nextcloud / server

lib/public/AppFramework/AuthPublicShareController.php

Indentation +201 added lines, -201 removed lines

@@ -30,205 +30,205 @@
  * @since 14.0.0
  */
 abstract class AuthPublicShareController extends PublicShareController {
-	/** @var IURLGenerator */
-	protected $urlGenerator;
-
-	/**
-	 * @since 14.0.0
-	 */
-	public function __construct(string $appName,
-		IRequest $request,
-		ISession $session,
-		IURLGenerator $urlGenerator) {
-		parent::__construct($appName, $request, $session);
-
-		$this->urlGenerator = $urlGenerator;
-	}
-
-	/**
-	 * Show the authentication page
-	 * The form has to submit to the authenticate method route
-	 *
-	 * @since 14.0.0
-	 */
-	#[NoCSRFRequired]
-	#[PublicPage]
-	public function showAuthenticate(): TemplateResponse {
-		return new TemplateResponse('core', 'publicshareauth', [], 'guest');
-	}
-
-	/**
-	 * The template to show when authentication failed
-	 *
-	 * @since 14.0.0
-	 */
-	protected function showAuthFailed(): TemplateResponse {
-		return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
-	}
-
-	/**
-	 * The template to show after user identification
-	 *
-	 * @since 24.0.0
-	 */
-	protected function showIdentificationResult(bool $success): TemplateResponse {
-		return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
-	}
-
-	/**
-	 * Validates that the provided identity is allowed to receive a temporary password
-	 *
-	 * @since 24.0.0
-	 */
-	protected function validateIdentity(?string $identityToken = null): bool {
-		return false;
-	}
-
-	/**
-	 * Generates a password
-	 *
-	 * @since 24.0.0
-	 */
-	protected function generatePassword(): void {
-	}
-
-	/**
-	 * Verify the password
-	 *
-	 * @since 24.0.0
-	 */
-	protected function verifyPassword(string $password): bool {
-		return false;
-	}
-
-	/**
-	 * Function called after failed authentication
-	 *
-	 * You can use this to do some logging for example
-	 *
-	 * @since 14.0.0
-	 */
-	protected function authFailed() {
-	}
-
-	/**
-	 * Function called after successful authentication
-	 *
-	 * You can use this to do some logging for example
-	 *
-	 * @since 14.0.0
-	 */
-	protected function authSucceeded() {
-	}
-
-	/**
-	 * Authenticate the share
-	 *
-	 * @since 14.0.0
-	 */
-	#[BruteForceProtection(action: 'publicLinkAuth')]
-	#[PublicPage]
-	#[UseSession]
-	final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
-		// Already authenticated
-		if ($this->isAuthenticated()) {
-			return $this->getRedirect();
-		}
-
-		// Is user requesting a temporary password?
-		if ($passwordRequest == '') {
-			if ($this->validateIdentity($identityToken)) {
-				$this->generatePassword();
-				$response = $this->showIdentificationResult(true);
-				return $response;
-			} else {
-				$response = $this->showIdentificationResult(false);
-				$response->throttle();
-				return $response;
-			}
-		}
-
-		if (!$this->verifyPassword($password)) {
-			$this->authFailed();
-			$response = $this->showAuthFailed();
-			$response->throttle();
-			return $response;
-		}
-
-		$this->session->regenerateId(true, true);
-		$response = $this->getRedirect();
-
-		$this->storeTokenSession($this->getToken(), $this->getPasswordHash());
-
-		$this->authSucceeded();
-
-		return $response;
-	}
-
-	/**
-	 * Default landing page
-	 *
-	 * @since 14.0.0
-	 */
-	abstract public function showShare(): TemplateResponse;
-
-	/**
-	 * @since 14.0.0
-	 */
-	final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
-		return new RedirectResponse(
-			$this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
-		);
-	}
-
-
-	/**
-	 * @since 14.0.0
-	 */
-	private function getRoute(string $function): string {
-		$app = strtolower($this->appName);
-		$class = (new \ReflectionClass($this))->getShortName();
-		if (str_ends_with($class, 'Controller')) {
-			$class = substr($class, 0, -10);
-		}
-		return $app . '.' . $class . '.' . $function;
-	}
-
-	/**
-	 * @since 14.0.0
-	 */
-	private function getRedirect(): RedirectResponse {
-		//Get all the stored redirect parameters:
-		$params = $this->session->get('public_link_authenticate_redirect');
-
-		$route = $this->getRoute('showShare');
-
-		if ($params === null) {
-			$params = [
-				'token' => $this->getToken(),
-			];
-		} else {
-			$params = json_decode($params, true);
-			if (isset($params['_route'])) {
-				$route = $params['_route'];
-				unset($params['_route']);
-			}
-
-			// If the token doesn't match the rest of the arguments can't be trusted either
-			if (isset($params['token']) && $params['token'] !== $this->getToken()) {
-				$params = [
-					'token' => $this->getToken(),
-				];
-			}
-
-			// We need a token
-			if (!isset($params['token'])) {
-				$params = [
-					'token' => $this->getToken(),
-				];
-			}
-		}
-
-		return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
-	}
+    /** @var IURLGenerator */
+    protected $urlGenerator;
+
+    /**
+     * @since 14.0.0
+     */
+    public function __construct(string $appName,
+        IRequest $request,
+        ISession $session,
+        IURLGenerator $urlGenerator) {
+        parent::__construct($appName, $request, $session);
+
+        $this->urlGenerator = $urlGenerator;
+    }
+
+    /**
+     * Show the authentication page
+     * The form has to submit to the authenticate method route
+     *
+     * @since 14.0.0
+     */
+    #[NoCSRFRequired]
+    #[PublicPage]
+    public function showAuthenticate(): TemplateResponse {
+        return new TemplateResponse('core', 'publicshareauth', [], 'guest');
+    }
+
+    /**
+     * The template to show when authentication failed
+     *
+     * @since 14.0.0
+     */
+    protected function showAuthFailed(): TemplateResponse {
+        return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
+    }
+
+    /**
+     * The template to show after user identification
+     *
+     * @since 24.0.0
+     */
+    protected function showIdentificationResult(bool $success): TemplateResponse {
+        return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
+    }
+
+    /**
+     * Validates that the provided identity is allowed to receive a temporary password
+     *
+     * @since 24.0.0
+     */
+    protected function validateIdentity(?string $identityToken = null): bool {
+        return false;
+    }
+
+    /**
+     * Generates a password
+     *
+     * @since 24.0.0
+     */
+    protected function generatePassword(): void {
+    }
+
+    /**
+     * Verify the password
+     *
+     * @since 24.0.0
+     */
+    protected function verifyPassword(string $password): bool {
+        return false;
+    }
+
+    /**
+     * Function called after failed authentication
+     *
+     * You can use this to do some logging for example
+     *
+     * @since 14.0.0
+     */
+    protected function authFailed() {
+    }
+
+    /**
+     * Function called after successful authentication
+     *
+     * You can use this to do some logging for example
+     *
+     * @since 14.0.0
+     */
+    protected function authSucceeded() {
+    }
+
+    /**
+     * Authenticate the share
+     *
+     * @since 14.0.0
+     */
+    #[BruteForceProtection(action: 'publicLinkAuth')]
+    #[PublicPage]
+    #[UseSession]
+    final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
+        // Already authenticated
+        if ($this->isAuthenticated()) {
+            return $this->getRedirect();
+        }
+
+        // Is user requesting a temporary password?
+        if ($passwordRequest == '') {
+            if ($this->validateIdentity($identityToken)) {
+                $this->generatePassword();
+                $response = $this->showIdentificationResult(true);
+                return $response;
+            } else {
+                $response = $this->showIdentificationResult(false);
+                $response->throttle();
+                return $response;
+            }
+        }
+
+        if (!$this->verifyPassword($password)) {
+            $this->authFailed();
+            $response = $this->showAuthFailed();
+            $response->throttle();
+            return $response;
+        }
+
+        $this->session->regenerateId(true, true);
+        $response = $this->getRedirect();
+
+        $this->storeTokenSession($this->getToken(), $this->getPasswordHash());
+
+        $this->authSucceeded();
+
+        return $response;
+    }
+
+    /**
+     * Default landing page
+     *
+     * @since 14.0.0
+     */
+    abstract public function showShare(): TemplateResponse;
+
+    /**
+     * @since 14.0.0
+     */
+    final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
+        return new RedirectResponse(
+            $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
+        );
+    }
+
+
+    /**
+     * @since 14.0.0
+     */
+    private function getRoute(string $function): string {
+        $app = strtolower($this->appName);
+        $class = (new \ReflectionClass($this))->getShortName();
+        if (str_ends_with($class, 'Controller')) {
+            $class = substr($class, 0, -10);
+        }
+        return $app . '.' . $class . '.' . $function;
+    }
+
+    /**
+     * @since 14.0.0
+     */
+    private function getRedirect(): RedirectResponse {
+        //Get all the stored redirect parameters:
+        $params = $this->session->get('public_link_authenticate_redirect');
+
+        $route = $this->getRoute('showShare');
+
+        if ($params === null) {
+            $params = [
+                'token' => $this->getToken(),
+            ];
+        } else {
+            $params = json_decode($params, true);
+            if (isset($params['_route'])) {
+                $route = $params['_route'];
+                unset($params['_route']);
+            }
+
+            // If the token doesn't match the rest of the arguments can't be trusted either
+            if (isset($params['token']) && $params['token'] !== $this->getToken()) {
+                $params = [
+                    'token' => $this->getToken(),
+                ];
+            }
+
+            // We need a token
+            if (!isset($params['token'])) {
+                $params = [
+                    'token' => $this->getToken(),
+                ];
+            }
+        }
+
+        return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
+    }
 }

lib/public/AppFramework/PublicShareController.php

Indentation +116 added lines, -116 removed lines

@@ -26,120 +26,120 @@
  */
 abstract class PublicShareController extends Controller {
 
-	public const DAV_AUTHENTICATED_FRONTEND = 'public_link_authenticated_frontend';
-
-	/** @var string */
-	private $token;
-
-	/**
-	 * @since 14.0.0
-	 */
-	public function __construct(
-		string $appName,
-		IRequest $request,
-		protected ISession $session,
-	) {
-		parent::__construct($appName, $request);
-	}
-
-	/**
-	 * Middleware set the token for the request
-	 *
-	 * @since 14.0.0
-	 */
-	final public function setToken(string $token) {
-		$this->token = $token;
-	}
-
-	/**
-	 * Get the token for this request
-	 *
-	 * @since 14.0.0
-	 */
-	final public function getToken(): string {
-		return $this->token;
-	}
-
-	/**
-	 * Get a hash of the password for this share
-	 *
-	 * To ensure access is blocked when the password to a share is changed we store
-	 * a hash of the password for this token.
-	 *
-	 * @since 14.0.0
-	 */
-	abstract protected function getPasswordHash(): ?string;
-
-	/**
-	 * Is the provided token a valid token
-	 *
-	 * This function is already called from the middleware directly after setting the token.
-	 *
-	 * @since 14.0.0
-	 */
-	abstract public function isValidToken(): bool;
-
-	/**
-	 * Is a share with this token password protected
-	 *
-	 * @since 14.0.0
-	 */
-	abstract protected function isPasswordProtected(): bool;
-
-	/**
-	 * Check if a share is authenticated or not
-	 *
-	 * @since 14.0.0
-	 */
-	public function isAuthenticated(): bool {
-		// Always authenticated against non password protected shares
-		if (!$this->isPasswordProtected()) {
-			return true;
-		}
-
-		// If we are authenticated properly
-		if ($this->validateTokenSession($this->getToken(), $this->getPasswordHash())) {
-			return true;
-		}
-
-		// Fail by default if nothing matches
-		return false;
-	}
-
-	/**
-	 * Function called if the share is not found.
-	 *
-	 * You can use this to do some logging for example
-	 *
-	 * @since 14.0.0
-	 */
-	public function shareNotFound() {
-	}
-
-	/**
-	 * Validate the token and password hash stored in session
-	 */
-	protected function validateTokenSession(string $token, string $passwordHash): bool {
-		$allowedTokensJSON = $this->session->get(self::DAV_AUTHENTICATED_FRONTEND) ?? '[]';
-		$allowedTokens = json_decode($allowedTokensJSON, true);
-		if (!is_array($allowedTokens)) {
-			$allowedTokens = [];
-		}
-
-		return ($allowedTokens[$token] ?? '') === $passwordHash;
-	}
-
-	/**
-	 * Store the token and password hash in session
-	 */
-	protected function storeTokenSession(string $token, string $passwordHash = ''): void {
-		$allowedTokensJSON = $this->session->get(self::DAV_AUTHENTICATED_FRONTEND) ?? '[]';
-		$allowedTokens = json_decode($allowedTokensJSON, true);
-		if (!is_array($allowedTokens)) {
-			$allowedTokens = [];
-		}
-
-		$allowedTokens[$token] = $passwordHash;
-		$this->session->set(self::DAV_AUTHENTICATED_FRONTEND, json_encode($allowedTokens));
-	}
+    public const DAV_AUTHENTICATED_FRONTEND = 'public_link_authenticated_frontend';
+
+    /** @var string */
+    private $token;
+
+    /**
+     * @since 14.0.0
+     */
+    public function __construct(
+        string $appName,
+        IRequest $request,
+        protected ISession $session,
+    ) {
+        parent::__construct($appName, $request);
+    }
+
+    /**
+     * Middleware set the token for the request
+     *
+     * @since 14.0.0
+     */
+    final public function setToken(string $token) {
+        $this->token = $token;
+    }
+
+    /**
+     * Get the token for this request
+     *
+     * @since 14.0.0
+     */
+    final public function getToken(): string {
+        return $this->token;
+    }
+
+    /**
+     * Get a hash of the password for this share
+     *
+     * To ensure access is blocked when the password to a share is changed we store
+     * a hash of the password for this token.
+     *
+     * @since 14.0.0
+     */
+    abstract protected function getPasswordHash(): ?string;
+
+    /**
+     * Is the provided token a valid token
+     *
+     * This function is already called from the middleware directly after setting the token.
+     *
+     * @since 14.0.0
+     */
+    abstract public function isValidToken(): bool;
+
+    /**
+     * Is a share with this token password protected
+     *
+     * @since 14.0.0
+     */
+    abstract protected function isPasswordProtected(): bool;
+
+    /**
+     * Check if a share is authenticated or not
+     *
+     * @since 14.0.0
+     */
+    public function isAuthenticated(): bool {
+        // Always authenticated against non password protected shares
+        if (!$this->isPasswordProtected()) {
+            return true;
+        }
+
+        // If we are authenticated properly
+        if ($this->validateTokenSession($this->getToken(), $this->getPasswordHash())) {
+            return true;
+        }
+
+        // Fail by default if nothing matches
+        return false;
+    }
+
+    /**
+     * Function called if the share is not found.
+     *
+     * You can use this to do some logging for example
+     *
+     * @since 14.0.0
+     */
+    public function shareNotFound() {
+    }
+
+    /**
+     * Validate the token and password hash stored in session
+     */
+    protected function validateTokenSession(string $token, string $passwordHash): bool {
+        $allowedTokensJSON = $this->session->get(self::DAV_AUTHENTICATED_FRONTEND) ?? '[]';
+        $allowedTokens = json_decode($allowedTokensJSON, true);
+        if (!is_array($allowedTokens)) {
+            $allowedTokens = [];
+        }
+
+        return ($allowedTokens[$token] ?? '') === $passwordHash;
+    }
+
+    /**
+     * Store the token and password hash in session
+     */
+    protected function storeTokenSession(string $token, string $passwordHash = ''): void {
+        $allowedTokensJSON = $this->session->get(self::DAV_AUTHENTICATED_FRONTEND) ?? '[]';
+        $allowedTokens = json_decode($allowedTokensJSON, true);
+        if (!is_array($allowedTokens)) {
+            $allowedTokens = [];
+        }
+
+        $allowedTokens[$token] = $passwordHash;
+        $this->session->set(self::DAV_AUTHENTICATED_FRONTEND, json_encode($allowedTokens));
+    }
 }

apps/dav/lib/Connector/Sabre/Auth.php

Indentation +178 added lines, -178 removed lines

@@ -28,182 +28,182 @@
 use Sabre\HTTP\ResponseInterface;
 
 class Auth extends AbstractBasic {
-	public const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
-	private ?string $currentUser = null;
-
-	public function __construct(
-		private ISession $session,
-		private Session $userSession,
-		private IRequest $request,
-		private Manager $twoFactorManager,
-		private IThrottler $throttler,
-		string $principalPrefix = 'principals/users/',
-	) {
-		$this->principalPrefix = $principalPrefix;
-
-		// setup realm
-		$defaults = new Defaults();
-		$this->realm = $defaults->getName() ?: 'Nextcloud';
-	}
-
-	/**
-	 * Whether the user has initially authenticated via DAV
-	 *
-	 * This is required for WebDAV clients that resent the cookies even when the
-	 * account was changed.
-	 *
-	 * @see https://github.com/owncloud/core/issues/13245
-	 */
-	public function isDavAuthenticated(string $username): bool {
-		if (is_null($this->session->get(self::DAV_AUTHENTICATED))) {
-			return false;
-		}
-
-		return $this->session->get(self::DAV_AUTHENTICATED) === $username;
-	}
-
-	/**
-	 * Validates a username and password
-	 *
-	 * This method should return true or false depending on if login
-	 * succeeded.
-	 *
-	 * @param string $username
-	 * @param string $password
-	 * @return bool
-	 * @throws PasswordLoginForbidden
-	 */
-	protected function validateUserPass($username, $password) {
-		if ($this->userSession->isLoggedIn()
-			&& $this->isDavAuthenticated($this->userSession->getUser()->getUID())
-		) {
-			$this->session->close();
-			return true;
-		} else {
-			try {
-				if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
-					$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
-					$this->session->close();
-					return true;
-				} else {
-					$this->session->close();
-					return false;
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				$this->session->close();
-				throw new PasswordLoginForbidden();
-			} catch (MaxDelayReached $ex) {
-				$this->session->close();
-				throw new TooManyRequests();
-			}
-		}
-	}
-
-	/**
-	 * @return array{bool, string}
-	 * @throws NotAuthenticated
-	 * @throws ServiceUnavailable
-	 */
-	public function check(RequestInterface $request, ResponseInterface $response) {
-		try {
-			return $this->auth($request, $response);
-		} catch (NotAuthenticated $e) {
-			throw $e;
-		} catch (Exception $e) {
-			$class = get_class($e);
-			$msg = $e->getMessage();
-			Server::get(LoggerInterface::class)->error($e->getMessage(), ['exception' => $e]);
-			throw new ServiceUnavailable("$class: $msg");
-		}
-	}
-
-	/**
-	 * Checks whether a CSRF check is required on the request
-	 */
-	private function requiresCSRFCheck(): bool {
-
-		$methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
-		if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) {
-			return false;
-		}
-
-		// Official Nextcloud clients require no checks
-		if ($this->request->isUserAgent([
-			IRequest::USER_AGENT_CLIENT_DESKTOP,
-			IRequest::USER_AGENT_CLIENT_ANDROID,
-			IRequest::USER_AGENT_CLIENT_IOS,
-		])) {
-			return false;
-		}
-
-		// If not logged-in no check is required
-		if (!$this->userSession->isLoggedIn()) {
-			return false;
-		}
-
-		// POST always requires a check
-		if ($this->request->getMethod() === 'POST') {
-			return true;
-		}
-
-		// If logged-in AND DAV authenticated no check is required
-		if ($this->userSession->isLoggedIn()
-			&& $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * @return array{bool, string}
-	 * @throws NotAuthenticated
-	 */
-	private function auth(RequestInterface $request, ResponseInterface $response): array {
-		$forcedLogout = false;
-
-		if (!$this->request->passesCSRFCheck()
-			&& $this->requiresCSRFCheck()) {
-			// In case of a fail with POST we need to recheck the credentials
-			if ($this->request->getMethod() === 'POST') {
-				$forcedLogout = true;
-			} else {
-				$response->setStatus(Http::STATUS_UNAUTHORIZED);
-				throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
-			}
-		}
-
-		if ($forcedLogout) {
-			$this->userSession->logout();
-		} else {
-			if ($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
-				throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
-			}
-			if (
-				//Fix for broken webdav clients
-				($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)))
-				//Well behaved clients that only send the cookie are allowed
-				|| ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && empty($request->getHeader('Authorization')))
-				|| \OC_User::handleApacheAuth()
-			) {
-				$user = $this->userSession->getUser()->getUID();
-				$this->currentUser = $user;
-				$this->session->close();
-				return [true, $this->principalPrefix . $user];
-			}
-		}
-
-		$data = parent::check($request, $response);
-		if ($data[0] === true) {
-			$startPos = strrpos($data[1], '/') + 1;
-			$user = $this->userSession->getUser()->getUID();
-			$data[1] = substr_replace($data[1], $user, $startPos);
-		} elseif (in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With') ?? ''))) {
-			// For ajax requests use dummy auth name to prevent browser popup in case of invalid creditials
-			$response->addHeader('WWW-Authenticate', 'DummyBasic realm="' . $this->realm . '"');
-			$response->setStatus(Http::STATUS_UNAUTHORIZED);
-			throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
-		}
-		return $data;
-	}
+    public const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
+    private ?string $currentUser = null;
+
+    public function __construct(
+        private ISession $session,
+        private Session $userSession,
+        private IRequest $request,
+        private Manager $twoFactorManager,
+        private IThrottler $throttler,
+        string $principalPrefix = 'principals/users/',
+    ) {
+        $this->principalPrefix = $principalPrefix;
+
+        // setup realm
+        $defaults = new Defaults();
+        $this->realm = $defaults->getName() ?: 'Nextcloud';
+    }
+
+    /**
+     * Whether the user has initially authenticated via DAV
+     *
+     * This is required for WebDAV clients that resent the cookies even when the
+     * account was changed.
+     *
+     * @see https://github.com/owncloud/core/issues/13245
+     */
+    public function isDavAuthenticated(string $username): bool {
+        if (is_null($this->session->get(self::DAV_AUTHENTICATED))) {
+            return false;
+        }
+
+        return $this->session->get(self::DAV_AUTHENTICATED) === $username;
+    }
+
+    /**
+     * Validates a username and password
+     *
+     * This method should return true or false depending on if login
+     * succeeded.
+     *
+     * @param string $username
+     * @param string $password
+     * @return bool
+     * @throws PasswordLoginForbidden
+     */
+    protected function validateUserPass($username, $password) {
+        if ($this->userSession->isLoggedIn()
+            && $this->isDavAuthenticated($this->userSession->getUser()->getUID())
+        ) {
+            $this->session->close();
+            return true;
+        } else {
+            try {
+                if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
+                    $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
+                    $this->session->close();
+                    return true;
+                } else {
+                    $this->session->close();
+                    return false;
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                $this->session->close();
+                throw new PasswordLoginForbidden();
+            } catch (MaxDelayReached $ex) {
+                $this->session->close();
+                throw new TooManyRequests();
+            }
+        }
+    }
+
+    /**
+     * @return array{bool, string}
+     * @throws NotAuthenticated
+     * @throws ServiceUnavailable
+     */
+    public function check(RequestInterface $request, ResponseInterface $response) {
+        try {
+            return $this->auth($request, $response);
+        } catch (NotAuthenticated $e) {
+            throw $e;
+        } catch (Exception $e) {
+            $class = get_class($e);
+            $msg = $e->getMessage();
+            Server::get(LoggerInterface::class)->error($e->getMessage(), ['exception' => $e]);
+            throw new ServiceUnavailable("$class: $msg");
+        }
+    }
+
+    /**
+     * Checks whether a CSRF check is required on the request
+     */
+    private function requiresCSRFCheck(): bool {
+
+        $methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
+        if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) {
+            return false;
+        }
+
+        // Official Nextcloud clients require no checks
+        if ($this->request->isUserAgent([
+            IRequest::USER_AGENT_CLIENT_DESKTOP,
+            IRequest::USER_AGENT_CLIENT_ANDROID,
+            IRequest::USER_AGENT_CLIENT_IOS,
+        ])) {
+            return false;
+        }
+
+        // If not logged-in no check is required
+        if (!$this->userSession->isLoggedIn()) {
+            return false;
+        }
+
+        // POST always requires a check
+        if ($this->request->getMethod() === 'POST') {
+            return true;
+        }
+
+        // If logged-in AND DAV authenticated no check is required
+        if ($this->userSession->isLoggedIn()
+            && $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * @return array{bool, string}
+     * @throws NotAuthenticated
+     */
+    private function auth(RequestInterface $request, ResponseInterface $response): array {
+        $forcedLogout = false;
+
+        if (!$this->request->passesCSRFCheck()
+            && $this->requiresCSRFCheck()) {
+            // In case of a fail with POST we need to recheck the credentials
+            if ($this->request->getMethod() === 'POST') {
+                $forcedLogout = true;
+            } else {
+                $response->setStatus(Http::STATUS_UNAUTHORIZED);
+                throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
+            }
+        }
+
+        if ($forcedLogout) {
+            $this->userSession->logout();
+        } else {
+            if ($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
+                throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
+            }
+            if (
+                //Fix for broken webdav clients
+                ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)))
+                //Well behaved clients that only send the cookie are allowed
+                || ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && empty($request->getHeader('Authorization')))
+                || \OC_User::handleApacheAuth()
+            ) {
+                $user = $this->userSession->getUser()->getUID();
+                $this->currentUser = $user;
+                $this->session->close();
+                return [true, $this->principalPrefix . $user];
+            }
+        }
+
+        $data = parent::check($request, $response);
+        if ($data[0] === true) {
+            $startPos = strrpos($data[1], '/') + 1;
+            $user = $this->userSession->getUser()->getUID();
+            $data[1] = substr_replace($data[1], $user, $startPos);
+        } elseif (in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With') ?? ''))) {
+            // For ajax requests use dummy auth name to prevent browser popup in case of invalid creditials
+            $response->addHeader('WWW-Authenticate', 'DummyBasic realm="' . $this->realm . '"');
+            $response->setStatus(Http::STATUS_UNAUTHORIZED);
+            throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
+        }
+        return $data;
+    }
 }

