feat: token deletion logic

Signed-off-by: Jana Peper <[email protected]>

Author: janepie

apps/webhook_listeners/appinfo/info.xml

@@ -25,7 +25,7 @@
         ]]>
     </description>
 
-    <version>1.4.1</version>
+    <version>1.4.2</version>
     <licence>agpl</licence>
     <author>Côme Chilliet</author>
     <namespace>WebhookListeners</namespace>
@@ -56,4 +56,8 @@
         <admin-delegation>OCA\WebhookListeners\Settings\Admin</admin-delegation>
         <admin-delegation-section>OCA\WebhookListeners\Settings\AdminSection</admin-delegation-section>
     </settings>
+
+    <background-jobs>
+		<job>OCA\WebhookListeners\BackgroundJobs\WebhookTokenCleanup</job>
+	</background-jobs>
 </info>

apps/webhook_listeners/composer/composer/autoload_classmap.php

@@ -9,9 +9,12 @@
     'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
     'OCA\\WebhookListeners\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
     'OCA\\WebhookListeners\\BackgroundJobs\\WebhookCall' => $baseDir . '/../lib/BackgroundJobs/WebhookCall.php',
+    'OCA\\WebhookListeners\\BackgroundJobs\\WebhookTokenCleanup' => $baseDir . '/../lib/BackgroundJobs/WebhookTokenCleanup.php',
     'OCA\\WebhookListeners\\Command\\ListWebhooks' => $baseDir . '/../lib/Command/ListWebhooks.php',
     'OCA\\WebhookListeners\\Controller\\WebhooksController' => $baseDir . '/../lib/Controller/WebhooksController.php',
     'OCA\\WebhookListeners\\Db\\AuthMethod' => $baseDir . '/../lib/Db/AuthMethod.php',
+    'OCA\\WebhookListeners\\Db\\TemporaryToken' => $baseDir . '/../lib/Db/TemporaryToken.php',
+    'OCA\\WebhookListeners\\Db\\TemporaryTokenMapper' => $baseDir . '/../lib/Db/TemporaryTokenMapper.php',
     'OCA\\WebhookListeners\\Db\\WebhookListener' => $baseDir . '/../lib/Db/WebhookListener.php',
     'OCA\\WebhookListeners\\Db\\WebhookListenerMapper' => $baseDir . '/../lib/Db/WebhookListenerMapper.php',
     'OCA\\WebhookListeners\\Listener\\WebhooksEventListener' => $baseDir . '/../lib/Listener/WebhooksEventListener.php',

apps/webhook_listeners/composer/composer/autoload_static.php

@@ -24,9 +24,12 @@ class ComposerStaticInitWebhookListeners
         'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
         'OCA\\WebhookListeners\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
         'OCA\\WebhookListeners\\BackgroundJobs\\WebhookCall' => __DIR__ . '/..' . '/../lib/BackgroundJobs/WebhookCall.php',
+        'OCA\\WebhookListeners\\BackgroundJobs\\WebhookTokenCleanup' => __DIR__ . '/..' . '/../lib/BackgroundJobs/WebhookTokenCleanup.php',
         'OCA\\WebhookListeners\\Command\\ListWebhooks' => __DIR__ . '/..' . '/../lib/Command/ListWebhooks.php',
         'OCA\\WebhookListeners\\Controller\\WebhooksController' => __DIR__ . '/..' . '/../lib/Controller/WebhooksController.php',
         'OCA\\WebhookListeners\\Db\\AuthMethod' => __DIR__ . '/..' . '/../lib/Db/AuthMethod.php',
+        'OCA\\WebhookListeners\\Db\\TemporaryToken' => __DIR__ . '/..' . '/../lib/Db/TemporaryToken.php',
+        'OCA\\WebhookListeners\\Db\\TemporaryTokenMapper' => __DIR__ . '/..' . '/../lib/Db/TemporaryTokenMapper.php',
         'OCA\\WebhookListeners\\Db\\WebhookListener' => __DIR__ . '/..' . '/../lib/Db/WebhookListener.php',
         'OCA\\WebhookListeners\\Db\\WebhookListenerMapper' => __DIR__ . '/..' . '/../lib/Db/WebhookListenerMapper.php',
         'OCA\\WebhookListeners\\Listener\\WebhooksEventListener' => __DIR__ . '/..' . '/../lib/Listener/WebhooksEventListener.php',

