Store / retrieve temporary passwords from database

This makes them much shorter. Downside: They're no longer stateless :(

appinfo/database.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<database>
+	<name>*dbname*</name>
+	<create>true</create>
+	<overwrite>false</overwrite>
+	<charset>utf8</charset>
+	<table>
+		<name>*dbprefix*spreedme_tps</name>
+		<declaration>
+			<field>
+				<name>id</name>
+				<type>integer</type>
+				<autoincrement>1</autoincrement>
+			</field>
+			<field>
+				<name>tp</name>
+				<type>text</type>
+				<notnull>true</notnull>
+				<length>64</length>
+			</field>
+			<field>
+				<name>userid</name>
+				<type>text</type>
+				<notnull>true</notnull>
+				<length>64</length>
+			</field>
+			<field>
+				<name>expiration</name>
+				<type>timestamp</type>
+				<notnull>true</notnull>
+			</field>
+			<index>
+				<name>spreedme_tps_tp</name>
+				<unique>true</unique>
+				<field>
+					<name>tp</name>
+				</field>
+			</index>
+		</declaration>
+	</table>
+</database>

appinfo/info.xml

@@ -10,15 +10,15 @@
         <user>https://github.com/strukturag/nextcloud-spreedme/blob/master/README.md</user>
         <admin>https://github.com/strukturag/nextcloud-spreedme/blob/master/README.md</admin>
     </documentation>
-    <version>0.3.10</version>
+    <version>0.3.11</version>
     <namespace>SpreedME</namespace>
     <category>tools</category>
     <bugs>https://github.com/strukturag/nextcloud-spreedme/issues</bugs>
     <repository type="git">https://github.com/strukturag/nextcloud-spreedme.git</repository>
     <ocsid>174436</ocsid>
     <dependencies>
         <owncloud min-version="8.1" max-version="9.2" />
-        <nextcloud min-version="9" max-version="12" />
+        <nextcloud min-version="9" max-version="13" />
     </dependencies>
     <screenshot>https://raw.githubusercontent.com/strukturag/nextcloud-spreedme/master/screenshots/appstore/conference.gif</screenshot>
     <screenshot>https://raw.githubusercontent.com/strukturag/nextcloud-spreedme/master/screenshots/appstore/presentation.png</screenshot>

appinfo/routes.php

@@ -19,18 +19,18 @@
 		['name' => 'page#debug', 'url' => '/admin/debug', 'verb' => 'GET'],
 		['name' => 'page#generate_temporary_password', 'url' => '/admin/tp', 'verb' => 'GET'],
 
-		// API
+		// General API
 		['name' => 'api#get_config', 'url' => '/api/v1/config', 'verb' => 'GET'],
 		['name' => 'api#get_user_config', 'url' => '/api/v1/user/config', 'verb' => 'GET'],
 		['name' => 'api#get_token', 'url' => '/api/v1/user/token', 'verb' => 'GET'],
-		['name' => 'api#get_token_with_temporary_password', 'url' => '/api/v1/token/withtp', 'verb' => 'POST'],
-		['name' => 'api#generate_temporary_password', 'url' => '/api/v1/admin/tp', 'verb' => 'POST'],
 		['name' => 'api#save_config', 'url' => '/api/v1/admin/config', 'verb' => 'PATCH'],
 		['name' => 'api#regenerate_shared_secret', 'url' => '/api/v1/admin/config/regenerate/sharedsecret', 'verb' => 'POST'],
-		['name' => 'api#regenerate_temporary_password_signing_key', 'url' => '/api/v1/admin/config/regenerate/tp-key', 'verb' => 'POST'],
 		['name' => 'api#generate_spreed_webrtc_config', 'url' => '/api/v1/admin/config/generate/spreed-webrtc-config', 'verb' => 'POST'],
 		['name' => 'api#download_file', 'url' => '/api/v1/file/download', 'verb' => 'GET'],
-		// File Transfer
+		// Temporary password API
+		['name' => 'temporarypassword#generate_temporary_password', 'url' => '/api/v1/admin/tp', 'verb' => 'POST'],
+		['name' => 'temporarypassword#get_token_with_temporary_password', 'url' => '/api/v1/token/withtp', 'verb' => 'POST'],
+		// File transfer API
 		['name' => 'filesharing#uploadAndShare', 'url' => '/api/v1/filetransfers', 'verb' => 'POST'],
 		['name' => 'filesharing#listShares', 'url' => '/api/v1/filetransfers', 'verb' => 'GET'],
 	],

config/config.php.in

@@ -42,10 +42,6 @@ class Config {
 	// You can generate such a temporary password at: /index.php/apps/spreedme/admin/tp (Nextcloud admin user account required)
 	const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = false;
 
