Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Skip password confirmation for ocs-apirequest #17434

Closed
wants to merge 1 commit into from
Closed

Skip password confirmation for ocs-apirequest #17434

wants to merge 1 commit into from

Conversation

kinolaev
Copy link
Member

@kinolaev kinolaev commented Oct 6, 2019
edited
Loading

Problem: OAuth client cannot use some part of nextcloud API 30 minutes after authentication because nextcloud requires password confirmation even for requests withocs-apirequest: true and authorization: Bearer ... headers.
Solution: Skip password confirmation for requests with mentioned headers (as already implemented in SecurityMiddleware)

I will add tests later If you find that this is right thing)

Also it will be good to make method isOcsApiRequest to not duplicate this checks in 2 middlewares. Is Request class right place for this?

Related: #6476

@kinolaev kinolaev requested review from rullzer and kesselb October 6, 2019 22:46
@kinolaev
skip password confirmation for ocs-apirequest
c74e9f9 
Signed-off-by: Sergej Nikolaev <kinolaev@gmail.com>
@kinolaev kinolaev force-pushed the skip-password-confirm-for-ocs-apireq branch from ce77c97 to c74e9f9 Compare October 6, 2019 23:33
@rullzer
Copy link
Member

rullzer commented Oct 7, 2019

@kinolaev what requests are this actually?

@kinolaev
Copy link
Member Author

kinolaev commented Oct 7, 2019
edited
Loading

Controllers with PasswordConfirmationRequired annotation are affected. Change quota (doc, code) for example.

@kinolaev
Copy link
Member Author

kinolaev commented Oct 7, 2019
edited
Loading

@rullzer, affected methods are:

  • apps/provisioning_api/lib/Controller/AppConfigController.php: setValue, deleteKey
  • apps/provisioning_api/lib/Controller/AppsController.php: enable, disable
  • apps/provisioning_api/lib/Controller/GroupsController.php: addGroup, updateGroup, deleteGroup
  • apps/provisioning_api/lib/Controller/UsersController.php: addUser, editUser, wipeUserDevices, deleteUser, disableUser, enableUser, addToGroup, removeFromGroup, addSubAdmin, removeSubAdmin, resendWelcomeMessage

There are methods with PasswordConfirmationRequired annotation in other classes, but they don't inherit OCP\AppFramework\OCSController, so password confirmation still required for that methods.

@kinolaev
Copy link
Member Author

kinolaev commented Oct 9, 2019
edited
Loading

Hello @rullzer, do you agree that password confirmation must be removed for ocs-apirequests and oauth client requests?
I mean need I add tests or this PR will not be merged for some reason?

@rullzer
Copy link
Member

rullzer commented Oct 9, 2019

@kinolaev I was just busy with other stuff ;)

So the reason we want password confirmation is that they are sensitive operations (possibly destructive). And there is no real reason that if you have an apppassword this check should be no longer valid.

I would like it better if we could signal back that a password needs to be send as well and then the user just needs to enter their password also when doing this when sending an OCS-APIRequest.

I'll think a bit how that can be done.

@gary-kim gary-kim added 3. to review Waiting for reviews enhancement labels Nov 30, 2019
@danielsss
Copy link

any updates ?

@LukasReschke
Copy link
Member

Closing as there has been no traction on this.

@donquixote donquixote mentioned this pull request Mar 23, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rullzer rullzer Awaiting requested review from rullzer

@kesselb kesselb Awaiting requested review from kesselb

Assignees
No one assigned
Labels
3. to review Waiting for reviews enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kinolaev @rullzer @danielsss @LukasReschke @gary-kim