<name>OAuth 2.0</name>
<summary>Allows OAuth2 compatible authentication from other web applications.</summary>
<description>The OAuth2 app allows administrators to configure the built-in authentication workflow to also allow OAuth2 compatible authentication from other web applications.</description>
- <version>1.16.3</version>
+ <version>1.16.4</version>
<licence>agpl</licence>
<author>Lukas Reschke</author>
<namespace>OAuth2</namespace>
'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => $baseDir . '/../lib/Migration/Version011601Date20230522143227.php',
'OCA\\OAuth2\\Migration\\Version011602Date20230613160650' => $baseDir . '/../lib/Migration/Version011602Date20230613160650.php',
'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => $baseDir . '/../lib/Migration/Version011603Date20230620111039.php',
+ 'OCA\\OAuth2\\Migration\\Version011901Date20240829164356' => $baseDir . '/../lib/Migration/Version011901Date20240829164356.php',
'OCA\\OAuth2\\Settings\\Admin' => $baseDir . '/../lib/Settings/Admin.php',
);
'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => __DIR__ . '/..' . '/../lib/Migration/Version011601Date20230522143227.php',
'OCA\\OAuth2\\Migration\\Version011602Date20230613160650' => __DIR__ . '/..' . '/../lib/Migration/Version011602Date20230613160650.php',
'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => __DIR__ . '/..' . '/../lib/Migration/Version011603Date20230620111039.php',
+ 'OCA\\OAuth2\\Migration\\Version011901Date20240829164356' => __DIR__ . '/..' . '/../lib/Migration/Version011901Date20240829164356.php',
'OCA\\OAuth2\\Settings\\Admin' => __DIR__ . '/..' . '/../lib/Settings/Admin.php',
);
}
try {
- $storedClientSecret = $this->crypto->decrypt($client->getSecret());
+ $storedClientSecretHash = $client->getSecret();
+ $clientSecretHash = bin2hex($this->crypto->calculateHMAC($client_secret));
} catch (\Exception $e) {
$this->logger->error('OAuth client secret decryption error', ['exception' => $e]);
// we don't throttle here because it might not be a bruteforce attack
], Http::STATUS_BAD_REQUEST);
}
// The client id and secret must match. Else we don't provide an access token!
- if ($client->getClientIdentifier() !== $client_id || $storedClientSecret !== $client_secret) {
+ if ($client->getClientIdentifier() !== $client_id || $storedClientSecretHash !== $clientSecretHash) {
$response = new JSONResponse([
'error' => 'invalid_client',
], Http::STATUS_BAD_REQUEST);
$client->setName($name);
$client->setRedirectUri($redirectUri);
$secret = $this->secureRandom->generate(64, self::validChars);
- $encryptedSecret = $this->crypto->encrypt($secret);
- $client->setSecret($encryptedSecret);
+ $hashedSecret = bin2hex($this->crypto->calculateHMAC($secret));
+ $client->setSecret($hashedSecret);
$client->setClientIdentifier($this->secureRandom->generate(64, self::validChars));
$client = $this->clientMapper->insert($client);
--- /dev/null
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\OAuth2\Migration;
+
+use Closure;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDBConnection;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use OCP\Security\ICrypto;
+
+class Version011901Date20240829164356 extends SimpleMigrationStep {
+
+ public function __construct(
+ private IDBConnection $connection,
+ private ICrypto $crypto,
+ ) {
+ }
+
+ public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) {
+ $qbUpdate = $this->connection->getQueryBuilder();
+ $qbUpdate->update('oauth2_clients')
+ ->set('secret', $qbUpdate->createParameter('updateSecret'))
+ ->where(
+ $qbUpdate->expr()->eq('id', $qbUpdate->createParameter('updateId'))
+ );
+
+ $qbSelect = $this->connection->getQueryBuilder();
+ $qbSelect->select('id', 'secret')
+ ->from('oauth2_clients');
+ $req = $qbSelect->executeQuery();
+ while ($row = $req->fetch()) {
+ $id = $row['id'];
+ $storedEncryptedSecret = $row['secret'];
+ $secret = $this->crypto->decrypt($storedEncryptedSecret);
+ $hashedSecret = bin2hex($this->crypto->calculateHMAC($secret));
+ $qbUpdate->setParameter('updateSecret', $hashedSecret, IQueryBuilder::PARAM_STR);
+ $qbUpdate->setParameter('updateId', $id, IQueryBuilder::PARAM_INT);
+ $qbUpdate->executeStatement();
+ }
+ $req->closeCursor();
+ }
+}
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
use OCP\IURLGenerator;
-use OCP\Security\ICrypto;
use OCP\Settings\ISettings;
use Psr\Log\LoggerInterface;
private IInitialState $initialState,
private ClientMapper $clientMapper,
private IURLGenerator $urlGenerator,
- private ICrypto $crypto,
private LoggerInterface $logger,
) {
}
foreach ($clients as $client) {
try {
- $secret = $this->crypto->decrypt($client->getSecret());
$result[] = [
'id' => $client->getId(),
'name' => $client->getName(),
'redirectUri' => $client->getRedirectUri(),
'clientId' => $client->getClientIdentifier(),
- 'clientSecret' => $secret,
+ 'clientSecret' => '',
];
} catch (\Exception $e) {
$this->logger->error('[Settings] OAuth client secret decryption error', ['exception' => $e]);
@delete="deleteClient" />
</tbody>
</table>
+ <NcNoteCard v-if="showSecretWarning"
+ type="warning">
+ {{ t('oauth2', 'Make sure you store the secret key, it cannot be recovered.') }}
+ </NcNoteCard>
<br>
<h3>{{ t('oauth2', 'Add client') }}</h3>
