diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 737b424527..edb6876c83 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -1140,11 +1140,13 @@ App::put('/v1/account/sessions/token')
 ->action(function (string $userId, string $secret, Request $request, Response $response, Document $user, Database $dbForProject, Document $project, Locale $locale, Reader $geodb, Event $events) {
 /** @var Utopia\Database\Document $user */
 $userFromRequest = Authorization::skip(fn () => $dbForProject->getDocument('users', $userId));
+
 if ($userFromRequest->isEmpty()) {
 throw new Exception(Exception::USER_NOT_FOUND);
 }
 $verifiedToken = Auth::tokenVerify($userFromRequest->getAttribute('tokens', []), null, $secret);
+
 if (!$verifiedToken) {
 throw new Exception(Exception::USER_INVALID_TOKEN);
 }
@@ -1156,15 +1158,13 @@ App::put('/v1/account/sessions/token')
 $record = $geodb->get($request->getIP());
 $secret = Auth::tokenGenerator();
 $expire = DateTime::formatTz(DateTime::addSeconds(new \DateTime(), $duration));
- $provider = Auth::getSessionProviderByTokenType($verifiedToken->getAttribute('type'));
-
 $session = new Document(array_merge(
 [
 '$id' => ID::unique(),
 'userId' => $user->getId(),
 'userInternalId' => $user->getInternalId(),
- 'provider' => Auth::SESSION_PROVIDER_UNIVERSAL,
+ 'provider' => Auth::getSessionProviderByTokenType($verifiedToken->getAttribute('type')),
 'secret' => Auth::hash($secret), // One way hash encryption to protect DB leak
 'userAgent' => $request->getUserAgent('UNKNOWN'),
 'ip' => $request->getIP(),
@@ -1185,7 +1185,7 @@ App::put('/v1/account/sessions/token')
 ]));
 $dbForProject->deleteCachedDocument('users', $user->getId());
- $dbForProject->deleteDocument('tokens', $token);
+ Authorization::skip(fn () => $dbForProject->deleteDocument('tokens', $verifiedToken->getId()));
 $dbForProject->deleteCachedDocument('users', $user->getId());
 try {
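Review bot: `$secret = Auth::tokenGenerator();` at the top of this hunk overwrites the `$secret` action parameter that carried the caller-supplied token secret, so `'secret' => Auth::hash($secret)` a few lines later hashes the newly minted session secret under the same name a reader just saw being verified; now that the provider lookup is inlined into the same literal, the array mixes token-derived and freshly generated values with overlapping names. Renaming the new value (`$sessionSecret = Auth::tokenGenerator();`, `'secret' => Auth::hash($sessionSecret)`, and the later uses outside this hunk) keeps the two secrets distinct. Separately, the session's `userId`/`userInternalId` are taken from the injected `$user` while the token was verified against `$userFromRequest`; presumably `$user` is populated from `$userFromRequest` in the lines between the first two hunks, but that is worth confirming since a mismatch would mint a session for the wrong account. The enclosing action starts in the previous hunk and continues past this one.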
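Review bot: The new token-consumption line discards the result of `deleteDocument`, so if a concurrent request with the same secret already removed the token, this request still proceeds to create a session (assuming utopia's `deleteDocument` reports a missing document through its return value rather than by throwing — please confirm). Wrapping it as `if (!Authorization::skip(fn () => $dbForProject->deleteDocument('tokens', $verifiedToken->getId()))) { throw new Exception(Exception::USER_INVALID_TOKEN); }` would make the token strictly single-use. The `deleteCachedDocument('users', …)` calls immediately before and after the deletion are duplicates; only the one after the delete is needed. Because `Authorization::skip` bypasses the document ACL here, a one-line comment such as `// Token ownership was established by tokenVerify above; skip only bypasses the document ACL` would help the next reader. The enclosing action starts in the first hunk and continues past `try {`.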
@@ -3147,3 +3147,6 @@ App::put('/v1/account/verification/phone')
 $response->dynamic($verificationDocument, Response::MODEL_TOKEN);
 });
+
+
+
\ No newline at end of file
diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 15f0bdb842..2fc601561b 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@@ -1107,7 +1107,7 @@ App::post('/v1/users/:userId/tokens')
 throw new Exception(Exception::USER_NOT_FOUND);
 }
- $loginSecret = Auth::tokenGenerator();
+ $secret = Auth::tokenGenerator();
 $expire = DateTime::formatTz(DateTime::addSeconds(new \DateTime(), Auth::TOKEN_EXPIRATION_CONFIRM));
 $token = new Document([
@@ -1115,13 +1115,16 @@ App::post('/v1/users/:userId/tokens')
 'userId' => $user->getId(),
 'userInternalId' => $user->getInternalId(),
 'type' => Auth::TOKEN_TYPE_UNIVERSAL,
- 'secret' => Auth::hash($loginSecret), // One way hash encryption to protect DB leak
+ 'secret' => Auth::hash($secret), // One way hash encryption to protect DB leak
 'expire' => $expire,
 'userAgent' => 'UNKNOWN',
 'ip' => 'UNKNOWN',
 ]);
 $token = $dbForProject->createDocument('tokens', $token);
+ $dbForProject->deleteCachedDocument('users', $user->getId());
+
+ $token->setAttribute('secret', $secret);
 $events
 ->setParam('userId', $user->getId())
diff --git a/src/Appwrite/Auth/Auth.php b/src/Appwrite/Auth/Auth.php
index a4e4e910e9..1edae7f1e5 100644
--- a/src/Appwrite/Auth/Auth.php
+++ b/src/Appwrite/Auth/Auth.php
@@ -340,7 +340,8 @@ class Auth
 if (
 $token->isSet('secret') &&
 $token->isSet('expire') &&
- ($type === null || $token->isSet('type') && $token->getAttribute('type') === $type) &&
+ $token->isSet('type') &&
+ ($type === null || $token->getAttribute('type') === $type) &&
 $token->getAttribute('secret') === self::hash($secret) &&
 DateTime::formatTz($token->getAttribute('expire')) >= DateTime::formatTz(DateTime::now())
 ) {
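Review bot: `$token->setAttribute('secret', $secret);` places the plaintext secret on the document that is handed back to the caller, so anything that consumes `$token` after this line — notably the `$events` chain that begins on the hunk's last two lines, if it later calls something like `setPayload()` with this document — would carry the unhashed secret into webhooks, functions or realtime; I cannot see the rest of the chain from here, so please check that the payload is built from the hashed copy or before this line. The new `deleteCachedDocument('users', …)` after `createDocument` is the right place to invalidate, since the account route verifies tokens through `$userFromRequest->getAttribute('tokens', [])`; a comment such as `// tokens are read through the cached user document; invalidate so tokenVerify sees the new token` would make that coupling explicit. The enclosing action for `/v1/users/:userId/tokens` starts and ends outside this hunk.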
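Review bot: The reworked condition still compares the stored hash with `===` on the line right after the two added ones; `hash_equals($token->getAttribute('secret'), self::hash($secret))` is the constant-time form and a straightforward swap while this predicate is being touched. Note that `$token->isSet('type')` is now required even when `$type === null`, so any existing token documents without a `type` attribute will stop verifying — acceptable if every writer sets it (the users.php hunk in this commit does), but it deserves a changelog or migration line. The enclosing verification loop (presumably `tokenVerify`, given the call in account.php) starts and ends outside the hunk.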