Chris Coutinho
daabd90359
Implemented 6 critical security fixes identified during PR #401 review: 1. Token Rotation Race Condition (Issue 1) - Added in-progress marker pattern to prevent concurrent refresh - Prevents token invalidation when multiple requests refresh simultaneously - File: token_broker.py:324, 343-390 2. Hardcoded Localhost URL (Issue 2) - Added getNextcloudBaseUrl() with fallback chain - Supports overwrite.cli.url, trusted_domains, and localhost fallback - File: IdpTokenRefresher.php:38-61, 116 3. Error Information Leakage (Issue 3) - Replaced 13 instances of str(e) with sanitized errors - Prevents exposure of stack traces, paths, and tokens - File: management.py:368, 444, 492, 510, 546, 571, 625, 643, 695, 750, 919, 956, 1121 4. Input Validation Gaps (Issue 4) - Added validation helpers: _parse_int_param, _parse_float_param, _validate_query_string - Applied bounds checking to get_chunk_context and unified_search - File: management.py:119-164, 807-835, 1197-1212 5. PHP Refresh Token Validation (Issue 5) - Added explicit refresh_token presence check - Prevents silent token rotation failures - File: IdpTokenRefresher.php:122-132 6. Cookie Security Configuration (Issue 6) - Added _should_use_secure_cookies() with auto-detection - Supports explicit COOKIE_SECURE env var or auto-detect from NEXTCLOUD_HOST - Files: browser_oauth_routes.py:27-44, 470; env.sample:54-57 Testing: - Unit tests: 195 passed - Integration tests: 102 passed, 4 skipped - OAuth tests: 9 passed - All linting and type checks passed Follow-up work tracked in issues #408-#417 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
171 lines
5.2 KiB
PHP
171 lines
5.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace OCA\Astrolabe\Service;
|
|
|
|
use OCP\Http\Client\IClientService;
|
|
use OCP\IConfig;
|
|
use Psr\Log\LoggerInterface;
|
|
|
|
/**
|
|
* Refreshes OAuth tokens directly with the Identity Provider.
|
|
*
|
|
* Works with both Nextcloud OIDC and external IdPs like Keycloak.
|
|
* Uses OIDC discovery to find the token endpoint automatically.
|
|
*
|
|
* This service is only used for confidential clients (with client_secret).
|
|
* Public clients without client_secret cannot refresh tokens.
|
|
*/
|
|
class IdpTokenRefresher {
|
|
private $config;
|
|
private $httpClient;
|
|
private $logger;
|
|
private $mcpServerClient;
|
|
|
|
public function __construct(
|
|
IConfig $config,
|
|
IClientService $clientService,
|
|
LoggerInterface $logger,
|
|
McpServerClient $mcpServerClient,
|
|
) {
|
|
$this->config = $config;
|
|
$this->httpClient = $clientService->newClient();
|
|
$this->logger = $logger;
|
|
$this->mcpServerClient = $mcpServerClient;
|
|
}
|
|
|
|
/**
|
|
* Get Nextcloud base URL for constructing internal OIDC endpoint URLs.
|
|
*
|
|
* @return string Base URL (e.g., "https://nextcloud.example.com")
|
|
*/
|
|
private function getNextcloudBaseUrl(): string {
|
|
// Prefer explicit CLI URL override
|
|
$baseUrl = $this->config->getSystemValue('overwrite.cli.url', '');
|
|
|
|
if (!empty($baseUrl)) {
|
|
return rtrim($baseUrl, '/');
|
|
}
|
|
|
|
// Fallback to first trusted domain with protocol
|
|
$trustedDomains = $this->config->getSystemValue('trusted_domains', []);
|
|
if (!empty($trustedDomains)) {
|
|
$protocol = $this->config->getSystemValue('overwriteprotocol', 'https');
|
|
return $protocol . '://' . $trustedDomains[0];
|
|
}
|
|
|
|
// Last resort: localhost (log warning)
|
|
$this->logger->warning('IdpTokenRefresher: No Nextcloud URL configured, using localhost fallback');
|
|
return 'http://localhost';
|
|
}
|
|
|
|
/**
|
|
* Refresh access token using refresh token.
|
|
*
|
|
* Calls IdP's token endpoint directly (NOT MCP server).
