nextcloud/core/Middleware/TwoFactorMiddleware.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */
namespace OC\Core\Middleware;

use Exception;
use OC\Authentication\Exceptions\TwoFactorAuthRequiredException;
use OC\Authentication\Exceptions\UserAlreadyLoggedInException;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Core\Controller\LoginController;
use OC\Core\Controller\TwoFactorChallengeController;
use OC\User\Session;
use OCA\TwoFactorNextcloudNotification\Controller\APIController;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\Utility\IControllerMethodReflector;
use OCP\Authentication\TwoFactorAuth\ALoginSetupController;
use OCP\IRequest;
use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IUser;

class TwoFactorMiddleware extends Middleware {
	public function __construct(
		private Manager $twoFactorManager,
		private Session $userSession,
		private ISession $session,
		private IURLGenerator $urlGenerator,
		private IControllerMethodReflector $reflector,
		private IRequest $request,
	) {
	}

	/**
	 * @param Controller $controller
	 * @param string $methodName
	 */
	public function beforeController($controller, $methodName) {
		if ($this->reflector->hasAnnotation('NoTwoFactorRequired')) {
			// Route handler explicitly marked to work without finished 2FA are
			// not blocked
			return;
		}

		if ($controller instanceof APIController && $methodName === 'poll') {
			// Allow polling the twofactor nextcloud notifications state
			return;
		}

		if ($controller instanceof TwoFactorChallengeController
			&& $this->userSession->getUser() !== null
			&& !$this->reflector->hasAnnotation('TwoFactorSetUpDoneRequired')) {
			$providers = $this->twoFactorManager->getProviderSet($this->userSession->getUser());

			if (!($providers->getPrimaryProviders() === [] && !$providers->isProviderMissing())) {
				throw new TwoFactorAuthRequiredException();
			}
		}

		if ($controller instanceof ALoginSetupController
			&& $this->userSession->getUser() !== null
			&& $this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
			$providers = $this->twoFactorManager->getProviderSet($this->userSession->getUser());

			if ($providers->getPrimaryProviders() === [] && !$providers->isProviderMissing()) {
				return;
			}
		}

		if ($controller instanceof LoginController && $methodName === 'logout') {
			// Don't block the logout page, to allow canceling the 2FA
			return;
		}

		if ($this->userSession->isLoggedIn()) {
			$user = $this->userSession->getUser();

			if ($this->session->exists('app_password')  // authenticated using an app password
				|| $this->session->exists('app_api')  // authenticated using an AppAPI Auth
				|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {

				$this->checkTwoFactor($controller, $methodName, $user);
			} elseif ($controller instanceof TwoFactorChallengeController) {
				// Allow access to the two-factor controllers only if two-factor authentication
				// is in progress.
				throw new UserAlreadyLoggedInException();
			}
		}
		// TODO: dont check/enforce 2FA if a auth token is used
	}

	private function checkTwoFactor(Controller $controller, $methodName, IUser $user) {
		// If two-factor auth is in progress disallow access to any controllers
		// defined within "LoginController".
		$needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user);
		$twoFactor = $controller instanceof TwoFactorChallengeController;

		// Disallow access to any controller if 2FA needs to be checked
		if ($needsSecondFactor && !$twoFactor) {
			throw new TwoFactorAuthRequiredException();
		}

		// Allow access to the two-factor controllers only if two-factor authentication
		// is in progress.
		if (!$needsSecondFactor && $twoFactor) {
			throw new UserAlreadyLoggedInException();
		}
	}

	public function afterException($controller, $methodName, Exception $exception) {
		if ($exception instanceof TwoFactorAuthRequiredException) {
			$params = [
				'redirect_url' => $this->request->getParam('redirect_url'),
			];
			if (!isset($params['redirect_url']) && isset($this->request->server['REQUEST_URI'])) {
				$params['redirect_url'] = $this->request->server['REQUEST_URI'];
			}
			return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params));
		}
		if ($exception instanceof UserAlreadyLoggedInException) {
			return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));
		}

		throw $exception;
	}
}
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`<?php`
Enable strict types for the 2FA middleware Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-12-16 07:58:25 -05:00
			`declare(strict_types=1);`

Add two factor auth to core 2016-05-11 05:23:25 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-27 04:08:53 -04:00			`* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`*/`
			`namespace OC\Core\Middleware;`

