fix(Session): restore session data after cookie login

when a browser is closed and the session lost, a new session might be
started with the help of the remember me cookie. For we keep some data in
the session, like the IdP identifier, and some SAML data needed for SLO,
those were lost in this process. This made especially logout behaviour
not acting as expected.

Now we keep the required data also in the database and can restore it on
a cookie login event.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

Author: blizzz

appinfo/info.xml

@@ -20,7 +20,7 @@ The following providers are supported and tested at the moment:
 	* Any other provider that authenticates using the environment variable
 
 While theoretically any other authentication provider implementing either one of those standards is compatible, we like to note that they are not part of any internal test matrix.]]></description>
-	<version>7.1.1</version>
+	<version>7.1.2-beta.1</version>
 	<licence>agpl</licence>
 	<author>Lukas Reschke</author>
 	<namespace>User_SAML</namespace>

lib/AppInfo/Application.php

@@ -16,10 +16,12 @@
 use OCA\User_SAML\DavPlugin;
 use OCA\User_SAML\GroupBackend;
 use OCA\User_SAML\GroupManager;
+use OCA\User_SAML\Listener\CookieLoginEventListener;
 use OCA\User_SAML\Listener\LoadAdditionalScriptsListener;
 use OCA\User_SAML\Listener\SabrePluginEventListener;
 use OCA\User_SAML\Middleware\OnlyLoggedInMiddleware;
 use OCA\User_SAML\SAMLSettings;
+use OCA\User_SAML\Service\SessionService;
 use OCA\User_SAML\UserBackend;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@@ -38,6 +40,8 @@
 use OCP\IUserSession;
 use OCP\L10N\IFactory;
 use OCP\Server;
+use OCP\User\Events\BeforeUserLoggedInWithCookieEvent;
+use OCP\User\Events\UserLoggedInWithCookieEvent;
 use Psr\Container\ContainerInterface;
 use Psr\Log\LoggerInterface;
 use Throwable;
@@ -53,11 +57,14 @@ public function register(IRegistrationContext $context): void {
 		$context->registerMiddleware(OnlyLoggedInMiddleware::class);
 		$context->registerEventListener(BeforeTemplateRenderedEvent::class, LoadAdditionalScriptsListener::class);
 		$context->registerEventListener(SabrePluginAddEvent::class, SabrePluginEventListener::class);
+		$context->registerEventListener(BeforeUserLoggedInWithCookieEvent::class, CookieLoginEventListener::class);
+		$context->registerEventListener(UserLoggedInWithCookieEvent::class, CookieLoginEventListener::class);
 		$context->registerService(DavPlugin::class, fn (ContainerInterface $c) => new DavPlugin(
 			$c->get(ISession::class),
 			$c->get(IConfig::class),
 			$_SERVER,
-			$c->get(SAMLSettings::class)
+			$c->get(SAMLSettings::class),
+			$c->get(SessionService::class),
 		));
 	}
 

lib/Controller/SAMLController.php

@@ -17,6 +17,7 @@
 use OCA\User_SAML\Exceptions\UserFilterViolationException;
 use OCA\User_SAML\Helper\TXmlHelper;
 use OCA\User_SAML\SAMLSettings;
+use OCA\User_SAML\Service\SessionService;
 use OCA\User_SAML\UserBackend;
 use OCA\User_SAML\UserData;
 use OCA\User_SAML\UserResolver;
@@ -57,6 +58,7 @@ public function __construct(
 		private UserData $userData,
 		private ICrypto $crypto,
 		private ITrustedDomainHelper $trustedDomainHelper,
+		private SessionService $sessionService,
 	) {
 		parent::__construct($appName, $request);
 	}
@@ -232,7 +234,7 @@ public function login(int $idp = 1): Http\RedirectResponse|Http\TemplateResponse
 				if (empty($ssoUrl)) {
 					$ssoUrl = $this->urlGenerator->getAbsoluteURL('/');
 				}
-				$this->session->set('user_saml.samlUserData', $_SERVER);
+				$this->sessionService->prepareEnvironmentBasedSession($_SERVER);
 				try {
 					$this->userData->setAttributes($this->session->get('user_saml.samlUserData'));
 					$this->autoprovisionIfPossible();
@@ -335,8 +337,8 @@ public function assertionConsumerService(): Http\RedirectResponse {
 		$AuthNRequestID = $data['AuthNRequestID'];
 		$idp = $data['Idp'];
 		// need to keep the IdP config ID during session lifetime (SAMLSettings::getPrefix)
-		$this->session->set('user_saml.Idp', $idp);
-		if (is_null($AuthNRequestID) || $AuthNRequestID === '' || is_null($idp)) {
+		$this->sessionService->storeIdentityProviderInSession($idp);
+		if (is_null($AuthNRequestID) || $AuthNRequestID === '') {
 			$this->logger->debug('Invalid auth payload', ['app' => 'user_saml']);
 			return new Http\RedirectResponse($this->urlGenerator->getAbsoluteURL('/'));
 		}
@@ -383,14 +385,8 @@ public function assertionConsumerService(): Http\RedirectResponse {
 			return $response;
 		}
 
