mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36406 Commits
416 Branches
Tree: 55bf9e3f71
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '55bf9e3f71'
${ noResults }
nextcloud/core/Controller/LoginController.php

LoginController.php 10KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>

  4.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  5.  *

  6.  * @author Christoph Wurst <christoph@owncloud.com>

  7.  * @author Joas Schilling <coding@schilljs.com>

  8.  * @author Lukas Reschke <lukas@statuscode.ch>

  9.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  10.  *

  11.  * @license AGPL-3.0

  12.  *

  13.  * This code is free software: you can redistribute it and/or modify

  14.  * it under the terms of the GNU Affero General Public License, version 3,

  15.  * as published by the Free Software Foundation.

  16.  *

  17.  * This program is distributed in the hope that it will be useful,

  18.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  19.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  20.  * GNU Affero General Public License for more details.

  21.  *

  22.  * You should have received a copy of the GNU Affero General Public License, version 3,

  23.  * along with this program.  If not, see <http://www.gnu.org/licenses/>

  24.  *

  25.  */

  26. 

  27. namespace OC\Core\Controller;

  28. 

  29. use OC\Authentication\TwoFactorAuth\Manager;

  30. use OC\Security\Bruteforce\Throttler;

  31. use OC\User\Session;

  32. use OC_App;

  33. use OC_Util;

  34. use OCP\AppFramework\Controller;

  35. use OCP\AppFramework\Http;

  36. use OCP\AppFramework\Http\DataResponse;

  37. use OCP\AppFramework\Http\RedirectResponse;

  38. use OCP\AppFramework\Http\TemplateResponse;

  39. use OCP\Authentication\TwoFactorAuth\IProvider;

  40. use OCP\IConfig;

  41. use OCP\IRequest;

  42. use OCP\ISession;

  43. use OCP\IURLGenerator;

  44. use OCP\IUser;

  45. use OCP\IUserManager;

  46. use OCP\IUserSession;

  47. 

  48. class LoginController extends Controller {

  49. 	/** @var IUserManager */

  50. 	private $userManager;

  51. 	/** @var IConfig */

  52. 	private $config;

  53. 	/** @var ISession */

  54. 	private $session;

  55. 	/** @var IUserSession|Session */

  56. 	private $userSession;

  57. 	/** @var IURLGenerator */

  58. 	private $urlGenerator;

  59. 	/** @var Manager */

  60. 	private $twoFactorManager;

  61. 	/** @var Throttler */

  62. 	private $throttler;

  63. 

  64. 	/**

  65. 	 * @param string $appName

  66. 	 * @param IRequest $request

  67. 	 * @param IUserManager $userManager

  68. 	 * @param IConfig $config

  69. 	 * @param ISession $session

  70. 	 * @param IUserSession $userSession

  71. 	 * @param IURLGenerator $urlGenerator

  72. 	 * @param Manager $twoFactorManager

  73. 	 * @param Throttler $throttler

  74. 	 */

  75. 	function __construct($appName,

  76. 						 IRequest $request,

  77. 						 IUserManager $userManager,

  78. 						 IConfig $config,

  79. 						 ISession $session,

  80. 						 IUserSession $userSession,

  81. 						 IURLGenerator $urlGenerator,

  82. 						 Manager $twoFactorManager,

  83. 						 Throttler $throttler) {

  84. 		parent::__construct($appName, $request);

  85. 		$this->userManager = $userManager;

  86. 		$this->config = $config;

  87. 		$this->session = $session;

  88. 		$this->userSession = $userSession;

  89. 		$this->urlGenerator = $urlGenerator;

  90. 		$this->twoFactorManager = $twoFactorManager;

  91. 		$this->throttler = $throttler;

  92. 	}

  93. 

  94. 	/**

  95. 	 * @NoAdminRequired

  96. 	 * @UseSession

  97. 	 *

  98. 	 * @return RedirectResponse

  99. 	 */

  100. 	public function logout() {

  101. 		$loginToken = $this->request->getCookie('oc_token');

  102. 		if (!is_null($loginToken)) {

  103. 			$this->config->deleteUserValue($this->userSession->getUser()->getUID(), 'login_token', $loginToken);

  104. 		}

  105. 		$this->userSession->logout();

  106. 

  107. 		return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));

  108. 	}

  109. 

