Merge pull request #42640 from nextcloud/fix/fix-authentication-exceptions-2

come-nc · web-flow · commit f78973292277 · 2024-01-11T18:51:43.000+01:00
Always catch OCP versions of authentication exceptions
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -28,8 +28,6 @@
  */
 namespace OCA\OAuth2\Controller;
 
-use OC\Authentication\Exceptions\ExpiredTokenException;
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\IProvider as TokenProvider;
 use OCA\OAuth2\Db\AccessTokenMapper;
 use OCA\OAuth2\Db\ClientMapper;
@@ -39,6 +37,8 @@
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Authentication\Exceptions\ExpiredTokenException;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\DB\Exception;
 use OCP\IRequest;
 use OCP\Security\Bruteforce\IThrottler;
diff --git a/apps/oauth2/lib/Migration/SetTokenExpiration.php b/apps/oauth2/lib/Migration/SetTokenExpiration.php
@@ -26,10 +26,10 @@
  */
 namespace OCA\OAuth2\Migration;
 
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\IProvider as TokenProvider;
 use OCA\OAuth2\Db\AccessToken;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\IDBConnection;
 use OCP\Migration\IOutput;
 use OCP\Migration\IRepairStep;
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -32,19 +32,20 @@
 namespace OCA\Settings\Controller;
 
 use BadMethodCallException;
-use OC\Authentication\Exceptions\ExpiredTokenException;
-use OC\Authentication\Exceptions\InvalidTokenException;
+use OC\Authentication\Exceptions\InvalidTokenException as OcInvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
-use OC\Authentication\Exceptions\WipeTokenException;
 use OC\Authentication\Token\INamedToken;
 use OC\Authentication\Token\IProvider;
-use OC\Authentication\Token\IToken;
 use OC\Authentication\Token\RemoteWipe;
 use OCA\Settings\Activity\Provider;
 use OCP\Activity\IManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
+use OCP\Authentication\Exceptions\ExpiredTokenException;
+use OCP\Authentication\Exceptions\InvalidTokenException;
+use OCP\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Token\IToken;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserSession;
@@ -292,7 +293,8 @@ private function findTokenByIdAndUser(int $id): IToken {
 			$token = $e->getToken();
 		}
 		if ($token->getUID() !== $this->uid) {
-			throw new InvalidTokenException('This token does not belong to you!');
+			/** @psalm-suppress DeprecatedClass We have to throw the OC version so both OC and OCP catches catch it */
+			throw new OcInvalidTokenException('This token does not belong to you!');
 		}
 		return $token;
 	}
@@ -305,7 +307,7 @@ private function findTokenByIdAndUser(int $id): IToken {
 	 * @param int $id
 	 * @return JSONResponse
 	 * @throws InvalidTokenException
-	 * @throws \OC\Authentication\Exceptions\ExpiredTokenException
+	 * @throws ExpiredTokenException
 	 */
 	public function wipe(int $id): JSONResponse {
 		if ($this->checkAppToken()) {
diff --git a/apps/settings/lib/Settings/Personal/Security/Authtokens.php b/apps/settings/lib/Settings/Personal/Security/Authtokens.php
@@ -25,12 +25,12 @@
  */
 namespace OCA\Settings\Settings\Personal\Security;
 
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\INamedToken;
 use OC\Authentication\Token\IProvider as IAuthTokenProvider;
 use OC\Authentication\Token\IToken;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Session\Exceptions\SessionNotAvailableException;
diff --git a/core/Controller/AppPasswordController.php b/core/Controller/AppPasswordController.php
@@ -29,13 +29,13 @@
 namespace OC\Core\Controller;
 
 use OC\Authentication\Events\AppPasswordCreatedEvent;
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\Authentication\Exceptions\CredentialsUnavailableException;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\Authentication\Exceptions\PasswordUnavailableException;
 use OCP\Authentication\LoginCredentials\IStore;
 use OCP\EventDispatcher\IEventDispatcher;
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
@@ -33,7 +33,6 @@
 namespace OC\Core\Controller;
 
 use OC\Authentication\Events\AppPasswordCreatedEvent;
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
@@ -47,6 +46,7 @@
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\StandaloneTemplateResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\Defaults;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IL10N;
diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php
@@ -27,7 +27,6 @@
  */
 namespace OC\Core\Controller;
 
