AuthPublicShareController.php 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
  5. *
  6. * @author Joas Schilling <coding@schilljs.com>
  7. * @author Roeland Jago Douma <roeland@famdouma.nl>
  8. * @author Tim Obert <tobert@w-commerce.de>
  9. * @author TimObert <tobert@w-commerce.de>
  10. *
  11. * @license GNU AGPL version 3 or any later version
  12. *
  13. * This program is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License as
  15. * published by the Free Software Foundation, either version 3 of the
  16. * License, or (at your option) any later version.
  17. *
  18. * This program is distributed in the hope that it will be useful,
  19. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. * GNU Affero General Public License for more details.
  22. *
  23. * You should have received a copy of the GNU Affero General Public License
  24. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  25. *
  26. */
  27. namespace OCP\AppFramework;
  28. use OCP\AppFramework\Http\Attribute\BruteForceProtection;
  29. use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
  30. use OCP\AppFramework\Http\Attribute\PublicPage;
  31. use OCP\AppFramework\Http\Attribute\UseSession;
  32. use OCP\AppFramework\Http\RedirectResponse;
  33. use OCP\AppFramework\Http\TemplateResponse;
  34. use OCP\IRequest;
  35. use OCP\ISession;
  36. use OCP\IURLGenerator;
  37. /**
  38. * Base controller for interactive public shares
  39. *
  40. * It will verify if the user is properly authenticated to the share. If not the
  41. * user will be redirected to an authentication page.
  42. *
  43. * Use this for a controller that is to be called directly by a user. So the
  44. * normal public share page for files/calendars etc.
  45. *
  46. * @since 14.0.0
  47. */
  48. abstract class AuthPublicShareController extends PublicShareController {
  49. /** @var IURLGenerator */
  50. protected $urlGenerator;
  51. /**
  52. * @since 14.0.0
  53. */
  54. public function __construct(string $appName,
  55. IRequest $request,
  56. ISession $session,
  57. IURLGenerator $urlGenerator) {
  58. parent::__construct($appName, $request, $session);
  59. $this->urlGenerator = $urlGenerator;
  60. }
  61. /**
  62. * @PublicPage
  63. * @NoCSRFRequired
  64. *
  65. * Show the authentication page
  66. * The form has to submit to the authenticate method route
  67. *
  68. * @since 14.0.0
  69. */
  70. #[NoCSRFRequired]
  71. #[PublicPage]
  72. public function showAuthenticate(): TemplateResponse {
  73. return new TemplateResponse('core', 'publicshareauth', [], 'guest');
  74. }
  75. /**
  76. * The template to show when authentication failed
  77. *
  78. * @since 14.0.0
  79. */
  80. protected function showAuthFailed(): TemplateResponse {
  81. return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
  82. }
  83. /**
  84. * The template to show after user identification
  85. *
  86. * @since 24.0.0
  87. */
  88. protected function showIdentificationResult(bool $success): TemplateResponse {
  89. return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
  90. }
  91. /**
  92. * Validates that the provided identity is allowed to receive a temporary password
  93. *
  94. * @since 24.0.0
  95. */
  96. protected function validateIdentity(?string $identityToken = null): bool {
  97. return false;
  98. }
  99. /**
  100. * Generates a password
  101. *
  102. * @since 24.0.0
  103. */
  104. protected function generatePassword(): void {
  105. }
  106. /**
  107. * Verify the password
  108. *
  109. * @since 24.0.0
  110. */
  111. protected function verifyPassword(string $password): bool {
  112. return false;
  113. }
  114. /**
  115. * Function called after failed authentication
  116. *
  117. * You can use this to do some logging for example
  118. *
  119. * @since 14.0.0
  120. */
  121. protected function authFailed() {
  122. }
  123. /**
  124. * Function called after successful authentication
  125. *
  126. * You can use this to do some logging for example
  127. *
  128. * @since 14.0.0
  129. */
  130. protected function authSucceeded() {
  131. }
  132. /**
  133. * @UseSession
  134. * @PublicPage
  135. * @BruteForceProtection(action=publicLinkAuth)
  136. *
  137. * Authenticate the share
  138. *
  139. * @since 14.0.0
  140. */
  141. #[BruteForceProtection(action: 'publicLinkAuth')]
  142. #[PublicPage]
  143. #[UseSession]
  144. final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
  145. // Already authenticated
  146. if ($this->isAuthenticated()) {
  147. return $this->getRedirect();
  148. }
  149. // Is user requesting a temporary password?
  150. if ($passwordRequest == '') {
  151. if ($this->validateIdentity($identityToken)) {
  152. $this->generatePassword();
  153. $response = $this->showIdentificationResult(true);
  154. return $response;
  155. } else {
  156. $response = $this->showIdentificationResult(false);
  157. $response->throttle();
  158. return $response;
  159. }
  160. }
  161. if (!$this->verifyPassword($password)) {
  162. $this->authFailed();
  163. $response = $this->showAuthFailed();
  164. $response->throttle();
  165. return $response;
  166. }
  167. $this->session->regenerateId(true, true);
  168. $response = $this->getRedirect();
  169. $this->session->set('public_link_authenticated_token', $this->getToken());
  170. $this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash());
  171. $this->authSucceeded();
  172. return $response;
  173. }
  174. /**
  175. * Default landing page
  176. *
  177. * @since 14.0.0
  178. */
  179. abstract public function showShare(): TemplateResponse;
  180. /**
  181. * @since 14.0.0
  182. */
  183. final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
  184. return new RedirectResponse(
  185. $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
  186. );
  187. }
  188. /**
  189. * @since 14.0.0
  190. */
  191. private function getRoute(string $function): string {
  192. $app = strtolower($this->appName);
  193. $class = (new \ReflectionClass($this))->getShortName();
  194. if (substr($class, -10) === 'Controller') {
  195. $class = substr($class, 0, -10);
  196. }
  197. return $app .'.'. $class .'.'. $function;
  198. }
  199. /**
  200. * @since 14.0.0
  201. */
  202. private function getRedirect(): RedirectResponse {
  203. //Get all the stored redirect parameters:
  204. $params = $this->session->get('public_link_authenticate_redirect');
  205. $route = $this->getRoute('showShare');
  206. if ($params === null) {
  207. $params = [
  208. 'token' => $this->getToken(),
  209. ];
  210. } else {
  211. $params = json_decode($params, true);
  212. if (isset($params['_route'])) {
  213. $route = $params['_route'];
  214. unset($params['_route']);
  215. }
  216. // If the token doesn't match the rest of the arguments can't be trusted either
  217. if (isset($params['token']) && $params['token'] !== $this->getToken()) {
  218. $params = [
  219. 'token' => $this->getToken(),
  220. ];
  221. }
  222. // We need a token
  223. if (!isset($params['token'])) {
  224. $params = [
  225. 'token' => $this->getToken(),
  226. ];
  227. }
  228. }
  229. return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
  230. }
  231. }