[stable25] feat: Close sessions created for login flow v2

.github/workflows/performance.yml

@@ -79,7 +79,7 @@ jobs:
 
       - name: Upload profiles
         if: always()
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1
         with:
           name: profiles
           path: |

core/Controller/ClientFlowLoginV2Controller.php

@@ -49,6 +49,8 @@
 class ClientFlowLoginV2Controller extends Controller {
 	public const TOKEN_NAME = 'client.flow.v2.login.token';
 	public const STATE_NAME = 'client.flow.v2.state.token';
+	// Denotes that the session was created for the login flow and should therefore be ephemeral.
+	public const EPHEMERAL_NAME = 'client.flow.v2.state.ephemeral';
 
 	private LoginFlowV2Service $loginFlowV2Service;
 	private IURLGenerator $urlGenerator;

lib/composer/composer/autoload_classmap.php

@@ -686,6 +686,7 @@
     'OC\\AppFramework\\Logger' => $baseDir . '/lib/private/AppFramework/Logger.php',
     'OC\\AppFramework\\Middleware\\AdditionalScriptsMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/AdditionalScriptsMiddleware.php',
     'OC\\AppFramework\\Middleware\\CompressionMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/CompressionMiddleware.php',
+    'OC\\AppFramework\\Middleware\\FlowV2EphemeralSessionsMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php',
     'OC\\AppFramework\\Middleware\\MiddlewareDispatcher' => $baseDir . '/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php',
     'OC\\AppFramework\\Middleware\\NotModifiedMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/NotModifiedMiddleware.php',
     'OC\\AppFramework\\Middleware\\OCSMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/OCSMiddleware.php',
@@ -779,6 +780,7 @@
     'OC\\Authentication\\Login\\CreateSessionTokenCommand' => $baseDir . '/lib/private/Authentication/Login/CreateSessionTokenCommand.php',
     'OC\\Authentication\\Login\\EmailLoginCommand' => $baseDir . '/lib/private/Authentication/Login/EmailLoginCommand.php',
     'OC\\Authentication\\Login\\FinishRememberedLoginCommand' => $baseDir . '/lib/private/Authentication/Login/FinishRememberedLoginCommand.php',
+    'OC\\Authentication\\Login\\FlowV2EphemeralSessionsCommand' => $baseDir . '/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php',
     'OC\\Authentication\\Login\\LoggedInCheckCommand' => $baseDir . '/lib/private/Authentication/Login/LoggedInCheckCommand.php',
     'OC\\Authentication\\Login\\LoginData' => $baseDir . '/lib/private/Authentication/Login/LoginData.php',
     'OC\\Authentication\\Login\\LoginResult' => $baseDir . '/lib/private/Authentication/Login/LoginResult.php',

lib/composer/composer/autoload_static.php

@@ -719,6 +719,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OC\\AppFramework\\Logger' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Logger.php',
         'OC\\AppFramework\\Middleware\\AdditionalScriptsMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/AdditionalScriptsMiddleware.php',
         'OC\\AppFramework\\Middleware\\CompressionMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/CompressionMiddleware.php',
+        'OC\\AppFramework\\Middleware\\FlowV2EphemeralSessionsMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php',
         'OC\\AppFramework\\Middleware\\MiddlewareDispatcher' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php',
         'OC\\AppFramework\\Middleware\\NotModifiedMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/NotModifiedMiddleware.php',
         'OC\\AppFramework\\Middleware\\OCSMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/OCSMiddleware.php',
@@ -812,6 +813,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OC\\Authentication\\Login\\CreateSessionTokenCommand' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/CreateSessionTokenCommand.php',
         'OC\\Authentication\\Login\\EmailLoginCommand' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/EmailLoginCommand.php',
         'OC\\Authentication\\Login\\FinishRememberedLoginCommand' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/FinishRememberedLoginCommand.php',
+        'OC\\Authentication\\Login\\FlowV2EphemeralSessionsCommand' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php',
         'OC\\Authentication\\Login\\LoggedInCheckCommand' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/LoggedInCheckCommand.php',
         'OC\\Authentication\\Login\\LoginData' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/LoginData.php',
         'OC\\Authentication\\Login\\LoginResult' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/LoginResult.php',

lib/private/AppFramework/DependencyInjection/DIContainer.php

@@ -37,6 +37,7 @@
 use OC\AppFramework\Http;
 use OC\AppFramework\Http\Dispatcher;
 use OC\AppFramework\Http\Output;
+use OC\AppFramework\Middleware\FlowV2EphemeralSessionsMiddleware;
 use OC\AppFramework\Middleware\MiddlewareDispatcher;
 use OC\AppFramework\Middleware\OCSMiddleware;
 use OC\AppFramework\Middleware\Security\CORSMiddleware;
@@ -236,7 +237,7 @@ public function __construct($appName, $urlParams = [], ServerContainer $server =
 				)
 			);
 
-
+			$dispatcher->registerMiddleware($c->get(FlowV2EphemeralSessionsMiddleware::class));
 