-	// If 'OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED' is set to true, you also have to provide a signing key here (64-character HEX string)
-	// Generate it using `xxd -ps -l 32 -c 32 /dev/random` (better) or `openssl rand -hex 32`
-	const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = 'f20e1b84781d80570fef6e2969f61ba91ccb56922398a45eXXXXXXXXXXXXXXXX';
-
 	private function __construct() {
 
 	}

controller/apicontroller.php

@@ -87,51 +87,6 @@ public function getToken() {
 		return new DataResponse($_response);
 	}
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 */
-	public function generateTemporaryPassword($userid, $expiration) {
-		$_response = array('success' => false);
-		// TODO(leon): Move this to user.php
-		if ($this->user->isSpreedMeAdmin() && $userid !== null && $expiration !== null) {
-			try {
-				$_response['tp'] = base64_encode(Security::generateTemporaryPassword($userid, $expiration));
-				$_response['success'] = true;
-			} catch (\Exception $e) {
-				$_response['error'] = $e->getCode();
-			}
-		}
-
-		return new DataResponse($_response);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 */
-	public function getTokenWithTemporaryPassword($tp) {
-		$tmp = base64_decode($tp, true);
-		// We support both base64 encoded and unencoded TPs
-		if ($tmp !== false) {
-			$tp = $tmp;
-		}
-
-		$_response = array('success' => false);
-		if ($tp) {
-			try {
-				$token = Security::getSignedComboFromTemporaryPassword($tp);
-				$_response = array_merge($_response, $token);
-				$_response['success'] = true;
-			} catch (\Exception $e) {
-				$_response['error'] = $e->getCode();
-			}
-		}
-
-		return new DataResponse($_response);
-	}
-
 	public function saveConfig($config) {
 		$allowedKeys = array(
 			'SPREED_WEBRTC_ORIGIN',
@@ -155,12 +110,6 @@ public function saveConfig($config) {
 								Helper::createServiceUserUnlessExists();
 							}
 							break;
-						case 'OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED':
-							if ($value === 'true' && Helper::getDatabaseConfigValue('OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY') === '') {
-								// Also generate a 'Temporary Password signing key'
-								Security::regenerateTemporaryPasswordSigningKey();
-							}
-							break;
 					}
 				}
 			}
@@ -186,19 +135,6 @@ public function regenerateSharedSecret() {
 		return new DataResponse($_response);
 	}
 
-	public function regenerateTemporaryPasswordSigningKey() {
-		// TODO(leon): Should we also allow Spreed.ME group admins to regenerate the signing key?
-		$_response = array('success' => false);
-		try {
-			Security::regenerateTemporaryPasswordSigningKey();
-			$_response['success'] = true;
-		} catch (\Exception $e) {
-			$_response['error'] = $e->getCode();
-		}
-
-		return new DataResponse($_response);
-	}
-
 	public function generateSpreedWebRTCConfig() {
 		$_response = array('success' => false);
 		try {

controller/temporarypasswordcontroller.php

@@ -0,0 +1,75 @@
+<?php
+/**
+ * Nextcloud - spreedme
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later. See the COPYING file.
+ *
+ * @author Leon <[email protected]>
+ * @copyright struktur AG 2016
+ */
+
+namespace OCA\SpreedME\Controller;
+
+use OCA\SpreedME\Security\TemporaryPasswordManager;
+use OCA\SpreedME\User\User;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\IDBConnection;
+use OCP\IRequest;
+
+class TemporaryPasswordController extends Controller {
+
+	private $user;
+	private $temporaryPasswordManager;
+
+	public function __construct($appName, IRequest $request, IDBConnection $db) {
+		parent::__construct($appName, $request);
+
+		if (!empty($userId)) {
+			$this->user = new User($userId);
+		} else {
+			$this->user = new User();
+		}
+
+		$this->temporaryPasswordManager = new TemporaryPasswordManager($db);
+	}
+
+	/**
+	 * @NoAdminRequired
+	 */
+	public function generateTemporaryPassword($userid, $expiration) {
+		$_response = array('success' => false);
+		if ($this->user->isSpreedMeAdmin() && $userid !== null && $expiration !== null) {
+			try {
+				$_response['tp'] = $this->temporaryPasswordManager->generateTemporaryPassword($userid, $expiration);
+				$_response['success'] = true;
+			} catch (\Exception $e) {
+				$_response['error'] = $e->getCode();
+			}
+		}
+
+		return new DataResponse($_response);
+	}
+
+	/**
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 * @PublicPage
+	 */
+	public function getTokenWithTemporaryPassword($tp) {
+		$_response = array('success' => false);
+		if ($tp) {
+			try {
+				$token = $this->temporaryPasswordManager->getSignedComboFromTemporaryPassword($tp);
+				$_response = array_merge($_response, $token);
+				$_response['success'] = true;
+			} catch (\Exception $e) {
+				$_response['error'] = $e->getCode();
+			}
+		}
+
+		return new DataResponse($_response);
+	}
+
+}

