AuthPublicShareController.php 6.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
  5. *
  6. * @author Joas Schilling <coding@schilljs.com>
  7. * @author Roeland Jago Douma <roeland@famdouma.nl>
  8. * @author Tim Obert <tobert@w-commerce.de>
  9. * @author TimObert <tobert@w-commerce.de>
  10. *
  11. * @license GNU AGPL version 3 or any later version
  12. *
  13. * This program is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License as
  15. * published by the Free Software Foundation, either version 3 of the
  16. * License, or (at your option) any later version.
  17. *
  18. * This program is distributed in the hope that it will be useful,
  19. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. * GNU Affero General Public License for more details.
  22. *
  23. * You should have received a copy of the GNU Affero General Public License
  24. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  25. *
  26. */
  27. namespace OCP\AppFramework;
  28. use OCP\AppFramework\Http\RedirectResponse;
  29. use OCP\AppFramework\Http\TemplateResponse;
  30. use OCP\IRequest;
  31. use OCP\ISession;
  32. use OCP\IURLGenerator;
  33. /**
  34. * Base controller for interactive public shares
  35. *
  36. * It will verify if the user is properly authenticated to the share. If not the
  37. * user will be redirected to an authentication page.
  38. *
  39. * Use this for a controller that is to be called directly by a user. So the
  40. * normal public share page for files/calendars etc.
  41. *
  42. * @since 14.0.0
  43. */
  44. abstract class AuthPublicShareController extends PublicShareController {
  45. /** @var IURLGenerator */
  46. protected $urlGenerator;
  47. /**
  48. * @since 14.0.0
  49. */
  50. public function __construct(string $appName,
  51. IRequest $request,
  52. ISession $session,
  53. IURLGenerator $urlGenerator) {
  54. parent::__construct($appName, $request, $session);
  55. $this->urlGenerator = $urlGenerator;
  56. }
  57. /**
  58. * @PublicPage
  59. * @NoCSRFRequired
  60. *
  61. * Show the authentication page
  62. * The form has to submit to the authenticate method route
  63. *
  64. * @since 14.0.0
  65. */
  66. public function showAuthenticate(): TemplateResponse {
  67. return new TemplateResponse('core', 'publicshareauth', [], 'guest');
  68. }
  69. /**
  70. * The template to show when authentication failed
  71. *
  72. * @since 14.0.0
  73. */
  74. protected function showAuthFailed(): TemplateResponse {
  75. return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
  76. }
  77. /**
  78. * The template to show after user identification
  79. *
  80. * @since 24.0.0
  81. */
  82. protected function showIdentificationResult(bool $success): TemplateResponse {
  83. return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
  84. }
  85. /**
  86. * Validates that the provided identity is allowed to receive a temporary password
  87. *
  88. * @since 24.0.0
  89. */
  90. protected function validateIdentity(?string $identityToken = null): bool {
  91. return false;
  92. }
  93. /**
  94. * Generates a password
  95. *
  96. * @since 24.0.0
  97. */
  98. protected function generatePassword(): void {
  99. }
  100. /**
  101. * Verify the password
  102. *
  103. * @since 24.0.0
  104. */
  105. protected function verifyPassword(string $password): bool {
  106. return false;
  107. }
  108. /**
  109. * Function called after failed authentication
  110. *
  111. * You can use this to do some logging for example
  112. *
  113. * @since 14.0.0
  114. */
  115. protected function authFailed() {
  116. }
  117. /**
  118. * Function called after successfull authentication
  119. *
  120. * You can use this to do some logging for example
  121. *
  122. * @since 14.0.0
  123. */
  124. protected function authSucceeded() {
  125. }
  126. /**
  127. * @UseSession
  128. * @PublicPage
  129. * @BruteForceProtection(action=publicLinkAuth)
  130. *
  131. * Authenticate the share
  132. *
  133. * @since 14.0.0
  134. */
  135. final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
  136. // Already authenticated
  137. if ($this->isAuthenticated()) {
  138. return $this->getRedirect();
  139. }
  140. // Is user requesting a temporary password?
  141. if ($passwordRequest == '') {
  142. if ($this->validateIdentity($identityToken)) {
  143. $this->generatePassword();
  144. $response = $this->showIdentificationResult(true);
  145. return $response;
  146. } else {
  147. $response = $this->showIdentificationResult(false);
  148. $response->throttle();
  149. return $response;
  150. }
  151. }
  152. if (!$this->verifyPassword($password)) {
  153. $this->authFailed();
  154. $response = $this->showAuthFailed();
  155. $response->throttle();
  156. return $response;
  157. }
  158. $this->session->regenerateId(true, true);
  159. $response = $this->getRedirect();
  160. $this->session->set('public_link_authenticated_token', $this->getToken());
  161. $this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash());
  162. $this->authSucceeded();
  163. return $response;
  164. }
  165. /**
  166. * Default landing page
  167. *
  168. * @since 14.0.0
  169. */
  170. abstract public function showShare(): TemplateResponse;
  171. /**
  172. * @since 14.0.0
  173. */
  174. final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
  175. return new RedirectResponse(
  176. $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
  177. );
  178. }
  179. /**
  180. * @since 14.0.0
  181. */
  182. private function getRoute(string $function): string {
  183. $app = strtolower($this->appName);
  184. $class = (new \ReflectionClass($this))->getShortName();
  185. if (substr($class, -10) === 'Controller') {
  186. $class = substr($class, 0, -10);
  187. }
  188. return $app .'.'. $class .'.'. $function;
  189. }
  190. /**
  191. * @since 14.0.0
  192. */
  193. private function getRedirect(): RedirectResponse {
  194. //Get all the stored redirect parameters:
  195. $params = $this->session->get('public_link_authenticate_redirect');
  196. $route = $this->getRoute('showShare');
  197. if ($params === null) {
  198. $params = [
  199. 'token' => $this->getToken(),
  200. ];
  201. } else {
  202. $params = json_decode($params, true);
  203. if (isset($params['_route'])) {
  204. $route = $params['_route'];
  205. unset($params['_route']);
  206. }
  207. // If the token doesn't match the rest of the arguments can't be trusted either
  208. if (isset($params['token']) && $params['token'] !== $this->getToken()) {
  209. $params = [
  210. 'token' => $this->getToken(),
  211. ];
  212. }
  213. // We need a token
  214. if (!isset($params['token'])) {
  215. $params = [
  216. 'token' => $this->getToken(),
  217. ];
  218. }
  219. }
  220. return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
  221. }
  222. }