Merge pull request #58013 from nextcloud/backport/58009/stable32

[stable32] fix(federation): Don't ask the database for an empty url

Author: nickvergessen

apps/federation/lib/Controller/OCSAuthAPIController.php

@@ -163,7 +163,10 @@ public function getSharedSecret(string $url, string $token): DataResponse {
 	}
 
 	protected function isValidToken(string $url, string $token): bool {
+		if ($url === '' || $token === '') {
+			return false;
+		}
 		$storedToken = $this->dbHandler->getToken($url);
-		return hash_equals($storedToken, $token);
+		return $storedToken !== '' && hash_equals($storedToken, $token);
 	}
 }

apps/federation/tests/Controller/OCSAuthAPIControllerTest.php

@@ -110,28 +110,24 @@ public function testGetSharedSecret(bool $isTrustedServer, bool $isValidToken, b
 		$token = 'token';
 
 		/** @var OCSAuthAPIController&MockObject $ocsAuthApi */
-		$ocsAuthApi = $this->getMockBuilder(OCSAuthAPIController::class)
-			->setConstructorArgs(
-				[
-					'federation',
-					$this->request,
-					$this->secureRandom,
-					$this->jobList,
-					$this->trustedServers,
-					$this->dbHandler,
-					$this->logger,
-					$this->timeFactory,
-					$this->throttler
-				]
-			)
-			->onlyMethods(['isValidToken'])
-			->getMock();
+		$ocsAuthApi = new OCSAuthAPIController(
+			'federation',
+			$this->request,
+			$this->secureRandom,
+			$this->jobList,
+			$this->trustedServers,
+			$this->dbHandler,
+			$this->logger,
+			$this->timeFactory,
+			$this->throttler,
+		);
 
 		$this->trustedServers
 			->expects($this->any())
 			->method('isTrustedServer')->with($url)->willReturn($isTrustedServer);
-		$ocsAuthApi->expects($this->any())
-			->method('isValidToken')->with($url, $token)->willReturn($isValidToken);
+		$this->dbHandler->method('getToken')
+			->with($url)
+			->willReturn($isValidToken ? $token : 'not $token');
 
 		if ($ok) {
 			$this->secureRandom->expects($this->once())->method('generate')->with(32)