From a4aded02083e213742fb8758a30a9b4ead94c082 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 4 Jan 2024 11:55:58 +0100 Subject: [PATCH 1/2] Inherit private Exception from OCP to fix class hierarchy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix regression of authentication workflow because class hierarchy changed when moving Exception to OCP Signed-off-by: Côme Chilliet --- lib/public/Authentication/Exceptions/ExpiredTokenException.php | 2 +- lib/public/Authentication/Exceptions/WipeTokenException.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/public/Authentication/Exceptions/ExpiredTokenException.php b/lib/public/Authentication/Exceptions/ExpiredTokenException.php index 5c1f4a30541ca..e0969fde74027 100644 --- a/lib/public/Authentication/Exceptions/ExpiredTokenException.php +++ b/lib/public/Authentication/Exceptions/ExpiredTokenException.php @@ -30,7 +30,7 @@ /** * @since 28.0.0 */ -class ExpiredTokenException extends InvalidTokenException { +class ExpiredTokenException extends \OC\Authentication\Exceptions\InvalidTokenException { /** * @since 28.0.0 */ diff --git a/lib/public/Authentication/Exceptions/WipeTokenException.php b/lib/public/Authentication/Exceptions/WipeTokenException.php index 81ea2dc57ad7d..2fb7b38d71061 100644 --- a/lib/public/Authentication/Exceptions/WipeTokenException.php +++ b/lib/public/Authentication/Exceptions/WipeTokenException.php @@ -30,7 +30,7 @@ /** * @since 28.0.0 */ -class WipeTokenException extends InvalidTokenException { +class WipeTokenException extends \OC\Authentication\Exceptions\InvalidTokenException { /** * @since 28.0.0 */ From d99a104c48ec9c68a0232bfeeae207f35cf4e029 Mon Sep 17 00:00:00 2001 
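Review bot: The class docblocks on `ExpiredTokenException` and `WipeTokenException` still carry only `@since 28.0.0`, so nothing explains why a public `OCP` exception now extends a class from the private `OC` namespace. Going by the commit message, this parent is what keeps existing `catch (\OC\Authentication\Exceptions\InvalidTokenException ...)` blocks in the authentication flow matching expired and wipe tokens, and a later cleanup could easily undo it. I would add a line such as `* Extends the private InvalidTokenException on purpose so catch blocks for both the OC and the OCP type match; do not change the parent.` to both docblocks. A small test asserting that each class is an `instanceof` both InvalidTokenException types would pin the hierarchy; this assumes the private class itself extends the OCP one, which is not visible in this patch.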
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 4 Jan 2024 12:20:14 +0100 Subject: [PATCH 2/2] Always catch OCP versions of authentication exceptions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit And always throw OC versions for BC Signed-off-by: Côme Chilliet --- apps/oauth2/lib/Controller/OauthApiController.php | 4 ++-- apps/oauth2/lib/Migration/SetTokenExpiration.php | 2 +- .../lib/Controller/AuthSettingsController.php | 12 +++++++----- .../lib/Settings/Personal/Security/Authtokens.php | 2 +- core/Controller/AppPasswordController.php | 2 +- core/Controller/ClientFlowLoginController.php | 5 +++-- core/Controller/ClientFlowLoginV2Controller.php | 5 +++-- core/Controller/WipeController.php | 2 +- core/Service/LoginFlowV2Service.php | 2 +- .../Authentication/LoginCredentials/Store.php | 2 +- lib/private/Authentication/Token/Manager.php | 13 +++++++------ lib/private/Authentication/Token/RemoteWipe.php | 4 ++-- .../Authentication/TwoFactorAuth/Manager.php | 2 +- lib/private/Session/Internal.php | 2 +- lib/private/User/Session.php | 4 ++-- 15 files changed, 34 insertions(+), 29 deletions(-) diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php index dfb952a0951c0..46b68b1d5859a 100644 --- a/apps/oauth2/lib/Controller/OauthApiController.php +++ b/apps/oauth2/lib/Controller/OauthApiController.php @@ -28,8 +28,6 @@ */ namespace OCA\OAuth2\Controller; -use OC\Authentication\Exceptions\ExpiredTokenException; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\IProvider as TokenProvider; use OCA\OAuth2\Db\AccessTokenMapper; use OCA\OAuth2\Db\ClientMapper; 
@@ -39,6 +37,8 @@ use OCP\AppFramework\Http; use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\Authentication\Exceptions\ExpiredTokenException; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\DB\Exception; use OCP\IRequest; use OCP\Security\Bruteforce\IThrottler; diff --git a/apps/oauth2/lib/Migration/SetTokenExpiration.php b/apps/oauth2/lib/Migration/SetTokenExpiration.php index 696d3b7f04afa..5a5c5ff478193 100644 --- a/apps/oauth2/lib/Migration/SetTokenExpiration.php +++ b/apps/oauth2/lib/Migration/SetTokenExpiration.php @@ -26,10 +26,10 @@ */ namespace OCA\OAuth2\Migration; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\IProvider as TokenProvider; use OCA\OAuth2\Db\AccessToken; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\IDBConnection; use OCP\Migration\IOutput; use OCP\Migration\IRepairStep; diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php index c0dc8cbac8517..cfff65820740d 100644 --- a/apps/settings/lib/Controller/AuthSettingsController.php +++ b/apps/settings/lib/Controller/AuthSettingsController.php @@ -32,10 +32,8 @@ namespace OCA\Settings\Controller; use BadMethodCallException; -use OC\Authentication\Exceptions\ExpiredTokenException; -use OC\Authentication\Exceptions\InvalidTokenException; +use OC\Authentication\Exceptions\InvalidTokenException as OcInvalidTokenException; use OC\Authentication\Exceptions\PasswordlessTokenException; -use OC\Authentication\Exceptions\WipeTokenException; use OC\Authentication\Token\INamedToken; use OC\Authentication\Token\IProvider; use OC\Authentication\Token\IToken; 
@@ -45,6 +43,9 @@ use OCP\AppFramework\Controller; use OCP\AppFramework\Http; use OCP\AppFramework\Http\JSONResponse; +use OCP\Authentication\Exceptions\ExpiredTokenException; +use OCP\Authentication\Exceptions\InvalidTokenException; +use OCP\Authentication\Exceptions\WipeTokenException; use OCP\IRequest; use OCP\ISession; use OCP\IUserSession; @@ -292,7 +293,8 @@ private function findTokenByIdAndUser(int $id): IToken { $token = $e->getToken(); } if ($token->getUID() !== $this->uid) { - throw new InvalidTokenException('This token does not belong to you!'); + /* We have to throw the OC version so both OC and OCP catches catch it */ + throw new OcInvalidTokenException('This token does not belong to you!'); } return $token; } @@ -305,7 +307,7 @@ private function findTokenByIdAndUser(int $id): IToken { * @param int $id * @return JSONResponse * @throws InvalidTokenException - * @throws \OC\Authentication\Exceptions\ExpiredTokenException + * @throws ExpiredTokenException */ public function wipe(int $id): JSONResponse { if ($this->checkAppToken()) { diff --git a/apps/settings/lib/Settings/Personal/Security/Authtokens.php b/apps/settings/lib/Settings/Personal/Security/Authtokens.php index e713344ce88ce..9a7405fb7a22a 100644 --- a/apps/settings/lib/Settings/Personal/Security/Authtokens.php +++ b/apps/settings/lib/Settings/Personal/Security/Authtokens.php @@ -25,12 +25,12 @@ */ namespace OCA\Settings\Settings\Personal\Security; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\INamedToken; use OC\Authentication\Token\IProvider as IAuthTokenProvider; use OC\Authentication\Token\IToken; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Services\IInitialState; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\ISession; use OCP\IUserSession; use OCP\Session\Exceptions\SessionNotAvailableException; 
diff --git a/core/Controller/AppPasswordController.php b/core/Controller/AppPasswordController.php index 205381e83c11d..a4b7791997ab8 100644 --- a/core/Controller/AppPasswordController.php +++ b/core/Controller/AppPasswordController.php @@ -29,13 +29,13 @@ namespace OC\Core\Controller; use OC\Authentication\Events\AppPasswordCreatedEvent; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\IProvider; use OC\Authentication\Token\IToken; use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCS\OCSForbiddenException; use OCP\Authentication\Exceptions\CredentialsUnavailableException; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Authentication\Exceptions\PasswordUnavailableException; use OCP\Authentication\LoginCredentials\IStore; use OCP\EventDispatcher\IEventDispatcher; diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php index 07a78ba368b47..57f57bbf88744 100644 --- a/core/Controller/ClientFlowLoginController.php +++ b/core/Controller/ClientFlowLoginController.php @@ -33,7 +33,7 @@ namespace OC\Core\Controller; use OC\Authentication\Events\AppPasswordCreatedEvent; -use OC\Authentication\Exceptions\InvalidTokenException; +use OC\Authentication\Exceptions\InvalidTokenException as OcInvalidTokenException; use OC\Authentication\Exceptions\PasswordlessTokenException; use OC\Authentication\Token\IProvider; use OC\Authentication\Token\IToken; @@ -47,6 +47,7 @@ use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\StandaloneTemplateResponse; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Defaults; use OCP\EventDispatcher\IEventDispatcher; use OCP\IL10N; 
@@ -331,7 +332,7 @@ public function apptokenRedirect(string $stateToken, string $user, string $passw try { $token = $this->tokenProvider->getToken($password); if ($token->getLoginName() !== $user) { - throw new InvalidTokenException('login name does not match'); + throw new OcInvalidTokenException('login name does not match'); } } catch (InvalidTokenException $e) { $response = new StandaloneTemplateResponse( diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php index 8aafabf9892cb..df52209627216 100644 --- a/core/Controller/ClientFlowLoginV2Controller.php +++ b/core/Controller/ClientFlowLoginV2Controller.php @@ -27,7 +27,7 @@ */ namespace OC\Core\Controller; -use OC\Authentication\Exceptions\InvalidTokenException; +use OC\Authentication\Exceptions\InvalidTokenException as OcInvalidTokenException; use OC\Core\Db\LoginFlowV2; use OC\Core\Exception\LoginFlowV2NotFoundException; use OC\Core\Service\LoginFlowV2Service; @@ -40,6 +40,7 @@ use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\StandaloneTemplateResponse; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Defaults; use OCP\IL10N; use OCP\IRequest; @@ -211,7 +212,7 @@ public function apptokenRedirect(?string $stateToken, string $user, string $pass try { $token = \OC::$server->get(\OC\Authentication\Token\IProvider::class)->getToken($password); if ($token->getLoginName() !== $user) { - throw new InvalidTokenException('login name does not match'); + throw new OcInvalidTokenException('login name does not match'); } } catch (InvalidTokenException $e) { $response = new StandaloneTemplateResponse( diff --git a/core/Controller/WipeController.php b/core/Controller/WipeController.php index 537fd7126f67e..c18b74e4b9618 100644 --- a/core/Controller/WipeController.php +++ b/core/Controller/WipeController.php 
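Review bot: In both `apptokenRedirect` hunks (ClientFlowLoginController and ClientFlowLoginV2Controller), `throw new OcInvalidTokenException('login name does not match')` is caught by a `catch (InvalidTokenException $e)` that now resolves to the OCP class, and nothing at the throw site says why two names for the exception are in play. The catch only matches if the private class extends the OCP one, which this patch does not show. If that relationship changed, a login-name mismatch would presumably escape this handler instead of producing the error response. AuthSettingsController carries the comment `/* We have to throw the OC version so both OC and OCP catches catch it */`, and I would repeat it above both throws here. Both method bodies start and end outside the hunks.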
@@ -26,11 +26,11 @@ */ namespace OC\Core\Controller; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\RemoteWipe; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; use OCP\AppFramework\Http\JSONResponse; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\IRequest; class WipeController extends Controller { diff --git a/core/Service/LoginFlowV2Service.php b/core/Service/LoginFlowV2Service.php index 7e254672ebdc6..e6a2d93b77da4 100644 --- a/core/Service/LoginFlowV2Service.php +++ b/core/Service/LoginFlowV2Service.php @@ -26,7 +26,6 @@ */ namespace OC\Core\Service; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Exceptions\PasswordlessTokenException; use OC\Authentication\Token\IProvider; use OC\Authentication\Token\IToken; @@ -37,6 +36,7 @@ use OC\Core\Exception\LoginFlowV2NotFoundException; use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\IConfig; use OCP\Security\ICrypto; use OCP\Security\ISecureRandom; diff --git a/lib/private/Authentication/LoginCredentials/Store.php b/lib/private/Authentication/LoginCredentials/Store.php index e1e2994644619..2e00ac211c1c9 100644 --- a/lib/private/Authentication/LoginCredentials/Store.php +++ b/lib/private/Authentication/LoginCredentials/Store.php @@ -26,10 +26,10 @@ */ namespace OC\Authentication\LoginCredentials; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Exceptions\PasswordlessTokenException; use OC\Authentication\Token\IProvider; use OCP\Authentication\Exceptions\CredentialsUnavailableException; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Authentication\LoginCredentials\ICredentials; use OCP\Authentication\LoginCredentials\IStore; use OCP\ISession; 
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php index 18ec687cac29a..9154092f25aee 100644 --- a/lib/private/Authentication/Token/Manager.php +++ b/lib/private/Authentication/Token/Manager.php @@ -28,10 +28,11 @@ namespace OC\Authentication\Token; use Doctrine\DBAL\Exception\UniqueConstraintViolationException; -use OC\Authentication\Exceptions\ExpiredTokenException; -use OC\Authentication\Exceptions\InvalidTokenException; -use OC\Authentication\Exceptions\PasswordlessTokenException; -use OC\Authentication\Exceptions\WipeTokenException; +use OC\Authentication\Exceptions\InvalidTokenException as OcInvalidTokenException; +use OCP\Authentication\Exceptions\ExpiredTokenException; +use OCP\Authentication\Exceptions\InvalidTokenException; +use OCP\Authentication\Exceptions\PasswordlessTokenException; +use OCP\Authentication\Exceptions\WipeTokenException; use OCP\Authentication\Token\IProvider as OCPIProvider; class Manager implements IProvider, OCPIProvider { @@ -221,7 +222,7 @@ public function rotate(IToken $token, string $oldTokenId, string $newTokenId): I return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId); } - throw new InvalidTokenException(); + throw new OcInvalidTokenException(); } /** @@ -233,7 +234,7 @@ private function getProvider(IToken $token): IProvider { if ($token instanceof PublicKeyToken) { return $this->publicKeyTokenProvider; } - throw new InvalidTokenException(); + throw new OcInvalidTokenException(); } diff --git a/lib/private/Authentication/Token/RemoteWipe.php b/lib/private/Authentication/Token/RemoteWipe.php index e4882f678d979..f5267764e24ca 100644 --- a/lib/private/Authentication/Token/RemoteWipe.php +++ b/lib/private/Authentication/Token/RemoteWipe.php 
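Review bot: The import hunk of `Token/Manager.php` switches `PasswordlessTokenException` to `OCP\Authentication\Exceptions\PasswordlessTokenException`, yet neither patch adds an OCP class of that name. Every other file here that uses it (AuthSettingsController, ClientFlowLoginController, LoginFlowV2Service, LoginCredentials/Store, User/Session) keeps `OC\Authentication\Exceptions\PasswordlessTokenException`. If the OCP class does not exist, PHP raises no error: a `catch` naming an undefined class simply never matches. Any handler in Manager for that exception (none is visible in these hunks) would then silently stop working. Unless the class exists elsewhere in the tree, keep `use OC\Authentication\Exceptions\PasswordlessTokenException;` here. The two `throw new OcInvalidTokenException();` hunks further down in the same file would also benefit from the explanatory comment used in AuthSettingsController.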
@@ -29,8 +29,8 @@ use OC\Authentication\Events\RemoteWipeFinished; use OC\Authentication\Events\RemoteWipeStarted; -use OC\Authentication\Exceptions\InvalidTokenException; -use OC\Authentication\Exceptions\WipeTokenException; +use OCP\Authentication\Exceptions\InvalidTokenException; +use OCP\Authentication\Exceptions\WipeTokenException; use OCP\EventDispatcher\IEventDispatcher; use OCP\IUser; use Psr\Log\LoggerInterface; diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php index 4defcb9a58502..3870c797f8dcf 100644 --- a/lib/private/Authentication/TwoFactorAuth/Manager.php +++ b/lib/private/Authentication/TwoFactorAuth/Manager.php @@ -29,10 +29,10 @@ use BadMethodCallException; use Exception; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\IProvider as TokenProvider; use OCP\Activity\IManager; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin; use OCP\Authentication\TwoFactorAuth\IProvider; use OCP\Authentication\TwoFactorAuth\IRegistry; diff --git a/lib/private/Session/Internal.php b/lib/private/Session/Internal.php index e8e2a4f2d8e43..5fb9b05c5f4f3 100644 --- a/lib/private/Session/Internal.php +++ b/lib/private/Session/Internal.php @@ -33,8 +33,8 @@ */ namespace OC\Session; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\IProvider; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\Session\Exceptions\SessionNotAvailableException; /** diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 5689de3995f76..02a7a7e9e16d7 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php 
@@ -39,8 +39,6 @@ namespace OC\User; use OC; -use OC\Authentication\Exceptions\ExpiredTokenException; -use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Exceptions\PasswordlessTokenException; use OC\Authentication\Exceptions\PasswordLoginForbiddenException; use OC\Authentication\Token\IProvider; @@ -51,6 +49,8 @@ use OC_Util; use OCA\DAV\Connector\Sabre\Auth; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\Authentication\Exceptions\ExpiredTokenException; +use OCP\Authentication\Exceptions\InvalidTokenException; use OCP\EventDispatcher\GenericEvent; use OCP\EventDispatcher\IEventDispatcher; use OCP\Files\NotPermittedException;