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Core\Db\LoginFlowV2;
 use OC\Core\Exception\LoginFlowV2NotFoundException;
 use OC\Core\Service\LoginFlowV2Service;
@@ -40,6 +39,7 @@
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\StandaloneTemplateResponse;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\Defaults;
 use OCP\IL10N;
 use OCP\IRequest;
diff --git a/core/Controller/WipeController.php b/core/Controller/WipeController.php
@@ -26,11 +26,11 @@
  */
 namespace OC\Core\Controller;
 
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\RemoteWipe;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\IRequest;
 
 class WipeController extends Controller {
diff --git a/core/Service/LoginFlowV2Service.php b/core/Service/LoginFlowV2Service.php
@@ -26,7 +26,6 @@
  */
 namespace OC\Core\Service;
 
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
@@ -37,6 +36,7 @@
 use OC\Core\Exception\LoginFlowV2NotFoundException;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\IConfig;
 use OCP\Security\ICrypto;
 use OCP\Security\ISecureRandom;
diff --git a/lib/private/Authentication/Events/AppPasswordCreatedEvent.php b/lib/private/Authentication/Events/AppPasswordCreatedEvent.php
@@ -25,16 +25,14 @@
  */
 namespace OC\Authentication\Events;
 
-use OC\Authentication\Token\IToken;
+use OCP\Authentication\Token\IToken;
 use OCP\EventDispatcher\Event;
 
 class AppPasswordCreatedEvent extends Event {
-	/** @var IToken */
-	private $token;
-
-	public function __construct(IToken $token) {
+	public function __construct(
+		private IToken $token,
+	) {
 		parent::__construct();
-		$this->token = $token;
 	}
 
 	public function getToken(): IToken {
diff --git a/lib/private/Authentication/LoginCredentials/Store.php b/lib/private/Authentication/LoginCredentials/Store.php
@@ -26,10 +26,10 @@
  */
 namespace OC\Authentication\LoginCredentials;
 
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Token\IProvider;
 use OCP\Authentication\Exceptions\CredentialsUnavailableException;
+use OCP\Authentication\Exceptions\InvalidTokenException;
 use OCP\Authentication\LoginCredentials\ICredentials;
 use OCP\Authentication\LoginCredentials\IStore;
 use OCP\ISession;
diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
@@ -29,10 +29,11 @@
  */
 namespace OC\Authentication\Token;
 
-use OC\Authentication\Exceptions\ExpiredTokenException;
-use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
-use OC\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Exceptions\ExpiredTokenException;
+use OCP\Authentication\Exceptions\InvalidTokenException;
+use OCP\Authentication\Exceptions\WipeTokenException;
+use OCP\Authentication\Token\IToken as OCPIToken;
 
 interface IProvider {
 	/**
@@ -45,16 +46,16 @@ interface IProvider {
 	 * @param string $name Name will be trimmed to 120 chars when longer
 	 * @param int $type token type
 	 * @param int $remember whether the session token should be used for remember-me
-	 * @return IToken
+	 * @return OCPIToken
 	 * @throws \RuntimeException when OpenSSL reports a problem
 	 */
 	public function generateToken(string $token,
 		string $uid,
 		string $loginName,
 		?string $password,
 		string $name,
-		int $type = IToken::TEMPORARY_TOKEN,
-		int $remember = IToken::DO_NOT_REMEMBER): IToken;
+		int $type = OCPIToken::TEMPORARY_TOKEN,
+		int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken;
 
 	/**
 	 * Get a token by token id
@@ -63,9 +64,9 @@ public function generateToken(string $token,
 	 * @throws InvalidTokenException
 	 * @throws ExpiredTokenException
 	 * @throws WipeTokenException
-	 * @return IToken
+	 * @return OCPIToken
 	 */
-	public function getToken(string $tokenId): IToken;
+	public function getToken(string $tokenId): OCPIToken;
 
