nextcloud / server

core/Controller/LoginController.php

Indentation +327 added lines, -327 removed lines

@@ -61,331 +61,331 @@
 use OCP\Util;
 
 class LoginController extends Controller {
-	public const LOGIN_MSG_INVALIDPASSWORD = 'invalidpassword';
-	public const LOGIN_MSG_USERDISABLED = 'userdisabled';
-
-	private IUserManager $userManager;
-	private IConfig $config;
-	private ISession $session;
-	/** @var IUserSession|Session */
-	private $userSession;
-	private IURLGenerator $urlGenerator;
-	private Defaults $defaults;
-	private Throttler $throttler;
-	private IInitialStateService $initialStateService;
-	private WebAuthnManager $webAuthnManager;
-	private IManager $manager;
-	private IL10N $l10n;
-
-	public function __construct(?string $appName,
-								IRequest $request,
-								IUserManager $userManager,
-								IConfig $config,
-								ISession $session,
-								IUserSession $userSession,
-								IURLGenerator $urlGenerator,
-								Defaults $defaults,
-								Throttler $throttler,
-								IInitialStateService $initialStateService,
-								WebAuthnManager $webAuthnManager,
-								IManager $manager,
-								IL10N $l10n) {
-		parent::__construct($appName, $request);
-		$this->userManager = $userManager;
-		$this->config = $config;
-		$this->session = $session;
-		$this->userSession = $userSession;
-		$this->urlGenerator = $urlGenerator;
-		$this->defaults = $defaults;
-		$this->throttler = $throttler;
-		$this->initialStateService = $initialStateService;
-		$this->webAuthnManager = $webAuthnManager;
-		$this->manager = $manager;
-		$this->l10n = $l10n;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @return RedirectResponse
-	 */
-	#[UseSession]
-	public function logout() {
-		$loginToken = $this->request->getCookie('nc_token');
-		if (!is_null($loginToken)) {
-			$this->config->deleteUserValue($this->userSession->getUser()->getUID(), 'login_token', $loginToken);
-		}
-		$this->userSession->logout();
-
-		$response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
-			'core.login.showLoginForm',
-			['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
-		));
-
-		$this->session->set('clearingExecutionContexts', '1');
-		$this->session->close();
-
-		if (!$this->request->isUserAgent([Request::USER_AGENT_CHROME, Request::USER_AGENT_ANDROID_MOBILE_CHROME])) {
-			$response->addHeader('Clear-Site-Data', '"cache", "storage"');
-		}
-
-		return $response;
-	}
-
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 *
-	 * @param string $user
-	 * @param string $redirect_url
-	 *
-	 * @return TemplateResponse|RedirectResponse
-	 */
-	#[UseSession]
-	public function showLoginForm(string $user = null, string $redirect_url = null): Http\Response {
-		if ($this->userSession->isLoggedIn()) {
-			return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
-		}
-
-		$loginMessages = $this->session->get('loginMessages');
-		if (!$this->manager->isFairUseOfFreePushService()) {
-			if (!is_array($loginMessages)) {
-				$loginMessages = [[], []];
-			}
-			$loginMessages[1][] = $this->l10n->t('This community release of Nextcloud is unsupported and push notifications are limited.');
-		}
-		if (is_array($loginMessages)) {
-			[$errors, $messages] = $loginMessages;
-			$this->initialStateService->provideInitialState('core', 'loginMessages', $messages);
-			$this->initialStateService->provideInitialState('core', 'loginErrors', $errors);
-		}
-		$this->session->remove('loginMessages');
-
-		if ($user !== null && $user !== '') {
-			$this->initialStateService->provideInitialState('core', 'loginUsername', $user);
-		} else {
-			$this->initialStateService->provideInitialState('core', 'loginUsername', '');
-		}
-
-		$this->initialStateService->provideInitialState(
-			'core',
-			'loginAutocomplete',
-			$this->config->getSystemValue('login_form_autocomplete', true) === true
-		);
-
-		if (!empty($redirect_url)) {
-			[$url, ] = explode('?', $redirect_url);
-			if ($url !== $this->urlGenerator->linkToRoute('core.login.logout')) {
-				$this->initialStateService->provideInitialState('core', 'loginRedirectUrl', $redirect_url);
-			}
-		}
-
-		$this->initialStateService->provideInitialState(
-			'core',
-			'loginThrottleDelay',
-			$this->throttler->getDelay($this->request->getRemoteAddress())
-		);
-
-		$this->setPasswordResetInitialState($user);
-
-		$this->initialStateService->provideInitialState('core', 'webauthn-available', $this->webAuthnManager->isWebAuthnAvailable());
-
-		$this->initialStateService->provideInitialState('core', 'hideLoginForm', $this->config->getSystemValueBool('hide_login_form', false));
-
-		// OpenGraph Support: http://ogp.me/
-		Util::addHeader('meta', ['property' => 'og:title', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
-		Util::addHeader('meta', ['property' => 'og:description', 'content' => Util::sanitizeHTML($this->defaults->getSlogan())]);
-		Util::addHeader('meta', ['property' => 'og:site_name', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
-		Util::addHeader('meta', ['property' => 'og:url', 'content' => $this->urlGenerator->getAbsoluteURL('/')]);
-		Util::addHeader('meta', ['property' => 'og:type', 'content' => 'website']);
-		Util::addHeader('meta', ['property' => 'og:image', 'content' => $this->urlGenerator->getAbsoluteURL($this->urlGenerator->imagePath('core', 'favicon-touch.png'))]);
-
-		$parameters = [
-			'alt_login' => OC_App::getAlternativeLogIns(),
-			'pageTitle' => $this->l10n->t('Login'),
-		];
-
-		$this->initialStateService->provideInitialState('core', 'countAlternativeLogins', count($parameters['alt_login']));
-		$this->initialStateService->provideInitialState('core', 'alternativeLogins', $parameters['alt_login']);
-
-		return new TemplateResponse(
-			$this->appName,
-			'login',
-			$parameters,
-			TemplateResponse::RENDER_AS_GUEST,
-		);
-	}
-
-	/**
-	 * Sets the password reset state
-	 *
-	 * @param string $username
-	 */
-	private function setPasswordResetInitialState(?string $username): void {
-		if ($username !== null && $username !== '') {
-			$user = $this->userManager->get($username);
-		} else {
-			$user = null;
-		}
-
-		$passwordLink = $this->config->getSystemValueString('lost_password_link', '');
-
-		$this->initialStateService->provideInitialState(
-			'core',
-			'loginResetPasswordLink',
-			$passwordLink
-		);
-
-		$this->initialStateService->provideInitialState(
-			'core',
-			'loginCanResetPassword',
-			$this->canResetPassword($passwordLink, $user)
-		);
-	}
-
-	/**
-	 * @param string|null $passwordLink
-	 * @param IUser|null $user
-	 *
-	 * Users may not change their passwords if:
-	 * - The account is disabled
-	 * - The backend doesn't support password resets
-	 * - The password reset function is disabled
-	 *
-	 * @return bool
-	 */
-	private function canResetPassword(?string $passwordLink, ?IUser $user): bool {
-		if ($passwordLink === 'disabled') {
-			return false;
-		}
-
-		if (!$passwordLink && $user !== null) {
-			return $user->canChangePassword();
-		}
-
-		if ($user !== null && $user->isEnabled() === false) {
-			return false;
-		}
-
-		return true;
-	}
-
-	private function generateRedirect(?string $redirectUrl): RedirectResponse {
-		if ($redirectUrl !== null && $this->userSession->isLoggedIn()) {
-			$location = $this->urlGenerator->getAbsoluteURL($redirectUrl);
-			// Deny the redirect if the URL contains a @
-			// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
-			if (strpos($location, '@') === false) {
-				return new RedirectResponse($location);
-			}
-		}
-		return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
-	}
-
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 * @BruteForceProtection(action=login)
-	 *
-	 * @return RedirectResponse
-	 */
-	#[UseSession]
-	public function tryLogin(Chain $loginChain,
-							 string $user,
-							 string $password,
-							 string $redirect_url = null,
-							 string $timezone = '',
-							 string $timezone_offset = ''): RedirectResponse {
-		if (!$this->request->passesCSRFCheck()) {
-			if ($this->userSession->isLoggedIn()) {
-				// If the user is already logged in and the CSRF check does not pass then
-				// simply redirect the user to the correct page as required. This is the
-				// case when a user has already logged-in, in another tab.
-				return $this->generateRedirect($redirect_url);
-			}
-
-			// Clear any auth remnants like cookies to ensure a clean login
-			// For the next attempt
-			$this->userSession->logout();
-			return $this->createLoginFailedResponse(
-				$user,
-				$user,
-				$redirect_url,
-				$this->l10n->t('Please try again')
-			);
-		}
-
-		$data = new LoginData(
-			$this->request,
-			trim($user),
-			$password,
-			$redirect_url,
-			$timezone,
-			$timezone_offset
-		);
-		$result = $loginChain->process($data);
-		if (!$result->isSuccess()) {
-			return $this->createLoginFailedResponse(
-				$data->getUsername(),
-				$user,
-				$redirect_url,
-				$result->getErrorMessage()
-			);
-		}
-
-		if ($result->getRedirectUrl() !== null) {
-			return new RedirectResponse($result->getRedirectUrl());
-		}
-		return $this->generateRedirect($redirect_url);
-	}
-
-	/**
-	 * Creates a login failed response.
-	 *
-	 * @param string $user
-	 * @param string $originalUser
-	 * @param string $redirect_url
-	 * @param string $loginMessage
-	 *
-	 * @return RedirectResponse
-	 */
-	private function createLoginFailedResponse(
-		$user, $originalUser, $redirect_url, string $loginMessage) {
-		// Read current user and append if possible we need to
-		// return the unmodified user otherwise we will leak the login name
-		$args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
-		if ($redirect_url !== null) {
-			$args['redirect_url'] = $redirect_url;
-		}
-		$response = new RedirectResponse(
-			$this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
-		);
-		$response->throttle(['user' => substr($user, 0, 64)]);
-		$this->session->set('loginMessages', [
-			[$loginMessage], []
-		]);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @BruteForceProtection(action=sudo)
-	 *
-	 * @license GNU AGPL version 3 or any later version
-	 *
-	 */
-	#[UseSession]
-	public function confirmPassword(string $password): DataResponse {
-		$loginName = $this->userSession->getLoginName();
-		$loginResult = $this->userManager->checkPassword($loginName, $password);
-		if ($loginResult === false) {
-			$response = new DataResponse([], Http::STATUS_FORBIDDEN);
-			$response->throttle();
-			return $response;
-		}
-
-		$confirmTimestamp = time();
-		$this->session->set('last-password-confirm', $confirmTimestamp);
-		return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);
-	}
+    public const LOGIN_MSG_INVALIDPASSWORD = 'invalidpassword';
+    public const LOGIN_MSG_USERDISABLED = 'userdisabled';
+
+    private IUserManager $userManager;
+    private IConfig $config;
+    private ISession $session;
+    /** @var IUserSession|Session */
+    private $userSession;
+    private IURLGenerator $urlGenerator;
+    private Defaults $defaults;
+    private Throttler $throttler;
+    private IInitialStateService $initialStateService;
+    private WebAuthnManager $webAuthnManager;
+    private IManager $manager;
+    private IL10N $l10n;
+
+    public function __construct(?string $appName,
+                                IRequest $request,
+                                IUserManager $userManager,
+                                IConfig $config,
+                                ISession $session,
+                                IUserSession $userSession,
+                                IURLGenerator $urlGenerator,
