Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify the description of REST vs OCS in accordance to sugestions discussed #12264

Draft
wants to merge 7 commits into
base: master
Choose a base branch
from

Conversation

christianlupus
Copy link
Contributor

☑️ Resolves

  • The statement about OCS to be legacy is removed
  • A comparison with (plain) REST is made

🖼️ Screenshots

T.B.D.

@christianlupus
Copy link
Contributor Author

@provokateurin I started to rephrase the "do not use OCS" in this PR. Does this sound reasonable or am I going completely the wrong direction? I know I need to eventually write a few more words and I for sure have to check the table entries (and wanted to explain them a bit more).

What do you think, makes this sense? Is this to be discussed with some guys from the core team before merging (as it reverts some basic strategic statement)?

Copy link
Member

@provokateurin provokateurin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot, this is already super helpful!
The RST syntax for the table really messed with my brain, I need to take a closer look at it in proper table shape.

developer_manual/basics/controllers.rst Outdated Show resolved Hide resolved
developer_manual/conf.py Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Show resolved Hide resolved
The following combinations of attributes might be useful for various scenarios:

#. Plain frontend route: No special attribute related to CSRF or CORS
#. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CSRF checks should only be disabled when absolutely necessary, this line should have a big warning

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are some of the few words I wanted to add...

developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
The following combinations of attributes might be useful for various scenarios:

#. Plain frontend route: No special attribute related to CSRF or CORS
#. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute
#. Plain Frontend with CRSF checks disabled: ``Controller`` class and ``#[NoCSRFRequired]`` attribute on the method

developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
#. Plain frontend route: No special attribute related to CSRF or CORS
#. Plain Frontend with CRSF checks disabled: Add the ``#[NoCSRFRequired]`` attribute
#. REST route with CORS enabled: Add the ``#[CORS]`` attribute
#. OCS-based route
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is another case with OCS+CSRF

@christianlupus
Copy link
Contributor Author

I tried to address the points discussed here. I decided that the CORS should be better put in a separate section as it seems orthogonal to the original question (what should I use Controller or OCSController?).

For simpler reading, I put screenshots of the current state here:

grafik


grafik

@christianlupus christianlupus mentioned this pull request Oct 7, 2024
Copy link
Member

@provokateurin provokateurin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good now!

developer_manual/basics/controllers.rst Outdated Show resolved Hide resolved
#. Plain frontend route: ``Controller`` class
#. Plain Frontend with CRSF checks disabled: ``Controller`` class and ``#[NoCSRFRequired]`` attribute on the method
#. OCS-based route: ``OCSController`` class
#. OCS-based route with CSRF disabled: ``OCSController`` class and ``#[NoCSRFRequired]`` attribute on the method
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this case doesn't exist, NoCSRFRequired should not have an effect on OCSController, but I will have to check that in the code to be sure.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking back and forth on this as well. In the end, I decided to keep the case as there is a certain difference (at least from the implementation):

For methods with NoCSRFRequired, this section is doing nothing.

For the case where the attribute is not given, the strict cookie check boils down to a check on the OCS-APIREQUEST header or no valid session token.

With the header in place (as the OCS controller generally expects), the second part is also skipped: The CSRF check is hardcoded to true, thus isInvalidCSRFRequired returns false.

When the header is not set, you enter the second if block and will check the inner if. The check isinstance OCSController is obviously true. The isValidOCSRequest is somewhat redundant as it can only be reached with the header unset. Alternatively, a bearer authorization header is sufficient to make the CSRF checker happy (even without OCS header and without NoCSRFRequired attribute).

I was adding this case as a reaction on your statement

There is another case with OCS+CSRF

In my opinion the last case could be dropped (and was never planned in the first round) but I do not see clearly the motivation of it, to be honest. Did I misunderstand your statement above?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion the last case could be dropped (and was never planned in the first round) but I do not see clearly the motivation of it, to be honest. Did I misunderstand your statement above?

I messed up, I meant OCS+CORS...
Currently the CORS cases are completely missing in the list.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, okay, then that makes more sense. I can read the cors posts and extend by the OCS+cors as well.

I will add a warning about cors in general similar to csrf of you do not mind.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you have any idea how to describe the case Access from external website more precisely or otherwise better, feel free to comment 😉.

@christianlupus christianlupus force-pushed the fix/clarification-rest-ocs branch from 08e4aab to ca6794c Compare October 8, 2024 22:33
@christianlupus
Copy link
Contributor Author

Updated text:

grafik

Copy link
Contributor

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@christianlupus
Copy link
Contributor Author

@provokateurin are you still looking some things up, is there any action from my side required at the moment, or was there simply no time to review/prepare merging?

@provokateurin
Copy link
Member

No sorry, I was just busy with other things. I'll take another look in the coming days 👍

Copy link
Member

@provokateurin provokateurin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

developer_manual/basics/controllers.rst Outdated Show resolved Hide resolved
developer_manual/basics/controllers.rst Outdated Show resolved Hide resolved
developer_manual/basics/controllers.rst Outdated Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
Comment on lines +115 to +116
- *Access from an external app* indicates that the user is not using the normal browser (as logged in) but directly navigates a certain URL.
This can be in a new browser tab or an external program (like an Android app or simply a curl command line).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand what these two cases have in common.
Security wise they are also a bit different, since you need CSRF protection to prevent redirect attacks via GET while this is completely irrelevant for non-browser use cases like curl.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They have in common that the CSRF token is not (guaranteed to be) known as part of the Cookie header and that the user is doing a dedicated action to navigate there (not by using a JS/AJAX request).
You are right these might be considered as separate cases. From user perspective (what can be done? not what is secure?), both navigate to an arbitrary URL and fetch the data. Examples:

I have not worked out the security side of this. What do you mean by redirect attacks via GET?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"requests from non-browser"

developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
developer_manual/digging_deeper/rest_apis.rst Outdated Show resolved Hide resolved
christianlupus and others added 7 commits December 22, 2024 15:56
Signed-off-by: Christian Wolf <[email protected]>
Co-authored-by: Kate <[email protected]>
Signed-off-by: Christian Wolf <[email protected]>
Signed-off-by: Christian Wolf <[email protected]>
Signed-off-by: Christian Wolf <[email protected]>
Fix typos and other errors in the code as suggested by review process

Co-authored-by: Kate <[email protected]>
Signed-off-by: Christian Wolf <[email protected]>
@christianlupus christianlupus force-pushed the fix/clarification-rest-ocs branch from adef92f to b7ee67f Compare December 26, 2024 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants