Bugfix/owncloud/oauth2#103 #30365
Bugfix/owncloud/oauth2#103 #30365
Conversation
cadc772 to
e838056
Compare
Codecov Report
@@ Coverage Diff @@
## master #30365 +/- ##
============================================
+ Coverage 60.86% 60.89% +0.03%
- Complexity 18584 18597 +13
============================================
Files 1093 1093
Lines 61371 61405 +34
============================================
+ Hits 37351 37393 +42
+ Misses 24020 24012 -8
Continue to review full report at Codecov.
|
lib/private/User/BasicAuthModule.php
Outdated
| $user = $this->manager->checkPassword($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW']); | ||
| if ($user instanceof IUser) { | ||
| return $user; | ||
| // reuse logClientIn because this method |
There was a problem hiding this comment.
because this method... yes ?
lib/private/User/BasicAuthModule.php
Outdated
| @@ -66,6 +63,10 @@ public function getUserPassword(IRequest $request) { | |||
| return ''; | |||
| } | |||
|
|
|||
| if ($this->session->getSession()->exists('app_password')) { | |||
| // TODO: use proper password | |||
| throw new \Exception('Not implemented yet'); | |||
There was a problem hiding this comment.
Not at the moment - this is a safety exception which will punch us in the face as soon as we use it accidentally.
Actually the whole method should not yet be called ... we could just throw the exception right away
lib/private/User/Session.php
Outdated
| $user = $module->auth($request); | ||
| if ($user !== null) { | ||
| if ($this->isLoggedIn() && $this->getUser()->getUID() !== $user->getUID()) { | ||
| throw new Exception(); |
There was a problem hiding this comment.
would be nice to have a message, especially if we don't have a proper type.
no more auto-logout of bad sessions ?
There was a problem hiding this comment.
these exceptions are basically just to jump out of the loop and do the logout in the catch block - I'm not to happy with this .....
|
As someone unfamiliar with this code, it would be nice to have a more detailed description that tells why you went to make the changes you made. The commit says something about reordering auth modules but the PR does more than this: it seems to replace API calls with other ones and throw exceptions instead of returning. Are these latter changes part of the bugfix or are they more about cleaning up ? |
e838056 to
84d3242
Compare
|
looks good, yes |
84d3242 to
c06cbbc
Compare
|
@SamuAlfageme can you retest auth issue with this ? |
|
CI fails ? :-/ |
drone has network issues |
|
jenkins has failing integration tests |
|
the integration tests seem completely unrelated. trashbin ?! 🙈 |
|
oh wait... trashbin result says Either we broke something or the test was passing by chance before |
|
I better have a look .... |
|
|
The requests as executed by the integration tests are not reusing the session cookies - which might have a side effect ... |
d4a9a90 to
c90f461
Compare
| } | ||
| return $this->manager->checkPassword($users[0]->getUID(), $request->server['PHP_AUTH_PW']); | ||
| throw new \Exception('Invalid credentials'); |
There was a problem hiding this comment.
return false ? Throwing could cause other side effects...
There was a problem hiding this comment.
in TokenAuthModule we return null, let's stay consistent
There was a problem hiding this comment.
null is returned if there is no authentication header to be evaluated aka handled by this module.
exception is throws if credentials are wrong
user object is returned if creds are valid
There was a problem hiding this comment.
But you are right - this logic seems to be missing in the token auch module ....
lib/private/User/TokenAuthModule.php
Outdated
| * @return null|IToken | ||
| */ | ||
| private function getTokenForAppPassword(IRequest $request, &$token) { | ||
| if (empty($request->server['PHP_AUTH_USER']) || empty($request->server['PHP_AUTH_PW'])) { |
There was a problem hiding this comment.
not afraid of "0" users ?
There was a problem hiding this comment.
@PVince81 as requested: fuck php
bbf4193 to
ee3c057
Compare
…over all modules and allow each of them to verify the headers and in case something is terribly wrong the user will be logged out and the session will be destroyed. The BasicAuthModule now handles app passwords as well - this was missing before and caused users being locked out of ldap. Solves OAuth token expiry issue - fixes owncloud/oauth2#103
ee3c057 to
80fe030
Compare
|
@DeepDiver1975 initial tests suggest the problem no longer reproduces with this + owncloud/oauth2#112; great news! 🎉
Would a traversal unit test like this one make sense to be included in the OAuth2 test pool? Will focus now on trying to reproduce owncloud/oauth2#103 on the mobile apps; with and without these patches. |
|
@DeepDiver1975 can you check if the scope of this patch can be extended to the old WebDAV endpoint? After some more tests, I believe the original cause of owncloud/oauth2#103 is the logic for the old endpoint. Take these 2
Replaying the iOS request any number of times results on 2XX, while desktop gets the correct 401 (after the token is expired; as described in my previous #30365 (comment)) |
|
Hm. Forcing the use of the old endpoint on the Desktop client (setting env. Appart from the endpoints there are a few apparent (but not relevant) differences between iOS and Desktop Desktop:curl \
-H 'Depth:0' \
-H 'Authorization:Bearer VBvulBvRbhOpaA5BLkaLl7H7AdeatO5kwGyDNqfwYf2XRnsJTz0sEagLwgSuT3U3' \
-H 'User-Agent:Mozilla/5.0 (Macintosh) mirall/2.4.0 (build 8836)' \
-H 'Accept:*/*' \
-H 'Content-Type:text/xml; charset=utf-8' \
-H 'X-Request-ID:83fd38fa-395b-429e-a1be-80aad5fc9c32' \
-H 'Cookie:oc_sessionPassphrase=fnebJi6XYVoOIsvNDYO9KMec7ZI8qYbD3m0D0kYi5UJhoXh%2FviUkj7hqrvuPkXpaFgzSW0UqemP4JIOjFUMjmR2tWh%2Bt1DjRkr8uXnypprsGZvRoy7EGWdSwGemssovV; oc3kizzp7f7d=plgcob981he5sjek79r7avjqp1' \
-H 'Content-Length:147' \
-H 'Connection:Keep-Alive' \
-H 'Accept-Encoding:gzip, deflate' \
-H 'Accept-Language:en-US,*' \
-H 'Host:alfageme.solidgear.prv:4443' \
-X PROPFIND 'https://alfageme.solidgear.prv:4443/remote.php/webdav/' \
--data-binary '<?xml version="1.0" ?>
<d:propfind xmlns:d="DAV:">
<d:prop>
<d:quota-available-bytes />
<d:quota-used-bytes />
</d:prop>
</d:propfind>
'iOS:curl \
-H 'Host:alfageme.solidgear.prv:4443' \
-H 'Content-Type:application/xml' \
-H 'Depth:1' \
-H 'Accept:*/*' \
-H 'Accept-Encoding:gzip, deflate' \
-H 'Connection:keep-alive' \
-H 'Cookie:oc3kizzp7f7d=6ds6rnc8mcl5jg31dkmdnpqli6; oc_sessionPassphrase=9sWpKyFrO8B59uXHo%2F4BRmHB3X2q6qJDtpS17D2Zx7BcFPp0s4yPdWiZBPqmzkmWvo4yoBW9XJ7%2BwzgtfCVWfmy%2F0TzJwWUVbROzy0LDGHFPM9543cKTkWnf6%2FqoFcB1' \
-H 'User-Agent:Mozilla/5.0 (iOS) ownCloud-iOS/3.7.0' \
-H 'Accept-Language:en-US;q=1, es-US;q=0.9, zh-Hant-US;q=0.8, en-GB;q=0.7, en;q=0.6' \
-H 'Authorization:Bearer fVbLupKEkYi4Yr6tzALsAZlMZIjMDEkpjZXr5kcwYR6HMKvjDy0RQPoXS4dJ7QSl' \
-H 'Content-Length:383' \
-X PROPFIND 'https://alfageme.solidgear.prv:4443/remote.php/webdav/' \
--data-binary '<?xml version="1.0" encoding="UTF-8"?><D:propfind xmlns:D="DAV:"><D:prop><D:resourcetype/><D:getlastmodified/><size xmlns="http://owncloud.org/ns"/><D:creationdate/><id xmlns="http://owncloud.org/ns"/><D:getcontentlength/><D:displayname/><D:quota-available-bytes/><D:getetag/><permissions xmlns="http://owncloud.org/ns"/><D:quota-used-bytes/><D:getcontenttype/></D:prop></D:propfind>'Diffs:
Will play with these differences and report back when I find the one that messes with the auth. middleware. |
|
I honestly question if oauth works at all on the old endpoint ....... |
|
If we didn't break more stuff that wasn't broken before I'd suggest moving forward with the PR and get it released as it adresses the more critical issue. Then investigate this detail separately ? |
|
As discussed with @DeepDiver1975 and @owncloud/ios-developers, in the end, owncloud/oauth2#103 was all about the iOS app circumventing the webview's sandbox (I haven't had the chance to check with Android's implementation, tho). This means the client was reusing cookies obtained during the authentication steps delegated to the browser (which goes against the end goal of the OAuth2 mechanism: isolation from this); those were bounded to the browser's activity; just like if they were obtained on safari or any other mobile browser, and valid as long as them (not dependent on the After all the tests performed, all the basic access/refresh/revoke scenarios look sane enough. I'll go for the merge here. 👍 |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Description
Related Issue
fixes owncloud/oauth2#103
Motivation and Context
How Has This Been Tested?
Screenshots (if appropriate):
Types of changes
Checklist: