
Harmonize user session creation #50194

Open
julien-nc opened this issue Jan 15, 2025 · 2 comments
Labels: 0. Needs triage, feature: authentication, ♻️ refactor

Comments

@julien-nc
Member

Context

While implementing OIDC support in Global Scale, we checked how SAML was supported. The GSS master node actually listens to OCP\User\Events\BeforeUserLoggedInEvent. This event is emitted when authenticating via user_saml because the user session is created by user_saml's IApacheBackend user backend. This can be considered a trick, as a user backend should implement IApacheBackend only to deal with authentication during API requests using headers or session variables to get credentials.
The user_oidc app has a different approach to creating the user session on login; it manipulates the user session:

```php
$this->userSession->setUser($user);
$this->userSession->completeLogin($user, ['loginName' => $user->getUID(), 'password' => '']);
$this->userSession->createSessionToken($this->request, $user->getUID(), $user->getUID());
$this->userSession->createRememberMeToken($user);
```

This actually does not dispatch OCP\User\Events\BeforeUserLoggedInEvent, so we had to dispatch it manually.

Suggestion

It would be nice to find a way to make sure all the apps implementing a user backend emit the correct events and complete the login process correctly. Event dispatching could be moved somewhere in the IUserSession implementation, for example.

The goal would be to prevent breaking apps that took OC_User::loginWithApache as inspiration to implement their login logic when there is a change in the server.

cc @juliusknorr

julien-nc added the labels 0. Needs triage, feature: authentication and ♻️ refactor on Jan 15, 2025
@juliusknorr
Member

Thanks for filing. We may also want to consider adapting this more towards the "normal" login steps where @ChristophWurst implemented a command chain:

```php
$chain = $this->preLoginHookCommand;
$chain
    ->setNext($this->userDisabledCheckCommand)
    ->setNext($this->uidLoginCommand)
    ->setNext($this->emailLoginCommand)
    ->setNext($this->loggedInCheckCommand)
    ->setNext($this->completeLoginCommand)
    ->setNext($this->createSessionTokenCommand)
    ->setNext($this->clearLostPasswordTokensCommand)
    ->setNext($this->updateLastPasswordConfirmCommand)
    ->setNext($this->setUserTimezoneCommand)
    ->setNext($this->twoFactorCommand)
    ->setNext($this->finishRememberedLoginCommand);
return $chain->process($loginData);
```

That seems like a nice pattern that could be adapted, and where probably a lot of logic can just be reused.
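As an added, self-contained sketch (not the server's own classes, nor code from the issue), here is a minimal PHP version of such a chain in which dispatching the before-login event is itself a chain step, so a backend that hands its login data to the chain cannot skip the event the issue describes. Every class, the LoginData fields, the event names and the disabled-user list are invented for this illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical sketch, not Nextcloud's classes: a login command chain in the style of
// the snippet above, where dispatching the before-login event is itself a chain step.
final class LoginData { // $uid is filled in once a step has resolved the account
    public ?string $uid = null;
    public function __construct(public string $loginName, public string $password) {}
}
final class LoginResult { public function __construct(public bool $success, public ?string $reason = null) {} }
abstract class ALoginCommand {
    private ?ALoginCommand $next = null;
    // Returns the appended command so calls can be chained as in the comment above.
    public function setNext(ALoginCommand $next): ALoginCommand { $this->next = $next; return $next; }
    abstract public function process(LoginData $data): LoginResult;
    // Hand over to the next step, or finish successfully at the end of the chain.
    protected function processNextOrFinish(LoginData $data): LoginResult {
        return $this->next === null ? new LoginResult(true) : $this->next->process($data);
    }
}
// Step 1: emit "before login" here, so listeners (a GSS master node, say) see it for every backend.
final class PreLoginHookCommand extends ALoginCommand {
    public function __construct(private Closure $dispatch) {}
    public function process(LoginData $data): LoginResult {
        ($this->dispatch)('BeforeUserLoggedIn', $data->loginName);
        return $this->processNextOrFinish($data);
    }
}
// Step 2: reject disabled accounts before any session state exists (constructed list).
final class UserDisabledCheckCommand extends ALoginCommand {
    private const DISABLED = ['mallory'];
    public function process(LoginData $data): LoginResult {
        return in_array($data->loginName, self::DISABLED, true)
            ? new LoginResult(false, 'user disabled')
            : $this->processNextOrFinish($data);
    }
}
// Step 3: resolve the account, create the session, then emit "after login".
final class CompleteLoginCommand extends ALoginCommand {
    public function __construct(private Closure $dispatch) {}
    public function process(LoginData $data): LoginResult {
        $data->uid = $data->loginName; // a real step would ask the user backend
        ($this->dispatch)('UserLoggedIn', $data->uid);
        return $this->processNextOrFinish($data);
    }
}
$log = []; // stands in for the event dispatcher's listeners
$dispatch = function (string $event, string $subject) use (&$log): void { $log[] = "$event:$subject"; };
$chain = new PreLoginHookCommand($dispatch);
$chain->setNext(new UserDisabledCheckCommand())->setNext(new CompleteLoginCommand($dispatch));
var_dump($chain->process(new LoginData('alice', ''))->success, $log);
```

Swapping 'alice' for 'mallory' shows the other property worth having: the chain stops at the disabled check, so no session token is created and no "after login" event fires.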

@joshtrichards
Member

Related: #21119