			`use Exception;`
			`use OC\Authentication\Exceptions\TwoFactorAuthRequiredException;`
			`use OC\Authentication\Exceptions\UserAlreadyLoggedInException;`
			`use OC\Authentication\TwoFactorAuth\Manager;`
prevent infinite redirect loops if the there is no 2fa provider to pass This fixes infinite loops that are caused whenever a user is about to solve a 2FA challenge, but the provider app is disabled at the same time. Since the session value usually indicates that the challenge needs to be solved before we grant access we have to remove that value instead in this special case. 2016-08-24 04:42:07 -04:00			`use OC\Core\Controller\LoginController;`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`use OC\Core\Controller\TwoFactorChallengeController;`
			`use OC\User\Session;`
Allow "TwoFactor Nextcloud Notifications" to pull the state of the 2FA again Signed-off-by: Joas Schilling <coding@schilljs.com> 2021-10-04 03:54:58 -04:00			`use OCA\TwoFactorNextcloudNotification\Controller\APIController;`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`use OCP\AppFramework\Controller;`
			`use OCP\AppFramework\Http\RedirectResponse;`
			`use OCP\AppFramework\Middleware;`
			`use OCP\AppFramework\Utility\IControllerMethodReflector;`
Allow 2FA to be setup on first login Once 2FA is enforced for a user and they have no 2FA setup yet this will now prompt them with a setup screen. Given that providers are enabled that allow setup then. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-04-05 12:21:08 -04:00			`use OCP\Authentication\TwoFactorAuth\ALoginSetupController;`
remember redirect_url when solving the 2FA challenge 2016-06-01 07:54:08 -04:00			`use OCP\IRequest;`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`use OCP\ISession;`
			`use OCP\IURLGenerator;`
prevent infinite redirect loops if the there is no 2fa provider to pass This fixes infinite loops that are caused whenever a user is about to solve a 2FA challenge, but the provider app is disabled at the same time. Since the session value usually indicates that the challenge needs to be solved before we grant access we have to remove that value instead in this special case. 2016-08-24 04:42:07 -04:00			`use OCP\IUser;`
Add two factor auth to core 2016-05-11 05:23:25 -04:00
			`class TwoFactorMiddleware extends Middleware {`
Uses PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at> 2023-06-23 15:33:56 -04:00			`public function __construct(`
			`private Manager $twoFactorManager,`
			`private Session $userSession,`
			`private ISession $session,`
			`private IURLGenerator $urlGenerator,`
			`private IControllerMethodReflector $reflector,`
			`private IRequest $request,`
			`) {`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`}`

			`/**`
			`* @param Controller $controller`
			`* @param string $methodName`
			`*/`
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function beforeController($controller, $methodName) {`
Explicitly allow some routes without 2FA Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-11-17 12:42:21 -05:00			`if ($this->reflector->hasAnnotation('NoTwoFactorRequired')) {`
			`// Route handler explicitly marked to work without finished 2FA are`
			`// not blocked`
			`return;`
			`}`

Allow "TwoFactor Nextcloud Notifications" to pull the state of the 2FA again Signed-off-by: Joas Schilling <coding@schilljs.com> 2021-10-04 03:54:58 -04:00			`if ($controller instanceof APIController && $methodName === 'poll') {`
			`// Allow polling the twofactor nextcloud notifications state`
			`return;`
			`}`

Harden middleware check These annotations will allow for extra checks. And thus make it harder to break things. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-10-25 08:42:00 -04:00			`if ($controller instanceof TwoFactorChallengeController`
			`&& $this->userSession->getUser() !== null`
			`&& !$this->reflector->hasAnnotation('TwoFactorSetUpDoneRequired')) {`
			`$providers = $this->twoFactorManager->getProviderSet($this->userSession->getUser());`

Fix setting up 2FA providers when 2FA is enforced and bc are generated When a user has backup codes generated and got their 2FA enforced then they should be able to set up TOTP and similar providers during the login. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-07-30 12:29:23 -04:00			`if (!($providers->getPrimaryProviders() === [] && !$providers->isProviderMissing())) {`
Harden middleware check These annotations will allow for extra checks. And thus make it harder to break things. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-10-25 08:42:00 -04:00			`throw new TwoFactorAuthRequiredException();`
			`}`
			`}`

Allow 2FA to be setup on first login Once 2FA is enforced for a user and they have no 2FA setup yet this will now prompt them with a setup screen. Given that providers are enabled that allow setup then. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-04-05 12:21:08 -04:00			`if ($controller instanceof ALoginSetupController`
			`&& $this->userSession->getUser() !== null`
			`&& $this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {`
Improve provider check Check if there is a provider missing. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2021-07-21 03:58:17 -04:00			`$providers = $this->twoFactorManager->getProviderSet($this->userSession->getUser());`

