feat(federatedfilesharing): create refresh tokens and sign token exchange

Co-authored-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>

Author: enriquepablo

apps/federatedfilesharing/composer/composer/autoload_classmap.php

@@ -17,6 +17,7 @@
     'OCA\\FederatedFileSharing\\Listeners\\LoadAdditionalScriptsListener' => $baseDir . '/../lib/Listeners/LoadAdditionalScriptsListener.php',
     'OCA\\FederatedFileSharing\\Migration\\Version1010Date20200630191755' => $baseDir . '/../lib/Migration/Version1010Date20200630191755.php',
     'OCA\\FederatedFileSharing\\Migration\\Version1011Date20201120125158' => $baseDir . '/../lib/Migration/Version1011Date20201120125158.php',
+    'OCA\\FederatedFileSharing\\Migration\\Version1012Date20260306120000' => $baseDir . '/../lib/Migration/Version1012Date20260306120000.php',
     'OCA\\FederatedFileSharing\\Notifications' => $baseDir . '/../lib/Notifications.php',
     'OCA\\FederatedFileSharing\\Notifier' => $baseDir . '/../lib/Notifier.php',
     'OCA\\FederatedFileSharing\\OCM\\CloudFederationProviderFiles' => $baseDir . '/../lib/OCM/CloudFederationProviderFiles.php',

apps/federatedfilesharing/composer/composer/autoload_static.php

@@ -32,6 +32,7 @@ class ComposerStaticInitFederatedFileSharing
         'OCA\\FederatedFileSharing\\Listeners\\LoadAdditionalScriptsListener' => __DIR__ . '/..' . '/../lib/Listeners/LoadAdditionalScriptsListener.php',
         'OCA\\FederatedFileSharing\\Migration\\Version1010Date20200630191755' => __DIR__ . '/..' . '/../lib/Migration/Version1010Date20200630191755.php',
         'OCA\\FederatedFileSharing\\Migration\\Version1011Date20201120125158' => __DIR__ . '/..' . '/../lib/Migration/Version1011Date20201120125158.php',
+        'OCA\\FederatedFileSharing\\Migration\\Version1012Date20260306120000' => __DIR__ . '/..' . '/../lib/Migration/Version1012Date20260306120000.php',
         'OCA\\FederatedFileSharing\\Notifications' => __DIR__ . '/..' . '/../lib/Notifications.php',
         'OCA\\FederatedFileSharing\\Notifier' => __DIR__ . '/..' . '/../lib/Notifier.php',
         'OCA\\FederatedFileSharing\\OCM\\CloudFederationProviderFiles' => __DIR__ . '/..' . '/../lib/OCM/CloudFederationProviderFiles.php',

apps/federatedfilesharing/lib/Controller/RequestHandlerController.php

@@ -399,7 +399,7 @@ public function move(int $id, ?string $token = null, ?string $remote = null, ?st
 			->set('owner', $qb->createNamedParameter($cloudId->getUser()))
 			->set('remote_id', $qb->createNamedParameter($newRemoteId))
 			->where($qb->expr()->eq('remote_id', $qb->createNamedParameter($id)))
-			->andWhere($qb->expr()->eq('share_token', $qb->createNamedParameter($token)));
+			->andWhere($qb->expr()->eq('refresh_token', $qb->createNamedParameter($token)));
 		$affected = $query->executeStatement();
 
 		if ($affected > 0) {

apps/federatedfilesharing/lib/FederatedShareProvider.php

@@ -7,8 +7,12 @@
  */
 namespace OCA\FederatedFileSharing;
 
