Password confirmation for some actions

apps/twofactor_backupcodes/js/settingsview.js

@@ -89,6 +89,11 @@
 			}.bind(this));
 		},
 		_onGenerateBackupCodes: function () {
+			if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+				OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this._onGenerateBackupCodes, this));
+				return;
+			}
+
 			// Hide old codes
 			this._enabled = false;
 			this.render();

apps/twofactor_backupcodes/lib/Controller/SettingsController.php

@@ -59,15 +59,17 @@ public function state() {
 
 	/**
 	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
+	 *
 	 * @return JSONResponse
 	 */
 	public function createCodes() {
 		$user = $this->userSession->getUser();
 		$codes = $this->storage->createCodes($user);
-		return [
-		    'codes' => $codes,
-		    'state' => $this->storage->getBackupCodesState($user),
-		];
+		return new JSONResponse([
+			'codes' => $codes,
+			'state' => $this->storage->getBackupCodesState($user),
+		]);
 	}
 
 }

apps/twofactor_backupcodes/tests/Unit/Controller/SettingsControllerTest.php

@@ -24,6 +24,7 @@
 
 use OCA\TwoFactorBackupCodes\Controller\SettingsController;
 use OCA\TwoFactorBackupCodes\Service\BackupCodeStorage;
+use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 use OCP\IUser;
 use OCP\IUserSession;
@@ -89,7 +90,9 @@ public function testCreateCodes() {
 			'codes' => $codes,
 			'state' => 'state',
 		];
-		$this->assertEquals($expected, $this->controller->createCodes());
+		$response = $this->controller->createCodes();
+		$this->assertInstanceOf(JSONResponse::class, $response);
+		$this->assertEquals($expected, $response->getData());
 	}
 
 }

apps/workflowengine/js/admin.js

@@ -163,6 +163,11 @@
 				}
 			},
 			delete: function() {
+				if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+					OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.delete, this));
+					return;
+				}
+
 				this.model.destroy();
 				this.remove();
 			},
@@ -173,6 +178,11 @@
 				this.render();
 			},
 			save: function() {
+				if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+					OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.save, this));
+					return;
+				}
+
 				var success = function(model, response, options) {
 					this.saving = false;
 					this.originalModel = JSON.parse(JSON.stringify(this.model));

apps/workflowengine/lib/Controller/FlowOperations.php

@@ -58,6 +58,8 @@ public function getOperations($class) {
 	}
 
 	/**
+	 * @PasswordConfirmationRequired
+	 *
 	 * @param string $class
 	 * @param string $name
 	 * @param array[] $checks
@@ -75,6 +77,8 @@ public function addOperation($class, $name, $checks, $operation) {
 	}
 
 	/**
+	 * @PasswordConfirmationRequired
+	 *
 	 * @param int $id
 	 * @param string $name
 	 * @param array[] $checks
@@ -92,6 +96,8 @@ public function updateOperation($id, $name, $checks, $operation) {
 	}
 
 	/**
+	 * @PasswordConfirmationRequired
+	 *
 	 * @param int $id
 	 * @return JSONResponse
 	 */

core/Controller/LoginController.php

@@ -1,5 +1,6 @@
 <?php
 /**
+ * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>
  * @copyright Copyright (c) 2016, ownCloud, Inc.
  *
  * @author Christoph Wurst <christoph@owncloud.com>
@@ -31,6 +32,8 @@
 use OC_App;
 use OC_Util;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\Authentication\TwoFactorAuth\IProvider;
@@ -242,6 +245,8 @@ public function tryLogin($user, $password, $redirect_url, $remember_login = fals
 		// User has successfully logged in, now remove the password reset link, when it is available
 		$this->config->deleteUserValue($loginResult->getUID(), 'core', 'lostpassword');
 
+		$this->session->set('last-password-confirm', $loginResult->getLastLogin());
+
 		if ($this->twoFactorManager->isTwoFactorAuthenticated($loginResult)) {
 			$this->twoFactorManager->prepareTwoFactorLogin($loginResult, $remember_login);
 
@@ -273,4 +278,36 @@ public function tryLogin($user, $password, $redirect_url, $remember_login = fals
 		return $this->generateRedirect($redirect_url);
 	}
 
+	/**
+	 * @NoAdminRequired
+	 * @UseSession
+	 *
+	 * @license GNU AGPL version 3 or any later version
+	 *
+	 * @param string $password
+	 * @return DataResponse
+	 */
+	public function confirmPassword($password) {
+		$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
+		$this->throttler->sleepDelay($this->request->getRemoteAddress());
+
+		$user = $this->userSession->getUser();
+		if (!$user instanceof IUser) {
+			return new DataResponse([], Http::STATUS_UNAUTHORIZED);
+		}
+
+		$loginResult = $this->userManager->checkPassword($user->getUID(), $password);
+		if ($loginResult === false) {
+			$this->throttler->registerAttempt('sudo', $this->request->getRemoteAddress(), ['user' => $user->getUID()]);
+			if ($currentDelay === 0) {
+				$this->throttler->sleepDelay($this->request->getRemoteAddress());
+			}
+
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
+		$confirmTimestamp = time();
+		$this->session->set('last-password-confirm', $confirmTimestamp);
+		return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);
+	}
 }

core/Controller/OCJSController.php

@@ -32,6 +32,7 @@
 use OCP\IGroupManager;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\IUserSession;
 
