diff options
author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2021-08-28 00:07:23 +0200 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2021-09-09 19:23:04 +0200 |
commit | 0dee717c94468afeb139d9e8d9322b5fd26974b6 (patch) | |
tree | 3a286343cca070b5c3c4473078cebb909af4b7a2 | |
parent | a20de15b4388e4d57b0fb26eaeca98cd6ba817f8 (diff) | |
download | nextcloud-server-0dee717c94468afeb139d9e8d9322b5fd26974b6.tar.gz nextcloud-server-0dee717c94468afeb139d9e8d9322b5fd26974b6.zip |
Confirm mails only per POST
- this is to avoid automatic confirmation by certain softwares that open
links
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 files changed, 57 insertions, 3 deletions
diff --git a/apps/provisioning_api/appinfo/routes.php b/apps/provisioning_api/appinfo/routes.php index 81a5bb94e02..54d550260b8 100644 --- a/apps/provisioning_api/appinfo/routes.php +++ b/apps/provisioning_api/appinfo/routes.php @@ -76,6 +76,7 @@ return [ ], 'routes' => [ // Verification - ['name' => 'Verification#verifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'GET'], + ['name' => 'Verification#showVerifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'GET'], + ['name' => 'Verification#verifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'POST'], ] ]; diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php index b248d3e8285..c4ddd1e644d 100644 --- a/apps/provisioning_api/lib/Controller/VerificationController.php +++ b/apps/provisioning_api/lib/Controller/VerificationController.php @@ -74,6 +74,27 @@ class VerificationController extends Controller { /** * @NoCSRFRequired + * @NoAdminRequired + * @NoSubAdminRequired + */ + public function showVerifyMail(string $token, string $userId, string $key) { + if ($this->userSession->getUser()->getUID() !== $userId) { + // not a public page, hence getUser() must return an IUser + throw new InvalidArgumentException('Logged in user is not mail address owner'); + } + $email = $this->crypto->decrypt($key); + + return new TemplateResponse( + 'core', 'confirmation', [ + 'title' => $this->l10n->t('Email confirmation'), + 'message' => $this->l10n->t('To enable the email address %s please click the button below.', [$email]), + 'action' => $this->l10n->t('Confirm'), + ], TemplateResponse::RENDER_AS_GUEST); + } + + /** + * @NoAdminRequired + * @NoSubAdminRequired */ public function verifyMail(string $token, string $userId, string $key) { try { @@ -95,6 +116,7 @@ class VerificationController extends Controller { } $emailProperty->setLocallyVerified(IAccountManager::VERIFIED); $this->accountManager->updateAccount($userAccount); + $this->verificationToken->delete($token, $user, 'verifyMail' . $ref); } catch (InvalidTokenException $e) { $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED ? $this->l10n->t('Could not verify mail because the token is expired.') @@ -109,13 +131,13 @@ class VerificationController extends Controller { return new TemplateResponse( 'core', 'error', [ 'errors' => [['error' => $error]] - ], 'guest'); + ], TemplateResponse::RENDER_AS_GUEST); } return new TemplateResponse( 'core', 'success', [ 'title' => $this->l10n->t('Email confirmation successful'), 'message' => $this->l10n->t('Email confirmation successful'), - ], 'guest'); + ], TemplateResponse::RENDER_AS_GUEST); } } diff --git a/core/templates/confirmation.php b/core/templates/confirmation.php new file mode 100644 index 00000000000..26014cd1e79 --- /dev/null +++ b/core/templates/confirmation.php @@ -0,0 +1,20 @@ +<?php +/** @var array $_ */ +/** @var \OCP\IL10N $l */ +/** @var \OCP\Defaults $theme */ + +?> + +<div class="update"> + <form method="POST" action="<?php print_unescaped($_['targetUrl']);?>"> + <h2><?php p($_['title']) ?></h2> + <p><?php p($_['message']) ?></p> + <div class="buttons"> + <input type="submit" class="primary" value="<?php p($_['action']); ?>"> + </div> + <?php foreach ($_['parameters'] as $name => $value) {?> + <input type="hidden" name="<?php p($name); ?>" value="<?php p($value); ?>"> + <?php } ?> + <input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>"> + </form> +</div> diff --git a/lib/private/Security/VerificationToken/VerificationToken.php b/lib/private/Security/VerificationToken/VerificationToken.php index ff3cb90727a..c85e0e7b5a1 100644 --- a/lib/private/Security/VerificationToken/VerificationToken.php +++ b/lib/private/Security/VerificationToken/VerificationToken.php @@ -122,4 +122,8 @@ class VerificationToken implements IVerificationToken { return $token; } + + public function delete(string $token, IUser $user, string $subject): void { + $this->config->deleteUserValue($user->getUID(), 'core', $subject); + } } diff --git a/lib/public/Security/VerificationToken/IVerificationToken.php b/lib/public/Security/VerificationToken/IVerificationToken.php index c5f19e5de7f..e1d9203ec3b 100644 --- a/lib/public/Security/VerificationToken/IVerificationToken.php +++ b/lib/public/Security/VerificationToken/IVerificationToken.php @@ -52,4 +52,11 @@ interface IVerificationToken { * @since 23.0.0 */ public function create(IUser $user, string $subject, string $passwordPrefix = ''): string; + + /** + * Deletes the token identified by the provided parameters + * + * @since 23.0.0 + */ + public function delete(string $token, IUser $user, string $subject): void; } |