mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1005 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
73011 Commits
408 Branches
Tree: c7813bfdaf
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c7813bfdaf'
${ noResults }
nextcloud/core/Controller/AppPasswordController.php

AppPasswordController.php 6.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. <?php

  2. 

  3. declare(strict_types=1);

  4. 

  5. /**

  6.  * @copyright Copyright (c) 2018, Roeland Jago Douma <roeland@famdouma.nl>

  7.  *

  8.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  9.  * @author Daniel Kesselberg <mail@danielkesselberg.de>

  10.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  11.  * @author Kate Döen <kate.doeen@nextcloud.com>

  12.  *

  13.  * @license GNU AGPL version 3 or any later version

  14.  *

  15.  * This program is free software: you can redistribute it and/or modify

  16.  * it under the terms of the GNU Affero General Public License as

  17.  * published by the Free Software Foundation, either version 3 of the

  18.  * License, or (at your option) any later version.

  19.  *

  20.  * This program is distributed in the hope that it will be useful,

  21.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  22.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  23.  * GNU Affero General Public License for more details.

  24.  *

  25.  * You should have received a copy of the GNU Affero General Public License

  26.  * along with this program. If not, see <http://www.gnu.org/licenses/>.

  27.  *

  28.  */

  29. namespace OC\Core\Controller;

  30. 

  31. use OC\Authentication\Events\AppPasswordCreatedEvent;

  32. use OC\Authentication\Token\IProvider;

  33. use OC\Authentication\Token\IToken;

  34. use OC\User\Session;

  35. use OCP\AppFramework\Http;

  36. use OCP\AppFramework\Http\Attribute\ApiRoute;

  37. use OCP\AppFramework\Http\Attribute\UseSession;

  38. use OCP\AppFramework\Http\DataResponse;

  39. use OCP\AppFramework\OCS\OCSForbiddenException;

  40. use OCP\Authentication\Exceptions\CredentialsUnavailableException;

  41. use OCP\Authentication\Exceptions\InvalidTokenException;

  42. use OCP\Authentication\Exceptions\PasswordUnavailableException;

  43. use OCP\Authentication\LoginCredentials\IStore;

  44. use OCP\EventDispatcher\IEventDispatcher;

  45. use OCP\IRequest;

  46. use OCP\ISession;

  47. use OCP\IUserManager;

  48. use OCP\Security\Bruteforce\IThrottler;

  49. use OCP\Security\ISecureRandom;

  50. 

  51. class AppPasswordController extends \OCP\AppFramework\OCSController {

  52. 	public function __construct(

  53. 		string $appName,

  54. 		IRequest $request,

  55. 		private ISession $session,

  56. 		private ISecureRandom $random,

  57. 		private IProvider $tokenProvider,

  58. 		private IStore $credentialStore,

  59. 		private IEventDispatcher $eventDispatcher,

  60. 		private Session $userSession,

  61. 		private IUserManager $userManager,

  62. 		private IThrottler $throttler,

  63. 	) {

  64. 		parent::__construct($appName, $request);

  65. 	}

  66. 

  67. 	/**

  68. 	 * @NoAdminRequired

  69. 	 * @PasswordConfirmationRequired

  70. 	 *

  71. 	 * Create app password

  72. 	 *

  73. 	 * @return DataResponse<Http::STATUS_OK, array{apppassword: string}, array{}>

  74. 	 * @throws OCSForbiddenException Creating app password is not allowed

  75. 	 *

  76. 	 * 200: App password returned

  77. 	 */

  78. 	#[ApiRoute(verb: 'GET', url: '/getapppassword', root: '/core')]

  79. 	public function getAppPassword(): DataResponse {

  80. 		// We do not allow the creation of new tokens if this is an app password

  81. 		if ($this->session->exists('app_password')) {

  82. 			throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword');

  83. 		}

  84. 

  85. 		try {

  86. 			$credentials = $this->credentialStore->getLoginCredentials();

  87. 		} catch (CredentialsUnavailableException $e) {

  88. 			throw new OCSForbiddenException();

  89. 		}

  90. 

  91. 		try {

  92. 			$password = $credentials->getPassword();

  93. 		} catch (PasswordUnavailableException $e) {

  94. 			$password = null;

  95. 		}

  96. 

  97. 		$userAgent = $this->request->getHeader('USER_AGENT');

  98. 

  99. 		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

  100. 