apps/dav/lib/Connector/Sabre/PublicAuth.php

Indentation +210 added lines, -210 removed lines

@@ -36,214 +36,214 @@
  * @package OCA\DAV\Connector
  */
 class PublicAuth extends AbstractBasic {
-	private const BRUTEFORCE_ACTION = 'public_dav_auth';
-	public const DAV_AUTHENTICATED = 'public_link_authenticated';
-
-	private ?IShare $share = null;
-
-	public function __construct(
-		private IRequest $request,
-		private IManager $shareManager,
-		private ISession $session,
-		private IThrottler $throttler,
-		private LoggerInterface $logger,
-		private IURLGenerator $urlGenerator,
-	) {
-		// setup realm
-		$defaults = new Defaults();
-		$this->realm = $defaults->getName();
-	}
-
-	/**
-	 * @throws NotAuthenticated
-	 * @throws MaxDelayReached
-	 * @throws ServiceUnavailable
-	 */
-	public function check(RequestInterface $request, ResponseInterface $response): array {
-		try {
-			$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
-
-			if (count($_COOKIE) > 0 && !$this->request->passesStrictCookieCheck() && $this->getShare()->getPassword() !== null) {
-				throw new PreconditionFailed('Strict cookie check failed');
-			}
-
-			$auth = new HTTP\Auth\Basic(
-				$this->realm,
-				$request,
-				$response
-			);
-
-			$userpass = $auth->getCredentials();
-			// If authentication provided, checking its validity
-			if ($userpass && !$this->validateUserPass($userpass[0], $userpass[1])) {
-				return [false, 'Username or password was incorrect'];
-			}
-
-			return $this->checkToken();
-		} catch (NotAuthenticated|MaxDelayReached $e) {
-			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
-			throw $e;
-		} catch (PreconditionFailed $e) {
-			$response->setHeader(
-				'Location',
-				$this->urlGenerator->linkToRoute(
-					'files_sharing.share.showShare',
-					[ 'token' => $this->getToken() ],
-				),
-			);
-			throw $e;
-		} catch (\Exception $e) {
-			$class = get_class($e);
-			$msg = $e->getMessage();
-			$this->logger->error($e->getMessage(), ['exception' => $e]);
-			throw new ServiceUnavailable("$class: $msg");
-		}
-	}
-
-	/**
-	 * Extract token from request url
-	 * @throws NotFound
-	 */
-	private function getToken(): string {
-		$path = $this->request->getPathInfo() ?: '';
-		// ['', 'dav', 'files', 'token']
-		$splittedPath = explode('/', $path);
-
-		if (count($splittedPath) < 4 || $splittedPath[3] === '') {
-			throw new NotFound();
-		}
-
-		return $splittedPath[3];
-	}
-
-	/**
-	 * Check token validity
-	 *
-	 * @throws NotFound
-	 * @throws NotAuthenticated
-	 */
-	private function checkToken(): array {
-		$token = $this->getToken();
-
-		try {
-			/** @var IShare $share */
-			$share = $this->shareManager->getShareByToken($token);
-		} catch (ShareNotFound $e) {
-			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
-			throw new NotFound();
-		}
-
-		$this->share = $share;
-		\OC_User::setIncognitoMode(true);
-
-		// If already authenticated
-		if ($this->isShareInSession($share)) {
-			return [true, $this->principalPrefix . $token];
-		}
-
-		// If the share is protected but user is not authenticated
-		if ($share->getPassword() !== null) {
-			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
-			throw new NotAuthenticated();
-		}
-
-		return [true, $this->principalPrefix . $token];
-	}
-
-	/**
-	 * Validates a username and password
-	 *
-	 * This method should return true or false depending on if login
-	 * succeeded.
-	 *
-	 * @param string $username
-	 * @param string $password
-	 *
-	 * @return bool
-	 * @throws NotAuthenticated
-	 */
-	protected function validateUserPass($username, $password) {
-		$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
-
-		try {
-			$share = $this->getShare();
-		} catch (ShareNotFound $e) {
-			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
-			return false;
-		}
-
-		\OC_User::setIncognitoMode(true);
-
-		// check if the share is password protected
-		if ($share->getPassword() !== null) {
-			if ($share->getShareType() === IShare::TYPE_LINK
-				|| $share->getShareType() === IShare::TYPE_EMAIL
-				|| $share->getShareType() === IShare::TYPE_CIRCLE) {
-				// Validate password if provided
-				if ($this->shareManager->checkPassword($share, $password)) {
-					// If not set, set authenticated session cookie
-					if (!$this->isShareInSession($share)) {
-						$this->addShareToSession($share);
-					}
-					return true;
-				}
-
-				// We are already authenticated for this share in the session
-				if ($this->isShareInSession($share)) {
-					return true;
-				}
-
-				if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
-					// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
-					http_response_code(401);
-					header('WWW-Authenticate: DummyBasic realm="' . $this->realm . '"');
-					throw new NotAuthenticated('Cannot authenticate over ajax calls');
-				}
-
-				$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
-				return false;
-			} elseif ($share->getShareType() === IShare::TYPE_REMOTE) {
-				return true;
-			}
-
-			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
-			return false;
-		}
-
-		return true;
-	}
-
-	public function getShare(): IShare {
-		$token = $this->getToken();
-
-		if ($this->share === null) {
-			$share = $this->shareManager->getShareByToken($token);
-			$this->share = $share;
-		}
-
-		return $this->share;
-	}
-
-	private function addShareToSession(IShare $share): void {
-		$allowedShareIds = $this->session->get(self::DAV_AUTHENTICATED) ?? [];
-		if (!is_array($allowedShareIds)) {
-			$allowedShareIds = [];
-		}
-
-		$allowedShareIds[] = $share->getId();
-		$this->session->set(self::DAV_AUTHENTICATED, $allowedShareIds);
-	}
-
-	private function isShareInSession(IShare $share): bool {
-		if (!$this->session->exists(self::DAV_AUTHENTICATED)) {
-			return false;
-		}
-
-		$allowedShareIds = $this->session->get(self::DAV_AUTHENTICATED);
-		if (!is_array($allowedShareIds)) {
-			return false;
-		}
-
-		return in_array($share->getId(), $allowedShareIds);
-	}
+    private const BRUTEFORCE_ACTION = 'public_dav_auth';
+    public const DAV_AUTHENTICATED = 'public_link_authenticated';
+
+    private ?IShare $share = null;
+
+    public function __construct(
+        private IRequest $request,
+        private IManager $shareManager,
+        private ISession $session,
+        private IThrottler $throttler,
+        private LoggerInterface $logger,
+        private IURLGenerator $urlGenerator,
+    ) {
+        // setup realm
+        $defaults = new Defaults();
+        $this->realm = $defaults->getName();
+    }
+
+    /**
+     * @throws NotAuthenticated
+     * @throws MaxDelayReached
+     * @throws ServiceUnavailable
+     */
+    public function check(RequestInterface $request, ResponseInterface $response): array {
+        try {
+            $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
+
+            if (count($_COOKIE) > 0 && !$this->request->passesStrictCookieCheck() && $this->getShare()->getPassword() !== null) {
+                throw new PreconditionFailed('Strict cookie check failed');
+            }
+
+            $auth = new HTTP\Auth\Basic(
+                $this->realm,
+                $request,
+                $response
+            );
+
+            $userpass = $auth->getCredentials();
+            // If authentication provided, checking its validity
+            if ($userpass && !$this->validateUserPass($userpass[0], $userpass[1])) {
+                return [false, 'Username or password was incorrect'];
+            }
+
+            return $this->checkToken();
+        } catch (NotAuthenticated|MaxDelayReached $e) {
+            $this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
+            throw $e;
+        } catch (PreconditionFailed $e) {
+            $response->setHeader(
+                'Location',
+                $this->urlGenerator->linkToRoute(
+                    'files_sharing.share.showShare',
+                    [ 'token' => $this->getToken() ],
+                ),
+            );
+            throw $e;
+        } catch (\Exception $e) {
+            $class = get_class($e);
+            $msg = $e->getMessage();
+            $this->logger->error($e->getMessage(), ['exception' => $e]);
+            throw new ServiceUnavailable("$class: $msg");
+        }
+    }
+
+    /**
+     * Extract token from request url
+     * @throws NotFound
+     */
+    private function getToken(): string {
+        $path = $this->request->getPathInfo() ?: '';
+        // ['', 'dav', 'files', 'token']
+        $splittedPath = explode('/', $path);
+
+        if (count($splittedPath) < 4 || $splittedPath[3] === '') {
+            throw new NotFound();
+        }
+
+        return $splittedPath[3];
+    }
+
+    /**
+     * Check token validity
+     *
+     * @throws NotFound
+     * @throws NotAuthenticated
+     */
+    private function checkToken(): array {
+        $token = $this->getToken();
+
+        try {
+            /** @var IShare $share */
+            $share = $this->shareManager->getShareByToken($token);
+        } catch (ShareNotFound $e) {
+            $this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
+            throw new NotFound();
+        }
+
+        $this->share = $share;
+        \OC_User::setIncognitoMode(true);
+
+        // If already authenticated
+        if ($this->isShareInSession($share)) {
+            return [true, $this->principalPrefix . $token];
+        }
+
+        // If the share is protected but user is not authenticated
+        if ($share->getPassword() !== null) {
+            $this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
+            throw new NotAuthenticated();
+        }
+
+        return [true, $this->principalPrefix . $token];
+    }
+
+    /**
+     * Validates a username and password
+     *
+     * This method should return true or false depending on if login
+     * succeeded.
+     *
+     * @param string $username
+     * @param string $password
+     *
+     * @return bool
+     * @throws NotAuthenticated
+     */
+    protected function validateUserPass($username, $password) {
+        $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
+
+        try {
+            $share = $this->getShare();
+        } catch (ShareNotFound $e) {
+            $this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
+            return false;
+        }
+
+        \OC_User::setIncognitoMode(true);
+
+        // check if the share is password protected
+        if ($share->getPassword() !== null) {
+            if ($share->getShareType() === IShare::TYPE_LINK
+                || $share->getShareType() === IShare::TYPE_EMAIL
+                || $share->getShareType() === IShare::TYPE_CIRCLE) {
+                // Validate password if provided
+                if ($this->shareManager->checkPassword($share, $password)) {
+                    // If not set, set authenticated session cookie
+                    if (!$this->isShareInSession($share)) {
+                        $this->addShareToSession($share);
+                    }
+                    return true;
+                }
+
+                // We are already authenticated for this share in the session
+                if ($this->isShareInSession($share)) {
+                    return true;
+                }
+
+                if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
+                    // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
+                    http_response_code(401);
+                    header('WWW-Authenticate: DummyBasic realm="' . $this->realm . '"');
+                    throw new NotAuthenticated('Cannot authenticate over ajax calls');
+                }
+
+                $this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
+                return false;
+            } elseif ($share->getShareType() === IShare::TYPE_REMOTE) {
+                return true;
+            }
+
+            $this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
+            return false;
+        }
+
+        return true;
+    }
+
+    public function getShare(): IShare {
+        $token = $this->getToken();
+
+        if ($this->share === null) {
+            $share = $this->shareManager->getShareByToken($token);
+            $this->share = $share;
+        }
+
+        return $this->share;
+    }
+
+    private function addShareToSession(IShare $share): void {
+        $allowedShareIds = $this->session->get(self::DAV_AUTHENTICATED) ?? [];
+        if (!is_array($allowedShareIds)) {
+            $allowedShareIds = [];
+        }
+
+        $allowedShareIds[] = $share->getId();
+        $this->session->set(self::DAV_AUTHENTICATED, $allowedShareIds);
+    }
+
+    private function isShareInSession(IShare $share): bool {
+        if (!$this->session->exists(self::DAV_AUTHENTICATED)) {
+            return false;
+        }
+
+        $allowedShareIds = $this->session->get(self::DAV_AUTHENTICATED);
+        if (!is_array($allowedShareIds)) {
+            return false;
+        }
+
+        return in_array($share->getId(), $allowedShareIds);
+    }
 }

