feat(files_sharing): store and refresh OCM access tokens for external shares

Co-authored-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>

Author: enriquepablo

apps/files_sharing/composer/composer/autoload_classmap.php

@@ -88,6 +88,8 @@
     'OCA\\Files_Sharing\\Migration\\Version31000Date20240821142813' => $baseDir . '/../lib/Migration/Version31000Date20240821142813.php',
     'OCA\\Files_Sharing\\Migration\\Version32000Date20251017081948' => $baseDir . '/../lib/Migration/Version32000Date20251017081948.php',
     'OCA\\Files_Sharing\\Migration\\Version33000Date20251030081948' => $baseDir . '/../lib/Migration/Version33000Date20251030081948.php',
+    'OCA\\Files_Sharing\\Migration\\Version33000Date20260306120000' => $baseDir . '/../lib/Migration/Version33000Date20260306120000.php',
+    'OCA\\Files_Sharing\\Migration\\Version33000Date20260306150000' => $baseDir . '/../lib/Migration/Version33000Date20260306150000.php',
     'OCA\\Files_Sharing\\MountProvider' => $baseDir . '/../lib/MountProvider.php',
     'OCA\\Files_Sharing\\Notification\\Listener' => $baseDir . '/../lib/Notification/Listener.php',
     'OCA\\Files_Sharing\\Notification\\Notifier' => $baseDir . '/../lib/Notification/Notifier.php',

apps/files_sharing/composer/composer/autoload_static.php

@@ -103,6 +103,8 @@ class ComposerStaticInitFiles_Sharing
         'OCA\\Files_Sharing\\Migration\\Version31000Date20240821142813' => __DIR__ . '/..' . '/../lib/Migration/Version31000Date20240821142813.php',
         'OCA\\Files_Sharing\\Migration\\Version32000Date20251017081948' => __DIR__ . '/..' . '/../lib/Migration/Version32000Date20251017081948.php',
         'OCA\\Files_Sharing\\Migration\\Version33000Date20251030081948' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20251030081948.php',
+        'OCA\\Files_Sharing\\Migration\\Version33000Date20260306120000' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20260306120000.php',
+        'OCA\\Files_Sharing\\Migration\\Version33000Date20260306150000' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20260306150000.php',
         'OCA\\Files_Sharing\\MountProvider' => __DIR__ . '/..' . '/../lib/MountProvider.php',
         'OCA\\Files_Sharing\\Notification\\Listener' => __DIR__ . '/..' . '/../lib/Notification/Listener.php',
         'OCA\\Files_Sharing\\Notification\\Notifier' => __DIR__ . '/..' . '/../lib/Notification/Notifier.php',

apps/files_sharing/lib/Command/CleanupRemoteStorages.php

@@ -160,7 +160,7 @@ private function getRemoteStorages(): array {
 	 */
 	private function getRemoteShareIds(): array {
 		$queryBuilder = $this->connection->getQueryBuilder();
-		$queryBuilder->select(['id', 'share_token', 'owner', 'remote'])
+		$queryBuilder->select(['id', 'refresh_token', 'owner', 'remote'])
 			->from('share_external');
 		$result = $queryBuilder->executeQuery();
 
@@ -169,7 +169,7 @@ private function getRemoteShareIds(): array {
 		while ($row = $result->fetchAssociative()) {
 			$cloudId = $this->cloudIdManager->getCloudId($row['owner'], $row['remote']);
 			$remote = $cloudId->getRemote();
-			$remoteShareIds[$row['id']] = 'shared::' . md5($row['share_token'] . '@' . $remote);
+			$remoteShareIds[$row['id']] = 'shared::' . md5($row['refresh_token'] . '@' . $remote);
 		}
 		$result->closeCursor();
 