apps/webhook_listeners/lib/BackgroundJobs/WebhookTokenCleanup.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\WebhookListeners\BackgroundJobs;
+
+use OCA\WebhookListeners\Db\TemporaryTokenMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\BackgroundJob\TimedJob;
+
+class WebhookTokenCleanup extends TimedJob {
+
+	public function __construct(
+		private TemporaryTokenMapper $tokenMapper, 
+		ITimeFactory $timeFactory,
+	) {
+		parent::__construct($timeFactory);
+		// every 5 min
+		$this->setInterval(1 * 5 * 60);
+	}
+
+	/**
+	 * @param array $argument
+	 */
+	protected function run($argument): void {
+
+		$this->tokenMapper->invalidateOldTokens();
+
+
+	}
+
+
+}

apps/webhook_listeners/lib/Db/TemporaryToken.php

@@ -0,0 +1,68 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\WebhookListeners\Db;
+
+use OCP\AppFramework\Db\Entity;
+use OCP\Security\ICrypto;
+use OCP\Server;
+
+
+/**
+ * @method int getTokenId()
+ * @method string getToken()
+ * @method ?string getUserId()
+ * @method int getCreationDatetime()
+ * @psalm-suppress PropertyNotSetInConstructor
+ */
+class TemporaryToken extends Entity implements \JsonSerializable {
+	/**
+	 * @var int id of the token that was created for a webhook
+	 */
+	protected $tokenId;
+
+	/**
+	 * @var string the token
+	 */
+	protected $token;
+
+	/**
+	 * @var ?string id of the user wich the token belongs to
+	 * @psalm-suppress PropertyNotSetInConstructor
+	 */
+	protected $userId = null;
+
+	/**
+	 * @var int
+	 * @psalm-suppress PropertyNotSetInConstructor
+	 */
+	protected $creationDatetime;
+
+
+
+
+	public function __construct() {
+		$this->addType('tokenId', 'integer');
+		$this->addType('token', 'string');
+		$this->addType('userId', 'string');
+		$this->addType('creationDatetime', 'integer');
+	}
+
+	public function jsonSerialize(): array {
+		$fields = array_keys($this->getFieldTypes());
+		return array_combine(
+			$fields,
+			array_map(
+				fn ($field) => $this->getter($field),
+				$fields
+			)
+		);
+	}
+
+}

apps/webhook_listeners/lib/Db/TemporaryTokenMapper.php

@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\WebhookListeners\Db;
+
+use OCP\AppFramework\Db\DoesNotExistException;
+use OCP\AppFramework\Db\MultipleObjectsReturnedException;
+use OCP\AppFramework\Db\QBMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OC\Authentication\Token\PublicKeyTokenMapper;
+use OCP\DB\Exception;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDBConnection;
+use Psr\Log\LoggerInterface;
+
+/**
+ * @template-extends QBMapper<TemporaryToken>
+ */
+
+class TemporaryTokenMapper extends QBMapper {
+	public const TABLE_NAME = 'webhook_tokens';
+	public const TOKEN_LIFETIME = 1 * 1 * 60; // one hour in seconds
+	
+
+	public function __construct(
+		IDBConnection $db,
+		private LoggerInterface $logger,
+		private ITimeFactory $time,
+		private PublicKeyTokenMapper $tokenMapper,
+	) {
+		parent::__construct($db, self::TABLE_NAME, TemporaryToken::class);
+	}
+
+	/**
+	 * @throws DoesNotExistException
+	 * @throws MultipleObjectsReturnedException
+	 * @throws Exception
+	 */
+	public function getById(int $id): TemporaryToken {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName())
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($id, IQueryBuilder::PARAM_INT)));
+
+		return $this->findEntity($qb);
+	}
+
+	/**
+	 * @throws Exception
+	 * @return WebhookListener[]
+	 */
+	public function getAll(): array {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName());
+
+		return $this->findEntities($qb);
+	}
+
+	public function getOlderThan($olderThan): array {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName())
+			->where($qb->expr()->lt('creation_datetime', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)));
+
+		return $this->findEntities($qb);
+	}
+
+
+	/**
+	 * @throws Exception
+	 */
+	public function addTemporaryToken(
+		int $tokenId,
+		string $token,
+		?string $userId,
+		int $creationDatetime,
+	): TemporaryToken {
+		$tempToken = TemporaryToken::fromParams(
+			[
+				'tokenId' => $tokenId,
+				'token' => $token,
+				'userId' => $userId,
+				'creationDatetime' => $creationDatetime,
+			]
+		);
+		return $this->insert($tempToken);
+	}
+
+	/**
+	 * @throws Exception
+	 */
+	public function deleteByTokenId(int $tokenId): bool {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->delete($this->getTableName())
+			->where($qb->expr()->eq('token_id', $qb->createNamedParameter($tokenId, IQueryBuilder::PARAM_INT)));
+
+		return $qb->executeStatement() > 0;
+	}
+
+	public function invalidateOldTokens(int $token_lifetime = self::TOKEN_LIFETIME) {
+		$olderThan = $this->time->getTime() - $token_lifetime;
+		error_log("OLDER THAN");
+		$tokensToDelete = $this->getOlderThan($olderThan);
+		error_log(json_encode($tokensToDelete));
+
+		$this->logger->debug('Invalidating temporary webhook tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
+		foreach ($tokensToDelete as $token) {
+			$this->tokenMapper->invalidate($token->getToken()); // delete token itself
+			$this->deleteByTokenId($token->getTokenId()); // delete db row in webhook_temporary_tokens
+		}
+
+	}
+}

