Merge pull request #80 from nextcloud/fix/safer-auth-settings

fix: hide client credentials from front-end, add password confirmation when saving credentials

lib/Controller/DocusignController.php

@@ -21,6 +21,7 @@
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\IConfig;
@@ -111,6 +112,7 @@ public function signStandalone(int $fileId, array $targetEmails = [], array $tar
 	 * @param array $values
 	 * @return DataResponse
 	 */
+	#[PasswordConfirmationRequired]
 	#[FrontpageRoute(verb: 'PUT', url: '/docusign-config')]
 	public function setDocusignConfig(array $values): DataResponse {
 		foreach ($values as $key => $value) {

lib/Settings/Admin.php

@@ -84,8 +84,8 @@ public function getForm(): TemplateResponse {
 		$userEmail = $this->config->getAppValue(Application::APP_ID, 'docusign_user_email');
 
 		$adminConfig = [
-			'docusign_client_id' => $clientID,
-			'docusign_client_secret' => $clientSecret,
+			'docusign_client_id' => $clientID ? 'dummyClientNumber' : '',
+			'docusign_client_secret' => $clientSecret ? 'dummyClientSecret' : '',
 			'docusign_token' => $token !== '',
 			'docusign_user_name' => $userName,
 			'docusign_user_email' => $userEmail,

package.json

@@ -41,6 +41,7 @@
     "@nextcloud/initial-state": "^2.1.0",
     "@nextcloud/l10n": "^2.2.0",
     "@nextcloud/moment": "^1.3.1",
+    "@nextcloud/password-confirmation": "^5.1.1",
     "@nextcloud/router": "^3.0.0",
     "@nextcloud/vue": "^8.8.1",
     "@nextcloud/vue-dashboard": "^2.0.1",

src/components/AdminSettings.vue

@@ -77,6 +77,7 @@ import { generateUrl } from '@nextcloud/router'
 import axios from '@nextcloud/axios'
 import { delay } from '../utils.js'
 import { showSuccess, showError } from '@nextcloud/dialogs'
+import { confirmPassword } from '@nextcloud/password-confirmation'
 
 export default {
 	name: 'AdminSettings',
@@ -126,11 +127,17 @@ export default {
 	methods: {
 		onFieldInput() {
 			this.loading = true
-			delay(() => {
-				this.saveOptions({
-					docusign_client_id: this.state.docusign_client_id,
-					docusign_client_secret: this.state.docusign_client_secret,
-				})
+			delay(async () => {
+				await confirmPassword()
+
+				const values = {}
+				if (this.state.docusign_client_id !== 'dummyClientNumber') {
+					values.docusign_client_id = this.state.docusign_client_id
+				}
+				if (this.state.docusign_client_secret !== 'dummyClientSecret') {
+					values.docusign_client_secret = this.state.docusign_client_secret
+				}
+				this.saveOptions(values)
 			}, 2000)()
 		},
 		saveOptions(values) {
@@ -153,6 +160,20 @@ export default {
 				})
 		},
 		onOAuthClick() {
+			let dummyValueProvided = false
+			if (this.state.docusign_client_id === 'dummyClientNumber') {
+				this.state.docusign_client_id = ''
+				dummyValueProvided = true
+			}
+			if (this.state.docusign_client_secret === 'dummyClientSecret') {
+				this.state.docusign_client_secret = ''
+				dummyValueProvided = true
+			}
+			if (dummyValueProvided) {
+				showError(t('integration_docusign', 'For security reasons, please enter your client credentials again'))
+				return
+			}
+
 			const oauthState = Math.random().toString(36).substring(3)
 			const scopes = [
 				'signature',