mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Improved attempt for #1746
This commit is contained in:
parent
f8520c27a2
commit
6f4f6bfd03
2 changed files with 47 additions and 50 deletions
|
|
@ -90,23 +90,18 @@ class SnappyMailHelper
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
if ($doLogin && $aCredentials[1] && $aCredentials[2]) {
|
if ($doLogin && $aCredentials[1] && $aCredentials[2]) {
|
||||||
|
$isOIDC = \str_starts_with($aCredentials[2], 'oidc_login|');
|
||||||
try {
|
try {
|
||||||
$ocSession = \OC::$server->getSession();
|
$ocSession = \OC::$server->getSession();
|
||||||
if (true === $aCredentials[2]) {
|
|
||||||
// OIDC
|
|
||||||
$pwd = new \SnappyMail\SensitiveString($aCredentials[1]);
|
|
||||||
$oAccount = $oActions->LoginProcess($aCredentials[1], $pwd);
|
|
||||||
if ($oAccount) {
|
|
||||||
$oActions->SetSignMeToken($oAccount);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$oAccount = $oActions->LoginProcess($aCredentials[1], $aCredentials[2]);
|
$oAccount = $oActions->LoginProcess($aCredentials[1], $aCredentials[2]);
|
||||||
if ($oAccount && $oConfig->Get('login', 'sign_me_auto', \RainLoop\Enumerations\SignMeType::DefaultOff) === \RainLoop\Enumerations\SignMeType::DefaultOn) {
|
if (!$isOIDC && $oAccount
|
||||||
|
&& $oConfig->Get('login', 'sign_me_auto', \RainLoop\Enumerations\SignMeType::DefaultOff) === \RainLoop\Enumerations\SignMeType::DefaultOn
|
||||||
|
) {
|
||||||
$oActions->SetSignMeToken($oAccount);
|
$oActions->SetSignMeToken($oAccount);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
} catch (\Throwable $e) {
|
} catch (\Throwable $e) {
|
||||||
// Login failure, reset password to prevent more attempts
|
// Login failure, reset password to prevent more attempts
|
||||||
|
if (!$isOIDC) {
|
||||||
$sUID = \OC::$server->getUserSession()->getUser()->getUID();
|
$sUID = \OC::$server->getUserSession()->getUser()->getUID();
|
||||||
\OC::$server->getSession()['snappymail-passphrase'] = '';
|
\OC::$server->getSession()['snappymail-passphrase'] = '';
|
||||||
\OC::$server->getConfig()->setUserValue($sUID, 'snappymail', 'passphrase', '');
|
\OC::$server->getConfig()->setUserValue($sUID, 'snappymail', 'passphrase', '');
|
||||||
|
|
@ -114,6 +109,7 @@ class SnappyMailHelper
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ($handle) {
|
if ($handle) {
|
||||||
\header_remove('Content-Security-Policy');
|
\header_remove('Content-Security-Policy');
|
||||||
|
|
@ -127,6 +123,32 @@ class SnappyMailHelper
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if OpenID Connect (OIDC) is enabled and used for login
|
||||||
|
// https://apps.nextcloud.com/apps/oidc_login
|
||||||
|
public static function isOIDCLogin() : bool
|
||||||
|
{
|
||||||
|
$config = \OC::$server->getConfig();
|
||||||
|
if ($config->getAppValue('snappymail', 'snappymail-autologin-oidc', false)) {
|
||||||
|
// Check if the OIDC Login app is enabled
|
||||||
|
if (\OC::$server->getAppManager()->isEnabledForUser('oidc_login')) {
|
||||||
|
// Check if session is an OIDC Login
|
||||||
|
$ocSession = \OC::$server->getSession();
|
||||||
|
if ($ocSession->get('is_oidc')) {
|
||||||
|
// IToken->getPassword() ???
|
||||||
|
if ($ocSession->get('oidc_access_token')) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
\SnappyMail\Log::debug('Nextcloud', 'OIDC access_token missing');
|
||||||
|
} else {
|
||||||
|
\SnappyMail\Log::debug('Nextcloud', 'No OIDC login');
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
\SnappyMail\Log::debug('Nextcloud', 'OIDC login disabled');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
private static function getLoginCredentials() : array
|
private static function getLoginCredentials() : array
|
||||||
{
|
{
|
||||||
$sUID = \OC::$server->getUserSession()->getUser()->getUID();
|
$sUID = \OC::$server->getUserSession()->getUser()->getUID();
|
||||||
|
|
@ -152,18 +174,9 @@ class SnappyMailHelper
|
||||||
if ($ocSession['snappymail-nc-uid'] == $sUID) {
|
if ($ocSession['snappymail-nc-uid'] == $sUID) {
|
||||||
|
|
||||||
// If OpenID Connect (OIDC) is enabled and used for login, use this.
