/**
 * Logs the current user out and redirects to the login form.
 *
 * If the client presented an `oc_token` cookie, the `login_token` entry
 * stored for this user under that cookie value is deleted first, so the
 * token cannot be reused once the session is gone. The cookie value is
 * client-controlled; it is only used as a key scoped to the current
 * user's own values.
 *
 * @NoAdminRequired
 * @UseSession
 *
 * @return RedirectResponse
 */
public function logout() {
	$rememberToken = $this->request->getCookie('oc_token');
	if ($rememberToken !== null) {
		$uid = $this->userSession->getUser()->getUID();
		// Drop the stored token tied to this cookie before the session is destroyed.
		$this->config->deleteUserValue($uid, 'login_token', $rememberToken);
	}
	$this->userSession->logout();
	$target = $this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm');
	return new RedirectResponse($target);
}
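/**
 * Runs before the controller method is invoked and applies the
 * CORS-specific authentication rule.
 *
 * Routes annotated with @CORS (and not @PublicPage) must not be usable
 * with the browser's cookie session, since that would open CSRF attack
 * vectors. The existing session is therefore always dropped first, and
 * the request is only accepted when it carries HTTP Basic credentials
 * that the session backend accepts.
 *
 * @param Controller $controller the controller that is being called
 * @param string $methodName the name of the method that will be called on
 *                           the controller
 * @throws SecurityException when the route is @CORS and Basic auth is
 *                           missing or the credentials are rejected
 * @since 6.0.0
 */
public function beforeController($controller, $methodName) {
	$isCorsRoute = $this->reflector->hasAnnotation('CORS')
		&& !$this->reflector->hasAnnotation('PublicPage');
	if (!$isCorsRoute) {
		return;
	}

	// Drop the cookie-based session unconditionally, before looking at the
	// credentials: a CORS route must never succeed on the session alone.
	$this->session->logout();

	// Read the Basic auth pair without an undefined-index notice when the
	// client sent no Authorization header at all; a missing pair is simply
	// rejected instead of being passed on as null.
	$server = $this->request->server;
	$user = isset($server['PHP_AUTH_USER']) ? $server['PHP_AUTH_USER'] : null;
	$pass = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : null;
	if ($user === null || $pass === null) {
		throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
	}

	if (!$this->session->login($user, $pass)) {
		throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
	}
}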
/**
 * Runs before the controller method is invoked and enforces the
 * single-sign-on variant of the CORS rule.
 *
 * Routes annotated with @SSOCORS (and not @PublicPage) are not allowed to
 * authenticate through the session cookie, since that would open CSRF
 * attack vectors. The request is instead authenticated from the SSO
 * AuthInfo: the token is validated against the SSO backend (unless the
 * `sso_one_time_password` system setting is truthy, in which case that
 * round-trip is skipped), the current session is dropped, and the user is
 * logged in again from the SSO user info.
 *
 * NOTE(review): with `sso_one_time_password` enabled nothing in this method
 * validates the token before Util::login() — presumably that helper does;
 * confirm.
 *
 * @param Controller $controller the controller that is being called
 * @param string $methodName the name of the method that will be called on
 *                           the controller
 * @throws SecurityException on an expired/invalid SSO token or a failed login
 * @since 6.0.0
 */
public function beforeController($controller, $methodName) {
	$isSsoCorsRoute = $this->reflector->hasAnnotation('SSOCORS')
		&& !$this->reflector->hasAnnotation('PublicPage');
	if (!$isSsoCorsRoute) {
		return;
	}

	$authInfo = AuthInfo::get();
	$systemConfig = \OC::$server->getSystemConfig();
	$skipTokenCheck = (bool) $systemConfig->getValue("sso_one_time_password");
	if (!$skipTokenCheck) {
		$tokenValid = \OCA\SingleSignOn\RequestManager::send(
			\OCA\SingleSignOn\ISingleSignOnRequest::VALIDTOKEN,
			$authInfo
		);
		if (!$tokenValid) {
			throw new SecurityException('Token expired!', Http::STATUS_UNAUTHORIZED);
		}
	}

	$userInfo = \OCA\SingleSignOn\RequestManager::getRequest(
		\OCA\SingleSignOn\ISingleSignOnRequest::INFO
	);
	// Session auth must not carry over to an SSOCORS route: drop it, then re-login.
	$this->session->logout();
	if (!\OCA\SingleSignOn\Util::login($userInfo, $authInfo)) {
		throw new SecurityException('SSO CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
	}
}
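/**
 * Authenticates the DAV request, preferring an already established web
 * session over a fresh Basic auth exchange.
 *
 * Order of checks:
 *  1. If the request fails the CSRF check (and the check is required for
 *     it), a POST may continue but the current session is discarded so the
 *     request has to re-authenticate; any other method is rejected with 401.
 *  2. Otherwise the existing session is reused when Apache auth handled the
 *     login, when the session carries no DAV_AUTHENTICATED marker, or when
 *     that marker equals the session user's UID and no Authorization header
 *     is present. The filesystem is then set up for that user and the
 *     session is closed before returning.
 *  3. An unauthenticated XMLHttpRequest is answered with a dummy
 *     WWW-Authenticate scheme so the browser shows no credentials popup.
 *  4. Everything else goes through the parent Basic auth check; on success
 *     the principal's last path segment is replaced with the UID of the
 *     user that check logged in.
 *
 * @param RequestInterface $request
 * @param ResponseInterface $response
 * @return array [bool success, string principal-or-reason] as returned by
 *               the parent check (principal rewritten on success)
 * @throws NotAuthenticated on a failed CSRF check (non-POST) or an
 *                          unauthenticated ajax request
 */
private function auth(RequestInterface $request, ResponseInterface $response) {
	$forcedLogout = false;
	if (!$this->request->passesCSRFCheck() && $this->requiresCSRFCheck()) {
		if ($this->request->getMethod() === 'POST') {
			// A POST failing CSRF still gets a chance, but only with fresh
			// credentials: the session is thrown away below.
			$forcedLogout = true;
		} else {
			$response->setStatus(401);
			throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
		}
	}

	if ($forcedLogout) {
		$this->userSession->logout();
	} else {
		// handleApacheAuth() is evaluated first and unconditionally; the
		// remaining operands short-circuit, so getUser() is only reached
		// once isLoggedIn() is true. Parentheses spell out the precedence
		// the original relied on (&& binds tighter than ||).
		$reuseSession = \OC_User::handleApacheAuth()
			|| ($this->userSession->isLoggedIn()
				&& is_null($this->session->get(self::DAV_AUTHENTICATED)))
			|| ($this->userSession->isLoggedIn()
				&& $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID()
				&& $request->getHeader('Authorization') === null);
		if ($reuseSession) {
			$user = $this->userSession->getUser()->getUID();
			\OC_Util::setupFS($user);
			$this->currentUser = $user;
			$this->session->close();
			return [true, $this->principalPrefix . $user];
		}
	}

	// A missing header is treated as empty: explode() on null is deprecated
	// (PHP 8.1) and would otherwise emit a notice on every unauthenticated
	// non-ajax request.
	$requestedWith = $request->getHeader('X-Requested-With');
	if ($requestedWith === null) {
		$requestedWith = '';
	}
	$isAjax = in_array('XMLHttpRequest', explode(',', $requestedWith), true);
	if (!$this->userSession->isLoggedIn() && $isAjax) {
		// Do not re-prompt over ajax: a bogus auth scheme keeps the browser
		// from showing its credentials dialog.
		$response->addHeader('WWW-Authenticate', 'DummyBasic realm="' . $this->realm . '"');
		$response->setStatus(401);
		throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
	}

	$data = parent::check($request, $response);
	if ($data[0] === true) {
		// Rewrite the principal's last path segment to the UID of the user
		// the parent check just logged in.
		$startPos = strrpos($data[1], '/') + 1;
		$user = $this->userSession->getUser()->getUID();
		$data[1] = substr_replace($data[1], $user, $startPos);
	}
	return $data;
}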