diff --git a/apps/oauth2/appinfo/info.xml b/apps/oauth2/appinfo/info.xml
index a9247099988a0..e210222d94f7f 100644
--- a/apps/oauth2/appinfo/info.xml
+++ b/apps/oauth2/appinfo/info.xml
@@ -5,7 +5,7 @@
OAuth 2.0
Allows OAuth2 compatible authentication from other web applications.
The OAuth2 app allows administrators to configure the built-in authentication workflow to also allow OAuth2 compatible authentication from other web applications.
- 1.14.1
+ 1.14.2
agpl
Lukas Reschke
OAuth2
@@ -19,6 +19,10 @@
+
+ OCA\OAuth2\BackgroundJob\CleanupExpiredAuthorizationCode
+
+
OCA\OAuth2\Migration\SetTokenExpiration
diff --git a/apps/oauth2/composer/composer/autoload_classmap.php b/apps/oauth2/composer/composer/autoload_classmap.php
index 09cacb20335f9..b2f24b59c772a 100644
--- a/apps/oauth2/composer/composer/autoload_classmap.php
+++ b/apps/oauth2/composer/composer/autoload_classmap.php
@@ -7,6 +7,7 @@
return array(
'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
+ 'OCA\\OAuth2\\BackgroundJob\\CleanupExpiredAuthorizationCode' => $baseDir . '/../lib/BackgroundJob/CleanupExpiredAuthorizationCode.php',
'OCA\\OAuth2\\Controller\\LoginRedirectorController' => $baseDir . '/../lib/Controller/LoginRedirectorController.php',
'OCA\\OAuth2\\Controller\\OauthApiController' => $baseDir . '/../lib/Controller/OauthApiController.php',
'OCA\\OAuth2\\Controller\\SettingsController' => $baseDir . '/../lib/Controller/SettingsController.php',
@@ -20,5 +21,6 @@
'OCA\\OAuth2\\Migration\\Version010401Date20181207190718' => $baseDir . '/../lib/Migration/Version010401Date20181207190718.php',
'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => $baseDir . '/../lib/Migration/Version010402Date20190107124745.php',
'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => $baseDir . '/../lib/Migration/Version011601Date20230522143227.php',
+ 'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => $baseDir . '/../lib/Migration/Version011603Date20230620111039.php',
'OCA\\OAuth2\\Settings\\Admin' => $baseDir . '/../lib/Settings/Admin.php',
);
diff --git a/apps/oauth2/composer/composer/autoload_static.php b/apps/oauth2/composer/composer/autoload_static.php
index 1442093e32fb9..ad4983efbb9ab 100644
--- a/apps/oauth2/composer/composer/autoload_static.php
+++ b/apps/oauth2/composer/composer/autoload_static.php
@@ -22,6 +22,7 @@ class ComposerStaticInitOAuth2
public static $classMap = array (
'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
+ 'OCA\\OAuth2\\BackgroundJob\\CleanupExpiredAuthorizationCode' => __DIR__ . '/..' . '/../lib/BackgroundJob/CleanupExpiredAuthorizationCode.php',
'OCA\\OAuth2\\Controller\\LoginRedirectorController' => __DIR__ . '/..' . '/../lib/Controller/LoginRedirectorController.php',
'OCA\\OAuth2\\Controller\\OauthApiController' => __DIR__ . '/..' . '/../lib/Controller/OauthApiController.php',
'OCA\\OAuth2\\Controller\\SettingsController' => __DIR__ . '/..' . '/../lib/Controller/SettingsController.php',
@@ -35,6 +36,7 @@ class ComposerStaticInitOAuth2
'OCA\\OAuth2\\Migration\\Version010401Date20181207190718' => __DIR__ . '/..' . '/../lib/Migration/Version010401Date20181207190718.php',
'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => __DIR__ . '/..' . '/../lib/Migration/Version010402Date20190107124745.php',
'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => __DIR__ . '/..' . '/../lib/Migration/Version011601Date20230522143227.php',
+ 'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => __DIR__ . '/..' . '/../lib/Migration/Version011603Date20230620111039.php',
'OCA\\OAuth2\\Settings\\Admin' => __DIR__ . '/..' . '/../lib/Settings/Admin.php',
);
diff --git a/apps/oauth2/lib/BackgroundJob/CleanupExpiredAuthorizationCode.php b/apps/oauth2/lib/BackgroundJob/CleanupExpiredAuthorizationCode.php
