/** * This is being run in normal order before the controller is being * called which allows several modifications and checks * * @param Controller $controller the controller that is being called * @param string $methodName the name of the method that will be called on * the controller * @throws SecurityException * @since 6.0.0 */ public function beforeController($controller, $methodName) { // ensure that @CORS annotated API routes are not used in conjunction // with session authentication since this enables CSRF attack vectors if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) { $user = $this->request->server['PHP_AUTH_USER']; $pass = $this->request->server['PHP_AUTH_PW']; $this->session->logout(); if (!$this->session->logClientIn($user, $pass, $this->request)) { throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); } } }
public function testAuthenticateInvalidCredentials() { $server = $this->getMockBuilder('\\Sabre\\DAV\\Server')->disableOriginalConstructor()->getMock(); $server->httpRequest = $this->getMockBuilder('\\Sabre\\HTTP\\RequestInterface')->disableOriginalConstructor()->getMock(); $server->httpRequest->expects($this->at(0))->method('getHeader')->with('X-Requested-With')->will($this->returnValue(null)); $server->httpRequest->expects($this->at(1))->method('getHeader')->with('Authorization')->will($this->returnValue('basic dXNlcm5hbWU6cGFzc3dvcmQ=')); $server->httpResponse = $this->getMockBuilder('\\Sabre\\HTTP\\ResponseInterface')->disableOriginalConstructor()->getMock(); $this->userSession->expects($this->once())->method('logClientIn')->with('username', 'password')->will($this->returnValue(false)); $response = $this->auth->check($server->httpRequest, $server->httpResponse); $this->assertEquals([false, 'Username or password was incorrect'], $response); }
public function removeShare($mountPoint) { $user = $this->userSession->getUser(); $mountPoint = $this->stripPath($mountPoint); $hash = md5($mountPoint); $query = $this->connection->prepare(' DELETE FROM `*PREFIX*share_external` WHERE `mountpoint_hash` = ? AND `user` = ? '); return (bool) $query->execute(array($hash, $user->getUID())); }
/** * Send a mail to test the settings * @return array */ public function sendTestMail() { $email = $this->config->getUserValue($this->userSession->getUser()->getUID(), $this->appName, 'email', ''); if (!empty($email)) { try { $this->mail->send($email, $this->userSession->getUser()->getDisplayName(), $this->l10n->t('test email settings'), $this->l10n->t('If you received this email, the settings seem to be correct.'), $this->defaultMailAddress, $this->defaults->getName()); } catch (\Exception $e) { return array('data' => array('message' => (string) $this->l10n->t('A problem occurred while sending the email. Please revise your settings.')), 'status' => 'error'); } return array('data' => array('message' => (string) $this->l10n->t('Email sent')), 'status' => 'success'); } return array('data' => array('message' => (string) $this->l10n->t('You need to set your user email before being able to send test emails.')), 'status' => 'error'); }
/** * @param Controller $controller * @param string $methodName */ public function beforeController($controller, $methodName) { if ($this->reflector->hasAnnotation('PublicPage')) { // Don't block public pages return; } if ($controller instanceof \OC\Core\Controller\LoginController && $methodName === 'logout') { // Don't block the logout page, to allow canceling the 2FA return; } if ($this->userSession->isLoggedIn()) { $user = $this->userSession->getUser(); if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) { $this->checkTwoFactor($controller, $methodName); } else { if ($controller instanceof TwoFactorChallengeController) { // Allow access to the two-factor controllers only if two-factor authentication // is in progress. throw new UserAlreadyLoggedInException(); } } } // TODO: dont check/enforce 2FA if a auth token is used }
/** * Send a mail to test the settings * @return array */ public function sendTestMail() { $email = $this->config->getUserValue($this->userSession->getUser()->getUID(), $this->appName, 'email', ''); if (!empty($email)) { try { $message = $this->mailer->createMessage(); $message->setTo([$email => $this->userSession->getUser()->getDisplayName()]); $message->setFrom([$this->defaultMailAddress]); $message->setSubject($this->l10n->t('test email settings')); $message->setPlainBody('If you received this email, the settings seem to be correct.'); $this->mailer->send($message); } catch (\Exception $e) { return ['data' => ['message' => (string) $this->l10n->t('A problem occurred while sending the email. Please revise your settings. (Error: %s)', [$e->getMessage()])], 'status' => 'error']; } return array('data' => array('message' => (string) $this->l10n->t('Email sent')), 'status' => 'success'); } return array('data' => array('message' => (string) $this->l10n->t('You need to set your user email before being able to send test emails.')), 'status' => 'error'); }
/** * @PublicPage * @UseSession * * @param string $user * @param string $password * @param string $redirect_url * @return RedirectResponse */ public function tryLogin($user, $password, $redirect_url) { $originalUser = $user; // TODO: Add all the insane error handling /* @var $loginResult IUser */ $loginResult = $this->userManager->checkPassword($user, $password); if ($loginResult === false) { $users = $this->userManager->getByEmail($user); // we only allow login by email if unique if (count($users) === 1) { $user = $users[0]->getUID(); $loginResult = $this->userManager->checkPassword($user, $password); } } if ($loginResult === false) { $this->session->set('loginMessages', [['invalidpassword']]); // Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name $args = !is_null($user) ? ['user' => $originalUser] : []; return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); } // TODO: remove password checks from above and let the user session handle failures // requires https://github.com/owncloud/core/pull/24616 $this->userSession->login($user, $password); $this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password); if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) { $this->twoFactorManager->prepareTwoFactorLogin($loginResult); if (!is_null($redirect_url)) { return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', ['redirect_url' => $redirect_url])); } return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); } if (!is_null($redirect_url) && $this->userSession->isLoggedIn()) { $location = $this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === false) { return new RedirectResponse($location); } } return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); }
/** * @param RequestInterface $request * @param ResponseInterface $response * @return array * @throws NotAuthenticated */ private function auth(RequestInterface $request, ResponseInterface $response) { $forcedLogout = false; if (!$this->request->passesCSRFCheck() && $this->requiresCSRFCheck()) { // In case of a fail with POST we need to recheck the credentials if ($this->request->getMethod() === 'POST') { $forcedLogout = true; } else { $response->setStatus(401); throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.'); } } if ($forcedLogout) { $this->userSession->logout(); } else { if ($this->twoFactorManager->needsSecondFactor()) { throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.'); } if (\OC_User::handleApacheAuth() || $this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)) || $this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null) { $user = $this->userSession->getUser()->getUID(); \OC_Util::setupFS($user); $this->currentUser = $user; $this->session->close(); return [true, $this->principalPrefix . $user]; } } if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) { // do not re-authenticate over ajax, use dummy auth name to prevent browser popup $response->addHeader('WWW-Authenticate', 'DummyBasic realm="' . $this->realm . '"'); $response->setStatus(401); throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls'); } $data = parent::check($request, $response); if ($data[0] === true) { $startPos = strrpos($data[1], '/') + 1; $user = $this->userSession->getUser()->getUID(); $data[1] = substr_replace($data[1], $user, $startPos); } return $data; }
/** * return a list of shares which are not yet accepted by the user * * @return array list of open server-to-server shares */ public function getOpenShares() { $openShares = $this->connection->prepare('SELECT * FROM `*PREFIX*share_external` WHERE `accepted` = ? AND `user` = ?'); $result = $openShares->execute(array(0, $this->userSession->getUser()->getUID())); return $result ? $openShares->fetchAll() : array(); }