|
// If OpenID Connect (OIDC) is enabled and used for login, use this.
|
||||||
// https://apps.nextcloud.com/apps/oidc_login
|
if (static::isOIDCLogin()) {
|
||||||
if ($config->getAppValue('snappymail', 'snappymail-autologin-oidc', false)) {
|
|
||||||
if ($ocSession->get('is_oidc')) {
|
|
||||||
// IToken->getPassword() ???
|
|
||||||
if ($ocSession->get('oidc_access_token')) {
|
|
||||||
$sEmail = $config->getUserValue($sUID, 'settings', 'email');
|
$sEmail = $config->getUserValue($sUID, 'settings', 'email');
|
||||||
return [$sUID, $sEmail, true];
|
return [$sUID, $sEmail, "oidc_login|{$sUID}"];
|
||||||
}
|
|
||||||
\SnappyMail\Log::debug('Nextcloud', 'OIDC access_token missing');
|
|
||||||
} else {
|
|
||||||
\SnappyMail\Log::debug('Nextcloud', 'No OIDC login');
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Only use the user's password in the current session if they have
|
// Only use the user's password in the current session if they have
|
||||||
|
|
|
||||||
|
|
@ -90,35 +90,19 @@ class NextcloudPlugin extends \RainLoop\Plugins\AbstractPlugin
|
||||||
|
|
||||||
public function beforeLogin(\RainLoop\Model\Account $oAccount, \MailSo\Net\NetClient $oClient, \MailSo\Net\ConnectSettings $oSettings) : void
|
public function beforeLogin(\RainLoop\Model\Account $oAccount, \MailSo\Net\NetClient $oClient, \MailSo\Net\ConnectSettings $oSettings) : void
|
||||||
{
|
{
|
||||||
// https://apps.nextcloud.com/apps/oidc_login
|
|
||||||
$config = \OC::$server->getConfig();
|
|
||||||
$oUser = \OC::$server->getUserSession()->getUser();
|
|
||||||
$sUID = $oUser->getUID();
|
|
||||||
|
|
||||||
$sEmail = $config->getUserValue($sUID, 'snappymail', 'snappymail-email');
|
|
||||||
$sPassword = $config->getUserValue($sUID, 'snappymail', 'passphrase')
|
|
||||||
?: $config->getUserValue($sUID, 'snappymail', 'snappymail-password');
|
|
||||||
$bAccountDefinedExplicitly = ($sEmail && $sPassword) && $sEmail === $oSettings->username;
|
|
||||||
|
|
||||||
$sNcEmail = $oUser->getEMailAddress() ?: $oUser->getPrimaryEMailAddress();
|
|
||||||
|
|
||||||
// Only login with OIDC access token if
|
// Only login with OIDC access token if
|
||||||
// it is enabled in config, the user is currently logged in with OIDC,
|
// it is enabled in config, the user is currently logged in with OIDC,
|
||||||
// the current snappymail account is the OIDC account and no account defined explicitly
|
// the current snappymail account is the OIDC account and no account defined explicitly
|
||||||
if (\OC::$server->getConfig()->getAppValue('snappymail', 'snappymail-autologin-oidc', false)
|
if ($oAccount instanceof \RainLoop\Model\MainAccount
|
||||||
&& \OC::$server->getSession()->get('is_oidc')
|
&& \OCA\SnappyMail\Util\SnappyMailHelper::isOIDCLogin()
|
||||||
&& $sNcEmail === $oSettings->username
|
|
||||||
&& !$bAccountDefinedExplicitly
|
|
||||||
&& $oAccount instanceof \RainLoop\Model\MainAccount
|
|
||||||
// && $oClient->supportsAuthType('OAUTHBEARER') // v2.28
|
// && $oClient->supportsAuthType('OAUTHBEARER') // v2.28
|
||||||
|
&& \str_starts_with($oSettings->passphrase, 'oidc_login|')
|
||||||
) {
|
) {
|
||||||
$sAccessToken = \OC::$server->getSession()->get('oidc_access_token');
|
// $oSettings->passphrase = \OC::$server->getSession()->get('snappymail-passphrase');
|
||||||
if ($sAccessToken) {
|
$oSettings->passphrase = \OC::$server->getSession()->get('oidc_access_token');
|
||||||
$oSettings->passphrase = $sAccessToken;
|
|
||||||
\array_unshift($oSettings->SASLMechanisms, 'OAUTHBEARER');
|
\array_unshift($oSettings->SASLMechanisms, 'OAUTHBEARER');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
\OC::$server->getCalendarManager();
|
\OC::$server->getCalendarManager();
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue