UsersController.php 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  6. * SPDX-License-Identifier: AGPL-3.0-only
  7. */
  8. namespace OCA\Settings\Controller;
  9. use InvalidArgumentException;
  10. use OC\AppFramework\Http;
  11. use OC\Encryption\Exceptions\ModuleDoesNotExistsException;
  12. use OC\ForbiddenException;
  13. use OC\KnownUser\KnownUserService;
  14. use OC\Security\IdentityProof\Manager;
  15. use OC\User\Manager as UserManager;
  16. use OCA\Settings\BackgroundJobs\VerifyUserData;
  17. use OCA\Settings\Events\BeforeTemplateRenderedEvent;
  18. use OCA\User_LDAP\User_Proxy;
  19. use OCP\Accounts\IAccount;
  20. use OCP\Accounts\IAccountManager;
  21. use OCP\Accounts\PropertyDoesNotExistException;
  22. use OCP\App\IAppManager;
  23. use OCP\AppFramework\Controller;
  24. use OCP\AppFramework\Http\Attribute\OpenAPI;
  25. use OCP\AppFramework\Http\DataResponse;
  26. use OCP\AppFramework\Http\JSONResponse;
  27. use OCP\AppFramework\Http\TemplateResponse;
  28. use OCP\AppFramework\Services\IInitialState;
  29. use OCP\BackgroundJob\IJobList;
  30. use OCP\Encryption\IManager;
  31. use OCP\EventDispatcher\IEventDispatcher;
  32. use OCP\IConfig;
  33. use OCP\IGroupManager;
  34. use OCP\IL10N;
  35. use OCP\IRequest;
  36. use OCP\IUser;
  37. use OCP\IUserSession;
  38. use OCP\L10N\IFactory;
  39. use OCP\Mail\IMailer;
  40. use function in_array;
  41. #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
  42. class UsersController extends Controller {
  43. public function __construct(
  44. string $appName,
  45. IRequest $request,
  46. private UserManager $userManager,
  47. private IGroupManager $groupManager,
  48. private IUserSession $userSession,
  49. private IConfig $config,
  50. private IL10N $l10n,
  51. private IMailer $mailer,
  52. private IFactory $l10nFactory,
  53. private IAppManager $appManager,
  54. private IAccountManager $accountManager,
  55. private Manager $keyManager,
  56. private IJobList $jobList,
  57. private IManager $encryptionManager,
  58. private KnownUserService $knownUserService,
  59. private IEventDispatcher $dispatcher,
  60. private IInitialState $initialState,
  61. ) {
  62. parent::__construct($appName, $request);
  63. }
  64. /**
  65. * @NoCSRFRequired
  66. * @NoAdminRequired
  67. *
  68. * Display users list template
  69. *
  70. * @return TemplateResponse
  71. */
  72. public function usersListByGroup(): TemplateResponse {
  73. return $this->usersList();
  74. }
  75. /**
  76. * @NoCSRFRequired
  77. * @NoAdminRequired
  78. *
  79. * Display users list template
  80. *
  81. * @return TemplateResponse
  82. */
  83. public function usersList(): TemplateResponse {
  84. $user = $this->userSession->getUser();
  85. $uid = $user->getUID();
  86. $isAdmin = $this->groupManager->isAdmin($uid);
  87. \OC::$server->getNavigationManager()->setActiveEntry('core_users');
  88. /* SORT OPTION: SORT_USERCOUNT or SORT_GROUPNAME */
  89. $sortGroupsBy = \OC\Group\MetaData::SORT_USERCOUNT;
  90. $isLDAPUsed = false;
  91. if ($this->config->getSystemValueBool('sort_groups_by_name', false)) {
  92. $sortGroupsBy = \OC\Group\MetaData::SORT_GROUPNAME;
  93. } else {
  94. if ($this->appManager->isEnabledForUser('user_ldap')) {
  95. $isLDAPUsed =
  96. $this->groupManager->isBackendUsed('\OCA\User_LDAP\Group_Proxy');
  97. if ($isLDAPUsed) {
  98. // LDAP user count can be slow, so we sort by group name here
  99. $sortGroupsBy = \OC\Group\MetaData::SORT_GROUPNAME;
  100. }
  101. }
  102. }
  103. $canChangePassword = $this->canAdminChangeUserPasswords();
