From 496608e87f34ea2af44265ffc12a2298707a8d2e Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms
Date: Thu, 8 Aug 2024 10:09:19 +0200
Subject: remove nonce check and allow short signature method names for signing requests, re #4463

---
 db/migrations/6.0.13_add_oauth1_nonces_table.php | 27 ----------------
 lib/classes/OAuth1.php | 41 +++++------------------
 2 files changed, 8 insertions(+), 60 deletions(-)
 delete mode 100644 db/migrations/6.0.13_add_oauth1_nonces_table.php

diff --git a/db/migrations/6.0.13_add_oauth1_nonces_table.php b/db/migrations/6.0.13_add_oauth1_nonces_table.php
deleted file mode 100644
index a20ffb0..0000000
--- a/db/migrations/6.0.13_add_oauth1_nonces_table.php
+++ /dev/null
@@ -1,27 +0,0 @@
-exec($query);
- }
-
- protected function down()
- {
- $query = "DROP TABLE `oauth1_nonces`";
- DBManager::get()->exec($query);
- }
-};
diff --git a/lib/classes/OAuth1.php b/lib/classes/OAuth1.php
index 413bd63..e1c7633 100644
--- a/lib/classes/OAuth1.php
+++ b/lib/classes/OAuth1.php
@@ -33,8 +33,14 @@ final class OAuth1
 throw new RuntimeException(self::class . ' only supports OAuth 1.0 requests');
 }
+ $allowed_replacements_methods = [
+ 'sha1' => 'hmac-sha1',
+ 'sha256' => 'hmac-sha256',
+ 'sha512' => 'hmac-sha512',
+ ];
+
 return self::hash(
- $method,
+ $allowed_replacements_methods[$method] ?? $method,
 self::getSignatureBaseString($request),
 rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret)
 );
@@ -52,11 +58,7 @@ final class OAuth1
 ): bool {
 $parameters = self::extractParameters($request);
- if ($parameters['oauth_timestamp'] < time() - 3600) {
- return false;
- }
-
- if (!self::checkNonce($parameters['oauth_nonce'], $parameters['oauth_timestamp'])) {
+ if ($parameters['oauth_timestamp'] < time() - 5 * 60) {
 return false;
 }
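Review bot: The alias map added before `self::hash` is rebuilt on every call and its name, `$allowed_replacements_methods`, does not say what it holds; a `private const SIGNATURE_METHOD_ALIASES` on the class with the same three entries, looked up as `self::SIGNATURE_METHOD_ALIASES[$method] ?? $method,`, would read better and could be reused by the verification path if short names are meant to be accepted there as well. The lookup is also case-sensitive, so a value such as `'SHA256'` falls through unchanged and presumably reaches the `default => throw` in hash(); if the short names are meant to be tolerant, normalise with `strtolower($method)` before the lookup. The enclosing signing method starts before the hunk.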
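Review bot: With the checkNonce() call removed, the timestamp test on the new `if` line is the only thing bounding replay of a captured signed request, and it rejects only timestamps older than five minutes: a value set in the future passes, so such a request stays acceptable until that time has elapsed rather than for a five-minute window. Bound both directions, e.g. `if (abs((int) $parameters['oauth_timestamp'] - time()) > 5 * 60) {`. The explicit cast also matters if extractParameters() hands back the raw string, because under PHP 8 rules an int compared with a non-numeric string is compared as strings and may slip past this check; extractParameters() is outside the hunk, so confirm what it returns. A short comment above the check stating the accepted clock skew and that replays inside it are no longer detected server-side would document the trade-off this commit makes. The verifying method starts before the hunk.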
@@ -171,31 +173,4 @@ final class OAuth1
 default => throw new RuntimeException('Unsupported sigature method "' . $method . '"'),
 };
 }
-
- /**
- * Checks whether the combination of nonce and timestamp has already been
- * used. If not, the combination will be stored for future checks.
- */
- public static function checkNonce(string $nonce, int $timestamp): bool
- {
- // Remove all outdated entries from nonces table
- $query = "DELETE FROM `oauth1_nonces`
- WHERE `timestamp` < NOW() - INTERVAL 5 MINUTE";
- DBManager::get()->exec($query);
-
- // Query if the combination of nonce and timestamp has already been used
- $query = "SELECT 1
- FROM `oauth1_nonces`
- WHERE `timestamp` = FROM_UNIXTIME(?)
- AND `nonce` = ?";
- if (DBManager::get()->fetchColumn($query, [$nonce, $timestamp])) {
- return false;
- }
-
- // Store combination of nonce and timestamp
- $query = "INSERT INTO `oauth1_nonces` VALUES (FROM_UNIXTIME(?), ?)";
- DBManager::get()->execute($query, [$timestamp, $nonce]);
-
- return true;
- }
 }
-- cgit v1.0