From 331d88bcabd4a66b0efc89fa28b90d26e88f4637 Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@owncloud.com>
Date: Mon, 13 Jun 2016 15:38:34 +0200
Subject: [PATCH] create session token on all APIs

---
 apps/dav/lib/Connector/Sabre/Auth.php                    | 3 +--
 .../AppFramework/Middleware/Security/CORSMiddleware.php  | 2 +-
 lib/private/User/Session.php                             | 9 +++++++--
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php
index 653da10bc3c..51f0acbe2ee 100644
--- a/apps/dav/lib/Connector/Sabre/Auth.php
+++ b/apps/dav/lib/Connector/Sabre/Auth.php
@@ -115,8 +115,7 @@ class Auth extends AbstractBasic {
 			return true;
 		} else {
 			\OC_Util::setupFS(); //login hooks may need early access to the filesystem
-			if($this->userSession->logClientIn($username, $password)) {
-				$this->userSession->createSessionToken($this->request, $this->userSession->getUser()->getUID(), $username, $password);
+			if($this->userSession->logClientIn($username, $password, $this->request)) {
 				\OC_Util::setupFS($this->userSession->getUser()->getUID());
 				$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
 				$this->session->close();
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index d84e9963436..69bfeb5e9bb 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -89,7 +89,7 @@ class CORSMiddleware extends Middleware {
 			$pass = $this->request->server['PHP_AUTH_PW'];
 
 			$this->session->logout();
-			if(!$this->session->logClientIn($user, $pass)) {
+			if(!$this->session->logClientIn($user, $pass, $this->request)) {
 				throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
 			}
 		}
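Review bot: The call `logClientIn($user, $pass, $this->request)` now also creates a session token on every CORS request that carries basic-auth credentials, although this path calls `$this->session->logout()` first and so looks intended to be stateless. Nothing visible here reuses or removes that token, so a client that sends credentials on each request would appear to leave one stored token per request, each created from the submitted credentials. I would document the side effect at this call, e.g. `// logClientIn also creates a session token for this request`, or give callers a way to log in without creating a token. The enclosing method starts and ends outside the hunk.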
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index f560bb4bfc0..0376e81b6dc 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -348,10 +348,11 @@ class Session implements IUserSession, Emitter {
 	 *
 	 * @param string $user
 	 * @param string $password
+	 * @param IRequest $request
 	 * @throws LoginException
 	 * @return boolean
 	 */
-	public function logClientIn($user, $password) {
+	public function logClientIn($user, $password, IRequest $request) {
 		$isTokenPassword = $this->isTokenPassword($password);
 		if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
 			// TODO: throw LoginException instead (https://github.com/owncloud/core/pull/24616)
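Review bot: The docblock for `logClientIn` gains `@param IRequest $request` without saying what the request is used for, and the summary does not mention that a successful login now also creates a session token. I would describe the parameter, e.g. `@param IRequest $request request the session token is created for`, and add a sentence to the summary about the token side effect. Because the new parameter is required on a public method, any caller not updated in this commit would fail at call time; the visible diff updates three call sites. The method body continues outside the hunk.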
@@ -368,6 +369,9 @@ class Session implements IUserSession, Emitter {
 			}
 			return false;
 		}
+
+		$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
+
 		return true;
 	}
 
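Review bot: The added `createSessionToken(...)` call runs on every successful login, including when `$password` is itself a token (`$isTokenPassword`, computed at the top of the method), so a token login would create a further token with the existing token passed as the password argument. Its return value is also ignored, so a failed token creation still reports a successful login. A guard would stop token logins from multiplying tokens: `if (!$isTokenPassword) { $this->createSessionToken($request, $this->getUser()->getUID(), $user, $password); }`. The lines between this hunk and the previous one are not visible, so this assumes the token branch also reaches this point.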
@@ -428,7 +432,8 @@ class Session implements IUserSession, Emitter {
 	 */
 	public function tryBasicAuthLogin(IRequest $request) {
 		if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
-			$result = $this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW']);
+			$request = \OC::$server->getRequest();
+			$result = $this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request);
 			if ($result === true) {
 				/**
 				 * Add DAV authenticated. This should in an ideal world not be
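Review bot: The added `$request = \OC::$server->getRequest();` overwrites the `$request` parameter after the `!empty(...)` checks have already run against the caller's object, so the credentials that were checked and the credentials that are used can come from two different request instances. It also makes the parameter meaningless past the guard and ties the method to the global container. Dropping that line and passing the argument through keeps a single source for the credentials: `$result = $this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request);`. The method body continues past the end of the hunk.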
-- 
GitLab