Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apptoken v3: imrpove token handling on external password change #11390

Merged
merged 4 commits into from
Oct 2, 2018
Merged

Apptoken v3: imrpove token handling on external password change #11390

merged 4 commits into from
Oct 2, 2018

Conversation

rullzer
Copy link
Member

@rullzer rullzer commented Sep 26, 2018
edited
Loading

Fixes #11043

Easiest to review per commit

  1. Add the new column
  2. Mark the token as invalid if needed
  3. Update the tokens on web login

Todo:

  • Testing
  • Tests

@rullzer rullzer added this to the Nextcloud 15 milestone Sep 26, 2018
ChristophWurst
ChristophWurst reviewed Sep 26, 2018
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good so far! 🚀

lib/private/Authentication/Token/DefaultTokenProvider.php
@@ -338,4 +338,10 @@ private function decryptPassword(string $password, string $token): string {
}
}

public function markPasswordInvalid(IToken $token, string $tokenId) {
//No need to mark as invalid. We just invalide default tokens
$this->invalidateToken($tokenId);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't check the concrete class here …

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I should be consitent yes. However I do check it in the PublicKeyTokenProvider since we use a function that is only available on this function always works. Anyway let me be consistent ;)

lib/private/Authentication/Token/PublicKeyTokenProvider.php Outdated

$token->setPasswordInvalid(true);
$this->mapper->update($token);
return $token;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return value is neither in the interface nor does the manager pass it on

lib/private/User/Session.php Outdated
@@ -694,12 +694,18 @@ private function checkTokenCredentials(IToken $dbToken, $token) {
return true;
}

if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false
|| (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) {
// Invalidate tken if the user is no longer active
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: "tken" -> "token"

lib/private/User/Session.php
@@ -922,5 +922,9 @@ public function updateSessionTokenPassword($password) {
}
}

public function updateTokens(string $uid, string $password) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At some point we should discuss a refactoring of this user session class. This will soon be unmaintainable due to its complexity 🙈

@ChristophWurst ChristophWurst mentioned this pull request Sep 26, 2018
Closed
@rullzer rullzer force-pushed the feature/11043/apptoken_v3 branch from ab9c5ec to 0c7d5ee Compare September 26, 2018 18:19
@rullzer
Copy link
Member Author

rullzer commented Sep 28, 2018

@blizzz could you give this a test with LDAP?

  1. Create a user
  2. Login
  3. Create an app password
  4. see the the apppassword works curl -u <USER>:<APPPASS> <server>/remote.php/dav -X PROPFIND
  5. Change the password in LDAP
  6. see that the apppassword fails (might need a timeout of 5min to kick in)
  7. Relogin on the web
  8. See that the apppassword works again.

@blizzz
Copy link
Member

blizzz commented Sep 28, 2018

@blizzz could you give this a test with LDAP?

Will do today.

@blizzz
Copy link
Member

blizzz commented Sep 28, 2018

@rullzer tested, workz!

@rullzer rullzer force-pushed the feature/11043/apptoken_v3 branch from 000dae4 to 6477843 Compare October 2, 2018 14:41
@rullzer rullzer added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Oct 2, 2018
@rullzer rullzer requested a review from MorrisJobke October 2, 2018 17:00
@rullzer
Copy link
Member Author

rullzer commented Oct 2, 2018

Ready for review :)

ChristophWurst
ChristophWurst approved these changes Oct 2, 2018
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

lib/private/Authentication/Token/PublicKeyTokenMapper.php Outdated
$qb->select('*')
->from('authtoken')
->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
->andWhere($qb->expr()->eq('password_invalid', $qb->createNamedParameter(true)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

better specify the type (bool) here

rullzer added 4 commits October 2, 2018 19:50
@rullzer
Add column to DB to store expired passwords
efef053 
Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer
Mark token as invalid if the password doesn't match
00e99af 
Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer
Update all the publickey tokens if needed on web login
d9febae 
* On weblogin check if we have invalid public key tokens
* If so update them all with the new token

This ensures that your marked as invalid tokens work again if you once
login on the web.

Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer
Add tests
19f84f7 
Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer rullzer force-pushed the feature/11043/apptoken_v3 branch from 6477843 to 19f84f7 Compare October 2, 2018 17:51
MorrisJobke
MorrisJobke approved these changes Oct 2, 2018
View reviewed changes
Copy link
Member

@MorrisJobke MorrisJobke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and works 👍

@MorrisJobke MorrisJobke added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Oct 2, 2018
@MorrisJobke MorrisJobke merged commit 6b730b4 into master Oct 2, 2018
@MorrisJobke MorrisJobke deleted the feature/11043/apptoken_v3 branch October 2, 2018 19:45
This was referenced Oct 2, 2018
Closed
Open
@MorrisJobke MorrisJobke mentioned this pull request Nov 27, 2018
Merged
@ChristophWurst ChristophWurst mentioned this pull request Jan 27, 2020
Open
@tuxcrafter tuxcrafter mentioned this pull request Mar 7, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MorrisJobke MorrisJobke MorrisJobke approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@blizzz blizzz Awaiting requested review from blizzz

Assignees
No one assigned
Labels
4. to release Ready to be released and/or waiting for tests to finish enhancement feature: authentication
Projects
None yet
Milestone
Nextcloud 15
Development

Successfully merging this pull request may close these issues.
4 participants
@rullzer @blizzz @MorrisJobke @ChristophWurst