Merge pull request nextcloud#54545 from nextcloud/enh/noid/add-token-invalidated-event

Dispatch new event when invalidating an authentication token

Author: julien-nc

lib/composer/composer/autoload_classmap.php

@@ -157,6 +157,7 @@
     'OCP\\App\\ManagerEvent' => $baseDir . '/lib/public/App/ManagerEvent.php',
     'OCP\\Authentication\\Events\\AnyLoginFailedEvent' => $baseDir . '/lib/public/Authentication/Events/AnyLoginFailedEvent.php',
     'OCP\\Authentication\\Events\\LoginFailedEvent' => $baseDir . '/lib/public/Authentication/Events/LoginFailedEvent.php',
+    'OCP\\Authentication\\Events\\TokenInvalidatedEvent' => $baseDir . '/lib/public/Authentication/Events/TokenInvalidatedEvent.php',
     'OCP\\Authentication\\Exceptions\\CredentialsUnavailableException' => $baseDir . '/lib/public/Authentication/Exceptions/CredentialsUnavailableException.php',
     'OCP\\Authentication\\Exceptions\\ExpiredTokenException' => $baseDir . '/lib/public/Authentication/Exceptions/ExpiredTokenException.php',
     'OCP\\Authentication\\Exceptions\\InvalidTokenException' => $baseDir . '/lib/public/Authentication/Exceptions/InvalidTokenException.php',

lib/composer/composer/autoload_static.php

@@ -198,6 +198,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OCP\\App\\ManagerEvent' => __DIR__ . '/../../..' . '/lib/public/App/ManagerEvent.php',
         'OCP\\Authentication\\Events\\AnyLoginFailedEvent' => __DIR__ . '/../../..' . '/lib/public/Authentication/Events/AnyLoginFailedEvent.php',
         'OCP\\Authentication\\Events\\LoginFailedEvent' => __DIR__ . '/../../..' . '/lib/public/Authentication/Events/LoginFailedEvent.php',
+        'OCP\\Authentication\\Events\\TokenInvalidatedEvent' => __DIR__ . '/../../..' . '/lib/public/Authentication/Events/TokenInvalidatedEvent.php',
         'OCP\\Authentication\\Exceptions\\CredentialsUnavailableException' => __DIR__ . '/../../..' . '/lib/public/Authentication/Exceptions/CredentialsUnavailableException.php',
         'OCP\\Authentication\\Exceptions\\ExpiredTokenException' => __DIR__ . '/../../..' . '/lib/public/Authentication/Exceptions/ExpiredTokenException.php',
         'OCP\\Authentication\\Exceptions\\InvalidTokenException' => __DIR__ . '/../../..' . '/lib/public/Authentication/Exceptions/InvalidTokenException.php',

lib/private/Authentication/Token/PublicKeyTokenProvider.php

@@ -15,7 +15,9 @@
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\TTransactional;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Authentication\Events\TokenInvalidatedEvent;
 use OCP\Authentication\Token\IToken as OCPIToken;
+use OCP\EventDispatcher\IEventDispatcher;
 use OCP\ICache;
 use OCP\ICacheFactory;
 use OCP\IConfig;
@@ -55,14 +57,18 @@ class PublicKeyTokenProvider implements IProvider {
 	/** @var IHasher */
 	private $hasher;
 
+	private IEventDispatcher $eventDispatcher;
+
 	public function __construct(PublicKeyTokenMapper $mapper,
 		ICrypto $crypto,
 		IConfig $config,
 		IDBConnection $db,
 		LoggerInterface $logger,
 		ITimeFactory $time,
 		IHasher $hasher,
-		ICacheFactory $cacheFactory) {
+		ICacheFactory $cacheFactory,
+		IEventDispatcher $eventDispatcher,
+	) {
 		$this->mapper = $mapper;
 		$this->crypto = $crypto;
 		$this->config = $config;
@@ -74,6 +80,7 @@ public function __construct(PublicKeyTokenMapper $mapper,
 			? $cacheFactory->createLocal('authtoken_')
 			: $cacheFactory->createInMemory();
 		$this->hasher = $hasher;
+		$this->eventDispatcher = $eventDispatcher;
 	}
 
 	/**
@@ -263,9 +270,17 @@ public function renewSessionToken(string $oldSessionId, string $sessionId): OCPI
 
 	public function invalidateToken(string $token) {
 		$tokenHash = $this->hashToken($token);
+		$tokenEntry = null;
+		try {
+			$tokenEntry = $this->mapper->getToken($tokenHash);
+		} catch (DoesNotExistException) {
+		}
 		$this->mapper->invalidate($this->hashToken($token));
 		$this->mapper->invalidate($this->hashTokenWithEmptySecret($token));
 		$this->cacheInvalidHash($tokenHash);
+		if ($tokenEntry !== null) {
+			$this->eventDispatcher->dispatchTyped(new TokenInvalidatedEvent($tokenEntry));
+		}
 	}
 
 	public function invalidateTokenById(string $uid, int $id) {
@@ -275,7 +290,7 @@ public function invalidateTokenById(string $uid, int $id) {
 		}
 		$this->mapper->invalidate($token->getToken());
 		$this->cacheInvalidHash($token->getToken());
-
+		$this->eventDispatcher->dispatchTyped(new TokenInvalidatedEvent($token));
 	}
 
 	public function invalidateOldTokens() {

lib/public/Authentication/Events/TokenInvalidatedEvent.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Authentication\Events;
+
+use OCP\Authentication\Token\IToken;
+use OCP\EventDispatcher\Event;
+
+/**
+ * Emitted when an authentication token is invalidated
+ *
+ * @since 32.0.0
+ */
+class TokenInvalidatedEvent extends Event {
+
+	/**
+	 * @since 32.0.0
+	 */
+	public function __construct(
+		private IToken $token,
+	) {
+		parent::__construct();
+	}
+
+	/**
+	 * returns the token that has been invalidated
+	 *
+	 * @since 32.0.0
+	 */
+	public function getToken(): IToken {
+		return $this->token;
+	}
+}

tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php

@@ -18,6 +18,7 @@
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\Token\IToken;
+use OCP\EventDispatcher\IEventDispatcher;
 use OCP\ICacheFactory;
 use OCP\IConfig;
 use OCP\IDBConnection;
@@ -49,6 +50,8 @@ class PublicKeyTokenProviderTest extends TestCase {
 	private $cacheFactory;
 	/** @var int */
 	private $time;
+	/** @var IEventDispatcher */
+	private $eventDispatcher;
 
 	protected function setUp(): void {
 		parent::setUp();
@@ -72,6 +75,7 @@ protected function setUp(): void {
 		$this->timeFactory->method('getTime')
 			->willReturn($this->time);
 		$this->cacheFactory = $this->createMock(ICacheFactory::class);
+		$this->eventDispatcher = Server::get(IEventDispatcher::class);
 
 		$this->tokenProvider = new PublicKeyTokenProvider(
 			$this->mapper,
@@ -82,6 +86,7 @@ protected function setUp(): void {
 			$this->timeFactory,
 			$this->hasher,
 			$this->cacheFactory,
+			$this->eventDispatcher,
 		);
 	}