owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

OAuth2 token request behaves incorrectly with invalid token #31211

Open IljaN opened 6 years ago

IljaN commented 6 years ago

Request to the OCS API with an incorrect OAuth2 token:

```http
GET http://localhost:8001/ocs/v2.php/apps/notifications/api/v1/notifications?format=json
Authorization: Bearer GmTINDYkByLjFIAQoxHf7KFXr8F3XsPhwApSADkQFRpotfwlnYKeMkj3RHaUNMcZ
```

:x: Returns 200 with an empty body instead of 401 if the token is incorrect.

Request to the AJAX API with an incorrect OAuth2 token:

```http
GET http://localhost:8001/index.php/apps/files/ajax/getstoragestats.php?dir=%2F
Authorization: Bearer GmTINDYkByLjFIAQoxHf7KFXr8F3XsPhwApSADkQFRpotfwlnYKeMkj3RHaUNMcZ
```

:x: Returns 500 if the token is incorrect.

Stacktrace:

```
[Thu Apr 19 16:46:21 2018] Exception: Exception, Message: "Invalid token", Code: 0
File: /home/ilja/octestinstances/owncloud/apps/oauth2/lib/AuthModule.php, Line: 53
#0 /home/ilja/octestinstances/owncloud/lib/private/User/Session.php(830): OCA\OAuth2\AuthModule->auth(Object(OC\AppFramework\Http\Request))
#1 /home/ilja/octestinstances/owncloud/lib/base.php(966): OC\User\Session->tryAuthModuleLogin(Object(OC\AppFramework\Http\Request))
#2 /home/ilja/octestinstances/owncloud/lib/private/legacy/json.php(70): OC::handleLogin(Object(OC\AppFramework\Http\Request))
#3 /home/ilja/octestinstances/owncloud/lib/public/JSON.php(67): OC_JSON::checkLoggedIn()
#4 /home/ilja/octestinstances/owncloud/apps/files/ajax/getstoragestats.php(31): OCP\JSON::checkLoggedIn()
#5 /home/ilja/octestinstances/owncloud/lib/private/Route/Route.php(155): require_once('/home/ilja/octe...')
#6 [internal function]: OC\Route\Route->OC\Route\{closure}(NULL)
#7 /home/ilja/octestinstances/owncloud/lib/private/Route/Router.php(342): call_user_func(Object(Closure), Array)
#8 /home/ilja/octestinstances/owncloud/lib/base.php(912): OC\Route\Router->match('/apps/files/aja...')
#9 /home/ilja/octestinstances/owncloud/index.php(55): OC::handleRequest()
#10 {main}
```

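
As an added example, not ownCloud's code and not part of the original issue: a small probe that sends the bearer token from the report to the two endpoints above and classifies each response against RFC 6750, which requires a resource server to reject an invalid access token with a 401 carrying a `WWW-Authenticate: Bearer` challenge (normally with `error="invalid_token"`). An empty 200 silently accepts the request from the client's point of view, and a 500 means the "Invalid token" exception escaped the auth module unhandled. The `live_transport`, `reported_transport`, `classify` and `probe` names are invented here; `reported_transport` is a constructed stand-in that answers with the 200 and 500 described in the report so the script runs offline.

```python
import urllib.error
import urllib.request

# Token copied from the report; no server issued it, so every endpoint
# should answer 401 with a Bearer challenge.
BOGUS_TOKEN = "GmTINDYkByLjFIAQoxHf7KFXr8F3XsPhwApSADkQFRpotfwlnYKeMkj3RHaUNMcZ"

# The two endpoints exercised in the report.
ENDPOINTS = [
    "/ocs/v2.php/apps/notifications/api/v1/notifications?format=json",
    "/index.php/apps/files/ajax/getstoragestats.php?dir=%2F",
]


def _lower_keys(headers):
    """Normalise header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def live_transport(base_url):
    """Return send(path, token) -> (status, headers, body) doing a real GET
    against base_url, e.g. "http://localhost:8001" (hypothetical helper)."""
    def send(path, token):
        req = urllib.request.Request(
            base_url + path, headers={"Authorization": "Bearer " + token})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return (resp.status, _lower_keys(resp.headers),
                        resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            # urllib raises on 4xx/5xx; the exception is the response.
            return (err.code, _lower_keys(err.headers),
                    err.read().decode("utf-8", "replace"))
    return send


def reported_transport(path, token):
    """Constructed offline stand-in answering exactly as the report describes."""
    if path.startswith("/ocs/"):
        return 200, {}, ""   # OCS: empty 200 instead of 401
    if "/ajax/" in path:
        return 500, {}, ""   # AJAX: "Invalid token" exception escaped as a 500
    return 404, {}, ""


def classify(status, headers, body):
    """Judge one response to a request that carried an invalid bearer token."""
    if status == 401:
        challenge = headers.get("www-authenticate", "")
        if challenge.lower().startswith("bearer"):
            return "ok"
        return "401 without a WWW-Authenticate: Bearer challenge (RFC 6750 section 3)"
    if status >= 500:
        return "server error: bad credentials escaped as an unhandled exception"
    if 200 <= status < 300:
        return "accepted: invalid token produced a success status"
    return "unexpected status %d" % status


def probe(send, paths=ENDPOINTS, token=BOGUS_TOKEN):
    """Send the bogus token to every path via `send`; map path -> verdict."""
    return {path: classify(*send(path, token)) for path in paths}


if __name__ == "__main__":
    # Offline run against the constructed transport; swap in
    # live_transport("http://localhost:8001") to check a real instance.
    for path, verdict in probe(reported_transport).items():
        print(verdict, "<-", path)
```

Against the constructed transport the OCS endpoint is reported as "accepted" and the AJAX endpoint as "server error"; a fixed server should make both lines read "ok". The `classify` check treats a 401 without a Bearer challenge as its own finding, since many clients key their re-authentication logic off that header rather than the status alone.
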
ownclouders commented 6 years ago

GitMate.io thinks the contributor most likely able to help you is @PVince81.

Possibly related issues are https://github.com/owncloud/core/issues/5453 (Make it possible to request an auth token), https://github.com/owncloud/core/issues/3853 (request token is missing on upgrade), https://github.com/owncloud/core/issues/7923 (invalid ticket), https://github.com/owncloud/core/issues/7907 (invalid ticket), and https://github.com/owncloud/core/issues/29779 (Session handling: api and webdav requests with basic auth or oauth2 tokens shall not start a session).

PVince81 commented 6 years ago

moving to backlog, will need rescheduling to finish