From f15263ae8975de7ca11eab3e3193a79d07551e38 Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Tue, 7 May 2024 19:30:11 +0200 Subject: [PATCH] feat(auth): Clean-up unused auth tokens and wipe tokens Signed-off-by: Christoph Wurst --- .../Token/PublicKeyTokenMapper.php | 17 ++++++++++------- .../Token/PublicKeyTokenProvider.php | 13 +++++++++++-- .../Token/PublicKeyTokenProviderTest.php | 15 ++++++++++----- 3 files changed, 31 insertions(+), 14 deletions(-) diff --git a/lib/private/Authentication/Token/PublicKeyTokenMapper.php b/lib/private/Authentication/Token/PublicKeyTokenMapper.php index 8f3f54075ae71..2a86bbc1320ae 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenMapper.php +++ b/lib/private/Authentication/Token/PublicKeyTokenMapper.php @@ -55,17 +55,20 @@ public function invalidate(string $token) { /** * @param int $olderThan - * @param int $remember + * @param int $type + * @param int|null $remember */ - public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) { + public function invalidateOld(int $olderThan, int $type = IToken::TEMPORARY_TOKEN, int $remember = null) { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); - $qb->delete($this->tableName) + $delete = $qb->delete($this->tableName) ->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) - ->execute(); + ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter($type, IQueryBuilder::PARAM_INT))) + ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); + if ($remember !== null) { + $delete->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))); + } + $delete->executeStatement(); } public function invalidateLastUsedBefore(string $uid, int $before): int { diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index 3a15ba006d461..dbba2117b49e0 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -294,10 +294,19 @@ public function invalidateTokenById(string $uid, int $id) { public function invalidateOldTokens() { $olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24); $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']); - $this->mapper->invalidateOld($olderThan, OCPIToken::DO_NOT_REMEMBER); + $this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER); + $rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']); - $this->mapper->invalidateOld($rememberThreshold, OCPIToken::REMEMBER); + $this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER); + + $wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60); + $this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']); + $this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN); + + $authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365); + $this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']); + $this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN); } public function invalidateLastUsedBefore(string $uid, int $before): void { diff --git a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php index 99d058f22a6e5..965fd774224a7 100644 --- a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php +++ b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php @@ -347,20 +347,25 @@ public function testInvalidateTokenById() { $this->tokenProvider->invalidateTokenById('uid', $id); } - public function testInvalidateOldTokens() { + public function testInvalidateOldTokens(): void { $defaultSessionLifetime = 60 * 60 * 24; $defaultRememberMeLifetime = 60 * 60 * 24 * 15; - $this->config->expects($this->exactly(2)) + $wipeTokenLifetime = 60 * 60 * 24 * 60; + $this->config->expects($this->exactly(4)) ->method('getSystemValueInt') ->willReturnMap([ ['session_lifetime', $defaultSessionLifetime, 150], ['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300], + ['token_auth_wipe_token_retention', $wipeTokenLifetime, 500], + ['token_auth_token_retention', 60 * 60 * 24 * 365, 800], ]); - $this->mapper->expects($this->exactly(2)) + $this->mapper->expects($this->exactly(4)) ->method('invalidateOld') ->withConsecutive( - [$this->time - 150], - [$this->time - 300] + [$this->time - 150, IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER], + [$this->time - 300, IToken::TEMPORARY_TOKEN, IToken::REMEMBER], + [$this->time - 500, IToken::TEMPORARY_TOKEN, null], + [$this->time - 800, IToken::TEMPORARY_TOKEN, null], ); $this->tokenProvider->invalidateOldTokens();