Check the user on remote wipe

Signed-off-by: Joas Schilling <coding@schilljs.com>

apps/settings/lib/Controller/AuthSettingsController.php

@@ -289,7 +289,13 @@ class AuthSettingsController extends Controller {
 	 * @throws \OC\Authentication\Exceptions\ExpiredTokenException
 	 */
 	public function wipe(int $id): JSONResponse {
-		if (!$this->remoteWipe->markTokenForWipe($id)) {
+		try {
+			$token = $this->findTokenByIdAndUser($id);
+		} catch (InvalidTokenException $e) {
+			return new JSONResponse([], Http::STATUS_NOT_FOUND);
+		}
+
+		if (!$this->remoteWipe->markTokenForWipe($token)) {
 			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
 		}
 

apps/settings/tests/Controller/AuthSettingsControllerTest.php

@@ -36,6 +36,7 @@ use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\DefaultToken;
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
+use OC\Authentication\Token\IWipeableToken;
 use OC\Authentication\Token\RemoteWipe;
 use OCA\Settings\Controller\AuthSettingsController;
 use OCP\Activity\IEvent;
@@ -428,9 +429,15 @@ class AuthSettingsControllerTest extends TestCase {
 	}
 
 	public function testRemoteWipeNotSuccessful(): void {
+		$token = $this->createMock(IToken::class);
+		$token->expects($this->once())
+			->method('getUID')
+			->willReturn($this->uid);
+		$this->mockGetTokenById(123, $token);
+
 		$this->remoteWipe->expects($this->once())
 			->method('markTokenForWipe')
-			->with(123)
+			->with($token)
 			->willReturn(false);
 
 		$response = $this->controller->wipe(123);
@@ -439,10 +446,32 @@ class AuthSettingsControllerTest extends TestCase {
 		$this->assertEquals($expected, $response);
 	}
 
+	public function testRemoteWipeWrongUser(): void {
+		$token = $this->createMock(IToken::class);
+		$token->expects($this->once())
+			->method('getUID')
+			->willReturn('definetly-not-' . $this->uid);
+		$this->mockGetTokenById(123, $token);
+
+		$this->remoteWipe->expects($this->never())
+			->method('markTokenForWipe');
+
+		$response = $this->controller->wipe(123);
+
+		$expected = new JSONResponse([], Http::STATUS_NOT_FOUND);
+		$this->assertEquals($expected, $response);
+	}
+
 	public function testRemoteWipeSuccessful(): void {
+		$token = $this->createMock(IWipeableToken::class);
+		$token->expects($this->once())
+			->method('getUID')
+			->willReturn($this->uid);
+		$this->mockGetTokenById(123, $token);
+
 		$this->remoteWipe->expects($this->once())
 			->method('markTokenForWipe')
-			->with(123)
+			->with($token)
 			->willReturn(true);
 
 		$response = $this->controller->wipe(123);

lib/private/Authentication/Token/RemoteWipe.php

@@ -57,18 +57,14 @@ class RemoteWipe {
 	}
 
 	/**
-	 * @param int $id
-	 *
+	 * @param IToken $token
 	 * @return bool
 	 *
 	 * @throws InvalidTokenException
 	 * @throws WipeTokenException
-	 * @throws ExpiredTokenException
 	 */
-	public function markTokenForWipe(int $id): bool {
-		$token = $this->tokenProvider->getTokenById($id);
-
-		if (!($token instanceof IWipeableToken)) {
+	public function markTokenForWipe(IToken $token): bool {
+		if (!$token instanceof IWipeableToken) {
 			return false;
 		}
 

tests/lib/Authentication/Token/RemoteWipeTest.php

@@ -67,30 +67,20 @@ class RemoteWipeTest extends TestCase {
 
 	public function testMarkNonWipableTokenForWipe(): void {
 		$token = $this->createMock(IToken::class);
-		$this->tokenProvider->expects($this->once())
-			->method('getTokenById')
-			->with(123)
-			->willReturn($token);
-
-		$result = $this->remoteWipe->markTokenForWipe(123);
-
+		$result = $this->remoteWipe->markTokenForWipe($token);
 		$this->assertFalse($result);
 	}
 
 	public function testMarkTokenForWipe(): void {
 		$token = $this->createMock(IWipeableToken::class);
-		$this->tokenProvider->expects($this->once())
-			->method('getTokenById')
-			->with(123)
-			->willReturn($token);
 		$token->expects($this->once())
 			->method('wipe');
+
 		$this->tokenProvider->expects($this->once())
 			->method('updateToken')
 			->with($token);
 
-		$result = $this->remoteWipe->markTokenForWipe(123);
-
+		$result = $this->remoteWipe->markTokenForWipe($token);
 		$this->assertTrue($result);
 	}