Skip to content

feat(login-flow-v2): Restrict allowed apps by user agent check #50650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 24, 2025
Merged

feat(login-flow-v2): Restrict allowed apps by user agent check #50650

merged 1 commit into from
Apr 24, 2025
+199 −2

Conversation

printminion-co
Copy link
Contributor

@printminion-co printminion-co commented Feb 4, 2025
edited
Loading

add config value to config.php:

	"core.login_flow_v2.allowed_user_agents" => [
			'/Custom Foo/i'
	],

or via occ

./occ config:system:set core.login_flow_v2.allowed_user_agents 0  --value '/Custom Foo/i'

Test Allowed client

curl -s -A "Custom Foo Curl Client/1.0" -X POST http://localhost:8080/index.php/login/v2 | jq

click on generated login url.

Test Forbidden client

curl -s -A "Rogue Curl Client/1.0" -X POST http://localhost:8080/index.php/login/v2 | jq

click on generated login url.
observe
Selection_20250204-003

Unitests

  • Run tests with coverage
  • Add test suite phpunit-autotest-core.xml file
phpunit-autotest-core.xml 
<?xml version="1.0" encoding="utf-8" ?>
<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 bootstrap="bootstrap.php"
		 verbose="true"
		 backupGlobals="false"
		 timeoutForSmallTests="900"
		 timeoutForMediumTests="900"
		 timeoutForLargeTests="900"
		 convertDeprecationsToExceptions="true"
		 xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.6/phpunit.xsd">
	<testsuite name='test LoginFlowV2'>
		<directory suffix=".php">./Core/Controller/ClientFlowLoginV2ControllerTest.php</directory>
		<directory suffix=".php">./Core/Service/LoginFlowV2ServiceUnitTest.php</directory>
	</testsuite>
	<coverage>
		<include>
			<directory suffix=".php">../core/*</directory>
		</include>
		<exclude>
			<directory suffix=".js">../**/</directory>

			<directory suffix=".php">../3rdparty/**/*</directory>
			<directory suffix=".php">../apps/**/*</directory>
			<directory suffix=".php">../apps-custom/**/*</directory>
			<directory suffix=".php">../apps-external/**/*</directory>
			<directory suffix=".php">../custom-npms/**/*</directory>
			<directory suffix=".php">../build</directory>
			<directory suffix=".php">../IONOS/**/*</directory>
			<directory suffix=".php">../lib/composer</directory>
			<directory suffix=".php">../vendor/**/*</directory>
			<directory suffix=".php">../tests</directory>
		</exclude>
	</coverage>
	<listeners>
		<listener class="StartSessionListener" file="startsessionlistener.php" />
	</listeners>
</phpunit>
  • run tests
export XDEBUG_MODE=coverage && phpunit --configuration tests/phpunit-autotest-core.xml --coverage-html coverage
  • observe coverage in ./coverage folder

Checklist

@printminion-co printminion-co mentioned this pull request Feb 4, 2025
Merged
4 tasks
@susnux susnux requested a review from juliusknorr February 4, 2025 17:08
@AndyScherzinger AndyScherzinger added the 3. to review Waiting for reviews label Feb 4, 2025
@susnux susnux requested a review from come-nc February 4, 2025 17:14
@susnux susnux added this to the Nextcloud 32 milestone Feb 4, 2025
come-nc
come-nc approved these changes Feb 6, 2025
View reviewed changes
Copy link
Contributor

@come-nc come-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure either, but apart from that code looks fine.

@come-nc come-nc requested a review from nickvergessen February 6, 2025 16:37
@printminion-co printminion-co force-pushed the feat/login_flow_v2-user_agents-allow-list branch 2 times, most recently from 1ce7ca2 to 4777ede Compare February 10, 2025 12:22
@sorbaugh sorbaugh requested a review from susnux February 11, 2025 09:18
@github-actions GitHub Actions
Copy link
Contributor

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@printminion-co printminion-co requested a review from a team as a code owner April 17, 2025 13:29
@printminion-co printminion-co requested review from icewind1991 and Altahrim and removed request for a team April 17, 2025 13:29
@printminion-co printminion-co force-pushed the feat/login_flow_v2-user_agents-allow-list branch from 074fcdf to dca825f Compare April 22, 2025 16:14
@printminion-co
Copy link
Contributor Author

  • fixed broken rebase on master
  • fixed License header
  • executed cs:fix

@printminion-co printminion-co force-pushed the feat/login_flow_v2-user_agents-allow-list branch from dca825f to bc2d8f0 Compare April 23, 2025 07:44
@printminion-co
Copy link
Contributor Author

Updated autoloaders ./build/autoloaderchecker.sh

@printminion-co
feat(login-flow-v2): Restrict allowed apps by user agent check
d1a94f3 
Enable via:
./occ config:system:set core.login_flow_v2.allowed_user_agents 0  --value '/Custom Foo Client/i'
./occ config:system:set core.login_flow_v2.allowed_user_agents 1  --value '/Custom Bar Client/i'

if user agent string is unknown
the template with "Access forbidden"-"Please use original client" will be displayed

Signed-off-by: Misha M.-Kupriyanov <[email protected]>
@printminion-co printminion-co force-pushed the feat/login_flow_v2-user_agents-allow-list branch from bc2d8f0 to d1a94f3 Compare April 23, 2025 07:45
@sorbaugh sorbaugh merged commit aa8c0a6 into nextcloud:master Apr 24, 2025
173 of 180 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@susnux susnux susnux approved these changes

@come-nc come-nc come-nc approved these changes

@juliusknorr juliusknorr Awaiting requested review from juliusknorr

@sorbaugh sorbaugh Awaiting requested review from sorbaugh

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@Altahrim Altahrim Awaiting requested review from Altahrim Altahrim is a code owner automatically assigned from nextcloud/server-backend

Assignees
No one assigned
Labels
3. to review Waiting for reviews enhancement feature: authentication feedback-requested
Projects
None yet
Milestone
Nextcloud 32
Development

Successfully merging this pull request may close these issues.
6 participants
@printminion-co @susnux @juliusknorr @come-nc @AndyScherzinger @sorbaugh