  104. /* GROUPS */
  105. $groupsInfo = new \OC\Group\MetaData(
  106. $uid,
  107. $isAdmin,
  108. $this->groupManager,
  109. $this->userSession
  110. );
  111. $groupsInfo->setSorting($sortGroupsBy);
  112. [$adminGroup, $groups] = $groupsInfo->get();
  113. if (!$isLDAPUsed && $this->appManager->isEnabledForUser('user_ldap')) {
  114. $isLDAPUsed = (bool)array_reduce($this->userManager->getBackends(), function ($ldapFound, $backend) {
  115. return $ldapFound || $backend instanceof User_Proxy;
  116. });
  117. }
  118. $disabledUsers = -1;
  119. $userCount = 0;
  120. if (!$isLDAPUsed) {
  121. if ($isAdmin) {
  122. $disabledUsers = $this->userManager->countDisabledUsers();
  123. $userCount = array_reduce($this->userManager->countUsers(), function ($v, $w) {
  124. return $v + (int)$w;
  125. }, 0);
  126. } else {
  127. // User is subadmin !
  128. // Map group list to names to retrieve the countDisabledUsersOfGroups
  129. $userGroups = $this->groupManager->getUserGroups($user);
  130. $groupsNames = [];
  131. foreach ($groups as $key => $group) {
  132. // $userCount += (int)$group['usercount'];
  133. $groupsNames[] = $group['name'];
  134. // we prevent subadmins from looking up themselves
  135. // so we lower the count of the groups he belongs to
  136. if (array_key_exists($group['id'], $userGroups)) {
  137. $groups[$key]['usercount']--;
  138. $userCount -= 1; // we also lower from one the total count
  139. }
  140. }
  141. $userCount += $this->userManager->countUsersOfGroups($groupsInfo->getGroups());
  142. $disabledUsers = $this->userManager->countDisabledUsersOfGroups($groupsNames);
  143. }
  144. $userCount -= $disabledUsers;
  145. }
  146. $disabledUsersGroup = [
  147. 'id' => 'disabled',
  148. 'name' => 'Disabled accounts',
  149. 'usercount' => $disabledUsers
  150. ];
  151. /* QUOTAS PRESETS */
  152. $quotaPreset = $this->parseQuotaPreset($this->config->getAppValue('files', 'quota_preset', '1 GB, 5 GB, 10 GB'));
  153. $allowUnlimitedQuota = $this->config->getAppValue('files', 'allow_unlimited_quota', '1') === '1';
  154. if (!$allowUnlimitedQuota && count($quotaPreset) > 0) {
  155. $defaultQuota = $this->config->getAppValue('files', 'default_quota', $quotaPreset[0]);
  156. } else {
  157. $defaultQuota = $this->config->getAppValue('files', 'default_quota', 'none');
  158. }
  159. $event = new BeforeTemplateRenderedEvent();
  160. $this->dispatcher->dispatch('OC\Settings\Users::loadAdditionalScripts', $event);
  161. $this->dispatcher->dispatchTyped($event);
  162. /* LANGUAGES */
  163. $languages = $this->l10nFactory->getLanguages();
  164. /** Using LDAP or admins (system config) can enfore sorting by group name, in this case the frontend setting is overwritten */
  165. $forceSortGroupByName = $sortGroupsBy === \OC\Group\MetaData::SORT_GROUPNAME;
  166. /* FINAL DATA */
  167. $serverData = [];
  168. // groups
  169. $serverData['groups'] = array_merge_recursive($adminGroup, [$disabledUsersGroup], $groups);
  170. // Various data
  171. $serverData['isAdmin'] = $isAdmin;
  172. $serverData['sortGroups'] = $forceSortGroupByName
  173. ? \OC\Group\MetaData::SORT_GROUPNAME
  174. : (int)$this->config->getAppValue('core', 'group.sortBy', (string)\OC\Group\MetaData::SORT_USERCOUNT);
  175. $serverData['forceSortGroupByName'] = $forceSortGroupByName;
  176. $serverData['quotaPreset'] = $quotaPreset;
  177. $serverData['allowUnlimitedQuota'] = $allowUnlimitedQuota;
  178. $serverData['userCount'] = $userCount;
  179. $serverData['languages'] = $languages;