apps/files_sharing/lib/External/ExternalShare.php

@@ -26,10 +26,14 @@
  * @method void setRemote(string $remote)
  * @method string getRemoteId()
  * @method void setRemoteId(string $remoteId)
- * @method string getShareToken()
- * @method void setShareToken(string $shareToken)
+ * @method string getRefreshToken()
+ * @method void setRefreshToken(string $refreshToken)
  * @method string|null getPassword()
  * @method void setPassword(?string $password)
+ * @method string|null getAccessToken()
+ * @method void setAccessToken(?string $accessToken)
+ * @method int|null getAccessTokenExpires()
+ * @method void setAccessTokenExpires(?int $accessTokenExpires)
  * @method string getName()
  * @method string getOwner()
  * @method void setOwner(string $owner)
@@ -48,8 +52,10 @@ class ExternalShare extends SnowflakeAwareEntity implements \JsonSerializable {
 	protected ?int $shareType = null;
 	protected ?string $remote = null;
 	protected ?string $remoteId = null;
-	protected ?string $shareToken = null;
+	protected ?string $refreshToken = null;
 	protected ?string $password = null;
+	protected ?string $accessToken = null;
+	protected ?int $accessTokenExpires = null;
 	protected ?string $name = null;
 	protected ?string $owner = null;
 	protected ?string $user = null;
@@ -63,8 +69,10 @@ public function __construct() {
 		$this->addType('shareType', Types::INTEGER);
 		$this->addType('remote', Types::STRING);
 		$this->addType('remoteId', Types::STRING);
-		$this->addType('shareToken', Types::STRING);
+		$this->addType('refreshToken', Types::STRING);
 		$this->addType('password', Types::STRING);
+		$this->addType('accessToken', Types::STRING);
+		$this->addType('accessTokenExpires', Types::INTEGER);
 		$this->addType('name', Types::STRING);
 		$this->addType('owner', Types::STRING);
 		$this->addType('user', Types::STRING);
@@ -99,7 +107,7 @@ public function jsonSerialize(): array {
 			'share_type' => $this->getShareType() ?? IShare::TYPE_USER, // unfortunately nullable on the DB level, but never null.
 			'remote' => $this->getRemote(),
 			'remote_id' => $this->getRemoteId(),
-			'share_token' => $this->getShareToken(),
+			'refresh_token' => $this->getRefreshToken(),
 			'name' => $this->getName(),
 			'owner' => $this->getOwner(),
 			'user' => $this->getUser(),
@@ -126,7 +134,7 @@ public function clone(): self {
 		$newShare->setShareType($this->getShareType());
 		$newShare->setRemote($this->getRemote());
 		$newShare->setRemoteId($this->getRemoteId());
-		$newShare->setShareToken($this->getShareToken());
+		$newShare->setRefreshToken($this->getRefreshToken());
 		$newShare->setPassword($this->getPassword());
 		$newShare->setName($this->getName());
 		$newShare->setOwner($this->getOwner());

apps/files_sharing/lib/External/ExternalShareMapper.php

@@ -55,7 +55,7 @@ public function getShareByToken(string $token): ExternalShare {
 		$qb = $this->db->getQueryBuilder();
 		$qb->select('*')
 			->from(self::TABLE_NAME)
-			->where($qb->expr()->eq('share_token', $qb->createNamedParameter($token, IQueryBuilder::PARAM_STR)))
+			->where($qb->expr()->eq('refresh_token', $qb->createNamedParameter($token, IQueryBuilder::PARAM_STR)))
 			->setMaxResults(1);
 		return $this->findEntity($qb);
 	}
@@ -238,7 +238,7 @@ public function getShareByRemoteIdAndToken(string $id, mixed $token): ?ExternalS
 			->where(
 				$qb->expr()->andX(
 					$qb->expr()->eq('remote_id', $qb->createNamedParameter($id)),
-					$qb->expr()->eq('share_token', $qb->createNamedParameter($token))
+					$qb->expr()->eq('refresh_token', $qb->createNamedParameter($token))
 				)
 			);
 

apps/files_sharing/lib/External/Manager.php

@@ -111,8 +111,10 @@ public function addShare(ExternalShare $externalShare, IUser|IGroup|null $shareW
 
 		$options = [
 			'remote' => $externalShare->getRemote(),
-			'token' => $externalShare->getShareToken(),
+			'token' => $externalShare->getRefreshToken(),
 			'password' => $externalShare->getPassword(),
+			'access_token' => $externalShare->getAccessToken(),
+			'access_token_expires' => $externalShare->getAccessTokenExpires(),
 			'mountpoint' => $externalShare->getMountpoint(),
 			'owner' => $externalShare->getOwner(),
 			'verify' => !$this->config->getSystemValueBool('sharing.federation.allowSelfSignedCertificates'),
@@ -190,6 +192,7 @@ private function updateSubShare(ExternalShare $externalShare, IUser $user, ?stri
 				$subShare->generateId();
 				$subShare->setRemote($externalShare->getRemote());
 				$subShare->setPassword($externalShare->getPassword());
+				$subShare->setAccessToken($externalShare->getAccessToken());
 				$subShare->setName($externalShare->getName());
 				$subShare->setOwner($externalShare->getOwner());
 				$subShare->setUser($user->getUID());
@@ -198,7 +201,7 @@ private function updateSubShare(ExternalShare $externalShare, IUser $user, ?stri
 				$subShare->setRemoteId($externalShare->getRemoteId());
 				$subShare->setParent((string)$externalShare->getId());
 				$subShare->setShareType($externalShare->getShareType());
-				$subShare->setShareToken($externalShare->getShareToken());
+				$subShare->setRefreshToken($externalShare->getRefreshToken());
 				$this->externalShareMapper->insert($subShare);
 			}
 		}
@@ -337,7 +340,7 @@ private function sendFeedbackToRemote(ExternalShare $externalShare, string $feed
 		$endpoint = $federationEndpoints['share'] ?? '/ocs/v2.php/cloud/shares';
 
