nextcloud/apps/encryption/lib/Controller/RecoveryController.php

<?php

/**
 * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */
namespace OCA\Encryption\Controller;

use OCA\Encryption\Recovery;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\DataResponse;
use OCP\Encryption\Exceptions\GenericEncryptionException;
use OCP\IL10N;
use OCP\IRequest;
use Psr\Log\LoggerInterface;

class RecoveryController extends Controller {
	public function __construct(
		string $appName,
		IRequest $request,
		private IL10N $l,
		private Recovery $recovery,
		private LoggerInterface $logger,
	) {
		parent::__construct($appName, $request);
	}

	public function adminRecovery(string $recoveryPassword, string $confirmPassword, bool $adminEnableRecovery): DataResponse {
		// Check if both passwords are the same
		if (empty($recoveryPassword)) {
			$errorMessage = $this->l->t('Missing recovery key password');
			return new DataResponse(['data' => ['message' => $errorMessage]],
				Http::STATUS_BAD_REQUEST);
		}

		if (empty($confirmPassword)) {
			$errorMessage = $this->l->t('Please repeat the recovery key password');
			return new DataResponse(['data' => ['message' => $errorMessage]],
				Http::STATUS_BAD_REQUEST);
		}

		if ($recoveryPassword !== $confirmPassword) {
			$errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password');
			return new DataResponse(['data' => ['message' => $errorMessage]],
				Http::STATUS_BAD_REQUEST);
		}

		try {
			if ($adminEnableRecovery) {
				if ($this->recovery->enableAdminRecovery($recoveryPassword)) {
					return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully enabled')]]);
				}
				return new DataResponse(['data' => ['message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST);
			} else {
				if ($this->recovery->disableAdminRecovery($recoveryPassword)) {
					return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully disabled')]]);
				}
				return new DataResponse(['data' => ['message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST);
			}
		} catch (\Exception $e) {
			$this->logger->error('Error enabling or disabling recovery key', ['exception' => $e]);
			if ($e instanceof GenericEncryptionException) {
				return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_INTERNAL_SERVER_ERROR);
			}
			return new DataResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}
	}

	public function changeRecoveryPassword(string $newPassword, string $oldPassword, string $confirmPassword): DataResponse {
		//check if both passwords are the same
		if (empty($oldPassword)) {
			$errorMessage = $this->l->t('Please provide the old recovery password');
			return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
		}

		if (empty($newPassword)) {
			$errorMessage = $this->l->t('Please provide a new recovery password');
			return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
		}

		if (empty($confirmPassword)) {
			$errorMessage = $this->l->t('Please repeat the new recovery password');
			return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
		}

		if ($newPassword !== $confirmPassword) {
			$errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password');
			return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
		}

		try {
			$result = $this->recovery->changeRecoveryKeyPassword($newPassword,
				$oldPassword);

			if ($result) {
				return new DataResponse(
					[
						'data' => [
							'message' => $this->l->t('Password successfully changed.')]
					]
				);
			}
			return new DataResponse([
				'data' => [
					'message' => $this->l->t('Could not change the password. Maybe the old password was not correct.')
				]
			], Http::STATUS_BAD_REQUEST);
		} catch (\Exception $e) {
			$this->logger->error('Error changing recovery password', ['exception' => $e]);
			if ($e instanceof GenericEncryptionException) {
				return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_INTERNAL_SERVER_ERROR);
			}
			return new DataResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}
	}

	/**
	 * @param string $userEnableRecovery
	 * @return DataResponse
	 */
	#[NoAdminRequired]
	public function userSetRecovery($userEnableRecovery) {
		if ($userEnableRecovery === '0' || $userEnableRecovery === '1') {
			$result = $this->recovery->setRecoveryForUser($userEnableRecovery);

			if ($result) {
				if ($userEnableRecovery === '0') {
					return new DataResponse(
						[
							'data' => [
								'message' => $this->l->t('Recovery Key disabled')]
						]
					);
				}
				return new DataResponse(
					[
						'data' => [
							'message' => $this->l->t('Recovery Key enabled')]
					]
				);
			}
		}
		return new DataResponse(
			[
				'data' => [
					'message' => $this->l->t('Could not enable the recovery key, please try again or contact your administrator')
				]
			], Http::STATUS_BAD_REQUEST);
	}
}
Initial commit 2015-02-24 13:05:19 -05:00			`<?php`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-28 10:42:42 -04:00
Initial commit 2015-02-24 13:05:19 -05:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-28 10:42:42 -04:00			`* SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Initial commit 2015-02-24 13:05:19 -05:00			`*/`
			`namespace OCA\Encryption\Controller;`

