session.php 8.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316
  1. <?php
  2. /**
  3. * @author Arthur Schiwon <blizzz@owncloud.com>
  4. * @author Bernhard Posselt <dev@bernhard-posselt.com>
  5. * @author Joas Schilling <nickvergessen@owncloud.com>
  6. * @author Jörn Friedrich Dreyer <jfd@butonic.de>
  7. * @author Lukas Reschke <lukas@owncloud.com>
  8. * @author Morris Jobke <hey@morrisjobke.de>
  9. * @author Robin Appelman <icewind@owncloud.com>
  10. * @author Robin McCorkell <rmccorkell@karoshi.org.uk>
  11. * @author Thomas Müller <thomas.mueller@tmit.eu>
  12. * @author Vincent Petry <pvince81@owncloud.com>
  13. *
  14. * @copyright Copyright (c) 2015, ownCloud, Inc.
  15. * @license AGPL-3.0
  16. *
  17. * This code is free software: you can redistribute it and/or modify
  18. * it under the terms of the GNU Affero General Public License, version 3,
  19. * as published by the Free Software Foundation.
  20. *
  21. * This program is distributed in the hope that it will be useful,
  22. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  23. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  24. * GNU Affero General Public License for more details.
  25. *
  26. * You should have received a copy of the GNU Affero General Public License, version 3,
  27. * along with this program. If not, see <http://www.gnu.org/licenses/>
  28. *
  29. */
  30. namespace OC\User;
  31. use OC\Hooks\Emitter;
  32. use OCP\IUserSession;
  33. /**
  34. * Class Session
  35. *
  36. * Hooks available in scope \OC\User:
  37. * - preSetPassword(\OC\User\User $user, string $password, string $recoverPassword)
  38. * - postSetPassword(\OC\User\User $user, string $password, string $recoverPassword)
  39. * - preDelete(\OC\User\User $user)
  40. * - postDelete(\OC\User\User $user)
  41. * - preCreateUser(string $uid, string $password)
  42. * - postCreateUser(\OC\User\User $user)
  43. * - preLogin(string $user, string $password)
  44. * - postLogin(\OC\User\User $user, string $password)
  45. * - preRememberedLogin(string $uid)
  46. * - postRememberedLogin(\OC\User\User $user)
  47. * - logout()
  48. *
  49. * @package OC\User
  50. */
  51. class Session implements IUserSession, Emitter {
  52. /**
  53. * @var \OC\User\Manager $manager
  54. */
  55. private $manager;
  56. /**
  57. * @var \OC\Session\Session $session
  58. */
  59. private $session;
  60. /**
  61. * @var \OC\User\User $activeUser
  62. */
  63. protected $activeUser;
  64. /**
  65. * @param \OCP\IUserManager $manager
  66. * @param \OCP\ISession $session
  67. */
  68. public function __construct(\OCP\IUserManager $manager, \OCP\ISession $session) {
  69. $this->manager = $manager;
  70. $this->session = $session;
  71. }
  72. /**
  73. * @param string $scope
  74. * @param string $method
  75. * @param callable $callback
  76. */
  77. public function listen($scope, $method, callable $callback) {
  78. $this->manager->listen($scope, $method, $callback);
  79. }
  80. /**
  81. * @param string $scope optional
  82. * @param string $method optional
  83. * @param callable $callback optional
  84. */
  85. public function removeListener($scope = null, $method = null, callable $callback = null) {
  86. $this->manager->removeListener($scope, $method, $callback);
  87. }
  88. /**
  89. * get the manager object
  90. *
  91. * @return \OC\User\Manager
  92. */
  93. public function getManager() {
  94. return $this->manager;
  95. }
  96. /**
  97. * get the session object
  98. *
  99. * @return \OCP\ISession
  100. */
  101. public function getSession() {
  102. return $this->session;
  103. }
  104. /**
  105. * set the session object
  106. *
  107. * @param \OCP\ISession $session
  108. */
  109. public function setSession(\OCP\ISession $session) {
  110. if ($this->session instanceof \OCP\ISession) {
  111. $this->session->close();
  112. }
  113. $this->session = $session;
  114. $this->activeUser = null;
  115. }
  116. /**
  117. * set the currently active user
  118. *
  119. * @param \OC\User\User|null $user
  120. */
  121. public function setUser($user) {
  122. if (is_null($user)) {
  123. $this->session->remove('user_id');
  124. } else {
  125. $this->session->set('user_id', $user->getUID());
  126. }
  127. $this->activeUser = $user;
  128. }
  129. /**
  130. * get the current active user
  131. *
  132. * @return \OCP\IUser|null Current user, otherwise null
  133. */
  134. public function getUser() {
  135. // FIXME: This is a quick'n dirty work-around for the incognito mode as
  136. // described at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
  137. if (\OC_User::isIncognitoMode()) {
  138. return null;
  139. }
  140. if ($this->activeUser) {
  141. return $this->activeUser;
  142. } else {
  143. $uid = $this->session->get('user_id');
  144. if ($uid !== null) {
  145. $this->activeUser = $this->manager->get($uid);
  146. return $this->activeUser;
  147. } else {
  148. return null;
  149. }
  150. }
  151. }
  152. /**
  153. * Checks whether the user is logged in
  154. *
  155. * @return bool if logged in
  156. */
  157. public function isLoggedIn() {
  158. return $this->getUser() !== null;
  159. }
  160. /**
  161. * set the login name
  162. *
  163. * @param string|null $loginName for the logged in user
  164. */
  165. public function setLoginName($loginName) {
  166. if (is_null($loginName)) {
  167. $this->session->remove('loginname');
  168. } else {
  169. $this->session->set('loginname', $loginName);
  170. }
  171. }
  172. /**
  173. * get the login name of the current user
  174. *
  175. * @return string
  176. */
  177. public function getLoginName() {
  178. if ($this->activeUser) {
  179. return $this->session->get('loginname');
  180. } else {
  181. $uid = $this->session->get('user_id');
  182. if ($uid) {
  183. $this->activeUser = $this->manager->get($uid);
  184. return $this->session->get('loginname');
  185. } else {
  186. return null;
  187. }
  188. }
  189. }
  190. /**
  191. * try to login with the provided credentials
  192. *
  193. * @param string $uid
  194. * @param string $password
  195. * @return boolean|null
  196. * @throws LoginException
  197. */
  198. public function login($uid, $password) {
  199. $this->manager->emit('\OC\User', 'preLogin', array($uid, $password));
  200. $user = $this->manager->checkPassword($uid, $password);
  201. if ($user !== false) {
  202. if (!is_null($user)) {
  203. if ($user->isEnabled()) {
  204. $this->setUser($user);
  205. $this->setLoginName($uid);
  206. $this->manager->emit('\OC\User', 'postLogin', array($user, $password));
  207. if ($this->isLoggedIn()) {
  208. return true;
  209. } else {
  210. throw new LoginException('Login canceled by app');
  211. }
  212. } else {
  213. return false;
  214. }
  215. }
  216. } else {
  217. return false;
  218. }
  219. }
  220. /**
  221. * perform login using the magic cookie (remember login)
  222. *
  223. * @param string $uid the username
  224. * @param string $currentToken
  225. * @return bool
  226. */
  227. public function loginWithCookie($uid, $currentToken) {
  228. $this->manager->emit('\OC\User', 'preRememberedLogin', array($uid));
  229. $user = $this->manager->get($uid);
  230. if (is_null($user)) {
  231. // user does not exist
  232. return false;
  233. }
  234. // get stored tokens
  235. $tokens = \OC::$server->getConfig()->getUserKeys($uid, 'login_token');
  236. // test cookies token against stored tokens
  237. if (!in_array($currentToken, $tokens, true)) {
  238. return false;
  239. }
  240. // replace successfully used token with a new one
  241. \OC::$server->getConfig()->deleteUserValue($uid, 'login_token', $currentToken);
  242. $newToken = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(32);
  243. \OC::$server->getConfig()->setUserValue($uid, 'login_token', $newToken, time());
  244. $this->setMagicInCookie($user->getUID(), $newToken);
  245. //login
  246. $this->setUser($user);
  247. $this->manager->emit('\OC\User', 'postRememberedLogin', array($user));
  248. return true;
  249. }
  250. /**
  251. * logout the user from the session
  252. */
  253. public function logout() {
  254. $this->manager->emit('\OC\User', 'logout');
  255. $this->setUser(null);
  256. $this->setLoginName(null);
  257. $this->unsetMagicInCookie();
  258. $this->session->clear();
  259. }
  260. /**
  261. * Set cookie value to use in next page load
  262. *
  263. * @param string $username username to be set
  264. * @param string $token
  265. */
  266. public function setMagicInCookie($username, $token) {
  267. $secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https';
  268. $expires = time() + \OC_Config::getValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
  269. setcookie("oc_username", $username, $expires, \OC::$WEBROOT, '', $secureCookie, true);
  270. setcookie("oc_token", $token, $expires, \OC::$WEBROOT, '', $secureCookie, true);
  271. setcookie("oc_remember_login", "1", $expires, \OC::$WEBROOT, '', $secureCookie, true);
  272. }
  273. /**
  274. * Remove cookie for "remember username"
  275. */
  276. public function unsetMagicInCookie() {
  277. //TODO: DI for cookies and OC_Config
  278. $secureCookie = \OC_Config::getValue('forcessl', false);
  279. unset($_COOKIE["oc_username"]); //TODO: DI
  280. unset($_COOKIE["oc_token"]);
  281. unset($_COOKIE["oc_remember_login"]);
  282. setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT, '',$secureCookie, true);
  283. setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true);
  284. setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true);
  285. // old cookies might be stored under /webroot/ instead of /webroot
  286. // and Firefox doesn't like it!
  287. setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
  288. setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
  289. setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
  290. }
  291. }