/**
* Validates a username and password
*
* This method should return true or false depending on if login
* succeeded.
*
* @param string $username
* @param string $password
* @return bool
*/
protected function validateUserPass($username, $password)
{
if ($this->userSession->isLoggedIn() && $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
\OC_Util::setupFS($this->userSession->getUser()->getUID());
$this->session->close();
return true;
} else {
\OC_Util::setupFS();
//login hooks may need early access to the filesystem
try {
if ($this->userSession->logClientIn($username, $password, $this->request)) {
\OC_Util::setupFS($this->userSession->getUser()->getUID());
$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
$this->session->close();
return true;
} else {
$this->session->close();
return false;
}
} catch (PasswordLoginForbiddenException $ex) {
$this->session->close();
throw new PasswordLoginForbidden();
}
}
}
/**
* Close the session and release the lock, also writes all changed data in batch
*/
public function close()
{
if ($this->isModified) {
$encryptedValue = $this->crypto->encrypt(json_encode($this->sessionValues), $this->passphrase);
$this->session->set(self::encryptedSessionName, $encryptedValue);
$this->isModified = false;
}
$this->session->close();
}
/**
* @param IToken $token
*/
private function updateToken(IToken $token)
{
// To save unnecessary DB queries, this is only done once a minute
$lastTokenUpdate = $this->session->get('last_token_update') ?: 0;
$now = $this->timeFacory->getTime();
if ($lastTokenUpdate < $now - 60) {
$this->tokenProvider->updateToken($token);
$this->session->set('last_token_update', $now);
}
}
/**
* Validates the given password
*
* @param array|bool $linkItem
* @param string $password
*
* @throws ServiceException
*/
private function checkPassword($linkItem, $password)
{
$newHash = '';
if ($this->hasher->verify($password, $linkItem['share_with'], $newHash)) {
// Save item id in session for future requests
$this->session->set('public_link_authenticated', $linkItem['id']);
if (!empty($newHash)) {
// For future use
}
} else {
$this->logAndThrow("Wrong password", Http::STATUS_UNAUTHORIZED);
}
}
/**
* Validates the given password
*
* @param array|bool $linkItem
* @param string $password
*
* @throws CheckException
*/
private function checkPassword($linkItem, $password)
{
$newHash = '';
if ($this->hasher->verify($password, $linkItem['share_with'], $newHash)) {
// Save item id in session for future requests
$this->session->set('public_link_authenticated', $linkItem['id']);
// @codeCoverageIgnoreStart
if (!empty($newHash)) {
// For future use
}
// @codeCoverageIgnoreEnd
} else {
throw new CheckException("Wrong password", Http::STATUS_UNAUTHORIZED);
}
}
/**
* Validates the given password
*
* @fixme @LukasReschke says: Migrate old hashes to new hash format
* Due to the fact that there is no reasonable functionality to update the password
* of an existing share no migration is yet performed there.
* The only possibility is to update the existing share which will result in a new
* share ID and is a major hack.
*
* In the future the migration should be performed once there is a proper method
* to update the share's password. (for example `$share->updatePassword($password)`
*
* @link https://github.com/owncloud/core/issues/10671
*
* @param IShare $share
* @param string $password
*
* @throws CheckException
*/
private function checkPassword($share, $password)
{
$newHash = '';
if ($this->shareManager->checkPassword($share, $password)) {
// Save item id in session for future requests
$this->session->set('public_link_authenticated', (string) $share->getId());
// @codeCoverageIgnoreStart
if (!empty($newHash)) {
// For future use
}
// @codeCoverageIgnoreEnd
} else {
throw new CheckException("Wrong password", Http::STATUS_UNAUTHORIZED);
}
}
/**
* Authenticate a link item with the given password.
* Or use the session if no password is provided.
*
* This is a modified version of Helper::authenticate
* TODO: Try to merge back eventually with Helper::authenticate
*
* @param \OCP\Share\IShare $share
* @param string|null $password
* @return bool
*/
private function linkShareAuth(\OCP\Share\IShare $share, $password = null)
{
if ($password !== null) {
if ($this->shareManager->checkPassword($share, $password)) {
$this->session->set('public_link_authenticated', (string) $share->getId());
} else {
return false;
}
} else {
// not authenticated ?
if (!$this->session->exists('public_link_authenticated') || $this->session->get('public_link_authenticated') !== (string) $share->getId()) {
return false;
}
}
return true;
}
/**
* @NoAdminRequired
* @NoCSRFRequired
* @UseSession
*
* @param string $challengeProviderId
* @param string $challenge
* @param string $redirect_url
* @return RedirectResponse
*/
public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null)
{
$user = $this->userSession->getUser();
$provider = $this->twoFactorManager->getProvider($user, $challengeProviderId);
if (is_null($provider)) {
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
}
if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
if (!is_null($redirect_url)) {
return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
}
return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));
}
$this->session->set('two_factor_auth_error', true);
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', ['challengeProviderId' => $provider->getId(), 'redirect_url' => $redirect_url]));
}
/**
* Validates a username and password
*
* This method should return true or false depending on if login
* succeeded.