 		$url = rtrim($externalShare->getRemote(), '/') . $endpoint . '/' . $externalShare->getRemoteId() . '/' . $feedback . '?format=json';
-		$fields = ['token' => $externalShare->getShareToken()];
+		$fields = ['token' => $externalShare->getRefreshToken()];
 
 		$client = $this->clientService->newClient();
 
@@ -373,7 +376,7 @@ protected function tryOCMEndPoint(ExternalShare $externalShare, string $feedback
 					'file',
 					$externalShare->getRemoteId(),
 					[
-						'sharedSecret' => $externalShare->getShareToken(),
+						'sharedSecret' => $externalShare->getRefreshToken(),
 						'message' => 'Recipient accept the share'
 					]
 
@@ -386,7 +389,7 @@ protected function tryOCMEndPoint(ExternalShare $externalShare, string $feedback
 					'file',
 					$externalShare->getRemoteId(),
 					[
-						'sharedSecret' => $externalShare->getShareToken(),
+						'sharedSecret' => $externalShare->getRefreshToken(),
 						'message' => 'Recipient declined the share'
 					]
 				);
@@ -566,4 +569,24 @@ public function getAcceptedShares(): array {
 			return [];
 		}
 	}
+
+	/**
+	 * Update the access token for a share.
+	 *
+	 * @param string $refreshToken The refresh token to identify the share
+	 * @param string $accessToken The new access token to store
+	 */
+	public function updateAccessToken(string $refreshToken, string $accessToken, int $expiresAt): void {
+		try {
+			$share = $this->externalShareMapper->getShareByToken($refreshToken);
+			$share->setAccessToken($accessToken);
+			$share->setAccessTokenExpires($expiresAt);
+			$this->externalShareMapper->update($share);
+			$this->logger->debug('Updated access token for share', ['shareId' => $share->getId()]);
+		} catch (DoesNotExistException $e) {
+			$this->logger->warning('Could not find share to update access token', ['exception' => $e]);
+		} catch (Exception $e) {
+			$this->logger->error('Failed to update access token', ['exception' => $e]);
+		}
+	}
 }

apps/files_sharing/lib/External/MountProvider.php

@@ -60,15 +60,15 @@ private function getMount(IUser $user, array $data, IStorageFactory $storageFact
 	#[\Override]
 	public function getMountsForUser(IUser $user, IStorageFactory $loader): array {
 		$qb = $this->connection->getQueryBuilder();
-		$qb->select('id', 'remote', 'share_token', 'password', 'mountpoint', 'owner')
+		$qb->select('id', 'remote', 'refresh_token', 'password', 'access_token', 'access_token_expires', 'mountpoint', 'owner')
 			->from('share_external')
 			->where($qb->expr()->eq('user', $qb->createNamedParameter($user->getUID())))
 			->andWhere($qb->expr()->eq('accepted', $qb->createNamedParameter(IShare::STATUS_ACCEPTED, IQueryBuilder::PARAM_INT)));
 		$result = $qb->executeQuery();
 		$mounts = [];
 		while ($row = $result->fetchAssociative()) {
 			$row['manager'] = $this;
-			$row['token'] = $row['share_token'];
+			$row['token'] = $row['refresh_token'];
 			$mounts[] = $this->getMount($user, $row, $loader);
 		}
 		$result->closeCursor();
@@ -101,7 +101,7 @@ public function getMountsForPath(
 		}
 
