Error out early on an expired token

Fixes nextcloud#12131 If we hit an expired token there is no need to continue checking. Since we know it is a token. We also should not register this with the bruteforce throttler as it is actually a valid token. Just expired. Instead the authentication should fail. And buisness continues as usual. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Dagefoerde · Oct 31, 2018 · 9a007f6 · 9a007f6
1 parent dc5e0c8
commit 9a007f6
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -38,6 +38,7 @@
 namespace OC\User;
 
 use OC;
+use OC\Authentication\Exceptions\ExpiredTokenException;
 use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
@@ -401,7 +402,13 @@ public function logClientIn($user,
 			$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
 		}
 
-		$isTokenPassword = $this->isTokenPassword($password);
+		try {
+			$isTokenPassword = $this->isTokenPassword($password);
+		} catch (ExpiredTokenException $e) {
+			// Just return on an expired token no need to check further or record a failed login
+			return false;
+		}
+
 		if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
 			throw new PasswordLoginForbiddenException();
 		}
@@ -474,11 +481,14 @@ protected function isTwoFactorEnforced($username) {
 	 *
 	 * @param string $password
 	 * @return boolean
+	 * @throws ExpiredTokenException
 	 */
 	public function isTokenPassword($password) {
 		try {
 			$this->tokenProvider->getToken($password);
 			return true;
+		} catch (ExpiredTokenException $e) {
+			throw $e;
 		} catch (InvalidTokenException $ex) {
 			return false;
 		}