From 6a16df728858de1a021d27c1406c2cf1dfd86784 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 24 Apr 2017 21:11:48 +0200 Subject: Add new auth flow This implements the basics for the new app-password based authentication flow for our clients. The current implementation tries to keep it as simple as possible and works the following way: 1. Unauthenticated client opens `/index.php/login/flow` 2. User will be asked whether they want to grant access to the client 3. If accepted the user has the chance to do so using existing App Token or automatically generate an app password. If the user chooses to use an existing app token then that one will simply be redirected to the `nc://` protocol handler. While we can improve on that in the future, I think keeping this smaller at the moment has its advantages. Also, in the near future we have to think about an automatic migration endpoint so there's that anyways :-) If the user chooses to use the regular login the following happens: 1. A session state token is written to the session 2. User is redirected to the login page 3. If successfully authenticated they will be redirected to a page redirecting to the POST controller 4. The POST controller will check if the CSRF token as well as the state token is correct, if yes the user will be redirected to the `nc://` protocol handler. This approach is quite simple but also allows to be extended in the future. One could for example allow external websites to consume this authentication endpoint as well. Signed-off-by: Lukas Reschke --- core/templates/loginflow/authpicker.php | 57 +++++++++++++++++++++++++++++++++ core/templates/loginflow/redirect.php | 34 ++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 core/templates/loginflow/authpicker.php create mode 100644 core/templates/loginflow/redirect.php (limited to 'core/templates') 
diff --git a/core/templates/loginflow/authpicker.php b/core/templates/loginflow/authpicker.php
new file mode 100644
index 00000000000..c5eb6cb316d
--- /dev/null
+++ b/core/templates/loginflow/authpicker.php
@@ -0,0 +1,57 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+script('core', 'login/authpicker');
+style('core', 'login/authpicker');
+
+/** @var array $_ */
+/** @var \OCP\IURLGenerator $urlGenerator */
+$urlGenerator = $_['urlGenerator'];
+?>
+
+
+

+ t('You are about to grant "%s" access to your %s account.', [$_['client'], $_['instanceName']])) ?> +

+ +
+ + + + +
+ +t('Alternative login using app token')) ?>
diff --git a/core/templates/loginflow/redirect.php b/core/templates/loginflow/redirect.php
new file mode 100644
index 00000000000..544dcab8312
--- /dev/null
+++ b/core/templates/loginflow/redirect.php
@@ -0,0 +1,34 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+script('core', 'login/redirect');
+
+/** @var array $_ */
+/** @var \OCP\IURLGenerator $urlGenerator */
+$urlGenerator = $_['urlGenerator'];
+?>
+
+t('Redirecting…')) ?>
+
+
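Review bot: In authpicker.php the consent sentence `'You are about to grant "%s" access to your %s account.'` shows `$_['client']` as the identity of the requesting client, and that name is all the user has to decide on the grant. Its origin is outside this patch (limited to core/templates); if the controller fills it from something the client sends, any caller can present itself under a trusted app's name, which matters more once external websites may use the endpoint, as the description anticipates. I would map known clients to fixed display names in the controller and otherwise word the prompt as self-reported, e.g. `'An application identifying itself as "%s" is requesting access to your %s account.'`. The markup around the string is not visible in this view, so it is also worth confirming that the value is emitted through the escaping helper `p()` rather than `print_unescaped()`.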
+ + + +
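Review bot: The `/** @var array $_ */` docblock in redirect.php does not say which keys the template reads, and the form fields that carry them are not visible in this view. The description makes the state token one of the two values the POST controller verifies, and the next commit in this series is a fix to its casing, so the contract between controller and template is worth writing down next to the docblock. A short comment listing the expected keys (`urlGenerator` is the only one that can be read off the hunk) and noting that the state token must be passed through unchanged would do; authpicker.php, which reads `client`, `instanceName` and `urlGenerator`, has the same gap.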
-- cgit v1.2.3 From 05e1092c44196d840d02657f54c15e91bf3b0622 Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Tue, 25 Apr 2017 09:50:07 +0200 Subject: Correctly case the stateToken Signed-off-by: Roeland Jago Douma --- core/templates/loginflow/redirect.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/templates')
diff --git a/core/templates/loginflow/redirect.php b/core/templates/loginflow/redirect.php
index 544dcab8312..9e51d1fcb26 100644
--- a/core/templates/loginflow/redirect.php
+++ b/core/templates/loginflow/redirect.php
@@ -29,6 +29,6 @@ $urlGenerator = $_['urlGenerator'];
- +
-- cgit v1.2.3 From 61af3f41f028103be677e0363cebf13bd6b582ea Mon Sep 17 00:00:00 2001 From: Jan-Christoph Borchardt Date: Tue, 25 Apr 2017 15:47:08 +0200 Subject: Fix auth flow background color and redirect view layout Signed-off-by: Jan-Christoph Borchardt --- core/css/login/authpicker.css | 10 +++++++--- core/templates/loginflow/redirect.php | 5 ++++- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'core/templates')
diff --git a/core/css/login/authpicker.css b/core/css/login/authpicker.css
index d0f32173d25..85016ee6a0e 100644
--- a/core/css/login/authpicker.css
+++ b/core/css/login/authpicker.css
@@ -1,5 +1,9 @@
 .picker-window {
- background: rgba(255,255,255,0.3);
+ display: block;
+ padding: 10px;
+ margin-bottom: 20px;
+ background-color: rgba(0,0,0,.3);
+ color: #fff;
 border-radius: 3px;
- margin-bottom:20px;
-}
\ No newline at end of file
+ cursor: default;
+}
diff --git a/core/templates/loginflow/redirect.php b/core/templates/loginflow/redirect.php
index 9e51d1fcb26..7ef0184f61f 100644
--- a/core/templates/loginflow/redirect.php
+++ b/core/templates/loginflow/redirect.php
@@ -19,13 +19,16 @@
 *
 */
 script('core', 'login/redirect');
+style('core', 'login/authpicker');
 /** @var array $_ */
 /** @var \OCP\IURLGenerator $urlGenerator */
 $urlGenerator = $_['urlGenerator'];
 ?>
-t('Redirecting…')) ?>
+
+

t('Redirecting …')) ?>

+
-- cgit v1.2.3