0
0
mirror of https://github.com/nextcloud/server.git synced 2024-11-14 12:26:49 +00:00
nextcloud_server/lib/private/User/Session.php
dependabot[bot] bb598c8451
chore(deps): Bump nextcloud/coding-standard in /vendor-bin/cs-fixer
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/nextcloud/coding-standard/releases)
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nextcloud/coding-standard/compare/v1.3.1...v1.3.2)

---
updated-dependencies:
- dependency-name: nextcloud/coding-standard
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-10-19 07:57:35 +02:00

1050 lines
29 KiB
PHP

<?php
/**
* SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
* SPDX-License-Identifier: AGPL-3.0-only
*/
namespace OC\User;
use OC;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
use OC\Authentication\Token\IProvider;
use OC\Authentication\Token\IToken;
use OC\Authentication\Token\PublicKeyToken;
use OC\Authentication\TwoFactorAuth\Manager as TwoFactorAuthManager;
use OC\Hooks\Emitter;
use OC\Hooks\PublicEmitter;
use OC\Security\CSRF\CsrfTokenManager;
use OC_User;
use OC_Util;
use OCA\DAV\Connector\Sabre\Auth;
use OCP\AppFramework\Db\TTransactional;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Authentication\Exceptions\ExpiredTokenException;
use OCP\Authentication\Exceptions\InvalidTokenException;
use OCP\EventDispatcher\GenericEvent;
use OCP\EventDispatcher\IEventDispatcher;
use OCP\Files\NotPermittedException;
use OCP\IConfig;
use OCP\IDBConnection;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUser;
use OCP\IUserSession;
use OCP\Lockdown\ILockdownManager;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\ISecureRandom;
use OCP\Session\Exceptions\SessionNotAvailableException;
use OCP\User\Events\PostLoginEvent;
use OCP\User\Events\UserFirstTimeLoggedInEvent;
use OCP\Util;
use Psr\Log\LoggerInterface;
/**
* Class Session
*
* Hooks available in scope \OC\User:
* - preSetPassword(\OC\User\User $user, string $password, string $recoverPassword)
* - postSetPassword(\OC\User\User $user, string $password, string $recoverPassword)
* - preDelete(\OC\User\User $user)
* - postDelete(\OC\User\User $user)
* - preCreateUser(string $uid, string $password)
* - postCreateUser(\OC\User\User $user)
* - assignedUserId(string $uid)
* - preUnassignedUserId(string $uid)
* - postUnassignedUserId(string $uid)
* - preLogin(string $user, string $password)
* - postLogin(\OC\User\User $user, string $loginName, string $password, boolean $isTokenLogin)
* - preRememberedLogin(string $uid)
* - postRememberedLogin(\OC\User\User $user)
* - logout()
* - postLogout()
*
* @package OC\User
*/
class Session implements IUserSession, Emitter {
use TTransactional;
/** @var User $activeUser */
protected $activeUser;
public function __construct(
private Manager $manager,
private ISession $session,
private ITimeFactory $timeFactory,
private ?IProvider $tokenProvider,
private IConfig $config,
private ISecureRandom $random,
private ILockdownManager $lockdownManager,
private LoggerInterface $logger,
private IEventDispatcher $dispatcher,
) {
}
/**
* @param IProvider $provider
*/
public function setTokenProvider(IProvider $provider) {
$this->tokenProvider = $provider;
}
/**
* @param string $scope
* @param string $method
* @param callable $callback
*/
public function listen($scope, $method, callable $callback) {
$this->manager->listen($scope, $method, $callback);
}
/**
* @param string $scope optional
* @param string $method optional
* @param callable $callback optional
*/
public function removeListener($scope = null, $method = null, ?callable $callback = null) {
$this->manager->removeListener($scope, $method, $callback);
}
/**
* get the manager object
*
* @return Manager|PublicEmitter
*/
public function getManager() {
return $this->manager;
}
/**
* get the session object
*
* @return ISession
*/
public function getSession() {
return $this->session;
}
/**
* set the session object
*
* @param ISession $session
*/
public function setSession(ISession $session) {
if ($this->session instanceof ISession) {
$this->session->close();
}
$this->session = $session;
$this->activeUser = null;
}
/**
* set the currently active user
*
* @param IUser|null $user
*/
public function setUser($user) {
if (is_null($user)) {
$this->session->remove('user_id');
} else {
$this->session->set('user_id', $user->getUID());
}
$this->activeUser = $user;
}
/**