new file mode 100644
index 0000000000000..9428424362868
--- /dev/null
+++ b/apps/oauth2/lib/BackgroundJob/CleanupExpiredAuthorizationCode.php
@@ -0,0 +1,61 @@
+
+ *
+ * @author Julien Veyssier
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+
+namespace OCA\OAuth2\BackgroundJob;
+
+use OCA\OAuth2\Db\AccessTokenMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\BackgroundJob\IJob;
+use OCP\BackgroundJob\TimedJob;
+use OCP\DB\Exception;
+use Psr\Log\LoggerInterface;
+
+class CleanupExpiredAuthorizationCode extends TimedJob {
+
+ public function __construct(
+ ITimeFactory $timeFactory,
+ private AccessTokenMapper $accessTokenMapper,
+ private LoggerInterface $logger,
+
+ ) {
+ parent::__construct($timeFactory);
+ // 30 days
+ $this->setInterval(60 * 60 * 24 * 30);
+ $this->setTimeSensitivity(IJob::TIME_INSENSITIVE);
+ }
+
+ /**
+ * @param mixed $argument
+ * @inheritDoc
+ */
+ protected function run($argument): void {
+ try {
+ $this->accessTokenMapper->cleanupExpiredAuthorizationCode();
+ } catch (Exception $e) {
+ $this->logger->warning('Failed to cleanup tokens with expired authorization code', ['exception' => $e]);
+ }
+ }
+}
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index b412e456fa83c..a67e029b57a8e 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -27,6 +27,7 @@
*/
namespace OCA\OAuth2\Controller;
+use DateTime;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Token\IProvider as TokenProvider;
@@ -39,12 +40,16 @@
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\DB\Exception;
use OCP\IRequest;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;
use Psr\Log\LoggerInterface;
class OauthApiController extends Controller {
+ // the authorization code expires after 10 minutes
+ public const AUTHORIZATION_CODE_EXPIRES_AFTER = 10 * 60;
+
/** @var AccessTokenMapper */
private $accessTokenMapper;
/** @var ClientMapper */
@@ -56,29 +61,31 @@ class OauthApiController extends Controller {
/** @var ISecureRandom */
private $secureRandom;
/** @var ITimeFactory */
- private $time;
+ private $timeFactory;
/** @var Throttler */
private $throttler;
/** @var LoggerInterface */
private $logger;
- public function __construct(string $appName,
- IRequest $request,
- ICrypto $crypto,
- AccessTokenMapper $accessTokenMapper,
- ClientMapper $clientMapper,
- TokenProvider $tokenProvider,
- ISecureRandom $secureRandom,
- ITimeFactory $time,
- LoggerInterface $logger,
- Throttler $throttler) {
+ public function __construct(
+ string $appName,
+ IRequest $request,
+ ICrypto $crypto,
+ AccessTokenMapper $accessTokenMapper,
+ ClientMapper $clientMapper,
+ TokenProvider $tokenProvider,
+ ISecureRandom $secureRandom,
+ ITimeFactory $timeFactory,
+ LoggerInterface $logger,
+ Throttler $throttler
+ ) {
parent::__construct($appName, $request);
$this->crypto = $crypto;
$this->accessTokenMapper = $accessTokenMapper;
$this->clientMapper = $clientMapper;
$this->tokenProvider = $tokenProvider;
$this->secureRandom = $secureRandom;
- $this->time = $time;
+ $this->timeFactory = $timeFactory;
$this->throttler = $throttler;
$this->logger = $logger;
}
@@ -89,13 +96,17 @@ public function __construct(string $appName,
* @BruteForceProtection(action=oauth2GetToken)
*
* @param string $grant_type
- * @param string $code
- * @param string $refresh_token
- * @param string $client_id
- * @param string $client_secret
+ * @param string|null $code
+ * @param string|null $refresh_token
+ * @param string|null $client_id
+ * @param string|null $client_secret
* @return JSONResponse
+ * @throws Exception
*/
- public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret): JSONResponse {
+ public function getToken(
+ string $grant_type, ?string $code, ?string $refresh_token,