  180. $serverData['defaultLanguage'] = $this->config->getSystemValue('default_language', 'en');
  181. $serverData['forceLanguage'] = $this->config->getSystemValue('force_language', false);
  182. // Settings
  183. $serverData['defaultQuota'] = $defaultQuota;
  184. $serverData['canChangePassword'] = $canChangePassword;
  185. $serverData['newUserGenerateUserID'] = $this->config->getAppValue('core', 'newUser.generateUserID', 'no') === 'yes';
  186. $serverData['newUserRequireEmail'] = $this->config->getAppValue('core', 'newUser.requireEmail', 'no') === 'yes';
  187. $serverData['newUserSendEmail'] = $this->config->getAppValue('core', 'newUser.sendEmail', 'yes') === 'yes';
  188. $this->initialState->provideInitialState('usersSettings', $serverData);
  189. \OCP\Util::addStyle('settings', 'settings');
  190. \OCP\Util::addScript('settings', 'vue-settings-apps-users-management');
  191. return new TemplateResponse('settings', 'settings/empty', ['pageTitle' => $this->l10n->t('Settings')]);
  192. }
  193. /**
  194. * @param string $key
  195. * @param string $value
  196. *
  197. * @return JSONResponse
  198. */
  199. public function setPreference(string $key, string $value): JSONResponse {
  200. $allowed = ['newUser.sendEmail', 'group.sortBy'];
  201. if (!in_array($key, $allowed, true)) {
  202. return new JSONResponse([], Http::STATUS_FORBIDDEN);
  203. }
  204. $this->config->setAppValue('core', $key, $value);
  205. return new JSONResponse([]);
  206. }
  207. /**
  208. * Parse the app value for quota_present
  209. *
  210. * @param string $quotaPreset
  211. * @return array
  212. */
  213. protected function parseQuotaPreset(string $quotaPreset): array {
  214. // 1 GB, 5 GB, 10 GB => [1 GB, 5 GB, 10 GB]
  215. $presets = array_filter(array_map('trim', explode(',', $quotaPreset)));
  216. // Drop default and none, Make array indexes numerically
  217. return array_values(array_diff($presets, ['default', 'none']));
  218. }
  219. /**
  220. * check if the admin can change the users password
  221. *
  222. * The admin can change the passwords if:
  223. *
  224. * - no encryption module is loaded and encryption is disabled
  225. * - encryption module is loaded but it doesn't require per user keys
  226. *
  227. * The admin can not change the passwords if:
  228. *
  229. * - an encryption module is loaded and it uses per-user keys
  230. * - encryption is enabled but no encryption modules are loaded
  231. *
  232. * @return bool
  233. */
  234. protected function canAdminChangeUserPasswords(): bool {
  235. $isEncryptionEnabled = $this->encryptionManager->isEnabled();
  236. try {
  237. $noUserSpecificEncryptionKeys = !$this->encryptionManager->getEncryptionModule()->needDetailedAccessList();
  238. $isEncryptionModuleLoaded = true;
  239. } catch (ModuleDoesNotExistsException $e) {
  240. $noUserSpecificEncryptionKeys = true;
  241. $isEncryptionModuleLoaded = false;
  242. }
  243. $canChangePassword = ($isEncryptionModuleLoaded && $noUserSpecificEncryptionKeys)
  244. || (!$isEncryptionModuleLoaded && !$isEncryptionEnabled);
  245. return $canChangePassword;
  246. }
  247. /**
  248. * @NoAdminRequired
  249. * @NoSubAdminRequired
  250. * @PasswordConfirmationRequired
  251. *
  252. * @param string|null $avatarScope
  253. * @param string|null $displayname
  254. * @param string|null $displaynameScope
  255. * @param string|null $phone
  256. * @param string|null $phoneScope
  257. * @param string|null $email
  258. * @param string|null $emailScope
  259. * @param string|null $website
