Unverified Commit db346716 authored by Christoph Wurst's avatar Christoph Wurst
Browse files

check login name when authenticating with client token

parent 04e3da0c
......@@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter {
*/
public function login($uid, $password) {
$this->session->regenerateId();
if ($this->validateToken($password)) {
if ($this->validateToken($password, $uid)) {
// When logging in with token, the password must be decrypted first before passing to login hook
try {
$token = $this->tokenProvider->getToken($password);
......@@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter {
* Invalidates the token if checks fail
*
* @param string $token
* @param string $user login name
* @return boolean
*/
private function validateToken($token) {
private function validateToken($token, $user = null) {
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $ex) {
return false;
}
// Check if login names match
if (!is_null($user) && $dbToken->getLoginName() !== $user) {
// TODO: this makes it imposssible to use different login names on browser and client
// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
// allow to use the client token with the login name 'user'.
return false;
}
if (!$this->checkTokenCredentials($dbToken, $token)) {
return false;
}
......
......@@ -314,6 +314,36 @@ class SessionTest extends \Test\TestCase {
$userSession->login('foo', 'bar');
}
/**
* When using a device token, the loginname must match the one that was used
* when generating the token on the browser.
*/
public function testLoginWithDifferentTokenLoginName() {
$session = $this->getMock('\OC\Session\Memory', array(), array(''));
$manager = $this->getMock('\OC\User\Manager');
$backend = $this->getMock('\Test\Util\User\Dummy');
$userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config);
$username = 'user123';
$token = new \OC\Authentication\Token\DefaultToken();
$token->setLoginName($username);
$session->expects($this->never())
->method('set');
$session->expects($this->once())
->method('regenerateId');
$this->tokenProvider->expects($this->once())
->method('getToken')
->with('bar')
->will($this->returnValue($token));
$manager->expects($this->once())
->method('checkPassword')
->with('foo', 'bar')
->will($this->returnValue(false));
$userSession->login('foo', 'bar');
}
/**
* @expectedException \OC\Authentication\Exceptions\PasswordLoginForbiddenException
*/
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment