update session token password on user password change

b805908d · Christoph Wurst · 0e575c7e · b805908d · b805908d · b805908d
Unverified Commit b805908d authored Jun 21, 2016 by Christoph Wurst
--- a/lib/private/Authentication/Token/DefaultTokenProvider.php
+++ b/lib/private/Authentication/Token/DefaultTokenProvider.php
@@ -150,6 +150,23 @@ class DefaultTokenProvider implements IProvider {
 		return $this->decryptPassword($password, $tokenId);
 	}

+	/**
+	 * Encrypt and set the password of the given token
+	 *
+	 * @param IToken $token
+	 * @param string $tokenId
+	 * @param string $password
+	 * @throws InvalidTokenException
+	 */
+	public function setPassword(IToken $token, $tokenId, $password) {
+		if (!($token instanceof DefaultToken)) {
+			throw new InvalidTokenException();
+		}
+		/** @var DefaultToken $token */
+		$token->setPassword($this->encryptPassword($password, $tokenId));
+		$this->mapper->update($token);
+	}
+
 	/**
 	 * Invalidate (delete) the given session token
 	 *

--- a/lib/private/Authentication/Token/IProvider.php
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -99,4 +99,14 @@ interface IProvider {
 	 * @return string
 	 */
 	public function getPassword(IToken $token, $tokenId);
+
+	/**
+	 * Encrypt and set the password of the given token
+	 *
+	 * @param IToken $token
+	 * @param string $tokenId
+	 * @param string $password
+	 * @throws InvalidTokenException
+	 */
+	public function setPassword(IToken $token, $tokenId, $password);
 }
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -676,4 +676,21 @@ class Session implements IUserSession, Emitter {
 		setcookie('oc_remember_login', '', time() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
 	}

+	/**
+	 * Update password of the browser session token if there is one
+	 *
+	 * @param string $password
+	 */
+	public function updateSessionTokenPassword($password) {
+		try {
+			$sessionId = $this->session->getId();
+			$token = $this->tokenProvider->getToken($sessionId);
+			$this->tokenProvider->setPassword($token, $sessionId, $password);
+		} catch (SessionNotAvailableException $ex) {
+			// Nothing to do
+		} catch (InvalidTokenException $ex) {
+			// Nothing to do
+		}
+	}
+
 }
--- a/settings/ChangePassword/Controller.php
+++ b/settings/ChangePassword/Controller.php
@@ -46,6 +46,7 @@ class Controller {
 			exit();
 		}
 		if (!is_null($password) && \OC_User::setPassword($username, $password)) {
+			\OC::$server->getUserSession()->updateSessionTokenPassword($username, $password);
 			\OC_JSON::success();
 		} else {
 			\OC_JSON::error();

--- a/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
+++ b/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
@@ -175,6 +175,39 @@ class DefaultTokenProviderTest extends TestCase {
 		$tokenProvider->getPassword($tk, $token);
 	}

+	public function testSetPassword() {
+		$token = new DefaultToken();
+		$tokenId = 'token123';
+		$password = '123456';
+
+		$this->config->expects($this->once())
+			->method('getSystemValue')
+			->with('secret')
+			->will($this->returnValue('ocsecret'));
+		$this->crypto->expects($this->once())
+			->method('encrypt')
+			->with($password, $tokenId . 'ocsecret')
+			->will($this->returnValue('encryptedpassword'));
+		$this->mapper->expects($this->once())
+			->method('update')
+			->with($token);
+
+		$this->tokenProvider->setPassword($token, $tokenId, $password);
+
+		$this->assertEquals('encryptedpassword', $token->getPassword());
+	}
+
+	/**
+	 * @expectedException \OC\Authentication\Exceptions\InvalidTokenException
+	 */
+	public function testSetPasswordInvalidToken() {
+		$token = $this->getMock('\OC\Authentication\Token\IToken');
+		$tokenId = 'token123';
+		$password = '123456';
+
+		$this->tokenProvider->setPassword($token, $tokenId, $password);
+	}
+
 	public function testInvalidateToken() {
 		$this->mapper->expects($this->once())
 			->method('invalidate')

--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@@ -818,4 +818,69 @@ class SessionTest extends \Test\TestCase {
 		$this->invokePrivate($userSession, 'validateSession', [$user]);
 	}

+	public function testUpdateSessionTokenPassword() {
+		$userManager = $this->getMock('\OCP\IUserManager');
+		$session = $this->getMock('\OCP\ISession');
+		$timeFactory = $this->getMock('\OCP\AppFramework\Utility\ITimeFactory');
+		$tokenProvider = $this->getMock('\OC\Authentication\Token\IProvider');
+		$userSession = new \OC\User\Session($userManager, $session, $timeFactory, $tokenProvider, $this->config);
+
+		$password = '123456';
+		$sessionId ='session1234';
+		$token = new \OC\Authentication\Token\DefaultToken();
+
+		$session->expects($this->once())
+			->method('getId')
+			->will($this->returnValue($sessionId));
+		$tokenProvider->expects($this->once())
+			->method('getToken')
+			->with($sessionId)
+			->will($this->returnValue($token));
+		$tokenProvider->expects($this->once())
+			->method('setPassword')
+			->with($token, $sessionId, $password);
+
+		$userSession->updateSessionTokenPassword($password);
+	}
+
+	public function testUpdateSessionTokenPasswordNoSessionAvailable() {
+		$userManager = $this->getMock('\OCP\IUserManager');
+		$session = $this->getMock('\OCP\ISession');
+		$timeFactory = $this->getMock('\OCP\AppFramework\Utility\ITimeFactory');
+		$tokenProvider = $this->getMock('\OC\Authentication\Token\IProvider');
+		$userSession = new \OC\User\Session($userManager, $session, $timeFactory, $tokenProvider, $this->config);
+
+		$session->expects($this->once())
+			->method('getId')
+			->will($this->throwException(new \OCP\Session\Exceptions\SessionNotAvailableException()));
+
+		$userSession->updateSessionTokenPassword('1234');
+	}
+
+	public function testUpdateSessionTokenPasswordInvalidTokenException() {
+		$userManager = $this->getMock('\OCP\IUserManager');
+		$session = $this->getMock('\OCP\ISession');
+		$timeFactory = $this->getMock('\OCP\AppFramework\Utility\ITimeFactory');
+		$tokenProvider = $this->getMock('\OC\Authentication\Token\IProvider');
+		$userSession = new \OC\User\Session($userManager, $session, $timeFactory, $tokenProvider, $this->config);
+
+		$password = '123456';
+		$sessionId ='session1234';
+		$token = new \OC\Authentication\Token\DefaultToken();
+
+		$session->expects($this->once())
+			->method('getId')
+			->will($this->returnValue($sessionId));
+		$tokenProvider->expects($this->once())
+			->method('getToken')
+			->with($sessionId)
+			->will($this->returnValue($token));
+		$tokenProvider->expects($this->once())
+			->method('setPassword')
+			->with($token, $sessionId, $password)
+			->will($this->throwException(new \OC\Authentication\Exceptions\InvalidTokenException()));
+
+		$userSession->updateSessionTokenPassword($password);
+	}
+
 }