  101. 		$generatedToken = $this->tokenProvider->generateToken(

  102. 			$token,

  103. 			$credentials->getUID(),

  104. 			$credentials->getLoginName(),

  105. 			$password,

  106. 			$userAgent,

  107. 			IToken::PERMANENT_TOKEN,

  108. 			IToken::DO_NOT_REMEMBER

  109. 		);

  110. 

  111. 		$this->eventDispatcher->dispatchTyped(

  112. 			new AppPasswordCreatedEvent($generatedToken)

  113. 		);

  114. 

  115. 		return new DataResponse([

  116. 			'apppassword' => $token

  117. 		]);

  118. 	}

  119. 

  120. 	/**

  121. 	 * @NoAdminRequired

  122. 	 *

  123. 	 * Delete app password

  124. 	 *

  125. 	 * @return DataResponse<Http::STATUS_OK, array<empty>, array{}>

  126. 	 * @throws OCSForbiddenException Deleting app password is not allowed

  127. 	 *

  128. 	 * 200: App password deleted successfully

  129. 	 */

  130. 	#[ApiRoute(verb: 'DELETE', url: '/apppassword', root: '/core')]

  131. 	public function deleteAppPassword(): DataResponse {

  132. 		if (!$this->session->exists('app_password')) {

  133. 			throw new OCSForbiddenException('no app password in use');

  134. 		}

  135. 

  136. 		$appPassword = $this->session->get('app_password');

  137. 

  138. 		try {

  139. 			$token = $this->tokenProvider->getToken($appPassword);

  140. 		} catch (InvalidTokenException $e) {

  141. 			throw new OCSForbiddenException('could not remove apptoken');

  142. 		}

  143. 

  144. 		$this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId());

  145. 		return new DataResponse();

  146. 	}

  147. 

  148. 	/**

  149. 	 * @NoAdminRequired

  150. 	 *

  151. 	 * Rotate app password

  152. 	 *

  153. 	 * @return DataResponse<Http::STATUS_OK, array{apppassword: string}, array{}>

  154. 	 * @throws OCSForbiddenException Rotating app password is not allowed

  155. 	 *

  156. 	 * 200: App password returned

  157. 	 */

  158. 	#[ApiRoute(verb: 'POST', url: '/apppassword/rotate', root: '/core')]

  159. 	public function rotateAppPassword(): DataResponse {

  160. 		if (!$this->session->exists('app_password')) {

  161. 			throw new OCSForbiddenException('no app password in use');

  162. 		}

  163. 

  164. 		$appPassword = $this->session->get('app_password');

  165. 

  166. 		try {

  167. 			$token = $this->tokenProvider->getToken($appPassword);

  168. 		} catch (InvalidTokenException $e) {

  169. 			throw new OCSForbiddenException('could not rotate apptoken');

  170. 		}

  171. 

  172. 		$newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);

  173. 		$this->tokenProvider->rotate($token, $appPassword, $newToken);

  174. 

  175. 		return new DataResponse([

  176. 			'apppassword' => $newToken,

  177. 		]);

  178. 	}

  179. 

  180. 	/**

  181. 	 * Confirm the user password

  182. 	 *

  183. 	 * @NoAdminRequired

  184. 	 * @BruteForceProtection(action=sudo)

  185. 	 *

  186. 	 * @param string $password The password of the user

  187. 	 *

  188. 	 * @return DataResponse<Http::STATUS_OK, array{lastLogin: int}, array{}>|DataResponse<Http::STATUS_FORBIDDEN, array<empty>, array{}>

  189. 	 *

  190. 	 * 200: Password confirmation succeeded

  191. 	 * 403: Password confirmation failed

  192. 	 */

  193. 	#[UseSession]

  194. 	#[ApiRoute(verb: 'PUT', url: '/apppassword/confirm', root: '/core')]

  195. 	public function confirmUserPassword(string $password): DataResponse {

  196. 		$loginName = $this->userSession->getLoginName();

  197. 		$loginResult = $this->userManager->checkPassword($loginName, $password);

  198. 		if ($loginResult === false) {

  199. 			$response = new DataResponse([], Http::STATUS_FORBIDDEN);

  200. 			$response->throttle(['loginName' => $loginName]);

  201. 			return $response;

  202. 		}

  203. 

  204. 		$confirmTimestamp = time();

  205. 		$this->session->set('last-password-confirm', $confirmTimestamp);

  206. 		$this->throttler->resetDelay($this->request->getRemoteAddress(), 'sudo', ['loginName' => $loginName]);

  207. 		return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);

  208. 	}

  209. }