* @throws OCSForbiddenException Creating app password is not allowed * * 200: App password returned */ #[NoAdminRequired] #[PasswordConfirmationRequired] #[ApiRoute(verb: 'GET', url: '/getapppassword', root: '/core')] public function getAppPassword(): DataResponse { // We do not allow the creation of new tokens if this is an app password if ($this->session->exists('app_password')) { throw new OCSForbiddenException('You cannot request an new apppassword with an apppassword'); } try { $credentials = $this->credentialStore->getLoginCredentials(); } catch (CredentialsUnavailableException $e) { throw new OCSForbiddenException(); } try { $password = $credentials->getPassword(); } catch (PasswordUnavailableException $e) { $password = null; } $userAgent = $this->request->getHeader('USER_AGENT'); $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); $generatedToken = $this->tokenProvider->generateToken( $token, $credentials->getUID(), $credentials->getLoginName(), $password, $userAgent, IToken::PERMANENT_TOKEN, IToken::DO_NOT_REMEMBER ); $this->eventDispatcher->dispatchTyped( new AppPasswordCreatedEvent($generatedToken) ); return new DataResponse([ 'apppassword' => $token ]); } /** * Delete app password * * @return DataResponse, array{}> * @throws OCSForbiddenException Deleting app password is not allowed * * 200: App password deleted successfully */ #[NoAdminRequired] #[ApiRoute(verb: 'DELETE', url: '/apppassword', root: '/core')] public function deleteAppPassword(): DataResponse { if (!$this->session->exists('app_password')) { throw new OCSForbiddenException('no app password in use'); } $appPassword = $this->session->get('app_password'); try { $token = $this->tokenProvider->getToken($appPassword); } catch (InvalidTokenException $e) { throw new OCSForbiddenException('could not remove apptoken'); } $this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId()); return new DataResponse(); } /** * Rotate app password * * @return DataResponse * @throws OCSForbiddenException Rotating app password is not allowed * * 200: App password returned */ #[NoAdminRequired] #[ApiRoute(verb: 'POST', url: '/apppassword/rotate', root: '/core')] public function rotateAppPassword(): DataResponse { if (!$this->session->exists('app_password')) { throw new OCSForbiddenException('no app password in use'); } $appPassword = $this->session->get('app_password'); try { $token = $this->tokenProvider->getToken($appPassword); } catch (InvalidTokenException $e) { throw new OCSForbiddenException('could not rotate apptoken'); } $newToken = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); $this->tokenProvider->rotate($token, $appPassword, $newToken); return new DataResponse([ 'apppassword' => $newToken, ]); } /** * Confirm the user password * * @param string $password The password of the user * * @return DataResponse|DataResponse, array{}> * * 200: Password confirmation succeeded * 403: Password confirmation failed */ #[NoAdminRequired] #[BruteForceProtection(action: 'sudo')] #[UseSession] #[ApiRoute(verb: 'PUT', url: '/apppassword/confirm', root: '/core')] public function confirmUserPassword(string $password): DataResponse { $loginName = $this->userSession->getLoginName(); $loginResult = $this->userManager->checkPassword($loginName, $password); if ($loginResult === false) { $response = new DataResponse([], Http::STATUS_FORBIDDEN); $response->throttle(['loginName' => $loginName]); return $response; } $confirmTimestamp = time(); $this->session->set('last-password-confirm', $confirmTimestamp); $this->throttler->resetDelay($this->request->getRemoteAddress(), 'sudo', ['loginName' => $loginName]); return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK); } }