-		$this->session->set('user_saml.samlUserData', $auth->getAttributes());
-		$this->session->set('user_saml.samlNameId', $auth->getNameId());
-		$this->session->set('user_saml.samlNameIdFormat', $auth->getNameIdFormat());
-		$this->session->set('user_saml.samlNameIdNameQualifier', $auth->getNameIdNameQualifier());
-		$this->session->set('user_saml.samlNameIdSPNameQualifier', $auth->getNameIdSPNameQualifier());
-		$this->session->set('user_saml.samlSessionIndex', $auth->getSessionIndex());
-		$this->session->set('user_saml.samlSessionExpiration', $auth->getSessionExpiration());
-		$this->logger->debug('Session values set', ['app' => 'user_saml']);
+		$this->sessionService->prepareSession($auth);
+
 		try {
 			$user = $this->userResolver->findExistingUser($this->userBackend->getCurrentUserId());
 			$firstLogin = $user->updateLastLoginTimestamp();
@@ -510,14 +506,14 @@ public function singleLogoutService(): Http\RedirectResponse {
 	 */
 	private function tryProcessSLOResponse(?int $idp): array {
 		$idps = ($idp !== null) ? [$idp] : array_keys($this->samlSettings->getListOfIdps());
-		foreach ($idps as $idp) {
+		foreach ($idps as $identityProviderId) {
 			try {
-				$auth = new Auth($this->samlSettings->getOneLoginSettingsArray($idp));
+				$auth = new Auth($this->samlSettings->getOneLoginSettingsArray($identityProviderId));
 				// validator (called with processSLO()) needs an XML entity loader
 				$targetUrl = $this->callWithXmlEntityLoader(fn (): string => $auth->processSLO(
 					true, // do not let processSLO to delete the entire session. Let userSession->logout do the job
 					null,
-					$this->samlSettings->usesSloWebServerDecode($idp),
+					$this->samlSettings->usesSloWebServerDecode($identityProviderId),
 					null,
 					true
 				));

lib/DavPlugin.php

@@ -8,40 +8,41 @@
 namespace OCA\User_SAML;
 
 use OCA\DAV\Connector\Sabre\Auth;
-use OCP\IConfig;
+use OCA\User_SAML\Service\SessionService;
+use OCP\AppFramework\Services\IAppConfig;
 use OCP\ISession;
 use Sabre\DAV\Server;
 use Sabre\DAV\ServerPlugin;
 use Sabre\HTTP\RequestInterface;
 use Sabre\HTTP\ResponseInterface;
 
 class DavPlugin extends ServerPlugin {
-	/** @var Server */
-	private $server;
+	/** @noinspection PhpPropertyOnlyWrittenInspection */
+	private Server $server;
 
 	public function __construct(
 		private readonly ISession $session,
-		private readonly IConfig $config,
-		private array $auth,
+		private readonly IAppConfig $config,
+		private readonly array $auth,
 		private readonly SAMLSettings $samlSettings,
+		private readonly SessionService $sessionService,
 	) {
 	}
 
-	public function initialize(Server $server) {
-		// before auth
+	public function initialize(Server $server): void {
 		$server->on('beforeMethod:*', $this->beforeMethod(...), 9);
 		$this->server = $server;
 	}
 
