Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(core): Expose the confirm password endpoint #43000

Closed
wants to merge 1 commit into from
Closed

feat(core): Expose the confirm password endpoint #43000

wants to merge 1 commit into from

Conversation

provokateurin
Copy link
Member

Summary

This allows non-web clients to confirm the password in order to use endpoints that require it.

Checklist

@provokateurin provokateurin added this to the Nextcloud 29 milestone Jan 21, 2024
@provokateurin provokateurin mentioned this pull request Jan 21, 2024
Closed
@provokateurin provokateurin force-pushed the feat/core/expose-confirm-password-endpoint branch from fa8f01d to a84c71d Compare January 21, 2024 21:11
nickvergessen
nickvergessen requested changes Jan 22, 2024
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sending auth data should pass the password check:

server/lib/private/User/Session.php

Line 605 in 7f2fdd8

$this->session->set('last-password-confirm', $this->timeFactory->getTime());

The problem is you are sending auth + cookies, so we use the cookies only and the line above is never ran. We should fix the PasswordConfirmMiddleware to check if auth data was provided with the request.

@provokateurin provokateurin marked this pull request as draft January 22, 2024 09:44
@provokateurin
Copy link
Member Author

My testing confirms:

  • Basic auth without cookies works
  • Bearer auth never works (regardless of cookies)

@ChristophWurst ChristophWurst deleted the feat/core/expose-confirm-password-endpoint branch January 22, 2024 16:44
@provokateurin provokateurin mentioned this pull request Jan 22, 2024
Closed
4 tasks
@provokateurin provokateurin restored the feat/core/expose-confirm-password-endpoint branch February 20, 2024 07:03
@provokateurin
Copy link
Member Author

After the discussions in #43034 we came to the conclusion that this PR makes more sense and is less susceptible to any additional security holes the other PR could open up.

@provokateurin
Copy link
Member Author

Bleh should have re-opened before pushing, will create a new PR

@provokateurin provokateurin mentioned this pull request Feb 20, 2024
Merged
4 tasks
@skjnldsv skjnldsv removed this from the Nextcloud 29 milestone Feb 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen nickvergessen requested changes

@come-nc come-nc come-nc approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

@juliusknorr juliusknorr Awaiting requested review from juliusknorr

@kesselb kesselb Awaiting requested review from kesselb

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

Assignees
No one assigned
Labels
3. to review Waiting for reviews enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@provokateurin @nickvergessen @come-nc @skjnldsv