+ ?string $client_id, ?string $client_secret
+ ): JSONResponse {
// We only handle two types
if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') {
@@ -121,6 +132,33 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
return $response;
}
+ if ($grant_type === 'authorization_code') {
+ // check this token is in authorization code state
+ $deliveredTokenCount = $accessToken->getTokenCount();
+ if ($deliveredTokenCount > 0) {
+ $response = new JSONResponse([
+ 'error' => 'invalid_request',
+ ], Http::STATUS_BAD_REQUEST);
+ $response->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
+ return $response;
+ }
+
+ // check authorization code expiration
+ $now = $this->timeFactory->getTime();
+ $codeCreatedAt = $accessToken->getCodeCreatedAt();
+ if ($codeCreatedAt < $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER) {
+ // we know this token is not useful anymore
+ $this->accessTokenMapper->delete($accessToken);
+
+ $response = new JSONResponse([
+ 'error' => 'invalid_request',
+ ], Http::STATUS_BAD_REQUEST);
+ $expiredSince = $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER - $codeCreatedAt;
+ $response->throttle(['invalid_request' => 'authorization_code_expired', 'expired_since' => $expiredSince]);
+ return $response;
+ }
+ }
+
try {
$client = $this->clientMapper->getByUid($accessToken->getClientId());
} catch (ClientNotFoundException $e) {
@@ -181,13 +219,18 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
);
// Expiration is in 1 hour again
- $appToken->setExpires($this->time->getTime() + 3600);
+ $appToken->setExpires($this->timeFactory->getTime() + 3600);
$this->tokenProvider->updateToken($appToken);
// Generate a new refresh token and encrypt the new apptoken in the DB
$newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_ALPHANUMERIC);
$accessToken->setHashedCode(hash('sha512', $newCode));
$accessToken->setEncryptedToken($this->crypto->encrypt($newToken, $newCode));
+ // increase the number of delivered oauth token
+ // this helps with cleaning up DB access token when authorization code has expired
+ // and it never delivered any oauth token
+ $tokenCount = $accessToken->getTokenCount();
+ $accessToken->setTokenCount($tokenCount + 1);
$this->accessTokenMapper->update($accessToken);
$this->throttler->resetDelay($this->request->getRemoteAddress(), 'login', ['user' => $appToken->getUID()]);
diff --git a/apps/oauth2/lib/Db/AccessToken.php b/apps/oauth2/lib/Db/AccessToken.php
index 26c830c64adf1..e0da141af3fd6 100644
--- a/apps/oauth2/lib/Db/AccessToken.php
+++ b/apps/oauth2/lib/Db/AccessToken.php
@@ -34,6 +34,10 @@
* @method void setEncryptedToken(string $token)
* @method string getHashedCode()
* @method void setHashedCode(string $token)
+ * @method int getCodeCreatedAt()
+ * @method void setCodeCreatedAt(int $createdAt)
+ * @method int getTokenCount()
+ * @method void setTokenCount(int $tokenCount)
*/
class AccessToken extends Entity {
/** @var int */
@@ -44,6 +48,10 @@ class AccessToken extends Entity {
protected $hashedCode;
/** @var string */
protected $encryptedToken;
+ /** @var int */
+ protected $codeCreatedAt;
+ /** @var int */
+ protected $tokenCount;
public function __construct() {
$this->addType('id', 'int');
@@ -51,5 +59,7 @@ public function __construct() {
$this->addType('clientId', 'int');
$this->addType('hashedCode', 'string');
$this->addType('encryptedToken', 'string');
+ $this->addType('codeCreatedAt', 'int');
+ $this->addType('tokenCount', 'int');
}
}
diff --git a/apps/oauth2/lib/Db/AccessTokenMapper.php b/apps/oauth2/lib/Db/AccessTokenMapper.php
index da351d5d4966f..45d8836204220 100644
--- a/apps/oauth2/lib/Db/AccessTokenMapper.php
+++ b/apps/oauth2/lib/Db/AccessTokenMapper.php
@@ -28,9 +28,12 @@
*/
