diff options
Diffstat (limited to 'apps/files/lib/Controller/OpenLocalEditorController.php')
| -rw-r--r-- | apps/files/lib/Controller/OpenLocalEditorController.php | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/apps/files/lib/Controller/OpenLocalEditorController.php b/apps/files/lib/Controller/OpenLocalEditorController.php new file mode 100644 index 00000000000..ff39c1fe0e7 --- /dev/null +++ b/apps/files/lib/Controller/OpenLocalEditorController.php @@ -0,0 +1,135 @@ +<?php + +declare(strict_types=1); + +/** + * @copyright Copyright (c) 2022 Joas Schilling <coding@schilljs.com> + * + * @author Joas Schilling <coding@schilljs.com> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\Files\Controller; + +use OCA\Files\Db\OpenLocalEditor; +use OCA\Files\Db\OpenLocalEditorMapper; +use OCP\AppFramework\Db\DoesNotExistException; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\DataResponse; +use OCP\AppFramework\OCSController; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\DB\Exception; +use OCP\IRequest; +use OCP\Security\ISecureRandom; +use Psr\Log\LoggerInterface; + +class OpenLocalEditorController extends OCSController { + public const TOKEN_LENGTH = 128; + public const TOKEN_DURATION = 600; // 10 Minutes + public const TOKEN_RETRIES = 50; + + protected ITimeFactory $timeFactory; + protected OpenLocalEditorMapper $mapper; + protected ISecureRandom $secureRandom; + protected LoggerInterface $logger; + protected ?string $userId; + + public function __construct( + string $appName, + IRequest $request, + ITimeFactory $timeFactory, + OpenLocalEditorMapper $mapper, + ISecureRandom $secureRandom, + LoggerInterface $logger, + ?string $userId + ) { + parent::__construct($appName, $request); + + $this->timeFactory = $timeFactory; + $this->mapper = $mapper; + $this->secureRandom = $secureRandom; + $this->logger = $logger; + $this->userId = $userId; + } + + /** + * @NoAdminRequired + * @UserRateThrottle(limit=10, period=120) + */ + public function create(string $path): DataResponse { + $pathHash = sha1($path); + + $entity = new OpenLocalEditor(); + $entity->setUserId($this->userId); + $entity->setPathHash($pathHash); + $entity->setExpirationTime($this->timeFactory->getTime() + self::TOKEN_DURATION); // Expire in 10 minutes + + for ($i = 1; $i <= self::TOKEN_RETRIES; $i++) { + $token = $this->secureRandom->generate(self::TOKEN_LENGTH, ISecureRandom::CHAR_ALPHANUMERIC); + $entity->setToken($token); + + try { + $this->mapper->insert($entity); + + return new DataResponse([ + 'userId' => $this->userId, + 'pathHash' => $pathHash, + 'expirationTime' => $entity->getExpirationTime(), + 'token' => $entity->getToken(), + ]); + } catch (Exception $e) { + if ($e->getCode() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) { + // Only retry on unique constraint violation + throw $e; + } + } + } + + $this->logger->error('Giving up after ' . self::TOKEN_RETRIES . ' retries to generate a unique local editor token for path hash: ' . $pathHash); + return new DataResponse([], Http::STATUS_INTERNAL_SERVER_ERROR); + } + + /** + * @NoAdminRequired + * @BruteForceProtection(action=openLocalEditor) + */ + public function validate(string $path, string $token): DataResponse { + $pathHash = sha1($path); + + try { + $entity = $this->mapper->verifyToken($this->userId, $pathHash, $token); + } catch (DoesNotExistException $e) { + $response = new DataResponse([], Http::STATUS_NOT_FOUND); + $response->throttle(['userId' => $this->userId, 'pathHash' => $pathHash]); + return $response; + } + + if ($entity->getExpirationTime() <= $this->timeFactory->getTime()) { + $this->mapper->delete($entity); + return new DataResponse([], Http::STATUS_NOT_FOUND); + } + + return new DataResponse([ + 'userId' => $this->userId, + 'pathHash' => $pathHash, + 'expirationTime' => $entity->getExpirationTime(), + 'token' => $entity->getToken(), + ]); + } + +} |