Spacing +5 added lines, -5 removed lines

@@ -80,7 +80,7 @@ 
 			}
 
 			return $this->checkToken();
-		} catch (NotAuthenticated|MaxDelayReached $e) {
+		} catch (NotAuthenticated | MaxDelayReached $e) {
 			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
 			throw $e;
 		} catch (PreconditionFailed $e) {
@@ -88,7 +88,7 @@ 
 				'Location',
 				$this->urlGenerator->linkToRoute(
 					'files_sharing.share.showShare',
-					[ 'token' => $this->getToken() ],
+					['token' => $this->getToken()],
 				),
 			);
 			throw $e;
@@ -138,7 +138,7 @@ 
 
 		// If already authenticated
 		if ($this->isShareInSession($share)) {
-			return [true, $this->principalPrefix . $token];
+			return [true, $this->principalPrefix.$token];
 		}
 
 		// If the share is protected but user is not authenticated
@@ -147,7 +147,7 @@ 
 			throw new NotAuthenticated();
 		}
 
-		return [true, $this->principalPrefix . $token];
+		return [true, $this->principalPrefix.$token];
 	}
 
 	/**
@@ -196,7 +196,7 @@ 
 				if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
 					// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
 					http_response_code(401);
-					header('WWW-Authenticate: DummyBasic realm="' . $this->realm . '"');
+					header('WWW-Authenticate: DummyBasic realm="'.$this->realm.'"');
 					throw new NotAuthenticated('Cannot authenticate over ajax calls');
 				}
 

apps/dav/tests/unit/Connector/Sabre/PublicAuthTest.php

Indentation +283 added lines, -283 removed lines

@@ -28,357 +28,357 @@
  */
 class PublicAuthTest extends \Test\TestCase {
 
-	private ISession&MockObject $session;
-	private IRequest&MockObject $request;
-	private IManager&MockObject $shareManager;
-	private IThrottler&MockObject $throttler;
-	private LoggerInterface&MockObject $logger;
-	private IURLGenerator&MockObject $urlGenerator;
-	private PublicAuth $auth;
-
-	private bool|string $oldUser;
-
-	protected function setUp(): void {
-		parent::setUp();
-
-		$this->session = $this->createMock(ISession::class);
-		$this->request = $this->createMock(IRequest::class);
-		$this->shareManager = $this->createMock(IManager::class);
-		$this->throttler = $this->createMock(IThrottler::class);
-		$this->logger = $this->createMock(LoggerInterface::class);
-		$this->urlGenerator = $this->createMock(IURLGenerator::class);
-
-		$this->auth = new PublicAuth(
-			$this->request,
-			$this->shareManager,
-			$this->session,
-			$this->throttler,
-			$this->logger,
-			$this->urlGenerator,
-		);
-
-		// Store current user
-		$this->oldUser = \OC_User::getUser();
-	}
-
-	protected function tearDown(): void {
-		\OC_User::setIncognitoMode(false);
-
-		// Set old user
-		\OC_User::setUserId($this->oldUser);
-		if ($this->oldUser !== false) {
-			\OC_Util::setupFS($this->oldUser);
-		}
-
-		parent::tearDown();
-	}
-
-	public function testGetToken(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
-
-		$result = self::invokePrivate($this->auth, 'getToken');
-
-		$this->assertSame('GX9HSGQrGE', $result);
-	}
-
-	public function testGetTokenInvalid(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files');
-
-		$this->expectException(\Sabre\DAV\Exception\NotFound::class);
-		self::invokePrivate($this->auth, 'getToken');
-	}
-
-	public function testCheckTokenValidShare(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
-
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn(null);
-
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
-
-		$result = self::invokePrivate($this->auth, 'checkToken');
-		$this->assertSame([true, 'principals/GX9HSGQrGE'], $result);
-	}
+    private ISession&MockObject $session;
+    private IRequest&MockObject $request;
+    private IManager&MockObject $shareManager;
+    private IThrottler&MockObject $throttler;
+    private LoggerInterface&MockObject $logger;
+    private IURLGenerator&MockObject $urlGenerator;
+    private PublicAuth $auth;
+
+    private bool|string $oldUser;
+
+    protected function setUp(): void {
+        parent::setUp();
+
+        $this->session = $this->createMock(ISession::class);
+        $this->request = $this->createMock(IRequest::class);
+        $this->shareManager = $this->createMock(IManager::class);
+        $this->throttler = $this->createMock(IThrottler::class);
+        $this->logger = $this->createMock(LoggerInterface::class);
+        $this->urlGenerator = $this->createMock(IURLGenerator::class);
+
+        $this->auth = new PublicAuth(
+            $this->request,
+            $this->shareManager,
+            $this->session,
+            $this->throttler,
+            $this->logger,
+            $this->urlGenerator,
+        );
+
+        // Store current user
+        $this->oldUser = \OC_User::getUser();
+    }
+
+    protected function tearDown(): void {
+        \OC_User::setIncognitoMode(false);
+
+        // Set old user
+        \OC_User::setUserId($this->oldUser);
+        if ($this->oldUser !== false) {
+            \OC_Util::setupFS($this->oldUser);
+        }
+
+        parent::tearDown();
+    }
+
+    public function testGetToken(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
+
+        $result = self::invokePrivate($this->auth, 'getToken');
+
+        $this->assertSame('GX9HSGQrGE', $result);
+    }
+
+    public function testGetTokenInvalid(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files');
+
+        $this->expectException(\Sabre\DAV\Exception\NotFound::class);
+        self::invokePrivate($this->auth, 'getToken');
+    }
+
+    public function testCheckTokenValidShare(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
+
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn(null);
+
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
+
+        $result = self::invokePrivate($this->auth, 'checkToken');
+        $this->assertSame([true, 'principals/GX9HSGQrGE'], $result);
+    }
 
-	public function testCheckTokenInvalidShare(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testCheckTokenInvalidShare(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$this->shareManager
-			->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willThrowException(new ShareNotFound());
-
-		$this->expectException(\Sabre\DAV\Exception\NotFound::class);
-		self::invokePrivate($this->auth, 'checkToken');
-	}
-
-	public function testCheckTokenAlreadyAuthenticated(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+        $this->shareManager
+            ->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willThrowException(new ShareNotFound());
+
+        $this->expectException(\Sabre\DAV\Exception\NotFound::class);
+        self::invokePrivate($this->auth, 'checkToken');
+    }
+
+    public function testCheckTokenAlreadyAuthenticated(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getShareType')->willReturn(42);
+        $share = $this->createMock(IShare::class);
+        $share->method('getShareType')->willReturn(42);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
-		$this->session->method('get')->with('public_link_authenticated')->willReturn('42');
+        $this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
+        $this->session->method('get')->with('public_link_authenticated')->willReturn('42');
 
-		$result = self::invokePrivate($this->auth, 'checkToken');
-		$this->assertSame([true, 'principals/GX9HSGQrGE'], $result);
-	}
+        $result = self::invokePrivate($this->auth, 'checkToken');
+        $this->assertSame([true, 'principals/GX9HSGQrGE'], $result);
+    }
 
-	public function testCheckTokenPasswordNotAuthenticated(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testCheckTokenPasswordNotAuthenticated(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(42);
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(42);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->session->method('exists')->with('public_link_authenticated')->willReturn(false);
+        $this->session->method('exists')->with('public_link_authenticated')->willReturn(false);
 
-		$this->expectException(\Sabre\DAV\Exception\NotAuthenticated::class);
-		self::invokePrivate($this->auth, 'checkToken');
-	}
+        $this->expectException(\Sabre\DAV\Exception\NotAuthenticated::class);
+        self::invokePrivate($this->auth, 'checkToken');
+    }
 
-	public function testCheckTokenPasswordAuthenticatedWrongShare(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testCheckTokenPasswordAuthenticatedWrongShare(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(42);
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(42);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->session->method('exists')->with('public_link_authenticated')->willReturn(false);
-		$this->session->method('get')->with('public_link_authenticated')->willReturn('43');
+        $this->session->method('exists')->with('public_link_authenticated')->willReturn(false);
+        $this->session->method('get')->with('public_link_authenticated')->willReturn('43');
 
-		$this->expectException(\Sabre\DAV\Exception\NotAuthenticated::class);
-		self::invokePrivate($this->auth, 'checkToken');
-	}
+        $this->expectException(\Sabre\DAV\Exception\NotAuthenticated::class);
+        self::invokePrivate($this->auth, 'checkToken');
+    }
 
-	public function testNoShare(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testNoShare(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willThrowException(new ShareNotFound());
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willThrowException(new ShareNotFound());
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertFalse($result);
-	}
+        $this->assertFalse($result);
+    }
 
-	public function testShareNoPassword(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testShareNoPassword(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn(null);
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn(null);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertTrue($result);
-	}
+        $this->assertTrue($result);
+    }
 
-	public function testSharePasswordFancyShareType(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testSharePasswordFancyShareType(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(42);
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(42);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertFalse($result);
-	}
+        $this->assertFalse($result);
+    }
 
 
-	public function testSharePasswordRemote(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testSharePasswordRemote(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(IShare::TYPE_REMOTE);
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(IShare::TYPE_REMOTE);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertTrue($result);
-	}
+        $this->assertTrue($result);
+    }
 
-	public function testSharePasswordLinkValidPassword(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testSharePasswordLinkValidPassword(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(IShare::TYPE_LINK);
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(IShare::TYPE_LINK);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->shareManager->expects($this->once())
-			->method('checkPassword')->with(
-				$this->equalTo($share),
-				$this->equalTo('password')
-			)->willReturn(true);
+        $this->shareManager->expects($this->once())
+            ->method('checkPassword')->with(
+                $this->equalTo($share),
+                $this->equalTo('password')
+            )->willReturn(true);
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertTrue($result);
-	}
+        $this->assertTrue($result);
+    }
 
-	public function testSharePasswordMailValidPassword(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testSharePasswordMailValidPassword(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(IShare::TYPE_EMAIL);
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(IShare::TYPE_EMAIL);
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->shareManager->expects($this->once())
-			->method('checkPassword')->with(
-				$this->equalTo($share),
-				$this->equalTo('password')
-			)->willReturn(true);
+        $this->shareManager->expects($this->once())
+            ->method('checkPassword')->with(
+                $this->equalTo($share),
+                $this->equalTo('password')
+            )->willReturn(true);
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertTrue($result);
-	}
+        $this->assertTrue($result);
+    }
 
-	public function testInvalidSharePasswordLinkValidSession(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testInvalidSharePasswordLinkValidSession(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(IShare::TYPE_LINK);
-		$share->method('getId')->willReturn('42');
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(IShare::TYPE_LINK);
+        $share->method('getId')->willReturn('42');
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->shareManager->expects($this->once())
-			->method('checkPassword')
-			->with(
-				$this->equalTo($share),
-				$this->equalTo('password')
-			)->willReturn(false);
+        $this->shareManager->expects($this->once())
+            ->method('checkPassword')
+            ->with(
+                $this->equalTo($share),
+                $this->equalTo('password')
+            )->willReturn(false);
 
-		$this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
-		$this->session->method('get')->with('public_link_authenticated')->willReturn(['42']);
+        $this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
+        $this->session->method('get')->with('public_link_authenticated')->willReturn(['42']);
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertTrue($result);
-	}
+        $this->assertTrue($result);
+    }
 
-	public function testSharePasswordLinkInvalidSession(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testSharePasswordLinkInvalidSession(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(IShare::TYPE_LINK);
-		$share->method('getId')->willReturn('42');
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(IShare::TYPE_LINK);
+        $share->method('getId')->willReturn('42');
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->shareManager->expects($this->once())
-			->method('checkPassword')
-			->with(
-				$this->equalTo($share),
-				$this->equalTo('password')
-			)->willReturn(false);
+        $this->shareManager->expects($this->once())
+            ->method('checkPassword')
+            ->with(
+                $this->equalTo($share),
+                $this->equalTo('password')
+            )->willReturn(false);
 
-		$this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
-		$this->session->method('get')->with('public_link_authenticated')->willReturn('43');
+        $this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
+        $this->session->method('get')->with('public_link_authenticated')->willReturn('43');
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertFalse($result);
-	}
+        $this->assertFalse($result);
+    }
 
 
-	public function testSharePasswordMailInvalidSession(): void {
-		$this->request->method('getPathInfo')
-			->willReturn('/dav/files/GX9HSGQrGE');
+    public function testSharePasswordMailInvalidSession(): void {
+        $this->request->method('getPathInfo')
+            ->willReturn('/dav/files/GX9HSGQrGE');
 
-		$share = $this->createMock(IShare::class);
-		$share->method('getPassword')->willReturn('password');
-		$share->method('getShareType')->willReturn(IShare::TYPE_EMAIL);
-		$share->method('getId')->willReturn('42');
+        $share = $this->createMock(IShare::class);
+        $share->method('getPassword')->willReturn('password');
+        $share->method('getShareType')->willReturn(IShare::TYPE_EMAIL);
+        $share->method('getId')->willReturn('42');
 
-		$this->shareManager->expects($this->once())
-			->method('getShareByToken')
-			->with('GX9HSGQrGE')
-			->willReturn($share);
+        $this->shareManager->expects($this->once())
+            ->method('getShareByToken')
+            ->with('GX9HSGQrGE')
+            ->willReturn($share);
 
-		$this->shareManager->expects($this->once())
-			->method('checkPassword')
-			->with(
-				$this->equalTo($share),
-				$this->equalTo('password')
-			)->willReturn(false);
+        $this->shareManager->expects($this->once())
+            ->method('checkPassword')
+            ->with(
+                $this->equalTo($share),
+                $this->equalTo('password')
+            )->willReturn(false);
 
-		$this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
-		$this->session->method('get')->with('public_link_authenticated')->willReturn('43');
+        $this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
+        $this->session->method('get')->with('public_link_authenticated')->willReturn('43');
 
-		$result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
+        $result = self::invokePrivate($this->auth, 'validateUserPass', ['username', 'password']);
 
-		$this->assertFalse($result);
-	}
+        $this->assertFalse($result);
+    }
 }

apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php

Indentation +149 added lines, -149 removed lines

@@ -38,153 +38,153 @@
  * @package OCA\FederatedFileSharing\Controller
  */
 class MountPublicLinkController extends Controller {
-	/**
-	 * MountPublicLinkController constructor.
-	 */
-	public function __construct(
-		string $appName,
-		IRequest $request,
-		private FederatedShareProvider $federatedShareProvider,
-		private IManager $shareManager,
-		private AddressHandler $addressHandler,
-		private ISession $session,
-		private IL10N $l,
-		private IUserSession $userSession,
-		private IClientService $clientService,
-		private ICloudIdManager $cloudIdManager,
-		private LoggerInterface $logger,
-	) {
-		parent::__construct($appName, $request);
-	}
-
-	/**
-	 * send federated share to a user of a public link
-	 *
-	 * @param string $shareWith Username to share with
-	 * @param string $token Token of the share
-	 * @param string $password Password of the share
-	 * @return JSONResponse<Http::STATUS_OK, array{remoteUrl: string}, array{}>|JSONResponse<Http::STATUS_BAD_REQUEST, array{message: string}, array{}>
-	 *
-	 * 200: Remote URL returned
-	 * 400: Creating share is not possible
-	 */
-	#[NoCSRFRequired]
-	#[PublicPage]
-	#[BruteForceProtection(action: 'publicLink2FederatedShare')]
-	#[OpenAPI(scope: OpenAPI::SCOPE_FEDERATION)]
-	public function createFederatedShare($shareWith, $token, $password = '') {
-		if (!$this->federatedShareProvider->isOutgoingServer2serverShareEnabled()) {
-			return new JSONResponse(
-				['message' => 'This server doesn\'t support outgoing federated shares'],
-				Http::STATUS_BAD_REQUEST
-			);
-		}
-
-		try {
-			[, $server] = $this->addressHandler->splitUserRemote($shareWith);
-			$share = $this->shareManager->getShareByToken($token);
-		} catch (HintException $e) {
-			$response = new JSONResponse(['message' => $e->getHint()], Http::STATUS_BAD_REQUEST);
-			$response->throttle();
-			return $response;
-		}
-
-		// make sure that user is authenticated in case of a password protected link
-		$allowedShareIds = $this->session->get(PublicAuth::DAV_AUTHENTICATED);
-		if (!is_array($allowedShareIds)) {
-			$allowedShareIds = [];
-		}
-
-		$authenticated = in_array($share->getId(), $allowedShareIds)
-			|| $this->shareManager->checkPassword($share, $password);
-
-		$storedPassword = $share->getPassword();
-		if (!empty($storedPassword) && !$authenticated) {
-			$response = new JSONResponse(
-				['message' => 'No permission to access the share'],
-				Http::STATUS_BAD_REQUEST
-			);
-			$response->throttle();
-			return $response;
-		}
-
-		if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
-			$response = new JSONResponse(
-				['message' => 'Mounting file drop not supported'],
-				Http::STATUS_BAD_REQUEST
-			);
-			$response->throttle();
-			return $response;
-		}
-
-		$share->setSharedWith($shareWith);
-		$share->setShareType(IShare::TYPE_REMOTE);
-
-		try {
-			$this->federatedShareProvider->create($share);
-		} catch (\Exception $e) {
-			$this->logger->warning($e->getMessage(), [
-				'app' => 'federatedfilesharing',
-				'exception' => $e,
-			]);
-			return new JSONResponse(['message' => $e->getMessage()], Http::STATUS_BAD_REQUEST);
-		}
-
-		return new JSONResponse(['remoteUrl' => $server]);
-	}
-
-	/**
-	 * ask other server to get a federated share
-	 *
-	 * @param string $token
-	 * @param string $remote
-	 * @param string $password
-	 * @param string $owner (only for legacy reasons, can be removed with legacyMountPublicLink())
-	 * @param string $ownerDisplayName (only for legacy reasons, can be removed with legacyMountPublicLink())
-	 * @param string $name (only for legacy reasons, can be removed with legacyMountPublicLink())
-	 * @return JSONResponse
-	 */
-	#[NoAdminRequired]
-	public function askForFederatedShare($token, $remote, $password = '', $owner = '', $ownerDisplayName = '', $name = '') {
-		// check if server admin allows to mount public links from other servers
-		if ($this->federatedShareProvider->isIncomingServer2serverShareEnabled() === false) {
-			return new JSONResponse(['message' => $this->l->t('Server to server sharing is not enabled on this server')], Http::STATUS_BAD_REQUEST);
-		}
-
-		$cloudId = $this->cloudIdManager->getCloudId($this->userSession->getUser()->getUID(), $this->addressHandler->generateRemoteURL());
-
-		$httpClient = $this->clientService->newClient();
-
-		try {
-			$response = $httpClient->post($remote . '/index.php/apps/federatedfilesharing/createFederatedShare',
-				[
-					'body' => [
-						'token' => $token,
-						'shareWith' => rtrim($cloudId->getId(), '/'),
-						'password' => $password
-					],
-					'connect_timeout' => 10,
-				]
-			);
-		} catch (\Exception $e) {
-			if (empty($password)) {
-				$message = $this->l->t("Couldn't establish a federated share.");
-			} else {
-				$message = $this->l->t("Couldn't establish a federated share, maybe the password was wrong.");
-			}
-			return new JSONResponse(['message' => $message], Http::STATUS_BAD_REQUEST);
-		}
-
-		$body = $response->getBody();
-		$result = json_decode($body, true);
-
-		if (is_array($result) && isset($result['remoteUrl'])) {
-			return new JSONResponse(['message' => $this->l->t('Federated Share request sent, you will receive an invitation. Check your notifications.')]);
-		}
-
-		// if we doesn't get the expected response we assume that we try to add
-		// a federated share from a Nextcloud <= 9 server
-		$message = $this->l->t("Couldn't establish a federated share, it looks like the server to federate with is too old (Nextcloud <= 9).");
-		return new JSONResponse(['message' => $message], Http::STATUS_BAD_REQUEST);
-	}
+    /**
+     * MountPublicLinkController constructor.
+     */
+    public function __construct(
+        string $appName,
+        IRequest $request,
+        private FederatedShareProvider $federatedShareProvider,
+        private IManager $shareManager,
+        private AddressHandler $addressHandler,
+        private ISession $session,
+        private IL10N $l,
+        private IUserSession $userSession,
+        private IClientService $clientService,
+        private ICloudIdManager $cloudIdManager,
+        private LoggerInterface $logger,
+    ) {
+        parent::__construct($appName, $request);
+    }
+
+    /**
+     * send federated share to a user of a public link
+     *
+     * @param string $shareWith Username to share with
+     * @param string $token Token of the share
+     * @param string $password Password of the share
+     * @return JSONResponse<Http::STATUS_OK, array{remoteUrl: string}, array{}>|JSONResponse<Http::STATUS_BAD_REQUEST, array{message: string}, array{}>
+     *
+     * 200: Remote URL returned
+     * 400: Creating share is not possible
+     */
+    #[NoCSRFRequired]
+    #[PublicPage]
+    #[BruteForceProtection(action: 'publicLink2FederatedShare')]
+    #[OpenAPI(scope: OpenAPI::SCOPE_FEDERATION)]
+    public function createFederatedShare($shareWith, $token, $password = '') {
+        if (!$this->federatedShareProvider->isOutgoingServer2serverShareEnabled()) {
+            return new JSONResponse(
+                ['message' => 'This server doesn\'t support outgoing federated shares'],
+                Http::STATUS_BAD_REQUEST
+            );
+        }
+
+        try {
+            [, $server] = $this->addressHandler->splitUserRemote($shareWith);
+            $share = $this->shareManager->getShareByToken($token);
+        } catch (HintException $e) {
+            $response = new JSONResponse(['message' => $e->getHint()], Http::STATUS_BAD_REQUEST);
+            $response->throttle();
+            return $response;
+        }
+
+        // make sure that user is authenticated in case of a password protected link
+        $allowedShareIds = $this->session->get(PublicAuth::DAV_AUTHENTICATED);
+        if (!is_array($allowedShareIds)) {
+            $allowedShareIds = [];
+        }
+
+        $authenticated = in_array($share->getId(), $allowedShareIds)
+            || $this->shareManager->checkPassword($share, $password);
+
+        $storedPassword = $share->getPassword();
+        if (!empty($storedPassword) && !$authenticated) {
+            $response = new JSONResponse(
+                ['message' => 'No permission to access the share'],
+                Http::STATUS_BAD_REQUEST
+            );
+            $response->throttle();
+            return $response;
+        }
+
+        if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+            $response = new JSONResponse(
+                ['message' => 'Mounting file drop not supported'],
+                Http::STATUS_BAD_REQUEST
+            );
+            $response->throttle();
+            return $response;
+        }
+
+        $share->setSharedWith($shareWith);
+        $share->setShareType(IShare::TYPE_REMOTE);
+
+        try {
+            $this->federatedShareProvider->create($share);
+        } catch (\Exception $e) {
+            $this->logger->warning($e->getMessage(), [
+                'app' => 'federatedfilesharing',
+                'exception' => $e,
+            ]);
+            return new JSONResponse(['message' => $e->getMessage()], Http::STATUS_BAD_REQUEST);
+        }
+
+        return new JSONResponse(['remoteUrl' => $server]);
+    }
+
+    /**
+     * ask other server to get a federated share
+     *
+     * @param string $token
+     * @param string $remote
+     * @param string $password
+     * @param string $owner (only for legacy reasons, can be removed with legacyMountPublicLink())
+     * @param string $ownerDisplayName (only for legacy reasons, can be removed with legacyMountPublicLink())
+     * @param string $name (only for legacy reasons, can be removed with legacyMountPublicLink())
+     * @return JSONResponse
+     */
+    #[NoAdminRequired]
+    public function askForFederatedShare($token, $remote, $password = '', $owner = '', $ownerDisplayName = '', $name = '') {
+        // check if server admin allows to mount public links from other servers
+        if ($this->federatedShareProvider->isIncomingServer2serverShareEnabled() === false) {
+            return new JSONResponse(['message' => $this->l->t('Server to server sharing is not enabled on this server')], Http::STATUS_BAD_REQUEST);
+        }
+
+        $cloudId = $this->cloudIdManager->getCloudId($this->userSession->getUser()->getUID(), $this->addressHandler->generateRemoteURL());
+
+        $httpClient = $this->clientService->newClient();
+
+        try {
+            $response = $httpClient->post($remote . '/index.php/apps/federatedfilesharing/createFederatedShare',
+                [
+                    'body' => [
+                        'token' => $token,
+                        'shareWith' => rtrim($cloudId->getId(), '/'),
+                        'password' => $password
+                    ],
+                    'connect_timeout' => 10,
+                ]
+            );
+        } catch (\Exception $e) {
+            if (empty($password)) {
+                $message = $this->l->t("Couldn't establish a federated share.");
+            } else {
+                $message = $this->l->t("Couldn't establish a federated share, maybe the password was wrong.");
+            }
+            return new JSONResponse(['message' => $message], Http::STATUS_BAD_REQUEST);
+        }
+
+        $body = $response->getBody();
+        $result = json_decode($body, true);
+
+        if (is_array($result) && isset($result['remoteUrl'])) {
+            return new JSONResponse(['message' => $this->l->t('Federated Share request sent, you will receive an invitation. Check your notifications.')]);
+        }
+
+        // if we doesn't get the expected response we assume that we try to add
+        // a federated share from a Nextcloud <= 9 server
+        $message = $this->l->t("Couldn't establish a federated share, it looks like the server to federate with is too old (Nextcloud <= 9).");
+        return new JSONResponse(['message' => $message], Http::STATUS_BAD_REQUEST);
+    }
 }