+                                Defaults $defaults,
+                                Throttler $throttler,
+                                IInitialStateService $initialStateService,
+                                WebAuthnManager $webAuthnManager,
+                                IManager $manager,
+                                IL10N $l10n) {
+        parent::__construct($appName, $request);
+        $this->userManager = $userManager;
+        $this->config = $config;
+        $this->session = $session;
+        $this->userSession = $userSession;
+        $this->urlGenerator = $urlGenerator;
+        $this->defaults = $defaults;
+        $this->throttler = $throttler;
+        $this->initialStateService = $initialStateService;
+        $this->webAuthnManager = $webAuthnManager;
+        $this->manager = $manager;
+        $this->l10n = $l10n;
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @return RedirectResponse
+     */
+    #[UseSession]
+    public function logout() {
+        $loginToken = $this->request->getCookie('nc_token');
+        if (!is_null($loginToken)) {
+            $this->config->deleteUserValue($this->userSession->getUser()->getUID(), 'login_token', $loginToken);
+        }
+        $this->userSession->logout();
+
+        $response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
+            'core.login.showLoginForm',
+            ['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
+        ));
+
+        $this->session->set('clearingExecutionContexts', '1');
+        $this->session->close();
+
+        if (!$this->request->isUserAgent([Request::USER_AGENT_CHROME, Request::USER_AGENT_ANDROID_MOBILE_CHROME])) {
+            $response->addHeader('Clear-Site-Data', '"cache", "storage"');
+        }
+
+        return $response;
+    }
+
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     *
+     * @param string $user
+     * @param string $redirect_url
+     *
+     * @return TemplateResponse|RedirectResponse
+     */
+    #[UseSession]
+    public function showLoginForm(string $user = null, string $redirect_url = null): Http\Response {
+        if ($this->userSession->isLoggedIn()) {
+            return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
+        }
+
+        $loginMessages = $this->session->get('loginMessages');
+        if (!$this->manager->isFairUseOfFreePushService()) {
+            if (!is_array($loginMessages)) {
+                $loginMessages = [[], []];
+            }
+            $loginMessages[1][] = $this->l10n->t('This community release of Nextcloud is unsupported and push notifications are limited.');
+        }
+        if (is_array($loginMessages)) {
+            [$errors, $messages] = $loginMessages;
+            $this->initialStateService->provideInitialState('core', 'loginMessages', $messages);
+            $this->initialStateService->provideInitialState('core', 'loginErrors', $errors);
+        }
+        $this->session->remove('loginMessages');
+
+        if ($user !== null && $user !== '') {
+            $this->initialStateService->provideInitialState('core', 'loginUsername', $user);
+        } else {
+            $this->initialStateService->provideInitialState('core', 'loginUsername', '');
+        }
+
+        $this->initialStateService->provideInitialState(
+            'core',
+            'loginAutocomplete',
+            $this->config->getSystemValue('login_form_autocomplete', true) === true
+        );
+
+        if (!empty($redirect_url)) {
+            [$url, ] = explode('?', $redirect_url);
+            if ($url !== $this->urlGenerator->linkToRoute('core.login.logout')) {
+                $this->initialStateService->provideInitialState('core', 'loginRedirectUrl', $redirect_url);
+            }
+        }
+
+        $this->initialStateService->provideInitialState(
+            'core',
+            'loginThrottleDelay',
+            $this->throttler->getDelay($this->request->getRemoteAddress())
+        );
+
+        $this->setPasswordResetInitialState($user);
+
+        $this->initialStateService->provideInitialState('core', 'webauthn-available', $this->webAuthnManager->isWebAuthnAvailable());
+
+        $this->initialStateService->provideInitialState('core', 'hideLoginForm', $this->config->getSystemValueBool('hide_login_form', false));
+
+        // OpenGraph Support: http://ogp.me/
+        Util::addHeader('meta', ['property' => 'og:title', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
+        Util::addHeader('meta', ['property' => 'og:description', 'content' => Util::sanitizeHTML($this->defaults->getSlogan())]);
+        Util::addHeader('meta', ['property' => 'og:site_name', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
+        Util::addHeader('meta', ['property' => 'og:url', 'content' => $this->urlGenerator->getAbsoluteURL('/')]);
+        Util::addHeader('meta', ['property' => 'og:type', 'content' => 'website']);
+        Util::addHeader('meta', ['property' => 'og:image', 'content' => $this->urlGenerator->getAbsoluteURL($this->urlGenerator->imagePath('core', 'favicon-touch.png'))]);
+
+        $parameters = [
+            'alt_login' => OC_App::getAlternativeLogIns(),
+            'pageTitle' => $this->l10n->t('Login'),
+        ];
+
+        $this->initialStateService->provideInitialState('core', 'countAlternativeLogins', count($parameters['alt_login']));
+        $this->initialStateService->provideInitialState('core', 'alternativeLogins', $parameters['alt_login']);
+
+        return new TemplateResponse(
+            $this->appName,
+            'login',
+            $parameters,
+            TemplateResponse::RENDER_AS_GUEST,
+        );
+    }
+
+    /**
+     * Sets the password reset state
+     *
+     * @param string $username
+     */
+    private function setPasswordResetInitialState(?string $username): void {
+        if ($username !== null && $username !== '') {
+            $user = $this->userManager->get($username);
+        } else {
+            $user = null;
+        }
+
+        $passwordLink = $this->config->getSystemValueString('lost_password_link', '');
+
+        $this->initialStateService->provideInitialState(
+            'core',
+            'loginResetPasswordLink',
+            $passwordLink
+        );
+
+        $this->initialStateService->provideInitialState(
+            'core',
+            'loginCanResetPassword',
+            $this->canResetPassword($passwordLink, $user)
+        );
+    }
+
+    /**
+     * @param string|null $passwordLink
+     * @param IUser|null $user
+     *
+     * Users may not change their passwords if:
+     * - The account is disabled
+     * - The backend doesn't support password resets
+     * - The password reset function is disabled
+     *
+     * @return bool
+     */
+    private function canResetPassword(?string $passwordLink, ?IUser $user): bool {
+        if ($passwordLink === 'disabled') {
+            return false;
+        }
+
+        if (!$passwordLink && $user !== null) {
+            return $user->canChangePassword();
+        }
+
+        if ($user !== null && $user->isEnabled() === false) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private function generateRedirect(?string $redirectUrl): RedirectResponse {
+        if ($redirectUrl !== null && $this->userSession->isLoggedIn()) {
+            $location = $this->urlGenerator->getAbsoluteURL($redirectUrl);
+            // Deny the redirect if the URL contains a @
+            // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
+            if (strpos($location, '@') === false) {
+                return new RedirectResponse($location);
+            }
+        }
+        return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
+    }
+
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     * @BruteForceProtection(action=login)
+     *
+     * @return RedirectResponse
+     */
+    #[UseSession]
+    public function tryLogin(Chain $loginChain,
+                                string $user,
+                                string $password,
+                                string $redirect_url = null,
+                                string $timezone = '',
+                                string $timezone_offset = ''): RedirectResponse {
+        if (!$this->request->passesCSRFCheck()) {
+            if ($this->userSession->isLoggedIn()) {
+                // If the user is already logged in and the CSRF check does not pass then
+                // simply redirect the user to the correct page as required. This is the
+                // case when a user has already logged-in, in another tab.
+                return $this->generateRedirect($redirect_url);
+            }
+
+            // Clear any auth remnants like cookies to ensure a clean login
+            // For the next attempt
+            $this->userSession->logout();
+            return $this->createLoginFailedResponse(
+                $user,
+                $user,
+                $redirect_url,
+                $this->l10n->t('Please try again')
+            );
+        }
+
+        $data = new LoginData(
+            $this->request,
+            trim($user),
+            $password,
+            $redirect_url,
+            $timezone,
+            $timezone_offset
+        );
+        $result = $loginChain->process($data);
+        if (!$result->isSuccess()) {
+            return $this->createLoginFailedResponse(
+                $data->getUsername(),
+                $user,
+                $redirect_url,
+                $result->getErrorMessage()
+            );
+        }
+
+        if ($result->getRedirectUrl() !== null) {
+            return new RedirectResponse($result->getRedirectUrl());
+        }
+        return $this->generateRedirect($redirect_url);
+    }
+
+    /**
+     * Creates a login failed response.
+     *
+     * @param string $user
+     * @param string $originalUser
+     * @param string $redirect_url
+     * @param string $loginMessage
+     *
+     * @return RedirectResponse
+     */
+    private function createLoginFailedResponse(
+        $user, $originalUser, $redirect_url, string $loginMessage) {
+        // Read current user and append if possible we need to
+        // return the unmodified user otherwise we will leak the login name
+        $args = $user !== null ? ['user' => $originalUser, 'direct' => 1] : [];
+        if ($redirect_url !== null) {
+            $args['redirect_url'] = $redirect_url;
+        }
+        $response = new RedirectResponse(
+            $this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)
+        );
+        $response->throttle(['user' => substr($user, 0, 64)]);
+        $this->session->set('loginMessages', [
+            [$loginMessage], []
+        ]);
+        return $response;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @BruteForceProtection(action=sudo)
+     *
+     * @license GNU AGPL version 3 or any later version
+     *
+     */
+    #[UseSession]
+    public function confirmPassword(string $password): DataResponse {
+        $loginName = $this->userSession->getLoginName();
+        $loginResult = $this->userManager->checkPassword($loginName, $password);
+        if ($loginResult === false) {
+            $response = new DataResponse([], Http::STATUS_FORBIDDEN);
+            $response->throttle();
+            return $response;
+        }
+
+        $confirmTimestamp = time();
+        $this->session->set('last-password-confirm', $confirmTimestamp);
+        return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);
+    }
 }

