From a8695aef3c23a8cc0f3f48ee44c4db331b5019a5 Mon Sep 17 00:00:00 2001
From: Louis Chmn
Date: Wed, 5 Nov 2025 10:23:29 +0100
Subject: [PATCH] feat(EphemeralSessions): Introduce lax period
Signed-off-by: Louis Chmn
---
 .../FlowV2EphemeralSessionsMiddleware.php | 16 +++++++++++++++-
 .../Login/FlowV2EphemeralSessionsCommand.php | 4 +++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php b/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php
index 6c6e0fe2edb..115a8235983 100644
--- a/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php
+++ b/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMiddleware.php
@@ -13,6 +13,7 @@ use OC\Core\Controller\TwoFactorChallengeController;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Middleware;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\TwoFactorAuth\ALoginSetupController;
 use OCP\ISession;
 use OCP\IUserSession;
@@ -22,19 +23,32 @@ use ReflectionMethod;
 // Will close the session if the user session is ephemeral.
 // Happens when the user logs in via the login flow v2.
 class FlowV2EphemeralSessionsMiddleware extends Middleware {
+
+ private const EPHEMERAL_SESSION_TTL = 5 * 60; // 5 minutes
+
 public function __construct(
 private ISession $session,
 private IUserSession $userSession,
 private ControllerMethodReflector $reflector,
 private LoggerInterface $logger,
+ private ITimeFactory $timeFactory,
 ) {
 }
 public function beforeController(Controller $controller, string $methodName) {
- if (!$this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME)) {
+ $sessionCreationTime = $this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME);
+
+ // Not an ephemeral session.
+ if ($sessionCreationTime === null) {
+ return;
+ }
+
+ // Lax enforcement until TTL is reached.
+ if ($this->timeFactory->getTime() < $sessionCreationTime + self::EPHEMERAL_SESSION_TTL) {
 return;
 }
+ // Allow certain controllers/methods to proceed without logging out.
 if (
 $controller instanceof ClientFlowLoginV2Controller
 && ($methodName === 'grantPage' || $methodName === 'generateAppPassword')
diff --git a/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php b/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php
index 82dd829334d..362aab7933e 100644
--- a/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php
+++ b/lib/private/Authentication/Login/FlowV2EphemeralSessionsCommand.php
@@ -9,6 +9,7 @@ declare(strict_types=1);
 namespace OC\Authentication\Login;
 use OC\Core\Controller\ClientFlowLoginV2Controller;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\ISession;
 use OCP\IURLGenerator;
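Review bot: In `FlowV2EphemeralSessionsMiddleware::beforeController`, the lax-period comparison assumes the value stored under `EPHEMERAL_NAME` is an integer timestamp, but sessions created before this change hold `true` (the value removed in `FlowV2EphemeralSessionsCommand`). Those sessions are still enforced only because `true + self::EPHEMERAL_SESSION_TTL` coerces to 301; an explicit guard keeps the check fail-closed for any non-timestamp value: `if (is_int($sessionCreationTime) && $this->timeFactory->getTime() < $sessionCreationTime + self::EPHEMERAL_SESSION_TTL) {`. The early `return` also sits above the controller allowlist, so during the window the session is unrestricted on every route, presumably also after the app password has been issued; if that trade-off is intended it deserves a sentence in the class comment, which still says the session is closed whenever it is ephemeral. The rest of `beforeController` lies outside the hunk.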
@@ -16,13 +17,14 @@ class FlowV2EphemeralSessionsCommand extends ALoginCommand {
 public function __construct(
 private ISession $session,
 private IURLGenerator $urlGenerator,
+ private ITimeFactory $timeFactory,
 ) {
 }
 public function process(LoginData $loginData): LoginResult {
 $loginV2GrantRoute = $this->urlGenerator->linkToRoute('core.ClientFlowLoginV2.grantPage');
 if (str_starts_with($loginData->getRedirectUrl() ?? '', $loginV2GrantRoute)) {
- $this->session->set(ClientFlowLoginV2Controller::EPHEMERAL_NAME, true);
+ $this->session->set(ClientFlowLoginV2Controller::EPHEMERAL_NAME, $this->timeFactory->getTime());
 }
 return $this->processNextOrFinishSuccessfully($loginData);
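Review bot: The value written under `ClientFlowLoginV2Controller::EPHEMERAL_NAME` in `process()` changes from a boolean flag to a login timestamp with no comment saying so, although the middleware's lax-period arithmetic now depends on that type. A comment at the write site would make the contract visible, for example `// Login time (Unix seconds); FlowV2EphemeralSessionsMiddleware enforces the ephemeral logout once its TTL has elapsed.` Any other reader of this key that compares strictly against `true` would stop matching; none is visible in this patch, so a search for other uses of the constant is worth doing before merge. `process()` ends outside the hunk.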