 		$qb = $this->connection->getQueryBuilder();
-		$qb->select('id', 'remote', 'share_token', 'password', 'mountpoint', 'owner')
+		$qb->select('id', 'remote', 'refresh_token', 'password', 'access_token', 'access_token_expires', 'mountpoint', 'owner')
 			->from('share_external')
 			->where($qb->expr()->eq('user', $qb->createNamedParameter($user->getUID())))
 			->andWhere($qb->expr()->eq('accepted', $qb->createNamedParameter(IShare::STATUS_ACCEPTED, IQueryBuilder::PARAM_INT)));
@@ -117,7 +117,7 @@ public function getMountsForPath(
 		$mounts = [];
 		while ($row = $result->fetchAssociative()) {
 			$row['manager'] = $this;
-			$row['token'] = $row['share_token'];
+			$row['token'] = $row['refresh_token'];
 			$mount = $this->getMount($user, $row, $loader);
 			$mounts[$mount->getMountPoint()] = $mount;
 		}

apps/files_sharing/lib/External/Storage.php

@@ -50,11 +50,21 @@ class Storage extends DAV implements ISharedStorage, IDisableEncryptionStorage,
 	private bool $updateChecked = false;
 	private ExternalShareManager $manager;
 	private IConfig $config;
-	private IAppConfig $appConfig;
+	protected IAppConfig $appConfig;
 	private IShareManager $shareManager;
+	private bool $tokenRefreshed = false;
+	/** Unix timestamp until which the current access token is considered valid (0 = unknown/expired) */
+	private int $tokenExpiresAt = 0;
+	/** Number of consecutive token exchange failures (resets on success or DB-reuse) */
+	private int $refreshFailureCount = 0;
+	/** Unix timestamp before which the next exchange attempt must not be made (0 = no wait) */
+	private int $refreshBackoffUntil = 0;
+
+	private const REFRESH_MAX_ATTEMPTS = 3;
+	private const REFRESH_BACKOFF_SECONDS = 5;
 
 	/**
-	 * @param array{HttpClientService: IClientService, manager: ExternalShareManager, cloudId: ICloudId, mountpoint: string, token: string, password: ?string}|array $options
+	 * @param array{HttpClientService: IClientService, manager: ExternalShareManager, cloudId: ICloudId, mountpoint: string, token: string, access_token: ?string, access_token_expires: ?int}|array $options
 	 */
 	public function __construct($options) {
 		$this->memcacheFactory = Server::get(ICacheFactory::class);
@@ -72,14 +82,30 @@ public function __construct($options) {
 			$ocmProvider = $discoveryService->discover($this->cloudId->getRemote());
 			$webDavEndpoint = $ocmProvider->extractProtocolEntry('file', 'webdav');
 			$remote = $ocmProvider->getEndPoint();
+			$authType = \Sabre\DAV\Client::AUTH_BASIC;
 		} catch (OCMProviderException|OCMArgumentException $e) {
 			$this->logger->notice('exception while retrieving webdav endpoint', ['exception' => $e]);
 			$webDavEndpoint = '/public.php/webdav';
 			$remote = $this->cloudId->getRemote();
+			$authType = \Sabre\DAV\Client::AUTH_BASIC;
+		}
+
+		// Only use Bearer auth when an access token is already stored.
+		// Shares created before the exchange-token capability was introduced have no
+		// stored token and must keep using basic auth for backwards compatibility.
+		if (!empty($options['access_token'])) {
+			$authType = \OC\Files\Storage\BearerAuthAwareSabreClient::AUTH_BEARER;
 		}
 
 		$host = parse_url($remote, PHP_URL_HOST);
+		// If host extraction fails (e.g., endpoint has no scheme), fall back to cloudId's remote
+		if ($host === null) {
+			$host = parse_url($this->cloudId->getRemote(), PHP_URL_HOST);
+		}
 		$port = parse_url($remote, PHP_URL_PORT);
+		if ($port === null) {
+			$port = parse_url($this->cloudId->getRemote(), PHP_URL_PORT);
+		}
 		$host .= ($port === null) ? '' : ':' . $port; // we add port if available
 
 		// in case remote NC is on a sub folder and using deprecated ocm provider
@@ -90,20 +116,105 @@ public function __construct($options) {
 
 		$this->mountPoint = $options['mountpoint'];
 		$this->token = $options['token'];
+		$this->tokenExpiresAt = (int)($options['access_token_expires'] ?? 0);
+
+		// Determine scheme - fall back to cloudId's remote if $remote has no scheme
+		$scheme = parse_url($remote, PHP_URL_SCHEME) ?? parse_url($this->cloudId->getRemote(), PHP_URL_SCHEME) ?? 'https';
 
 		parent::__construct(
 			[
-				'secure' => ((parse_url($remote, PHP_URL_SCHEME) ?? 'https') === 'https'),
+				'secure' => ($scheme === 'https'),
 				'verify' => !$this->config->getSystemValueBool('sharing.federation.allowSelfSignedCertificates', false),
 				'host' => $host,
 				'root' => $webDavEndpoint,
 				'user' => $options['token'],
-				'authType' => \Sabre\DAV\Client::AUTH_BASIC,
-				'password' => (string)$options['password']
+				'authType' => $authType,
+				'password' => $authType === \OC\Files\Storage\BearerAuthAwareSabreClient::AUTH_BEARER
+					? (string)($options['access_token'] ?? '')
+					: (string)($options['password'] ?? ''),
+				'discoveryService' => $discoveryService,
 			]
 		);
 	}
 
+	/**
+	 * Refresh the access token. Extends parent to also persist to database.
+	 *
+	 * Uses expiry timestamps instead of a boolean flag so that concurrent
+	 * processes can detect that another process already obtained a fresh token
+	 * and reuse it rather than performing a redundant exchange.
+	 *
+	 * After a failed exchange, a 60-second backoff is applied so that
+	 * subsequent file operations do not hammer the remote token endpoint.
+	 * The DB is still consulted during backoff in case a concurrent process
+	 * succeeded; only the outgoing exchange call is suppressed.
+	 *
+	 * @return string|null the access token (freshly exchanged or reused from
+	 *                     DB), or null if refresh is currently not possible
+	 */
+	#[\Override]
+	protected function refreshAccessToken(): ?string {
+		$now = time();
+
+		// Fast path: in-memory token is still valid (single-process guard).
+		if ($this->tokenExpiresAt > $now && !empty($this->password)) {
+			return $this->password;
+		}
+
+		// Slow path: check DB — a concurrent process may have already refreshed.
+		$share = $this->manager->getShareByToken($this->token);
+		if ($share !== false) {
+			$dbExpiry = $share->getAccessTokenExpires();
+			$dbToken = $share->getAccessToken();
+			if ($dbExpiry !== null && $dbExpiry > $now && $dbToken !== null) {
+				// Another process already refreshed — reuse DB token and reset failure state.
+				$this->password = $dbToken;
+				$this->bearerToken = $dbToken;
+				$this->tokenExpiresAt = $dbExpiry;
+				$this->refreshFailureCount = 0;
+				$this->refreshBackoffUntil = 0;
+				$this->logger->debug('Reused access token refreshed by another process', ['app' => 'files_sharing']);
+				return $dbToken;
+			}
+		}
+
+		// Gave up after max attempts: stop trying for the lifetime of this instance.
+		if ($this->refreshFailureCount >= self::REFRESH_MAX_ATTEMPTS) {
+			return null;
+		}
+
+		// Still within the inter-attempt wait: don't hit the endpoint yet.
+		if ($this->refreshBackoffUntil > $now) {
+			return null;
+		}
+
+		// No valid token in DB — perform the exchange ourselves.
+		try {
+			$expiresAt = $now + 3600; // access tokens are valid for 1 hour
+			$newAccessToken = $this->exchangeRefreshToken();
+			$this->password = $newAccessToken;
+			$this->bearerToken = $newAccessToken;
+			$this->tokenExpiresAt = $expiresAt;
+			$this->refreshFailureCount = 0;
+			$this->refreshBackoffUntil = 0;
+
+			$this->manager->updateAccessToken($this->token, $newAccessToken, $expiresAt);
+
+			$this->logger->debug('Successfully refreshed access token', ['app' => 'files_sharing']);
+			return $newAccessToken;
+		} catch (\Exception $e) {
+			$this->refreshFailureCount++;
+			$this->refreshBackoffUntil = $now + self::REFRESH_BACKOFF_SECONDS;
+			$this->logger->warning('Failed to refresh access token (attempt {attempt}/{max})', [
+				'app' => 'files_sharing',
+				'attempt' => $this->refreshFailureCount,
+				'max' => self::REFRESH_MAX_ATTEMPTS,
+				'exception' => $e,
+			]);
+			return null;
+		}
+	}
+
 	#[\Override]
 	public function getWatcher(string $path = '', ?IStorage $storage = null): IWatcher {
 		if (!$storage) {