1
0

AuthPublicShareController.php 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace OCP\AppFramework;
  8. use OCP\AppFramework\Http\Attribute\BruteForceProtection;
  9. use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
  10. use OCP\AppFramework\Http\Attribute\PublicPage;
  11. use OCP\AppFramework\Http\Attribute\UseSession;
  12. use OCP\AppFramework\Http\RedirectResponse;
  13. use OCP\AppFramework\Http\TemplateResponse;
  14. use OCP\IRequest;
  15. use OCP\ISession;
  16. use OCP\IURLGenerator;
  17. /**
  18. * Base controller for interactive public shares
  19. *
  20. * It will verify if the user is properly authenticated to the share. If not the
  21. * user will be redirected to an authentication page.
  22. *
  23. * Use this for a controller that is to be called directly by a user. So the
  24. * normal public share page for files/calendars etc.
  25. *
  26. * @since 14.0.0
  27. */
  28. abstract class AuthPublicShareController extends PublicShareController {
  29. /** @var IURLGenerator */
  30. protected $urlGenerator;
  31. /**
  32. * @since 14.0.0
  33. */
  34. public function __construct(string $appName,
  35. IRequest $request,
  36. ISession $session,
  37. IURLGenerator $urlGenerator) {
  38. parent::__construct($appName, $request, $session);
  39. $this->urlGenerator = $urlGenerator;
  40. }
  41. /**
  42. * @PublicPage
  43. * @NoCSRFRequired
  44. *
  45. * Show the authentication page
  46. * The form has to submit to the authenticate method route
  47. *
  48. * @since 14.0.0
  49. */
  50. #[NoCSRFRequired]
  51. #[PublicPage]
  52. public function showAuthenticate(): TemplateResponse {
  53. return new TemplateResponse('core', 'publicshareauth', [], 'guest');
  54. }
  55. /**
  56. * The template to show when authentication failed
  57. *
  58. * @since 14.0.0
  59. */
  60. protected function showAuthFailed(): TemplateResponse {
  61. return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
  62. }
  63. /**
  64. * The template to show after user identification
  65. *
  66. * @since 24.0.0
  67. */
  68. protected function showIdentificationResult(bool $success): TemplateResponse {
  69. return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
  70. }
  71. /**
  72. * Validates that the provided identity is allowed to receive a temporary password
  73. *
  74. * @since 24.0.0
  75. */
  76. protected function validateIdentity(?string $identityToken = null): bool {
  77. return false;
  78. }
  79. /**
  80. * Generates a password
  81. *
  82. * @since 24.0.0
  83. */
  84. protected function generatePassword(): void {
  85. }
  86. /**
  87. * Verify the password
  88. *
  89. * @since 24.0.0
  90. */
  91. protected function verifyPassword(string $password): bool {
  92. return false;
  93. }
  94. /**
  95. * Function called after failed authentication
  96. *
  97. * You can use this to do some logging for example
  98. *
  99. * @since 14.0.0
  100. */
  101. protected function authFailed() {
  102. }
  103. /**
  104. * Function called after successful authentication
  105. *
  106. * You can use this to do some logging for example
  107. *
  108. * @since 14.0.0
  109. */
  110. protected function authSucceeded() {
  111. }
  112. /**
  113. * @UseSession
  114. * @PublicPage
  115. * @BruteForceProtection(action=publicLinkAuth)
  116. *
  117. * Authenticate the share
  118. *
  119. * @since 14.0.0
  120. */
  121. #[BruteForceProtection(action: 'publicLinkAuth')]
  122. #[PublicPage]
  123. #[UseSession]
  124. final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
  125. // Already authenticated
  126. if ($this->isAuthenticated()) {
  127. return $this->getRedirect();
  128. }
  129. // Is user requesting a temporary password?
  130. if ($passwordRequest == '') {
  131. if ($this->validateIdentity($identityToken)) {
  132. $this->generatePassword();
  133. $response = $this->showIdentificationResult(true);
  134. return $response;
  135. } else {
  136. $response = $this->showIdentificationResult(false);
  137. $response->throttle();
  138. return $response;
  139. }
  140. }
  141. if (!$this->verifyPassword($password)) {
  142. $this->authFailed();
  143. $response = $this->showAuthFailed();
  144. $response->throttle();
  145. return $response;
  146. }
  147. $this->session->regenerateId(true, true);
  148. $response = $this->getRedirect();
  149. $this->session->set('public_link_authenticated_token', $this->getToken());
  150. $this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash());
  151. $this->authSucceeded();
  152. return $response;
  153. }
  154. /**
  155. * Default landing page
  156. *
  157. * @since 14.0.0
  158. */
  159. abstract public function showShare(): TemplateResponse;
  160. /**
  161. * @since 14.0.0
  162. */
  163. final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
  164. return new RedirectResponse(
  165. $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
  166. );
  167. }
  168. /**
  169. * @since 14.0.0
  170. */
  171. private function getRoute(string $function): string {
  172. $app = strtolower($this->appName);
  173. $class = (new \ReflectionClass($this))->getShortName();
  174. if (substr($class, -10) === 'Controller') {
  175. $class = substr($class, 0, -10);
  176. }
  177. return $app .'.'. $class .'.'. $function;
  178. }
  179. /**
  180. * @since 14.0.0
  181. */
  182. private function getRedirect(): RedirectResponse {
  183. //Get all the stored redirect parameters:
  184. $params = $this->session->get('public_link_authenticate_redirect');
  185. $route = $this->getRoute('showShare');
  186. if ($params === null) {
  187. $params = [
  188. 'token' => $this->getToken(),
  189. ];
  190. } else {
  191. $params = json_decode($params, true);
  192. if (isset($params['_route'])) {
  193. $route = $params['_route'];
  194. unset($params['_route']);
  195. }
  196. // If the token doesn't match the rest of the arguments can't be trusted either
  197. if (isset($params['token']) && $params['token'] !== $this->getToken()) {
  198. $params = [
  199. 'token' => $this->getToken(),
  200. ];
  201. }
  202. // We need a token
  203. if (!isset($params['token'])) {
  204. $params = [
  205. 'token' => $this->getToken(),
  206. ];
  207. }
  208. }
  209. return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
  210. }
  211. }