Fix passwordless app token generation

[julien-nc]

Even with #29122, we still face the app token invalidation issue after 5 minutes.

An app token generated in AppPasswordController with an empty string as the password parameter has a non empty password. It can be observed there

server/lib/private/Authentication/Token/PublicKeyTokenProvider.php

Line 239 in da1b97d

if ($savedToken->getPassword() === null) {

when using the token like that for example:
curl -H "Authorization: Bearer APP_TOKEN_GENERATED_USING_OIDC_TOKEN_TO_AUTHENTICATE" "https://what.e.ver/ocs/v1.php/cloud/users/number6" -H "OCS-APIRequest: true"

I don't know if this is a proper way to fix this but setting a null password when generating an app token seems a safe way to make it passwordless and fixes the invalidation issue.

[ChristophWurst]

This indeed seems to rather fix the symptoms than the causes. As I understand the problem is that the password is set to an empty string when no password is available for OIDC. The real solution is to set the password to null for those sessions. Do you know where we create those tokens?

[juliusknorr]

For that it would be

server/lib/private/legacy/OC_User.php

Line 181 in 57a816a

$userSession->createSessionToken($request, $uid, $uid);

which is a bit odd there as it creates the session token with null, but maybe through the login hook/event below the token gets updated or a new sessino token gets created.

[julien-nc]

The real solution is to set the password to null for those sessions.

Very true 😁.

which is a bit odd there as it creates the session token with null, but maybe through the login hook/event below the token gets updated or a new sessino token gets created.

Same conclusion for me. Correctly setting the password to null in OC_Hook::emit() fixes the issue.

But the password can't be set to null in the UserLoggedInEvent constructor because of the type constraints. I pushed a second commit here allowing a null password in the event. It might break something further. It seems to work fine considering how the credentials manager stores and retrieve the credentials.

[ChristophWurst]

It might break something further. It seems to work fine considering how the credentials manager stores and retrieve the credentials.

Let's document this at #27846. PhpStorm doesn't find any other usages but the credentials update listener. The non-nullable password was a mistake when the event was created. Passwords have always been optional.

[summersab]

I'm concerned with this fix. Do a quick search of the server source for string $password, and you will see over a dozen core libraries and functions that typecast the password argument as a string. Setting the password to null may lead to issues similar to the conversation I'm having here: #27929 (comment). I agree with Christoph that this may be a fix of the symptoms rather than the root cause.

That said, smarter minds than mine should probably chime in.