From 6f4f6bfd0325b8cc3054bf77580320fdc019b2cf Mon Sep 17 00:00:00 2001
From: the-djmaze <>
Date: Mon, 16 Sep 2024 13:49:59 +0200
Subject: [PATCH] Improved attempt for #1746
---
 .../snappymail/lib/Util/SnappyMailHelper.php | 69 +++++++++++--------
 plugins/nextcloud/index.php | 28 ++------
 2 files changed, 47 insertions(+), 50 deletions(-)
diff --git a/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php b/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php
index 2f23916cd..80a93d061 100644
--- a/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php
+++ b/integrations/nextcloud/snappymail/lib/Util/SnappyMailHelper.php
@@ -90,27 +90,23 @@ class SnappyMailHelper
 }
 */
 if ($doLogin && $aCredentials[1] && $aCredentials[2]) {
+ $isOIDC = \str_starts_with($aCredentials[2], 'oidc_login|');
 try {
 $ocSession = \OC::$server->getSession();
- if (true === $aCredentials[2]) {
- // OIDC
- $pwd = new \SnappyMail\SensitiveString($aCredentials[1]);
- $oAccount = $oActions->LoginProcess($aCredentials[1], $pwd);
- if ($oAccount) {
- $oActions->SetSignMeToken($oAccount);
- }
- } else {
- $oAccount = $oActions->LoginProcess($aCredentials[1], $aCredentials[2]);
- if ($oAccount && $oConfig->Get('login', 'sign_me_auto', \RainLoop\Enumerations\SignMeType::DefaultOff) === \RainLoop\Enumerations\SignMeType::DefaultOn) {
- $oActions->SetSignMeToken($oAccount);
- }
+ $oAccount = $oActions->LoginProcess($aCredentials[1], $aCredentials[2]);
+ if (!$isOIDC && $oAccount
+ && $oConfig->Get('login', 'sign_me_auto', \RainLoop\Enumerations\SignMeType::DefaultOff) === \RainLoop\Enumerations\SignMeType::DefaultOn
+ ) {
+ $oActions->SetSignMeToken($oAccount);
 }
 } catch (\Throwable $e) {
 // Login failure, reset password to prevent more attempts
- $sUID = \OC::$server->getUserSession()->getUser()->getUID();
- \OC::$server->getSession()['snappymail-passphrase'] = '';
- \OC::$server->getConfig()->setUserValue($sUID, 'snappymail', 'passphrase', '');
- \SnappyMail\Log::error('Nextcloud', $e->getMessage());
+ if (!$isOIDC) {
+ $sUID = \OC::$server->getUserSession()->getUser()->getUID();
+ \OC::$server->getSession()['snappymail-passphrase'] = '';
+ \OC::$server->getConfig()->setUserValue($sUID, 'snappymail', 'passphrase', '');
+ \SnappyMail\Log::error('Nextcloud', $e->getMessage());
+ }
 }
 }
 }
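Review bot: In the catch block, `\SnappyMail\Log::error('Nextcloud', $e->getMessage());` now sits inside `if (!$isOIDC) {`, so a failed OIDC login is swallowed with no log entry at all, which removes the one signal an operator has for diagnosing OAUTHBEARER/token problems; only the passphrase reset needs the guard. Move the error call after the closing brace of the `if (!$isOIDC)` block so it runs on either path. The `$isOIDC` prefix test also assumes `$aCredentials[2]` is a string, which holds now that getLoginCredentials() returns `"oidc_login|{$sUID}"` in that slot, but a short comment on the `$isOIDC` line saying where that marker comes from would save the next reader a search. The enclosing method starts outside this hunk.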
@@ -127,6 +123,32 @@ class SnappyMailHelper
 }
 }
+ // Check if OpenID Connect (OIDC) is enabled and used for login
+ // https://apps.nextcloud.com/apps/oidc_login
+ public static function isOIDCLogin() : bool
+ {
+ $config = \OC::$server->getConfig();
+ if ($config->getAppValue('snappymail', 'snappymail-autologin-oidc', false)) {
+ // Check if the OIDC Login app is enabled
+ if (\OC::$server->getAppManager()->isEnabledForUser('oidc_login')) {
+ // Check if session is an OIDC Login
+ $ocSession = \OC::$server->getSession();
+ if ($ocSession->get('is_oidc')) {
+ // IToken->getPassword() ???
+ if ($ocSession->get('oidc_access_token')) {
+ return true;
+ }
+ \SnappyMail\Log::debug('Nextcloud', 'OIDC access_token missing');
+ } else {
+ \SnappyMail\Log::debug('Nextcloud', 'No OIDC login');
+ }
+ } else {
+ \SnappyMail\Log::debug('Nextcloud', 'OIDC login disabled');
+ }
+ }
+ return false;
+ }
+
 private static function getLoginCredentials() : array
 {
 $sUID = \OC::$server->getUserSession()->getUser()->getUID();
@@ -152,18 +174,9 @@ class SnappyMailHelper
 if ($ocSession['snappymail-nc-uid'] == $sUID) {
 // If OpenID Connect (OIDC) is enabled and used for login, use this.
- // https://apps.nextcloud.com/apps/oidc_login
- if ($config->getAppValue('snappymail', 'snappymail-autologin-oidc', false)) {
- if ($ocSession->get('is_oidc')) {
- // IToken->getPassword() ???
- if ($ocSession->get('oidc_access_token')) {
- $sEmail = $config->getUserValue($sUID, 'settings', 'email');
- return [$sUID, $sEmail, true];
- }
- \SnappyMail\Log::debug('Nextcloud', 'OIDC access_token missing');
- } else {
- \SnappyMail\Log::debug('Nextcloud', 'No OIDC login');
- }
+ if (static::isOIDCLogin()) {
+ $sEmail = $config->getUserValue($sUID, 'settings', 'email');
+ return [$sUID, $sEmail, "oidc_login|{$sUID}"];
 }
 // Only use the user's password in the current session if they have
diff --git a/plugins/nextcloud/index.php b/plugins/nextcloud/index.php
index 971dd29e7..0e76a0cc4 100644
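Review bot: isOIDCLogin() nests four conditionals where each inner branch either returns true or logs and falls through to the final `return false;`, which reads more plainly as guard clauses that log and return early; the rewrite below keeps the same checks, the same debug messages and the same result. The `// IToken->getPassword() ???` comment carried over from the old getLoginCredentials() body is an open question rather than documentation and should be resolved or dropped. The two leading `//` lines would serve better as a PHPDoc on the method, e.g. `/** True when OIDC auto-login is enabled, the oidc_login app is active and the current session carries an OIDC access token; logs the failing check at debug level otherwise. */`.
```php
public static function isOIDCLogin() : bool
{
	$config = \OC::$server->getConfig();
	if (!$config->getAppValue('snappymail', 'snappymail-autologin-oidc', false)) {
		return false;
	}
	if (!\OC::$server->getAppManager()->isEnabledForUser('oidc_login')) {
		\SnappyMail\Log::debug('Nextcloud', 'OIDC login disabled');
		return false;
	}
	$ocSession = \OC::$server->getSession();
	if (!$ocSession->get('is_oidc')) {
		\SnappyMail\Log::debug('Nextcloud', 'No OIDC login');
		return false;
	}
	if (!$ocSession->get('oidc_access_token')) {
		\SnappyMail\Log::debug('Nextcloud', 'OIDC access_token missing');
		return false;
	}
	return true;
}
```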
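Review bot: The value `"oidc_login|{$sUID}"` returned in the passphrase slot is an in-band placeholder that plugins/nextcloud/index.php later swaps for the session's access token, but nothing on this line says so, and the literal prefix `'oidc_login|'` is now repeated in the login code above and in the plugin. Declare it once, `public const OIDC_PASSPHRASE_PREFIX = 'oidc_login|';` on SnappyMailHelper, and return `[$sUID, $sEmail, self::OIDC_PASSPHRASE_PREFIX . $sUID]` here with a comment such as `// placeholder passphrase; beforeLogin() in the nextcloud plugin replaces it with the OIDC access token`. getLoginCredentials() starts and ends outside this hunk.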
--- a/plugins/nextcloud/index.php
+++ b/plugins/nextcloud/index.php
@@ -90,33 +90,17 @@ class NextcloudPlugin extends \RainLoop\Plugins\AbstractPlugin
 public function beforeLogin(\RainLoop\Model\Account $oAccount, \MailSo\Net\NetClient $oClient, \MailSo\Net\ConnectSettings $oSettings) : void
 {
- // https://apps.nextcloud.com/apps/oidc_login
- $config = \OC::$server->getConfig();
- $oUser = \OC::$server->getUserSession()->getUser();
- $sUID = $oUser->getUID();
-
- $sEmail = $config->getUserValue($sUID, 'snappymail', 'snappymail-email');
- $sPassword = $config->getUserValue($sUID, 'snappymail', 'passphrase')
- ?: $config->getUserValue($sUID, 'snappymail', 'snappymail-password');
- $bAccountDefinedExplicitly = ($sEmail && $sPassword) && $sEmail === $oSettings->username;
-
- $sNcEmail = $oUser->getEMailAddress() ?: $oUser->getPrimaryEMailAddress();
-
 // Only login with OIDC access token if
 // it is enabled in config, the user is currently logged in with OIDC,
 // the current snappymail account is the OIDC account and no account defined explicitly
- if (\OC::$server->getConfig()->getAppValue('snappymail', 'snappymail-autologin-oidc', false)
- && \OC::$server->getSession()->get('is_oidc')
- && $sNcEmail === $oSettings->username
- && !$bAccountDefinedExplicitly
- && $oAccount instanceof \RainLoop\Model\MainAccount
+ if ($oAccount instanceof \RainLoop\Model\MainAccount
+ && \OCA\SnappyMail\Util\SnappyMailHelper::isOIDCLogin()
 // && $oClient->supportsAuthType('OAUTHBEARER') // v2.28
+ && \str_starts_with($oSettings->passphrase, 'oidc_login|')
 ) {
- $sAccessToken = \OC::$server->getSession()->get('oidc_access_token');
- if ($sAccessToken) {
- $oSettings->passphrase = $sAccessToken;
- \array_unshift($oSettings->SASLMechanisms, 'OAUTHBEARER');
- }
+// $oSettings->passphrase = \OC::$server->getSession()->get('snappymail-passphrase');
+ $oSettings->passphrase = \OC::$server->getSession()->get('oidc_access_token');
+ \array_unshift($oSettings->SASLMechanisms, 'OAUTHBEARER');
 }
 }
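Review bot: The new condition only tests the `'oidc_login|'` prefix of `$oSettings->passphrase`, while getLoginCredentials() embeds the Nextcloud UID after that prefix; comparing the whole placeholder binds the token substitution to the user who is actually logged in and costs one line, `&& $oSettings->passphrase === 'oidc_login|' . \OC::$server->getUserSession()->getUser()->getUID()`. The removed `$sNcEmail === $oSettings->username` and `!$bAccountDefinedExplicitly` checks have no counterpart here, so a stored account password that happens to start with the prefix would now take the OAUTHBEARER path; the three-line comment above the `if` still describes the old conditions and should be updated to say the branch fires on the placeholder passphrase. The commented-out `// $oSettings->passphrase = \OC::$server->getSession()->get('snappymail-passphrase');` line is dead code and belongs in the commit message, not next to the live assignment. If ConnectSettings::$passphrase can hold a SensitiveString rather than a plain string, `\str_starts_with` would need an explicit `(string)` cast under strict types; that cannot be confirmed from this hunk.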