diff options
Diffstat (limited to 'apps/provisioning_api/lib/Controller/VerificationController.php')
| -rw-r--r-- | apps/provisioning_api/lib/Controller/VerificationController.php | 84 |
1 files changed, 33 insertions, 51 deletions
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php index f16f50385e7..70535c4906c 100644 --- a/apps/provisioning_api/lib/Controller/VerificationController.php +++ b/apps/provisioning_api/lib/Controller/VerificationController.php @@ -3,25 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <https://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OCA\Provisioning_API\Controller; @@ -30,6 +13,10 @@ use InvalidArgumentException; use OC\Security\Crypto; use OCP\Accounts\IAccountManager; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\BruteForceProtection; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\NoCSRFRequired; +use OCP\AppFramework\Http\Attribute\OpenAPI; use OCP\AppFramework\Http\TemplateResponse; use OCP\IL10N; use OCP\IRequest; @@ -38,49 +25,35 @@ use OCP\IUserSession; use OCP\Security\VerificationToken\InvalidTokenException; use OCP\Security\VerificationToken\IVerificationToken; +#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] class VerificationController extends Controller { - /** @var IVerificationToken */ - private $verificationToken; - /** @var IUserManager */ - private $userManager; - /** @var IL10N */ - private $l10n; - /** @var IUserSession */ - private $userSession; - /** @var IAccountManager */ - private $accountManager; /** @var Crypto */ private $crypto; public function __construct( string $appName, IRequest $request, - IVerificationToken $verificationToken, - IUserManager $userManager, - IL10N $l10n, - IUserSession $userSession, - IAccountManager $accountManager, - Crypto $crypto + private IVerificationToken $verificationToken, + private IUserManager $userManager, + private IL10N $l10n, + private IUserSession $userSession, + private IAccountManager $accountManager, + Crypto $crypto, ) { parent::__construct($appName, $request); - $this->verificationToken = $verificationToken; - $this->userManager = $userManager; - $this->l10n = $l10n; - $this->userSession = $userSession; - $this->accountManager = $accountManager; $this->crypto = $crypto; } /** - * @NoCSRFRequired - * @NoAdminRequired * @NoSubAdminRequired */ - public function showVerifyMail(string $token, string $userId, string $key) { + #[NoAdminRequired] + #[NoCSRFRequired] + public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse { if ($this->userSession->getUser()->getUID() !== $userId) { // not a public page, hence getUser() must return an IUser - throw new InvalidArgumentException('Logged in user is not mail address owner'); + throw new InvalidArgumentException('Logged in account is not mail address owner'); } $email = $this->crypto->decrypt($key); @@ -93,13 +66,15 @@ class VerificationController extends Controller { } /** - * @NoAdminRequired * @NoSubAdminRequired */ - public function verifyMail(string $token, string $userId, string $key) { + #[NoAdminRequired] + #[BruteForceProtection(action: 'emailVerification')] + public function verifyMail(string $token, string $userId, string $key): TemplateResponse { + $throttle = false; try { if ($this->userSession->getUser()->getUID() !== $userId) { - throw new InvalidArgumentException('Logged in user is not mail address owner'); + throw new InvalidArgumentException('Logged in account is not mail address owner'); } $email = $this->crypto->decrypt($key); $ref = \substr(hash('sha256', $email), 0, 8); @@ -118,9 +93,12 @@ class VerificationController extends Controller { $this->accountManager->updateAccount($userAccount); $this->verificationToken->delete($token, $user, 'verifyMail' . $ref); } catch (InvalidTokenException $e) { - $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED - ? $this->l10n->t('Could not verify mail because the token is expired.') - : $this->l10n->t('Could not verify mail because the token is invalid.'); + if ($e->getCode() === InvalidTokenException::TOKEN_EXPIRED) { + $error = $this->l10n->t('Could not verify mail because the token is expired.'); + } else { + $throttle = true; + $error = $this->l10n->t('Could not verify mail because the token is invalid.'); + } } catch (InvalidArgumentException $e) { $error = $e->getMessage(); } catch (\Exception $e) { @@ -128,10 +106,14 @@ class VerificationController extends Controller { } if (isset($error)) { - return new TemplateResponse( + $response = new TemplateResponse( 'core', 'error', [ 'errors' => [['error' => $error]] ], TemplateResponse::RENDER_AS_GUEST); + if ($throttle) { + $response->throttle(); + } + return $response; } return new TemplateResponse( |