Skip to content

Commit

Permalink
Merge pull request #42880 from nextcloud/backport/42607/stable26
Browse files Browse the repository at this point in the history
[stable26] fix(session): Avoid useless authtoken DB queries for anonymous requests
  • Loading branch information
blizzz authored Jan 17, 2024
2 parents b1ef967 + d29b239 commit fd421cf
Show file tree
Hide file tree
Showing 2 changed files with 55 additions and 2 deletions.
7 changes: 5 additions & 2 deletions lib/private/User/Session.php
Original file line number Diff line number Diff line change
Expand Up @@ -840,13 +840,16 @@ public function tryTokenLogin(IRequest $request) {
$authHeader = $request->getHeader('Authorization');
if (strpos($authHeader, 'Bearer ') === 0) {
$token = substr($authHeader, 7);
} else {
// No auth header, let's try session id
} elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
// No auth header, let's try session id, but only if this is an existing
// session and the request has a session cookie
try {
$token = $this->session->getId();
} catch (SessionNotAvailableException $ex) {
return false;
}
} else {
return false;
}

if (!$this->loginWithToken($token)) {
Expand Down
50 changes: 50 additions & 0 deletions tests/lib/User/SessionTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -483,6 +483,56 @@ public function testLogClientInNoTokenPasswordNo2fa() {
$userSession->logClientIn('john', 'doe', $request, $this->throttler);
}

public function testTryTokenLoginNoHeaderNoSessionCookie(): void {
$request = $this->createMock(IRequest::class);
$this->config->expects(self::once())
->method('getSystemValueString')
->with('instanceid')
->willReturn('abc123');
$request->method('getHeader')->with('Authorization')->willReturn('');
$request->method('getCookie')->with('abc123')->willReturn(null);
$this->tokenProvider->expects(self::never())
->method('getToken');

$loginResult = $this->userSession->tryTokenLogin($request);

self::assertFalse($loginResult);
}

public function testTryTokenLoginAuthorizationHeaderTokenNotFound(): void {
$request = $this->createMock(IRequest::class);
$request->method('getHeader')->with('Authorization')->willReturn('Bearer abcde-12345');
$this->tokenProvider->expects(self::once())
->method('getToken')
->with('abcde-12345')
->willThrowException(new InvalidTokenException());

$loginResult = $this->userSession->tryTokenLogin($request);

self::assertFalse($loginResult);
}

public function testTryTokenLoginSessionIdTokenNotFound(): void {
$request = $this->createMock(IRequest::class);
$this->config->expects(self::once())
->method('getSystemValueString')
->with('instanceid')
->willReturn('abc123');
$request->method('getHeader')->with('Authorization')->willReturn('');
$request->method('getCookie')->with('abc123')->willReturn('abcde12345');
$this->session->expects(self::once())
->method('getId')
->willReturn('abcde12345');
$this->tokenProvider->expects(self::once())
->method('getToken')
->with('abcde12345')
->willThrowException(new InvalidTokenException());

$loginResult = $this->userSession->tryTokenLogin($request);

self::assertFalse($loginResult);
}

public function testRememberLoginValidToken() {
$session = $this->getMockBuilder(Memory::class)->setConstructorArgs([''])->getMock();
$managerMethods = get_class_methods(Manager::class);
Expand Down

0 comments on commit fd421cf

Please sign in to comment.