Merge pull request #79 from theCalcaholic/fix/password-protected-share

Fix password protected shares on NC 32+

Author: theCalcaholic

composer.json

@@ -8,17 +8,11 @@
 			"name": "Tobias Knöppler"
 		}
 	],
-	"repositories": [
-		{
-			"type": "vcs",
-			"url": "https://github.com/nextcloud/openapi-extractor"
-		}
-	],
 	"require-dev": {
 		"bamarni/composer-bin-plugin": "^1.8",
+		"nextcloud/coding-standard": "^v1.2.1",
 		"nextcloud/ocp": "dev-master",
-		"nextcloud/openapi-extractor": "dev-main",
-		"nextcloud/coding-standard": "^v1.2.1"
+		"nextcloud/openapi-extractor": "^1.4"
 	},
 	"scripts": {
 		"bin": "echo 'bin not installed'",

composer.lock

@@ -24,7 +24,7 @@ public function __construct(IRequest $request, IManager $notificationManager, IU
 		parent::__construct(Application::APP_ID, $request);
 		$this->notificationManager = $notificationManager;
 		$this->userId = $userSession->getUser()?->getUID();
-		$this->debug = $config->getSystemValueBool("debug");
+		$this->debug = $config->getSystemValueBool('debug');
 	}
 
 	/**
@@ -33,12 +33,12 @@ public function __construct(IRequest $request, IManager $notificationManager, IU
 	 * @NoCSRFRequired
 	 *
 	 * @return TemplateResponse<Http::STATUS_OK, string>
-	 * 200: Return secrets page
+	 *                                                   200: Return secrets page
 	 */
 	public function index(): TemplateResponse {
 		Util::addScript(Application::APP_ID, 'secrets-main');
 
-		return new TemplateResponse(Application::APP_ID, 'main', ["debug" => $this->debug]);
+		return new TemplateResponse(Application::APP_ID, 'main', ['debug' => $this->debug]);
 	}
 
 	/**
@@ -48,7 +48,7 @@ public function index(): TemplateResponse {
 	 *
 	 * @param string $uuid The uuid of the secret
 	 * @return TemplateResponse<Http::STATUS_OK, string>
-	 * 200: Return secrets page and show specific secret
+	 *                                                   200: Return secrets page and show specific secret
 	 */
 	public function show(string $uuid): TemplateResponse {
 		$notification = $this->notificationManager->createNotification();

lib/Controller/PageController.php

@@ -20,7 +20,7 @@ class RedirectController extends Controller {
 	 * @NoCSRFRequired
 	 *
 	 * @return TemplateResponse<Http::STATUS_OK, string>
-	 * 200: Show secret share page
+	 *                                                   200: Show secret share page
 	 */
 	public function share(): TemplateResponse {
 		Util::addScript(Application::APP_ID, 'redirect');

lib/Controller/RedirectController.php

@@ -37,15 +37,15 @@ class SecretApiController extends OCSController {
 
 	use Errors;
 
-	public function __construct(IRequest             $request,
-		SecretService        $service,
+	public function __construct(IRequest $request,
+		SecretService $service,
 		ISession $session,
-		NotificationService  $notificationService,
+		NotificationService $notificationService,
 		INotificationManager $notificationManager,
-		IURLGenerator        $urlGenerator,
-		IAppManager          $appManager,
-		LoggerInterface      $logger,
-		?string              $userId) {
+		IURLGenerator $urlGenerator,
+		IAppManager $appManager,
+		LoggerInterface $logger,
+		?string $userId) {
 		parent::__construct(Application::APP_ID, $request);
 		$this->service = $service;
 		$this->notificationService = $notificationService;
@@ -54,7 +54,7 @@ public function __construct(IRequest             $request,
 		$this->urlGenerator = $urlGenerator;
 		$this->logger = $logger;
 		$this->session = $session;
-		$this->appVersion = $appManager->getAppInfo(Application::APP_ID)["version"];
+		$this->appVersion = $appManager->getAppInfo(Application::APP_ID)['version'];
 	}
 
