feat(auth): support permanent OCM refresh tokens and bearer login

Co-authored-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>

Author: enriquepablo

lib/private/Authentication/Token/PublicKeyToken.php

@@ -204,6 +204,11 @@ public function getRemember(): int {
 		return parent::getRemember();
 	}
 
+	#[\Override]
+	public function getType(): int {
+		return $this->getter('type');
+	}
+
 	#[\Override]
 	public function setToken(string $token): void {
 		parent::setToken($token);

lib/private/User/Session.php

@@ -838,7 +838,10 @@ public function tryTokenLogin(IRequest $request) {
 			return false;
 		}
 
-		if ($dbToken instanceof PublicKeyToken && $dbToken->getType() === IToken::TEMPORARY_TOKEN && !$tokenFromCookie) {
+		if ($dbToken instanceof PublicKeyToken
+			&& $dbToken->getType() === IToken::TEMPORARY_TOKEN
+			&& !$tokenFromCookie
+			&& $dbToken->getName() !== IToken::OCM_ACCESS_TOKEN_NAME) {
 			// Session token but from Bearer header, not allowed
 			return false;
 		}

lib/public/Authentication/Token/IToken.php

@@ -47,6 +47,15 @@ interface IToken extends JsonSerializable {
 	 */
 	public const SCOPE_SKIP_PASSWORD_VALIDATION = 'password-unconfirmable';
 
+	/**
+	 * Token name used for OCM access tokens issued via the
+	 * federated token endpoint. Marks a TEMPORARY_TOKEN as legitimate
+	 * Bearer-header auth (vs. a browser session id leaked into a header).
+	 *
+	 * @since 33.0.0
+	 */
+	public const OCM_ACCESS_TOKEN_NAME = 'OCM Access Token';
+
 	/**
 	 * Get the token ID
 	 * @since 28.0.0
@@ -130,4 +139,11 @@ public function setPassword(string $password): void;
 	 * @since 28.0.0
 	 */
 	public function setExpires(?int $expires): void;
+
+	/**
+	 * Get the type of the token
+	 * @return int One of IToken::TEMPORARY_TOKEN, IToken::PERMANENT_TOKEN, or IToken::WIPE_TOKEN
+	 * @since 32.0.0
+	 */
+	public function getType(): int;
 }

tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php

@@ -452,6 +452,7 @@ public function testRenewSessionTokenWithPassword(): void {
 
 	public function testGetToken(): void {
 		$token = new PublicKeyToken();
+		$token->setType(IToken::TEMPORARY_TOKEN);
 
 		$this->config->method('getSystemValue')
 			->with('secret')

tests/lib/User/SessionTest.php

@@ -332,11 +332,17 @@ public function testPasswordlessLoginNoLastCheckUpdate(): void {
 			->getMock();
 		$userSession = new Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher);
 
-		$session->expects($this->never())
-			->method('set');
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('foo');
+		$user->method('isEnabled')->willReturn(true);
+		$manager->method('get')
+			->with('foo')
+			->willReturn($user);
+
 		$session->expects($this->once())
 			->method('regenerateId');
 		$token = new PublicKeyToken();
+		$token->setId(1);
 		$token->setLoginName('foo');
 		$token->setLastCheck(0); // Never
 		$token->setUid('foo');
@@ -370,11 +376,17 @@ public function testLoginLastCheckUpdate(): void {
 			->getMock();
 		$userSession = new Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config, $this->random, $this->lockdownManager, $this->logger, $this->dispatcher);
 
-		$session->expects($this->never())
-			->method('set');
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('foo');
+		$user->method('isEnabled')->willReturn(true);
+		$manager->method('get')
+			->with('foo')
+			->willReturn($user);
+
 		$session->expects($this->once())
 			->method('regenerateId');
 		$token = new PublicKeyToken();
+		$token->setId(1);
 		$token->setLoginName('foo');
 		$token->setLastCheck(0); // Never
 		$token->setUid('foo');
@@ -1325,4 +1337,5 @@ public function testLogClientInThrottlerEmail(): void {
 
 		$this->assertFalse($userSession->logClientIn('john@foo.bar', 'I-AM-A-PASSWORD', $request, $this->throttler));
 	}
+
 }