*
* @param string $username
* @param string $password
* @return bool
*/
protected function validateUserPass($username, $password)
{
if ($this->userSession->isLoggedIn() && $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
\OC_Util::setupFS($this->userSession->getUser()->getUID());
$this->session->close();
return true;
} else {
\OC_Util::setUpFS();
//login hooks may need early access to the filesystem
if ($this->userSession->login($username, $password)) {
\OC_Util::setUpFS($this->userSession->getUser()->getUID());
$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
$this->session->close();
return true;
} else {
$this->session->close();
return false;
}
}
}
/**
* @PublicPage
* @UseSession
*
* @param string $user
* @param string $password
* @param string $redirect_url
* @return RedirectResponse
*/
public function tryLogin($user, $password, $redirect_url)
{
$originalUser = $user;
// TODO: Add all the insane error handling
/* @var $loginResult IUser */
$loginResult = $this->userManager->checkPassword($user, $password);
if ($loginResult === false) {
$users = $this->userManager->getByEmail($user);
// we only allow login by email if unique
if (count($users) === 1) {
$user = $users[0]->getUID();
$loginResult = $this->userManager->checkPassword($user, $password);
}
}
if ($loginResult === false) {
$this->session->set('loginMessages', [['invalidpassword']]);
// Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name
$args = !is_null($user) ? ['user' => $originalUser] : [];
return new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args));
}
// TODO: remove password checks from above and let the user session handle failures
// requires https://github.com/owncloud/core/pull/24616
$this->userSession->login($user, $password);
$this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password);
if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) {
$this->twoFactorManager->prepareTwoFactorLogin($loginResult);
if (!is_null($redirect_url)) {
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', ['redirect_url' => $redirect_url]));
}
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
}
if (!is_null($redirect_url) && $this->userSession->isLoggedIn()) {
$location = $this->urlGenerator->getAbsoluteURL(urldecode($redirect_url));
// Deny the redirect if the URL contains a @
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
if (strpos($location, '@') === false) {
return new RedirectResponse($location);
}
}
return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));
}
/**
* Tries to login the user with HTTP Basic Authentication
*
* @todo do not allow basic auth if the user is 2FA enforced
* @param IRequest $request
* @return boolean if the login was successful
*/
public function tryBasicAuthLogin(IRequest $request)
{
if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
try {
if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request)) {
/**
* Add DAV authenticated. This should in an ideal world not be
* necessary but the iOS App reads cookies from anywhere instead
* only the DAV endpoint.
* This makes sure that the cookies will be valid for the whole scope
* @see https://github.com/owncloud/core/issues/22893
*/
$this->session->set(Auth::DAV_AUTHENTICATED, $this->getUser()->getUID());
return true;
}
} catch (PasswordLoginForbiddenException $ex) {
// Nothing to do
}
}
return false;
}
/**
* store data needed for the decrypt all operation in the session
*
* @param string $user
* @param string $key
*/
public function prepareDecryptAll($user, $key)
{
$this->session->set('decryptAll', true);
$this->session->set('decryptAllKey', $key);
$this->session->set('decryptAllUid', $user);
}
/**
* Hook listener on post login
*
* @param array $params
*/
public function authenticate(array $params)
{
$this->session->set('password::sessioncredentials/credentials', $this->crypto->encrypt(json_encode($params)));
}
/**
* Sets user private key to session
*
* @param string $key users private key
*
* @note this should only be set on login
*/
public function setPrivateKey($key)
{
$this->session->set('privateKey', $key);
}
/**
* Set the valid current token to $value.
*
* @param string $value
*/
public function setToken($value)
{
$this->session->set('requesttoken', $value);
}
/**
* Prepare the 2FA login (set session value)
*
* @param IUser $user
*/
public function prepareTwoFactorLogin(IUser $user)
{
$this->session->set(self::SESSION_UID_KEY, $user->getUID());
}
/**
* Set a value in the session
*
* @param string $key
* @param mixed $value
*/
public function set($key, $value)
{
$encryptedValue = $this->crypto->encrypt(json_encode($value), $this->passphrase);
$this->session->set($key, $encryptedValue);
}
