/**
* This is being run in normal order before the controller is being
* called which allows several modifications and checks
*
* @param Controller $controller the controller that is being called
* @param string $methodName the name of the method that will be called on
* the controller
* @throws SecurityException
* @since 6.0.0
*/
public function beforeController($controller, $methodName)
{
// ensure that @CORS annotated API routes are not used in conjunction
// with session authentication since this enables CSRF attack vectors
if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
$user = $this->request->server['PHP_AUTH_USER'];
$pass = $this->request->server['PHP_AUTH_PW'];
$this->session->logout();
if (!$this->session->logClientIn($user, $pass, $this->request)) {
throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
}
}
}
public function testAuthenticateInvalidCredentials()
{
$server = $this->getMockBuilder('\\Sabre\\DAV\\Server')->disableOriginalConstructor()->getMock();
$server->httpRequest = $this->getMockBuilder('\\Sabre\\HTTP\\RequestInterface')->disableOriginalConstructor()->getMock();
$server->httpRequest->expects($this->at(0))->method('getHeader')->with('X-Requested-With')->will($this->returnValue(null));
$server->httpRequest->expects($this->at(1))->method('getHeader')->with('Authorization')->will($this->returnValue('basic dXNlcm5hbWU6cGFzc3dvcmQ='));
$server->httpResponse = $this->getMockBuilder('\\Sabre\\HTTP\\ResponseInterface')->disableOriginalConstructor()->getMock();
$this->userSession->expects($this->once())->method('logClientIn')->with('username', 'password')->will($this->returnValue(false));
$response = $this->auth->check($server->httpRequest, $server->httpResponse);
$this->assertEquals([false, 'Username or password was incorrect'], $response);
}
public function removeShare($mountPoint)
{
$user = $this->userSession->getUser();
$mountPoint = $this->stripPath($mountPoint);
$hash = md5($mountPoint);
$query = $this->connection->prepare('
DELETE FROM `*PREFIX*share_external`
WHERE `mountpoint_hash` = ?
AND `user` = ?
');
return (bool) $query->execute(array($hash, $user->getUID()));
}
/**
* Send a mail to test the settings
* @return array
*/
public function sendTestMail()
{
$email = $this->config->getUserValue($this->userSession->getUser()->getUID(), $this->appName, 'email', '');
if (!empty($email)) {
try {
$this->mail->send($email, $this->userSession->getUser()->getDisplayName(), $this->l10n->t('test email settings'), $this->l10n->t('If you received this email, the settings seem to be correct.'), $this->defaultMailAddress, $this->defaults->getName());
} catch (\Exception $e) {
return array('data' => array('message' => (string) $this->l10n->t('A problem occurred while sending the email. Please revise your settings.')), 'status' => 'error');
}
return array('data' => array('message' => (string) $this->l10n->t('Email sent')), 'status' => 'success');
}
return array('data' => array('message' => (string) $this->l10n->t('You need to set your user email before being able to send test emails.')), 'status' => 'error');
}
/**
* @param Controller $controller
* @param string $methodName
*/
public function beforeController($controller, $methodName)
{
if ($this->reflector->hasAnnotation('PublicPage')) {
// Don't block public pages
return;
}
if ($controller instanceof \OC\Core\Controller\LoginController && $methodName === 'logout') {
// Don't block the logout page, to allow canceling the 2FA
return;
}
if ($this->userSession->isLoggedIn()) {
$user = $this->userSession->getUser();
if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) {
$this->checkTwoFactor($controller, $methodName);
} else {
if ($controller instanceof TwoFactorChallengeController) {
// Allow access to the two-factor controllers only if two-factor authentication
// is in progress.
