Merge pull request #46398 from nextcloud/fix/46165/token-race

blizzz · web-flow · commit 95af299cf58e · 2024-07-11T09:24:24.000+02:00
fix(Session): avoid race conditions on clustered setups
diff --git a/build/psalm-baseline.xml b/build/psalm-baseline.xml
@@ -2881,6 +2881,9 @@
       <code><![CDATA[$request->server]]></code>
       <code><![CDATA[$request->server]]></code>
     </NoInterfaceProperties>
+    <RedundantCondition>
+      <code><![CDATA[$this->manager instanceof PublicEmitter]]></code>
+    </RedundantCondition>
   </file>
   <file src="lib/private/User/User.php">
     <UndefinedInterfaceMethod>
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -171,7 +171,7 @@ public function getToken(string $tokenId): OCPIToken {
 	private function getTokenFromCache(string $tokenHash): ?PublicKeyToken {
 		$serializedToken = $this->cache->get($tokenHash);
 		if ($serializedToken === false) {
-			throw new InvalidTokenException('Token does not exist: ' . $tokenHash);
+			return null;
 		}
 
 		if ($serializedToken === null) {
diff --git a/lib/private/Server.php b/lib/private/Server.php
@@ -506,7 +506,7 @@ public function __construct($webRoot, \OC\Config $config) {
 				$c->get(ISecureRandom::class),
 				$c->get('LockdownManager'),
 				$c->get(LoggerInterface::class),
-				$c->get(IEventDispatcher::class)
+				$c->get(IEventDispatcher::class),
 			);
 			/** @deprecated 21.0.0 use BeforeUserCreatedEvent event with the IEventDispatcher instead */
 			$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -19,13 +19,15 @@
 use OC_User;
 use OC_Util;
 use OCA\DAV\Connector\Sabre\Auth;
+use OCP\AppFramework\Db\TTransactional;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\Exceptions\ExpiredTokenException;
 use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\EventDispatcher\GenericEvent;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Files\NotPermittedException;
 use OCP\IConfig;
+use OCP\IDBConnection;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUser;
@@ -62,53 +64,22 @@
  * @package OC\User
  */
 class Session implements IUserSession, Emitter {
-	/** @var Manager $manager */
-	private $manager;
-
-	/** @var ISession $session */
-	private $session;
-
-	/** @var ITimeFactory */
-	private $timeFactory;
-
-	/** @var IProvider */
-	private $tokenProvider;
-
-	/** @var IConfig */
-	private $config;
+	use TTransactional;
 
 	/** @var User $activeUser */
 	protected $activeUser;
 
-	/** @var ISecureRandom */
-	private $random;
-
-	/** @var ILockdownManager  */
-	private $lockdownManager;
-
-	private LoggerInterface $logger;
-	/** @var IEventDispatcher */
-	private $dispatcher;
-
-	public function __construct(Manager $manager,
-		ISession $session,
-		ITimeFactory $timeFactory,
-		?IProvider $tokenProvider,
-		IConfig $config,
-		ISecureRandom $random,
-		ILockdownManager $lockdownManager,
-		LoggerInterface $logger,
-		IEventDispatcher $dispatcher
+	public function __construct(
+		private Manager          $manager,
+		private ISession         $session,
+		private ITimeFactory     $timeFactory,
+		private ?IProvider       $tokenProvider,
+		private IConfig          $config,
+		private ISecureRandom    $random,
+		private ILockdownManager $lockdownManager,
+		private LoggerInterface  $logger,
+		private IEventDispatcher $dispatcher,
 	) {
-		$this->manager = $manager;
-		$this->session = $session;
-		$this->timeFactory = $timeFactory;
-		$this->tokenProvider = $tokenProvider;
-		$this->config = $config;
-		$this->random = $random;
-		$this->lockdownManager = $lockdownManager;
-		$this->logger = $logger;
-		$this->dispatcher = $dispatcher;
 	}
 
 	/**
@@ -674,8 +645,10 @@ public function createSessionToken(IRequest $request, $uid, $loginName, $passwor
 			$sessionId = $this->session->getId();
 			$pwd = $this->getPassword($password);
 			// Make sure the current sessionId has no leftover tokens
-			$this->tokenProvider->invalidateToken($sessionId);
-			$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
+			$this->atomic(function () use ($sessionId, $uid, $loginName, $pwd, $name, $remember) {
+				$this->tokenProvider->invalidateToken($sessionId);
+				$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
+			}, \OCP\Server::get(IDBConnection::class));
 			return true;
 		} catch (SessionNotAvailableException $ex) {
 			// This can happen with OCC, where a memory session is used

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,7 @@ public function getToken(string $tokenId): OCPIToken {`
`171`	`171`	`private function getTokenFromCache(string $tokenHash): ?PublicKeyToken {`
`172`	`172`	`$serializedToken = $this->cache->get($tokenHash);`
`173`	`173`	`if ($serializedToken === false) {`
`174`		`- throw new InvalidTokenException('Token does not exist: ' . $tokenHash);`
	`174`	`+ return null;`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`if ($serializedToken === null) {`