[Bug]: Two useless authtoken database queries for every anonymous request

[ChristophWurst]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Reading query logs I noticed

 primary SELECT * FROM `oc_appconfig`
 replica SELECT * FROM `oc_authtoken` WHERE (`token` = :dcValue1) AND (`version` = :dcValue2)
 replica SELECT * FROM `oc_authtoken` WHERE (`token` = :dcValue1) AND (`version` = :dcValue2)

for every anonymous request.

The problem is that \OC\User\Session::tryTokenLogin tries to find a token for the current PHP session. \OC\Authentication\Token\PublicKeyTokenProvider::getToken does up to two lookups when the instance has an instance secret set. There will never be a hit. The only exception would be a hash collision of the new session ID and a previous one.

The solution would be to check if the request had sent a cookie with the instance id as name. Those are used for the PHP session. If there is no cookie, this is a new session, and there won't be a token.

Steps to reproduce

1. curl https://localhost/login

Expected behavior

 primary SELECT * FROM `oc_appconfig`

Installation method

None

Nextcloud Server version

26

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

[solracsf]

Could this fix it?

server/lib/private/User/Session.php

Lines 861 to 866 in 7502c19

	try {
	$dbToken = $this->tokenProvider->getToken($token);
	} catch (InvalidTokenException $e) {
	// Can't really happen but better save than sorry
	return true;
	}

// Check if the request had sent a cookie with the instance id as name
// If there is no cookie, this is a new session

$instanceId = \OC::$server->getConfig()->getSystemValueString('instanceid');
if (!is_null($request->getCookie($instanceId))) {
	try {
		$dbToken = $this->tokenProvider->getToken($token);
	} catch (InvalidTokenException $e) {
		// Can't really happen but better save than sorry
		return true;
	}
}

[ChristophWurst]

Yes, something like that should do the trick

[solracsf]

Should i PR it? :)

[ChristophWurst]

Yes please :)

Two suggestions:

1. You have access to IConfig in Session. Use it instead of the service locator.
2. Don't wrap the try-catch with an if but exit early with false.