From 214ec5c10666e4ff5bc981ecd80ca0b3572fd871 Mon Sep 17 00:00:00 2001 From: Sebastian Sterk Date: Wed, 20 Jan 2021 19:52:33 +0100 Subject: [PATCH 1/8] Add files via upload Signed-off-by: Sebastian --- lib/http.php | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 lib/http.php diff --git a/lib/http.php b/lib/http.php new file mode 100644 index 0000000..b2bb551 --- /dev/null +++ b/lib/http.php 
@@ -0,0 +1,76 @@ + + * This file is licensed under the Affero General Public License version 3 or + * later. + * See the COPYING-README file. + */ + +/** + * User authentication against a generic HTTP auth interface + * + * @category Apps + * @package UserExternal + * @author Sebastian Sterk https://wiuwiu.de/Imprint + * @license http://www.gnu.org/licenses/agpl AGPL + */ +class OC_User_HTTP extends \OCA\user_external\Base { + private $hashAlgo; + private $accessKey; + private $authenticationEndpoint; + + public function __construct($authenticationEndpoint, $hashAlgo, $accessKey) { + parent::__construct($authenticationEndpoint); + $this->authenticationEndpoint = $authenticationEndpoint; + $this->hashAlgo = $hashAlgo; + $this->accessKey = $accessKey; + } + + public function sendUserData($user, $password){ + if($this->hashAlgo !== false){ + $password = $this->hashPassword($password); + } + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $this->authenticationEndpoint); + curl_setopt($ch, CURLOPT_HEADER, true); + curl_setopt($ch, CURLOPT_NOBODY, true); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_POST, 1); + curl_setopt($ch, CURLOPT_POSTFIELDS, + http_build_query(array( + 'accessKey' => $this->accessKey, + 'user' => $user, + 'password' => $password + ) + ) + ); + $response = curl_exec($ch); + $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); + curl_close($ch); + if($httpCode == 202){ + return true; + } else{ + return false; + } + + } + + public function hashPassword($password){ + return hash($this->hashAlgo, $password); + } + + public function checkPassword($uid, $password){ + if(isset($uid) + && isset($password)) { + + $authenticationStatus = $this->sendUserData($uid, $password); + if ($authenticationStatus) { + $uid = mb_strtolower($uid); + $this->storeUser($uid); + return $uid; + } else { + return false; + } + } + } +} From e68834488059c039d376a9f3b596d2023420ec50 Mon Sep 17 00:00:00 2001 
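Review bot: checkPassword lower-cases `$uid` only after sendUserData has authenticated the original-case value, so if the endpoint treats `Admin` and `admin` as different users both end up stored as the single Nextcloud account `admin`; move `$uid = mb_strtolower($uid);` ahead of the sendUserData call so the endpoint sees the same identifier that is stored, or drop the normalisation if the endpoint is case-sensitive by design. sendUserData sets no CURLOPT_CONNECTTIMEOUT or CURLOPT_TIMEOUT and discards `$response` without checking `curl_exec()` for `false`, so an unreachable endpoint blocks each login for libcurl's default wait and a transport error is indistinguishable from a rejected credential (both yield a non-202 code); add `curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_TIMEOUT, 10);` and log when `curl_exec()` returns `false`. checkPassword falls off the end and returns null when `$uid` or `$password` is null; add `return false;` after the outer if so every path returns either `false` or the uid. hashPassword applies an unsalted `hash()` to the raw password, so the value sent is a deterministic credential equivalent; its docblock should state that it only keeps the literal password out of endpoint logs and does not protect it against replay or offline guessing.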
From: Sebastian Sterk Date: Wed, 20 Jan 2021 20:06:05 +0100 Subject: [PATCH 2/8] Update README.md Signed-off-by: Sebastian --- README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.md b/README.md index 0bad94b..4d39c47 100644 --- a/README.md +++ b/README.md 
@@ -215,6 +215,34 @@ Add the following to your `config.php`: **⚠⚠ Warning:** If you need to set *5 (Hashed Password in Database)* to false, your Prosody Instance is storing passwords in plaintext. This is insecure and not recommended. We highly recommend that you change your Prosody configuration to protect the passwords of your Prosody users. ⚠⚠ +HTTP +---- +Authenticate Nextcloud users against a generic HTTP interface. +A user and password need to be given for the Nextcloud login. If the configured HTTP interface responds with HTTP Status Code *202*, the user is authenticated successfully. + + +### Configuration +Add the following to your `config.php`: + + 'user_backends' => array ( + 0 => array ( + 'class' => 'OC_User_HTTP', + 'arguments' => array ( + 0 => 'https://example.com/authenticate.php', + 1 => 'sha1', + 2 => 'GbTESTexHJyWYs3Yr9WiUwIuJgH7zsJSax', + ), + ), + ), + +0 - Authentication Endpoint + (Required) This is the URL to your authentication endpoint. You are fully responsible for doing proper authentication on your authentication endpoint's side. If the authentication was successful, your authentication endpoint must respond with HTTP status code *202*, any other HTTP status code will be detected as unauthenticated. +1 - Hash Algorithm + (Optional) By default, the user's password is sent in plaintext your authentication endpoint. If you set a hash algorithm, only the hashed password is sent to your authentication endpoint. Supportet algorithms: https://www.php.net/manual/en/function.hash-algos.php +2 - Access Key + (Optional) If you have secured your authentication endpoint you can define an access key. This key is sent to your authentication endpoint when Nextcloud tries to send requests to your authentication endpoint. + + Alternatives ------------ Other extensions allow connecting to external user databases directly via SQL, which may be faster: From 16e4fc558115e291536ee504571802e8b6e4f09d Mon Sep 17 00:00:00 2001 
From: Sebastian Sterk Date: Wed, 20 Jan 2021 20:07:54 +0100 Subject: [PATCH 3/8] Update README.md Signed-off-by: Sebastian --- README.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 4d39c47..8aa8d81 100644 --- a/README.md +++ b/README.md 
@@ -235,12 +235,9 @@ Add the following to your `config.php`: ), ), -0 - Authentication Endpoint - (Required) This is the URL to your authentication endpoint. You are fully responsible for doing proper authentication on your authentication endpoint's side. If the authentication was successful, your authentication endpoint must respond with HTTP status code *202*, any other HTTP status code will be detected as unauthenticated. -1 - Hash Algorithm - (Optional) By default, the user's password is sent in plaintext your authentication endpoint. If you set a hash algorithm, only the hashed password is sent to your authentication endpoint. Supportet algorithms: https://www.php.net/manual/en/function.hash-algos.php -2 - Access Key - (Optional) If you have secured your authentication endpoint you can define an access key. This key is sent to your authentication endpoint when Nextcloud tries to send requests to your authentication endpoint. +0 - (Required) Authentication Endpoint: This is the URL to your authentication endpoint. You are fully responsible for doing proper authentication on your authentication endpoint's side. If the authentication was successful, your authentication endpoint must respond with HTTP status code *202*, any other HTTP status code will be detected as unauthenticated. +1 - (Optional) Hash Algorithm: By default, the user's password is sent in plaintext your authentication endpoint. If you set a hash algorithm, only the hashed password is sent to your authentication endpoint. Supportet algorithms: https://www.php.net/manual/en/function.hash-algos.php +2 - (Optional) Access Key: If you have secured your authentication endpoint you can define an access key. This key is sent to your authentication endpoint when Nextcloud tries to send requests to your authentication endpoint. Alternatives From 23accc3e0258a6cfb1d9fa7207ef10e7e089cfbb Mon Sep 17 00:00:00 2001 From: Sebastian Sterk Date: Wed, 20 Jan 2021 20:09:32 +0100 Subject: [PATCH 4/8] Update README.md 
Signed-off-by: Sebastian --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 8aa8d81..1b000a9 100644 --- a/README.md +++ b/README.md @@ -205,12 +205,12 @@ Add the following to your `config.php`: ), ), -0 - Database Host -1 - Prosody Database Name -2 - Database User -3 - Database User Password -4 - XMPP Domain -5 - Hashed Passwords in Database (true) / Plaintext Passwords in Database (false) +- 0 - Database Host +- 1 - Prosody Database Name +- 2 - Database User +- 3 - Database User Password +- 4 - XMPP Domain +- 5 - Hashed Passwords in Database (true) / Plaintext Passwords in Database (false) **⚠⚠ Warning:** If you need to set *5 (Hashed Password in Database)* to false, your Prosody Instance is storing passwords in plaintext. This is insecure and not recommended. We highly recommend that you change your Prosody configuration to protect the passwords of your Prosody users. ⚠⚠ 
@@ -235,9 +235,9 @@ Add the following to your `config.php`: ), ), -0 - (Required) Authentication Endpoint: This is the URL to your authentication endpoint. You are fully responsible for doing proper authentication on your authentication endpoint's side. If the authentication was successful, your authentication endpoint must respond with HTTP status code *202*, any other HTTP status code will be detected as unauthenticated. -1 - (Optional) Hash Algorithm: By default, the user's password is sent in plaintext your authentication endpoint. If you set a hash algorithm, only the hashed password is sent to your authentication endpoint. Supportet algorithms: https://www.php.net/manual/en/function.hash-algos.php -2 - (Optional) Access Key: If you have secured your authentication endpoint you can define an access key. This key is sent to your authentication endpoint when Nextcloud tries to send requests to your authentication endpoint. +- 0 - (Required) Authentication Endpoint: This is the URL to your authentication endpoint. You are fully responsible for doing proper authentication on your authentication endpoint's side. If the authentication was successful, your authentication endpoint must respond with HTTP status code *202*, any other HTTP status code will be detected as unauthenticated. +- 1 - (Optional) Hash Algorithm: By default, the user's password is sent in plaintext your authentication endpoint. If you set a hash algorithm, only the hashed password is sent to your authentication endpoint. Supportet algorithms: https://www.php.net/manual/en/function.hash-algos.php +- 2 - (Optional) Access Key: If you have secured your authentication endpoint you can define an access key. This key is sent to your authentication endpoint when Nextcloud tries to send requests to your authentication endpoint. Alternatives From 22a641ede2d12db07e737916c26f006ba25f344b Mon Sep 17 00:00:00 2001 
From: Sebastian Sterk Date: Wed, 20 Jan 2021 20:11:12 +0100 Subject: [PATCH 5/8] Update http.php Signed-off-by: Sebastian --- lib/http.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/http.php b/lib/http.php index b2bb551..8c33851 100644 --- a/lib/http.php +++ b/lib/http.php @@ -19,7 +19,7 @@ class OC_User_HTTP extends \OCA\user_external\Base { private $accessKey; private $authenticationEndpoint; - public function __construct($authenticationEndpoint, $hashAlgo, $accessKey) { + public function __construct($authenticationEndpoint, $hashAlgo = false, $accessKey = '') { parent::__construct($authenticationEndpoint); $this->authenticationEndpoint = $authenticationEndpoint; $this->hashAlgo = $hashAlgo; From a9411323427ed6a5588541a29d0467a8b68c21e2 Mon Sep 17 00:00:00 2001 From: Sebastian Sterk Date: Wed, 20 Jan 2021 20:11:59 +0100 Subject: [PATCH 6/8] Update info.xml Signed-off-by: Sebastian --- appinfo/info.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/appinfo/info.xml b/appinfo/info.xml index a8f7fa4..4e11269 100644 --- a/appinfo/info.xml +++ b/appinfo/info.xml @@ -3,7 +3,7 @@ xsi:noNamespaceSchemaLocation="https://apps.nextcloud.com/schema/apps/info.xsd"> user_external External user authentication - Use external user authentication methods like IMAP, SMB, FTP, WebDAV, HTTP BasicAuth, SSH and XMPP + Use external user authentication methods like IMAP, SMB, FTP, WebDAV, HTTP BasicAuth, SSH, XMPP and HTTP From 3310be79effa8c251661c2361145ee973988c414 Mon Sep 17 00:00:00 2001 From: Sebastian Date: Wed, 20 Jan 2021 20:31:50 +0100 Subject: [PATCH 7/8] Update appinfo, fix indentation Signed-off-by: Sebastian --- appinfo/info.xml | 2 +- lib/http.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/appinfo/info.xml b/appinfo/info.xml index 4e11269..fa26c0b 100644 --- a/appinfo/info.xml +++ b/appinfo/info.xml 
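Review bot: The new default `$hashAlgo = false` only disables hashing when the configured value is exactly `false`; sendUserData (outside this hunk) tests `$this->hashAlgo !== false`, so a config that passes `null` or `''` for argument 1 still calls `hash()` with an invalid algorithm name, which fails (PHP 8 throws ValueError) instead of sending the plaintext password as the README describes. Validate once in the constructor, e.g. `if ($hashAlgo !== false && !in_array($hashAlgo, hash_algos(), true)) { throw new \InvalidArgumentException('unsupported hash algorithm'); }`, and consider treating `''` and `null` as "no hashing" to match the README's optional-argument wording. The `$accessKey = ''` default means an endpoint without an access key still receives an empty `accessKey` field, which matches the README but is worth a one-line comment on the parameter. The constructor body continues past the end of this hunk.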
@@ -17,7 +17,7 @@ Read the [documentation](https://github.com/nextcloud/user_external#readme) to learn how to configure it! ]]> - 1.0.0 + 1.0.1 agpl Robin Appelman diff --git a/lib/http.php b/lib/http.php index 8c33851..5e3a671 100644 --- a/lib/http.php +++ b/lib/http.php @@ -1,6 +1,6 @@ + * Copyright (c) 2021 Sebastian Sterk * This file is licensed under the Affero General Public License version 3 or * later. * See the COPYING-README file. @@ -34,7 +34,7 @@ public function sendUserData($user, $password){ curl_setopt($ch, CURLOPT_URL, $this->authenticationEndpoint); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_NOBODY, true); - curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array( From c593566886c1110b3a738896ee7b93e314a2ff34 Mon Sep 17 00:00:00 2001 From: Sebastian Sterk Date: Tue, 1 Feb 2022 12:48:26 +0100 Subject: [PATCH 8/8] change public function to private class --- lib/http.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/http.php b/lib/http.php index 5e3a671..08df787 100644 --- a/lib/http.php +++ b/lib/http.php @@ -55,7 +55,7 @@ public function sendUserData($user, $password){ } - public function hashPassword($password){ + private function hashPassword($password){ return hash($this->hashAlgo, $password); }