  110. 	/**

  111. 	 * @PublicPage

  112. 	 * @NoCSRFRequired

  113. 	 * @UseSession

  114. 	 *

  115. 	 * @param string $user

  116. 	 * @param string $redirect_url

  117. 	 * @param string $remember_login

  118. 	 *

  119. 	 * @return TemplateResponse|RedirectResponse

  120. 	 */

  121. 	public function showLoginForm($user, $redirect_url, $remember_login) {

  122. 		if ($this->userSession->isLoggedIn()) {

  123. 			return new RedirectResponse(OC_Util::getDefaultPageUrl());

  124. 		}

  125. 

  126. 		$parameters = array();

  127. 		$loginMessages = $this->session->get('loginMessages');

  128. 		$errors = [];

  129. 		$messages = [];

  130. 		if (is_array($loginMessages)) {

  131. 			list($errors, $messages) = $loginMessages;

  132. 		}

  133. 		$this->session->remove('loginMessages');

  134. 		foreach ($errors as $value) {

  135. 			$parameters[$value] = true;

  136. 		}

  137. 

  138. 		$parameters['messages'] = $messages;

  139. 		if (!is_null($user) && $user !== '') {

  140. 			$parameters['loginName'] = $user;

  141. 			$parameters['user_autofocus'] = false;

  142. 		} else {

  143. 			$parameters['loginName'] = '';

  144. 			$parameters['user_autofocus'] = true;

  145. 		}

  146. 		if (!empty($redirect_url)) {

  147. 			$parameters['redirect_url'] = $redirect_url;

  148. 		}

  149. 

  150. 		$parameters['canResetPassword'] = true;

  151. 		$parameters['resetPasswordLink'] = $this->config->getSystemValue('lost_password_link', '');

  152. 		if (!$parameters['resetPasswordLink']) {

  153. 			if (!is_null($user) && $user !== '') {

  154. 				$userObj = $this->userManager->get($user);

  155. 				if ($userObj instanceof IUser) {

  156. 					$parameters['canResetPassword'] = $userObj->canChangePassword();

  157. 				}

  158. 			}

  159. 		}

  160. 

  161. 		$parameters['alt_login'] = OC_App::getAlternativeLogIns();

  162. 		$parameters['rememberLoginAllowed'] = OC_Util::rememberLoginAllowed();

  163. 		$parameters['rememberLoginState'] = !empty($remember_login) ? $remember_login : 0;

  164. 

  165. 		if (!is_null($user) && $user !== '') {

  166. 			$parameters['loginName'] = $user;

  167. 			$parameters['user_autofocus'] = false;

  168. 		} else {

  169. 			$parameters['loginName'] = '';

  170. 			$parameters['user_autofocus'] = true;

  171. 		}

  172. 

  173. 		return new TemplateResponse(

  174. 			$this->appName, 'login', $parameters, 'guest'

  175. 		);

  176. 	}

  177. 

  178. 	/**

  179. 	 * @param string $redirectUrl

  180. 	 * @return RedirectResponse

  181. 	 */

  182. 	private function generateRedirect($redirectUrl) {

  183. 		if (!is_null($redirectUrl) && $this->userSession->isLoggedIn()) {

  184. 			$location = $this->urlGenerator->getAbsoluteURL(urldecode($redirectUrl));

  185. 			// Deny the redirect if the URL contains a @

  186. 			// This prevents unvalidated redirects like ?redirect_url=:user@domain.com

  187. 			if (strpos($location, '@') === false) {

  188. 				return new RedirectResponse($location);

  189. 			}

  190. 		}

  191. 		return new RedirectResponse(OC_Util::getDefaultPageUrl());

  192. 	}

  193. 

  194. 	/**

  195. 	 * @PublicPage

  196. 	 * @UseSession

  197. 	 * @NoCSRFRequired

  198. 	 *

  199. 	 * @param string $user

  200. 	 * @param string $password

  201. 	 * @param string $redirect_url

  202. 	 * @param boolean $remember_login

  203. 	 * @param string $timezone

  204. 	 * @param string $timezone_offset

  205. 	 * @return RedirectResponse

  206. 	 */

  207. 	public function tryLogin($user, $password, $redirect_url, $remember_login = false, $timezone = '', $timezone_offset = '') {

  208. 		$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());

  209. 		$this->throttler->sleepDelay($this->request->getRemoteAddress());

  210. 

  211. 		// If the user is already logged in and the CSRF check does not pass then

  212. 		// simply redirect the user to the correct page as required. This is the

  213. 		// case when an user has already logged-in, in another tab.

  214. 		if(!$this->request->passesCSRFCheck()) {

  215. 			return $this->generateRedirect($redirect_url);

  216. 		}

  217. 