import { getCapabilities } from '@nextcloud/capabilities'
import NcSettingsSection from '@nextcloud/vue/dist/Components/NcSettingsSection.js'
import NcButton from '@nextcloud/vue/dist/Components/NcButton.js'
+import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
import { loadState } from '@nextcloud/initial-state'
import NcTextField from '@nextcloud/vue/dist/Components/NcTextField.js'
NcSettingsSection,
NcButton,
NcTextField,
+ NcNoteCard,
},
props: {
clients: {
error: false,
},
oauthDocLink: loadState('oauth2', 'oauth2-doc-link'),
+ showSecretWarning: false,
}
},
computed: {
).then(response => {
// eslint-disable-next-line vue/no-mutating-props
this.clients.push(response.data)
+ this.showSecretWarning = true
this.newClient.name = ''
this.newClient.redirectUri = ''
<td>
<div class="action-secret">
<code>{{ renderedSecret }}</code>
- <NcButton type="tertiary-no-background"
+ <NcButton v-if="clientSecret !== ''"
+ type="tertiary-no-background"
:aria-label="toggleAriaLabel"
@click="toggleSecret">
<template #icon>
->with('validrefresh')
->willReturn($accessToken);
+ $this->crypto
+ ->method('calculateHMAC')
+ ->with($this->callback(function (string $text) {
+ return $text === 'clientSecret' || $text === 'invalidClientSecret';
+ }))
+ ->willReturnCallback(function (string $text) {
+ return $text === 'clientSecret'
+ ? 'hashedClientSecret'
+ : 'hashedInvalidClientSecret';
+ });
+
$client = new Client();
$client->setClientIdentifier('clientId');
- $client->setSecret('clientSecret');
+ $client->setSecret('hashedClientSecret');
$this->clientMapper->method('getByUid')
->with(42)
->willReturn($client);
$client = new Client();
$client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
+ $client->setSecret('hashedClientSecret');
$this->clientMapper->method('getByUid')
->with(42)
->willReturn($client);
$this->crypto
->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
+ ->with('encryptedToken')
+ ->willReturn('decryptedToken');
+
+ $this->crypto
+ ->method('calculateHMAC')
+ ->with('clientSecret')
+ ->willReturn('hashedClientSecret');
$this->tokenProvider->method('getTokenById')
->with(1337)
$client = new Client();
$client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
+ $client->setSecret('hashedClientSecret');
$this->clientMapper->method('getByUid')
->with(42)
->willReturn($client);
$this->crypto
->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
+ ->with('encryptedToken')
+ ->willReturn('decryptedToken');
+
+ $this->crypto
+ ->method('calculateHMAC')
+ ->with('clientSecret')
+ ->willReturn('hashedClientSecret');
$appToken = new PublicKeyToken();
$appToken->setUid('userId');
$client = new Client();
$client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
+ $client->setSecret('hashedClientSecret');
$this->clientMapper->method('getByUid')
->with(42)
->willReturn($client);
$this->crypto
->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
+ ->with('encryptedToken')
+ ->willReturn('decryptedToken');
+
+ $this->crypto
+ ->method('calculateHMAC')
+ ->with('clientSecret')
+ ->willReturn('hashedClientSecret');
$appToken = new PublicKeyToken();
$appToken->setUid('userId');
$client = new Client();
$client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
+ $client->setSecret('hashedClientSecret');
$this->clientMapper->method('getByUid')
->with(42)
->willReturn($client);
$this->crypto
->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
+ ->with('encryptedToken')
+ ->willReturn('decryptedToken');
+
+ $this->crypto
+ ->method('calculateHMAC')
+ ->with('clientSecret')
+ ->willReturn('hashedClientSecret');
$appToken = new PublicKeyToken();
$appToken->setUid('userId');
$this->crypto
->expects($this->once())
- ->method('encrypt')
- ->willReturn('MyEncryptedSecret');
+ ->method('calculateHMAC')
+ ->willReturn('MyHashedSecret');
$client = new Client();
$client->setName('My Client Name');
$client->setRedirectUri('https://example.com/');
- $client->setSecret('MySecret');
+ $client->setSecret('MyHashedSecret');
$client->setClientIdentifier('MyClientIdentifier');
$this->clientMapper
->with($this->callback(function (Client $c) {
return $c->getName() === 'My Client Name' &&
$c->getRedirectUri() === 'https://example.com/' &&
- $c->getSecret() === 'MyEncryptedSecret' &&
+ $c->getSecret() === 'MyHashedSecret' &&
$c->getClientIdentifier() === 'MyClientIdentifier';
}))->willReturnCallback(function (Client $c) {
$c->setId(42);
$client->setId(123);
$client->setName('My Client Name');
$client->setRedirectUri('https://example.com/');
- $client->setSecret('MySecret');
+ $client->setSecret('MyHashedSecret');
$client->setClientIdentifier('MyClientIdentifier');
$this->clientMapper
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
use OCP\IURLGenerator;
-use OCP\Security\ICrypto;
use PHPUnit\Framework\MockObject\MockObject;
use Psr\Log\LoggerInterface;
use Test\TestCase;
/** @var Admin|MockObject */
private $admin;
- /** @var IInitialStateService|MockObject */
+ /** @var IInitialState|MockObject */
private $initialState;
/** @var ClientMapper|MockObject */
$this->initialState,
$this->clientMapper,
$this->createMock(IURLGenerator::class),
- $this->createMock(ICrypto::class),
$this->createMock(LoggerInterface::class)
);
}