Error out early on an expired token

Fixes #12131 If we hit an expired token there is no need to continue checking. Since we know it is a token. We also should not register this with the bruteforce throttler as it is actually a valid token. Just expired. Instead the authentication should fail. And buisness continues as usual. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
nextcloud · Oct 30, 2018 · 8e8163c · 8e8163c
1 parent a4ce0fe
commit 8e8163c
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -38,6 +38,7 @@
 namespace OC\User;
 
 use OC;
+use OC\Authentication\Exceptions\ExpiredTokenException;
 use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
@@ -401,7 +402,13 @@ public function logClientIn($user,
  $this->manager->emit('\OC\User', 'preLogin', array($user, $password));
  }
 
- $isTokenPassword = $this->isTokenPassword($password);
+ try {
+ $isTokenPassword = $this->isTokenPassword($password);
+ } catch (ExpiredTokenException $e) {
+ // Just return on an expired token no need to check further or record a failed login
+ return false;
+ }
+
  if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
  throw new PasswordLoginForbiddenException();
  }
@@ -474,11 +481,14 @@ protected function isTwoFactorEnforced($username) {
  *
  * @param string $password
  * @return boolean
+ * @throws ExpiredTokenException
  */
  public function isTokenPassword($password) {
  try {
  $this->tokenProvider->getToken($password);
  return true;
+ } catch (ExpiredTokenException $e) {
+ throw $e;
  } catch (InvalidTokenException $ex) {
  return false;
  }