@@ -662,6 +662,59 @@ public function testTryTokenLoginNotAnAppPassword(): void {
662662 self ::assertTrue ($ loginResult );
663663 }
664664
665+ public function testTryTokenLoginOcmAccessTokenRejectedFromBearerByDefault (): void {
666+ $ request = $ this ->createMock (IRequest::class);
667+ $ request ->method ('getHeader ' )->with ('Authorization ' )->willReturn ('Bearer ocm-access-token ' );
668+ $ dbToken = new PublicKeyToken ();
669+ $ dbToken ->setId (42 );
670+ $ dbToken ->setUid ('alice ' );
671+ $ dbToken ->setLoginName ('alice ' );
672+ $ dbToken ->setLastCheck (0 );
673+ $ dbToken ->setType (IToken::TEMPORARY_TOKEN );
674+ $ dbToken ->setName (IToken::OCM_ACCESS_TOKEN_NAME );
675+ $ this ->tokenProvider ->expects (self ::once ())
676+ ->method ('getToken ' )
677+ ->with ('ocm-access-token ' )
678+ ->willReturn ($ dbToken );
679+ // The guard must reject before any login is attempted.
680+ $ this ->manager ->expects (self ::never ())
681+ ->method ('get ' );
682+
683+ $ loginResult = $ this ->userSession ->tryTokenLogin ($ request );
684+
685+ self ::assertFalse ($ loginResult );
686+ }
687+
688+ public function testTryTokenLoginOcmAccessTokenAllowedFromBearerWhenPermitted (): void {
689+ $ request = $ this ->createMock (IRequest::class);
690+ $ request ->method ('getHeader ' )->with ('Authorization ' )->willReturn ('Bearer ocm-access-token ' );
691+ $ dbToken = new PublicKeyToken ();
692+ $ dbToken ->setId (42 );
693+ $ dbToken ->setUid ('alice ' );
694+ $ dbToken ->setLoginName ('alice ' );
695+ $ dbToken ->setLastCheck (0 );
696+ $ dbToken ->setType (IToken::TEMPORARY_TOKEN );
697+ $ dbToken ->setName (IToken::OCM_ACCESS_TOKEN_NAME );
698+ $ this ->tokenProvider ->method ('getToken ' )
699+ ->with ('ocm-access-token ' )
700+ ->willReturn ($ dbToken );
701+ $ this ->session ->method ('set ' )
702+ ->willReturnCallback (function ($ key , $ value ): void {
703+ if ($ key === 'app_password ' ) {
704+ throw new ExpectationFailedException ('app_password should not be set in session ' );
705+ }
706+ });
707+ $ user = $ this ->createMock (IUser::class);
708+ $ user ->method ('isEnabled ' )->willReturn (true );
709+ $ this ->manager ->method ('get ' )
710+ ->with ('alice ' )
711+ ->willReturn ($ user );
712+
713+ $ loginResult = $ this ->userSession ->tryTokenLogin ($ request , true );
714+
715+ self ::assertTrue ($ loginResult );
716+ }
717+
665718 public function testRememberLoginValidToken (): void {
666719 $ session = $ this ->createMock (Memory::class);
667720 $ managerMethods = get_class_methods (Manager::class);
0 commit comments