aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/AppFramework/Middleware/Security
diff options
context:
space:
mode:
authorMorris Jobke <hey@morrisjobke.de>2016-11-18 15:42:30 +0100
committerGitHub <noreply@github.com>2016-11-18 15:42:30 +0100
commit332eaec4c01356d0b2119d4ec8fe07fa492d031b (patch)
tree3f89772129059801fd6768985aed9f7785a1791c /lib/private/AppFramework/Middleware/Security
parentfaee255ff47873ed2f8908c7d6b6e603ded11618 (diff)
parent3ffd9a755f60761d6a1f5fa3d02d07b4c2e68972 (diff)
downloadnextcloud-server-332eaec4c01356d0b2119d4ec8fe07fa492d031b.tar.gz
nextcloud-server-332eaec4c01356d0b2119d4ec8fe07fa492d031b.zip
Merge pull request #1447 from nextcloud/password-confirmation-for-some-actions
Password confirmation for some actions
Diffstat (limited to 'lib/private/AppFramework/Middleware/Security')
-rw-r--r--lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php37
-rw-r--r--lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php14
2 files changed, 51 insertions, 0 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php b/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php
new file mode 100644
index 00000000000..1ecd463b004
--- /dev/null
+++ b/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php
@@ -0,0 +1,37 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\AppFramework\Middleware\Security\Exceptions;
+
+use OCP\AppFramework\Http;
+
+/**
+ * Class NotConfirmedException is thrown when a resource has been requested by a
+ * user that has not confirmed their password in the last 30 minutes.
+ *
+ * @package OC\AppFramework\Middleware\Security\Exceptions
+ */
+class NotConfirmedException extends SecurityException {
+ public function __construct() {
+ parent::__construct('Password confirmation is required', Http::STATUS_FORBIDDEN);
+ }
+}
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 183e55740ea..d5f7a7660a7 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -32,6 +32,7 @@ namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
+use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
use OC\AppFramework\Utility\ControllerMethodReflector;
@@ -47,6 +48,7 @@ use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\OCSController;
use OCP\INavigationManager;
+use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IRequest;
use OCP\ILogger;
@@ -73,6 +75,8 @@ class SecurityMiddleware extends Middleware {
private $urlGenerator;
/** @var ILogger */
private $logger;
+ /** @var ISession */
+ private $session;
/** @var bool */
private $isLoggedIn;
/** @var bool */
@@ -90,6 +94,7 @@ class SecurityMiddleware extends Middleware {
* @param INavigationManager $navigationManager
* @param IURLGenerator $urlGenerator
* @param ILogger $logger
+ * @param ISession $session
* @param string $appName
* @param bool $isLoggedIn
* @param bool $isAdminUser
@@ -102,6 +107,7 @@ class SecurityMiddleware extends Middleware {
INavigationManager $navigationManager,
IURLGenerator $urlGenerator,
ILogger $logger,
+ ISession $session,
$appName,
$isLoggedIn,
$isAdminUser,
@@ -114,6 +120,7 @@ class SecurityMiddleware extends Middleware {
$this->appName = $appName;
$this->urlGenerator = $urlGenerator;
$this->logger = $logger;
+ $this->session = $session;
$this->isLoggedIn = $isLoggedIn;
$this->isAdminUser = $isAdminUser;
$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
@@ -150,6 +157,13 @@ class SecurityMiddleware extends Middleware {
}
}
+ if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
+ $lastConfirm = (int) $this->session->get('last-password-confirm');
+ if ($lastConfirm < (time() - (30 * 60 + 15))) { // allow 15 seconds delay
+ throw new NotConfirmedException();
+ }
+ }
+
// Check for strict cookie requirement
if($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) {
if(!$this->request->passesStrictCookieCheck()) {