nextcloud/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php

<?php

/**
 * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
namespace OC\AppFramework\Middleware\Security;

use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Authentication\Token\IProvider;
use OC\User\Manager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Authentication\Exceptions\ExpiredTokenException;
use OCP\Authentication\Exceptions\InvalidTokenException;
use OCP\Authentication\Exceptions\WipeTokenException;
use OCP\Authentication\Token\IToken;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Session\Exceptions\SessionNotAvailableException;
use OCP\User\Backend\IPasswordConfirmationBackend;
use Psr\Log\LoggerInterface;
use ReflectionMethod;

class PasswordConfirmationMiddleware extends Middleware {
	private array $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];

	public function __construct(
		private ControllerMethodReflector $reflector,
		private ISession $session,
		private IUserSession $userSession,
		private ITimeFactory $timeFactory,
		private IProvider $tokenProvider,
		private readonly LoggerInterface $logger,
		private readonly IRequest $request,
		private readonly Manager $userManager,
	) {
	}

	/**
	 * @throws NotConfirmedException
	 */
	public function beforeController(Controller $controller, string $methodName) {
		$reflectionMethod = new ReflectionMethod($controller, $methodName);

		if (!$this->needsPasswordConfirmation($reflectionMethod)) {
			return;
		}

		$user = $this->userSession->getUser();
		$backendClassName = '';
		if ($user !== null) {
			$backend = $user->getBackend();
			if ($backend instanceof IPasswordConfirmationBackend) {
				if (!$backend->canConfirmPassword($user->getUID())) {
					return;
				}
			}

			$backendClassName = $user->getBackendClassName();
		}

		try {
			$sessionId = $this->session->getId();
			$token = $this->tokenProvider->getToken($sessionId);
		} catch (SessionNotAvailableException|InvalidTokenException|WipeTokenException|ExpiredTokenException) {
			// States we do not deal with here.
			return;
		}

		$scope = $token->getScopeAsArray();
		if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {
			// Users logging in from SSO backends cannot confirm their password by design
			return;
		}

		if ($this->isPasswordConfirmationStrict($reflectionMethod)) {
			$authHeader = $this->request->getHeader('Authorization');
			if (!str_starts_with(strtolower($authHeader), 'basic ')) {
				throw new NotConfirmedException('Required authorization header missing');
			}
			[, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);
			$loginName = $this->session->get('loginname');
			$loginResult = $this->userManager->checkPassword($loginName, $password);
			if ($loginResult === false) {
				throw new NotConfirmedException();
			}

			$this->session->set('last-password-confirm', $this->timeFactory->getTime());
		} else {
			$lastConfirm = (int)$this->session->get('last-password-confirm');
			// TODO: confirm excludedUserBackEnds can go away and remove it
			if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
				throw new NotConfirmedException();
			}
		}
	}

	private function needsPasswordConfirmation(ReflectionMethod $reflectionMethod): bool {
		$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);
		if (!empty($attributes)) {
			return true;
		}

		if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
			$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . 'PasswordConfirmationRequired' . ' annotation and should use the #[PasswordConfirmationRequired] attribute instead');
			return true;
		}

		return false;
	}

	private function isPasswordConfirmationStrict(ReflectionMethod $reflectionMethod): bool {
		$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);
		return !empty($attributes) && ($attributes[0]->newInstance()->getStrict());
	}
}
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`<?php`
chore: apply new CSFixer rules Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> # Conflicts: # apps/settings/lib/SetupChecks/PhpOpcacheSetup.php 2025-06-30 09:04:05 -04:00
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-23 03:26:56 -04:00			`* SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`*/`
			`namespace OC\AppFramework\Middleware\Security;`