|
|
*
|
|
* @param string $refreshToken The refresh token
|
|
* @return array|null New token data or null on failure
|
|
*/
|
|
public function refreshAccessToken(string $refreshToken): ?array {
|
|
// Check if confidential client secret is configured
|
|
$clientSecret = $this->config->getSystemValue('astrolabe_client_secret', '');
|
|
|
|
if (empty($clientSecret)) {
|
|
$this->logger->warning('Cannot refresh: no client secret configured. Confidential client required for token refresh.');
|
|
return null;
|
|
}
|
|
|
|
try {
|
|
// Get MCP server URL
|
|
$mcpServerUrl = $this->config->getSystemValue('mcp_server_url', '');
|
|
if (empty($mcpServerUrl)) {
|
|
throw new \Exception('MCP server URL not configured');
|
|
}
|
|
|
|
// Query MCP server to discover which IdP it's configured to use
|
|
$statusResponse = $this->httpClient->get($mcpServerUrl . '/api/v1/status');
|
|
$statusData = json_decode($statusResponse->getBody(), true);
|
|
|
|
if (json_last_error() !== JSON_ERROR_NONE) {
|
|
throw new \RuntimeException('Invalid status response from MCP server');
|
|
}
|
|
|
|
// Determine OIDC discovery URL and token endpoint
|
|
$useInternalNextcloud = !isset($statusData['oidc']['discovery_url']);
|
|
|
|
if (!$useInternalNextcloud) {
|
|
// External IdP configured - use OIDC discovery
|
|
$discoveryUrl = $statusData['oidc']['discovery_url'];
|
|
|
|
$this->logger->info('IdpTokenRefresher: Using external IdP', [
|
|
'discovery_url' => $discoveryUrl,
|
|
]);
|
|
|
|
$discoveryResponse = $this->httpClient->get($discoveryUrl);
|
|
$discovery = json_decode($discoveryResponse->getBody(), true);
|
|
|
|
if (json_last_error() !== JSON_ERROR_NONE || !isset($discovery['token_endpoint'])) {
|
|
throw new \RuntimeException('Invalid OIDC discovery response');
|
|
}
|
|
|
|
$tokenEndpoint = $discovery['token_endpoint'];
|
|
} else {
|
|
// Nextcloud's OIDC app - use internal URL
|
|
$tokenEndpoint = $this->getNextcloudBaseUrl() . '/apps/oidc/token';
|
|
|
|
$this->logger->info('IdpTokenRefresher: Using Nextcloud OIDC app', [
|
|
'token_endpoint' => $tokenEndpoint,
|
|
]);
|
|
}
|
|
|
|
// Call IdP's token endpoint with refresh_token grant
|
|
$postData = [
|
|
'grant_type' => 'refresh_token',
|
|
'refresh_token' => $refreshToken,
|
|
'client_id' => $this->mcpServerClient->getClientId(),
|
|
'client_secret' => $clientSecret,
|
|
];
|
|
|
|
$this->logger->info('IdpTokenRefresher: Requesting token refresh');
|
|
|
|
$response = $this->httpClient->post($tokenEndpoint, [
|
|
'body' => http_build_query($postData),
|
|
'headers' => [
|
|
'Content-Type' => 'application/x-www-form-urlencoded',
|
|
'Accept' => 'application/json',
|
|
],
|
|
]);
|
|
|
|
$tokenData = json_decode($response->getBody(), true);
|
|
|
|
if (json_last_error() !== JSON_ERROR_NONE || !isset($tokenData['access_token'])) {
|
|
throw new \RuntimeException('Invalid token response from IdP');
|
|
}
|
|
|
|
// Validate refresh_token is present (required for token rotation)
|
|
if (!isset($tokenData['refresh_token'])) {
|
|
$this->logger->error(
|
|
'IdpTokenRefresher: No refresh token in response - token rotation will fail',
|
|
[
|
|
'has_access_token' => isset($tokenData['access_token']),
|
|
'response_keys' => array_keys($tokenData),
|
|
]
|
|
);
|
|
return null;
|
|
}
|
|
|
|
$this->logger->info('IdpTokenRefresher: Token refresh successful');
|
|
|
|
return $tokenData;
|
|
|
|
} catch (\Exception $e) {
|
|
$this->logger->error('IdpTokenRefresher: Token refresh failed', [
|
|
'error' => $e->getMessage(),
|
|
]);
|
|
return null;
|
|
}
|
|
}
|
|
}
|