  260. * @param string|null $websiteScope
  261. * @param string|null $address
  262. * @param string|null $addressScope
  263. * @param string|null $twitter
  264. * @param string|null $twitterScope
  265. * @param string|null $fediverse
  266. * @param string|null $fediverseScope
  267. * @param string|null $birthdate
  268. * @param string|null $birthdateScope
  269. *
  270. * @return DataResponse
  271. */
  272. public function setUserSettings(?string $avatarScope = null,
  273. ?string $displayname = null,
  274. ?string $displaynameScope = null,
  275. ?string $phone = null,
  276. ?string $phoneScope = null,
  277. ?string $email = null,
  278. ?string $emailScope = null,
  279. ?string $website = null,
  280. ?string $websiteScope = null,
  281. ?string $address = null,
  282. ?string $addressScope = null,
  283. ?string $twitter = null,
  284. ?string $twitterScope = null,
  285. ?string $fediverse = null,
  286. ?string $fediverseScope = null,
  287. ?string $birthdate = null,
  288. ?string $birthdateScope = null,
  289. ) {
  290. $user = $this->userSession->getUser();
  291. if (!$user instanceof IUser) {
  292. return new DataResponse(
  293. [
  294. 'status' => 'error',
  295. 'data' => [
  296. 'message' => $this->l10n->t('Invalid account')
  297. ]
  298. ],
  299. Http::STATUS_UNAUTHORIZED
  300. );
  301. }
  302. $email = !is_null($email) ? strtolower($email) : $email;
  303. if (!empty($email) && !$this->mailer->validateMailAddress($email)) {
  304. return new DataResponse(
  305. [
  306. 'status' => 'error',
  307. 'data' => [
  308. 'message' => $this->l10n->t('Invalid mail address')
  309. ]
  310. ],
  311. Http::STATUS_UNPROCESSABLE_ENTITY
  312. );
  313. }
  314. $userAccount = $this->accountManager->getAccount($user);
  315. $oldPhoneValue = $userAccount->getProperty(IAccountManager::PROPERTY_PHONE)->getValue();
  316. $updatable = [
  317. IAccountManager::PROPERTY_AVATAR => ['value' => null, 'scope' => $avatarScope],
  318. IAccountManager::PROPERTY_DISPLAYNAME => ['value' => $displayname, 'scope' => $displaynameScope],
  319. IAccountManager::PROPERTY_EMAIL => ['value' => $email, 'scope' => $emailScope],
  320. IAccountManager::PROPERTY_WEBSITE => ['value' => $website, 'scope' => $websiteScope],
  321. IAccountManager::PROPERTY_ADDRESS => ['value' => $address, 'scope' => $addressScope],
  322. IAccountManager::PROPERTY_PHONE => ['value' => $phone, 'scope' => $phoneScope],
  323. IAccountManager::PROPERTY_TWITTER => ['value' => $twitter, 'scope' => $twitterScope],
  324. IAccountManager::PROPERTY_FEDIVERSE => ['value' => $fediverse, 'scope' => $fediverseScope],
  325. IAccountManager::PROPERTY_BIRTHDATE => ['value' => $birthdate, 'scope' => $birthdateScope],
  326. ];
  327. $allowUserToChangeDisplayName = $this->config->getSystemValueBool('allow_user_to_change_display_name', true);
  328. foreach ($updatable as $property => $data) {
  329. if ($allowUserToChangeDisplayName === false
  330. && in_array($property, [IAccountManager::PROPERTY_DISPLAYNAME, IAccountManager::PROPERTY_EMAIL], true)) {
  331. continue;
  332. }
  333. $property = $userAccount->getProperty($property);
  334. if ($data['value'] !== null) {
  335. $property->setValue($data['value']);
  336. }
  337. if ($data['scope'] !== null) {
  338. $property->setScope($data['scope']);
  339. }
  340. }
  341. try {
  342. $this->saveUserSettings($userAccount);
  343. if ($oldPhoneValue !== $userAccount->getProperty(IAccountManager::PROPERTY_PHONE)->getValue()) {
  344. $this->knownUserService->deleteByContactUserId($user->getUID());