apps/files_sharing/lib/Controller/ShareController.php

Indentation +354 added lines, -354 removed lines

@@ -51,358 +51,358 @@
  */
 #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 class ShareController extends AuthPublicShareController {
-	protected ?IShare $share = null;
-
-	public const SHARE_ACCESS = 'access';
-	public const SHARE_AUTH = 'auth';
-	public const SHARE_DOWNLOAD = 'download';
-
-	public function __construct(
-		string $appName,
-		IRequest $request,
-		protected IConfig $config,
-		IURLGenerator $urlGenerator,
-		protected IUserManager $userManager,
-		protected \OCP\Activity\IManager $activityManager,
-		protected ShareManager $shareManager,
-		ISession $session,
-		protected IPreview $previewManager,
-		protected IRootFolder $rootFolder,
-		protected FederatedShareProvider $federatedShareProvider,
-		protected IAccountManager $accountManager,
-		protected IEventDispatcher $eventDispatcher,
-		protected IL10N $l10n,
-		protected ISecureRandom $secureRandom,
-		protected Defaults $defaults,
-		private IPublicShareTemplateFactory $publicShareTemplateFactory,
-	) {
-		parent::__construct($appName, $request, $session, $urlGenerator);
-	}
-
-	/**
-	 * Show the authentication page
-	 * The form has to submit to the authenticate method route
-	 */
-	#[PublicPage]
-	#[NoCSRFRequired]
-	public function showAuthenticate(): TemplateResponse {
-		$templateParameters = ['share' => $this->share];
-
-		$this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));
-
-		$response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
-		if ($this->share->getSendPasswordByTalk()) {
-			$csp = new ContentSecurityPolicy();
-			$csp->addAllowedConnectDomain('*');
-			$csp->addAllowedMediaDomain('blob:');
-			$response->setContentSecurityPolicy($csp);
-		}
-
-		return $response;
-	}
-
-	/**
-	 * The template to show when authentication failed
-	 */
-	protected function showAuthFailed(): TemplateResponse {
-		$templateParameters = ['share' => $this->share, 'wrongpw' => true];
-
-		$this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));
-
-		$response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
-		if ($this->share->getSendPasswordByTalk()) {
-			$csp = new ContentSecurityPolicy();
-			$csp->addAllowedConnectDomain('*');
-			$csp->addAllowedMediaDomain('blob:');
-			$response->setContentSecurityPolicy($csp);
-		}
-
-		return $response;
-	}
-
-	/**
-	 * The template to show after user identification
-	 */
-	protected function showIdentificationResult(bool $success = false): TemplateResponse {
-		$templateParameters = ['share' => $this->share, 'identityOk' => $success];
-
-		$this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));
-
-		$response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
-		if ($this->share->getSendPasswordByTalk()) {
-			$csp = new ContentSecurityPolicy();
-			$csp->addAllowedConnectDomain('*');
-			$csp->addAllowedMediaDomain('blob:');
-			$response->setContentSecurityPolicy($csp);
-		}
-
-		return $response;
-	}
-
-	/**
-	 * Validate the identity token of a public share
-	 *
-	 * @param ?string $identityToken
-	 * @return bool
-	 */
-	protected function validateIdentity(?string $identityToken = null): bool {
-		if ($this->share->getShareType() !== IShare::TYPE_EMAIL) {
-			return false;
-		}
-
-		if ($identityToken === null || $this->share->getSharedWith() === null) {
-			return false;
-		}
-
-		return $identityToken === $this->share->getSharedWith();
-	}
-
-	/**
-	 * Generates a password for the share, respecting any password policy defined
-	 */
-	protected function generatePassword(): void {
-		$event = new GenerateSecurePasswordEvent(PasswordContext::SHARING);
-		$this->eventDispatcher->dispatchTyped($event);
-		$password = $event->getPassword() ?? $this->secureRandom->generate(20);
-
-		$this->share->setPassword($password);
-		$this->shareManager->updateShare($this->share);
-	}
-
-	protected function verifyPassword(string $password): bool {
-		return $this->shareManager->checkPassword($this->share, $password);
-	}
-
-	protected function getPasswordHash(): ?string {
-		return $this->share->getPassword();
-	}
-
-	public function isValidToken(): bool {
-		try {
-			$this->share = $this->shareManager->getShareByToken($this->getToken());
-		} catch (ShareNotFound $e) {
-			return false;
-		}
-
-		return true;
-	}
-
-	protected function isPasswordProtected(): bool {
-		return $this->share->getPassword() !== null;
-	}
-
-	protected function authSucceeded() {
-		if ($this->share === null) {
-			throw new NotFoundException();
-		}
-
-		// For share this was always set so it is still used in other apps
-		$allowedShareIds = $this->session->get(PublicAuth::DAV_AUTHENTICATED);
-		if (!is_array($allowedShareIds)) {
-			$allowedShareIds = [];
-		}
-
-		$this->session->set(PublicAuth::DAV_AUTHENTICATED, array_merge($allowedShareIds, [$this->share->getId()]));
-	}
-
-	protected function authFailed() {
-		$this->emitAccessShareHook($this->share, 403, 'Wrong password');
-		$this->emitShareAccessEvent($this->share, self::SHARE_AUTH, 403, 'Wrong password');
-	}
-
-	/**
-	 * throws hooks when a share is attempted to be accessed
-	 *
-	 * @param IShare|string $share the Share instance if available,
-	 *                             otherwise token
-	 * @param int $errorCode
-	 * @param string $errorMessage
-	 *
-	 * @throws HintException
-	 * @throws \OC\ServerNotAvailableException
-	 *
-	 * @deprecated use OCP\Files_Sharing\Event\ShareLinkAccessedEvent
-	 */
-	protected function emitAccessShareHook($share, int $errorCode = 200, string $errorMessage = '') {
-		$itemType = $itemSource = $uidOwner = '';
-		$token = $share;
-		$exception = null;
-		if ($share instanceof IShare) {
-			try {
-				$token = $share->getToken();
-				$uidOwner = $share->getSharedBy();
-				$itemType = $share->getNodeType();
-				$itemSource = $share->getNodeId();
-			} catch (\Exception $e) {
-				// we log what we know and pass on the exception afterwards
-				$exception = $e;
-			}
-		}
-
-		\OC_Hook::emit(Share::class, 'share_link_access', [
-			'itemType' => $itemType,
-			'itemSource' => $itemSource,
-			'uidOwner' => $uidOwner,
-			'token' => $token,
-			'errorCode' => $errorCode,
-			'errorMessage' => $errorMessage
-		]);
-
-		if (!is_null($exception)) {
-			throw $exception;
-		}
-	}
-
-	/**
-	 * Emit a ShareLinkAccessedEvent event when a share is accessed, downloaded, auth...
-	 */
-	protected function emitShareAccessEvent(IShare $share, string $step = '', int $errorCode = 200, string $errorMessage = ''): void {
-		if ($step !== self::SHARE_ACCESS
-			&& $step !== self::SHARE_AUTH
-			&& $step !== self::SHARE_DOWNLOAD) {
-			return;
-		}
-		$this->eventDispatcher->dispatchTyped(new ShareLinkAccessedEvent($share, $step, $errorCode, $errorMessage));
-	}
-
-	/**
-	 * Validate the permissions of the share
-	 *
-	 * @param Share\IShare $share
-	 * @return bool
-	 */
-	private function validateShare(IShare $share) {
-		// If the owner is disabled no access to the link is granted
-		$owner = $this->userManager->get($share->getShareOwner());
-		if ($owner === null || !$owner->isEnabled()) {
-			return false;
-		}
-
-		// If the initiator of the share is disabled no access is granted
-		$initiator = $this->userManager->get($share->getSharedBy());
-		if ($initiator === null || !$initiator->isEnabled()) {
-			return false;
-		}
-
-		return $share->getNode()->isReadable() && $share->getNode()->isShareable();
-	}
-
-	/**
-	 * @param string $path
-	 * @return TemplateResponse
-	 * @throws NotFoundException
-	 * @throws \Exception
-	 */
-	#[PublicPage]
-	#[NoCSRFRequired]
-	public function showShare($path = ''): TemplateResponse {
-		\OC_User::setIncognitoMode(true);
-
-		// Check whether share exists
-		try {
-			$share = $this->shareManager->getShareByToken($this->getToken());
-		} catch (ShareNotFound $e) {
-			// The share does not exists, we do not emit an ShareLinkAccessedEvent
-			$this->emitAccessShareHook($this->getToken(), 404, 'Share not found');
-			throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
-		}
-
-		if (!$this->validateShare($share)) {
-			throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
-		}
-
-		$shareNode = $share->getNode();
-
-		try {
-			$templateProvider = $this->publicShareTemplateFactory->getProvider($share);
-			$response = $templateProvider->renderPage($share, $this->getToken(), $path);
-		} catch (NotFoundException $e) {
-			$this->emitAccessShareHook($share, 404, 'Share not found');
-			$this->emitShareAccessEvent($share, ShareController::SHARE_ACCESS, 404, 'Share not found');
-			throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
-		}
-
-		// We can't get the path of a file share
-		try {
-			if ($shareNode instanceof File && $path !== '') {
-				$this->emitAccessShareHook($share, 404, 'Share not found');
-				$this->emitShareAccessEvent($share, self::SHARE_ACCESS, 404, 'Share not found');
-				throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
-			}
-		} catch (\Exception $e) {
-			$this->emitAccessShareHook($share, 404, 'Share not found');
-			$this->emitShareAccessEvent($share, self::SHARE_ACCESS, 404, 'Share not found');
-			throw $e;
-		}
-
-
-		$this->emitAccessShareHook($share);
-		$this->emitShareAccessEvent($share, self::SHARE_ACCESS);
-
-		return $response;
-	}
-
-	/**
-	 * @NoSameSiteCookieRequired
-	 *
-	 * @param string $token
-	 * @param string|null $files
-	 * @param string $path
-	 * @return void|Response
-	 * @throws NotFoundException
-	 * @deprecated 31.0.0 Users are encouraged to use the DAV endpoint
-	 */
-	#[PublicPage]
-	#[NoCSRFRequired]
-	public function downloadShare($token, $files = null, $path = '') {
-		\OC_User::setIncognitoMode(true);
-
-		$share = $this->shareManager->getShareByToken($token);
-
-		if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
-			return new DataResponse('Share has no read permission');
-		}
-
-		$attributes = $share->getAttributes();
-		if ($attributes?->getAttribute('permissions', 'download') === false) {
-			return new DataResponse('Share has no download permission');
-		}
-
-		if (!$this->validateShare($share)) {
-			throw new NotFoundException();
-		}
-
-		$node = $share->getNode();
-		if ($node instanceof Folder) {
-			// Directory share
-
-			// Try to get the path
-			if ($path !== '') {
-				try {
-					$node = $node->get($path);
-				} catch (NotFoundException $e) {
-					$this->emitAccessShareHook($share, 404, 'Share not found');
-					$this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD, 404, 'Share not found');
-					return new NotFoundResponse();
-				}
-			}
-
-			if ($node instanceof Folder) {
-				if ($files === null || $files === '') {
-					if ($share->getHideDownload()) {
-						throw new NotFoundException('Downloading a folder');
-					}
-				}
-			}
-		}
-
-		$this->emitAccessShareHook($share);
-		$this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD);
-
-		$davUrl = '/public.php/dav/files/' . $token . '/?accept=zip';
-		if ($files !== null) {
-			$davUrl .= '&files=' . $files;
-		}
-		return new RedirectResponse($this->urlGenerator->getAbsoluteURL($davUrl));
-	}
+    protected ?IShare $share = null;
+
+    public const SHARE_ACCESS = 'access';
+    public const SHARE_AUTH = 'auth';
+    public const SHARE_DOWNLOAD = 'download';
+
+    public function __construct(
+        string $appName,
+        IRequest $request,
+        protected IConfig $config,
+        IURLGenerator $urlGenerator,
+        protected IUserManager $userManager,
+        protected \OCP\Activity\IManager $activityManager,
+        protected ShareManager $shareManager,
+        ISession $session,
+        protected IPreview $previewManager,
+        protected IRootFolder $rootFolder,
+        protected FederatedShareProvider $federatedShareProvider,
+        protected IAccountManager $accountManager,
+        protected IEventDispatcher $eventDispatcher,
+        protected IL10N $l10n,
+        protected ISecureRandom $secureRandom,
+        protected Defaults $defaults,
+        private IPublicShareTemplateFactory $publicShareTemplateFactory,
