when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

This commit is contained in:
Pliable Pixels 2019-05-18 11:23:16 -04:00
parent 304192472d
commit 8e1037458a
2 changed files with 17 additions and 6 deletions


@ -49,7 +49,7 @@ class HostController extends AppController {
$cred = $this->_getCredentials(true); // generate refresh
}
else {
$cred = $this->_getCredentials(false); // don't generate refresh
$cred = $this->_getCredentials(false, $mToken); // don't generate refresh
}
$login_array = array (
@ -114,7 +114,7 @@ class HostController extends AppController {
}
}
private function _getCredentials($generate_refresh_token=false) {
private function _getCredentials($generate_refresh_token=false, $mToken='') {
$credentials = '';
$this->loadModel('Config');
@ -127,6 +127,17 @@ class HostController extends AppController {
throw new ForbiddenException(__('Please create a valid AUTH_HASH_SECRET in ZoneMinder'));
}
if ($mToken) {
// If we have a token, we need to derive username from there
$ret = validateToken($mToken, 'refresh');
$mUser = $ret[0]['Username'];
} else {
$mUser = $_SESSION['username'];
}
ZM\Info("Creating token for \"$mUser\"");
/* we won't support AUTH_HASH_IPS in token mode
reasons:
a) counter-intuitive for mobile consumers
@ -149,7 +160,7 @@ class HostController extends AppController {
"iss" => "ZoneMinder",
"iat" => $access_issued_at,
"exp" => $access_expire_at,
"user" => $_SESSION['username'],
"user" => $mUser,
"type" => "access"
);
@ -167,7 +178,7 @@ class HostController extends AppController {
"iss" => "ZoneMinder",
"iat" => $refresh_issued_at,
"exp" => $refresh_expire_at,
"user" => $_SESSION['username'],
"user" => $mUser,
"type" => "refresh"
);
$jwt_refresh_token = \Firebase\JWT\JWT::encode($refresh_token, $key, 'HS256');
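Review bot: The refresh-token branch added in the `@ -127` hunk never checks whether `validateToken()` succeeded: on a revoked or unknown-user token it returns `array(false, "...")` (as the second file's hunks show), so `$ret[0]['Username']` evaluates to null and a new access/refresh token pair is still minted with `"user" => null`. The failure should be rejected before the username is derived, e.g. `list($ret, $msg) = validateToken($mToken, 'refresh');`, `if (!$ret) { throw new ForbiddenException(__($msg)); }`, `$mUser = $ret['Username'];` — `ForbiddenException` is already thrown a few lines earlier in the same function for the missing AUTH_HASH_SECRET case. `validateToken()` also sets `$_SESSION['loginFailed']`, which this path never consults, so the throw is the only signal the caller would get. `_getCredentials` is declared in the preceding hunk and its body continues past this one, so the same check may belong wherever `$mUser` is first used if the structure differs from what is visible here.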


@ -244,7 +244,7 @@ function validateToken ($token, $allowed_token_type='access') {
$minIssuedAt = $saved_user_details['TokenMinExpiry'];
if ($issuedAt < $minIssuedAt) {
ZM\Error ("Token revoked for $username. Please generate a new token");
ZM\Error ("Token revoked for \"$username\". Please generate a new token");
$_SESSION['loginFailed'] = true;
unset($user);
return array(false, "Token revoked. Please re-generate");
@ -253,7 +253,7 @@ function validateToken ($token, $allowed_token_type='access') {
$user = $saved_user_details;
return array($user, "OK");
} else {
ZM\Error ("Could not retrieve user $username details");
ZM\Error ("Could not retrieve user \"$username\" details");
$_SESSION['loginFailed'] = true;
unset($user);
return array(false, "No such user/credentials");