aboutsummaryrefslogtreecommitdiffstats
path: root/core/Command/User/AuthTokens
diff options
context:
space:
mode:
Diffstat (limited to 'core/Command/User/AuthTokens')
-rw-r--r--core/Command/User/AuthTokens/Add.php104
-rw-r--r--core/Command/User/AuthTokens/Delete.php104
-rw-r--r--core/Command/User/AuthTokens/ListCommand.php84
3 files changed, 292 insertions, 0 deletions
diff --git a/core/Command/User/AuthTokens/Add.php b/core/Command/User/AuthTokens/Add.php
new file mode 100644
index 00000000000..89b20535c63
--- /dev/null
+++ b/core/Command/User/AuthTokens/Add.php
@@ -0,0 +1,104 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\User\AuthTokens;
+
+use OC\Authentication\Events\AppPasswordCreatedEvent;
+use OC\Authentication\Token\IProvider;
+use OC\Authentication\Token\IToken;
+use OCP\EventDispatcher\IEventDispatcher;
+use OCP\IUserManager;
+use OCP\Security\ISecureRandom;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Helper\QuestionHelper;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Question\Question;
+
+class Add extends Command {
+ public function __construct(
+ protected IUserManager $userManager,
+ protected IProvider $tokenProvider,
+ private ISecureRandom $random,
+ private IEventDispatcher $eventDispatcher,
+ ) {
+ parent::__construct();
+ }
+
+ protected function configure() {
+ $this
+ ->setName('user:auth-tokens:add')
+ ->setAliases(['user:add-app-password'])
+ ->setDescription('Add app password for the named account')
+ ->addArgument(
+ 'user',
+ InputArgument::REQUIRED,
+ 'Login to add app password for'
+ )
+ ->addOption(
+ 'password-from-env',
+ null,
+ InputOption::VALUE_NONE,
+ 'Read password from environment variable NC_PASS/OC_PASS. Alternatively it will be asked for interactively or an app password without the login password will be created.'
+ )
+ ;
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output): int {
+ $username = $input->getArgument('user');
+ $password = null;
+
+ $user = $this->userManager->get($username);
+ if (is_null($user)) {
+ $output->writeln('<error>Account does not exist</error>');
+ return 1;
+ }
+
+ if ($input->getOption('password-from-env')) {
+ $password = getenv('NC_PASS') ?: getenv('OC_PASS');
+ if (!$password) {
+ $output->writeln('<error>--password-from-env given, but NC_PASS/OC_PASS is empty!</error>');
+ return 1;
+ }
+ } elseif ($input->isInteractive()) {
+ /** @var QuestionHelper $helper */
+ $helper = $this->getHelper('question');
+
+ $question = new Question('Enter the account password: ');
+ $question->setHidden(true);
+ /** @var null|string $password */
+ $password = $helper->ask($input, $output, $question);
+ }
+
+ if ($password === null) {
+ $output->writeln('<info>No password provided. The generated app password will therefore have limited capabilities. Any operation that requires the login password will fail.</info>');
+ }
+
+ $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_LOWER . ISecureRandom::CHAR_DIGITS);
+ $generatedToken = $this->tokenProvider->generateToken(
+ $token,
+ $user->getUID(),
+ $user->getUID(),
+ $password,
+ 'cli',
+ IToken::PERMANENT_TOKEN,
+ IToken::DO_NOT_REMEMBER
+ );
+
+ $this->eventDispatcher->dispatchTyped(
+ new AppPasswordCreatedEvent($generatedToken)
+ );
+
+ $output->writeln('app password:');
+ $output->writeln($token);
+
+ return 0;
+ }
+}
diff --git a/core/Command/User/AuthTokens/Delete.php b/core/Command/User/AuthTokens/Delete.php
new file mode 100644
index 00000000000..2047d2eae2a
--- /dev/null
+++ b/core/Command/User/AuthTokens/Delete.php
@@ -0,0 +1,104 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\User\AuthTokens;
+
+use DateTimeImmutable;
+use OC\Authentication\Token\IProvider;
+use OC\Core\Command\Base;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Exception\RuntimeException;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class Delete extends Base {
+ public function __construct(
+ protected IProvider $tokenProvider,
+ ) {
+ parent::__construct();
+ }
+
+ protected function configure(): void {
+ $this
+ ->setName('user:auth-tokens:delete')
+ ->setDescription('Deletes an authentication token')
+ ->addArgument(
+ 'uid',
+ InputArgument::REQUIRED,
+ 'ID of the user to delete tokens for'
+ )
+ ->addArgument(
+ 'id',
+ InputArgument::OPTIONAL,
+ 'ID of the auth token to delete'
+ )
+ ->addOption(
+ 'last-used-before',
+ null,
+ InputOption::VALUE_REQUIRED,
+ 'Delete tokens last used before a given date.'