* Temporarily set the currently active user without persisting in the session
*
* @param IUser|null $user
*/
public function setVolatileActiveUser(?IUser $user): void {
$this->activeUser = $user;
}
/**
* get the current active user
*
* @return IUser|null Current user, otherwise null
*/
public function getUser() {
// FIXME: This is a quick'n dirty work-around for the incognito mode as
// described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
if (OC_User::isIncognitoMode()) {
return null;
}
if (is_null($this->activeUser)) {
$uid = $this->session->get('user_id');
if (is_null($uid)) {
return null;
}
$this->activeUser = $this->manager->get($uid);
if (is_null($this->activeUser)) {
return null;
}
$this->validateSession();
}
return $this->activeUser;
}
/**
* Validate whether the current session is valid
*
* - For token-authenticated clients, the token validity is checked
* - For browsers, the session token validity is checked
*/
protected function validateSession() {
$token = null;
$appPassword = $this->session->get('app_password');
if (is_null($appPassword)) {
try {
$token = $this->session->getId();
} catch (SessionNotAvailableException $ex) {
return;
}
} else {
$token = $appPassword;
}
if (!$this->validateToken($token)) {
// Session was invalidated
$this->logout();
}
}
/**
* Checks whether the user is logged in
*
* @return bool if logged in
*/
public function isLoggedIn() {
$user = $this->getUser();
if (is_null($user)) {
return false;
}
return $user->isEnabled();
}
/**
* set the login name
*
* @param string|null $loginName for the logged in user
*/
public function setLoginName($loginName) {
if (is_null($loginName)) {
$this->session->remove('loginname');
} else {
$this->session->set('loginname', $loginName);
}
}
/**
* Get the login name of the current user
*
* @return ?string
*/
public function getLoginName() {
if ($this->activeUser) {
return $this->session->get('loginname');
}
$uid = $this->session->get('user_id');
if ($uid) {
$this->activeUser = $this->manager->get($uid);
return $this->session->get('loginname');
}
return null;
}
/**
* @return null|string
*/
public function getImpersonatingUserID(): ?string {
return $this->session->get('oldUserId');
}
public function setImpersonatingUserID(bool $useCurrentUser = true): void {
if ($useCurrentUser === false) {
$this->session->remove('oldUserId');
return;
}
$currentUser = $this->getUser();
if ($currentUser === null) {
throw new \OC\User\NoUserException();
}
$this->session->set('oldUserId', $currentUser->getUID());
}
/**
* set the token id
*
* @param int|null $token that was used to log in
*/
protected function setToken($token) {
if ($token === null) {
$this->session->remove('token-id');
} else {
$this->session->set('token-id', $token);
}
}
/**
* try to log in with the provided credentials
*
* @param string $uid
* @param string $password
* @return boolean|null
* @throws LoginException
*/
public function login($uid, $password) {
$this->session->regenerateId();
if ($this->validateToken($password, $uid)) {
return $this->loginWithToken($password);
}
return $this->loginWithPassword($uid, $password);
}
/**
* @param IUser $user
* @param array $loginDetails
* @param bool $regenerateSessionId
* @return true returns true if login successful or an exception otherwise
* @throws LoginException
*/
public function completeLogin(IUser $user, array $loginDetails, $regenerateSessionId = true) {
if (!$user->isEnabled()) {
// disabled users can not log in
// injecting l10n does not work - there is a circular dependency between session and \OCP\L10N\IFactory
$message = \OCP\Util::getL10N('lib')->t('Account disabled');
throw new LoginException($message);
}
if ($regenerateSessionId) {
$this->session->regenerateId();
$this->session->remove(Auth::DAV_AUTHENTICATED);
}
$this->setUser($user);
$this->setLoginName($loginDetails['loginName']);
$isToken = isset($loginDetails['token']) && $loginDetails['token'] instanceof IToken;
if ($isToken) {
$this->setToken($loginDetails['token']->getId());
$this->lockdownManager->setToken($loginDetails['token']);
$user->updateLastLoginTimestamp();
$firstTimeLogin = false;
} else {
$this->setToken(null);
$firstTimeLogin = $user->updateLastLoginTimestamp();
}
$this->dispatcher->dispatchTyped(new PostLoginEvent(
$user,
$loginDetails['loginName'],
$loginDetails['password'],
$isToken
));
$this->manager->emit('\OC\User', 'postLogin', [
$user,
$loginDetails['loginName'],
$loginDetails['password'],
$isToken,