 	/**
@@ -82,8 +82,8 @@ public function getAll(): DataResponse {
 	 * @param string $uuid The uuid of the secret
 	 *
 	 * @return DataResponse<Http::STATUS_OK, SecretsData, array{}>|DataResponse<Http::STATUS_NOT_FOUND, array{message: string}, array{}>
-	 * 200: Return secret with given uuid
-	 * 404: Secret not found
+	 *                                                                                                                                   200: Return secret with given uuid
+	 *                                                                                                                                   404: Secret not found
 	 */
 	public function get(string $uuid): DataResponse {
 		return $this->handleNotFound(function () use ($uuid) {
@@ -98,7 +98,7 @@ public function get(string $uuid): DataResponse {
 	 * @NoCSRFRequired
 	 *
 	 * @return DataResponse<Http::STATUS_OK, array{version: string}, array{}>
-	 * 200: Return application/api version
+	 *                                                                        200: Return application/api version
 	 *
 	 */
 	#[AnonRateLimit(limit: 120, period: 60)]
@@ -116,9 +116,9 @@ public function getVersion(): DataResponse {
 	 * @param string|null $password The password for the secret share
 	 *
 	 * @return DataResponse<Http::STATUS_NOT_FOUND, array{message: string}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, array{message: string}, array{}>|DataResponse<Http::STATUS_OK, array{iv: string, encrypted: string}, array{}>
-	 * 200: Return requested secret
-	 * 404: Secret not found for uuid
-	 * 401: Unauthorized
+	 *                                                                                                                                                                                                                                     200: Return requested secret
+	 *                                                                                                                                                                                                                                     404: Secret not found for uuid
+	 *                                                                                                                                                                                                                                     401: Unauthorized
 	 *
 	 */
 	#[UserRateLimit(limit: 500, period: 60)]
@@ -128,22 +128,25 @@ public function getVersion(): DataResponse {
 	public function retrieveSharedSecret(string $uuid, ?string $password): DataResponse {
 
 		$pwHash = null;
-		$pwHashLegacy = null;
 		if ($password) {
-			$pwHashLegacy = hash("sha256", $password . $uuid);
 			$pwHash = $this->service->verifyPassword($uuid, $password);
+			if ($pwHash === null) {
+				$pwHash = hash('sha256', $password . $uuid);
+			}
 		} elseif ($this->session->get('public_link_authenticated_token') === $uuid) {
 			$pwHash = $this->session->get('public_link_authenticated_password_hash');
-			$pwHashLegacy = $this->session->get('public_link_authenticated_password_hash_legacy');
+		} elseif ($this->session->get('public_link_authenticated_frontend')) {
+			$authPayload = json_decode($this->session->get('public_link_authenticated_frontend'));
+			$pwHash = $authPayload->$uuid;
 		}
 		try {
-			$secret = $this->service->retrieveAndInvalidateSecret($uuid, $pwHash, $pwHashLegacy);
+			$secret = $this->service->retrieveAndInvalidateSecret($uuid, $pwHash);
 		} catch (SecretNotFound $e) {
-			$resp = new DataResponse(["message" => "No secret with the given uuid was found"], Http::STATUS_NOT_FOUND);
+			$resp = new DataResponse(['message' => 'No secret with the given uuid was found'], Http::STATUS_NOT_FOUND);
 			$resp->throttle(['action' => 'retrieval']);
 			return $resp;
 		} catch (UnauthorizedException $e) {
-			$resp = new DataResponse(["message" => "Forbidden"], Http::STATUS_UNAUTHORIZED);
+			$resp = new DataResponse(['message' => 'Forbidden'], Http::STATUS_UNAUTHORIZED);
 			$resp->throttle(['action' => 'password']);
 			return $resp;
 		}
@@ -169,8 +172,8 @@ public function retrieveSharedSecret(string $uuid, ?string $password): DataRespo
 	 * @param ?string $password (Optional) password to protect the secret share
 	 *
 	 * @return DataResponse<Http::STATUS_CREATED, SecretsData, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, array{message: string}, array{}>
-	 * 201: Secret created
-	 * 401: Unauthorized
+	 *                                                                                                                                           201: Secret created
+	 *                                                                                                                                           401: Unauthorized
 	 */
 	public function createSecret(string $title, string $encrypted, string $iv, ?string $expires, ?string $password) {
 		if (!$this->userId) {
@@ -187,8 +190,8 @@ public function createSecret(string $title, string $encrypted, string $iv, ?stri
 	 * @param string $title The new title of the secret
 	 *
 	 * @return DataResponse<Http::STATUS_OK, SecretsData, array{}>|DataResponse<Http::STATUS_NOT_FOUND, array{message: string}, array{}>
-	 * 200: Return updated secret
-	 * 404: Secret not found
+	 *                                                                                                                                   200: Return updated secret
+	 *                                                                                                                                   404: Secret not found
 	 */
 	public function updateTitle(string $uuid, string $title): DataResponse {
 		return $this->handleNotFound(function () use ($uuid, $title) {
@@ -203,8 +206,8 @@ public function updateTitle(string $uuid, string $title): DataResponse {
 	 * @param string $uuid The uuid of the secret
 	 *
 	 * @return DataResponse<Http::STATUS_OK, array{message: string}, array{}>|DataResponse<Http::STATUS_NOT_FOUND, array{message: string}, array{}>
-	 * 200: Secret deleted
-	 * 404: Secret not found
+	 *                                                                                                                                              200: Secret deleted
+	 *                                                                                                                                              404: Secret not found
 	 */
 	public function delete(string $uuid): DataResponse {
 		try {

