|
14 | 14 | use OC\Authentication\Token\IProvider; |
15 | 15 | use OC\Authentication\Token\RemoteWipe; |
16 | 16 | use OCA\Settings\Activity\Provider; |
| 17 | +use OCA\Settings\ConfigLexicon; |
17 | 18 | use OCP\Activity\IManager; |
18 | 19 | use OCP\AppFramework\Controller; |
19 | 20 | use OCP\AppFramework\Http; |
20 | 21 | use OCP\AppFramework\Http\Attribute\NoAdminRequired; |
21 | 22 | use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; |
22 | 23 | use OCP\AppFramework\Http\JSONResponse; |
| 24 | +use OCP\AppFramework\Services\IAppConfig; |
23 | 25 | use OCP\Authentication\Exceptions\ExpiredTokenException; |
24 | 26 | use OCP\Authentication\Exceptions\InvalidTokenException; |
25 | 27 | use OCP\Authentication\Exceptions\WipeTokenException; |
26 | 28 | use OCP\Authentication\Token\IToken; |
| 29 | +use OCP\IConfig; |
| 30 | +use OCP\IL10N; |
27 | 31 | use OCP\IRequest; |
28 | 32 | use OCP\ISession; |
29 | 33 | use OCP\IUserSession; |
|
32 | 36 | use Psr\Log\LoggerInterface; |
33 | 37 |
|
34 | 38 | class AuthSettingsController extends Controller { |
35 | | - /** @var IProvider */ |
36 | | - private $tokenProvider; |
37 | 39 |
|
38 | | - /** @var RemoteWipe */ |
39 | | - private $remoteWipe; |
40 | | - |
41 | | - /** |
42 | | - * @param string $appName |
43 | | - * @param IRequest $request |
44 | | - * @param IProvider $tokenProvider |
45 | | - * @param ISession $session |
46 | | - * @param ISecureRandom $random |
47 | | - * @param string|null $userId |
48 | | - * @param IUserSession $userSession |
49 | | - * @param IManager $activityManager |
50 | | - * @param RemoteWipe $remoteWipe |
51 | | - * @param LoggerInterface $logger |
52 | | - */ |
53 | 40 | public function __construct( |
54 | 41 | string $appName, |
55 | 42 | IRequest $request, |
56 | | - IProvider $tokenProvider, |
| 43 | + private IProvider $tokenProvider, |
57 | 44 | private ISession $session, |
58 | 45 | private ISecureRandom $random, |
59 | 46 | private ?string $userId, |
60 | 47 | private IUserSession $userSession, |
61 | 48 | private IManager $activityManager, |
62 | | - RemoteWipe $remoteWipe, |
| 49 | + private IAppConfig $appConfig, |
| 50 | + private RemoteWipe $remoteWipe, |
63 | 51 | private LoggerInterface $logger, |
| 52 | + private IConfig $serverConfig, |
| 53 | + private IL10N $l, |
64 | 54 | ) { |
65 | 55 | parent::__construct($appName, $request); |
66 | | - $this->tokenProvider = $tokenProvider; |
67 | | - $this->remoteWipe = $remoteWipe; |
68 | 56 | } |
69 | 57 |
|
70 | 58 | /** |
71 | 59 | * @NoSubAdminRequired |
72 | 60 | * |
73 | | - * @param string $name |
74 | | - * @return JSONResponse |
| 61 | + * @param bool $qrcodeLogin If set to true, the returned token could be (depending on server settings) a onetime password, that can only be used to get the actual app password a single time |
75 | 62 | */ |
76 | 63 | #[NoAdminRequired] |
77 | | - #[PasswordConfirmationRequired] |
78 | | - public function create($name) { |
| 64 | + #[PasswordConfirmationRequired(strict: true)] |
| 65 | + public function create(string $name = '', bool $qrcodeLogin = false): JSONResponse { |
79 | 66 | if ($this->checkAppToken()) { |
80 | 67 | return $this->getServiceNotAvailableResponse(); |
81 | 68 | } |
82 | 69 |
|
83 | 70 | try { |
84 | 71 | $sessionId = $this->session->getId(); |
85 | | - } catch (SessionNotAvailableException $ex) { |
| 72 | + } catch (SessionNotAvailableException) { |
86 | 73 | return $this->getServiceNotAvailableResponse(); |
87 | 74 | } |
88 | 75 | if ($this->userSession->getImpersonatingUserID() !== null) { |
89 | 76 | return $this->getServiceNotAvailableResponse(); |
90 | 77 | } |
91 | 78 |
|
| 79 | + if (!$this->serverConfig->getSystemValueBool('auth_can_create_app_token', true)) { |
| 80 | + return $this->getServiceNotAvailableResponse(); |
| 81 | + } |
| 82 | + |
92 | 83 | try { |
93 | 84 | $sessionToken = $this->tokenProvider->getToken($sessionId); |
94 | 85 | $loginName = $sessionToken->getLoginName(); |
95 | 86 | try { |
96 | 87 | $password = $this->tokenProvider->getPassword($sessionToken, $sessionId); |
97 | | - } catch (PasswordlessTokenException $ex) { |
| 88 | + } catch (PasswordlessTokenException) { |
98 | 89 | $password = null; |
99 | 90 | } |
100 | | - } catch (InvalidTokenException $ex) { |
| 91 | + } catch (InvalidTokenException) { |
| 92 | + return $this->getServiceNotAvailableResponse(); |
| 93 | + } |
| 94 | + |
| 95 | + if ($qrcodeLogin) { |
| 96 | + if ($this->appConfig->getAppValueBool(ConfigLexicon::LOGIN_QRCODE_ONETIME)) { |
| 97 | + // TRANSLATORS Fallback name for the temporary app password when using the QR code login |
| 98 | + $name = $this->l->t('One time login'); |
| 99 | + $type = IToken::ONETIME_TOKEN; |
| 100 | + $scope = []; |
| 101 | + } else { |
| 102 | + // TRANSLATORS Fallback name for the app password when using the QR code login |
| 103 | + $name = $this->l->t('QR Code login'); |
| 104 | + $type = IToken::PERMANENT_TOKEN; |
| 105 | + $scope = null; |
| 106 | + } |
| 107 | + } elseif ($name === '') { |
| 108 | + // No name is only allowed for one time logins |
101 | 109 | return $this->getServiceNotAvailableResponse(); |
| 110 | + } else { |
| 111 | + $type = IToken::PERMANENT_TOKEN; |
| 112 | + $scope = null; |
102 | 113 | } |
103 | 114 |
|
104 | 115 | if (mb_strlen($name) > 128) { |
105 | 116 | $name = mb_substr($name, 0, 120) . '…'; |
106 | 117 | } |
107 | 118 |
|
108 | 119 | $token = $this->generateRandomDeviceToken(); |
109 | | - $deviceToken = $this->tokenProvider->generateToken($token, $this->userId, $loginName, $password, $name, IToken::PERMANENT_TOKEN); |
| 120 | + $deviceToken = $this->tokenProvider->generateToken( |
| 121 | + $token, |
| 122 | + $this->userId, |
| 123 | + $loginName, |
| 124 | + $password, |
| 125 | + $name, |
| 126 | + $type, |
| 127 | + scope: $scope, |
| 128 | + ); |
110 | 129 | $tokenData = $deviceToken->jsonSerialize(); |
111 | 130 | $tokenData['canDelete'] = true; |
112 | 131 | $tokenData['canRename'] = true; |
|
0 commit comments