+use OC\Authentication\Token\PublicKeyTokenProvider;
 use OC\Share20\Exception\InvalidShare;
 use OC\Share20\Share;
+use OCA\CloudFederationAPI\Db\OcmTokenMapMapper;
+use OCP\Authentication\Exceptions\InvalidTokenException;
+use OCP\Authentication\Token\IToken;
 use OCP\Constants;
 use OCP\DB\QueryBuilder\IQueryBuilder;
 use OCP\Federation\ICloudFederationProviderManager;
@@ -22,6 +26,8 @@
 use OCP\IDBConnection;
 use OCP\IL10N;
 use OCP\IUserManager;
+use OCP\Security\ISecureRandom;
+use OCP\Server;
 use OCP\Share\Exceptions\GenericShareException;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IShare;
@@ -137,7 +143,7 @@ public function create(IShare $share): IShare {
 			$ownerCloudId = $this->cloudIdManager->getCloudId($remoteShare['owner'], $remoteShare['remote']);
 			$shareId = $this->addShareToDB($itemSource, $itemType, $shareWith, $sharedBy, $ownerCloudId->getId(), $permissions, 'tmp_token_' . time(), $shareType, $expirationDate);
 			[$token, $remoteId] = $this->notifications->requestReShare(
-				$remoteShare['share_token'],
+				$remoteShare['refresh_token'],
 				$remoteShare['remote_id'],
 				$shareId,
 				$remoteShare['remote'],
@@ -170,7 +176,15 @@ public function create(IShare $share): IShare {
 	 * @throws \Exception
 	 */
 	protected function createFederatedShare(IShare $share): string {
-		$token = $this->tokenHandler->generateToken();
+
+		$provider = Server::get(PublicKeyTokenProvider::class);
+		$token = Server::get(ISecureRandom::class)->generate(32, ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_LOWER . ISecureRandom::CHAR_DIGITS);
+		$uid = $share->getSharedBy();
+		$user = $this->userManager->get($uid);
+		$name = $user?->getDisplayName() ?? $uid;
+		$pass = $share->getPassword();
+
+		$dbToken = $provider->generateToken($token, $uid, $uid, $pass, $name, type: IToken::PERMANENT_TOKEN);
 		$shareId = $this->addShareToDB(
 			$share->getNodeId(),
 			$share->getNodeType(),
@@ -724,6 +738,24 @@ public function getShareByToken(string $token): IShare {
 
 		$data = $cursor->fetchAssociative();
 
+		if ($data === false) {
+			// Token not found as refresh token, try looking it up as access token
+			try {
+				$accessTokenDb = Server::get(PublicKeyTokenProvider::class)->getToken($token);
+				$mapping = Server::get(OcmTokenMapMapper::class)->getByAccessTokenId($accessTokenDb->getId());
+
+				$qb2 = $this->dbConnection->getQueryBuilder();
+				$cursor = $qb2->select('*')
+					->from('share')
+					->where($qb2->expr()->in('share_type', $qb2->createNamedParameter($this->supportedShareType, IQueryBuilder::PARAM_INT_ARRAY)))
+					->andWhere($qb2->expr()->eq('token', $qb2->createNamedParameter($mapping->getRefreshToken())))
+					->executeQuery();
+
+				$data = $cursor->fetch();
+			} catch (InvalidTokenException|\OCP\AppFramework\Db\DoesNotExistException) {
+				// Token is not a valid access token or has no mapping, share not found
+			}
+		}
 		if ($data === false) {
 			throw new ShareNotFound('Share not found', $this->l->t('Could not find share'));
 		}