lib/Controller/SecretApiController.php

@@ -27,15 +27,15 @@ class SecretShareController extends AuthPublicShareController {
 	private Secret $secret;
 	private bool $debug;
 
-	public function __construct(IRequest      $request,
-		ISession        $session,
-		SecretService   $service,
-		IURLGenerator   $urlGenerator,
-		IConfig         $config,
+	public function __construct(IRequest $request,
+		ISession $session,
+		SecretService $service,
+		IURLGenerator $urlGenerator,
+		IConfig $config,
 		LoggerInterface $logger) {
 		parent::__construct(Application::APP_ID, $request, $session, $urlGenerator);
 		$this->service = $service;
-		$this->debug = $config->getSystemValueBool("debug");
+		$this->debug = $config->getSystemValueBool('debug');
 	}
 
 	/**
@@ -53,7 +53,7 @@ protected function getPasswordHash(): string {
 	private function getSecret(): ?Secret {
 		if (!isset($this->secret)) {
 			if (!$this->getToken()) {
-				throw new InvalidArgumentException("secret uuid is not defined");
+				throw new InvalidArgumentException('secret uuid is not defined');
 			}
 			$this->secret = $this->service->findPublic($this->getToken());
 		}
@@ -81,9 +81,9 @@ protected function isPasswordProtected(): bool {
 	protected function verifyPassword(string $password): bool {
 		try {
 			$pwHash = $this->service->verifyPassword($this->secret->getUuid(), $password);
-			return $pwHash !== null ||
+			return $pwHash !== null
 				# for backwards compatibility. TODO: remove after some time
-				hash("sha256", $password . $this->getSecret()->getUuid()) === $this->getPasswordHash();
+				|| hash('sha256', $password . $this->getSecret()->getUuid()) === $this->getPasswordHash();
 		} catch (SecretNotFound $e) {
 			return false;
 		}
@@ -97,20 +97,20 @@ protected function verifyPassword(string $password): bool {
 	 * @NoCSRFRequired
 	 *
 	 * @return TemplateResponse<Http::STATUS_OK, string>
-	 * 200: Show authentication page
+	 *                                                   200: Show authentication page
 	 *
 	 * @since 14.0.0
 	 */
 	public function showAuthenticate(): TemplateResponse {
 		return new TemplateResponse('secrets', 'publicshareauth',
-			["debug" => $this->debug], 'guest');
+			['debug' => $this->debug], 'guest');
 	}
 
