feat(auth): Clean-up unused auth tokens and wipe tokens

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2 weeks ago · f15263ae89
parent 880f33ec2d
commit f15263ae89
3 changed files with 31 additions and 14 deletions
--- a/lib/private/Authentication/Token/PublicKeyTokenMapper.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenMapper.php
@ -55,17 +55,20 @@ class PublicKeyTokenMapper extends QBMapper {

 	/**
 	 * @param int $olderThan
-	 * @param int $remember
+	 * @param int $type
+	 * @param int|null $remember
 	 */
-	public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
+	public function invalidateOld(int $olderThan, int $type = IToken::TEMPORARY_TOKEN, int $remember = null) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$qb->delete($this->tableName)
+		$delete = $qb->delete($this->tableName)
 			->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
+			->andWhere($qb->expr()->eq('type', $qb->createNamedParameter($type, IQueryBuilder::PARAM_INT)))
+			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
+		if ($remember !== null) {
+			$delete->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)));
+		}
+		$delete->executeStatement();
 	}

 	public function invalidateLastUsedBefore(string $uid, int $before): int {
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@ -294,10 +294,19 @@ class PublicKeyTokenProvider implements IProvider {
 	public function invalidateOldTokens() {
 		$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
 		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, OCPIToken::DO_NOT_REMEMBER);
+		$this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER);
+
 		$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
 		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, OCPIToken::REMEMBER);
+		$this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER);
+
+		$wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60);
+		$this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']);
+		$this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN);
+
+		$authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365);
+		$this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']);
+		$this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN);
 	}

 	public function invalidateLastUsedBefore(string $uid, int $before): void {
--- a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
+++ b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
@ -347,20 +347,25 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$this->tokenProvider->invalidateTokenById('uid', $id);
 	}

-	public function testInvalidateOldTokens() {
+	public function testInvalidateOldTokens(): void {
 		$defaultSessionLifetime = 60 * 60 * 24;
 		$defaultRememberMeLifetime = 60 * 60 * 24 * 15;
-		$this->config->expects($this->exactly(2))
+		$wipeTokenLifetime = 60 * 60 * 24 * 60;
+		$this->config->expects($this->exactly(4))
 			->method('getSystemValueInt')
 			->willReturnMap([
 				['session_lifetime', $defaultSessionLifetime, 150],
 				['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300],
+				['token_auth_wipe_token_retention', $wipeTokenLifetime, 500],
+				['token_auth_token_retention', 60 * 60 * 24 * 365, 800],
 			]);
-		$this->mapper->expects($this->exactly(2))
+		$this->mapper->expects($this->exactly(4))
 			->method('invalidateOld')
 			->withConsecutive(
-				[$this->time - 150],
-				[$this->time - 300]
+				[$this->time - 150, IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER],
+				[$this->time - 300, IToken::TEMPORARY_TOKEN, IToken::REMEMBER],
+				[$this->time - 500, IToken::TEMPORARY_TOKEN, null],
+				[$this->time - 800, IToken::TEMPORARY_TOKEN, null],
 			);

 		$this->tokenProvider->invalidateOldTokens();