when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist
parent
304192472d
commit
8e1037458a
|
@ -49,7 +49,7 @@ class HostController extends AppController {
|
|||
$cred = $this->_getCredentials(true); // generate refresh
|
||||
}
|
||||
else {
|
||||
$cred = $this->_getCredentials(false); // don't generate refresh
|
||||
$cred = $this->_getCredentials(false, $mToken); // don't generate refresh
|
||||
}
|
||||
|
||||
$login_array = array (
|
||||
|
@ -114,7 +114,7 @@ class HostController extends AppController {
|
|||
}
|
||||
}
|
||||
|
||||
private function _getCredentials($generate_refresh_token=false) {
|
||||
private function _getCredentials($generate_refresh_token=false, $mToken='') {
|
||||
$credentials = '';
|
||||
$this->loadModel('Config');
|
||||
|
||||
|
@ -127,6 +127,17 @@ class HostController extends AppController {
|
|||
throw new ForbiddenException(__('Please create a valid AUTH_HASH_SECRET in ZoneMinder'));
|
||||
}
|
||||
|
||||
if ($mToken) {
|
||||
// If we have a token, we need to derive username from there
|
||||
$ret = validateToken($mToken, 'refresh');
|
||||
$mUser = $ret[0]['Username'];
|
||||
|
||||
} else {
|
||||
$mUser = $_SESSION['username'];
|
||||
}
|
||||
|
||||
ZM\Info("Creating token for \"$mUser\"");
|
||||
|
||||
/* we won't support AUTH_HASH_IPS in token mode
|
||||
reasons:
|
||||
a) counter-intuitive for mobile consumers
|
||||
|
@ -149,7 +160,7 @@ class HostController extends AppController {
|
|||
"iss" => "ZoneMinder",
|
||||
"iat" => $access_issued_at,
|
||||
"exp" => $access_expire_at,
|
||||
"user" => $_SESSION['username'],
|
||||
"user" => $mUser,
|
||||
"type" => "access"
|
||||
);
|
||||
|
||||
|
@ -167,7 +178,7 @@ class HostController extends AppController {
|
|||
"iss" => "ZoneMinder",
|
||||
"iat" => $refresh_issued_at,
|
||||
"exp" => $refresh_expire_at,
|
||||
"user" => $_SESSION['username'],
|
||||
"user" => $mUser,
|
||||
"type" => "refresh"
|
||||
);
|
||||
$jwt_refresh_token = \Firebase\JWT\JWT::encode($refresh_token, $key, 'HS256');
|
||||
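Review bot: In the new `if ($mToken)` branch of `_getCredentials`, the result of `validateToken($mToken, 'refresh')` is indexed without first checking whether validation succeeded. The failure paths of validateToken shown further down this page return `array(false, ...)`, so `$ret[0]['Username']` would evaluate to null and the function would go on to sign access and refresh tokens with an empty `user` claim. Unless the caller has already validated the token (the call site is only partly visible in the first hunk), add a guard before the assignment, for example `if (!$ret[0]) throw new UnauthorizedException($ret[1]);`. The else branch makes the matching assumption that `$_SESSION['username']` is set, which is worth checking the same way. The body of `_getCredentials` starts and ends outside these hunks.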
|
|
|
@ -244,7 +244,7 @@ function validateToken ($token, $allowed_token_type='access') {
|
|||
$minIssuedAt = $saved_user_details['TokenMinExpiry'];
|
||||
|
||||
if ($issuedAt < $minIssuedAt) {
|
||||
ZM\Error ("Token revoked for $username. Please generate a new token");
|
||||
ZM\Error ("Token revoked for \"$username\". Please generate a new token");
|
||||
$_SESSION['loginFailed'] = true;
|
||||
unset($user);
|
||||
return array(false, "Token revoked. Please re-generate");
|
||||
|
@ -253,7 +253,7 @@ function validateToken ($token, $allowed_token_type='access') {
|
|||
$user = $saved_user_details;
|
||||
return array($user, "OK");
|
||||
} else {
|
||||
ZM\Error ("Could not retrieve user $username details");
|
||||
ZM\Error ("Could not retrieve user \"$username\" details");
|
||||
$_SESSION['loginFailed'] = true;
|
||||
unset($user);
|
||||
return array(false, "No such user/credentials");
|
||||
|
|