Fix setting up 2FA when no providers are set up but backup codes 2FA set up is allowed when only backup codes are set up but no other provider and no provider is failing. This patch syncs up the login controller check with the challenge controller check 10 lines above. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-12-10 05:35:36 -05:00			`if ($providers->getPrimaryProviders() === [] && !$providers->isProviderMissing()) {`
Improve provider check Check if there is a provider missing. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2021-07-21 03:58:17 -04:00			`return;`
			`}`
Allow 2FA to be setup on first login Once 2FA is enforced for a user and they have no 2FA setup yet this will now prompt them with a setup screen. Given that providers are enabled that allow setup then. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-04-05 12:21:08 -04:00			`}`

prevent infinite redirect loops if the there is no 2fa provider to pass This fixes infinite loops that are caused whenever a user is about to solve a 2FA challenge, but the provider app is disabled at the same time. Since the session value usually indicates that the challenge needs to be solved before we grant access we have to remove that value instead in this special case. 2016-08-24 04:42:07 -04:00			`if ($controller instanceof LoginController && $methodName === 'logout') {`
Allow to cancel 2FA after login 2016-06-07 11:53:00 -04:00			`// Don't block the logout page, to allow canceling the 2FA`
			`return;`
			`}`

Add two factor auth to core 2016-05-11 05:23:25 -04:00			`if ($this->userSession->isLoggedIn()) {`
			`$user = $this->userSession->getUser();`

AppAPI: allowed to bypass Two-Factor Signed-off-by: Alexander Piskun <bigcat88@icloud.com> 2023-12-25 10:12:54 -05:00			`if ($this->session->exists('app_password') // authenticated using an app password`
			`\|\| $this->session->exists('app_api') // authenticated using an AppAPI Auth`
			`\|\| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {`

prevent infinite redirect loops if the there is no 2fa provider to pass This fixes infinite loops that are caused whenever a user is about to solve a 2FA challenge, but the provider app is disabled at the same time. Since the session value usually indicates that the challenge needs to be solved before we grant access we have to remove that value instead in this special case. 2016-08-24 04:42:07 -04:00			`$this->checkTwoFactor($controller, $methodName, $user);`
Use elseif instead of else if Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 04:35:09 -04:00			`} elseif ($controller instanceof TwoFactorChallengeController) {`
add OCC command to enable/disable 2FA for a user 2016-05-17 09:48:41 -04:00			`// Allow access to the two-factor controllers only if two-factor authentication`
			`// is in progress.`
			`throw new UserAlreadyLoggedInException();`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`}`
			`}`
			`// TODO: dont check/enforce 2FA if a auth token is used`
			`}`

Fix middleware implementations signatures Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2017-07-26 03:03:04 -04:00			`private function checkTwoFactor(Controller $controller, $methodName, IUser $user) {`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`// If two-factor auth is in progress disallow access to any controllers`
			`// defined within "LoginController".`
prevent infinite redirect loops if the there is no 2fa provider to pass This fixes infinite loops that are caused whenever a user is about to solve a 2FA challenge, but the provider app is disabled at the same time. Since the session value usually indicates that the challenge needs to be solved before we grant access we have to remove that value instead in this special case. 2016-08-24 04:42:07 -04:00			`$needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user);`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`$twoFactor = $controller instanceof TwoFactorChallengeController;`

			`// Disallow access to any controller if 2FA needs to be checked`
			`if ($needsSecondFactor && !$twoFactor) {`
			`throw new TwoFactorAuthRequiredException();`
			`}`

			`// Allow access to the two-factor controllers only if two-factor authentication`
			`// is in progress.`
			`if (!$needsSecondFactor && $twoFactor) {`
			`throw new UserAlreadyLoggedInException();`
			`}`
			`}`

Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-08-01 11:32:03 -04:00			`public function afterException($controller, $methodName, Exception $exception) {`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`if ($exception instanceof TwoFactorAuthRequiredException) {`
fix(auth): Keep redirect URL during 2FA setup and challenge Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2024-04-09 02:12:21 -04:00			`$params = [`
			`'redirect_url' => $this->request->getParam('redirect_url'),`
			`];`
			`if (!isset($params['redirect_url']) && isset($this->request->server['REQUEST_URI'])) {`
Check whether the $_SERVER['REQUEST_*'] vars exist before using them Signed-off-by: Joas Schilling <coding@schilljs.com> 2017-05-15 08:33:27 -04:00			`$params['redirect_url'] = $this->request->server['REQUEST_URI'];`
			`}`
			`return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params));`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`}`
			`if ($exception instanceof UserAlreadyLoggedInException) {`
			`return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));`
			`}`
Throw exception if you don't handle it 2016-08-12 06:33:31 -04:00
			`throw $exception;`
Add two factor auth to core 2016-05-11 05:23:25 -04:00			`}`
			`}`