mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 984 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
71649 Commits
400 Branches
Tree: 26d343d33a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '26d343d33a'
${ noResults }
nextcloud/core/Middleware/TwoFactorMiddleware.php

TwoFactorMiddleware.php 5.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149 
  1. <?php

  2. 

  3. declare(strict_types=1);

  4. 

  5. /**

  6.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  7.  *

  8.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  9.  * @author Joas Schilling <coding@schilljs.com>

  10.  * @author Lukas Reschke <lukas@statuscode.ch>

  11.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  12.  *

  13.  * @license AGPL-3.0

  14.  *

  15.  * This code is free software: you can redistribute it and/or modify

  16.  * it under the terms of the GNU Affero General Public License, version 3,

  17.  * as published by the Free Software Foundation.

  18.  *

  19.  * This program is distributed in the hope that it will be useful,

  20.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  21.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  22.  * GNU Affero General Public License for more details.

  23.  *

  24.  * You should have received a copy of the GNU Affero General Public License, version 3,

  25.  * along with this program. If not, see <http://www.gnu.org/licenses/>

  26.  *

  27.  */

  28. namespace OC\Core\Middleware;

  29. 

  30. use Exception;

  31. use OC\Authentication\Exceptions\TwoFactorAuthRequiredException;

  32. use OC\Authentication\Exceptions\UserAlreadyLoggedInException;

  33. use OC\Authentication\TwoFactorAuth\Manager;

  34. use OC\Core\Controller\LoginController;

  35. use OC\Core\Controller\TwoFactorChallengeController;

  36. use OC\User\Session;

  37. use OCA\TwoFactorNextcloudNotification\Controller\APIController;

  38. use OCP\AppFramework\Controller;

  39. use OCP\AppFramework\Http\RedirectResponse;

  40. use OCP\AppFramework\Middleware;

  41. use OCP\AppFramework\Utility\IControllerMethodReflector;

  42. use OCP\Authentication\TwoFactorAuth\ALoginSetupController;

  43. use OCP\IRequest;

  44. use OCP\ISession;

  45. use OCP\IURLGenerator;

  46. use OCP\IUser;

  47. 

  48. class TwoFactorMiddleware extends Middleware {

  49. 	public function __construct(

  50. 		private Manager $twoFactorManager,

  51. 		private Session $userSession,

  52. 		private ISession $session,

  53. 		private IURLGenerator $urlGenerator,

  54. 		private IControllerMethodReflector $reflector,

  55. 		private IRequest $request,

  56. 	) {

  57. 	}

  58. 

  59. 	/**

  60. 	 * @param Controller $controller

  61. 	 * @param string $methodName

  62. 	 */

  63. 	public function beforeController($controller, $methodName) {

  64. 		if ($this->reflector->hasAnnotation('NoTwoFactorRequired')) {

  65. 			// Route handler explicitly marked to work without finished 2FA are

  66. 			// not blocked

  67. 			return;

  68. 		}

  69. 

  70. 		if ($controller instanceof APIController && $methodName === 'poll') {

  71. 			// Allow polling the twofactor nextcloud notifications state

  72. 			return;

  73. 		}

  74. 

  75. 		if ($controller instanceof TwoFactorChallengeController

  76. 			&& $this->userSession->getUser() !== null

  77. 			&& !$this->reflector->hasAnnotation('TwoFactorSetUpDoneRequired')) {

  78. 			$providers = $this->twoFactorManager->getProviderSet($this->userSession->getUser());

  79. 

  80. 			if (!($providers->getPrimaryProviders() === [] && !$providers->isProviderMissing())) {

  81. 				throw new TwoFactorAuthRequiredException();

  82. 			}

  83. 		}

  84. 

  85. 		if ($controller instanceof ALoginSetupController

  86. 			&& $this->userSession->getUser() !== null

  87. 			&& $this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {

  88. 			$providers = $this->twoFactorManager->getProviderSet($this->userSession->getUser());

  89. 

  90. 			if ($providers->getPrimaryProviders() === [] && !$providers->isProviderMissing()) {

  91. 				return;

  92. 			}

  93. 		}

  94. 

  95. 		if ($controller instanceof LoginController && $methodName === 'logout') {

  96. 			// Don't block the logout page, to allow canceling the 2FA

  97. 			return;

  98. 		}

  99. 

  100. 		if ($this->userSession->isLoggedIn()) {

  101. 			$user = $this->userSession->getUser();

  102. 

  103. 			if ($this->session->exists('app_password')  // authenticated using an app password

  104. 				|| $this->session->exists('app_api')  // authenticated using an AppAPI Auth

  105. 				|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {

  106. 

  107. 				$this->checkTwoFactor($controller, $methodName, $user);

  108. 			} elseif ($controller instanceof TwoFactorChallengeController) {

  109. 				// Allow access to the two-factor controllers only if two-factor authentication

  110. 				// is in progress.

  111. 				throw new UserAlreadyLoggedInException();

  112. 			}

  113. 		}

  114. 		// TODO: dont check/enforce 2FA if a auth token is used

  115. 	}

  116. 

  117. 	private function checkTwoFactor(Controller $controller, $methodName, IUser $user) {

  118. 		// If two-factor auth is in progress disallow access to any controllers

  119. 		// defined within "LoginController".

  120. 		$needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user);

  121. 		$twoFactor = $controller instanceof TwoFactorChallengeController;

  122. 

  123. 		// Disallow access to any controller if 2FA needs to be checked

  124. 		if ($needsSecondFactor && !$twoFactor) {

  125. 			throw new TwoFactorAuthRequiredException();

  126. 		}

  127. 

  128. 		// Allow access to the two-factor controllers only if two-factor authentication

  129. 		// is in progress.

  130. 		if (!$needsSecondFactor && $twoFactor) {

  131. 			throw new UserAlreadyLoggedInException();

  132. 		}

  133. 	}

  134. 

  135. 	public function afterException($controller, $methodName, Exception $exception) {

  136. 		if ($exception instanceof TwoFactorAuthRequiredException) {

  137. 			$params = [];

  138. 			if (isset($this->request->server['REQUEST_URI'])) {

  139. 				$params['redirect_url'] = $this->request->server['REQUEST_URI'];

  140. 			}

  141. 			return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params));

  142. 		}

  143. 		if ($exception instanceof UserAlreadyLoggedInException) {

  144. 			return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));

  145. 		}

  146. 

  147. 		throw $exception;

  148. 	}

  149. }