) { + // We can't update a token if there is no previous id + $updateToken = false; + } + } + try { @session_regenerate_id($deleteOldSession); } catch (\Error $e) { $this->trapError($e->getCode(), $e->getMessage()); } + + if ($updateToken) { + // Get the new id to update the token + $newId = $this->getId(); + + /** @var IProvider $tokenProvider */ + $tokenProvider = \OC::$server->query(IProvider::class); + + try { + $tokenProvider->renewSessionToken($oldId, $newId); + } catch (InvalidTokenException $e) { + // Just ignore + } + } } /** diff --git a/lib/private/Session/Memory.php b/lib/private/Session/Memory.php index 22d6ffa0110b9..8975d8dfe0bfe 100644 --- a/lib/private/Session/Memory.php +++ b/lib/private/Session/Memory.php @@ -90,7 +90,7 @@ public function clear() { * * @param bool $deleteOldSession */ - public function regenerateId($deleteOldSession = true) {} + public function regenerateId($deleteOldSession = true, $updateToken = false) {} /** * Wrapper around session_id diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 34319760c86d8..489f3cc0d3df3 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -624,6 +624,8 @@ public function createSessionToken(IRequest $request, $uid, $loginName, $passwor try { $sessionId = $this->session->getId(); $pwd = $this->getPassword($password); + // Make sure the current sessionId has no leftover tokens + $this->tokenProvider->invalidateToken($sessionId); $this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember); return true; } catch (SessionNotAvailableException $ex) { diff --git a/lib/public/ISession.php b/lib/public/ISession.php index 2d234976862d2..36d855afbffac 100644 --- a/lib/public/ISession.php +++ b/lib/public/ISession.php @@ -93,10 +93,11 @@ public function close(); * Wrapper around session_regenerate_id * * @param bool $deleteOldSession Whether to delete the old associated session file or not. + * @param bool $updateToken Wheater to update the associated auth token * @return void - * @since 9.0.0 + * @since 9.0.0, $updateToken added in 14.0.0 */ - public function regenerateId($deleteOldSession = true); + public function regenerateId($deleteOldSession = true, $updateToken = false); /** * Wrapper around session_id