  218. 		$originalUser = $user;

  219. 		// TODO: Add all the insane error handling

  220. 		/* @var $loginResult IUser */

  221. 		$loginResult = $this->userManager->checkPassword($user, $password);

  222. 		if ($loginResult === false) {

  223. 			$users = $this->userManager->getByEmail($user);

  224. 			// we only allow login by email if unique

  225. 			if (count($users) === 1) {

  226. 				$user = $users[0]->getUID();

  227. 				$loginResult = $this->userManager->checkPassword($user, $password);

  228. 			}

  229. 		}

  230. 		if ($loginResult === false) {

  231. 			$this->throttler->registerAttempt('login', $this->request->getRemoteAddress(), ['user' => $originalUser]);

  232. 			if($currentDelay === 0) {

  233. 				$this->throttler->sleepDelay($this->request->getRemoteAddress());

  234. 			}

  235. 			$this->session->set('loginMessages', [

  236. 				['invalidpassword'], []

  237. 			]);

  238. 			// Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name

  239. 			$args = !is_null($user) ? ['user' => $originalUser] : [];

  240. 			return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));

  241. 		}

  242. 		// TODO: remove password checks from above and let the user session handle failures

  243. 		// requires https://github.com/owncloud/core/pull/24616

  244. 		$this->userSession->login($user, $password);

  245. 		$this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password, (int)$remember_login);

  246. 

  247. 		// User has successfully logged in, now remove the password reset link, when it is available

  248. 		$this->config->deleteUserValue($loginResult->getUID(), 'core', 'lostpassword');

  249. 

  250. 		$this->session->set('last-password-confirm', $loginResult->getLastLogin());

  251. 

  252. 		if ($timezone_offset !== '') {

  253. 			$this->config->setUserValue($loginResult->getUID(), 'core', 'timezone', $timezone);

  254. 			$this->session->set('timezone', $timezone_offset);

  255. 		}

  256. 

  257. 		if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) {

  258. 			$this->twoFactorManager->prepareTwoFactorLogin($loginResult, $remember_login);

  259. 

  260. 			$providers = $this->twoFactorManager->getProviders($loginResult);

  261. 			if (count($providers) === 1) {

  262. 				// Single provider, hence we can redirect to that provider's challenge page directly

  263. 				/* @var $provider IProvider */

  264. 				$provider = array_pop($providers);

  265. 				$url = 'core.TwoFactorChallenge.showChallenge';

  266. 				$urlParams = [

  267. 					'challengeProviderId' => $provider->getId(),

  268. 				];

  269. 			} else {

  270. 				$url = 'core.TwoFactorChallenge.selectChallenge';

  271. 				$urlParams = [];

  272. 			}

  273. 

  274. 			if (!is_null($redirect_url)) {

  275. 				$urlParams['redirect_url'] = $redirect_url;

  276. 			}

  277. 

  278. 			return new RedirectResponse($this->urlGenerator->linkToRoute($url, $urlParams));

  279. 		}

  280. 

  281. 		if ($remember_login) {

  282. 			$this->userSession->createRememberMeToken($loginResult);

  283. 		}

  284. 

  285. 		return $this->generateRedirect($redirect_url);

  286. 	}

  287. 

  288. 	/**

  289. 	 * @NoAdminRequired

  290. 	 * @UseSession

  291. 	 *

  292. 	 * @license GNU AGPL version 3 or any later version

  293. 	 *

  294. 	 * @param string $password

  295. 	 * @return DataResponse

  296. 	 */

  297. 	public function confirmPassword($password) {

  298. 		$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());

  299. 		$this->throttler->sleepDelay($this->request->getRemoteAddress());

  300. 

  301. 		$user = $this->userSession->getUser();

  302. 		if (!$user instanceof IUser) {

  303. 			return new DataResponse([], Http::STATUS_UNAUTHORIZED);

  304. 		}

  305. 

  306. 		$loginResult = $this->userManager->checkPassword($user->getUID(), $password);

  307. 		if ($loginResult === false) {

  308. 			$this->throttler->registerAttempt('sudo', $this->request->getRemoteAddress(), ['user' => $user->getUID()]);

  309. 			if ($currentDelay === 0) {

  310. 				$this->throttler->sleepDelay($this->request->getRemoteAddress());

  311. 			}

  312. 

  313. 			return new DataResponse([], Http::STATUS_FORBIDDEN);

  314. 		}

  315. 

  316. 		$confirmTimestamp = time();

  317. 		$this->session->set('last-password-confirm', $confirmTimestamp);

  318. 		return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);

  319. 	}

  320. }