debug/debug.php

@@ -57,16 +57,6 @@ private static function testOwncloudPhpConfigFile() {
 		if (!ctype_xdigit(Helper::getConfigValue('SPREED_WEBRTC_SHAREDSECRET'))) {
 			return 'Invalid SPREED_WEBRTC_SHAREDSECRET in config/config.php. Secret may only contain hexadecimal characters.';
 		}
-
-		if (Helper::getConfigValue('OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED') === true) {
-			if (strlen(Helper::getConfigValue('OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY')) !== 64) {
-				return 'OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY in config/config.php must be a 64 character hexadecimal string.';
-			}
-
-			if (!ctype_xdigit(Helper::getConfigValue('OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY'))) {
-				return 'Invalid OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY in config/config.php. Key may only contain hexadecimal characters.';
-			}
-		}
 	}
 
 	private static function testOwncloudJavascriptConfigFile() {

doc/API.txt

@@ -96,7 +96,7 @@ Available endpoints with request methods and content-type:
       Response 200:
         {
           "success": true,
-          "tp": "MTQ3MTk0ODUwMDpleHQvdGVzdC81N2JjMGFjMTgzNWQ2NS4xNzIwNTQ2NjoyOmlxYUphS2duYVRVdUhySHZjR1lkY0xmaVNxMk5ZMGR6OVZVSU5oOU1sMzg9"
+          "tp": "Sp4hgnQRXm"
         }
 
 
@@ -144,18 +144,6 @@ Available endpoints with request methods and content-type:
         }
 
 
-  /api/v1/admin/config/regenerate/tp-key
-
-    The admin/config/regenerate/tp-key endpoint generates and stores a new OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.
-    This endpoint requires admin authentication + a valid Nextcloud CSRF requesttoken.
-
-    POST application/x-www-form-urlencoded
-      Response 200:
-        {
-          "success": true
-        }
-
-
   /api/v1/filetransfers
 
     The filetransfers endpoint allows admins list existing and create new shares.

errors/errorcodes.php

@@ -17,6 +17,7 @@ class ErrorCodes {
 	const TEMPORARY_PASSWORD_NOT_ENABLED = 50101;
 	const TEMPORARY_PASSWORD_INVALID = 50102;
 	const TEMPORARY_PASSWORD_INVALID_USERID = 50103;
+	const TEMPORARY_PASSWORD_USERID_TOO_LONG = 50104;
 	const DB_CONFIG_ERROR_CONFIG_PHP_EXISTS = 50201;
 	const REMOTE_CONFIG_EMPTY = 50301;
 	const REMOTE_CONFIG_INVALID_JSON = 50302;

helper/helper.php

@@ -224,9 +224,9 @@ public static function generateSpreedWebRTCConfig() {
 		}
 		$replace = array(
 			'/webrtc/' => self::getDatabaseConfigValueOrDefault('SPREED_WEBRTC_BASEPATH'),
-			'the-default-secret-do-not-keep-me' => Security::getRandomHexString(256 / 4), // 256 bit
-			'the-default-encryption-block-key' => Security::getRandomHexString(256 / 4), // 256 bit
-			'i-did-not-change-the-public-token-boo' => Security::getRandomHexString(256 / 4), // 256 bit
+			'the-default-secret-do-not-keep-me' => Security::getRandomString(256 / 4), // 256 bit
+			'the-default-encryption-block-key' => Security::getRandomString(256 / 4), // 256 bit
+			'i-did-not-change-the-public-token-boo' => Security::getRandomString(256 / 4), // 256 bit
 			'/absolute/path/to/nextcloud/apps/spreedme/extra' => self::getOwnAppPath() . 'extra',
 			'some-secret-do-not-keep' => self::getDatabaseConfigValue('SPREED_WEBRTC_SHAREDSECRET'),
 		);

js/settings-admin.js

@@ -123,14 +123,6 @@ $(document).ready(function() {
 
 		});
 	});
-	$c.find('[name="REGENERATE_OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY"]').click(function(e) {
-		regenerateTemporaryPasswordSigningKey(function() {
-			$c.find('.OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY')
-				.removeClass('hidden');
-		}, function(error) {
-
-		});
-	});
 	$c.find('[name="GENERATE_SPREED_WEBRTC_CONFIG"]').click(function(e) {
 		generateSpreedWebRTCConfig(function(config) {
 			$c.find('.SPREED_WEBRTC_CONFIG')