throw new UserAlreadyLoggedInException();
}
}
}
// TODO: dont check/enforce 2FA if a auth token is used
}
/**
* Send a mail to test the settings
* @return array
*/
public function sendTestMail()
{
$email = $this->config->getUserValue($this->userSession->getUser()->getUID(), $this->appName, 'email', '');
if (!empty($email)) {
try {
$message = $this->mailer->createMessage();
$message->setTo([$email => $this->userSession->getUser()->getDisplayName()]);
$message->setFrom([$this->defaultMailAddress]);
$message->setSubject($this->l10n->t('test email settings'));
$message->setPlainBody('If you received this email, the settings seem to be correct.');
$this->mailer->send($message);
} catch (\Exception $e) {
return ['data' => ['message' => (string) $this->l10n->t('A problem occurred while sending the email. Please revise your settings. (Error: %s)', [$e->getMessage()])], 'status' => 'error'];
}
return array('data' => array('message' => (string) $this->l10n->t('Email sent')), 'status' => 'success');
}
return array('data' => array('message' => (string) $this->l10n->t('You need to set your user email before being able to send test emails.')), 'status' => 'error');
}
/**
* @PublicPage
* @UseSession
*
* @param string $user
* @param string $password
* @param string $redirect_url
* @return RedirectResponse
*/
public function tryLogin($user, $password, $redirect_url)
{
$originalUser = $user;
// TODO: Add all the insane error handling
/* @var $loginResult IUser */
$loginResult = $this->userManager->checkPassword($user, $password);
if ($loginResult === false) {
$users = $this->userManager->getByEmail($user);
// we only allow login by email if unique
if (count($users) === 1) {
$user = $users[0]->getUID();
$loginResult = $this->userManager->checkPassword($user, $password);
}
}
if ($loginResult === false) {
$this->session->set('loginMessages', [['invalidpassword']]);
// Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name
$args = !is_null($user) ? ['user' => $originalUser] : [];
return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
}
// TODO: remove password checks from above and let the user session handle failures
// requires https://github.com/owncloud/core/pull/24616
$this->userSession->login($user, $password);
$this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password);
if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) {
$this->twoFactorManager->prepareTwoFactorLogin($loginResult);
if (!is_null($redirect_url)) {
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', ['redirect_url' => $redirect_url]));
}
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
}
if (!is_null($redirect_url) && $this->userSession->isLoggedIn()) {
$location = $this->urlGenerator->getAbsoluteURL(urldecode($redirect_url));
// Deny the redirect if the URL contains a @
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
if (strpos($location, '@') === false) {
return new RedirectResponse($location);
}
}
return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));
}
/**
* @param RequestInterface $request
* @param ResponseInterface $response
* @return array
* @throws NotAuthenticated
*/
private function auth(RequestInterface $request, ResponseInterface $response)
{
$forcedLogout = false;
if (!$this->request->passesCSRFCheck() && $this->requiresCSRFCheck()) {
// In case of a fail with POST we need to recheck the credentials
if ($this->request->getMethod() === 'POST') {
$forcedLogout = true;
} else {
$response->setStatus(401);
throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
}
}
if ($forcedLogout) {
$this->userSession->logout();
} else {
if ($this->twoFactorManager->needsSecondFactor()) {
throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
}
if (\OC_User::handleApacheAuth() || $this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)) || $this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null) {
$user = $this->userSession->getUser()->getUID();
\OC_Util::setupFS($user);
$this->currentUser = $user;
$this->session->close();
return [true, $this->principalPrefix . $user];
}
}
if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
$response->addHeader('WWW-Authenticate', 'DummyBasic realm="' . $this->realm . '"');
$response->setStatus(401);
throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
}
$data = parent::check($request, $response);
if ($data[0] === true) {
$startPos = strrpos($data[1], '/') + 1;
$user = $this->userSession->getUser()->getUID();
$data[1] = substr_replace($data[1], $user, $startPos);
}
return $data;
}
/**
* return a list of shares which are not yet accepted by the user
*
* @return array list of open server-to-server shares
*/
public function getOpenShares()
{
$openShares = $this->connection->prepare('SELECT * FROM `*PREFIX*share_external` WHERE `accepted` = ? AND `user` = ?');
$result = $openShares->execute(array(0, $this->userSession->getUser()->getUID()));
return $result ? $openShares->fetchAll() : array();
}