 			$securityMiddleware = new SecurityMiddleware(
 				$c->get(IRequest::class),

lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+namespace OC\AppFramework\Middleware;
+
+use OC\AppFramework\Utility\ControllerMethodReflector;
+use OC\Core\Controller\ClientFlowLoginV2Controller;
+use OCP\AppFramework\Middleware;
+use OCP\ISession;
+use OCP\IUserSession;
+
+// Will close the session if the user session is ephemeral.
+// Happens when the user logs in via the login flow v2.
+class FlowV2EphemeralSessionsMiddleware extends Middleware {
+	private ISession $session;
+	private IUserSession $userSession;
+	private ControllerMethodReflector $reflector;
+
+	public function __construct(
+		ISession $session,
+		IUserSession $userSession,
+		ControllerMethodReflector $reflector
+	) {
+		$this->session = $session;
+		$this->userSession = $userSession;
+		$this->reflector = $reflector;
+	}
+
+	public function beforeController($controller, $methodName) {
+		if (!$this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME)) {
+			return;
+		}
+
+		if (
+			$controller instanceof ClientFlowLoginV2Controller &&
+			($methodName === 'grantPage' || $methodName === 'generateAppPassword')
+		) {
+			return;
+		}
+
+		if ($this->reflector->hasAnnotation('PublicPage')) {
+			return;
+		}
+
+		$this->userSession->logout();
+		$this->session->close();
+	}
+}

lib/private/Authentication/Login/Chain.php

@@ -63,6 +63,9 @@ class Chain {
 	/** @var FinishRememberedLoginCommand */
 	private $finishRememberedLoginCommand;
 
+	/** @var FlowV2EphemeralSessionsCommand */
+	private $flowV2EphemeralSessionsCommand;
+
 	public function __construct(PreLoginHookCommand $preLoginHookCommand,
 								UserDisabledCheckCommand $userDisabledCheckCommand,
 								UidLoginCommand $uidLoginCommand,
@@ -74,20 +77,9 @@ public function __construct(PreLoginHookCommand $preLoginHookCommand,
 								UpdateLastPasswordConfirmCommand $updateLastPasswordConfirmCommand,
 								SetUserTimezoneCommand $setUserTimezoneCommand,
 								TwoFactorCommand $twoFactorCommand,
-								FinishRememberedLoginCommand $finishRememberedLoginCommand
+								FinishRememberedLoginCommand $finishRememberedLoginCommand,
+								FlowV2EphemeralSessionsCommand $flowV2EphemeralSessionsCommand
 	) {
-		$this->preLoginHookCommand = $preLoginHookCommand;
-		$this->userDisabledCheckCommand = $userDisabledCheckCommand;
-		$this->uidLoginCommand = $uidLoginCommand;
-		$this->emailLoginCommand = $emailLoginCommand;
-		$this->loggedInCheckCommand = $loggedInCheckCommand;
-		$this->completeLoginCommand = $completeLoginCommand;
-		$this->createSessionTokenCommand = $createSessionTokenCommand;
-		$this->clearLostPasswordTokensCommand = $clearLostPasswordTokensCommand;
-		$this->updateLastPasswordConfirmCommand = $updateLastPasswordConfirmCommand;
-		$this->setUserTimezoneCommand = $setUserTimezoneCommand;
-		$this->twoFactorCommand = $twoFactorCommand;
-		$this->finishRememberedLoginCommand = $finishRememberedLoginCommand;
 	}
 
 	public function process(LoginData $loginData): LoginResult {
@@ -98,6 +90,7 @@ public function process(LoginData $loginData): LoginResult {
 			->setNext($this->emailLoginCommand)
 			->setNext($this->loggedInCheckCommand)
 			->setNext($this->completeLoginCommand)
+			->setNext($this->flowV2EphemeralSessionsCommand)
 			->setNext($this->createSessionTokenCommand)
 			->setNext($this->clearLostPasswordTokensCommand)
 			->setNext($this->updateLastPasswordConfirmCommand)

lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Authentication\Login;
+
+use OC\Core\Controller\ClientFlowLoginV2Controller;
+use OCP\ISession;
+use OCP\IURLGenerator;
+
+class FlowV2EphemeralSessionsCommand extends ALoginCommand {
+	private ISession $session;
+	private IURLGenerator $urlGenerator;
+
+	public function __construct(
+		ISession $session,
+		IURLGenerator $urlGenerator
+	) {
+		$this->session = $session;
+		$this->urlGenerator = $urlGenerator;
+	}
+
+	public function process(LoginData $loginData): LoginResult {
+		$loginV2GrantRoute = $this->urlGenerator->linkToRoute('core.ClientFlowLoginV2.grantPage');
+		if (str_starts_with($loginData->getRedirectUrl() ?? '', $loginV2GrantRoute)) {
+			$this->session->set(ClientFlowLoginV2Controller::EPHEMERAL_NAME, true);
+		}
+
+		return $this->processNextOrFinishSuccessfully($loginData);
+	}
+}