From 79dcb5ae76959645ad3b944a1e69f7dae1a472b9 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Fri, 19 Jul 2024 15:53:46 +0200 Subject: [PATCH] fix(Token): take over scope in token refresh with login by cookie Signed-off-by: Arthur Schiwon --- lib/private/Authentication/Token/IProvider.php | 4 +++- lib/private/Authentication/Token/Manager.php | 7 +++++-- .../Token/PublicKeyTokenProvider.php | 14 +++++++++++--- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php index fcec8cecac1ba..f11977a9b8d71 100644 --- a/lib/private/Authentication/Token/IProvider.php +++ b/lib/private/Authentication/Token/IProvider.php @@ -55,7 +55,9 @@ public function generateToken(string $token, ?string $password, string $name, int $type = OCPIToken::TEMPORARY_TOKEN, - int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken; + int $remember = OCPIToken::DO_NOT_REMEMBER, + ?array $scope = null, + ): OCPIToken; /** * Get a token by token id diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php index e0b0e2dd14b61..bc28f0cde2862 100644 --- a/lib/private/Authentication/Token/Manager.php +++ b/lib/private/Authentication/Token/Manager.php @@ -62,7 +62,9 @@ public function generateToken(string $token, $password, string $name, int $type = OCPIToken::TEMPORARY_TOKEN, - int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken { + int $remember = OCPIToken::DO_NOT_REMEMBER, + ?array $scope = null, + ): OCPIToken { if (mb_strlen($name) > 128) { $name = mb_substr($name, 0, 120) . '…'; } @@ -75,7 +77,8 @@ public function generateToken(string $token, $password, $name, $type, - $remember + $remember, + $scope, ); } catch (UniqueConstraintViolationException $e) { // It's rare, but if two requests of the same session (e.g. env-based SAML) diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index 2f3a1236d44a8..afdd450a64f07 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -107,7 +107,9 @@ public function generateToken(string $token, ?string $password, string $name, int $type = OCPIToken::TEMPORARY_TOKEN, - int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken { + int $remember = OCPIToken::DO_NOT_REMEMBER, + ?array $scope = null, + ): OCPIToken { if (strlen($token) < self::TOKEN_MIN_LENGTH) { $exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given'); $this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]); @@ -129,6 +131,10 @@ public function generateToken(string $token, $dbToken->setPasswordHash($randomOldToken->getPasswordHash()); } + if ($scope !== null) { + $dbToken->setScope($scope); + } + $this->mapper->insert($dbToken); if (!$oldTokenMatches && $password !== null) { @@ -256,6 +262,8 @@ public function renewSessionToken(string $oldSessionId, string $sessionId): OCPI $privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId); $password = $this->decryptPassword($token->getPassword(), $privateKey); } + + $scope = $token->getScope() === '' ? null : $token->getScopeAsArray(); $newToken = $this->generateToken( $sessionId, $token->getUID(), @@ -263,9 +271,9 @@ public function renewSessionToken(string $oldSessionId, string $sessionId): OCPI $password, $token->getName(), OCPIToken::TEMPORARY_TOKEN, - $token->getRemember() + $token->getRemember(), + $scope, ); - $newToken->setScope($token->getScopeAsArray()); $this->cacheToken($newToken); $this->cacheInvalidHash($token->getToken());