
Machine-detectable response code for "Password confirmation is required" #37377

Open
donquixote opened this issue Mar 23, 2023 · 5 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap developer experience enhancement feature: authentication

Comments

@donquixote

How to use GitHub

  • Please use the 👍 reaction to show that you are interested in the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Background

I am using the Nextcloud API to create users, groups and similar from an external software (a Drupal website).
I noticed that cookie auth is the fastest, token auth is a bit slower, basic auth is a lot slower.
With both cookie auth and token auth, I get responses "Password confirmation is required" on routes annotated with @PasswordConfirmationRequired every 30 minutes.
The response json is like this:

{"ocs":{"meta":{"status":"failure","statuscode":403,"message":"Password confirmation is required","totalitems":"","itemsperpage":""},"data":[]}}

In my code I am checking for $data['ocs']['meta']['statuscode'] === 403 && $data['ocs']['meta']['message'] === "Password confirmation is required". If the check is positive, I clear the cookies and send another request.
(I am using cookie auth, but the same would happen with token auth)

Problem

My check relies on a user interface string, which might change in future versions of Nextcloud.

Request

Send another special string with the response that is more reliable to detect.
BUT
Don't remove any of the existing parts of the response, so as not to break other clients.
OR
Make a commitment that the string "Password confirmation is required" is not going to change, ever.

@donquixote donquixote added 0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement labels Mar 23, 2023
@donquixote
Author

See also #7753, #6476, #17434

@donquixote
Author

Another option would be to detect if the request already contains basic auth credentials, and if so, to use these to refresh the 'last-password-confirm' in the session.

@ChristophWurst
Member

I did something similar for maintenance mode: #33173

@donquixote
Author

A header, ok :)
Not part of the ocs response json.
I suppose https://lukasreschke.github.io/OpenCloudMeshSpecification/#ocs-responses is already full, we cannot invent another slot here. So ok to use a header.
This also allows implementing this check as a middleware in a Guzzle client, without parsing the JSON.

Of course another option when implementing a client would be to clear the session cookies every 30 minutes.
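An added example (not code from the issue author or from Nextcloud), written in Python rather than the Drupal/PHP client described above, of the client-side handling the issue body and this comment discuss: the OCS JSON check, an optional marker header, a bounded clear-cookies-and-retry, and a proactive re-login before the 30-minute window lapses. The header name `X-Password-Confirmation-Required` is a hypothetical placeholder (no such header exists), the cookie values are constructed, and the HTTP `send` function is injected so the code runs offline.

```python
import json
import time
from typing import Dict, Optional
# Sample body copied from the issue: the OCS failure envelope returned on a
# @PasswordConfirmationRequired route once the session's confirmation lapsed.
SAMPLE_FAILURE = ('{"ocs":{"meta":{"status":"failure","statuscode":403,'
                  '"message":"Password confirmation is required",'
                  '"totalitems":"","itemsperpage":""},"data":[]}}')
CONFIRM_MESSAGE = "Password confirmation is required"
CONFIRM_TTL = 30 * 60  # seconds; the issue observes re-prompts every 30 minutes
MARKER_HEADER = "X-Password-Confirmation-Required"  # hypothetical, not a real header

def needs_password_confirmation(headers: Dict[str, str], body: str) -> bool:
    """True if the response demands password re-confirmation: hypothetical header
    first, then the fragile string match. Non-JSON / missing keys count as no."""
    if any(k.lower() == MARKER_HEADER.lower() for k in headers):
        return True
    try:
        meta = json.loads(body)["ocs"]["meta"]
    except (ValueError, KeyError, TypeError):
        return False
    # Both conditions: a 403 with another message is a real permission denial.
    return meta.get("statuscode") == 403 and meta.get("message") == CONFIRM_MESSAGE

class OcsSession:
    """Cookie-auth client wrapper with a password-confirmation clock.
    send(method, path, cookies) -> (status, headers, body) is injected: runs offline."""
    def __init__(self, send, now=time.time):
        self._send, self._now = send, now
        self.cookies: Dict[str, str] = {}
        self.confirmed_at: Optional[float] = None
        self.logins = 0
    def _login(self) -> None:
        # A real client would POST credentials here; the cookie value is constructed.
        self.logins += 1
        self.cookies = {"nc_session_id": f"session-{self.logins}"}
        self.confirmed_at = self._now()

    def request(self, method: str, path: str, max_retries: int = 1):
        # Proactive reset (the idea in the comment above): re-login before the window lapses.
        if self.confirmed_at is None or self._now() - self.confirmed_at >= CONFIRM_TTL:
            self._login()
        for attempt in range(max_retries + 1):
            status, headers, body = self._send(method, path, self.cookies)
            if not needs_password_confirmation(headers, body):
                return status, body
            if attempt == max_retries:  # bounded: never loop forever on a 403
                raise RuntimeError("password confirmation still required after re-login")
            self.cookies = {}
            self._login()
```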

@donquixote
Author

Btw how does the js front-end currently do this check? Or does it always ask for a password for these special operations?
