Skip to content

Commit

Permalink
feat(auth): Clean-up unused auth tokens and wipe tokens
Browse files Browse the repository at this point in the history
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
  • Loading branch information
ChristophWurst authored and AndyScherzinger committed Aug 1, 2024
1 parent 13921ca commit ab9831a
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 14 deletions.
17 changes: 10 additions & 7 deletions lib/private/Authentication/Token/PublicKeyTokenMapper.php
Original file line number Diff line number Diff line change
Expand Up @@ -36,17 +36,20 @@ public function invalidate(string $token) {

/**
* @param int $olderThan
* @param int $remember
* @param int $type
* @param int|null $remember
*/
public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
public function invalidateOld(int $olderThan, int $type = IToken::TEMPORARY_TOKEN, int $remember = null) {
/* @var $qb IQueryBuilder */
$qb = $this->db->getQueryBuilder();
$qb->delete($this->tableName)
$delete = $qb->delete($this->tableName)
->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
->execute();
->andWhere($qb->expr()->eq('type', $qb->createNamedParameter($type, IQueryBuilder::PARAM_INT)))
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
if ($remember !== null) {
$delete->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)));
}
$delete->executeStatement();
}

public function invalidateLastUsedBefore(string $uid, int $before): int {
Expand Down
13 changes: 11 additions & 2 deletions lib/private/Authentication/Token/PublicKeyTokenProvider.php
Original file line number Diff line number Diff line change
Expand Up @@ -281,10 +281,19 @@ public function invalidateTokenById(string $uid, int $id) {
public function invalidateOldTokens() {
$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
$this->mapper->invalidateOld($olderThan, OCPIToken::DO_NOT_REMEMBER);
$this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER);

$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
$this->mapper->invalidateOld($rememberThreshold, OCPIToken::REMEMBER);
$this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER);

$wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60);
$this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']);
$this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN);

$authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365);
$this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']);
$this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN);
}

public function invalidateLastUsedBefore(string $uid, int $before): void {
Expand Down
15 changes: 10 additions & 5 deletions tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -330,20 +330,25 @@ public function testInvalidateTokenById() {
$this->tokenProvider->invalidateTokenById('uid', $id);
}

public function testInvalidateOldTokens() {
public function testInvalidateOldTokens(): void {
$defaultSessionLifetime = 60 * 60 * 24;
$defaultRememberMeLifetime = 60 * 60 * 24 * 15;
$this->config->expects($this->exactly(2))
$wipeTokenLifetime = 60 * 60 * 24 * 60;
$this->config->expects($this->exactly(4))
->method('getSystemValueInt')
->willReturnMap([
['session_lifetime', $defaultSessionLifetime, 150],
['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300],
['token_auth_wipe_token_retention', $wipeTokenLifetime, 500],
['token_auth_token_retention', 60 * 60 * 24 * 365, 800],
]);
$this->mapper->expects($this->exactly(2))
$this->mapper->expects($this->exactly(4))
->method('invalidateOld')
->withConsecutive(
[$this->time - 150],
[$this->time - 300]
[$this->time - 150, IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER],
[$this->time - 300, IToken::TEMPORARY_TOKEN, IToken::REMEMBER],
[$this->time - 500, IToken::TEMPORARY_TOKEN, null],
[$this->time - 800, IToken::TEMPORARY_TOKEN, null],
);

$this->tokenProvider->invalidateOldTokens();
Expand Down

0 comments on commit ab9831a

Please sign in to comment.