 	/**
 	 * Get a token by token id
@@ -74,9 +75,9 @@ public function getToken(string $tokenId): IToken;
 	 * @throws InvalidTokenException
 	 * @throws ExpiredTokenException
 	 * @throws WipeTokenException
-	 * @return IToken
+	 * @return OCPIToken
 	 */
-	public function getTokenById(int $tokenId): IToken;
+	public function getTokenById(int $tokenId): OCPIToken;
 
 	/**
 	 * Duplicate an existing session token
@@ -85,9 +86,9 @@ public function getTokenById(int $tokenId): IToken;
 	 * @param string $sessionId
 	 * @throws InvalidTokenException
 	 * @throws \RuntimeException when OpenSSL reports a problem
-	 * @return IToken The new token
+	 * @return OCPIToken The new token
 	 */
-	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken;
+	public function renewSessionToken(string $oldSessionId, string $sessionId): OCPIToken;
 
 	/**
 	 * Invalidate (delete) the given session token
@@ -117,16 +118,16 @@ public function invalidateLastUsedBefore(string $uid, int $before): void;
 	/**
 	 * Save the updated token
 	 *
-	 * @param IToken $token
+	 * @param OCPIToken $token
 	 */
-	public function updateToken(IToken $token);
+	public function updateToken(OCPIToken $token);
 
 	/**
 	 * Update token activity timestamp
 	 *
-	 * @param IToken $token
+	 * @param OCPIToken $token
 	 */
-	public function updateTokenActivity(IToken $token);
+	public function updateTokenActivity(OCPIToken $token);
 
 	/**
 	 * Get all tokens of a user
@@ -135,49 +136,49 @@ public function updateTokenActivity(IToken $token);
 	 * where a high number of (session) tokens is generated
 	 *
 	 * @param string $uid
-	 * @return IToken[]
+	 * @return OCPIToken[]
 	 */
 	public function getTokenByUser(string $uid): array;
 
 	/**
 	 * Get the (unencrypted) password of the given token
 	 *
-	 * @param IToken $savedToken
+	 * @param OCPIToken $savedToken
 	 * @param string $tokenId
 	 * @throws InvalidTokenException
 	 * @throws PasswordlessTokenException
 	 * @return string
 	 */
-	public function getPassword(IToken $savedToken, string $tokenId): string;
+	public function getPassword(OCPIToken $savedToken, string $tokenId): string;
 
 	/**
 	 * Encrypt and set the password of the given token
 	 *
-	 * @param IToken $token
+	 * @param OCPIToken $token
 	 * @param string $tokenId
 	 * @param string $password
 	 * @throws InvalidTokenException
 	 */
-	public function setPassword(IToken $token, string $tokenId, string $password);
+	public function setPassword(OCPIToken $token, string $tokenId, string $password);
 
 	/**
 	 * Rotate the token. Useful for for example oauth tokens
 	 *
-	 * @param IToken $token
+	 * @param OCPIToken $token
 	 * @param string $oldTokenId
 	 * @param string $newTokenId
-	 * @return IToken
+	 * @return OCPIToken
 	 * @throws \RuntimeException when OpenSSL reports a problem
 	 */
-	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
+	public function rotate(OCPIToken $token, string $oldTokenId, string $newTokenId): OCPIToken;
 
 	/**
 	 * Marks a token as having an invalid password.
 	 *
-	 * @param IToken $token
+	 * @param OCPIToken $token
 	 * @param string $tokenId
 	 */
-	public function markPasswordInvalid(IToken $token, string $tokenId);
+	public function markPasswordInvalid(OCPIToken $token, string $tokenId);
 
 	/**
 	 * Update all the passwords of $uid if required
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
diff --git a/lib/private/Authentication/Token/RemoteWipe.php b/lib/private/Authentication/Token/RemoteWipe.php
diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