-	public function beforeMethod(RequestInterface $request, ResponseInterface $response) {
+	public function beforeMethod(RequestInterface $request, ResponseInterface $response): void {
 		if (
-			$this->config->getAppValue('user_saml', 'type') === 'environment-variable'
+			$this->config->getAppValueString('type', 'unset') === 'environment-variable'
 			&& !$this->session->exists('user_saml.samlUserData')
 		) {
 			$uidMapping = $this->samlSettings->get(1)['general-uid_mapping'];
 			if (isset($this->auth[$uidMapping])) {
 				$this->session->set(Auth::DAV_AUTHENTICATED, $this->auth[$uidMapping]);
-				$this->session->set('user_saml.samlUserData', $this->auth);
+				$this->sessionService->prepareEnvironmentBasedSession($this->auth);
 			}
 		}
 	}

lib/Db/SessionData.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\User_SAML\Db;
+
+use OCA\User_SAML\Model\SessionData as SessionDataModel;
+use OCP\AppFramework\Db\Entity;
+use OCP\DB\Types;
+
+class SessionData extends Entity {
+	/** @var string */
+	public $id;
+	public ?string $data = null;
+
+	public function __construct() {
+		$this->addType('id', Types::STRING);
+		$this->addType('data', Types::TEXT);
+	}
+
+	public function setId(string $id): void {
+		$this->id = $id;
+		$this->markFieldUpdated('id');
+	}
+
+	public function setData(SessionDataModel $input): void {
+		$this->data = json_encode($input);
+		$this->markFieldUpdated('data');
+	}
+
+	public function getData(): SessionDataModel {
+		$deserialized = json_decode($this->data, true);
+		return SessionDataModel::fromInputArray($deserialized);
+	}
+}

lib/Db/SessionDataMapper.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\User_SAML\Db;
+
+use OCP\AppFramework\Db\DoesNotExistException;
+use OCP\AppFramework\Db\MultipleObjectsReturnedException;
+use OCP\AppFramework\Db\QBMapper;
+use OCP\DB\Exception;
+use OCP\IDBConnection;
+
+/** @template-extends QBMapper<SessionData> */
+class SessionDataMapper extends QBMapper {
+	public const SESSION_DATA_TABLE_NAME = 'user_saml_session_data';
+
+	public function __construct(IDBConnection $db) {
+		parent::__construct($db, self::SESSION_DATA_TABLE_NAME, SessionData::class);
+	}
+
+	/**
+	 * @throws DoesNotExistException
+	 * @throws MultipleObjectsReturnedException
+	 * @throws Exception
+	 */
+	public function retrieve(string $sessionId): SessionData {
+		$qb = $this->db->getQueryBuilder();
+		$qb->select('*')
+			->from(self::SESSION_DATA_TABLE_NAME)
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($sessionId)));
+		return $this->findEntity($qb);
+	}
+}

lib/Listener/CookieLoginEventListener.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\User_SAML\Listener;
+
+use OCA\User_SAML\Service\SessionService;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\User\Events\BeforeUserLoggedInWithCookieEvent;
+use OCP\User\Events\UserLoggedInWithCookieEvent;
+
+/** @template-implements IEventListener<BeforeUserLoggedInWithCookieEvent|UserLoggedInWithCookieEvent|Event> */
+class CookieLoginEventListener implements IEventListener {
+	protected ?string $oldSessionId = null;
+
+	public function __construct(
+		protected readonly SessionService $sessionService,
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if ($event instanceof BeforeUserLoggedInWithCookieEvent) {
+			$this->prepareRestoreOfSession();
+			return;
+		}
+
+		if ($event instanceof UserLoggedInWithCookieEvent) {
+			$this->restoreSession();
+			return;
+		}
+	}
+
+	protected function prepareRestoreOfSession(): void {
+		if (isset($_COOKIE['nc_session_id'])) {
+			$this->oldSessionId = $_COOKIE['nc_session_id'];
+		}
+	}
+
+	protected function restoreSession(): void {
+		if ($this->oldSessionId !== null) {
+			$this->sessionService->restoreSession($this->oldSessionId);
+		}
+	}
+}

lib/Migration/Version7001Date20251215192613.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\User_SAML\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\Types;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use Override;
+
+class Version7001Date20251215192613 extends SimpleMigrationStep {
+	public const SESSION_DATA_TABLE_NAME = 'user_saml_session_data';
+
+	#[Override]
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		if ($schema->hasTable(self::SESSION_DATA_TABLE_NAME)) {
+			return null;
+		}
+
+		$table = $schema->createTable(self::SESSION_DATA_TABLE_NAME);
+		$table->addColumn('id', Types::STRING, [
+			'notnull' => true,
+			'length' => 200,
+		]);
+		$table->addColumn('data', Types::TEXT, [
+			'notnull' => true,
+		]);
+		$table->setPrimaryKey(['id']);
+
+		return $schema;
+	}
+
+}