			`use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;`
			`use OC\AppFramework\Utility\ControllerMethodReflector;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OC\Authentication\Token\IProvider;`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`use OC\User\Manager;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\AppFramework\Controller;`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\AppFramework\Middleware;`
			`use OCP\AppFramework\Utility\ITimeFactory;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OCP\Authentication\Exceptions\ExpiredTokenException;`
			`use OCP\Authentication\Exceptions\InvalidTokenException;`
			`use OCP\Authentication\Exceptions\WipeTokenException;`
refactor(Token): introduce scope constants Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-15 07:51:31 -04:00			`use OCP\Authentication\Token\IToken;`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`use OCP\IRequest;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\ISession;`
			`use OCP\IUserSession;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OCP\Session\Exceptions\SessionNotAvailableException;`
Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-11 15:56:24 -04:00			`use OCP\User\Backend\IPasswordConfirmationBackend;`
feat(Security): Warn about using annotations instead of attributes Signed-off-by: provokateurin <kate@provokateurin.de> 2024-07-15 09:25:45 -04:00			`use Psr\Log\LoggerInterface;`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`use ReflectionMethod;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00
			`class PasswordConfirmationMiddleware extends Middleware {`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`private array $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00
			`public function __construct(`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`private ControllerMethodReflector $reflector,`
			`private ISession $session,`
			`private IUserSession $userSession,`
			`private ITimeFactory $timeFactory,`
			`private IProvider $tokenProvider,`
feat(Security): Warn about using annotations instead of attributes Signed-off-by: provokateurin <kate@provokateurin.de> 2024-07-15 09:25:45 -04:00			`private readonly LoggerInterface $logger,`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`private readonly IRequest $request,`
			`private readonly Manager $userManager,`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`) {`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`

			`/**`
			`* @throws NotConfirmedException`
			`*/`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`public function beforeController(Controller $controller, string $methodName) {`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`$reflectionMethod = new ReflectionMethod($controller, $methodName);`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`if (!$this->needsPasswordConfirmation($reflectionMethod)) {`
			`return;`
			`}`
Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-11 15:56:24 -04:00
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`$user = $this->userSession->getUser();`
			`$backendClassName = '';`
			`if ($user !== null) {`
			`$backend = $user->getBackend();`
			`if ($backend instanceof IPasswordConfirmationBackend) {`
			`if (!$backend->canConfirmPassword($user->getUID())) {`
			`return;`
			`}`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`$backendClassName = $user->getBackendClassName();`
			`}`

			`try {`
			`$sessionId = $this->session->getId();`
			`$token = $this->tokenProvider->getToken($sessionId);`
			`} catch (SessionNotAvailableException\|InvalidTokenException\|WipeTokenException\|ExpiredTokenException) {`
			`// States we do not deal with here.`
			`return;`
			`}`

			`$scope = $token->getScopeAsArray();`
			`if (isset($scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION]) && $scope[IToken::SCOPE_SKIP_PASSWORD_VALIDATION] === true) {`
			`// Users logging in from SSO backends cannot confirm their password by design`
			`return;`
			`}`

			`if ($this->isPasswordConfirmationStrict($reflectionMethod)) {`
			`$authHeader = $this->request->getHeader('Authorization');`
fix: throw a better error if we don't get an authorization header for secutity confirmation Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-06-23 12:13:39 -04:00			`if (!str_starts_with(strtolower($authHeader), 'basic ')) {`
			`throw new NotConfirmedException('Required authorization header missing');`
			`}`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`[, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);`
fix: Use login name to check the password Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-04-02 09:50:05 -04:00			`$loginName = $this->session->get('loginname');`
			`$loginResult = $this->userManager->checkPassword($loginName, $password);`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`if ($loginResult === false) {`
			`throw new NotConfirmedException();`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`}`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`$this->session->set('last-password-confirm', $this->timeFactory->getTime());`
			`} else {`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`$lastConfirm = (int)$this->session->get('last-password-confirm');`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`// TODO: confirm excludedUserBackEnds can go away and remove it`
add global site selector as user back-end which doesn't support password confirmation Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org> 2018-10-27 09:43:51 -04:00			`if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`throw new NotConfirmedException();`
			`}`
			`}`
			`}`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`private function needsPasswordConfirmation(ReflectionMethod $reflectionMethod): bool {`
			`$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);`
			`if (!empty($attributes)) {`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`return true;`
			`}`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00			`if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {`
			`$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . 'PasswordConfirmationRequired' . ' annotation and should use the #[PasswordConfirmationRequired] attribute instead');`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`return true;`
			`}`

			`return false;`
			`}`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2024-11-27 11:01:25 -05:00
			`private function isPasswordConfirmationStrict(ReflectionMethod $reflectionMethod): bool {`
			`$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);`
			`return !empty($attributes) && ($attributes[0]->newInstance()->getStrict());`
			`}`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`