aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArthur Schiwon <blizzz@arthur-schiwon.de>2021-08-28 00:07:23 +0200
committerArthur Schiwon <blizzz@arthur-schiwon.de>2021-09-09 19:23:04 +0200
commit0dee717c94468afeb139d9e8d9322b5fd26974b6 (patch)
tree3a286343cca070b5c3c4473078cebb909af4b7a2
parenta20de15b4388e4d57b0fb26eaeca98cd6ba817f8 (diff)
downloadnextcloud-server-0dee717c94468afeb139d9e8d9322b5fd26974b6.tar.gz
nextcloud-server-0dee717c94468afeb139d9e8d9322b5fd26974b6.zip
Confirm mails only per POST
- this is to avoid automatic confirmation by certain softwares that open links Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
-rw-r--r--apps/provisioning_api/appinfo/routes.php3
-rw-r--r--apps/provisioning_api/lib/Controller/VerificationController.php26
-rw-r--r--core/templates/confirmation.php20
-rw-r--r--lib/private/Security/VerificationToken/VerificationToken.php4
-rw-r--r--lib/public/Security/VerificationToken/IVerificationToken.php7
5 files changed, 57 insertions, 3 deletions
diff --git a/apps/provisioning_api/appinfo/routes.php b/apps/provisioning_api/appinfo/routes.php
index 81a5bb94e02..54d550260b8 100644
--- a/apps/provisioning_api/appinfo/routes.php
+++ b/apps/provisioning_api/appinfo/routes.php
@@ -76,6 +76,7 @@ return [
],
'routes' => [
// Verification
- ['name' => 'Verification#verifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'GET'],
+ ['name' => 'Verification#showVerifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'GET'],
+ ['name' => 'Verification#verifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'POST'],
]
];
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php
index b248d3e8285..c4ddd1e644d 100644
--- a/apps/provisioning_api/lib/Controller/VerificationController.php
+++ b/apps/provisioning_api/lib/Controller/VerificationController.php
@@ -74,6 +74,27 @@ class VerificationController extends Controller {
/**
* @NoCSRFRequired
+ * @NoAdminRequired
+ * @NoSubAdminRequired
+ */
+ public function showVerifyMail(string $token, string $userId, string $key) {
+ if ($this->userSession->getUser()->getUID() !== $userId) {
+ // not a public page, hence getUser() must return an IUser
+ throw new InvalidArgumentException('Logged in user is not mail address owner');
+ }
+ $email = $this->crypto->decrypt($key);
+
+ return new TemplateResponse(
+ 'core', 'confirmation', [
+ 'title' => $this->l10n->t('Email confirmation'),
+ 'message' => $this->l10n->t('To enable the email address %s please click the button below.', [$email]),
+ 'action' => $this->l10n->t('Confirm'),
+ ], TemplateResponse::RENDER_AS_GUEST);
+ }
+
+ /**
+ * @NoAdminRequired
+ * @NoSubAdminRequired
*/
public function verifyMail(string $token, string $userId, string $key) {
try {
@@ -95,6 +116,7 @@ class VerificationController extends Controller {
}
$emailProperty->setLocallyVerified(IAccountManager::VERIFIED);
$this->accountManager->updateAccount($userAccount);
+ $this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
} catch (InvalidTokenException $e) {
$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
? $this->l10n->t('Could not verify mail because the token is expired.')
@@ -109,13 +131,13 @@ class VerificationController extends Controller {
return new TemplateResponse(
'core', 'error', [
'errors' => [['error' => $error]]
- ], 'guest');
+ ], TemplateResponse::RENDER_AS_GUEST);
}
return new TemplateResponse(
'core', 'success', [
'title' => $this->l10n->t('Email confirmation successful'),
'message' => $this->l10n->t('Email confirmation successful'),
- ], 'guest');
+ ], TemplateResponse::RENDER_AS_GUEST);
}
}
diff --git a/core/templates/confirmation.php b/core/templates/confirmation.php
new file mode 100644
index 00000000000..26014cd1e79
--- /dev/null
+++ b/core/templates/confirmation.php
@@ -0,0 +1,20 @@
+<?php
+/** @var array $_ */
+/** @var \OCP\IL10N $l */
+/** @var \OCP\Defaults $theme */
+
+?>
+
+<div class="update">
+ <form method="POST" action="<?php print_unescaped($_['targetUrl']);?>">
+ <h2><?php p($_['title']) ?></h2>
+ <p><?php p($_['message']) ?></p>
+ <div class="buttons">
+ <input type="submit" class="primary" value="<?php p($_['action']); ?>">
+ </div>
+ <?php foreach ($_['parameters'] as $name => $value) {?>
+ <input type="hidden" name="<?php p($name); ?>" value="<?php p($value); ?>">
+ <?php } ?>
+ <input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>">
+ </form>
+</div>
diff --git a/lib/private/Security/VerificationToken/VerificationToken.php b/lib/private/Security/VerificationToken/VerificationToken.php
index ff3cb90727a..c85e0e7b5a1 100644
--- a/lib/private/Security/VerificationToken/VerificationToken.php
+++ b/lib/private/Security/VerificationToken/VerificationToken.php
@@ -122,4 +122,8 @@ class VerificationToken implements IVerificationToken {
return $token;
}
+
+ public function delete(string $token, IUser $user, string $subject): void {
+ $this->config->deleteUserValue($user->getUID(), 'core', $subject);
+ }
}
diff --git a/lib/public/Security/VerificationToken/IVerificationToken.php b/lib/public/Security/VerificationToken/IVerificationToken.php
index c5f19e5de7f..e1d9203ec3b 100644
--- a/lib/public/Security/VerificationToken/IVerificationToken.php
+++ b/lib/public/Security/VerificationToken/IVerificationToken.php
@@ -52,4 +52,11 @@ interface IVerificationToken {
* @since 23.0.0
*/
public function create(IUser $user, string $subject, string $passwordPrefix = ''): string;
+
+ /**
+ * Deletes the token identified by the provided parameters
+ *
+ * @since 23.0.0
+ */
+ public function delete(string $token, IUser $user, string $subject): void;
}