  345. }
  346. return new DataResponse(
  347. [
  348. 'status' => 'success',
  349. 'data' => [
  350. 'userId' => $user->getUID(),
  351. 'avatarScope' => $userAccount->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope(),
  352. 'displayname' => $userAccount->getProperty(IAccountManager::PROPERTY_DISPLAYNAME)->getValue(),
  353. 'displaynameScope' => $userAccount->getProperty(IAccountManager::PROPERTY_DISPLAYNAME)->getScope(),
  354. 'phone' => $userAccount->getProperty(IAccountManager::PROPERTY_PHONE)->getValue(),
  355. 'phoneScope' => $userAccount->getProperty(IAccountManager::PROPERTY_PHONE)->getScope(),
  356. 'email' => $userAccount->getProperty(IAccountManager::PROPERTY_EMAIL)->getValue(),
  357. 'emailScope' => $userAccount->getProperty(IAccountManager::PROPERTY_EMAIL)->getScope(),
  358. 'website' => $userAccount->getProperty(IAccountManager::PROPERTY_WEBSITE)->getValue(),
  359. 'websiteScope' => $userAccount->getProperty(IAccountManager::PROPERTY_WEBSITE)->getScope(),
  360. 'address' => $userAccount->getProperty(IAccountManager::PROPERTY_ADDRESS)->getValue(),
  361. 'addressScope' => $userAccount->getProperty(IAccountManager::PROPERTY_ADDRESS)->getScope(),
  362. 'twitter' => $userAccount->getProperty(IAccountManager::PROPERTY_TWITTER)->getValue(),
  363. 'twitterScope' => $userAccount->getProperty(IAccountManager::PROPERTY_TWITTER)->getScope(),
  364. 'fediverse' => $userAccount->getProperty(IAccountManager::PROPERTY_FEDIVERSE)->getValue(),
  365. 'fediverseScope' => $userAccount->getProperty(IAccountManager::PROPERTY_FEDIVERSE)->getScope(),
  366. 'birthdate' => $userAccount->getProperty(IAccountManager::PROPERTY_BIRTHDATE)->getValue(),
  367. 'birthdateScope' => $userAccount->getProperty(IAccountManager::PROPERTY_BIRTHDATE)->getScope(),
  368. 'message' => $this->l10n->t('Settings saved'),
  369. ],
  370. ],
  371. Http::STATUS_OK
  372. );
  373. } catch (ForbiddenException | InvalidArgumentException | PropertyDoesNotExistException $e) {
  374. return new DataResponse([
  375. 'status' => 'error',
  376. 'data' => [
  377. 'message' => $e->getMessage()
  378. ],
  379. ]);
  380. }
  381. }
  382. /**
  383. * update account manager with new user data
  384. *
  385. * @throws ForbiddenException
  386. * @throws InvalidArgumentException
  387. */
  388. protected function saveUserSettings(IAccount $userAccount): void {
  389. // keep the user back-end up-to-date with the latest display name and email
  390. // address
  391. $oldDisplayName = $userAccount->getUser()->getDisplayName();
  392. if ($oldDisplayName !== $userAccount->getProperty(IAccountManager::PROPERTY_DISPLAYNAME)->getValue()) {
  393. $result = $userAccount->getUser()->setDisplayName($userAccount->getProperty(IAccountManager::PROPERTY_DISPLAYNAME)->getValue());
  394. if ($result === false) {
  395. throw new ForbiddenException($this->l10n->t('Unable to change full name'));
  396. }
  397. }
  398. $oldEmailAddress = $userAccount->getUser()->getSystemEMailAddress();
  399. $oldEmailAddress = strtolower((string)$oldEmailAddress);
  400. if ($oldEmailAddress !== strtolower($userAccount->getProperty(IAccountManager::PROPERTY_EMAIL)->getValue())) {
  401. // this is the only permission a backend provides and is also used
  402. // for the permission of setting a email address
  403. if (!$userAccount->getUser()->canChangeDisplayName()) {
  404. throw new ForbiddenException($this->l10n->t('Unable to change email address'));
  405. }
