nextcloud/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php

<?php
/**
 * @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @author Bjoern Schiessle <bjoern@schiessle.org>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
namespace OC\AppFramework\Middleware\Security;

use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Authentication\Token\IProvider;
use OC\User\Manager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Authentication\Exceptions\ExpiredTokenException;
use OCP\Authentication\Exceptions\InvalidTokenException;
use OCP\Authentication\Exceptions\WipeTokenException;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Session\Exceptions\SessionNotAvailableException;
use OCP\User\Backend\IPasswordConfirmationBackend;
use Psr\Log\LoggerInterface;
use ReflectionMethod;

class PasswordConfirmationMiddleware extends Middleware {
	private array $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];

	public function __construct(
		private ControllerMethodReflector $reflector,
		private ISession $session,
		private IUserSession $userSession,
		private ITimeFactory $timeFactory,
		private IProvider $tokenProvider,
		private LoggerInterface $logger,
		private IRequest $request,
		private Manager $userManager,
	) {
	}

	/**
	 * @throws NotConfirmedException
	 */
	public function beforeController(Controller $controller, string $methodName) {
		$reflectionMethod = new ReflectionMethod($controller, $methodName);

		if (!$this->needsPasswordConfirmation($reflectionMethod)) {
			return;
		}

		$user = $this->userSession->getUser();
		$backendClassName = '';
		if ($user !== null) {
			$backend = $user->getBackend();
			if ($backend instanceof IPasswordConfirmationBackend) {
				if (!$backend->canConfirmPassword($user->getUID())) {
					return;
				}
			}

			$backendClassName = $user->getBackendClassName();
		}

		try {
			$sessionId = $this->session->getId();
			$token = $this->tokenProvider->getToken($sessionId);
		} catch (SessionNotAvailableException|InvalidTokenException|WipeTokenException|ExpiredTokenException) {
			// States we do not deal with here.
			return;
		}

		$scope = $token->getScopeAsArray();
		if (isset($scope['password-unconfirmable']) && $scope['password-unconfirmable'] === true) {
			// Users logging in from SSO backends cannot confirm their password by design
			return;
		}

		if ($this->isPasswordConfirmationStrict($reflectionMethod)) {
			$authHeader = $this->request->getHeader('Authorization');
			[, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);
			$loginResult = $this->userManager->checkPassword($user->getUid(), $password);
			if ($loginResult === false) {
				throw new NotConfirmedException();
			}

			$this->session->set('last-password-confirm', $this->timeFactory->getTime());
		} else {
			$lastConfirm = (int) $this->session->get('last-password-confirm');
			// TODO: confirm excludedUserBackEnds can go away and remove it
			if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
				throw new NotConfirmedException();
			}
		}
	}

	private function needsPasswordConfirmation(ReflectionMethod $reflectionMethod): bool {
		$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);
		if (!empty($attributes)) {
			return true;
		}

		if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
			$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . 'PasswordConfirmationRequired' . ' annotation and should use the #[PasswordConfirmationRequired] attribute instead');
			return true;
		}

		return false;
	}

	private function isPasswordConfirmationStrict(ReflectionMethod $reflectionMethod): bool {
		$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);
		return !empty($attributes) && ($attributes[0]->newInstance()->getStrict());
	}
}
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`<?php`
			`/**`
			`* @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>`
			`*`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 13:57:53 -05:00			`* @author Bjoern Schiessle <bjoern@schiessle.org>`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`* @author Roeland Jago Douma <roeland@famdouma.nl>`
			`*`
			`* @license GNU AGPL version 3 or any later version`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> 2021-06-04 15:52:51 -04:00			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 13:57:53 -05:00			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`*`
			`*/`
			`namespace OC\AppFramework\Middleware\Security;`

