Improved attempt for #1746

This commit is contained in:
the-djmaze 2024-09-16 13:49:59 +02:00
parent f8520c27a2
commit 6f4f6bfd03
2 changed files with 47 additions and 50 deletions

View file

@ -90,27 +90,23 @@ class SnappyMailHelper
} }
*/ */
if ($doLogin && $aCredentials[1] && $aCredentials[2]) { if ($doLogin && $aCredentials[1] && $aCredentials[2]) {
$isOIDC = \str_starts_with($aCredentials[2], 'oidc_login|');
try { try {
$ocSession = \OC::$server->getSession(); $ocSession = \OC::$server->getSession();
if (true === $aCredentials[2]) { $oAccount = $oActions->LoginProcess($aCredentials[1], $aCredentials[2]);
// OIDC if (!$isOIDC && $oAccount
$pwd = new \SnappyMail\SensitiveString($aCredentials[1]); && $oConfig->Get('login', 'sign_me_auto', \RainLoop\Enumerations\SignMeType::DefaultOff) === \RainLoop\Enumerations\SignMeType::DefaultOn
$oAccount = $oActions->LoginProcess($aCredentials[1], $pwd); ) {
if ($oAccount) { $oActions->SetSignMeToken($oAccount);
$oActions->SetSignMeToken($oAccount);
}
} else {
$oAccount = $oActions->LoginProcess($aCredentials[1], $aCredentials[2]);
if ($oAccount && $oConfig->Get('login', 'sign_me_auto', \RainLoop\Enumerations\SignMeType::DefaultOff) === \RainLoop\Enumerations\SignMeType::DefaultOn) {
$oActions->SetSignMeToken($oAccount);
}
} }
} catch (\Throwable $e) { } catch (\Throwable $e) {
// Login failure, reset password to prevent more attempts // Login failure, reset password to prevent more attempts
$sUID = \OC::$server->getUserSession()->getUser()->getUID(); if (!$isOIDC) {
\OC::$server->getSession()['snappymail-passphrase'] = ''; $sUID = \OC::$server->getUserSession()->getUser()->getUID();
\OC::$server->getConfig()->setUserValue($sUID, 'snappymail', 'passphrase', ''); \OC::$server->getSession()['snappymail-passphrase'] = '';
\SnappyMail\Log::error('Nextcloud', $e->getMessage()); \OC::$server->getConfig()->setUserValue($sUID, 'snappymail', 'passphrase', '');
\SnappyMail\Log::error('Nextcloud', $e->getMessage());
}
} }
} }
} }
@ -127,6 +123,32 @@ class SnappyMailHelper
} }
} }
// Check if OpenID Connect (OIDC) is enabled and used for login
// https://apps.nextcloud.com/apps/oidc_login
public static function isOIDCLogin() : bool
{
$config = \OC::$server->getConfig();
if ($config->getAppValue('snappymail', 'snappymail-autologin-oidc', false)) {
// Check if the OIDC Login app is enabled
if (\OC::$server->getAppManager()->isEnabledForUser('oidc_login')) {
// Check if session is an OIDC Login
$ocSession = \OC::$server->getSession();
if ($ocSession->get('is_oidc')) {
// IToken->getPassword() ???
if ($ocSession->get('oidc_access_token')) {
return true;
}
\SnappyMail\Log::debug('Nextcloud', 'OIDC access_token missing');
} else {
\SnappyMail\Log::debug('Nextcloud', 'No OIDC login');
}
} else {
\SnappyMail\Log::debug('Nextcloud', 'OIDC login disabled');
}
}
return false;
}
private static function getLoginCredentials() : array private static function getLoginCredentials() : array
{ {
$sUID = \OC::$server->getUserSession()->getUser()->getUID(); $sUID = \OC::$server->getUserSession()->getUser()->getUID();
@ -152,18 +174,9 @@ class SnappyMailHelper
if ($ocSession['snappymail-nc-uid'] == $sUID) { if ($ocSession['snappymail-nc-uid'] == $sUID) {
// If OpenID Connect (OIDC) is enabled and used for login, use this. // If OpenID Connect (OIDC) is enabled and used for login, use this.
// https://apps.nextcloud.com/apps/oidc_login if (static::isOIDCLogin()) {
if ($config->getAppValue('snappymail', 'snappymail-autologin-oidc', false)) { $sEmail = $config->getUserValue($sUID, 'settings', 'email');
if ($ocSession->get('is_oidc')) { return [$sUID, $sEmail, "oidc_login|{$sUID}"];
// IToken->getPassword() ???
if ($ocSession->get('oidc_access_token')) {
$sEmail = $config->getUserValue($sUID, 'settings', 'email');
return [$sUID, $sEmail, true];
}
\SnappyMail\Log::debug('Nextcloud', 'OIDC access_token missing');
} else {
\SnappyMail\Log::debug('Nextcloud', 'No OIDC login');
}
} }
// Only use the user's password in the current session if they have // Only use the user's password in the current session if they have

View file

@ -90,33 +90,17 @@ class NextcloudPlugin extends \RainLoop\Plugins\AbstractPlugin
public function beforeLogin(\RainLoop\Model\Account $oAccount, \MailSo\Net\NetClient $oClient, \MailSo\Net\ConnectSettings $oSettings) : void public function beforeLogin(\RainLoop\Model\Account $oAccount, \MailSo\Net\NetClient $oClient, \MailSo\Net\ConnectSettings $oSettings) : void
{ {
// https://apps.nextcloud.com/apps/oidc_login
$config = \OC::$server->getConfig();
$oUser = \OC::$server->getUserSession()->getUser();
$sUID = $oUser->getUID();
$sEmail = $config->getUserValue($sUID, 'snappymail', 'snappymail-email');
$sPassword = $config->getUserValue($sUID, 'snappymail', 'passphrase')
?: $config->getUserValue($sUID, 'snappymail', 'snappymail-password');
$bAccountDefinedExplicitly = ($sEmail && $sPassword) && $sEmail === $oSettings->username;
$sNcEmail = $oUser->getEMailAddress() ?: $oUser->getPrimaryEMailAddress();
// Only login with OIDC access token if // Only login with OIDC access token if
// it is enabled in config, the user is currently logged in with OIDC, // it is enabled in config, the user is currently logged in with OIDC,
// the current snappymail account is the OIDC account and no account defined explicitly // the current snappymail account is the OIDC account and no account defined explicitly
if (\OC::$server->getConfig()->getAppValue('snappymail', 'snappymail-autologin-oidc', false) if ($oAccount instanceof \RainLoop\Model\MainAccount
&& \OC::$server->getSession()->get('is_oidc') && \OCA\SnappyMail\Util\SnappyMailHelper::isOIDCLogin()
&& $sNcEmail === $oSettings->username
&& !$bAccountDefinedExplicitly
&& $oAccount instanceof \RainLoop\Model\MainAccount
// && $oClient->supportsAuthType('OAUTHBEARER') // v2.28 // && $oClient->supportsAuthType('OAUTHBEARER') // v2.28
&& \str_starts_with($oSettings->passphrase, 'oidc_login|')
) { ) {
$sAccessToken = \OC::$server->getSession()->get('oidc_access_token'); // $oSettings->passphrase = \OC::$server->getSession()->get('snappymail-passphrase');
if ($sAccessToken) { $oSettings->passphrase = \OC::$server->getSession()->get('oidc_access_token');
$oSettings->passphrase = $sAccessToken; \array_unshift($oSettings->SASLMechanisms, 'OAUTHBEARER');
\array_unshift($oSettings->SASLMechanisms, 'OAUTHBEARER');
}
} }
} }