apps/federatedfilesharing/lib/Migration/Version1012Date20260306120000.php

@@ -0,0 +1,119 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\FederatedFileSharing\Migration;
+
+use Closure;
+use OC\Authentication\Token\PublicKeyTokenProvider;
+use OCP\Authentication\Exceptions\InvalidTokenException;
+use OCP\Authentication\Token\IToken;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDBConnection;
+use OCP\IUserManager;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use OCP\Server;
+use OCP\Share\IShare;
+
+/**
+ * Ensure all existing federated share tokens are registered in oc_authtoken
+ * as permanent tokens, which is required for the OCM token exchange flow.
+ *
+ * Shares created before this fork used TokenHandler (15-char tokens) and never
+ * registered in oc_authtoken. Those legacy short tokens are left untouched so
+ * that the receiving instance can continue to authenticate via Basic auth with
+ * the original token. They will never participate in the token exchange flow,
+ * but they will keep working until the share is re-created with a new token.
+ *
+ * Shares created by this fork (32-char tokens) that are somehow missing from
+ * oc_authtoken are silently repaired.
+ */
+class Version1012Date20260306120000 extends SimpleMigrationStep {
+	#[\Override]
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		return null;
+	}
+
+	#[\Override]
+	public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options): void {
+		$db = Server::get(IDBConnection::class);
+		$tokenProvider = Server::get(PublicKeyTokenProvider::class);
+		$userManager = Server::get(IUserManager::class);
+
+		$qb = $db->getQueryBuilder();
+		$result = $qb->select('id', 'token', 'uid_initiator')
+			->from('share')
+			->where($qb->expr()->in(
+				'share_type',
+				$qb->createNamedParameter(
+					[IShare::TYPE_REMOTE, IShare::TYPE_REMOTE_GROUP],
+					IQueryBuilder::PARAM_INT_ARRAY
+				)
+			))
+			->executeQuery();
+
+		$registered = 0;
+		$skipped = 0;
+
+		while ($row = $result->fetchAssociative()) {
+			$shareId = (int)$row['id'];
+			$token = (string)$row['token'];
+			$uid = (string)$row['uid_initiator'];
+
+			if (strlen($token) < PublicKeyTokenProvider::TOKEN_MIN_LENGTH) {
+				// Old short token from TokenHandler — leave it as-is.
+				// Replacing it would invalidate the token stored on the receiving instance,
+				// breaking Basic-auth access to those shares. These shares keep working via
+				// Basic auth and are simply not eligible for the OCM token exchange flow.
+				$skipped++;
+				continue;
+			}
+
+			// Long token — check if it's already in oc_authtoken.
+			try {
+				$tokenProvider->getToken($token);
+				$skipped++;
+				continue;
+			} catch (InvalidTokenException) {
+				// Not registered yet — fall through to create it.
+			}
+
+			$user = $userManager->get($uid);
+			$name = $user?->getDisplayName() ?? $uid;
+
+			try {
+				$tokenProvider->generateToken(
+					$token,
+					$uid,
+					$uid,
+					null,
+					$name,
+					IToken::PERMANENT_TOKEN,
+				);
+				$registered++;
+			} catch (\Exception $e) {
+				$output->warning(sprintf(
+					'Could not register auth token for share %d (uid=%s): %s',
+					$shareId,
+					$uid,
+					$e->getMessage()
+				));
+			}
+		}
+
+		$result->closeCursor();
+
+		$output->info(sprintf(
+			'Federated share token migration: %d registered, %d skipped (already up-to-date or legacy short token).',
+			$registered,
+			$skipped
+		));
+	}
+}

apps/federatedfilesharing/lib/OCM/CloudFederationProviderFiles.php

@@ -8,6 +8,8 @@
 
 use OC\AppFramework\Http;
 use OC\Files\Filesystem;
+use OC\OCM\OCMSignatoryManager;
+use OC\OCM\Rfc9421SignatoryManager;
 use OCA\FederatedFileSharing\AddressHandler;
 use OCA\FederatedFileSharing\FederatedShareProvider;
 use OCA\Federation\TrustedServers;
@@ -33,12 +35,16 @@
 use OCP\Files\ISetupManager;
 use OCP\Files\NotFoundException;
 use OCP\HintException;
+use OCP\Http\Client\IClientService;
+use OCP\IAppConfig;
 use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\Notification\IManager as INotificationManager;
+use OCP\OCM\IOCMDiscoveryService;
+use OCP\Security\Signature\ISignatureManager;
 use OCP\Server;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
@@ -70,6 +76,11 @@ public function __construct(
 		private readonly IProviderFactory $shareProviderFactory,
 		private readonly ISetupManager $setupManager,
 		private readonly ExternalShareMapper $externalShareMapper,
+		private readonly IOCMDiscoveryService $discoveryService,
+		private readonly IClientService $clientService,
+		private readonly ISignatureManager $signatureManager,
+		private readonly OCMSignatoryManager $signatoryManager,
+		private readonly IAppConfig $appConfig,
 	) {
 	}
 
@@ -106,6 +117,30 @@ public function shareReceived(ICloudFederationShare $share): string {
 		$ownerFederatedId = $share->getOwner();
 		$shareType = $this->mapShareTypeToNextcloud($share->getShareType());
 
+		// Check for must-exchange-token requirement
+		$requirements = $protocol['webdav']['requirements'] ?? $protocol['options']['requirements'] ?? [];
+		$mustExchangeToken = in_array('must-exchange-token', $requirements);
+		$accessToken = '';
+
+		if ($mustExchangeToken) {
+			// Exchange the sharedSecret for an access token (required)
+			$accessToken = $this->exchangeToken($remote, $token);
+			if ($accessToken === null) {
+				throw new ProviderCouldNotAddShareException('Failed to exchange token as required by must-exchange-token', '', Http::STATUS_BAD_REQUEST);
+			}
+		} else {
+			// Check if remote has exchange-token capability and try to exchange (optional)
+			try {
+				$ocmProvider = $this->discoveryService->discover(rtrim($remote, '/'));
+				if ($ocmProvider->getCapabilities()->hasExchangeToken()) {
+					$accessToken = $this->exchangeToken($remote, $token) ?? '';
+					$this->logger->debug('Exchanged token for remote with exchange-token capability', ['remote' => $remote, 'success' => !empty($accessToken)]);
+				}
+			} catch (\Exception $e) {
+				$this->logger->debug('Could not discover remote capabilities for token exchange', ['remote' => $remote, 'exception' => $e]);
+			}
+		}
+
 		// if no explicit information about the person who created the share was sent
 		// we assume that the share comes from the owner
 		if ($sharedByFederatedId === null) {
@@ -146,8 +181,8 @@ public function shareReceived(ICloudFederationShare $share): string {
 			$externalShare->generateId();
 			$externalShare->setRemote($remote);
 			$externalShare->setRemoteId($remoteId);
-			$externalShare->setShareToken($token);
-			$externalShare->setPassword('');
+			$externalShare->setRefreshToken($token);  // refresh token (sharedSecret)
+			$externalShare->setAccessToken($accessToken ?: null);
 			$externalShare->setName($name);
 			$externalShare->setOwner($owner);
 			$externalShare->setShareType($shareType);
@@ -687,4 +722,98 @@ public function getFederationIdFromSharedSecret(
 			return $share->getShareOwner();
 		}
 	}
+
+	/**
+	 * Exchange a sharedSecret (refresh token) for an access token via the remote server's token endpoint
+	 *
+	 * @param string $remote The remote server URL
+	 * @param string $sharedSecret The shared secret to exchange
+	 * @return string|null The access token, or null on failure
+	 */
+	private function exchangeToken(string $remote, #[SensitiveParameter] string $sharedSecret): ?string {
+		try {
+			$ocmProvider = $this->discoveryService->discover(rtrim($remote, '/'));
+			$tokenEndpoint = $ocmProvider->getTokenEndPoint();
+
+			if ($tokenEndpoint === '') {
+				$this->logger->warning('Remote server does not expose tokenEndPoint', ['remote' => $remote]);
+				return null;
+			}
+
+			$client = $this->clientService->newClient();
+			$clientId = parse_url($this->urlGenerator->getAbsoluteURL('/'), PHP_URL_HOST);
+
+			$payload = [
+				'grant_type' => 'authorization_code',
+				'client_id' => $clientId,
+				'code' => $sharedSecret,
+			];
+
+			$options = [
+				'body' => http_build_query($payload),
+				'headers' => [
+					'Content-Type' => 'application/x-www-form-urlencoded',
+				],
+				'timeout' => 10,
+				'connect_timeout' => 10,
+			];
+
+			try {
+				$options = $this->signatureManager->signOutgoingRequestIClientPayload(
+					new Rfc9421SignatoryManager($this->signatoryManager),
+					$options,
+					'post',
+					$tokenEndpoint
+				);
+				$this->logger->debug('Token request signed successfully', ['remote' => $remote]);
+			} catch (\Exception $e) {
+				$this->logger->error('Failed to sign token request', [
+					'remote' => $remote,
+					'exception' => $e,
+					'endpoint' => $tokenEndpoint,
+				]);
+				return null;
+			}
+
+			$response = $client->post($tokenEndpoint, $options);
+
+			$statusCode = $response->getStatusCode();
+			if ($statusCode !== 200) {
+				$this->logger->warning('Token exchange returned unexpected HTTP status', [
+					'remote' => $remote,
+					'status' => $statusCode,
+				]);
+				return null;
+			}
+
+			$data = json_decode($response->getBody(), true);
+
+			if (!is_array($data)) {
+				$this->logger->warning('Token exchange response is not valid JSON', ['remote' => $remote]);
+				return null;
+			}
+
+			$accessToken = $data['access_token'] ?? null;
+			$tokenType = $data['token_type'] ?? null;
+
+			if (!is_string($accessToken) || $accessToken === '') {
+				$this->logger->warning('Token exchange response missing or invalid access_token', ['remote' => $remote]);
+				return null;
+			}
+
+			if (!is_string($tokenType) || strtolower($tokenType) !== 'bearer') {
+				$this->logger->warning('Token exchange response has unexpected token_type', [
+					'remote' => $remote,
+					'token_type' => $tokenType,
+				]);
+				return null;
+			}
+
+			$this->logger->debug('Successfully exchanged token for access token', ['remote' => $remote]);
+			return $accessToken;
+		} catch (\Exception $e) {
+			$this->logger->warning('Failed to exchange token', ['remote' => $remote, 'exception' => $e]);
+			return null;
+		}
+	}
 }