AuthPublicShareController.php 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace OCP\AppFramework;
  8. use OCP\AppFramework\Http\Attribute\BruteForceProtection;
  9. use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
  10. use OCP\AppFramework\Http\Attribute\PublicPage;
  11. use OCP\AppFramework\Http\Attribute\UseSession;
  12. use OCP\AppFramework\Http\RedirectResponse;
  13. use OCP\AppFramework\Http\TemplateResponse;
  14. use OCP\IRequest;
  15. use OCP\ISession;
  16. use OCP\IURLGenerator;
  17. /**
  18. * Base controller for interactive public shares
  19. *
  20. * It will verify if the user is properly authenticated to the share. If not the
  21. * user will be redirected to an authentication page.
  22. *
  23. * Use this for a controller that is to be called directly by a user. So the
  24. * normal public share page for files/calendars etc.
  25. *
  26. * @since 14.0.0
  27. */
  28. abstract class AuthPublicShareController extends PublicShareController {
  29. /** @var IURLGenerator */
  30. protected $urlGenerator;
  31. /**
  32. * @since 14.0.0
  33. */
  34. public function __construct(string $appName,
  35. IRequest $request,
  36. ISession $session,
  37. IURLGenerator $urlGenerator) {
  38. parent::__construct($appName, $request, $session);
  39. $this->urlGenerator = $urlGenerator;
  40. }
  41. /**
  42. * Show the authentication page
  43. * The form has to submit to the authenticate method route
  44. *
  45. * @since 14.0.0
  46. */
  47. #[NoCSRFRequired]
  48. #[PublicPage]
  49. public function showAuthenticate(): TemplateResponse {
  50. return new TemplateResponse('core', 'publicshareauth', [], 'guest');
  51. }
  52. /**
  53. * The template to show when authentication failed
  54. *
  55. * @since 14.0.0
  56. */
  57. protected function showAuthFailed(): TemplateResponse {
  58. return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
  59. }
  60. /**
  61. * The template to show after user identification
  62. *
  63. * @since 24.0.0
  64. */
  65. protected function showIdentificationResult(bool $success): TemplateResponse {
  66. return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
  67. }
  68. /**
  69. * Validates that the provided identity is allowed to receive a temporary password
  70. *
  71. * @since 24.0.0
  72. */
  73. protected function validateIdentity(?string $identityToken = null): bool {
  74. return false;
  75. }
  76. /**
  77. * Generates a password
  78. *
  79. * @since 24.0.0
  80. */
  81. protected function generatePassword(): void {
  82. }
  83. /**
  84. * Verify the password
  85. *
  86. * @since 24.0.0
  87. */
  88. protected function verifyPassword(string $password): bool {
  89. return false;
  90. }
  91. /**
  92. * Function called after failed authentication
  93. *
  94. * You can use this to do some logging for example
  95. *
  96. * @since 14.0.0
  97. */
  98. protected function authFailed() {
  99. }
  100. /**
  101. * Function called after successful authentication
  102. *
  103. * You can use this to do some logging for example
  104. *
  105. * @since 14.0.0
  106. */
  107. protected function authSucceeded() {
  108. }
  109. /**
  110. * Authenticate the share
  111. *
  112. * @since 14.0.0
  113. */
  114. #[BruteForceProtection(action: 'publicLinkAuth')]
  115. #[PublicPage]
  116. #[UseSession]
  117. final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
  118. // Already authenticated
  119. if ($this->isAuthenticated()) {
  120. return $this->getRedirect();
  121. }
  122. // Is user requesting a temporary password?
  123. if ($passwordRequest == '') {
  124. if ($this->validateIdentity($identityToken)) {
  125. $this->generatePassword();
  126. $response = $this->showIdentificationResult(true);
  127. return $response;
  128. } else {
  129. $response = $this->showIdentificationResult(false);
  130. $response->throttle();
  131. return $response;
  132. }
  133. }
  134. if (!$this->verifyPassword($password)) {
  135. $this->authFailed();
  136. $response = $this->showAuthFailed();
  137. $response->throttle();
  138. return $response;
  139. }
  140. $this->session->regenerateId(true, true);
  141. $response = $this->getRedirect();
  142. $this->session->set('public_link_authenticated_token', $this->getToken());
  143. $this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash());
  144. $this->authSucceeded();
  145. return $response;
  146. }
  147. /**
  148. * Default landing page
  149. *
  150. * @since 14.0.0
  151. */
  152. abstract public function showShare(): TemplateResponse;
  153. /**
  154. * @since 14.0.0
  155. */
  156. final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
  157. return new RedirectResponse(
  158. $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
  159. );
  160. }
  161. /**
  162. * @since 14.0.0
  163. */
  164. private function getRoute(string $function): string {
  165. $app = strtolower($this->appName);
  166. $class = (new \ReflectionClass($this))->getShortName();
  167. if (str_ends_with($class, 'Controller')) {
  168. $class = substr($class, 0, -10);
  169. }
  170. return $app .'.'. $class .'.'. $function;
  171. }
  172. /**
  173. * @since 14.0.0
  174. */
  175. private function getRedirect(): RedirectResponse {
  176. //Get all the stored redirect parameters:
  177. $params = $this->session->get('public_link_authenticate_redirect');
  178. $route = $this->getRoute('showShare');
  179. if ($params === null) {
  180. $params = [
  181. 'token' => $this->getToken(),
  182. ];
  183. } else {
  184. $params = json_decode($params, true);
  185. if (isset($params['_route'])) {
  186. $route = $params['_route'];
  187. unset($params['_route']);
  188. }
  189. // If the token doesn't match the rest of the arguments can't be trusted either
  190. if (isset($params['token']) && $params['token'] !== $this->getToken()) {
  191. $params = [
  192. 'token' => $this->getToken(),
  193. ];
  194. }
  195. // We need a token
  196. if (!isset($params['token'])) {
  197. $params = [
  198. 'token' => $this->getToken(),
  199. ];
  200. }
  201. }
  202. return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
  203. }
  204. }