From c66d515a2c4c8864aa43434a0b2e09ca6ea0ca68 Mon Sep 17 00:00:00 2001
From: Louis Chemineau
Date: Thu, 28 Nov 2024 12:45:47 +0100
Subject: [PATCH] fixup! feat: Use inline password confirmation in external storage settings
---
 .../PasswordConfirmationMiddleware.php | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
index 51dd79a230227..0fe7dace48a3b 100644
--- a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
@@ -83,6 +83,8 @@ public function beforeController(Controller $controller, string $methodName) {
 }
 }
 
+ $backendClassName = $user->getBackendClassName();
+
 try {
 $sessionId = $this->session->getId();
 $token = $this->tokenProvider->getToken($sessionId);
@@ -90,16 +92,28 @@ public function beforeController(Controller $controller, string $methodName) {
 // States we do not deal with here.
 return;
 }
+
 $scope = $token->getScopeAsArray();
 if (isset($scope['password-unconfirmable']) && $scope['password-unconfirmable'] === true) {
 // Users logging in from SSO backends cannot confirm their password by design
 return;
 }
 
- $lastConfirm = (int) $this->session->get('last-password-confirm');
- // TODO: confirm excludedUserBackEnds can go away and remove it
- if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
- throw new NotConfirmedException();
+ if ($this->isPasswordConfirmationStrict($reflectionMethod)) {
+ $authHeader = $this->request->getHeader('Authorization');
+ [, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);
+ $loginResult = $this->userManager->checkPassword($user->getUid(), $password);
+ if ($loginResult === false) {
+ throw new NotConfirmedException();
+ }
+
+ $this->session->set('last-password-confirm', $this->timeFactory->getTime());
+ } else {
+ $lastConfirm = (int) $this->session->get('last-password-confirm');
+ // TODO: confirm excludedUserBackEnds can go away and remove it
+ if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
+ throw new NotConfirmedException();
+ }
+ }
 }
 }
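Review bot: The strict branch parses the Authorization header without validating it: `substr($authHeader, 6)` assumes a `Basic ` prefix that is never checked, `base64_decode` runs in non-strict mode, and `[, $password] = explode(':', …, 2)` leaves `$password` null (with an undefined-offset warning) when the decoded value contains no `:`, so a missing, `Bearer`, or malformed header reaches `checkPassword` with a null/empty password instead of failing fast. Reject the header up front and only destructure once a `user:password` shape is confirmed, as below. The username half of the credential is discarded and the password is verified against the session user, which looks intentional for an inline confirmation but deserves a comment such as `// Only the password is used: it is verified against the logged-in user, not the Basic-auth username`. I cannot tell from the hunk whether `checkPassword` is brute-force throttled on this path; if it is not, a hijacked session gets unlimited password guesses here, so that is worth confirming. `beforeController` starts before this hunk, and `$reflectionMethod` is presumably assigned there.
```php
$authHeader = $this->request->getHeader('Authorization');
// Scheme names are case-insensitive (RFC 7235); only Basic can carry a password here
if (strncasecmp($authHeader, 'Basic ', 6) !== 0) {
    throw new NotConfirmedException();
}
$decoded = base64_decode(substr($authHeader, 6), true);
if ($decoded === false || !str_contains($decoded, ':')) {
    throw new NotConfirmedException();
}
[, $password] = explode(':', $decoded, 2);
// … unchanged: checkPassword call and last-password-confirm update …
```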