core/Controller/WebAuthnController.php

Indentation +73 added lines, -73 removed lines

@@ -42,77 +42,77 @@
 use Webauthn\PublicKeyCredentialRequestOptions;
 
 class WebAuthnController extends Controller {
-	private const WEBAUTHN_LOGIN = 'webauthn_login';
-	private const WEBAUTHN_LOGIN_UID = 'webauthn_login_uid';
-
-	private Manager $webAuthnManger;
-	private ISession $session;
-	private LoggerInterface $logger;
-	private WebAuthnChain $webAuthnChain;
-	private UrlGenerator $urlGenerator;
-
-	public function __construct($appName, IRequest $request, Manager $webAuthnManger, ISession $session, LoggerInterface $logger, WebAuthnChain $webAuthnChain, URLGenerator $urlGenerator) {
-		parent::__construct($appName, $request);
-
-		$this->webAuthnManger = $webAuthnManger;
-		$this->session = $session;
-		$this->logger = $logger;
-		$this->webAuthnChain = $webAuthnChain;
-		$this->urlGenerator = $urlGenerator;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @PublicPage
-	 */
-	#[UseSession]
-	public function startAuthentication(string $loginName): JSONResponse {
-		$this->logger->debug('Starting WebAuthn login');
-
-		$this->logger->debug('Converting login name to UID');
-		$uid = $loginName;
-		Util::emitHook(
-			'\OCA\Files_Sharing\API\Server2Server',
-			'preLoginNameUsedAsUserName',
-			['uid' => &$uid]
-		);
-		$this->logger->debug('Got UID: ' . $uid);
-
-		$publicKeyCredentialRequestOptions = $this->webAuthnManger->startAuthentication($uid, $this->request->getServerHost());
-		$this->session->set(self::WEBAUTHN_LOGIN, json_encode($publicKeyCredentialRequestOptions));
-		$this->session->set(self::WEBAUTHN_LOGIN_UID, $uid);
-
-		return new JSONResponse($publicKeyCredentialRequestOptions);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @PublicPage
-	 */
-	#[UseSession]
-	public function finishAuthentication(string $data): JSONResponse {
-		$this->logger->debug('Validating WebAuthn login');
-
-		if (!$this->session->exists(self::WEBAUTHN_LOGIN) || !$this->session->exists(self::WEBAUTHN_LOGIN_UID)) {
-			$this->logger->debug('Trying to finish WebAuthn login without session data');
-			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
-		}
-
-		// Obtain the publicKeyCredentialOptions from when we started the registration
-		$publicKeyCredentialRequestOptions = PublicKeyCredentialRequestOptions::createFromString($this->session->get(self::WEBAUTHN_LOGIN));
-		$uid = $this->session->get(self::WEBAUTHN_LOGIN_UID);
-		$this->webAuthnManger->finishAuthentication($publicKeyCredentialRequestOptions, $data, $uid);
-
-		//TODO: add other parameters
-		$loginData = new LoginData(
-			$this->request,
-			$uid,
-			''
-		);
-		$this->webAuthnChain->process($loginData);
-
-		return new JSONResponse([
-			'defaultRedirectUrl' => $this->urlGenerator->linkToDefaultPageUrl(),
-		]);
-	}
+    private const WEBAUTHN_LOGIN = 'webauthn_login';
+    private const WEBAUTHN_LOGIN_UID = 'webauthn_login_uid';
+
+    private Manager $webAuthnManger;
+    private ISession $session;
+    private LoggerInterface $logger;
+    private WebAuthnChain $webAuthnChain;
+    private UrlGenerator $urlGenerator;
+
+    public function __construct($appName, IRequest $request, Manager $webAuthnManger, ISession $session, LoggerInterface $logger, WebAuthnChain $webAuthnChain, URLGenerator $urlGenerator) {
+        parent::__construct($appName, $request);
+
+        $this->webAuthnManger = $webAuthnManger;
+        $this->session = $session;
+        $this->logger = $logger;
+        $this->webAuthnChain = $webAuthnChain;
+        $this->urlGenerator = $urlGenerator;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @PublicPage
+     */
+    #[UseSession]
+    public function startAuthentication(string $loginName): JSONResponse {
+        $this->logger->debug('Starting WebAuthn login');
+
+        $this->logger->debug('Converting login name to UID');
+        $uid = $loginName;
+        Util::emitHook(
+            '\OCA\Files_Sharing\API\Server2Server',
+            'preLoginNameUsedAsUserName',
+            ['uid' => &$uid]
+        );
+        $this->logger->debug('Got UID: ' . $uid);
+
+        $publicKeyCredentialRequestOptions = $this->webAuthnManger->startAuthentication($uid, $this->request->getServerHost());
+        $this->session->set(self::WEBAUTHN_LOGIN, json_encode($publicKeyCredentialRequestOptions));
+        $this->session->set(self::WEBAUTHN_LOGIN_UID, $uid);
+
+        return new JSONResponse($publicKeyCredentialRequestOptions);
+    }
+
+    /**
+     * @NoAdminRequired
+     * @PublicPage
+     */
+    #[UseSession]
+    public function finishAuthentication(string $data): JSONResponse {
+        $this->logger->debug('Validating WebAuthn login');
+
+        if (!$this->session->exists(self::WEBAUTHN_LOGIN) || !$this->session->exists(self::WEBAUTHN_LOGIN_UID)) {
+            $this->logger->debug('Trying to finish WebAuthn login without session data');
+            return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+        }
+
+        // Obtain the publicKeyCredentialOptions from when we started the registration
+        $publicKeyCredentialRequestOptions = PublicKeyCredentialRequestOptions::createFromString($this->session->get(self::WEBAUTHN_LOGIN));
+        $uid = $this->session->get(self::WEBAUTHN_LOGIN_UID);
+        $this->webAuthnManger->finishAuthentication($publicKeyCredentialRequestOptions, $data, $uid);
+
+        //TODO: add other parameters
+        $loginData = new LoginData(
+            $this->request,
+            $uid,
+            ''
+        );
+        $this->webAuthnChain->process($loginData);
+
+        return new JSONResponse([
+            'defaultRedirectUrl' => $this->urlGenerator->linkToDefaultPageUrl(),
+        ]);
+    }
 }

core/Controller/ClientFlowLoginController.php

Indentation +329 added lines, -329 removed lines

@@ -57,333 +57,333 @@
 use OCP\Session\Exceptions\SessionNotAvailableException;
 
 class ClientFlowLoginController extends Controller {
-	private IUserSession $userSession;
-	private IL10N $l10n;
-	private Defaults $defaults;
-	private ISession $session;
-	private IProvider $tokenProvider;
-	private ISecureRandom $random;
-	private IURLGenerator $urlGenerator;
-	private ClientMapper $clientMapper;
-	private AccessTokenMapper $accessTokenMapper;
-	private ICrypto $crypto;
-	private IEventDispatcher $eventDispatcher;
-
-	public const STATE_NAME = 'client.flow.state.token';
-
-	public function __construct(string $appName,
-								IRequest $request,
-								IUserSession $userSession,
-								IL10N $l10n,
-								Defaults $defaults,
-								ISession $session,
-								IProvider $tokenProvider,
-								ISecureRandom $random,
-								IURLGenerator $urlGenerator,
-								ClientMapper $clientMapper,
-								AccessTokenMapper $accessTokenMapper,
-								ICrypto $crypto,
-								IEventDispatcher $eventDispatcher) {
-		parent::__construct($appName, $request);
-		$this->userSession = $userSession;
-		$this->l10n = $l10n;
-		$this->defaults = $defaults;
-		$this->session = $session;
-		$this->tokenProvider = $tokenProvider;
-		$this->random = $random;
-		$this->urlGenerator = $urlGenerator;
-		$this->clientMapper = $clientMapper;
-		$this->accessTokenMapper = $accessTokenMapper;
-		$this->crypto = $crypto;
-		$this->eventDispatcher = $eventDispatcher;
-	}
-
-	private function getClientName(): string {
-		$userAgent = $this->request->getHeader('USER_AGENT');
-		return $userAgent !== '' ? $userAgent : 'unknown';
-	}
-
-	private function isValidToken(string $stateToken): bool {
-		$currentToken = $this->session->get(self::STATE_NAME);
-		if (!is_string($currentToken)) {
-			return false;
-		}
-		return hash_equals($currentToken, $stateToken);
-	}
-
-	private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'403',
-			[
-				'message' => $this->l10n->t('State token does not match'),
-			],
-			'guest'
-		);
-		$response->setStatus(Http::STATUS_FORBIDDEN);
-		return $response;
-	}
-
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 */
-	#[UseSession]
-	public function showAuthPickerPage(string $clientIdentifier = '', string $user = '', int $direct = 0): StandaloneTemplateResponse {
-		$clientName = $this->getClientName();
-		$client = null;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		// No valid clientIdentifier given and no valid API Request (APIRequest header not set)
-		$clientRequest = $this->request->getHeader('OCS-APIREQUEST');
-		if ($clientRequest !== 'true' && $client === null) {
-			return new StandaloneTemplateResponse(
-				$this->appName,
-				'error',
-				[
-					'errors' =>
-					[
-						[
-							'error' => 'Access Forbidden',
-							'hint' => 'Invalid request',
-						],
-					],
-				],
-				'guest'
-			);
-		}
-
-		$stateToken = $this->random->generate(
-			64,
-			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-		);
-		$this->session->set(self::STATE_NAME, $stateToken);
-
-		$csp = new Http\ContentSecurityPolicy();
-		if ($client) {
-			$csp->addAllowedFormActionDomain($client->getRedirectUri());
-		} else {
-			$csp->addAllowedFormActionDomain('nc://*');
-		}
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflow/authpicker',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-				'user' => $user,
-				'direct' => $direct,
-			],
-			'guest'
-		);
-
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @NoSameSiteCookieRequired
-	 */
-	#[UseSession]
-	public function grantPage(string $stateToken = '',
-				  string $clientIdentifier = '',
-				  int $direct = 0): StandaloneTemplateResponse {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$clientName = $this->getClientName();
-		$client = null;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		$csp = new Http\ContentSecurityPolicy();
-		if ($client) {
-			$csp->addAllowedFormActionDomain($client->getRedirectUri());
-		} else {
-			$csp->addAllowedFormActionDomain('nc://*');
-		}
-
-		/** @var IUser $user */
-		$user = $this->userSession->getUser();
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflow/grant',
-			[
-				'userId' => $user->getUID(),
-				'userDisplayName' => $user->getDisplayName(),
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-				'oauthState' => $this->session->get('oauth.state'),
-				'direct' => $direct,
-			],
-			'guest'
-		);
-
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @return Http\RedirectResponse|Response
-	 */
-	#[UseSession]
-	public function generateAppPassword(string $stateToken,
-										string $clientIdentifier = '') {
-		if (!$this->isValidToken($stateToken)) {
-			$this->session->remove(self::STATE_NAME);
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		$this->session->remove(self::STATE_NAME);
-
-		try {
-			$sessionId = $this->session->getId();
-		} catch (SessionNotAvailableException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		try {
-			$sessionToken = $this->tokenProvider->getToken($sessionId);
-			$loginName = $sessionToken->getLoginName();
-			try {
-				$password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
-			} catch (PasswordlessTokenException $ex) {
-				$password = null;
-			}
-		} catch (InvalidTokenException $ex) {
-			$response = new Response();
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$clientName = $this->getClientName();
-		$client = false;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		$token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-		$uid = $this->userSession->getUser()->getUID();
-		$generatedToken = $this->tokenProvider->generateToken(
-			$token,
-			$uid,
-			$loginName,
-			$password,
-			$clientName,
-			IToken::PERMANENT_TOKEN,
-			IToken::DO_NOT_REMEMBER
-		);
-
-		if ($client) {
-			$code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
-			$accessToken = new AccessToken();
-			$accessToken->setClientId($client->getId());
-			$accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
-			$accessToken->setHashedCode(hash('sha512', $code));
-			$accessToken->setTokenId($generatedToken->getId());
-			$this->accessTokenMapper->insert($accessToken);
-
-			$redirectUri = $client->getRedirectUri();
-
-			if (parse_url($redirectUri, PHP_URL_QUERY)) {
-				$redirectUri .= '&';
-			} else {
-				$redirectUri .= '?';
-			}
-
-			$redirectUri .= sprintf(
-				'state=%s&code=%s',
-				urlencode($this->session->get('oauth.state')),
-				urlencode($code)
-			);
-			$this->session->remove('oauth.state');
-		} else {
-			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
-
-			// Clear the token from the login here
-			$this->tokenProvider->invalidateToken($sessionId);
-		}
-
-		$this->eventDispatcher->dispatchTyped(
-			new AppPasswordCreatedEvent($generatedToken)
-		);
-
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	/**
-	 * @PublicPage
-	 */
-	public function apptokenRedirect(string $stateToken, string $user, string $password): Response {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		try {
-			$token = $this->tokenProvider->getToken($password);
-			if ($token->getLoginName() !== $user) {
-				throw new InvalidTokenException('login name does not match');
-			}
-		} catch (InvalidTokenException $e) {
-			$response = new StandaloneTemplateResponse(
-				$this->appName,
-				'403',
-				[
-					'message' => $this->l10n->t('Invalid app password'),
-				],
-				'guest'
-			);
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
-		return new Http\RedirectResponse($redirectUri);
-	}
-
-	private function getServerPath(): string {
-		$serverPostfix = '';
-
-		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
-		} elseif (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
-		}
-
-		$protocol = $this->request->getServerProtocol();
-
-		if ($protocol !== "https") {
-			$xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
-			$xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
-			if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
-				$protocol = 'https';
-			}
-		}
-
-		return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
-	}
+    private IUserSession $userSession;
+    private IL10N $l10n;
+    private Defaults $defaults;
+    private ISession $session;
+    private IProvider $tokenProvider;
+    private ISecureRandom $random;
+    private IURLGenerator $urlGenerator;
+    private ClientMapper $clientMapper;
+    private AccessTokenMapper $accessTokenMapper;
+    private ICrypto $crypto;
+    private IEventDispatcher $eventDispatcher;
+
+    public const STATE_NAME = 'client.flow.state.token';
+
+    public function __construct(string $appName,
+                                IRequest $request,
+                                IUserSession $userSession,
+                                IL10N $l10n,
+                                Defaults $defaults,
+                                ISession $session,
+                                IProvider $tokenProvider,
+                                ISecureRandom $random,
+                                IURLGenerator $urlGenerator,
+                                ClientMapper $clientMapper,
+                                AccessTokenMapper $accessTokenMapper,
+                                ICrypto $crypto,
+                                IEventDispatcher $eventDispatcher) {
+        parent::__construct($appName, $request);
+        $this->userSession = $userSession;
+        $this->l10n = $l10n;
+        $this->defaults = $defaults;
+        $this->session = $session;
+        $this->tokenProvider = $tokenProvider;
+        $this->random = $random;
+        $this->urlGenerator = $urlGenerator;
+        $this->clientMapper = $clientMapper;
+        $this->accessTokenMapper = $accessTokenMapper;
+        $this->crypto = $crypto;
+        $this->eventDispatcher = $eventDispatcher;
+    }
+
+    private function getClientName(): string {
+        $userAgent = $this->request->getHeader('USER_AGENT');
+        return $userAgent !== '' ? $userAgent : 'unknown';
+    }
+
+    private function isValidToken(string $stateToken): bool {
+        $currentToken = $this->session->get(self::STATE_NAME);
+        if (!is_string($currentToken)) {
+            return false;
+        }
+        return hash_equals($currentToken, $stateToken);
+    }
+
+    private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            '403',
+            [
+                'message' => $this->l10n->t('State token does not match'),
+            ],
+            'guest'
+        );
+        $response->setStatus(Http::STATUS_FORBIDDEN);
+        return $response;
+    }
+
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     */
+    #[UseSession]
+    public function showAuthPickerPage(string $clientIdentifier = '', string $user = '', int $direct = 0): StandaloneTemplateResponse {
+        $clientName = $this->getClientName();
+        $client = null;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        // No valid clientIdentifier given and no valid API Request (APIRequest header not set)
+        $clientRequest = $this->request->getHeader('OCS-APIREQUEST');
+        if ($clientRequest !== 'true' && $client === null) {
+            return new StandaloneTemplateResponse(
+                $this->appName,
+                'error',
+                [
+                    'errors' =>
+                    [
+                        [
+                            'error' => 'Access Forbidden',
+                            'hint' => 'Invalid request',
+                        ],
+                    ],
+                ],
+                'guest'
+            );
+        }
+
+        $stateToken = $this->random->generate(
+            64,
+            ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+        );
+        $this->session->set(self::STATE_NAME, $stateToken);
+
+        $csp = new Http\ContentSecurityPolicy();
+        if ($client) {
+            $csp->addAllowedFormActionDomain($client->getRedirectUri());
+        } else {
+            $csp->addAllowedFormActionDomain('nc://*');
+        }
+
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflow/authpicker',
+            [
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+                'user' => $user,
+                'direct' => $direct,
+            ],
+            'guest'
+        );
+
+        $response->setContentSecurityPolicy($csp);
+        return $response;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @NoSameSiteCookieRequired
+     */
+    #[UseSession]
+    public function grantPage(string $stateToken = '',
+                    string $clientIdentifier = '',
+                    int $direct = 0): StandaloneTemplateResponse {
+        if (!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $clientName = $this->getClientName();
+        $client = null;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        $csp = new Http\ContentSecurityPolicy();
+        if ($client) {
+            $csp->addAllowedFormActionDomain($client->getRedirectUri());
+        } else {
+            $csp->addAllowedFormActionDomain('nc://*');
+        }
+
+        /** @var IUser $user */
+        $user = $this->userSession->getUser();
+
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflow/grant',
+            [
+                'userId' => $user->getUID(),
+                'userDisplayName' => $user->getDisplayName(),
+                'client' => $clientName,
+                'clientIdentifier' => $clientIdentifier,
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'serverHost' => $this->getServerPath(),
+                'oauthState' => $this->session->get('oauth.state'),
+                'direct' => $direct,
+            ],
+            'guest'
+        );
+
+        $response->setContentSecurityPolicy($csp);
+        return $response;
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @return Http\RedirectResponse|Response
+     */
+    #[UseSession]
+    public function generateAppPassword(string $stateToken,
+                                        string $clientIdentifier = '') {
+        if (!$this->isValidToken($stateToken)) {
+            $this->session->remove(self::STATE_NAME);
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        $this->session->remove(self::STATE_NAME);
+
+        try {
+            $sessionId = $this->session->getId();
+        } catch (SessionNotAvailableException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        try {
+            $sessionToken = $this->tokenProvider->getToken($sessionId);
+            $loginName = $sessionToken->getLoginName();
+            try {
+                $password = $this->tokenProvider->getPassword($sessionToken, $sessionId);
+            } catch (PasswordlessTokenException $ex) {
+                $password = null;
+            }
+        } catch (InvalidTokenException $ex) {
+            $response = new Response();
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $clientName = $this->getClientName();
+        $client = false;
+        if ($clientIdentifier !== '') {
+            $client = $this->clientMapper->getByIdentifier($clientIdentifier);
+            $clientName = $client->getName();
+        }
+
+        $token = $this->random->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+        $uid = $this->userSession->getUser()->getUID();
+        $generatedToken = $this->tokenProvider->generateToken(
+            $token,
+            $uid,
+            $loginName,
+            $password,
+            $clientName,
+            IToken::PERMANENT_TOKEN,
+            IToken::DO_NOT_REMEMBER
+        );
+
+        if ($client) {
+            $code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS);
+            $accessToken = new AccessToken();
+            $accessToken->setClientId($client->getId());
+            $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code));
+            $accessToken->setHashedCode(hash('sha512', $code));
+            $accessToken->setTokenId($generatedToken->getId());
+            $this->accessTokenMapper->insert($accessToken);
+
+            $redirectUri = $client->getRedirectUri();
+
+            if (parse_url($redirectUri, PHP_URL_QUERY)) {
+                $redirectUri .= '&';
+            } else {
+                $redirectUri .= '?';
+            }
+
+            $redirectUri .= sprintf(
+                'state=%s&code=%s',
+                urlencode($this->session->get('oauth.state')),
+                urlencode($code)
+            );
+            $this->session->remove('oauth.state');
+        } else {
+            $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);
+
+            // Clear the token from the login here
+            $this->tokenProvider->invalidateToken($sessionId);
+        }
+
+        $this->eventDispatcher->dispatchTyped(
+            new AppPasswordCreatedEvent($generatedToken)
+        );
+
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    /**
+     * @PublicPage
+     */
+    public function apptokenRedirect(string $stateToken, string $user, string $password): Response {
+        if (!$this->isValidToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        try {
+            $token = $this->tokenProvider->getToken($password);
+            if ($token->getLoginName() !== $user) {
+                throw new InvalidTokenException('login name does not match');
+            }
+        } catch (InvalidTokenException $e) {
+            $response = new StandaloneTemplateResponse(
+                $this->appName,
+                '403',
+                [
+                    'message' => $this->l10n->t('Invalid app password'),
+                ],
+                'guest'
+            );
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
+        return new Http\RedirectResponse($redirectUri);
+    }
+
+    private function getServerPath(): string {
+        $serverPostfix = '';
+
+        if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
+        } elseif (strpos($this->request->getRequestUri(), '/login/flow') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/flow'));
+        }
+
+        $protocol = $this->request->getServerProtocol();
+
+        if ($protocol !== "https") {
+            $xForwardedProto = $this->request->getHeader('X-Forwarded-Proto');
+            $xForwardedSSL = $this->request->getHeader('X-Forwarded-Ssl');
+            if ($xForwardedProto === 'https' || $xForwardedSSL === 'on') {
+                $protocol = 'https';
+            }
+        }
+
+        return $protocol . "://" . $this->request->getServerHost() . $serverPostfix;
+    }
 }

core/Controller/ClientFlowLoginV2Controller.php

Indentation +301 added lines, -301 removed lines

@@ -48,305 +48,305 @@
 use OCP\Security\ISecureRandom;
 
 class ClientFlowLoginV2Controller extends Controller {
-	public const TOKEN_NAME = 'client.flow.v2.login.token';
-	public const STATE_NAME = 'client.flow.v2.state.token';
-
-	private LoginFlowV2Service $loginFlowV2Service;
-	private IURLGenerator $urlGenerator;
-	private IUserSession $userSession;
-	private ISession $session;
-	private ISecureRandom $random;
-	private Defaults $defaults;
-	private ?string $userId;
-	private IL10N $l10n;
-
-	public function __construct(string $appName,
-								IRequest $request,
-								LoginFlowV2Service $loginFlowV2Service,
-								IURLGenerator $urlGenerator,
-								ISession $session,
-								IUserSession $userSession,
-								ISecureRandom $random,
-								Defaults $defaults,
-								?string $userId,
-								IL10N $l10n) {
-		parent::__construct($appName, $request);
-		$this->loginFlowV2Service = $loginFlowV2Service;
-		$this->urlGenerator = $urlGenerator;
-		$this->session = $session;
-		$this->userSession = $userSession;
-		$this->random = $random;
-		$this->defaults = $defaults;
-		$this->userId = $userId;
-		$this->l10n = $l10n;
-	}
-
-	/**
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 */
-	public function poll(string $token): JSONResponse {
-		try {
-			$creds = $this->loginFlowV2Service->poll($token);
-		} catch (LoginFlowV2NotFoundException $e) {
-			return new JSONResponse([], Http::STATUS_NOT_FOUND);
-		}
-
-		return new JSONResponse($creds);
-	}
-
-	/**
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 */
-	#[UseSession]
-	public function landing(string $token, $user = ''): Response {
-		if (!$this->loginFlowV2Service->startLoginFlow($token)) {
-			return $this->loginTokenForbiddenResponse();
-		}
-
-		$this->session->set(self::TOKEN_NAME, $token);
-
-		return new RedirectResponse(
-			$this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.showAuthPickerPage', ['user' => $user])
-		);
-	}
-
-	/**
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 */
-	#[UseSession]
-	public function showAuthPickerPage($user = ''): StandaloneTemplateResponse {
-		try {
-			$flow = $this->getFlowByLoginToken();
-		} catch (LoginFlowV2NotFoundException $e) {
-			return $this->loginTokenForbiddenResponse();
-		}
-
-		$stateToken = $this->random->generate(
-			64,
-			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-		);
-		$this->session->set(self::STATE_NAME, $stateToken);
-
-		return new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflowv2/authpicker',
-			[
-				'client' => $flow->getClientName(),
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'user' => $user,
-			],
-			'guest'
-		);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @NoSameSiteCookieRequired
-	 */
-	#[UseSession]
-	public function grantPage(string $stateToken): StandaloneTemplateResponse {
-		if (!$this->isValidStateToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		try {
-			$flow = $this->getFlowByLoginToken();
-		} catch (LoginFlowV2NotFoundException $e) {
-			return $this->loginTokenForbiddenResponse();
-		}
-
-		/** @var IUser $user */
-		$user = $this->userSession->getUser();
-
-		return new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflowv2/grant',
-			[
-				'userId' => $user->getUID(),
-				'userDisplayName' => $user->getDisplayName(),
-				'client' => $flow->getClientName(),
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-			],
-			'guest'
-		);
-	}
-
-	/**
-	 * @PublicPage
-	 */
-	public function apptokenRedirect(string $stateToken, string $user, string $password) {
-		if (!$this->isValidStateToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		try {
-			$this->getFlowByLoginToken();
-		} catch (LoginFlowV2NotFoundException $e) {
-			return $this->loginTokenForbiddenResponse();
-		}
-
-		$loginToken = $this->session->get(self::TOKEN_NAME);
-
-		// Clear session variables
-		$this->session->remove(self::TOKEN_NAME);
-		$this->session->remove(self::STATE_NAME);
-
-		try {
-			$token = \OC::$server->get(\OC\Authentication\Token\IProvider::class)->getToken($password);
-			if ($token->getLoginName() !== $user) {
-				throw new InvalidTokenException('login name does not match');
-			}
-		} catch (InvalidTokenException $e) {
-			$response = new StandaloneTemplateResponse(
-				$this->appName,
-				'403',
-				[
-					'message' => $this->l10n->t('Invalid app password'),
-				],
-				'guest'
-			);
-			$response->setStatus(Http::STATUS_FORBIDDEN);
-			return $response;
-		}
-
-		$result = $this->loginFlowV2Service->flowDoneWithAppPassword($loginToken, $this->getServerPath(), $token->getLoginName(), $password);
-		return $this->handleFlowDone($result);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 */
-	#[UseSession]
-	public function generateAppPassword(string $stateToken): Response {
-		if (!$this->isValidStateToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		try {
-			$this->getFlowByLoginToken();
-		} catch (LoginFlowV2NotFoundException $e) {
-			return $this->loginTokenForbiddenResponse();
-		}
-
-		$loginToken = $this->session->get(self::TOKEN_NAME);
-
-		// Clear session variables
-		$this->session->remove(self::TOKEN_NAME);
-		$this->session->remove(self::STATE_NAME);
-		$sessionId = $this->session->getId();
-
-		$result = $this->loginFlowV2Service->flowDone($loginToken, $sessionId, $this->getServerPath(), $this->userId);
-		return $this->handleFlowDone($result);
-	}
-
-	private function handleFlowDone(bool $result): StandaloneTemplateResponse {
-		if ($result) {
-			return new StandaloneTemplateResponse(
-				$this->appName,
-				'loginflowv2/done',
-				[],
-				'guest'
-			);
-		}
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'403',
-			[
-				'message' => $this->l10n->t('Could not complete login'),
-			],
-			'guest'
-		);
-		$response->setStatus(Http::STATUS_FORBIDDEN);
-		return $response;
-	}
-
-	/**
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 */
-	public function init(): JSONResponse {
-		// Get client user agent
-		$userAgent = $this->request->getHeader('USER_AGENT');
-
-		$tokens = $this->loginFlowV2Service->createTokens($userAgent);
-
-		$data = [
-			'poll' => [
-				'token' => $tokens->getPollToken(),
-				'endpoint' => $this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.poll')
-			],
-			'login' => $this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.landing', ['token' => $tokens->getLoginToken()]),
-		];
-
-		return new JSONResponse($data);
-	}
-
-	private function isValidStateToken(string $stateToken): bool {
-		$currentToken = $this->session->get(self::STATE_NAME);
-		if (!is_string($stateToken) || !is_string($currentToken)) {
-			return false;
-		}
-		return hash_equals($currentToken, $stateToken);
-	}
-
-	private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'403',
-			[
-				'message' => $this->l10n->t('State token does not match'),
-			],
-			'guest'
-		);
-		$response->setStatus(Http::STATUS_FORBIDDEN);
-		return $response;
-	}
-
-	/**
-	 * @return LoginFlowV2
-	 * @throws LoginFlowV2NotFoundException
-	 */
-	private function getFlowByLoginToken(): LoginFlowV2 {
-		$currentToken = $this->session->get(self::TOKEN_NAME);
-		if (!is_string($currentToken)) {
-			throw new LoginFlowV2NotFoundException('Login token not set in session');
-		}
-
-		return $this->loginFlowV2Service->getByLoginToken($currentToken);
-	}
-
-	private function loginTokenForbiddenResponse(): StandaloneTemplateResponse {
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'403',
-			[
-				'message' => $this->l10n->t('Your login token is invalid or has expired'),
-			],
-			'guest'
-		);
-		$response->setStatus(Http::STATUS_FORBIDDEN);
-		return $response;
-	}
-
-	private function getServerPath(): string {
-		$serverPostfix = '';
-
-		if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
-		} elseif (strpos($this->request->getRequestUri(), '/login/v2') !== false) {
-			$serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/v2'));
-		}
-
-		$protocol = $this->request->getServerProtocol();
-		return $protocol . '://' . $this->request->getServerHost() . $serverPostfix;
-	}
+    public const TOKEN_NAME = 'client.flow.v2.login.token';
+    public const STATE_NAME = 'client.flow.v2.state.token';
+
+    private LoginFlowV2Service $loginFlowV2Service;
+    private IURLGenerator $urlGenerator;
+    private IUserSession $userSession;
+    private ISession $session;
+    private ISecureRandom $random;
+    private Defaults $defaults;
+    private ?string $userId;
+    private IL10N $l10n;
+
+    public function __construct(string $appName,
+                                IRequest $request,
+                                LoginFlowV2Service $loginFlowV2Service,
+                                IURLGenerator $urlGenerator,
+                                ISession $session,
+                                IUserSession $userSession,
+                                ISecureRandom $random,
+                                Defaults $defaults,
+                                ?string $userId,
+                                IL10N $l10n) {
+        parent::__construct($appName, $request);
+        $this->loginFlowV2Service = $loginFlowV2Service;
+        $this->urlGenerator = $urlGenerator;
+        $this->session = $session;
+        $this->userSession = $userSession;
+        $this->random = $random;
+        $this->defaults = $defaults;
+        $this->userId = $userId;
+        $this->l10n = $l10n;
+    }
+
+    /**
+     * @NoCSRFRequired
+     * @PublicPage
+     */
+    public function poll(string $token): JSONResponse {
+        try {
+            $creds = $this->loginFlowV2Service->poll($token);
+        } catch (LoginFlowV2NotFoundException $e) {
+            return new JSONResponse([], Http::STATUS_NOT_FOUND);
+        }
+
+        return new JSONResponse($creds);
+    }
+
+    /**
+     * @NoCSRFRequired
+     * @PublicPage
+     */
+    #[UseSession]
+    public function landing(string $token, $user = ''): Response {
+        if (!$this->loginFlowV2Service->startLoginFlow($token)) {
+            return $this->loginTokenForbiddenResponse();
+        }
+
+        $this->session->set(self::TOKEN_NAME, $token);
+
+        return new RedirectResponse(
+            $this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.showAuthPickerPage', ['user' => $user])
+        );
+    }
+
+    /**
+     * @NoCSRFRequired
+     * @PublicPage
+     */
+    #[UseSession]
+    public function showAuthPickerPage($user = ''): StandaloneTemplateResponse {
+        try {
+            $flow = $this->getFlowByLoginToken();
+        } catch (LoginFlowV2NotFoundException $e) {
+            return $this->loginTokenForbiddenResponse();
+        }
+
+        $stateToken = $this->random->generate(
+            64,
+            ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+        );
+        $this->session->set(self::STATE_NAME, $stateToken);
+
+        return new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflowv2/authpicker',
+            [
+                'client' => $flow->getClientName(),
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+                'user' => $user,
+            ],
+            'guest'
+        );
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @NoSameSiteCookieRequired
+     */
+    #[UseSession]
+    public function grantPage(string $stateToken): StandaloneTemplateResponse {
+        if (!$this->isValidStateToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        try {
+            $flow = $this->getFlowByLoginToken();
+        } catch (LoginFlowV2NotFoundException $e) {
+            return $this->loginTokenForbiddenResponse();
+        }
+
+        /** @var IUser $user */
+        $user = $this->userSession->getUser();
+
+        return new StandaloneTemplateResponse(
+            $this->appName,
+            'loginflowv2/grant',
+            [
+                'userId' => $user->getUID(),
+                'userDisplayName' => $user->getDisplayName(),
+                'client' => $flow->getClientName(),
+                'instanceName' => $this->defaults->getName(),
+                'urlGenerator' => $this->urlGenerator,
+                'stateToken' => $stateToken,
+            ],
+            'guest'
+        );
+    }
+
+    /**
+     * @PublicPage
+     */
+    public function apptokenRedirect(string $stateToken, string $user, string $password) {
+        if (!$this->isValidStateToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        try {
+            $this->getFlowByLoginToken();
+        } catch (LoginFlowV2NotFoundException $e) {
+            return $this->loginTokenForbiddenResponse();
+        }
+
+        $loginToken = $this->session->get(self::TOKEN_NAME);
+
+        // Clear session variables
+        $this->session->remove(self::TOKEN_NAME);
+        $this->session->remove(self::STATE_NAME);
+
+        try {
+            $token = \OC::$server->get(\OC\Authentication\Token\IProvider::class)->getToken($password);
+            if ($token->getLoginName() !== $user) {
+                throw new InvalidTokenException('login name does not match');
+            }
+        } catch (InvalidTokenException $e) {
+            $response = new StandaloneTemplateResponse(
+                $this->appName,
+                '403',
+                [
+                    'message' => $this->l10n->t('Invalid app password'),
+                ],
+                'guest'
+            );
+            $response->setStatus(Http::STATUS_FORBIDDEN);
+            return $response;
+        }
+
+        $result = $this->loginFlowV2Service->flowDoneWithAppPassword($loginToken, $this->getServerPath(), $token->getLoginName(), $password);
+        return $this->handleFlowDone($result);
+    }
+
+    /**
+     * @NoAdminRequired
+     */
+    #[UseSession]
+    public function generateAppPassword(string $stateToken): Response {
+        if (!$this->isValidStateToken($stateToken)) {
+            return $this->stateTokenForbiddenResponse();
+        }
+
+        try {
+            $this->getFlowByLoginToken();
+        } catch (LoginFlowV2NotFoundException $e) {
+            return $this->loginTokenForbiddenResponse();
+        }
+
+        $loginToken = $this->session->get(self::TOKEN_NAME);
+
+        // Clear session variables
+        $this->session->remove(self::TOKEN_NAME);
+        $this->session->remove(self::STATE_NAME);
+        $sessionId = $this->session->getId();
+
+        $result = $this->loginFlowV2Service->flowDone($loginToken, $sessionId, $this->getServerPath(), $this->userId);
+        return $this->handleFlowDone($result);
+    }
+
+    private function handleFlowDone(bool $result): StandaloneTemplateResponse {
+        if ($result) {
+            return new StandaloneTemplateResponse(
+                $this->appName,
+                'loginflowv2/done',
+                [],
+                'guest'
+            );
+        }
+
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            '403',
+            [
+                'message' => $this->l10n->t('Could not complete login'),
+            ],
+            'guest'
+        );
+        $response->setStatus(Http::STATUS_FORBIDDEN);
+        return $response;
+    }
+
+    /**
+     * @NoCSRFRequired
+     * @PublicPage
+     */
+    public function init(): JSONResponse {
+        // Get client user agent
+        $userAgent = $this->request->getHeader('USER_AGENT');
+
+        $tokens = $this->loginFlowV2Service->createTokens($userAgent);
+
+        $data = [
+            'poll' => [
+                'token' => $tokens->getPollToken(),
+                'endpoint' => $this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.poll')
+            ],
+            'login' => $this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.landing', ['token' => $tokens->getLoginToken()]),
+        ];
+
+        return new JSONResponse($data);
+    }
+
+    private function isValidStateToken(string $stateToken): bool {
+        $currentToken = $this->session->get(self::STATE_NAME);
+        if (!is_string($stateToken) || !is_string($currentToken)) {
+            return false;
+        }
+        return hash_equals($currentToken, $stateToken);
+    }
+
+    private function stateTokenForbiddenResponse(): StandaloneTemplateResponse {
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            '403',
+            [
+                'message' => $this->l10n->t('State token does not match'),
+            ],
+            'guest'
+        );
+        $response->setStatus(Http::STATUS_FORBIDDEN);
+        return $response;
+    }
+
+    /**
+     * @return LoginFlowV2
+     * @throws LoginFlowV2NotFoundException
+     */
+    private function getFlowByLoginToken(): LoginFlowV2 {
+        $currentToken = $this->session->get(self::TOKEN_NAME);
+        if (!is_string($currentToken)) {
+            throw new LoginFlowV2NotFoundException('Login token not set in session');
+        }
+
+        return $this->loginFlowV2Service->getByLoginToken($currentToken);
+    }
+
+    private function loginTokenForbiddenResponse(): StandaloneTemplateResponse {
+        $response = new StandaloneTemplateResponse(
+            $this->appName,
+            '403',
+            [
+                'message' => $this->l10n->t('Your login token is invalid or has expired'),
+            ],
+            'guest'
+        );
+        $response->setStatus(Http::STATUS_FORBIDDEN);
+        return $response;
+    }
+
+    private function getServerPath(): string {
+        $serverPostfix = '';
+
+        if (strpos($this->request->getRequestUri(), '/index.php') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/index.php'));
+        } elseif (strpos($this->request->getRequestUri(), '/login/v2') !== false) {
+            $serverPostfix = substr($this->request->getRequestUri(), 0, strpos($this->request->getRequestUri(), '/login/v2'));
+        }
+
+        $protocol = $this->request->getServerProtocol();
+        return $protocol . '://' . $this->request->getServerHost() . $serverPostfix;
+    }
 }

core/Controller/TwoFactorChallengeController.php

Indentation +199 added lines, -199 removed lines

@@ -42,228 +42,228 @@
 use Psr\Log\LoggerInterface;
 
 class TwoFactorChallengeController extends Controller {
-	private Manager $twoFactorManager;
-	private IUserSession $userSession;
-	private ISession $session;
-	private LoggerInterface $logger;
-	private IURLGenerator $urlGenerator;
+    private Manager $twoFactorManager;
+    private IUserSession $userSession;
+    private ISession $session;
+    private LoggerInterface $logger;
+    private IURLGenerator $urlGenerator;
 
-	public function __construct($appName, IRequest $request, Manager $twoFactorManager, IUserSession $userSession,
-		ISession $session, IURLGenerator $urlGenerator, LoggerInterface $logger) {
-		parent::__construct($appName, $request);
-		$this->twoFactorManager = $twoFactorManager;
-		$this->userSession = $userSession;
-		$this->session = $session;
-		$this->urlGenerator = $urlGenerator;
-		$this->logger = $logger;
-	}
+    public function __construct($appName, IRequest $request, Manager $twoFactorManager, IUserSession $userSession,
+        ISession $session, IURLGenerator $urlGenerator, LoggerInterface $logger) {
+        parent::__construct($appName, $request);
+        $this->twoFactorManager = $twoFactorManager;
+        $this->userSession = $userSession;
+        $this->session = $session;
+        $this->urlGenerator = $urlGenerator;
+        $this->logger = $logger;
+    }
 
-	/**
-	 * @return string
-	 */
-	protected function getLogoutUrl() {
-		return OC_User::getLogoutUrl($this->urlGenerator);
-	}
+    /**
+     * @return string
+     */
+    protected function getLogoutUrl() {
+        return OC_User::getLogoutUrl($this->urlGenerator);
+    }
 
-	/**
-	 * @param IProvider[] $providers
-	 */
-	private function splitProvidersAndBackupCodes(array $providers): array {
-		$regular = [];
-		$backup = null;
-		foreach ($providers as $provider) {
-			if ($provider->getId() === 'backup_codes') {
-				$backup = $provider;
-			} else {
-				$regular[] = $provider;
-			}
-		}
+    /**
+     * @param IProvider[] $providers
+     */
+    private function splitProvidersAndBackupCodes(array $providers): array {
+        $regular = [];
+        $backup = null;
+        foreach ($providers as $provider) {
+            if ($provider->getId() === 'backup_codes') {
+                $backup = $provider;
+            } else {
+                $regular[] = $provider;
+            }
+        }
 
-		return [$regular, $backup];
-	}
+        return [$regular, $backup];
+    }
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @TwoFactorSetUpDoneRequired
-	 *
-	 * @param string $redirect_url
-	 * @return StandaloneTemplateResponse
-	 */
-	public function selectChallenge($redirect_url) {
-		$user = $this->userSession->getUser();
-		$providerSet = $this->twoFactorManager->getProviderSet($user);
-		$allProviders = $providerSet->getProviders();
-		[$providers, $backupProvider] = $this->splitProvidersAndBackupCodes($allProviders);
-		$setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @TwoFactorSetUpDoneRequired
+     *
+     * @param string $redirect_url
+     * @return StandaloneTemplateResponse
+     */
+    public function selectChallenge($redirect_url) {
+        $user = $this->userSession->getUser();
+        $providerSet = $this->twoFactorManager->getProviderSet($user);
+        $allProviders = $providerSet->getProviders();
+        [$providers, $backupProvider] = $this->splitProvidersAndBackupCodes($allProviders);
+        $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
 
-		$data = [
-			'providers' => $providers,
-			'backupProvider' => $backupProvider,
-			'providerMissing' => $providerSet->isProviderMissing(),
-			'redirect_url' => $redirect_url,
-			'logout_url' => $this->getLogoutUrl(),
-			'hasSetupProviders' => !empty($setupProviders),
-		];
-		return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
-	}
+        $data = [
+            'providers' => $providers,
+            'backupProvider' => $backupProvider,
+            'providerMissing' => $providerSet->isProviderMissing(),
+            'redirect_url' => $redirect_url,
+            'logout_url' => $this->getLogoutUrl(),
+            'hasSetupProviders' => !empty($setupProviders),
+        ];
+        return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
+    }
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @TwoFactorSetUpDoneRequired
-	 *
-	 * @param string $challengeProviderId
-	 * @param string $redirect_url
-	 * @return StandaloneTemplateResponse|RedirectResponse
-	 */
-	#[UseSession]
-	public function showChallenge($challengeProviderId, $redirect_url) {
-		$user = $this->userSession->getUser();
-		$providerSet = $this->twoFactorManager->getProviderSet($user);
-		$provider = $providerSet->getProvider($challengeProviderId);
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @TwoFactorSetUpDoneRequired
+     *
+     * @param string $challengeProviderId
+     * @param string $redirect_url
+     * @return StandaloneTemplateResponse|RedirectResponse
+     */
+    #[UseSession]
+    public function showChallenge($challengeProviderId, $redirect_url) {
+        $user = $this->userSession->getUser();
+        $providerSet = $this->twoFactorManager->getProviderSet($user);
+        $provider = $providerSet->getProvider($challengeProviderId);
 
-		if (is_null($provider)) {
-			return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
-		}
+        if (is_null($provider)) {
+            return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
+        }
 
-		$backupProvider = $providerSet->getProvider('backup_codes');
-		if (!is_null($backupProvider) && $backupProvider->getId() === $provider->getId()) {
-			// Don't show the backup provider link if we're already showing that provider's challenge
-			$backupProvider = null;
-		}
+        $backupProvider = $providerSet->getProvider('backup_codes');
+        if (!is_null($backupProvider) && $backupProvider->getId() === $provider->getId()) {
+            // Don't show the backup provider link if we're already showing that provider's challenge
+            $backupProvider = null;
+        }
 
