1
0

OpenLocalEditorController.php 3.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace OCA\Files\Controller;
  8. use OCA\Files\Db\OpenLocalEditor;
  9. use OCA\Files\Db\OpenLocalEditorMapper;
  10. use OCP\AppFramework\Db\DoesNotExistException;
  11. use OCP\AppFramework\Http;
  12. use OCP\AppFramework\Http\Attribute\BruteForceProtection;
  13. use OCP\AppFramework\Http\Attribute\NoAdminRequired;
  14. use OCP\AppFramework\Http\Attribute\UserRateLimit;
  15. use OCP\AppFramework\Http\DataResponse;
  16. use OCP\AppFramework\OCSController;
  17. use OCP\AppFramework\Utility\ITimeFactory;
  18. use OCP\DB\Exception;
  19. use OCP\IRequest;
  20. use OCP\Security\ISecureRandom;
  21. use Psr\Log\LoggerInterface;
  22. class OpenLocalEditorController extends OCSController {
  23. public const TOKEN_LENGTH = 128;
  24. public const TOKEN_DURATION = 600; // 10 Minutes
  25. public const TOKEN_RETRIES = 50;
  26. public function __construct(
  27. string $appName,
  28. IRequest $request,
  29. protected ITimeFactory $timeFactory,
  30. protected OpenLocalEditorMapper $mapper,
  31. protected ISecureRandom $secureRandom,
  32. protected LoggerInterface $logger,
  33. protected ?string $userId,
  34. ) {
  35. parent::__construct($appName, $request);
  36. }
  37. /**
  38. * Create a local editor
  39. *
  40. * @param string $path Path of the file
  41. *
  42. * @return DataResponse<Http::STATUS_OK, array{userId: ?string, pathHash: string, expirationTime: int, token: string}, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, list<empty>, array{}>
  43. *
  44. * 200: Local editor returned
  45. */
  46. #[NoAdminRequired]
  47. #[UserRateLimit(limit: 10, period: 120)]
  48. public function create(string $path): DataResponse {
  49. $pathHash = sha1($path);
  50. $entity = new OpenLocalEditor();
  51. $entity->setUserId($this->userId);
  52. $entity->setPathHash($pathHash);
  53. $entity->setExpirationTime($this->timeFactory->getTime() + self::TOKEN_DURATION); // Expire in 10 minutes
  54. for ($i = 1; $i <= self::TOKEN_RETRIES; $i++) {
  55. $token = $this->secureRandom->generate(self::TOKEN_LENGTH, ISecureRandom::CHAR_ALPHANUMERIC);
  56. $entity->setToken($token);
  57. try {
  58. $this->mapper->insert($entity);
  59. return new DataResponse([
  60. 'userId' => $this->userId,
  61. 'pathHash' => $pathHash,
  62. 'expirationTime' => $entity->getExpirationTime(),
  63. 'token' => $entity->getToken(),
  64. ]);
  65. } catch (Exception $e) {
  66. if ($e->getCode() !== Exception::REASON_UNIQUE_CONSTRAINT_VIOLATION) {
  67. // Only retry on unique constraint violation
  68. throw $e;
  69. }
  70. }
  71. }
  72. $this->logger->error('Giving up after ' . self::TOKEN_RETRIES . ' retries to generate a unique local editor token for path hash: ' . $pathHash);
  73. return new DataResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
  74. }
  75. /**
  76. * Validate a local editor
  77. *
  78. * @param string $path Path of the file
  79. * @param string $token Token of the local editor
  80. *
  81. * @return DataResponse<Http::STATUS_OK, array{userId: string, pathHash: string, expirationTime: int, token: string}, array{}>|DataResponse<Http::STATUS_NOT_FOUND, list<empty>, array{}>
  82. *
  83. * 200: Local editor validated successfully
  84. * 404: Local editor not found
  85. */
  86. #[NoAdminRequired]
  87. #[BruteForceProtection(action: 'openLocalEditor')]
  88. public function validate(string $path, string $token): DataResponse {
  89. $pathHash = sha1($path);
  90. try {
  91. $entity = $this->mapper->verifyToken($this->userId, $pathHash, $token);
  92. } catch (DoesNotExistException $e) {
  93. $response = new DataResponse([], Http::STATUS_NOT_FOUND);
  94. $response->throttle(['userId' => $this->userId, 'pathHash' => $pathHash]);
  95. return $response;
  96. }
  97. $this->mapper->delete($entity);
  98. if ($entity->getExpirationTime() <= $this->timeFactory->getTime()) {
  99. $response = new DataResponse([], Http::STATUS_NOT_FOUND);
  100. $response->throttle(['userId' => $this->userId, 'pathHash' => $pathHash]);
  101. return $response;
  102. }
  103. return new DataResponse([
  104. 'userId' => $this->userId,
  105. 'pathHash' => $pathHash,
  106. 'expirationTime' => $entity->getExpirationTime(),
  107. 'token' => $entity->getToken(),
  108. ]);
  109. }
  110. }