]);
if ($this->isLoggedIn()) {
$this->prepareUserLogin($firstTimeLogin, $regenerateSessionId);
return true;
}
$message = \OCP\Util::getL10N('lib')->t('Login canceled by app');
throw new LoginException($message);
}
/**
* Tries to log in a client
*
* Checks token auth enforced
* Checks 2FA enabled
*
* @param string $user
* @param string $password
* @param IRequest $request
* @param IThrottler $throttler
* @throws LoginException
* @throws PasswordLoginForbiddenException
* @return boolean
*/
public function logClientIn($user,
$password,
IRequest $request,
IThrottler $throttler) {
$remoteAddress = $request->getRemoteAddress();
$currentDelay = $throttler->sleepDelayOrThrowOnMax($remoteAddress, 'login');
if ($this->manager instanceof PublicEmitter) {
$this->manager->emit('\OC\User', 'preLogin', [$user, $password]);
}
try {
$isTokenPassword = $this->isTokenPassword($password);
} catch (ExpiredTokenException $e) {
// Just return on an expired token no need to check further or record a failed login
return false;
}
if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
throw new PasswordLoginForbiddenException();
}
if (!$isTokenPassword && $this->isTwoFactorEnforced($user)) {
throw new PasswordLoginForbiddenException();
}
// Try to login with this username and password
if (!$this->login($user, $password)) {
// Failed, maybe the user used their email address
if (!filter_var($user, FILTER_VALIDATE_EMAIL)) {
$this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password);
return false;
}
if ($isTokenPassword) {
$dbToken = $this->tokenProvider->getToken($password);
$userFromToken = $this->manager->get($dbToken->getUID());
$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
} else {
$users = $this->manager->getByEmail($user);
$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
}
if (!$isValidEmailLogin) {
$this->handleLoginFailed($throttler, $currentDelay, $remoteAddress, $user, $password);
return false;
}
}
if ($isTokenPassword) {
$this->session->set('app_password', $password);
} elseif ($this->supportsCookies($request)) {
// Password login, but cookies supported -> create (browser) session token
$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
}
return true;
}
private function handleLoginFailed(IThrottler $throttler, int $currentDelay, string $remoteAddress, string $user, ?string $password) {
$this->logger->warning("Login failed: '" . $user . "' (Remote IP: '" . $remoteAddress . "')", ['app' => 'core']);
$throttler->registerAttempt('login', $remoteAddress, ['user' => $user]);
$this->dispatcher->dispatchTyped(new OC\Authentication\Events\LoginFailed($user, $password));
if ($currentDelay === 0) {
$throttler->sleepDelayOrThrowOnMax($remoteAddress, 'login');
}
}
protected function supportsCookies(IRequest $request) {
if (!is_null($request->getCookie('cookie_test'))) {
return true;
}
setcookie('cookie_test', 'test', $this->timeFactory->getTime() + 3600);
return false;
}
private function isTokenAuthEnforced(): bool {
return $this->config->getSystemValueBool('token_auth_enforced', false);
}
protected function isTwoFactorEnforced($username) {
Util::emitHook(
'\OCA\Files_Sharing\API\Server2Server',
'preLoginNameUsedAsUserName',
['uid' => &$username]
);
$user = $this->manager->get($username);
if (is_null($user)) {
$users = $this->manager->getByEmail($username);
if (empty($users)) {
return false;
}
if (count($users) !== 1) {
return true;
}
$user = $users[0];
}
// DI not possible due to cyclic dependencies :'-/
return OC::$server->get(TwoFactorAuthManager::class)->isTwoFactorAuthenticated($user);
}
/**
* Check if the given 'password' is actually a device token
*
* @param string $password
* @return boolean
* @throws ExpiredTokenException
*/
public function isTokenPassword($password) {
try {
$this->tokenProvider->getToken($password);
return true;
} catch (ExpiredTokenException $e) {
throw $e;
} catch (InvalidTokenException $ex) {
$this->logger->debug('Token is not valid: ' . $ex->getMessage(), [
'exception' => $ex,
]);
return false;
}
}
protected function prepareUserLogin($firstTimeLogin, $refreshCsrfToken = true) {
if ($refreshCsrfToken) {
// TODO: mock/inject/use non-static
// Refresh the token
\OC::$server->get(CsrfTokenManager::class)->refreshToken();
}
if ($firstTimeLogin) {
//we need to pass the user name, which may differ from login name
$user = $this->getUser()->getUID();
OC_Util::setupFS($user);
// TODO: lock necessary?
//trigger creation of user home and /files folder
$userFolder = \OC::$server->getUserFolder($user);
try {
// copy skeleton
\OC_Util::copySkeleton($user, $userFolder);
} catch (NotPermittedException $ex) {
// read only uses
}
// trigger any other initialization
\OC::$server->get(IEventDispatcher::class)->dispatch(IUser::class . '::firstLogin', new GenericEvent($this->getUser()));
\OC::$server->get(IEventDispatcher::class)->dispatchTyped(new UserFirstTimeLoggedInEvent($this->getUser()));
}
}
/**
* Tries to login the user with HTTP Basic Authentication
*
* @todo do not allow basic auth if the user is 2FA enforced
* @param IRequest $request
* @param IThrottler $throttler
* @return boolean if the login was successful
*/
public function tryBasicAuthLogin(IRequest $request,
IThrottler $throttler) {
if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
try {
if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
/**
* Add DAV authenticated. This should in an ideal world not be
* necessary but the iOS App reads cookies from anywhere instead
* only the DAV endpoint.
* This makes sure that the cookies will be valid for the whole scope
* @see https://github.com/owncloud/core/issues/22893
*/
$this->session->set(
Auth::DAV_AUTHENTICATED, $this->getUser()->getUID()
);
// Set the last-password-confirm session to make the sudo mode work
$this->session->set('last-password-confirm', $this->timeFactory->getTime());
return true;
}
// If credentials were provided, they need to be valid, otherwise we do boom
throw new LoginException();
} catch (PasswordLoginForbiddenException $ex) {
// Nothing to do
}
}
return false;
}
/**
* Log an user in via login name and password
*
* @param string $uid
* @param string $password
* @return boolean
* @throws LoginException if an app canceld the login process or the user is not enabled
*/
private function loginWithPassword($uid, $password) {
$user = $this->manager->checkPasswordNoLogging($uid, $password);
if ($user === false) {
// Password check failed
return false;
}
return $this->completeLogin($user, ['loginName' => $uid, 'password' => $password], false);
}
/**
* Log an user in with a given token (id)
*
* @param string $token
* @return boolean
* @throws LoginException if an app canceled the login process or the user is not enabled
*/
private function loginWithToken($token) {
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $ex) {
return false;
}
$uid = $dbToken->getUID();
// When logging in with token, the password must be decrypted first before passing to login hook
$password = '';
try {
$password = $this->tokenProvider->getPassword($dbToken, $token);
} catch (PasswordlessTokenException $ex) {
// Ignore and use empty string instead
}
$this->manager->emit('\OC\User', 'preLogin', [$dbToken->getLoginName(), $password]);
$user = $this->manager->get($uid);
if (is_null($user)) {
// user does not exist
return false;
}
return $this->completeLogin(
$user,
[
'loginName' => $dbToken->getLoginName(),
'password' => $password,
'token' => $dbToken
],
false);
}
/**
* Create a new session token for the given user credentials
*
* @param IRequest $request
* @param string $uid user UID
* @param string $loginName login name
* @param string $password
* @param int $remember
* @return boolean
*/
public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {
if (is_null($this->manager->get($uid))) {
// User does not exist
return false;
}
$name = isset($request->server['HTTP_USER_AGENT']) ? mb_convert_encoding($request->server['HTTP_USER_AGENT'], 'UTF-8', 'ISO-8859-1') : 'unknown browser';
try {
$sessionId = $this->session->getId();
$pwd = $this->getPassword($password);
// Make sure the current sessionId has no leftover tokens
$this->atomic(function () use ($sessionId, $uid, $loginName, $pwd, $name, $remember) {
$this->tokenProvider->invalidateToken($sessionId);
$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
}, \OCP\Server::get(IDBConnection::class));
return true;
} catch (SessionNotAvailableException $ex) {
// This can happen with OCC, where a memory session is used
// if a memory session is used, we shouldn't create a session token anyway
return false;
}
}
/**
* Checks if the given password is a token.
* If yes, the password is extracted from the token.
* If no, the same password is returned.