-		$errorMessage = '';
-		$error = false;
-		if ($this->session->exists('two_factor_auth_error')) {
-			$this->session->remove('two_factor_auth_error');
-			$error = true;
-			$errorMessage = $this->session->get("two_factor_auth_error_message");
-			$this->session->remove('two_factor_auth_error_message');
-		}
-		$tmpl = $provider->getTemplate($user);
-		$tmpl->assign('redirect_url', $redirect_url);
-		$data = [
-			'error' => $error,
-			'error_message' => $errorMessage,
-			'provider' => $provider,
-			'backupProvider' => $backupProvider,
-			'logout_url' => $this->getLogoutUrl(),
-			'redirect_url' => $redirect_url,
-			'template' => $tmpl->fetchPage(),
-		];
-		$response = new StandaloneTemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
-		if ($provider instanceof IProvidesCustomCSP) {
-			$response->setContentSecurityPolicy($provider->getCSP());
-		}
-		return $response;
-	}
+        $errorMessage = '';
+        $error = false;
+        if ($this->session->exists('two_factor_auth_error')) {
+            $this->session->remove('two_factor_auth_error');
+            $error = true;
+            $errorMessage = $this->session->get("two_factor_auth_error_message");
+            $this->session->remove('two_factor_auth_error_message');
+        }
+        $tmpl = $provider->getTemplate($user);
+        $tmpl->assign('redirect_url', $redirect_url);
+        $data = [
+            'error' => $error,
+            'error_message' => $errorMessage,
+            'provider' => $provider,
+            'backupProvider' => $backupProvider,
+            'logout_url' => $this->getLogoutUrl(),
+            'redirect_url' => $redirect_url,
+            'template' => $tmpl->fetchPage(),
+        ];
+        $response = new StandaloneTemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
+        if ($provider instanceof IProvidesCustomCSP) {
+            $response->setContentSecurityPolicy($provider->getCSP());
+        }
+        return $response;
+    }
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @TwoFactorSetUpDoneRequired
-	 *
-	 * @UserRateThrottle(limit=5, period=100)
-	 *
-	 * @param string $challengeProviderId
-	 * @param string $challenge
-	 * @param string $redirect_url
-	 * @return RedirectResponse
-	 */
-	#[UseSession]
-	public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null) {
-		$user = $this->userSession->getUser();
-		$provider = $this->twoFactorManager->getProvider($user, $challengeProviderId);
-		if (is_null($provider)) {
-			return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
-		}
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @TwoFactorSetUpDoneRequired
+     *
+     * @UserRateThrottle(limit=5, period=100)
+     *
+     * @param string $challengeProviderId
+     * @param string $challenge
+     * @param string $redirect_url
+     * @return RedirectResponse
+     */
+    #[UseSession]
+    public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null) {
+        $user = $this->userSession->getUser();
+        $provider = $this->twoFactorManager->getProvider($user, $challengeProviderId);
+        if (is_null($provider)) {
+            return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
+        }
 
-		try {
-			if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
-				if (!is_null($redirect_url)) {
-					return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
-				}
-				return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
-			}
-		} catch (TwoFactorException $e) {
-			/*
+        try {
+            if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
+                if (!is_null($redirect_url)) {
+                    return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
+                }
+                return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
+            }
+        } catch (TwoFactorException $e) {
+            /*
 			 * The 2FA App threw an TwoFactorException. Now we display more
 			 * information to the user. The exception text is stored in the
 			 * session to be used in showChallenge()
 			 */
-			$this->session->set('two_factor_auth_error_message', $e->getMessage());
-		}
+            $this->session->set('two_factor_auth_error_message', $e->getMessage());
+        }
 
-		$ip = $this->request->getRemoteAddress();
-		$uid = $user->getUID();
-		$this->logger->warning("Two-factor challenge failed: $uid (Remote IP: $ip)");
-		$this->session->set('two_factor_auth_error', true);
-		return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', [
-			'challengeProviderId' => $provider->getId(),
-			'redirect_url' => $redirect_url,
-		]));
-	}
+        $ip = $this->request->getRemoteAddress();
+        $uid = $user->getUID();
+        $this->logger->warning("Two-factor challenge failed: $uid (Remote IP: $ip)");
+        $this->session->set('two_factor_auth_error', true);
+        return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', [
+            'challengeProviderId' => $provider->getId(),
+            'redirect_url' => $redirect_url,
+        ]));
+    }
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 */
-	public function setupProviders(): StandaloneTemplateResponse {
-		$user = $this->userSession->getUser();
-		$setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     */
+    public function setupProviders(): StandaloneTemplateResponse {
+        $user = $this->userSession->getUser();
+        $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
 
-		$data = [
-			'providers' => $setupProviders,
-			'logout_url' => $this->getLogoutUrl(),
-		];
+        $data = [
+            'providers' => $setupProviders,
+            'logout_url' => $this->getLogoutUrl(),
+        ];
 
-		return new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
-	}
+        return new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
+    }
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 */
-	public function setupProvider(string $providerId) {
-		$user = $this->userSession->getUser();
-		$providers = $this->twoFactorManager->getLoginSetupProviders($user);
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     */
+    public function setupProvider(string $providerId) {
+        $user = $this->userSession->getUser();
+        $providers = $this->twoFactorManager->getLoginSetupProviders($user);
 
-		$provider = null;
-		foreach ($providers as $p) {
-			if ($p->getId() === $providerId) {
-				$provider = $p;
-				break;
-			}
-		}
+        $provider = null;
+        foreach ($providers as $p) {
+            if ($p->getId() === $providerId) {
+                $provider = $p;
+                break;
+            }
+        }
 
-		if ($provider === null) {
-			return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
-		}
+        if ($provider === null) {
+            return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
+        }
 
-		/** @var IActivatableAtLogin $provider */
-		$tmpl = $provider->getLoginSetup($user)->getBody();
-		$data = [
-			'provider' => $provider,
-			'logout_url' => $this->getLogoutUrl(),
-			'template' => $tmpl->fetchPage(),
-		];
-		$response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
-		return $response;
-	}
+        /** @var IActivatableAtLogin $provider */
+        $tmpl = $provider->getLoginSetup($user)->getBody();
+        $data = [
+            'provider' => $provider,
+            'logout_url' => $this->getLogoutUrl(),
+            'template' => $tmpl->fetchPage(),
+        ];
+        $response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
+        return $response;
+    }
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 *
-	 * @todo handle the extreme edge case of an invalid provider ID and redirect to the provider selection page
-	 */
-	public function confirmProviderSetup(string $providerId) {
-		return new RedirectResponse($this->urlGenerator->linkToRoute(
-			'core.TwoFactorChallenge.showChallenge',
-			[
-				'challengeProviderId' => $providerId,
-			]
-		));
-	}
+    /**
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     *
+     * @todo handle the extreme edge case of an invalid provider ID and redirect to the provider selection page
+     */
+    public function confirmProviderSetup(string $providerId) {
+        return new RedirectResponse($this->urlGenerator->linkToRoute(
+            'core.TwoFactorChallenge.showChallenge',
+            [
+                'challengeProviderId' => $providerId,
+            ]
+        ));
+    }
 }

lib/private/AppFramework/Middleware/SessionMiddleware.php

Indentation +50 added lines, -50 removed lines

@@ -37,61 +37,61 @@
 use ReflectionMethod;
 
 class SessionMiddleware extends Middleware {
-	/** @var ControllerMethodReflector */
-	private $reflector;
+    /** @var ControllerMethodReflector */
+    private $reflector;
 
-	/** @var ISession */
-	private $session;
+    /** @var ISession */
+    private $session;
 
-	public function __construct(ControllerMethodReflector $reflector,
-								ISession $session) {
-		$this->reflector = $reflector;
-		$this->session = $session;
-	}
+    public function __construct(ControllerMethodReflector $reflector,
+                                ISession $session) {
+        $this->reflector = $reflector;
+        $this->session = $session;
+    }
 
-	/**
-	 * @param Controller $controller
-	 * @param string $methodName
-	 */
-	public function beforeController($controller, $methodName) {
-		/**
-		 * Annotation deprecated with Nextcloud 26
-		 */
-		$hasAnnotation = $this->reflector->hasAnnotation('UseSession');
-		if ($hasAnnotation) {
-			$this->session->reopen();
-			return;
-		}
+    /**
+     * @param Controller $controller
+     * @param string $methodName
+     */
+    public function beforeController($controller, $methodName) {
+        /**
+         * Annotation deprecated with Nextcloud 26
+         */
+        $hasAnnotation = $this->reflector->hasAnnotation('UseSession');
+        if ($hasAnnotation) {
+            $this->session->reopen();
+            return;
+        }
 
-		$reflectionMethod = new ReflectionMethod($controller, $methodName);
-		$hasAttribute = !empty($reflectionMethod->getAttributes(UseSession::class));
-		if ($hasAttribute) {
-			$this->session->reopen();
-		}
-	}
+        $reflectionMethod = new ReflectionMethod($controller, $methodName);
+        $hasAttribute = !empty($reflectionMethod->getAttributes(UseSession::class));
+        if ($hasAttribute) {
+            $this->session->reopen();
+        }
+    }
 
-	/**
-	 * @param Controller $controller
-	 * @param string $methodName
-	 * @param Response $response
-	 * @return Response
-	 */
-	public function afterController($controller, $methodName, Response $response) {
-		/**
-		 * Annotation deprecated with Nextcloud 26
-		 */
-		$hasAnnotation = $this->reflector->hasAnnotation('UseSession');
-		if ($hasAnnotation) {
-			$this->session->close();
-			return $response;
-		}
+    /**
+     * @param Controller $controller
+     * @param string $methodName
+     * @param Response $response
+     * @return Response
+     */
+    public function afterController($controller, $methodName, Response $response) {
+        /**
+         * Annotation deprecated with Nextcloud 26
+         */
+        $hasAnnotation = $this->reflector->hasAnnotation('UseSession');
+        if ($hasAnnotation) {
+            $this->session->close();
+            return $response;
+        }
 
-		$reflectionMethod = new ReflectionMethod($controller, $methodName);
-		$hasAttribute = !empty($reflectionMethod->getAttributes(UseSession::class));
-		if ($hasAttribute) {
-			$this->session->close();
-		}
+        $reflectionMethod = new ReflectionMethod($controller, $methodName);
+        $hasAttribute = !empty($reflectionMethod->getAttributes(UseSession::class));
+        if ($hasAttribute) {
+            $this->session->close();
+        }
 
-		return $response;
-	}
+        return $response;
+    }
 }