Check for AppAPI Auth header (#251)

1. In `AppAPIAuthMiddleware` we should check for `AUTHORIZATION-APP-API` header to not first perform request to DB. 2. In `validateExAppRequestToNC` we should do the same but for 'EX-APP-ID' header. 3. Removed debug log from `getExApp`, to not spam logs. --------- Signed-off-by: Alexander Piskun <[email protected]>
nextcloud · Mar 18, 2024 · e0779c9 · e0779c9
1 parent 0fbc77e
commit e0779c9
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,12 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [2.3.1 - 2024-03-2x]
+## [2.3.1 - 2024-03-18]
 
 ## Added 
 
 - `TEXT_PROCESSING` and `MACHINE_TRANSLATION` API scopes. #249
 
+## Fixed
+
+- Added missing check for the presence of a header for AppAPI authentication, which could lead to increased load on the server. #251
+- Bump follow-redirects package from `1.15.5` to `1.15.6` #250
+
 ## [2.3.0 - 2024-03-13]
 
 ### Added

diff --git a/appinfo/info.xml b/appinfo/info.xml
@@ -43,7 +43,7 @@ to join us in shaping a more versatile, stable, and secure app landscape.
 *Your insights, suggestions, and contributions are invaluable to us.*
 
 	]]></description>
-	<version>2.3.0</version>
+	<version>2.3.1</version>
 	<licence>agpl</licence>
 	<author mail="[email protected]" homepage="https://github.com/andrey18106">Andrey Borysenko</author>
 	<author mail="[email protected]" homepage="https://github.com/bigcat88">Alexander Piskun</author>

diff --git a/lib/Middleware/AppAPIAuthMiddleware.php b/lib/Middleware/AppAPIAuthMiddleware.php
@@ -38,6 +38,9 @@ public function beforeController($controller, $methodName) {
 
 		$isAppAPIAuth = !empty($reflectionMethod->getAttributes(AppAPIAuth::class));
 		if ($isAppAPIAuth) {
+			if (!$this->request->getHeader('AUTHORIZATION-APP-API')) {
+				throw new AppAPIAuthNotValidException($this->l->t('AppAPI authentication failed'), Http::STATUS_UNAUTHORIZED);
+			}
 			if (!$this->service->validateExAppRequestToNC($this->request)) {
 				throw new AppAPIAuthNotValidException($this->l->t('AppAPI authentication failed'), Http::STATUS_UNAUTHORIZED);
 			}

diff --git a/lib/Service/AppAPIService.php b/lib/Service/AppAPIService.php
@@ -168,7 +168,11 @@ private function getUriEncodedParams(array $params): string {
 	public function validateExAppRequestToNC(IRequest $request, bool $isDav = false): bool {
 		$this->throttler->sleepDelayOrThrowOnMax($request->getRemoteAddress(), Application::APP_ID);
 
-		$exApp = $this->exAppService->getExApp($request->getHeader('EX-APP-ID'));
+		$exAppId = $request->getHeader('EX-APP-ID');
+		if (!$exAppId) {
+			return false;
+		}
+		$exApp = $this->exAppService->getExApp($exAppId);
 		if ($exApp === null) {
 			$this->logger->error(sprintf('ExApp with appId %s not found.', $request->getHeader('EX-APP-ID')));
 			// Protection for guessing installed ExApps list

diff --git a/lib/Service/ExAppService.php b/lib/Service/ExAppService.php
@@ -68,10 +68,7 @@ public function getExApp(string $appId): ?ExApp {
 			$exApp = $this->exAppMapper->findByAppId($appId);
 			$this->cache->set($cacheKey, $exApp, self::CACHE_TTL);
 			return $exApp;
-		} catch (Exception | MultipleObjectsReturnedException | DoesNotExistException $e) {
-			$this->logger->debug(
-				sprintf('Failed to get ExApp %s. Error: %s', $appId, $e->getMessage()), ['exception' => $e]
-			);
+		} catch (Exception | MultipleObjectsReturnedException | DoesNotExistException) {
 		}
 		return null;
 	}