+    ) {
+        parent::__construct($appName, $request, $session, $urlGenerator);
+    }
+
+    /**
+     * Show the authentication page
+     * The form has to submit to the authenticate method route
+     */
+    #[PublicPage]
+    #[NoCSRFRequired]
+    public function showAuthenticate(): TemplateResponse {
+        $templateParameters = ['share' => $this->share];
+
+        $this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));
+
+        $response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+        if ($this->share->getSendPasswordByTalk()) {
+            $csp = new ContentSecurityPolicy();
+            $csp->addAllowedConnectDomain('*');
+            $csp->addAllowedMediaDomain('blob:');
+            $response->setContentSecurityPolicy($csp);
+        }
+
+        return $response;
+    }
+
+    /**
+     * The template to show when authentication failed
+     */
+    protected function showAuthFailed(): TemplateResponse {
+        $templateParameters = ['share' => $this->share, 'wrongpw' => true];
+
+        $this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));
+
+        $response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+        if ($this->share->getSendPasswordByTalk()) {
+            $csp = new ContentSecurityPolicy();
+            $csp->addAllowedConnectDomain('*');
+            $csp->addAllowedMediaDomain('blob:');
+            $response->setContentSecurityPolicy($csp);
+        }
+
+        return $response;
+    }
+
+    /**
+     * The template to show after user identification
+     */
+    protected function showIdentificationResult(bool $success = false): TemplateResponse {
+        $templateParameters = ['share' => $this->share, 'identityOk' => $success];
+
+        $this->eventDispatcher->dispatchTyped(new BeforeTemplateRenderedEvent($this->share, BeforeTemplateRenderedEvent::SCOPE_PUBLIC_SHARE_AUTH));
+
+        $response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+        if ($this->share->getSendPasswordByTalk()) {
+            $csp = new ContentSecurityPolicy();
+            $csp->addAllowedConnectDomain('*');
+            $csp->addAllowedMediaDomain('blob:');
+            $response->setContentSecurityPolicy($csp);
+        }
+
+        return $response;
+    }
+
+    /**
+     * Validate the identity token of a public share
+     *
+     * @param ?string $identityToken
+     * @return bool
+     */
+    protected function validateIdentity(?string $identityToken = null): bool {
+        if ($this->share->getShareType() !== IShare::TYPE_EMAIL) {
+            return false;
+        }
+
+        if ($identityToken === null || $this->share->getSharedWith() === null) {
+            return false;
+        }
+
+        return $identityToken === $this->share->getSharedWith();
+    }
+
+    /**
+     * Generates a password for the share, respecting any password policy defined
+     */
+    protected function generatePassword(): void {
+        $event = new GenerateSecurePasswordEvent(PasswordContext::SHARING);
+        $this->eventDispatcher->dispatchTyped($event);
+        $password = $event->getPassword() ?? $this->secureRandom->generate(20);
+
+        $this->share->setPassword($password);
+        $this->shareManager->updateShare($this->share);
+    }
+
+    protected function verifyPassword(string $password): bool {
+        return $this->shareManager->checkPassword($this->share, $password);
+    }
+
+    protected function getPasswordHash(): ?string {
+        return $this->share->getPassword();
+    }
+
+    public function isValidToken(): bool {
+        try {
+            $this->share = $this->shareManager->getShareByToken($this->getToken());
+        } catch (ShareNotFound $e) {
+            return false;
+        }
+
+        return true;
+    }
+
+    protected function isPasswordProtected(): bool {
+        return $this->share->getPassword() !== null;
+    }
+
+    protected function authSucceeded() {
+        if ($this->share === null) {
+            throw new NotFoundException();
+        }
+
+        // For share this was always set so it is still used in other apps
+        $allowedShareIds = $this->session->get(PublicAuth::DAV_AUTHENTICATED);
+        if (!is_array($allowedShareIds)) {
+            $allowedShareIds = [];
+        }
+
+        $this->session->set(PublicAuth::DAV_AUTHENTICATED, array_merge($allowedShareIds, [$this->share->getId()]));
+    }
+
+    protected function authFailed() {
+        $this->emitAccessShareHook($this->share, 403, 'Wrong password');
+        $this->emitShareAccessEvent($this->share, self::SHARE_AUTH, 403, 'Wrong password');
+    }
+
+    /**
+     * throws hooks when a share is attempted to be accessed
+     *
+     * @param IShare|string $share the Share instance if available,
+     *                             otherwise token
+     * @param int $errorCode
+     * @param string $errorMessage
+     *
+     * @throws HintException
+     * @throws \OC\ServerNotAvailableException
+     *
+     * @deprecated use OCP\Files_Sharing\Event\ShareLinkAccessedEvent
+     */
+    protected function emitAccessShareHook($share, int $errorCode = 200, string $errorMessage = '') {
+        $itemType = $itemSource = $uidOwner = '';
+        $token = $share;
+        $exception = null;
+        if ($share instanceof IShare) {
+            try {
+                $token = $share->getToken();
+                $uidOwner = $share->getSharedBy();
+                $itemType = $share->getNodeType();
+                $itemSource = $share->getNodeId();
+            } catch (\Exception $e) {
+                // we log what we know and pass on the exception afterwards
+                $exception = $e;
+            }
+        }
+
+        \OC_Hook::emit(Share::class, 'share_link_access', [
+            'itemType' => $itemType,
+            'itemSource' => $itemSource,
+            'uidOwner' => $uidOwner,
+            'token' => $token,
+            'errorCode' => $errorCode,
+            'errorMessage' => $errorMessage
+        ]);
+
+        if (!is_null($exception)) {
+            throw $exception;
+        }
+    }
+
+    /**
+     * Emit a ShareLinkAccessedEvent event when a share is accessed, downloaded, auth...
+     */
+    protected function emitShareAccessEvent(IShare $share, string $step = '', int $errorCode = 200, string $errorMessage = ''): void {
+        if ($step !== self::SHARE_ACCESS
+            && $step !== self::SHARE_AUTH
+            && $step !== self::SHARE_DOWNLOAD) {
+            return;
+        }
+        $this->eventDispatcher->dispatchTyped(new ShareLinkAccessedEvent($share, $step, $errorCode, $errorMessage));
+    }
+
+    /**
+     * Validate the permissions of the share
+     *
+     * @param Share\IShare $share
+     * @return bool
+     */
+    private function validateShare(IShare $share) {
+        // If the owner is disabled no access to the link is granted
+        $owner = $this->userManager->get($share->getShareOwner());
+        if ($owner === null || !$owner->isEnabled()) {
+            return false;
+        }
+
+        // If the initiator of the share is disabled no access is granted
+        $initiator = $this->userManager->get($share->getSharedBy());
+        if ($initiator === null || !$initiator->isEnabled()) {
+            return false;
+        }
+
+        return $share->getNode()->isReadable() && $share->getNode()->isShareable();
+    }
+
+    /**
+     * @param string $path
+     * @return TemplateResponse
+     * @throws NotFoundException
+     * @throws \Exception
+     */
+    #[PublicPage]
+    #[NoCSRFRequired]
+    public function showShare($path = ''): TemplateResponse {
+        \OC_User::setIncognitoMode(true);
+
+        // Check whether share exists
+        try {
+            $share = $this->shareManager->getShareByToken($this->getToken());
+        } catch (ShareNotFound $e) {
+            // The share does not exists, we do not emit an ShareLinkAccessedEvent
+            $this->emitAccessShareHook($this->getToken(), 404, 'Share not found');
+            throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
+        }
+
+        if (!$this->validateShare($share)) {
+            throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
+        }
+
+        $shareNode = $share->getNode();
+
+        try {
+            $templateProvider = $this->publicShareTemplateFactory->getProvider($share);
+            $response = $templateProvider->renderPage($share, $this->getToken(), $path);
+        } catch (NotFoundException $e) {
+            $this->emitAccessShareHook($share, 404, 'Share not found');
+            $this->emitShareAccessEvent($share, ShareController::SHARE_ACCESS, 404, 'Share not found');
+            throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
+        }
+
+        // We can't get the path of a file share
+        try {
+            if ($shareNode instanceof File && $path !== '') {
+                $this->emitAccessShareHook($share, 404, 'Share not found');
+                $this->emitShareAccessEvent($share, self::SHARE_ACCESS, 404, 'Share not found');
+                throw new NotFoundException($this->l10n->t('This share does not exist or is no longer available'));
+            }
+        } catch (\Exception $e) {
+            $this->emitAccessShareHook($share, 404, 'Share not found');
+            $this->emitShareAccessEvent($share, self::SHARE_ACCESS, 404, 'Share not found');
+            throw $e;
+        }
+
+
+        $this->emitAccessShareHook($share);
+        $this->emitShareAccessEvent($share, self::SHARE_ACCESS);
+
+        return $response;
+    }
+
+    /**
+     * @NoSameSiteCookieRequired
+     *
+     * @param string $token
+     * @param string|null $files
+     * @param string $path
+     * @return void|Response
+     * @throws NotFoundException
+     * @deprecated 31.0.0 Users are encouraged to use the DAV endpoint
+     */
+    #[PublicPage]
+    #[NoCSRFRequired]
+    public function downloadShare($token, $files = null, $path = '') {
+        \OC_User::setIncognitoMode(true);
+
+        $share = $this->shareManager->getShareByToken($token);
+
+        if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
+            return new DataResponse('Share has no read permission');
+        }
+
+        $attributes = $share->getAttributes();
+        if ($attributes?->getAttribute('permissions', 'download') === false) {
+            return new DataResponse('Share has no download permission');
+        }
+
+        if (!$this->validateShare($share)) {
+            throw new NotFoundException();
+        }
+
+        $node = $share->getNode();
+        if ($node instanceof Folder) {
+            // Directory share
+
+            // Try to get the path
+            if ($path !== '') {
+                try {
+                    $node = $node->get($path);
+                } catch (NotFoundException $e) {
+                    $this->emitAccessShareHook($share, 404, 'Share not found');
+                    $this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD, 404, 'Share not found');
+                    return new NotFoundResponse();
+                }
+            }
+
+            if ($node instanceof Folder) {
+                if ($files === null || $files === '') {
+                    if ($share->getHideDownload()) {
+                        throw new NotFoundException('Downloading a folder');
+                    }
+                }
+            }
+        }
+
+        $this->emitAccessShareHook($share);
+        $this->emitShareAccessEvent($share, self::SHARE_DOWNLOAD);
+
+        $davUrl = '/public.php/dav/files/' . $token . '/?accept=zip';
+        if ($files !== null) {
+            $davUrl .= '&files=' . $files;
+        }
+        return new RedirectResponse($this->urlGenerator->getAbsoluteURL($davUrl));
+    }
 }

tests/lib/AppFramework/Controller/PublicShareControllerTest.php

Indentation +63 added lines, -63 removed lines

@@ -15,70 +15,70 @@
 use PHPUnit\Framework\MockObject\MockObject;
 