namespace OCA\OAuth2\Db;
+use DateTime;
+use OCA\OAuth2\Controller\OauthApiController;
use OCA\OAuth2\Exceptions\AccessTokenNotFoundException;
use OCP\AppFramework\Db\IMapperException;
use OCP\AppFramework\Db\QBMapper;
+use OCP\DB\Exception;
use OCP\DB\QueryBuilder\IQueryBuilder;
use OCP\IDBConnection;
@@ -39,10 +42,9 @@
*/
class AccessTokenMapper extends QBMapper {
- /**
- * @param IDBConnection $db
- */
- public function __construct(IDBConnection $db) {
+ public function __construct(
+ IDBConnection $db,
+ ) {
parent::__construct($db, 'oauth2_access_tokens');
}
@@ -79,4 +81,24 @@ public function deleteByClientId(int $id) {
->where($qb->expr()->eq('client_id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)));
$qb->executeStatement();
}
+
+ /**
+ * Delete access tokens that have an expired authorization code
+ * -> those that are old enough
+ * and which never delivered any oauth token (still in authorization state)
+ *
+ * @return void
+ * @throws Exception
+ */
+ public function cleanupExpiredAuthorizationCode(): void {
+ $now = (new DateTime())->getTimestamp();
+ $maxTokenCreationTs = $now - OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER;
+
+ $qb = $this->db->getQueryBuilder();
+ $qb
+ ->delete($this->tableName)
+ ->where($qb->expr()->eq('token_count', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT)))
+ ->andWhere($qb->expr()->lt('code_created_at', $qb->createNamedParameter($maxTokenCreationTs, IQueryBuilder::PARAM_INT)));
+ $qb->executeStatement();
+ }
}
diff --git a/apps/oauth2/lib/Migration/Version011603Date20230620111039.php b/apps/oauth2/lib/Migration/Version011603Date20230620111039.php
new file mode 100644
index 0000000000000..b694963b0f75d
--- /dev/null
+++ b/apps/oauth2/lib/Migration/Version011603Date20230620111039.php
@@ -0,0 +1,86 @@
+
+ *
+ * @author Julien Veyssier
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+namespace OCA\OAuth2\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\DB\Types;
+use OCP\IDBConnection;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+
+class Version011603Date20230620111039 extends SimpleMigrationStep {
+
+ public function __construct(
+ private IDBConnection $connection,
+ ) {
+ }
+
+ public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+ /** @var ISchemaWrapper $schema */
+ $schema = $schemaClosure();
+
+ if ($schema->hasTable('oauth2_access_tokens')) {
+ $table = $schema->getTable('oauth2_access_tokens');
+ $dbChanged = false;
+ if (!$table->hasColumn('code_created_at')) {
+ $table->addColumn('code_created_at', Types::BIGINT, [
+ 'notnull' => true,
+ 'default' => 0,
+ 'unsigned' => true,
+ ]);
+ $dbChanged = true;
+ }
+ if (!$table->hasColumn('token_count')) {
+ $table->addColumn('token_count', Types::BIGINT, [
+ 'notnull' => true,
+ 'default' => 0,
+ 'unsigned' => true,
+ ]);
+ $dbChanged = true;
+ }
+ if (!$table->hasIndex('oauth2_tk_c_created_idx')) {
+ $table->addIndex(['token_count', 'code_created_at'], 'oauth2_tk_c_created_idx');
+ $dbChanged = true;
+ }
+ if ($dbChanged) {
+ return $schema;
+ }
+ }
+
+ return null;
+ }
+
+ public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void {
+ // we consider that existing access_tokens have already produced at least one oauth token
+ // which prevents cleaning them up
+ $qbUpdate = $this->connection->getQueryBuilder();
+ $qbUpdate->update('oauth2_access_tokens')
+ ->set('token_count', $qbUpdate->createNamedParameter(1, IQueryBuilder::PARAM_INT));
+ $qbUpdate->executeStatement();
+ }
+}
diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
index c65302532a937..e4fe720c47eec 100644
--- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php
+++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
@@ -65,7 +65,7 @@ class OauthApiControllerTest extends TestCase {
/** @var ISecureRandom|\PHPUnit\Framework\MockObject\MockObject */
private $secureRandom;
/** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
- private $time;
+ private $timeFactory;
/** @var Throttler|\PHPUnit\Framework\MockObject\MockObject */
private $throttler;
/** @var LoggerInterface|\PHPUnit\Framework\MockObject\MockObject */
@@ -82,7 +82,7 @@ protected function setUp(): void {
$this->clientMapper = $this->createMock(ClientMapper::class);
$this->tokenProvider = $this->createMock(TokenProvider::class);
$this->secureRandom = $this->createMock(ISecureRandom::class);
- $this->time = $this->createMock(ITimeFactory::class);
+ $this->timeFactory = $this->createMock(ITimeFactory::class);
$this->throttler = $this->createMock(Throttler::class);
$this->logger = $this->createMock(LoggerInterface::class);
@@ -94,7 +94,7 @@ protected function setUp(): void {
$this->clientMapper,
$this->tokenProvider,
$this->secureRandom,
- $this->time,
+ $this->timeFactory,
$this->logger,
$this->throttler
);
@@ -122,7 +122,87 @@ public function testGetTokenInvalidCode() {
$this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'invalidcode', null, null, null));
}
- public function testGetTokenInvalidRefreshToken() {
+ public function testGetTokenExpiredCode() {
+ $codeCreatedAt = 100;
+ $expiredSince = 123;
+
+ $expected = new JSONResponse([
+ 'error' => 'invalid_request',
+ ], Http::STATUS_BAD_REQUEST);
+ $expected->throttle(['invalid_request' => 'authorization_code_expired', 'expired_since' => $expiredSince]);
+
+ $accessToken = new AccessToken();
+ $accessToken->setClientId(42);
+ $accessToken->setCodeCreatedAt($codeCreatedAt);
+
+ $this->accessTokenMapper->method('getByCode')
+ ->with('validcode')
+ ->willReturn($accessToken);
+
+ $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER + $expiredSince;
+ $this->timeFactory->method('getTime')
+ ->willReturn($tsNow);
+
+ $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
+ }
+
+ public function testGetTokenWithCodeForActiveToken() {
+ // if a token has already delivered oauth tokens,
+ // it should not be possible to get a new oauth token from a valid authorization code
+ $codeCreatedAt = 100;
+
+ $expected = new JSONResponse([
+ 'error' => 'invalid_request',
+ ], Http::STATUS_BAD_REQUEST);
+ $expected->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
+
+ $accessToken = new AccessToken();
+ $accessToken->setClientId(42);
+ $accessToken->setCodeCreatedAt($codeCreatedAt);
+ $accessToken->setTokenCount(1);
+
+ $this->accessTokenMapper->method('getByCode')
+ ->with('validcode')
+ ->willReturn($accessToken);
+
+ $tsNow = $codeCreatedAt + 1;
+ $this->timeFactory->method('getTime')
+ ->willReturn($tsNow);
+
+ $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
+ }
+
+ public function testGetTokenClientDoesNotExist() {
+ // In this test, the token's authorization code is valid and has not expired
+ // and we check what happens when the associated Oauth client does not exist
+ $codeCreatedAt = 100;
+
+ $expected = new JSONResponse([
+ 'error' => 'invalid_request',
+ ], Http::STATUS_BAD_REQUEST);
+ $expected->throttle(['invalid_request' => 'client not found', 'client_id' => 42]);
+
+ $accessToken = new AccessToken();
+ $accessToken->setClientId(42);
+ $accessToken->setCodeCreatedAt($codeCreatedAt);
+
+ $this->accessTokenMapper->method('getByCode')
+ ->with('validcode')
+ ->willReturn($accessToken);
+
+ // 'now' is before the token's authorization code expiration
+ $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER - 1;
+ $this->timeFactory->method('getTime')
+ ->willReturn($tsNow);
+
+ $this->clientMapper->method('getByUid')
+ ->with(42)
+ ->willThrowException(new ClientNotFoundException());
+