apps/webhook_listeners/lib/Migration/Version1500Date20251007130000.php

@@ -11,6 +11,7 @@
 
 use Closure;
 use OCA\WebhookListeners\Db\WebhookListenerMapper;
+use OCA\WebhookListeners\Db\TemporaryTokenMapper;
 use OCP\DB\ISchemaWrapper;
 use OCP\DB\Types;
 use OCP\Migration\IOutput;
@@ -34,9 +35,38 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 					'notnull' => false,
 				]);
 			}
+		}
 
-			return $schema;
+		if (!$schema->hasTable(TemporaryTokenMapper::TABLE_NAME)) {
+			$table = $schema->createTable(TemporaryTokenMapper::TABLE_NAME);
+			$table->addColumn('id', 'integer', [
+				'autoincrement' => true,
+				'notnull' => true,
+			]);
+			
+			$table->addColumn('token_id', 'integer', [
+				'notnull' => true,
+				'length' => 4,
+				'unsigned' => true,
+			]);
+			$table->addColumn('token', 'string', [
+				'notnull' => false,
+				'length' => 200,
+			]);
+			$table->addColumn('user_id', 'string', [
+				'notnull' => false,
+				'length' => 64,
+			]);
+			$table->addColumn('creation_datetime', 'integer', [
+				'notnull' => true,
+				'length' => 4,
+				'unsigned' => true,
+			]);
+			
+			$table->setPrimaryKey(['id']);
+			
 		}
-		return null;
+		return $schema;
+
 	}
 }

apps/webhook_listeners/lib/Service/TokenService.php

@@ -8,14 +8,18 @@
 namespace OCA\WebhookListeners\Service;
 
 use OC\Authentication\Token\IProvider;
+use OCA\WebhookListeners\Db\TemporaryTokenMapper;
 use OCA\WebhookListeners\Db\WebhookListener;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\Token\IToken;
 use OCP\Security\ISecureRandom;
 
 class TokenService {
 	public function __construct(
 		private IProvider $tokenProvider,
 		private ISecureRandom $random,
+		private TemporaryTokenMapper $tokenMapper,
+		private ITimeFactory $time,
 	) {
 	}
 
@@ -77,6 +81,7 @@ private function createTemporaryToken(string $userId): string {
 		$name = 'Ephemeral webhook authentication';
 		$password = null;
 		$deviceToken = $this->tokenProvider->generateToken($token, $userId, $userId, $password, $name, IToken::PERMANENT_TOKEN);
+		$this->tokenMapper->addTemporaryToken($deviceToken->getId(), $deviceToken->getToken(), $userId, $this->time->getTime());
 		return $token;
 	}
 

apps/webhook_listeners/openapi.json

@@ -92,6 +92,12 @@
                         "additionalProperties": {
                             "type": "object"
                         }
+                    },
+                    "tokenNeeded": {
+                        "type": "object",
+                        "additionalProperties": {
+                            "type": "object"
+                        }
                     }
                 }
             }
@@ -304,6 +310,15 @@
                                         "additionalProperties": {
                                             "type": "object"
                                         }
+                                    },
+                                    "tokenNeeded": {
+                                        "type": "object",
+                                        "nullable": true,
+                                        "default": null,
+                                        "description": "List of user ids for which to include auth tokens in the event. Has two fields: \"users\" list of user uids for which tokens are needed, \"functions\" list of functions for which tokens can be included. Possible functions: \"owner\" for the user creating the webhook, \"trigger\" for the user triggering the webhook call",
+                                        "additionalProperties": {
+                                            "type": "object"
+                                        }
                                     }
                                 }
                             }
@@ -703,6 +718,15 @@
                                         "additionalProperties": {
                                             "type": "object"
                                         }
+                                    },
+                                    "tokenNeeded": {
+                                        "type": "object",
+                                        "nullable": true,
+                                        "default": null,
+                                        "description": "List of user ids for which to include auth tokens in the event. Has two fields: \"users\" list of user uids for which tokens are needed, \"functions\" list of functions for which tokens can be included. Possible functions: \"owner\" for the user creating the webhook, \"trigger\" for the user triggering the webhook call",
+                                        "additionalProperties": {
+                                            "type": "object"
+                                        }
                                     }
                                 }
                             }