 	/**
 	 * The template to show when authentication failed
 	 *
 	 * @return TemplateResponse<Http::STATUS_OK, string>
-	 * 200: Show authentication failure page
+	 *                                                   200: Show authentication failure page
 	 *
 	 * @since 14.0.0
 	 *
@@ -123,7 +123,7 @@ protected function showAuthFailed(): TemplateResponse {
 	 * The template to show after user identification
 	 *
 	 * @return TemplateResponse<Http::STATUS_OK, string>
-	 * 200: Show user identification success page
+	 *                                                   200: Show user identification success page
 	 *
 	 * @since 24.0.0
 	 */
@@ -138,7 +138,7 @@ protected function showIdentificationResult(bool $success): TemplateResponse {
 	 * @NoCSRFRequired
 	 *
 	 * @return TemplateResponse<Http::STATUS_OK, string>
-	 * 200: Show secret share page
+	 *                                                   200: Show secret share page
 	 */
 	public function showShare(): TemplateResponse {
 		Util::addScript(Application::APP_ID, 'secrets-public');

lib/Controller/SecretShareController.php

@@ -29,7 +29,7 @@ public function __construct(ITimeFactory $time, SecretService $service, LoggerIn
 	 * @throws Exception
 	 */
 	protected function run($argument) {
-		$this->logger->info("CRON: Cleaning expired secrets...");
+		$this->logger->info('CRON: Cleaning expired secrets...');
 		$dt = new DateTime('now');
 		$dt = $dt->sub(new DateInterval('P7D'));
 		$this->service->deleteExpiredAfter($dt->format('Y-m-d'));

lib/Cron/SecretCleanup.php

@@ -63,7 +63,7 @@ public function findPublic(string $uuid): Secret {
 			->from('secrets')
 			->where($qb->expr()->eq('uuid', $qb->createNamedParameter($uuid)))
 			->andWhere($qb->expr()->isNotNull('encrypted'))
-			->andWhere($qb->expr()->gt('expires', $qb->createNamedParameter(date("Y-m-d"))));
+			->andWhere($qb->expr()->gt('expires', $qb->createNamedParameter(date('Y-m-d'))));
 		return $this->findEntity($qb);
 	}
 

lib/Db/SecretMapper.php

@@ -57,11 +57,11 @@ public function __construct(IDBConnection $connection) {
 	 */
 	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
 		$schema = $schemaClosure();
-		$table = $schema->getTable("secrets");
-		if ($table->hasColumn("iv_str")) {
+		$table = $schema->getTable('secrets');
+		if ($table->hasColumn('iv_str')) {
 			return null;
 		}
-		$table->addColumn("iv_str", Types::TEXT, ['notnull' => false, 'length' => null, 'default' => '']);
+		$table->addColumn('iv_str', Types::TEXT, ['notnull' => false, 'length' => null, 'default' => '']);
 		return $schema;
 	}
 
@@ -78,7 +78,7 @@ public function postSchemaChange(IOutput $output, Closure $schemaClosure, array
 			->executeQuery();
 		while ($secret = $results->fetch()) {
 			$qb = $this->connection->getQueryBuilder();
-			$qb->update("secrets")
+			$qb->update('secrets')
 				->where($qb->expr()->eq('id', $qb->createNamedParameter($secret['id'])))
 				->set('iv_str', $qb->createNamedParameter(self::fixSerialization($secret['iv'])));
 			$qb->executeStatement();

lib/Migration/Version1001Date20230122142756.php

@@ -57,12 +57,12 @@ public function __construct(IDBConnection $connection) {
 	 */
 	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
 		$schema = $schemaClosure();
-		$table = $schema->getTable("secrets");
-		if (!$table->hasColumn("iv_str")) {
+		$table = $schema->getTable('secrets');
+		if (!$table->hasColumn('iv_str')) {
 			return null;
 		}
-		$table->dropColumn("iv");
-		$table->addColumn("iv", Types::TEXT, ['notnull' => false, 'length' => null, 'default' => '']);
+		$table->dropColumn('iv');
+		$table->addColumn('iv', Types::TEXT, ['notnull' => false, 'length' => null, 'default' => '']);
 		return $schema;
 	}