Merge pull request #1393 from nextcloud/enh/ai-safety-api-key

enh: Require API-Key for webDAV API

Author: marcelklehr

appinfo/info.xml

@@ -132,8 +132,5 @@ The app does not send any sensitive data to cloud providers or similar services.
 		<collections>
 			<collection>OCA\Recognize\Dav\RootCollection</collection>
 		</collections>
-		<plugins>
-			<plugin>OCA\Recognize\Dav\Faces\PropFindPlugin</plugin>
-		</plugins>
 	</sabre>
 </info>

lib/AppInfo/Application.php

@@ -8,6 +8,7 @@
 namespace OCA\Recognize\AppInfo;
 
 use OCA\DAV\Connector\Sabre\Principal;
+use OCA\Recognize\Dav\Faces\PropFindPlugin;
 use OCA\Recognize\Hooks\FileListener;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@@ -21,6 +22,7 @@
 use OCP\Files\Events\Node\NodeDeletedEvent;
 use OCP\Files\Events\Node\NodeRenamedEvent;
 use OCP\Files\Events\NodeRemovedFromCache;
+use OCP\SabrePluginEvent;
 use OCP\Share\Events\ShareCreatedEvent;
 use OCP\Share\Events\ShareDeletedEvent;
 
@@ -65,5 +67,16 @@ public function register(IRegistrationContext $context): void {
 	 * @throws \Throwable
 	 */
 	public function boot(IBootContext $context): void {
+		$eventDispatcher = \OCP\Server::get(IEventDispatcher::class);
+		$eventDispatcher->addListener('OCA\DAV\Connector\Sabre::addPlugin', function (SabrePluginEvent $event): void {
+			$server = $event->getServer();
+
+			if ($server !== null) {
+				// We have to register the PropFindPlugin here and not info.xml,
+				// because info.xml plugins are loaded, after the
+				// beforeMethod:* hook has already been emitted.
+				$server->addPlugin($this->getContainer()->get(PropFindPlugin::class));
+			}
+		});
 	}
 }

lib/Dav/Faces/PropFindPlugin.php

@@ -15,14 +15,19 @@
 use OCA\Recognize\Db\FaceDetectionWithTitle;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\MultipleObjectsReturnedException;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\DB\Exception;
 use OCP\Files\DavUtil;
 use OCP\IPreview;
+use OCP\Security\ICrypto;
+use Psr\Log\LoggerInterface;
 use Sabre\DAV\Exception\Forbidden;
 use Sabre\DAV\INode;
 use Sabre\DAV\PropFind;
 use Sabre\DAV\Server;
 use Sabre\DAV\ServerPlugin;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
 
 final class PropFindPlugin extends ServerPlugin {
 	public const FACE_DETECTIONS_PROPERTYNAME = '{http://nextcloud.org/ns}face-detections';
@@ -31,12 +36,17 @@ final class PropFindPlugin extends ServerPlugin {
 	public const NBITEMS_PROPERTYNAME = '{http://nextcloud.org/ns}nbItems';
 	public const FACE_PREVIEW_IMAGE_PROPERTYNAME = '{http://nextcloud.org/ns}face-preview-image';
 
+	public const API_KEY_TIMEOUT = 60 * 60 * 24;
+
 	private Server $server;
 
 	public function __construct(
 		private FaceDetectionMapper $faceDetectionMapper,
 		private IPreview $previewManager,
 		private FaceClusterMapper $faceClusterMapper,
+		private ICrypto $crypto,
+		private LoggerInterface $logger,
+		private ITimeFactory $timeFactory,
 	) {
 	}
 
@@ -45,6 +55,7 @@ public function initialize(Server $server) {
 
 		$this->server->on('propFind', [$this, 'propFind']);
 		$this->server->on('beforeMove', [$this, 'beforeMove']);
+		$this->server->on('beforeMethod:*', [$this, 'beforeMethod'], 1);
 	}
 
 
@@ -113,4 +124,38 @@ public function beforeMove($source, $target) {
 		}
 		return true;
 	}
+
+	public function beforeMethod(RequestInterface $request, ResponseInterface $response) {
+		if (!str_starts_with($request->getPath(), 'recognize')) {
+			return;
+		}
+		$key = $request->getHeader('X-Recognize-Api-Key');
+		if ($key === null) {
+			throw new Forbidden('You must provide a valid X-Recognize-Api-Key');
+		}
+		try {
+			$json = $this->crypto->decrypt($key);
+		} catch (\Exception $e) {
+			$this->logger->warning('Failed to decrypt recognize API key. Denying entry.', ['exception' => $e]);
+			throw new Forbidden('You must provide a valid X-Recognize-Api-Key');
+		}
+		try {
+			$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
+		} catch (\JsonException $e) {
+			$this->logger->warning('Failed to decode recognize API key. Denying entry.', ['exception' => $e]);
+			throw new Forbidden('You must provide a valid X-Recognize-Api-Key');
+		}
+
+		if (!isset($data['type']) || $data['type'] !== 'recognize-api-key' || !isset($data['version']) || $data['version'] !== 1 || !isset($data['timestamp'])) {
+			$this->logger->warning('Failed to validate recognize API key.', ['data' => $data]);
+			throw new Forbidden('You must provide a valid X-Recognize-Api-Key');
+		}
+
+		if ($this->timeFactory->now()->getTimestamp() - (int)$data['timestamp'] < self::API_KEY_TIMEOUT) {
+			return;
+		}
+
+		$this->logger->info('API key is too old, denying entry', ['data' => $data]);
+		throw new Forbidden('You must provide a valid X-Recognize-Api-Key');
+	}
 }

lib/Public/ApiKeyManager.php

@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * Copyright (c) 2025 The Recognize contributors.
+ * This file is licensed under the Affero General Public License version 3 or later. See the COPYING file.
+ */
+
+namespace OCA\Recognize\Public;
+
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Security\ICrypto;
+
+/**
+ * @api
+ */
+class ApiKeyManager {
+
+	public function __construct(
+		private ICrypto $crypto,
+		private ITimeFactory $timeFactory,
+	) {
+	}
+
+	/**
+	 * @throws \JsonException
+	 */
+	public function generateApiKey(): string {
+		return $this->crypto->encrypt(json_encode(['type' => 'recognize-api-key', 'version' => 1, 'timestamp' => $this->timeFactory->now()->getTimestamp()], JSON_THROW_ON_ERROR));
+	}
+}

psalm-baseline.xml

@@ -4,12 +4,20 @@
     <DeprecatedInterface>
       <code><![CDATA[$this->getContainer()]]></code>
     </DeprecatedInterface>
+    <MissingDependency>
+      <code><![CDATA[PropFindPlugin]]></code>
+    </MissingDependency>
     <MixedArgument>
       <code><![CDATA[Principal::class]]></code>
+      <code><![CDATA[PropFindPlugin::class]]></code>
     </MixedArgument>
     <UndefinedClass>
       <code><![CDATA[Principal]]></code>
     </UndefinedClass>
+    <UndefinedDocblockClass>
+      <code><![CDATA[$event->getServer()]]></code>
+      <code><![CDATA[$server]]></code>
+    </UndefinedDocblockClass>
   </file>
   <file src="lib/BackgroundJobs/ClassifierJob.php">
     <ArgumentTypeCoercion>