			`use OCA\Encryption\Recovery;`
			`use OCP\AppFramework\Controller;`
fix messages from settings crontroller 2015-04-22 13:26:06 -04:00			`use OCP\AppFramework\Http;`
refactor(encryption): Replace security annotations with respective attributes Signed-off-by: provokateurin <kate@provokateurin.de> 2024-07-25 07:14:45 -04:00			`use OCP\AppFramework\Http\Attribute\NoAdminRequired;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OCP\AppFramework\Http\DataResponse;`
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`use OCP\Encryption\Exceptions\GenericEncryptionException;`
Initial commit 2015-02-24 13:05:19 -05:00			`use OCP\IL10N;`
			`use OCP\IRequest;`
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`use Psr\Log\LoggerInterface;`
Initial commit 2015-02-24 13:05:19 -05:00
			`class RecoveryController extends Controller {`
refactor(apps): Use constructor property promotion when possible Signed-off-by: provokateurin <kate@provokateurin.de> 2024-10-18 06:04:22 -04:00			`public function __construct(`
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`string $appName,`
chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> 2023-11-23 04:22:34 -05:00			`IRequest $request,`
refactor(apps): Use constructor property promotion when possible Signed-off-by: provokateurin <kate@provokateurin.de> 2024-10-18 06:04:22 -04:00			`private IL10N $l,`
			`private Recovery $recovery,`
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`private LoggerInterface $logger,`
refactor(apps): Use constructor property promotion when possible Signed-off-by: provokateurin <kate@provokateurin.de> 2024-10-18 06:04:22 -04:00			`) {`
refactor: Apply rector Nextcloud 26 set Signed-off-by: provokateurin <kate@provokateurin.de> 2025-09-27 13:02:16 -04:00			`parent::__construct($appName, $request);`
Initial commit 2015-02-24 13:05:19 -05:00			`}`

refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`public function adminRecovery(string $recoveryPassword, string $confirmPassword, bool $adminEnableRecovery): DataResponse {`
Initial commit 2015-02-24 13:05:19 -05:00			`// Check if both passwords are the same`
			`if (empty($recoveryPassword)) {`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`$errorMessage = $this->l->t('Missing recovery key password');`
fixing return values and adding tests 2015-04-20 10:23:09 -04:00			`return new DataResponse(['data' => ['message' => $errorMessage]],`
change error codes to 400 2015-04-24 09:42:02 -04:00			`Http::STATUS_BAD_REQUEST);`
Initial commit 2015-02-24 13:05:19 -05:00			`}`

			`if (empty($confirmPassword)) {`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`$errorMessage = $this->l->t('Please repeat the recovery key password');`
fixing return values and adding tests 2015-04-20 10:23:09 -04:00			`return new DataResponse(['data' => ['message' => $errorMessage]],`
change error codes to 400 2015-04-24 09:42:02 -04:00			`Http::STATUS_BAD_REQUEST);`
Initial commit 2015-02-24 13:05:19 -05:00			`}`

			`if ($recoveryPassword !== $confirmPassword) {`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`$errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password');`
fixing return values and adding tests 2015-04-20 10:23:09 -04:00			`return new DataResponse(['data' => ['message' => $errorMessage]],`
change error codes to 400 2015-04-24 09:42:02 -04:00			`Http::STATUS_BAD_REQUEST);`
Initial commit 2015-02-24 13:05:19 -05:00			`}`

refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`try {`
			`if ($adminEnableRecovery) {`
			`if ($this->recovery->enableAdminRecovery($recoveryPassword)) {`
			`return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully enabled')]]);`
			`}`
			`return new DataResponse(['data' => ['message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST);`
			`} else {`
			`if ($this->recovery->disableAdminRecovery($recoveryPassword)) {`
			`return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully disabled')]]);`
			`}`
			`return new DataResponse(['data' => ['message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST);`
Initial commit 2015-02-24 13:05:19 -05:00			`}`
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`} catch (\Exception $e) {`
			`$this->logger->error('Error enabling or disabling recovery key', ['exception' => $e]);`
			`if ($e instanceof GenericEncryptionException) {`
			`return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_INTERNAL_SERVER_ERROR);`
Initial commit 2015-02-24 13:05:19 -05:00			`}`
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`return new DataResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);`
fix set recovery key and implement change password 2015-03-31 07:48:03 -04:00			`}`
			`}`

refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`public function changeRecoveryPassword(string $newPassword, string $oldPassword, string $confirmPassword): DataResponse {`
fix set recovery key and implement change password 2015-03-31 07:48:03 -04:00			`//check if both passwords are the same`
			`if (empty($oldPassword)) {`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`$errorMessage = $this->l->t('Please provide the old recovery password');`
change error codes to 400 2015-04-24 09:42:02 -04:00			`return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);`
fix set recovery key and implement change password 2015-03-31 07:48:03 -04:00			`}`