+ $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
+ }
+
+ public function testRefreshTokenInvalidRefreshToken() {
$expected = new JSONResponse([
'error' => 'invalid_request',
], Http::STATUS_BAD_REQUEST);
@@ -135,7 +215,7 @@ public function testGetTokenInvalidRefreshToken() {
$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'invalidrefresh', null, null));
}
- public function testGetTokenClientDoesNotExist() {
+ public function testRefreshTokenClientDoesNotExist() {
$expected = new JSONResponse([
'error' => 'invalid_request',
], Http::STATUS_BAD_REQUEST);
@@ -169,7 +249,7 @@ public function invalidClientProvider() {
* @param string $clientId
* @param string $clientSecret
*/
- public function testGetTokenInvalidClient($clientId, $clientSecret) {
+ public function testRefreshTokenInvalidClient($clientId, $clientSecret) {
$expected = new JSONResponse([
'error' => 'invalid_client',
], Http::STATUS_BAD_REQUEST);
@@ -192,7 +272,7 @@ public function testGetTokenInvalidClient($clientId, $clientSecret) {
$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', $clientId, $clientSecret));
}
- public function testGetTokenInvalidAppToken() {
+ public function testRefreshTokenInvalidAppToken() {
$expected = new JSONResponse([
'error' => 'invalid_request',
], Http::STATUS_BAD_REQUEST);
@@ -236,7 +316,7 @@ public function testGetTokenInvalidAppToken() {
$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
}
- public function testGetTokenValidAppToken() {
+ public function testRefreshTokenValidAppToken() {
$accessToken = new AccessToken();
$accessToken->setClientId(42);
$accessToken->setTokenId(1337);
@@ -287,7 +367,7 @@ public function testGetTokenValidAppToken() {
'random72'
)->willReturn($appToken);
- $this->time->method('getTime')
+ $this->timeFactory->method('getTime')
->willReturn(1000);
$this->tokenProvider->expects($this->once())
@@ -333,7 +413,7 @@ public function testGetTokenValidAppToken() {
$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
}
- public function testGetTokenValidAppTokenBasicAuth() {
+ public function testRefreshTokenValidAppTokenBasicAuth() {
$accessToken = new AccessToken();
$accessToken->setClientId(42);
$accessToken->setTokenId(1337);
@@ -384,7 +464,7 @@ public function testGetTokenValidAppTokenBasicAuth() {
'random72'
)->willReturn($appToken);
- $this->time->method('getTime')
+ $this->timeFactory->method('getTime')
->willReturn(1000);
$this->tokenProvider->expects($this->once())
@@ -433,7 +513,7 @@ public function testGetTokenValidAppTokenBasicAuth() {
$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null));
}
- public function testGetTokenExpiredAppToken() {
+ public function testRefreshTokenExpiredAppToken() {
$accessToken = new AccessToken();
$accessToken->setClientId(42);
$accessToken->setTokenId(1337);
@@ -484,7 +564,7 @@ public function testGetTokenExpiredAppToken() {
'random72'
)->willReturn($appToken);
- $this->time->method('getTime')
+ $this->timeFactory->method('getTime')
->willReturn(1000);
$this->tokenProvider->expects($this->once())
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 85a793bd92b1f..6a5115c94cda4 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -31,6 +31,7 @@
*/
namespace OC\Core\Controller;
+use DateTime;
use OC\Authentication\Events\AppPasswordCreatedEvent;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
@@ -305,6 +306,7 @@ public function generateAppPassword(string $stateToken,
$accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
$accessToken->setHashedCode(hash('sha512', $code));
$accessToken->setTokenId($generatedToken->getId());
+ $accessToken->setCodeCreatedAt((new DateTime())->getTimestamp());
$this->accessTokenMapper->insert($accessToken);
$redirectUri = $client->getRedirectUri();