averello/nextcloud-server-mirror
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-03-04 18:28:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat(EphemeralSessions): Introduce lax period

Browse Source 
Signed-off-by: Louis Chmn <louis@chmn.me>
This commit is contained in:
Louis Chmn
2025-11-05 10:23:29 +01:00
parent aeb887af8d
commit e3d972764e
2 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php
View File

@@ -13,6 +13,7 @@ use OC\Core\Controller\TwoFactorChallengeController;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Authentication\TwoFactorAuth\ALoginSetupController;
use OCP\ISession;
use OCP\IUserSession;
@@ -21,18 +22,31 @@ use ReflectionMethod;
// Will close the session if the user session is ephemeral.
// Happens when the user logs in via the login flow v2.
class FlowV2EphemeralSessionsMiddleware extends Middleware {
private const EPHEMERAL_SESSION_TTL = 5 * 60; // 5 minutes
public function __construct(
private ISession $session,
private IUserSession $userSession,
private ControllerMethodReflector $reflector,
private ITimeFactory $timeFactory,
) {
}
public function beforeController(Controller $controller, string $methodName) {
if (!$this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME)) {
$sessionCreationTime = $this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME);
// Not an ephemeral session.
if ($sessionCreationTime === null) {
return;
}
// Lax enforcement until TTL is reached.
if ($this->timeFactory->getTime() < $sessionCreationTime + self::EPHEMERAL_SESSION_TTL) {
return;
}
// Allow certain controllers/methods to proceed without logging out.
if (
$controller instanceof ClientFlowLoginV2Controller &&
($methodName === 'grantPage' || $methodName === 'generateAppPassword')

4
lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php
View File

@@ -9,6 +9,7 @@ declare(strict_types=1);
namespace OC\Authentication\Login;
use OC\Core\Controller\ClientFlowLoginV2Controller;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ISession;
use OCP\IURLGenerator;
@@ -16,13 +17,14 @@ class FlowV2EphemeralSessionsCommand extends ALoginCommand {
public function __construct(
private ISession $session,
private IURLGenerator $urlGenerator,
private ITimeFactory $timeFactory,
) {
}
public function process(LoginData $loginData): LoginResult {
$loginV2GrantRoute = $this->urlGenerator->linkToRoute('core.ClientFlowLoginV2.grantPage');
if (str_starts_with($loginData->getRedirectUrl() ?? '', $loginV2GrantRoute)) {
$this->session->set(ClientFlowLoginV2Controller::EPHEMERAL_NAME, true);
$this->session->set(ClientFlowLoginV2Controller::EPHEMERAL_NAME, $this->timeFactory->getTime());
}
return $this->processNextOrFinishSuccessfully($loginData);