			`if (empty($newPassword)) {`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`$errorMessage = $this->l->t('Please provide a new recovery password');`
Remove spaces after method or function call Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-09 10:05:56 -04:00			`return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);`
fix set recovery key and implement change password 2015-03-31 07:48:03 -04:00			`}`

			`if (empty($confirmPassword)) {`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`$errorMessage = $this->l->t('Please repeat the new recovery password');`
change error codes to 400 2015-04-24 09:42:02 -04:00			`return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);`
fix set recovery key and implement change password 2015-03-31 07:48:03 -04:00			`}`

			`if ($newPassword !== $confirmPassword) {`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`$errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password');`
change error codes to 400 2015-04-24 09:42:02 -04:00			`return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);`
fix set recovery key and implement change password 2015-03-31 07:48:03 -04:00			`}`

refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`try {`
			`$result = $this->recovery->changeRecoveryKeyPassword($newPassword,`
			`$oldPassword);`
fix set recovery key and implement change password 2015-03-31 07:48:03 -04:00
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`if ($result) {`
			`return new DataResponse(`
			`[`
			`'data' => [`
			`'message' => $this->l->t('Password successfully changed.')]`
			`]`
			`);`
			`}`
			`return new DataResponse([`
destupify tests 2015-04-20 13:49:21 -04:00			`'data' => [`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`'message' => $this->l->t('Could not change the password. Maybe the old password was not correct.')`
destupify tests 2015-04-20 13:49:21 -04:00			`]`
change error codes to 400 2015-04-24 09:42:02 -04:00			`], Http::STATUS_BAD_REQUEST);`
refactor(encryption): migrate to Vue 3 and Typescript and script setup Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2026-01-13 08:44:53 -05:00			`} catch (\Exception $e) {`
			`$this->logger->error('Error changing recovery password', ['exception' => $e]);`
			`if ($e instanceof GenericEncryptionException) {`
			`return new DataResponse(['data' => ['message' => $e->getMessage()]], Http::STATUS_INTERNAL_SERVER_ERROR);`
			`}`
			`return new DataResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);`
			`}`
Initial commit 2015-02-24 13:05:19 -05:00			`}`

make recovery key work 2015-04-01 08:24:56 -04:00			`/**`
Fix code style 2015-04-09 04:46:46 -04:00			`* @param string $userEnableRecovery`
			`* @return DataResponse`
make recovery key work 2015-04-01 08:24:56 -04:00			`*/`
refactor(encryption): Replace security annotations with respective attributes Signed-off-by: provokateurin <kate@provokateurin.de> 2024-07-25 07:14:45 -04:00			`#[NoAdminRequired]`
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files 2015-03-31 10:23:31 -04:00			`public function userSetRecovery($userEnableRecovery) {`
			`if ($userEnableRecovery === '0' \|\| $userEnableRecovery === '1') {`
			`$result = $this->recovery->setRecoveryForUser($userEnableRecovery);`

			`if ($result) {`
remove status's and adjust js 2015-04-22 10:41:47 -04:00			`if ($userEnableRecovery === '0') {`
			`return new DataResponse(`
			`[`
			`'data' => [`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`'message' => $this->l->t('Recovery Key disabled')]`
remove status's and adjust js 2015-04-22 10:41:47 -04:00			`]`
			`);`
			`}`
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files 2015-03-31 10:23:31 -04:00			`return new DataResponse(`
remove status's and adjust js 2015-04-22 10:41:47 -04:00			`[`
destupify tests 2015-04-20 13:49:21 -04:00			`'data' => [`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`'message' => $this->l->t('Recovery Key enabled')]`
remove status's and adjust js 2015-04-22 10:41:47 -04:00			`]`
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files 2015-03-31 10:23:31 -04:00			`);`
			`}`
			`}`
destupify tests 2015-04-20 13:49:21 -04:00			`return new DataResponse(`
remove status's and adjust js 2015-04-22 10:41:47 -04:00			`[`
destupify tests 2015-04-20 13:49:21 -04:00			`'data' => [`
Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-11 06:57:03 -05:00			`'message' => $this->l->t('Could not enable the recovery key, please try again or contact your administrator')`
destupify tests 2015-04-20 13:49:21 -04:00			`]`
change error codes to 400 2015-04-24 09:42:02 -04:00			`], Http::STATUS_BAD_REQUEST);`
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files 2015-03-31 10:23:31 -04:00			`}`
Initial commit 2015-02-24 13:05:19 -05:00			`}`