 class TestController extends PublicShareController {
-	public function __construct(
-		string $appName,
-		IRequest $request,
-		ISession $session,
-		private string $hash,
-		private bool $isProtected,
-	) {
-		parent::__construct($appName, $request, $session);
-	}
-
-	protected function getPasswordHash(): string {
-		return $this->hash;
-	}
-
-	public function isValidToken(): bool {
-		return false;
-	}
-
-	protected function isPasswordProtected(): bool {
-		return $this->isProtected;
-	}
+    public function __construct(
+        string $appName,
+        IRequest $request,
+        ISession $session,
+        private string $hash,
+        private bool $isProtected,
+    ) {
+        parent::__construct($appName, $request, $session);
+    }
+
+    protected function getPasswordHash(): string {
+        return $this->hash;
+    }
+
+    public function isValidToken(): bool {
+        return false;
+    }
+
+    protected function isPasswordProtected(): bool {
+        return $this->isProtected;
+    }
 }
 
 class PublicShareControllerTest extends \Test\TestCase {
-	private IRequest&MockObject $request;
-	private ISession&MockObject $session;
-
-	protected function setUp(): void {
-		parent::setUp();
-
-		$this->request = $this->createMock(IRequest::class);
-		$this->session = $this->createMock(ISession::class);
-	}
-
-	public function testGetToken(): void {
-		$controller = new TestController('app', $this->request, $this->session, 'hash', false);
-
-		$controller->setToken('test');
-		$this->assertEquals('test', $controller->getToken());
-	}
-
-	public static function dataIsAuthenticated(): array {
-		return [
-			[false, 'token1', 'token1', 'hash1', 'hash1',  true],
-			[false, 'token1', 'token1', 'hash1', 'hash2',  true],
-			[false, 'token1', 'token2', 'hash1', 'hash1',  true],
-			[false, 'token1', 'token2', 'hash1', 'hash2',  true],
-			[ true, 'token1', 'token1', 'hash1', 'hash1',  true],
-			[ true, 'token1', 'token1', 'hash1', 'hash2', false],
-			[ true, 'token1', 'token2', 'hash1', 'hash1', false],
-			[ true, 'token1', 'token2', 'hash1', 'hash2', false],
-		];
-	}
-
-	#[\PHPUnit\Framework\Attributes\DataProvider('dataIsAuthenticated')]
-	public function testIsAuthenticatedNotPasswordProtected(bool $protected, string $token1, string $token2, string $hash1, string $hash2, bool $expected): void {
-		$controller = new TestController('app', $this->request, $this->session, $hash2, $protected);
-
-		$this->session->method('get')
-			->with(PublicShareController::DAV_AUTHENTICATED_FRONTEND)
-			->willReturn("{\"$token1\":\"$hash1\"}");
-
-		$controller->setToken($token2);
-
-		$this->assertEquals($expected, $controller->isAuthenticated());
-	}
+    private IRequest&MockObject $request;
+    private ISession&MockObject $session;
+
+    protected function setUp(): void {
+        parent::setUp();
+
+        $this->request = $this->createMock(IRequest::class);
+        $this->session = $this->createMock(ISession::class);
+    }
+
+    public function testGetToken(): void {
+        $controller = new TestController('app', $this->request, $this->session, 'hash', false);
+
+        $controller->setToken('test');
+        $this->assertEquals('test', $controller->getToken());
+    }
+
+    public static function dataIsAuthenticated(): array {
+        return [
+            [false, 'token1', 'token1', 'hash1', 'hash1',  true],
+            [false, 'token1', 'token1', 'hash1', 'hash2',  true],
+            [false, 'token1', 'token2', 'hash1', 'hash1',  true],
+            [false, 'token1', 'token2', 'hash1', 'hash2',  true],
+            [ true, 'token1', 'token1', 'hash1', 'hash1',  true],
+            [ true, 'token1', 'token1', 'hash1', 'hash2', false],
+            [ true, 'token1', 'token2', 'hash1', 'hash1', false],
+            [ true, 'token1', 'token2', 'hash1', 'hash2', false],
+        ];
+    }
+
+    #[\PHPUnit\Framework\Attributes\DataProvider('dataIsAuthenticated')]
+    public function testIsAuthenticatedNotPasswordProtected(bool $protected, string $token1, string $token2, string $hash1, string $hash2, bool $expected): void {
+        $controller = new TestController('app', $this->request, $this->session, $hash2, $protected);
+
+        $this->session->method('get')
+            ->with(PublicShareController::DAV_AUTHENTICATED_FRONTEND)
+            ->willReturn("{\"$token1\":\"$hash1\"}");
+
+        $controller->setToken($token2);
+
+        $this->assertEquals($expected, $controller->isAuthenticated());
+    }
 }

tests/lib/AppFramework/Controller/AuthPublicShareControllerTest.php

Indentation +116 added lines, -116 removed lines

@@ -18,120 +18,120 @@
 use PHPUnit\Framework\MockObject\MockObject;
 
 class AuthPublicShareControllerTest extends \Test\TestCase {
-	private IRequest&MockObject $request;
-	private ISession&MockObject $session;
-	private IURLGenerator&MockObject $urlGenerator;
-	private AuthPublicShareController&MockObject $controller;
-
-
-	protected function setUp(): void {
-		parent::setUp();
-
-		$this->request = $this->createMock(IRequest::class);
-		$this->session = $this->createMock(ISession::class);
-		$this->urlGenerator = $this->createMock(IURLGenerator::class);
-
-		$this->controller = $this->getMockBuilder(AuthPublicShareController::class)
-			->setConstructorArgs([
-				'app',
-				$this->request,
-				$this->session,
-				$this->urlGenerator
-			])->onlyMethods([
-				'authFailed',
-				'getPasswordHash',
-				'isAuthenticated',
-				'isPasswordProtected',
-				'isValidToken',
-				'showShare',
-				'verifyPassword',
-				'validateIdentity',
-				'generatePassword'
-			])->getMock();
-	}
-
-	public function testShowAuthenticate(): void {
-		$expects = new TemplateResponse('core', 'publicshareauth', [], 'guest');
-
-		$this->assertEquals($expects, $this->controller->showAuthenticate());
-	}
-
-	public function testAuthenticateAuthenticated(): void {
-		$this->controller->method('isAuthenticated')
-			->willReturn(true);
-
-		$this->controller->setToken('myToken');
-
-		$this->session->method('get')
-			->willReturnMap([
-				['public_link_authenticate_redirect', json_encode(['foo' => 'bar'])],
-			]);
-
-		$this->urlGenerator->method('linkToRoute')
-			->willReturn('myLink!');
-
-		$result = $this->controller->authenticate('password');
-		$this->assertInstanceOf(RedirectResponse::class, $result);
-		$this->assertSame('myLink!', $result->getRedirectURL());
-	}
-
-	public function testAuthenticateInvalidPassword(): void {
-		$this->controller->setToken('token');
-		$this->controller->method('isPasswordProtected')
-			->willReturn(true);
-
-		$this->controller->method('verifyPassword')
-			->with('password')
-			->willReturn(false);
-
-		$this->controller->expects($this->once())
-			->method('authFailed');
-
-		$expects = new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
-		$expects->throttle();
-
-		$result = $this->controller->authenticate('password');
-
-		$this->assertEquals($expects, $result);
-	}
-
-	public function testAuthenticateValidPassword(): void {
-		$this->controller->setToken('token');
-		$this->controller->method('isPasswordProtected')
-			->willReturn(true);
-		$this->controller->method('verifyPassword')
-			->with('password')
-			->willReturn(true);
-		$this->controller->method('getPasswordHash')
-			->willReturn('hash');
-
-		$this->session->expects($this->once())
-			->method('regenerateId');
-		$this->session->method('get')
-			->willReturnMap([
-				['public_link_authenticate_redirect', json_encode(['foo' => 'bar'])],
-			]);
-
-		$tokenStored = false;
-		$this->session
-			->method('set')
-			->willReturnCallback(function ($key, $value) use (&$tokenStored) {
-				if ($key === AuthPublicShareController::DAV_AUTHENTICATED_FRONTEND) {
-					$decoded = json_decode($value, true);
-					if (isset($decoded['token']) && $decoded['token'] === 'hash') {
-						$tokenStored = true;
-					}
-					return true;
-				}
-				return false;
-			});
-
-		$this->urlGenerator->method('linkToRoute')
-			->willReturn('myLink!');
-
-		$result = $this->controller->authenticate('password');
-		$this->assertInstanceOf(RedirectResponse::class, $result);
-		$this->assertSame('myLink!', $result->getRedirectURL());
-		$this->assertTrue($tokenStored);
-	}
+    private IRequest&MockObject $request;
+    private ISession&MockObject $session;
+    private IURLGenerator&MockObject $urlGenerator;
+    private AuthPublicShareController&MockObject $controller;
+
+
+    protected function setUp(): void {
+        parent::setUp();
+
+        $this->request = $this->createMock(IRequest::class);
+        $this->session = $this->createMock(ISession::class);
+        $this->urlGenerator = $this->createMock(IURLGenerator::class);
+
+        $this->controller = $this->getMockBuilder(AuthPublicShareController::class)
+            ->setConstructorArgs([
+                'app',
+                $this->request,
+                $this->session,
+                $this->urlGenerator
+            ])->onlyMethods([
+                'authFailed',
+                'getPasswordHash',
+                'isAuthenticated',
+                'isPasswordProtected',
+                'isValidToken',
+                'showShare',
+                'verifyPassword',
+                'validateIdentity',
+                'generatePassword'
+            ])->getMock();
+    }
+
+    public function testShowAuthenticate(): void {
+        $expects = new TemplateResponse('core', 'publicshareauth', [], 'guest');
+
+        $this->assertEquals($expects, $this->controller->showAuthenticate());
+    }
+
+    public function testAuthenticateAuthenticated(): void {
+        $this->controller->method('isAuthenticated')
+            ->willReturn(true);
+
+        $this->controller->setToken('myToken');
+
+        $this->session->method('get')
+            ->willReturnMap([
+                ['public_link_authenticate_redirect', json_encode(['foo' => 'bar'])],
+            ]);
+
+        $this->urlGenerator->method('linkToRoute')
+            ->willReturn('myLink!');
+
+        $result = $this->controller->authenticate('password');
+        $this->assertInstanceOf(RedirectResponse::class, $result);
+        $this->assertSame('myLink!', $result->getRedirectURL());
+    }
+
+    public function testAuthenticateInvalidPassword(): void {
+        $this->controller->setToken('token');
+        $this->controller->method('isPasswordProtected')
+            ->willReturn(true);
+
+        $this->controller->method('verifyPassword')
+            ->with('password')
+            ->willReturn(false);
+
+        $this->controller->expects($this->once())
+            ->method('authFailed');
+
+        $expects = new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
+        $expects->throttle();
+
+        $result = $this->controller->authenticate('password');
+
+        $this->assertEquals($expects, $result);
+    }
+
+    public function testAuthenticateValidPassword(): void {
+        $this->controller->setToken('token');
+        $this->controller->method('isPasswordProtected')
+            ->willReturn(true);
+        $this->controller->method('verifyPassword')
+            ->with('password')
+            ->willReturn(true);
+        $this->controller->method('getPasswordHash')
+            ->willReturn('hash');
+
+        $this->session->expects($this->once())
+            ->method('regenerateId');
+        $this->session->method('get')
+            ->willReturnMap([
+                ['public_link_authenticate_redirect', json_encode(['foo' => 'bar'])],
+            ]);
+
+        $tokenStored = false;
+        $this->session
+            ->method('set')
+            ->willReturnCallback(function ($key, $value) use (&$tokenStored) {
+                if ($key === AuthPublicShareController::DAV_AUTHENTICATED_FRONTEND) {
+                    $decoded = json_decode($value, true);
+                    if (isset($decoded['token']) && $decoded['token'] === 'hash') {
+                        $tokenStored = true;
+                    }
+                    return true;
+                }
+                return false;
+            });
+
+        $this->urlGenerator->method('linkToRoute')
+            ->willReturn('myLink!');
+
+        $result = $this->controller->authenticate('password');
+        $this->assertInstanceOf(RedirectResponse::class, $result);
+        $this->assertSame('myLink!', $result->getRedirectURL());
+        $this->assertTrue($tokenStored);
+    }
 }

Spacing +1 added lines, -1 removed lines

@@ -115,7 +115,7 @@
 		$tokenStored = false;
 		$this->session
 			->method('set')
-			->willReturnCallback(function ($key, $value) use (&$tokenStored) {
+			->willReturnCallback(function($key, $value) use (&$tokenStored) {
 				if ($key === AuthPublicShareController::DAV_AUTHENTICATED_FRONTEND) {
 					$decoded = json_decode($value, true);
 					if (isset($decoded['token']) && $decoded['token'] === 'hash') {