Device/Session registry #19529

Closed
danimo opened this issue Oct 2, 2015 · 11 comments

Comments

@danimo
Contributor

danimo commented Oct 2, 2015

Purpose

The device registry would keep track of devices that connect to ownCloud (e.g. mobile clients, desktop clients) and store a unique ID of the device. It can also be used to identify current browser sessions.

Possible use cases

  • per-device authentication tokens (login with normal credentials once to fetch a token which is only authorized to do a subset of actions (e.g. webdav only access), limited to a particular device)
  • Targeted remote wipe
  • Device statistics
  • Log out remote browser sessions

(This is mostly based on an old proposal that I made in 5.0 times and that I didn't want to get lost. It could fit neatly e.g. with #10400. This also solves the remote wipe issue.)

Stories implemented

  • As an administrator, I want to be able to control/view permanently syncing devices and wipe them
  • As a user, I do not want to reauthenticate permanently syncing services only because my user password changed.
  • As a user I want to see which devices sync my stuff and when they did the last time, similar to https://github.com/settings/tokens
  • As a user, I want to be able to log out stale browser sessions that I might have forgotten to properly close down.

/cc @MTRichards @CML @karlitschek

@nickvergessen
Contributor

Other story implemented

@MorrisJobke
Contributor

non-browser devices

I would also do this for browsers. This would enhance the security because we can "remote logout a browser session".

@karlitschek
Contributor

good idea. Something for the future :-)

@danimo
Contributor Author

danimo commented Oct 2, 2015

@nickvergessen @MorrisJobke : Added, thanks!

@danimo danimo changed the title Device registry Device/Session registry Oct 2, 2015
@DeepDiver1975
Member

this will allow us to invalidate sessions on password change #18410

@MTRichards
Contributor

This also solves the remote wipe issue.

Yep, good stuff. I have had it in the backlog for a while, just need to move some stuff off the plate to get this on the plate. Or get a second plate.

@guruz
Contributor

guruz commented Apr 8, 2016

We were thinking of sending something like the locally set hostname (e.g. "Markus-MacBookPro") inside the user agent for logging purposes (client issue).
Now I'm thinking we could also send this in an HTTP header and it then gets saved into this registry.

Maybe this is also something that can be reused inside the activity log (@nickvergessen @dragotin)

@ChristophWurst
Contributor

This is what I added with pluggable auth, isn't it?
ref #24189

@guruz
Contributor

guruz commented Jun 5, 2016

@ChristophWurst Yep indeed looks like it :)

I'm wondering: The table authtoken has name which is for the User-Agent. How would we put in a user-defined description?
E.g. "Markus' MacBook" or "Christoph's Android" or whatever.
Hm, maybe something for later.

Please feel free to assign this yourself and close it.

(If @danimo does not disagree)

@ChristophWurst
Contributor

@guruz the name attribute is used for the user agent of browser session tokens and for the device name of device tokens. You can already create a device token called "Markus' MacBook" in the personal settings or via the /token/generate route:

```php
/**
 * Generate a new access token clients can authenticate with
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @param string $user
 * @param string $password
 * @param string $name the name of the client
 * @return JSONResponse
 */
public function generateToken($user, $password, $name = 'unknown client') {
	if (is_null($user) || is_null($password)) {
		$response = new Response();
		$response->setStatus(Http::STATUS_UNPROCESSABLE_ENTITY);
		return $response;
	}
	$loginResult = $this->userManager->checkPassword($user, $password);
	if ($loginResult === false) {
		$response = new Response();
		$response->setStatus(Http::STATUS_UNAUTHORIZED);
		return $response;
	}
	$token = $this->secureRandom->generate(128);
	$this->tokenProvider->generateToken($token, $loginResult->getUID(), $user, $password, $name, IToken::PERMANENT_TOKEN);
	return [
		'token' => $token,
	];
}
```
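
An added sketch of the registry this thread proposes (not ownCloud's code and not part of any comment above): tokens are kept only as hashes, carry a device name and a scope, and can be listed and revoked per user without touching the account password. `DeviceRegistry`, its methods, the scope strings and the sample values are hypothetical.

```php
<?php
// Added illustration, not ownCloud code: DeviceRegistry and its methods are hypothetical.
final class DeviceRegistry
{
    private array $rows = [];   // keyed by SHA-512 of the token; plaintext is never stored
    private int $nextId = 1;

    // Called once after a normal credential login; the plaintext token is returned only here.
    public function issue(string $uid, string $name, string $scope): string
    {
        $token = bin2hex(random_bytes(32));
        $this->rows[hash('sha512', $token)] = ['id' => $this->nextId++, 'uid' => $uid,
            'name' => $name, 'scope' => $scope, 'lastActivity' => null];
        return $token;
    }

    // Returns the owning uid when the token exists and its scope covers $action, else null.
    public function validate(string $token, string $action, int $now): ?string
    {
        $key = hash('sha512', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null || ($row['scope'] !== 'all' && $row['scope'] !== $action)) {
            return null;
        }
        $this->rows[$key]['lastActivity'] = $now;   // feeds the "last synced" column
        return $row['uid'];
    }

    // The per-user device list: id, name and last use, never the token or its hash.
    public function listFor(string $uid): array
    {
        return array_values(array_map(
            fn($r) => ['id' => $r['id'], 'name' => $r['name'], 'lastActivity' => $r['lastActivity']],
            array_filter($this->rows, fn($r) => $r['uid'] === $uid)));
    }

    // Remote logout or device revocation; a user can only remove rows they own.
    public function revoke(string $uid, int $id): bool
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn($r) => !($r['uid'] === $uid && $r['id'] === $id));
        return count($this->rows) < $before;
    }
}

// Constructed sample data: one WebDAV-only device token, checked, then revoked.
$reg = new DeviceRegistry();
$laptop = $reg->issue('markus', "Markus' MacBook", 'webdav');
var_dump($reg->validate($laptop, 'webdav', time()), $reg->validate($laptop, 'admin', time()));
var_dump($reg->revoke('markus', 1), $reg->validate($laptop, 'webdav', time()));
```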

@lock

lock bot commented Aug 4, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 4, 2019