Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow accessing CORS routes on ApiControllers if a proper CSRF token is provided #19354

Closed
wants to merge 2 commits into from

Conversation

juliusknorr
Copy link
Member

@juliusknorr juliusknorr commented Feb 7, 2020

The current implementation always requires basic auth when @CORS annotated routes are accessed. That leads to apps implementing basically two endpoints that have the same implementation but one with @CORS @NoCSRFRequired and one without those.

This PR would basically allow apps to provide one API endpoint for both internal usage in Nextcloud as well as external API calls, but the CORSMiddleware doesn't block the request if a valid CSRF token is provided.

I think this should cover the CSRF attack vectors that are described in

// ensure that @CORS annotated API routes are not used in conjunction
// with session authentication since this enables CSRF attack vectors
or am I missing something?


The second commit is just for checking if username and password are actually provided so that the type hint added in

public function __construct(string $username, string $password) {
doesn't cause a TypeError to be thrown but when calling logClientIn in the CORSMiddleware.

@juliusknorr juliusknorr added this to the Nextcloud 19 milestone Feb 7, 2020
@juliusknorr juliusknorr changed the title llow accessing CORS routes if on ApiControllers if a proper CSRF token is provided Allow accessing CORS routes if on ApiControllers if a proper CSRF token is provided Feb 7, 2020
@juliusknorr juliusknorr changed the title Allow accessing CORS routes if on ApiControllers if a proper CSRF token is provided Allow accessing CORS routes on ApiControllers if a proper CSRF token is provided Feb 7, 2020
@juliusknorr juliusknorr requested a review from kesselb February 7, 2020 15:24
@nickvergessen
Copy link
Member

And just using the OCS api internally as well does not work because?

@juliusknorr
Copy link
Member Author

And just using the OCS api internally as well does not work because?

Yes that would also work of course. But this is not documented anywhere, while the app tutorial explains how the CORS routes work. Personally I also don't see any benefit in wrapping my apps API routes in to the OCS wrapper - is there any?

If we want to encourage app developers to use OCS then we need to explain that better.

@nickvergessen
Copy link
Member

is there any?

Well it makes sure thet stuff works with mobile apps for free :)

That is exactly why we built OCS and OCS-Resources even. In Talk the full API is OCS. I think this should just be the way to go instead.

@juliusknorr
Copy link
Member Author

That is exactly why we built OCS and OCS-Resources even. In Talk the full API is OCS. I think this should just be the way to go instead.

Could you provide some more insights on the decision back then? As to me the current way that API access is limited to OCS endpoints feels more like an artificial barrier, so app developers are pinned to the way OCS responses are structured.

Just one thing I encountered as of today is that with the current way OCSResponses are implemented it is not possible to emit a proper OCS response in a middleware that catches exceptions in order to convert them into responses. I use that approach for catching exceptions during controller execution in deck so the API returns a standardized error response and there is less duplicated code for the exception handling in the various controller methods.

@rullzer
Copy link
Member

rullzer commented Apr 4, 2020

That is exactly why we built OCS and OCS-Resources even. In Talk the full API is OCS. I think this should just be the way to go instead.

Could you provide some more insights on the decision back then? As to me the current way that API access is limited to OCS endpoints feels more like an artificial barrier, so app developers are pinned to the way OCS responses are structured.

Just one thing I encountered as of today is that with the current way OCSResponses are implemented it is not possible to emit a proper OCS response in a middleware that catches exceptions in order to convert them into responses. I use that approach for catching exceptions during controller execution in deck so the API returns a standardized error response and there is less duplicated code for the exception handling in the various controller methods.

Then we'd need to fix that. However the OCS endpoints are public by definition. So i would propose to first fix cors there.

@rullzer rullzer mentioned this pull request Apr 4, 2020
80 tasks
@juliusknorr
Copy link
Member Author

Ok, so I guess we don't do that then.

@juliusknorr juliusknorr closed this Apr 9, 2020
@juliusknorr
Copy link
Member Author

Could you provide some more insights on the decision back then? As to me the current way that API access is limited to OCS endpoints feels more like an artificial barrier, so app developers are pinned to the way OCS responses are structured.

I'd still be interested in some reasoning about the OCS enforcement, I'd be happy to make that clearer in our developer docs then.

@kesselb kesselb deleted the enh/cors-csrf branch May 25, 2023 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants