feat: token deletion logic

Signed-off-by: Jana Peper <jana.peper@nextcloud.com>

Author: janepie

apps/webhook_listeners/appinfo/info.xml

@@ -18,7 +18,7 @@ Administrators can configure webhook listeners via the app's OCS API. The app al
         ]]>
     </description>
 
-    <version>1.4.1</version>
+    <version>1.4.2</version>
     <licence>agpl</licence>
     <author>Côme Chilliet</author>
     <namespace>WebhookListeners</namespace>
@@ -49,4 +49,8 @@ Administrators can configure webhook listeners via the app's OCS API. The app al
         <admin-delegation>OCA\WebhookListeners\Settings\Admin</admin-delegation>
         <admin-delegation-section>OCA\WebhookListeners\Settings\AdminSection</admin-delegation-section>
     </settings>
+
+    <background-jobs>
+		<job>OCA\WebhookListeners\BackgroundJobs\WebhookTokenCleanup</job>
+	</background-jobs>
 </info>

apps/webhook_listeners/composer/composer/autoload_classmap.php

@@ -9,9 +9,12 @@
     'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
     'OCA\\WebhookListeners\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
     'OCA\\WebhookListeners\\BackgroundJobs\\WebhookCall' => $baseDir . '/../lib/BackgroundJobs/WebhookCall.php',
+    'OCA\\WebhookListeners\\BackgroundJobs\\WebhookTokenCleanup' => $baseDir . '/../lib/BackgroundJobs/WebhookTokenCleanup.php',
     'OCA\\WebhookListeners\\Command\\ListWebhooks' => $baseDir . '/../lib/Command/ListWebhooks.php',
     'OCA\\WebhookListeners\\Controller\\WebhooksController' => $baseDir . '/../lib/Controller/WebhooksController.php',
     'OCA\\WebhookListeners\\Db\\AuthMethod' => $baseDir . '/../lib/Db/AuthMethod.php',
+    'OCA\\WebhookListeners\\Db\\TemporaryToken' => $baseDir . '/../lib/Db/TemporaryToken.php',
+    'OCA\\WebhookListeners\\Db\\TemporaryTokenMapper' => $baseDir . '/../lib/Db/TemporaryTokenMapper.php',
     'OCA\\WebhookListeners\\Db\\WebhookListener' => $baseDir . '/../lib/Db/WebhookListener.php',
     'OCA\\WebhookListeners\\Db\\WebhookListenerMapper' => $baseDir . '/../lib/Db/WebhookListenerMapper.php',
     'OCA\\WebhookListeners\\Listener\\WebhooksEventListener' => $baseDir . '/../lib/Listener/WebhooksEventListener.php',

apps/webhook_listeners/composer/composer/autoload_static.php

@@ -24,9 +24,12 @@ class ComposerStaticInitWebhookListeners
         'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
         'OCA\\WebhookListeners\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
         'OCA\\WebhookListeners\\BackgroundJobs\\WebhookCall' => __DIR__ . '/..' . '/../lib/BackgroundJobs/WebhookCall.php',
+        'OCA\\WebhookListeners\\BackgroundJobs\\WebhookTokenCleanup' => __DIR__ . '/..' . '/../lib/BackgroundJobs/WebhookTokenCleanup.php',
         'OCA\\WebhookListeners\\Command\\ListWebhooks' => __DIR__ . '/..' . '/../lib/Command/ListWebhooks.php',
         'OCA\\WebhookListeners\\Controller\\WebhooksController' => __DIR__ . '/..' . '/../lib/Controller/WebhooksController.php',
         'OCA\\WebhookListeners\\Db\\AuthMethod' => __DIR__ . '/..' . '/../lib/Db/AuthMethod.php',
+        'OCA\\WebhookListeners\\Db\\TemporaryToken' => __DIR__ . '/..' . '/../lib/Db/TemporaryToken.php',
+        'OCA\\WebhookListeners\\Db\\TemporaryTokenMapper' => __DIR__ . '/..' . '/../lib/Db/TemporaryTokenMapper.php',
         'OCA\\WebhookListeners\\Db\\WebhookListener' => __DIR__ . '/..' . '/../lib/Db/WebhookListener.php',
         'OCA\\WebhookListeners\\Db\\WebhookListenerMapper' => __DIR__ . '/..' . '/../lib/Db/WebhookListenerMapper.php',
         'OCA\\WebhookListeners\\Listener\\WebhooksEventListener' => __DIR__ . '/..' . '/../lib/Listener/WebhooksEventListener.php',

apps/webhook_listeners/lib/BackgroundJobs/WebhookCall.php

@@ -47,7 +47,6 @@ protected function run($argument): void {
 
 		// adding temporary auth tokens to the call
 		$data['tokens'] = $this->tokenService->getTokens($webhookListener, $data['user']['uid']);
-		error_log(json_encode($data['tokens']));
 		$options = [
 			'verify' => $this->certificateManager->getAbsoluteBundlePath(),
 			'headers' => $webhookListener->getHeaders() ?? [],

apps/webhook_listeners/lib/BackgroundJobs/WebhookTokenCleanup.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\WebhookListeners\BackgroundJobs;
+
+use OCA\WebhookListeners\Db\TemporaryTokenMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\BackgroundJob\TimedJob;
+
+class WebhookTokenCleanup extends TimedJob {
+
+	public function __construct(
+		private TemporaryTokenMapper $tokenMapper,
+		ITimeFactory $timeFactory,
+	) {
+		parent::__construct($timeFactory);
+		// every 5 min
+		$this->setInterval(1 * 5 * 60);
+	}
+
+	/**
+	 * @param array $argument
+	 */
+	protected function run($argument): void {
+
+		$this->tokenMapper->invalidateOldTokens();
+
+
+	}
+
+
+}

apps/webhook_listeners/lib/Db/TemporaryToken.php

@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\WebhookListeners\Db;
+
+use OCP\AppFramework\Db\Entity;
+
+/**
+ * @method int getTokenId()
+ * @method string getToken()
+ * @method ?string getUserId()
+ * @method int getCreationDatetime()
+ * @psalm-suppress PropertyNotSetInConstructor
+ */
+class TemporaryToken extends Entity implements \JsonSerializable {
+	/**
+	 * @var int id of the token that was created for a webhook
+	 */
+	protected $tokenId;
+
+	/**
+	 * @var string the token
+	 */
+	protected $token;
+
+	/**
+	 * @var ?string id of the user wich the token belongs to
+	 * @psalm-suppress PropertyNotSetInConstructor
+	 */
+	protected $userId = null;
+
+	/**
+	 * @var int
+	 * @psalm-suppress PropertyNotSetInConstructor
+	 */
+	protected $creationDatetime;
+
+
+
+
+	public function __construct() {
+		$this->addType('tokenId', 'integer');
+		$this->addType('token', 'string');
+		$this->addType('userId', 'string');
+		$this->addType('creationDatetime', 'integer');
+	}
+
+	public function jsonSerialize(): array {
+		$fields = array_keys($this->getFieldTypes());
+		return array_combine(
+			$fields,
+			array_map(
+				fn ($field) => $this->getter($field),
+				$fields
+			)
+		);
+	}
+
+}

apps/webhook_listeners/lib/Db/TemporaryTokenMapper.php

@@ -0,0 +1,122 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\WebhookListeners\Db;
+
+use OC\Authentication\Token\PublicKeyTokenMapper;
+use OCP\AppFramework\Db\DoesNotExistException;
+use OCP\AppFramework\Db\MultipleObjectsReturnedException;
+use OCP\AppFramework\Db\QBMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\DB\Exception;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDBConnection;
+use Psr\Log\LoggerInterface;
+
+/**
+ * @template-extends QBMapper<TemporaryToken>
+ */
+
+class TemporaryTokenMapper extends QBMapper {
+	public const TABLE_NAME = 'webhook_tokens';
+	public const TOKEN_LIFETIME = 1 * 1 * 60; // one hour in seconds
+
+
+	public function __construct(
+		IDBConnection $db,
+		private LoggerInterface $logger,
+		private ITimeFactory $time,
+		private PublicKeyTokenMapper $tokenMapper,
+	) {
+		parent::__construct($db, self::TABLE_NAME, TemporaryToken::class);
+	}
+
+	/**
+	 * @throws DoesNotExistException
+	 * @throws MultipleObjectsReturnedException
+	 * @throws Exception
+	 */
+	public function getById(int $id): TemporaryToken {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName())
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)));
+
+		return $this->findEntity($qb);
+	}
+
+	/**
+	 * @throws Exception
+	 * @return WebhookListener[]
+	 */
+	public function getAll(): array {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName());
+
+		return $this->findEntities($qb);
+	}
+
+	public function getOlderThan($olderThan): array {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName())
+			->where($qb->expr()->lt('creation_datetime', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)));
+
+		return $this->findEntities($qb);
+	}
+
+
+	/**
+	 * @throws Exception
+	 */
+	public function addTemporaryToken(
+		int $tokenId,
+		string $token,
+		?string $userId,
+		int $creationDatetime,
+	): TemporaryToken {
+		$tempToken = TemporaryToken::fromParams(
+			[
+				'tokenId' => $tokenId,
+				'token' => $token,
+				'userId' => $userId,
+				'creationDatetime' => $creationDatetime,
+			]
+		);
+		return $this->insert($tempToken);
+	}
+
+	/**
+	 * @throws Exception
+	 */
+	public function deleteByTokenId(int $tokenId): bool {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->delete($this->getTableName())
+			->where($qb->expr()->eq('token_id', $qb->createNamedParameter($tokenId, IQueryBuilder::PARAM_INT)));
+
+		return $qb->executeStatement() > 0;
+	}
+
+	public function invalidateOldTokens(int $token_lifetime = self::TOKEN_LIFETIME) {
+		$olderThan = $this->time->getTime() - $token_lifetime;
+		$tokensToDelete = $this->getOlderThan($olderThan);
+
+		$this->logger->debug('Invalidating temporary webhook tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+		foreach ($tokensToDelete as $token) {
+			$this->tokenMapper->invalidate($token->getToken()); // delete token itself
+			$this->deleteByTokenId($token->getTokenId()); // delete db row in webhook_temporary_tokens
+		}
+
+	}
+}

apps/webhook_listeners/lib/Migration/Version1500Date20251007130000.php

@@ -10,6 +10,7 @@
 namespace OCA\WebhookListeners\Migration;
 
 use Closure;
+use OCA\WebhookListeners\Db\TemporaryTokenMapper;
 use OCA\WebhookListeners\Db\WebhookListenerMapper;
 use OCP\DB\ISchemaWrapper;
 use OCP\DB\Types;
@@ -34,9 +35,38 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 					'notnull' => false,
 				]);
 			}
+		}
+
+		if (!$schema->hasTable(TemporaryTokenMapper::TABLE_NAME)) {
+			$table = $schema->createTable(TemporaryTokenMapper::TABLE_NAME);
+			$table->addColumn('id', 'integer', [
+				'autoincrement' => true,
+				'notnull' => true,
+			]);
+
+			$table->addColumn('token_id', 'integer', [
+				'notnull' => true,
+				'length' => 4,
+				'unsigned' => true,
+			]);
+			$table->addColumn('token', 'string', [
+				'notnull' => false,
+				'length' => 200,
+			]);
+			$table->addColumn('user_id', 'string', [
+				'notnull' => false,
+				'length' => 64,
+			]);
+			$table->addColumn('creation_datetime', 'integer', [
+				'notnull' => true,
+				'length' => 4,
+				'unsigned' => true,
+			]);
+
+			$table->setPrimaryKey(['id']);
 
-			return $schema;
 		}
-		return null;
+		return $schema;
+
 	}
 }

apps/webhook_listeners/lib/Service/TokenService.php

@@ -8,14 +8,18 @@
 namespace OCA\WebhookListeners\Service;
 
 use OC\Authentication\Token\IProvider;
+use OCA\WebhookListeners\Db\TemporaryTokenMapper;
 use OCA\WebhookListeners\Db\WebhookListener;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\Token\IToken;
 use OCP\Security\ISecureRandom;
 
 class TokenService {
 	public function __construct(
 		private IProvider $tokenProvider,
 		private ISecureRandom $random,
+		private TemporaryTokenMapper $tokenMapper,
+		private ITimeFactory $time,
 	) {
 	}
 
@@ -42,7 +46,6 @@ public function getTokens(WebhookListener $webhookListener, ?string $triggerUser
 			}
 		}
 		if (isset($tokenNeeded['users'])) {
-			error_log(json_encode($tokenNeeded));
 			foreach ($tokenNeeded['functions'] as $function) {
 				switch ($function) {
 					case 'owner':
@@ -77,6 +80,7 @@ private function createTemporaryToken(string $userId): string {
 		$name = 'Ephemeral webhook authentication';
 		$password = null;
 		$deviceToken = $this->tokenProvider->generateToken($token, $userId, $userId, $password, $name, IToken::PERMANENT_TOKEN);
+		$this->tokenMapper->addTemporaryToken($deviceToken->getId(), $deviceToken->getToken(), $userId, $this->time->getTime());
 		return $token;
 	}