*
* @param string $password either the login password or a device token
* @return string|null the password or null if none was set in the token
*/
private function getPassword($password) {
if (is_null($password)) {
// This is surely no token ;-)
return null;
}
try {
$token = $this->tokenProvider->getToken($password);
try {
return $this->tokenProvider->getPassword($token, $password);
} catch (PasswordlessTokenException $ex) {
return null;
}
} catch (InvalidTokenException $ex) {
return $password;
}
}
/**
* @param IToken $dbToken
* @param string $token
* @return boolean
*/
private function checkTokenCredentials(IToken $dbToken, $token) {
// Check whether login credentials are still valid and the user was not disabled
// This check is performed each 5 minutes
$lastCheck = $dbToken->getLastCheck() ? : 0;
$now = $this->timeFactory->getTime();
if ($lastCheck > ($now - 60 * 5)) {
// Checked performed recently, nothing to do now
return true;
}
try {
$pwd = $this->tokenProvider->getPassword($dbToken, $token);
} catch (InvalidTokenException $ex) {
// An invalid token password was used -> log user out
return false;
} catch (PasswordlessTokenException $ex) {
// Token has no password
if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
$this->tokenProvider->invalidateToken($token);
return false;
}
return true;
}
// Invalidate token if the user is no longer active
if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) {
$this->tokenProvider->invalidateToken($token);
return false;
}
// If the token password is no longer valid mark it as such
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
$this->tokenProvider->markPasswordInvalid($dbToken, $token);
// User is logged out
return false;
}
$dbToken->setLastCheck($now);
if ($dbToken instanceof PublicKeyToken) {
$dbToken->setLastActivity($now);
}
$this->tokenProvider->updateToken($dbToken);
return true;
}
/**
* Check if the given token exists and performs password/user-enabled checks
*
* Invalidates the token if checks fail
*
* @param string $token
* @param string $user login name
* @return boolean
*/
private function validateToken($token, $user = null) {
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $ex) {
$this->logger->debug('Session token is invalid because it does not exist', [
'app' => 'core',
'user' => $user,
'exception' => $ex,
]);
return false;
}
if (!is_null($user) && !$this->validateTokenLoginName($user, $dbToken)) {
return false;
}
if (!$this->checkTokenCredentials($dbToken, $token)) {
$this->logger->warning('Session token credentials are invalid', [
'app' => 'core',
'user' => $user,
]);
return false;
}
// Update token scope
$this->lockdownManager->setToken($dbToken);
$this->tokenProvider->updateTokenActivity($dbToken);
return true;
}
/**
* Check if login names match
*/
private function validateTokenLoginName(?string $loginName, IToken $token): bool {
if ($token->getLoginName() !== $loginName) {
// TODO: this makes it impossible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
$this->logger->error('App token login name does not match', [
'tokenLoginName' => $token->getLoginName(),
'sessionLoginName' => $loginName,
'app' => 'core',
'user' => $token->getUID(),
]);
return false;
}
return true;
}
/**
* Tries to login the user with auth token header
*
* @param IRequest $request
* @todo check remember me cookie
* @return boolean
*/
public function tryTokenLogin(IRequest $request) {
$authHeader = $request->getHeader('Authorization');
if (str_starts_with($authHeader, 'Bearer ')) {
$token = substr($authHeader, 7);
} elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
// No auth header, let's try session id, but only if this is an existing
// session and the request has a session cookie
try {
$token = $this->session->getId();
} catch (SessionNotAvailableException $ex) {
return false;
}
} else {
return false;
}
if (!$this->loginWithToken($token)) {
return false;
}
if (!$this->validateToken($token)) {
return false;
}
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $e) {
// Can't really happen but better save than sorry
return true;
}
// Remember me tokens are not app_passwords
if ($dbToken->getRemember() === IToken::DO_NOT_REMEMBER) {
// Set the session variable so we know this is an app password
$this->session->set('app_password', $token);
}
return true;
}
/**
* perform login using the magic cookie (remember login)
*
* @param string $uid the username
* @param string $currentToken
* @param string $oldSessionId
* @return bool
*/
public function loginWithCookie($uid, $currentToken, $oldSessionId) {
$this->session->regenerateId();
$this->manager->emit('\OC\User', 'preRememberedLogin', [$uid]);
$user = $this->manager->get($uid);
if (is_null($user)) {
// user does not exist
return false;
}
// get stored tokens
$tokens = $this->config->getUserKeys($uid, 'login_token');
// test cookies token against stored tokens
if (!in_array($currentToken, $tokens, true)) {
$this->logger->info('Tried to log in but could not verify token', [
'app' => 'core',
'user' => $uid,
]);
return false;
}
// replace successfully used token with a new one
$this->config->deleteUserValue($uid, 'login_token', $currentToken);
$newToken = $this->random->generate(32);
$this->config->setUserValue($uid, 'login_token', $newToken, (string)$this->timeFactory->getTime());
$this->logger->debug('Remember-me token replaced', [
'app' => 'core',
'user' => $uid,
]);
try {
$sessionId = $this->session->getId();
$token = $this->tokenProvider->renewSessionToken($oldSessionId, $sessionId);
$this->logger->debug('Session token replaced', [
'app' => 'core',
'user' => $uid,
]);
} catch (SessionNotAvailableException $ex) {
$this->logger->critical('Could not renew session token for {uid} because the session is unavailable', [
'app' => 'core',
'uid' => $uid,
'user' => $uid,
]);
return false;
} catch (InvalidTokenException $ex) {
$this->logger->error('Renewing session token failed: ' . $ex->getMessage(), [
'app' => 'core',
'user' => $uid,
'exception' => $ex,
]);
return false;
}
$this->setMagicInCookie($user->getUID(), $newToken);
//login
$this->setUser($user);
$this->setLoginName($token->getLoginName());
$this->setToken($token->getId());
$this->lockdownManager->setToken($token);
$user->updateLastLoginTimestamp();
$password = null;
try {
$password = $this->tokenProvider->getPassword($token, $sessionId);
} catch (PasswordlessTokenException $ex) {
// Ignore
}
$this->manager->emit('\OC\User', 'postRememberedLogin', [$user, $password]);
return true;
}
/**
* @param IUser $user
*/
public function createRememberMeToken(IUser $user) {
$token = $this->random->generate(32);
$this->config->setUserValue($user->getUID(), 'login_token', $token, (string)$this->timeFactory->getTime());
$this->setMagicInCookie($user->getUID(), $token);
}
/**
* logout the user from the session
*/
public function logout() {
$user = $this->getUser();
$this->manager->emit('\OC\User', 'logout', [$user]);
if ($user !== null) {
try {
$token = $this->session->getId();
$this->tokenProvider->invalidateToken($token);
$this->logger->debug('Session token invalidated before logout', [
'user' => $user->getUID(),
]);
} catch (SessionNotAvailableException $ex) {
}
}
$this->logger->debug('Logging out', [
'user' => $user === null ? null : $user->getUID(),
]);
$this->setUser(null);
$this->setLoginName(null);
$this->setToken(null);
$this->unsetMagicInCookie();
$this->session->clear();
$this->manager->emit('\OC\User', 'postLogout', [$user]);
}
/**
* Set cookie value to use in next page load
*
* @param string $username username to be set
* @param string $token
*/
public function setMagicInCookie($username, $token) {
$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
$webRoot = \OC::$WEBROOT;
if ($webRoot === '') {
$webRoot = '/';
}
$maxAge = $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
\OC\Http\CookieHelper::setCookie(
'nc_username',
$username,
$maxAge,
$webRoot,
'',
$secureCookie,
true,
\OC\Http\CookieHelper::SAMESITE_LAX
);
\OC\Http\CookieHelper::setCookie(
'nc_token',
$token,
$maxAge,
$webRoot,
'',
$secureCookie,
true,
\OC\Http\CookieHelper::SAMESITE_LAX
);
try {
\OC\Http\CookieHelper::setCookie(
'nc_session_id',
$this->session->getId(),
$maxAge,
$webRoot,
'',
$secureCookie,
true,
\OC\Http\CookieHelper::SAMESITE_LAX
);
} catch (SessionNotAvailableException $ex) {
// ignore
}
}
/**
* Remove cookie for "remember username"
*/
public function unsetMagicInCookie() {
//TODO: DI for cookies and IRequest
$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
unset($_COOKIE['nc_username']); //TODO: DI
unset($_COOKIE['nc_token']);
unset($_COOKIE['nc_session_id']);
setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
// old cookies might be stored under /webroot/ instead of /webroot
// and Firefox doesn't like it!
setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
}
/**
* Update password of the browser session token if there is one
*
* @param string $password
*/
public function updateSessionTokenPassword($password) {
try {
$sessionId = $this->session->getId();
$token = $this->tokenProvider->getToken($sessionId);
$this->tokenProvider->setPassword($token, $sessionId, $password);
} catch (SessionNotAvailableException $ex) {
// Nothing to do
} catch (InvalidTokenException $ex) {
// Nothing to do
}
}
public function updateTokens(string $uid, string $password) {
$this->tokenProvider->updatePasswords($uid, $password);
}
}