			`use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;`
			`use OC\AppFramework\Utility\ControllerMethodReflector;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OC\Authentication\Token\IProvider;`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`use OC\User\Manager;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\AppFramework\Controller;`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\AppFramework\Middleware;`
			`use OCP\AppFramework\Utility\ITimeFactory;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OCP\Authentication\Exceptions\ExpiredTokenException;`
			`use OCP\Authentication\Exceptions\InvalidTokenException;`
			`use OCP\Authentication\Exceptions\WipeTokenException;`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`use OCP\IRequest;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`use OCP\ISession;`
			`use OCP\IUserSession;`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`use OCP\Session\Exceptions\SessionNotAvailableException;`
Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-11 15:56:24 -04:00			`use OCP\User\Backend\IPasswordConfirmationBackend;`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`use Psr\Log\LoggerInterface;`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`use ReflectionMethod;`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00
			`class PasswordConfirmationMiddleware extends Middleware {`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`private array $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`public function __construct(`
			`private ControllerMethodReflector $reflector,`
			`private ISession $session,`
			`private IUserSession $userSession,`
			`private ITimeFactory $timeFactory,`
			`private IProvider $tokenProvider,`
			`private LoggerInterface $logger,`
			`private IRequest $request,`
			`private Manager $userManager,`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`) {`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`

			`/**`
			`* @throws NotConfirmedException`
			`*/`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`public function beforeController(Controller $controller, string $methodName) {`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`$reflectionMethod = new ReflectionMethod($controller, $methodName);`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`if (!$this->needsPasswordConfirmation($reflectionMethod)) {`
			`return;`
			`}`
Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-11 15:56:24 -04:00
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`$user = $this->userSession->getUser();`
			`$backendClassName = '';`
			`if ($user !== null) {`
			`$backend = $user->getBackend();`
			`if ($backend instanceof IPasswordConfirmationBackend) {`
			`if (!$backend->canConfirmPassword($user->getUID())) {`
			`return;`
			`}`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`$backendClassName = $user->getBackendClassName();`
			`}`

			`try {`
			`$sessionId = $this->session->getId();`
			`$token = $this->tokenProvider->getToken($sessionId);`
			`} catch (SessionNotAvailableException\|InvalidTokenException\|WipeTokenException\|ExpiredTokenException) {`
			`// States we do not deal with here.`
			`return;`
			`}`

			`$scope = $token->getScopeAsArray();`
			`if (isset($scope['password-unconfirmable']) && $scope['password-unconfirmable'] === true) {`
			`// Users logging in from SSO backends cannot confirm their password by design`
			`return;`
			`}`

			`if ($this->isPasswordConfirmationStrict($reflectionMethod)) {`
			`$authHeader = $this->request->getHeader('Authorization');`
			`[, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);`
			`$loginResult = $this->userManager->checkPassword($user->getUid(), $password);`
			`if ($loginResult === false) {`
			`throw new NotConfirmedException();`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`}`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`$this->session->set('last-password-confirm', $this->timeFactory->getTime());`
			`} else {`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`$lastConfirm = (int) $this->session->get('last-password-confirm');`
fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2024-03-01 12:37:47 -05:00			`// TODO: confirm excludedUserBackEnds can go away and remove it`
add global site selector as user back-end which doesn't support password confirmation Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org> 2018-10-27 09:43:51 -04:00			`if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`throw new NotConfirmedException();`
			`}`
			`}`
			`}`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`private function needsPasswordConfirmation(ReflectionMethod $reflectionMethod): bool {`
			`$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);`
			`if (!empty($attributes)) {`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`return true;`
			`}`

feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00			`if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {`
			`$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . 'PasswordConfirmationRequired' . ' annotation and should use the #[PasswordConfirmationRequired] attribute instead');`
feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-04-24 11:13:18 -04:00			`return true;`
			`}`

			`return false;`
			`}`
feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me> 2025-02-11 05:28:31 -05:00
			`private function isPasswordConfirmationStrict(ReflectionMethod $reflectionMethod): bool {`
			`$attributes = $reflectionMethod->getAttributes(PasswordConfirmationRequired::class);`
			`return !empty($attributes) && ($attributes[0]->newInstance()->getStrict());`
			`}`
Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-02 15:13:32 -05:00			`}`