Пример #1
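 /**
  * This is being run in normal order before the controller is being
  * called which allows several modifications and checks
  *
  * Routes annotated with @CORS (and not @PublicPage) must never be served
  * on the strength of the cookie-based session: a cross-origin page could
  * otherwise ride on the victim's session (CSRF). The existing session is
  * therefore logged out unconditionally and the request has to
  * re-authenticate with HTTP basic auth credentials.
  *
  * @param Controller $controller the controller that is being called
  * @param string $methodName the name of the method that will be called on
  *                           the controller
  * @throws SecurityException when the route is @CORS-only and no valid
  *                           basic auth credentials were sent
  * @since 6.0.0
  */
 public function beforeController($controller, $methodName)
 {
     // only @CORS routes that are not public need the basic-auth round trip
     if (!$this->reflector->hasAnnotation('CORS') || $this->reflector->hasAnnotation('PublicPage')) {
         return;
     }

     $server = $this->request->server;
     // PHP only populates these keys when an Authorization: Basic header was
     // sent; reading them blindly raises a notice and hands null to logClientIn
     $user = isset($server['PHP_AUTH_USER']) ? $server['PHP_AUTH_USER'] : null;
     $pass = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : null;

     // drop the cookie session first so that a missing or wrong header can
     // never fall back to session authentication
     $this->session->logout();

     if ($user === null || $pass === null
         || !$this->session->logClientIn($user, $pass, $this->request)) {
         throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
     }
 }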
Пример #2
 /**
  * Validates a username and password
  *
  * Two paths lead to a successful result: either the current user session
  * is logged in and has already been marked as DAV-authenticated (see
  * isDavAuthenticated()), in which case the supplied credentials are not
  * re-checked, or the user session accepts the username and password. On
  * every path, including the failure and exception paths, the session is
  * closed before this method returns.
  *
  * @param string $username
  * @param string $password
  * @return bool true when login succeeded, false otherwise
  * @throws PasswordLoginForbidden when the user session rejects the login
  *                                with a PasswordLoginForbiddenException
  */
 protected function validateUserPass($username, $password)
 {
     $userSession = $this->userSession;

     // fast path: this session was already authenticated for DAV
     if ($userSession->isLoggedIn() && $this->isDavAuthenticated($userSession->getUser()->getUID())) {
         \OC_Util::setupFS($userSession->getUser()->getUID());
         $this->session->close();
         return true;
     }

     // login hooks may need early access to the filesystem
     \OC_Util::setupFS();
     try {
         $loggedIn = $userSession->logClientIn($username, $password, $this->request);
     } catch (PasswordLoginForbiddenException $ex) {
         $this->session->close();
         throw new PasswordLoginForbidden();
     }

     if (!$loggedIn) {
         $this->session->close();
         return false;
     }

     $uid = $userSession->getUser()->getUID();
     \OC_Util::setupFS($uid);
     // remember the authenticated uid so later requests on this session
     // can take the fast path above
     $this->session->set(self::DAV_AUTHENTICATED, $uid);
     $this->session->close();
     return true;
 }