authorJoas Schilling <coding@schilljs.com>2016-09-19 16:03:03 +0200
committerLukas Reschke <lukas@statuscode.ch>2016-11-18 11:57:16 +0100
commit827b6a610e877969f8b6ab294f71a27657788ef0 (patch)
tree84c617eefd7f4b434199bfeb1b1fc6fa59255356 /lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
parentd75e35b75e9d70e511bee2c9fc830825363a4fd6 (diff)
Introduce PasswordConfirmRequired annotation
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php')
-rw-r--r--lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php14
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 183e55740ea..81cc09c7f54 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -32,6 +32,7 @@ namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
+use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
use OC\AppFramework\Utility\ControllerMethodReflector;
@@ -47,6 +48,7 @@ use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\OCSController;
use OCP\INavigationManager;
+use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IRequest;
use OCP\ILogger;
@@ -73,6 +75,8 @@ class SecurityMiddleware extends Middleware {
private $urlGenerator;
/** @var ILogger */
private $logger;
+ /** @var ISession */
+ private $session;
/** @var bool */
private $isLoggedIn;
/** @var bool */
@@ -90,6 +94,7 @@ class SecurityMiddleware extends Middleware {
* @param INavigationManager $navigationManager
* @param IURLGenerator $urlGenerator
* @param ILogger $logger
+ * @param ISession $session
* @param string $appName
* @param bool $isLoggedIn
* @param bool $isAdminUser
@@ -102,6 +107,7 @@ class SecurityMiddleware extends Middleware {
INavigationManager $navigationManager,
IURLGenerator $urlGenerator,
ILogger $logger,
+ ISession $session,
$appName,
$isLoggedIn,
$isAdminUser,
@@ -114,6 +120,7 @@ class SecurityMiddleware extends Middleware {
$this->appName = $appName;
$this->urlGenerator = $urlGenerator;
$this->logger = $logger;
+ $this->session = $session;
$this->isLoggedIn = $isLoggedIn;
$this->isAdminUser = $isAdminUser;
$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
@@ -150,6 +157,13 @@ class SecurityMiddleware extends Middleware {
}
}
+ if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
+ $lastConfirm = (int) $this->session->get('last-password-confirm');
+ if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ throw new NotConfirmedException();
+ }
+ }
+
// Check for strict cookie requirement
if($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) {
if(!$this->request->passesStrictCookieCheck()) {
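Review bot: The 15-second slack in `if ($lastConfirm < (time() - 30 * 60 + 15))` goes the wrong way: without parentheses this is `time() - 1800 + 15`, so a confirmation older than 29 minutes 45 seconds is rejected, i.e. the window is shortened rather than extended as the "allow 15 seconds delay" comment suggests. If the intent is a 30-minute window that tolerates a client being up to 15 seconds late, the slack belongs inside the subtraction: `if ($lastConfirm < (time() - (30 * 60 + 15))) { // 30-minute window plus 15 s of client tolerance`. The commit title says `PasswordConfirmRequired` while the code matches `PasswordConfirmationRequired`; since `hasAnnotation` is a plain string comparison, a controller written against the title's spelling would silently get no confirmation check at all, so the canonical name should be settled and documented once. The `(int)` cast of a missing `last-password-confirm` key yields 0 and so fails closed, which deserves a note rather than being left implicit: `// missing or non-numeric key casts to 0 and is treated as "never confirmed"`. The enclosing method starts outside the hunk.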