+ );
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output): int {
+ $uid = $input->getArgument('uid');
+ $id = (int)$input->getArgument('id');
+ $before = $input->getOption('last-used-before');
+
+ if ($before) {
+ if ($id) {
+ throw new RuntimeException('Option --last-used-before cannot be used with [<id>]');
+ }
+
+ return $this->deleteLastUsedBefore($uid, $before);
+ }
+
+ if (!$id) {
+ throw new RuntimeException('Not enough arguments. Specify the token <id> or use the --last-used-before option.');
+ }
+ return $this->deleteById($uid, $id);
+ }
+
+ protected function deleteById(string $uid, int $id): int {
+ $this->tokenProvider->invalidateTokenById($uid, $id);
+
+ return Command::SUCCESS;
+ }
+
+ protected function deleteLastUsedBefore(string $uid, string $before): int {
+ $date = $this->parseDateOption($before);
+ if (!$date) {
+ throw new RuntimeException('Invalid date format. Acceptable formats are: ISO8601 (w/o fractions), "YYYY-MM-DD" and Unix time in seconds.');
+ }
+
+ $this->tokenProvider->invalidateLastUsedBefore($uid, $date->getTimestamp());
+
+ return Command::SUCCESS;
+ }
+
+ /**
+ * @return \DateTimeImmutable|false
+ */
+ protected function parseDateOption(string $input) {
+ $date = false;
+
+ // Handle Unix timestamp
+ if (filter_var($input, FILTER_VALIDATE_INT)) {
+ return new DateTimeImmutable('@' . $input);
+ }
+
+ // ISO8601
+ $date = DateTimeImmutable::createFromFormat(DateTimeImmutable::ATOM, $input);
+ if ($date) {
+ return $date;
+ }
+
+ // YYYY-MM-DD
+ return DateTimeImmutable::createFromFormat('!Y-m-d', $input);
+ }
+}
diff --git a/core/Command/User/AuthTokens/ListCommand.php b/core/Command/User/AuthTokens/ListCommand.php
new file mode 100644
index 00000000000..b36aa717505
--- /dev/null
+++ b/core/Command/User/AuthTokens/ListCommand.php
@@ -0,0 +1,84 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\User\AuthTokens;
+
+use OC\Authentication\Token\IProvider;
+use OC\Authentication\Token\IToken;
+use OC\Core\Command\Base;
+use OCP\IUserManager;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class ListCommand extends Base {
+ public function __construct(
+ protected IUserManager $userManager,
+ protected IProvider $tokenProvider,
+ ) {
+ parent::__construct();
+ }
+
+ protected function configure(): void {
+ parent::configure();
+
+ $this
+ ->setName('user:auth-tokens:list')
+ ->setDescription('List authentication tokens of an user')
+ ->addArgument(
+ 'user',
+ InputArgument::REQUIRED,
+ 'User to list auth tokens for'
+ );
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output): int {
+ $user = $this->userManager->get($input->getArgument('user'));
+
+ if (is_null($user)) {
+ $output->writeln('<error>user not found</error>');
+ return 1;
+ }
+
+ $tokens = $this->tokenProvider->getTokenByUser($user->getUID());
+
+ $tokens = array_map(function (IToken $token) use ($input): mixed {
+ $sensitive = [
+ 'password',
+ 'password_hash',
+ 'token',
+ 'public_key',
+ 'private_key',
+ ];
+ $data = array_diff_key($token->jsonSerialize(), array_flip($sensitive));
+
+ if ($input->getOption('output') === self::OUTPUT_FORMAT_PLAIN) {
+ $data = $this->formatTokenForPlainOutput($data);
+ }
+
+ return $data;
+ }, $tokens);
+
+ $this->writeTableInOutputFormat($input, $output, $tokens);
+
+ return 0;
+ }
+
+ public function formatTokenForPlainOutput(array $token): array {
+ $token['scope'] = implode(', ', array_keys(array_filter($token['scope'] ?? [])));
+
+ $token['lastActivity'] = date(DATE_ATOM, $token['lastActivity']);
+
+ $token['type'] = match ($token['type']) {
+ IToken::TEMPORARY_TOKEN => 'temporary',
+ IToken::PERMANENT_TOKEN => 'permanent',
+ IToken::WIPE_TOKEN => 'wipe',
+ default => $token['type'],
+ };
+
+ return $token;
+ }
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-15 08:10:53 +0000