  406. $userAccount->getUser()->setSystemEMailAddress($userAccount->getProperty(IAccountManager::PROPERTY_EMAIL)->getValue());
  407. }
  408. try {
  409. $this->accountManager->updateAccount($userAccount);
  410. } catch (InvalidArgumentException $e) {
  411. if ($e->getMessage() === IAccountManager::PROPERTY_PHONE) {
  412. throw new InvalidArgumentException($this->l10n->t('Unable to set invalid phone number'));
  413. }
  414. if ($e->getMessage() === IAccountManager::PROPERTY_WEBSITE) {
  415. throw new InvalidArgumentException($this->l10n->t('Unable to set invalid website'));
  416. }
  417. throw new InvalidArgumentException($this->l10n->t('Some account data was invalid'));
  418. }
  419. }
  420. /**
  421. * Set the mail address of a user
  422. *
  423. * @NoAdminRequired
  424. * @NoSubAdminRequired
  425. * @PasswordConfirmationRequired
  426. *
  427. * @param string $account
  428. * @param bool $onlyVerificationCode only return verification code without updating the data
  429. * @return DataResponse
  430. */
  431. public function getVerificationCode(string $account, bool $onlyVerificationCode): DataResponse {
  432. $user = $this->userSession->getUser();
  433. if ($user === null) {
  434. return new DataResponse([], Http::STATUS_BAD_REQUEST);
  435. }
  436. $userAccount = $this->accountManager->getAccount($user);
  437. $cloudId = $user->getCloudId();
  438. $message = 'Use my Federated Cloud ID to share with me: ' . $cloudId;
  439. $signature = $this->signMessage($user, $message);
  440. $code = $message . ' ' . $signature;
  441. $codeMd5 = $message . ' ' . md5($signature);
  442. switch ($account) {
  443. case 'verify-twitter':
  444. $msg = $this->l10n->t('In order to verify your Twitter account, post the following tweet on Twitter (please make sure to post it without any line breaks):');
  445. $code = $codeMd5;
  446. $type = IAccountManager::PROPERTY_TWITTER;
  447. break;
  448. case 'verify-website':
  449. $msg = $this->l10n->t('In order to verify your Website, store the following content in your web-root at \'.well-known/CloudIdVerificationCode.txt\' (please make sure that the complete text is in one line):');
  450. $type = IAccountManager::PROPERTY_WEBSITE;
  451. break;
  452. default:
  453. return new DataResponse([], Http::STATUS_BAD_REQUEST);
  454. }
  455. $userProperty = $userAccount->getProperty($type);
  456. $userProperty
  457. ->setVerified(IAccountManager::VERIFICATION_IN_PROGRESS)
  458. ->setVerificationData($signature);
  459. if ($onlyVerificationCode === false) {
  460. $this->accountManager->updateAccount($userAccount);
  461. $this->jobList->add(VerifyUserData::class,
  462. [
  463. 'verificationCode' => $code,
  464. 'data' => $userProperty->getValue(),
  465. 'type' => $type,
  466. 'uid' => $user->getUID(),
  467. 'try' => 0,
  468. 'lastRun' => $this->getCurrentTime()
  469. ]
  470. );
  471. }
  472. return new DataResponse(['msg' => $msg, 'code' => $code]);
  473. }
  474. /**
  475. * get current timestamp
  476. *
  477. * @return int
  478. */
  479. protected function getCurrentTime(): int {
  480. return time();
  481. }
  482. /**
  483. * sign message with users private key
  484. *
  485. * @param IUser $user
  486. * @param string $message
  487. *
  488. * @return string base64 encoded signature
  489. */
  490. protected function signMessage(IUser $user, string $message): string {
  491. $privateKey = $this->keyManager->getKey($user)->getPrivate();
  492. openssl_sign(json_encode($message), $signature, $privateKey, OPENSSL_ALGO_SHA512);
  493. return base64_encode($signature);
  494. }
  495. }