Page MenuHomePhorge
Differential D5074

Token validation when providing it as a password
ClosedPublic
Actions

Authored by mollekopf on Jan 2 2025, 12:00 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Feb 8, 12:54 AM
Unknown Object (File)
Sat, Feb 8, 12:54 AM
Unknown Object (File)
Sat, Feb 8, 12:54 AM
Unknown Object (File)
Sat, Feb 8, 12:54 AM
Unknown Object (File)
Sat, Feb 8, 12:54 AM
Unknown Object (File)
Sat, Feb 8, 12:54 AM
Unknown Object (File)
Sat, Feb 8, 12:54 AM
Unknown Object (File)
Fri, Feb 7, 11:50 PM
View All 44 Files
Subscribers
machniak

Details

Reviewers
machniak
Group Reviewers
Restricted Project
Commits
rK77ced2efb642: Token validation when providing it as a password
Summary

We rely on this because the roundcube files plugin uses the auth/login
route to obtain a token using the password, which is a different token
in case of SSO.

Diff Detail

Repository
rK kolab
Branch
dev/mollekopf
Lint
Lint Skipped
Unit
No Test Coverage
Build Status
Buildable 52562
Build 18632: arc lint + arc unit

Event Timeline

mollekopf requested review of this revision.Jan 2 2025, 12:00 AM
mollekopf created this revision.
Harbormaster completed remote builds in B52550: Diff 14536.Jan 2 2025, 12:00 AM
mollekopf added a reviewer: Restricted Project.Jan 2 2025, 12:02 AM
machniak requested changes to this revision.Jan 2 2025, 8:56 AM
machniak subscribed.

Placing this in User::validateCredentials() maybe is not a bad idea, but it creates some redundancy. See NGINXController::authorizeRequest() - AuthUtils::tokenValidate() now will be called twice. Also, test this new case in Unit/UserTest::testPasswordValidation().

This revision now requires changes to proceed.Jan 2 2025, 8:56 AM
mollekopf updated this revision to Diff 14546.Jan 6 2025, 9:34 AM

Addressed comments

Harbormaster completed remote builds in B52562: Diff 14546.Jan 6 2025, 9:35 AM
machniak requested changes to this revision.Jan 6 2025, 10:27 AM
machniak added inline comments.
src/tests/Unit/UserTest.php
69

It should be assertTrue(), right? A test for "valid token of another user" would be nice too.

This revision now requires changes to proceed.Jan 6 2025, 10:27 AM
mollekopf updated this revision to Diff 14548.Jan 6 2025, 11:10 AM

Now with an actual test

Harbormaster completed remote builds in B52564: Diff 14548.Jan 6 2025, 11:10 AM
mollekopf updated this revision to Diff 14550.Jan 6 2025, 11:11 AM

Comment style

Harbormaster completed remote builds in B52566: Diff 14550.Jan 6 2025, 11:11 AM
machniak requested changes to this revision.Jan 6 2025, 11:34 AM

After another look I think we might be doing something wrong here. A valid token should disable/skip 2FA use. Current User::findAndAuthenticate() will not skip 2FA if the password is a valid token.

This revision now requires changes to proceed.Jan 6 2025, 11:34 AM
mollekopf updated this revision to Diff 14552.Jan 6 2025, 12:24 PM

Moved the token validation to findAndAuthenticate, so we can skip mfa when a token has been validated.

Harbormaster completed remote builds in B52568: Diff 14552.Jan 6 2025, 12:24 PM
machniak accepted this revision.Jan 6 2025, 12:35 PM
This revision is now accepted and ready to land.Jan 6 2025, 12:35 PM
Closed by commit rK77ced2efb642: Token validation when providing it as a password (authored by mollekopf). · Explain WhyJan 6 2025, 12:42 PM
This revision was automatically updated to reflect the committed changes.
mollekopf added a commit: rK77ced2efb642: Token validation when providing it as a password.

Revision Contents
Changeset List

PathSize
src/
app/
Http/
Controllers/
API/
V4/
9 lines
8 lines
tests/
Unit/
6 lines

Diff 14546

View Options

src/app/Http/Controllers/API/V4/NGINXController.php

Loading...
View Options

src/app/User.php

Loading...
View Options

src/tests/Unit/UserTest.php

Loading...