@@ -48,7 +49,8 @@ class OCJSController extends Controller {
 	 * @param IL10N $l
 	 * @param \OC_Defaults $defaults
 	 * @param IAppManager $appManager
-	 * @param IUserSession $session
+	 * @param ISession $session
+	 * @param IUserSession $userSession
 	 * @param IConfig $config
 	 * @param IGroupManager $groupManager
 	 * @param IniGetWrapper $iniWrapper
@@ -59,7 +61,8 @@ public function __construct($appName,
 								IL10N $l,
 								\OC_Defaults $defaults,
 								IAppManager $appManager,
-								IUserSession $session,
+								ISession $session,
+								IUserSession $userSession,
 								IConfig $config,
 								IGroupManager $groupManager,
 								IniGetWrapper $iniWrapper,
@@ -70,7 +73,8 @@ public function __construct($appName,
 			$l,
 			$defaults,
 			$appManager,
-			$session->getUser(),
+			$session,
+			$userSession->getUser(),
 			$config,
 			$groupManager,
 			$iniWrapper,

core/css/jquery.ocdialog.css

@@ -22,7 +22,6 @@
 .oc-dialog-buttonrow {
 	display: block;
 	background: transparent;
-	position: absolute;
 	right: 0;
 	bottom: 0;
 	padding: 10px;

core/js/js.js

@@ -1512,8 +1512,80 @@ function initCore() {
 			$(this).text(OC.Util.relativeModifiedDate(parseInt($(this).attr('data-timestamp'), 10)));
 		});
 	}, 30 * 1000);
+
+	OC.PasswordConfirmation.init();
 }
 
+OC.PasswordConfirmation = {
+	callback: null,
+
+	init: function() {
+		$('.password-confirm-required').on('click', _.bind(this.requirePasswordConfirmation, this));
+	},
+
+	requiresPasswordConfirmation: function() {
+		var timeSinceLogin = moment.now() - nc_lastLogin * 1000;
+		return timeSinceLogin > 10 * 1000; // 30 minutes
+		return timeSinceLogin > 30 * 60 * 1000; // 30 minutes
+	},
+
+	/**
+	 * @param {function} callback
+	 */
+	requirePasswordConfirmation: function(callback) {
+		var self = this;
+
+		if (this.requiresPasswordConfirmation()) {
+			OC.dialogs.prompt(
+				t(
+					'core',
+					'This action requires you to confirm your password'
+				),
+				t('core','Authentication required'),
+				function (result, password) {
+					if (result && password !== '') {
+						self._confirmPassword(password);
+					}
+				},
+				true,
+				t('core','Password'),
+				true
+			).then(function() {
+				var $dialog = $('.oc-dialog:visible');
+				$dialog.find('.ui-icon').remove();
+
+				var $buttons = $dialog.find('button');
+				$buttons.eq(0).text(t('core', 'Cancel'));
+				$buttons.eq(1).text(t('core', 'Confirm'));
+			});
+		}
+
+		this.callback = callback;
+	},
+
+	_confirmPassword: function(password) {
+		var self = this;
+
+		$.ajax({
+			url: OC.generateUrl('/login/confirm'),
+			data: {
+				password: password
+			},
+			type: 'POST',
+			success: function(response) {
+				nc_lastLogin = response.lastLogin;
+
+				if (_.isFunction(self.callback)) {
+					self.callback();
+				}
+			},
+			error: function() {
+				OC.Notification.showTemporary(t('core', 'Failed to authenticate, try again'));
+			}
+		});
+	}
+};
+
 $(document).ready(initCore);
 
 /**

core/js/public/appconfig.js

@@ -33,6 +33,10 @@ OCP.AppConfig = {
 	 * @internal
 	 */
 	_call: function(method, endpoint, options) {
+		if ((method === 'post' || method === 'delete') && OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this._call, this, method, endpoint, options));
+			return;
+		}
 
 		$.ajax({
 			type: method.toUpperCase(),

core/routes.php

@@ -46,6 +46,7 @@
 		['name' => 'avatar#getTmpAvatar', 'url' => '/avatar/tmp', 'verb' => 'GET'],
 		['name' => 'avatar#postAvatar', 'url' => '/avatar/', 'verb' => 'POST'],
 		['name' => 'login#tryLogin', 'url' => '/login', 'verb' => 'POST'],
+		['name' => 'login#confirmPassword', 'url' => '/login/confirm', 'verb' => 'POST'],
 		['name' => 'login#showLoginForm', 'url' => '/login', 'verb' => 'GET'],
 		['name' => 'login#logout', 'url' => '/logout', 'verb' => 'GET'],
 		['name' => 'TwoFactorChallenge#selectChallenge', 'url' => '/login/selectchallenge', 'verb' => 'GET'],

core/templates/layout.user.php

@@ -146,6 +146,14 @@
 			</div>
 		</div></nav>
 
+		<div id="sudo-login-background" class="hidden"></div>
+		<div id="sudo-login-form" class="hidden">
+			<?php p($l->t('This action requires you to confirm your password:')); ?><br>
+			<input type="password" class="question" autocomplete="off" name="question" value=" <?php /* Hack against firefox ignoring autocomplete="off" */ ?>"
+				placeholder="<?php p($l->t('Confirm your password')); ?>" />
+			<input class="confirm icon-confirm" title="<?php p($l->t('Confirm')); ?>" value="" type="submit">
+		</div>
+
 		<div id="content-wrapper">
 			<div id="content" class="app-<?php p($_['appid']) ?>" role="main">
 				<?php print_unescaped($_['content']); ?>

lib/composer/composer/autoload_classmap.php

@@ -265,6 +265,7 @@
     'OC\\AppFramework\\Middleware\\Security\\Exceptions\\AppNotEnabledException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/AppNotEnabledException.php',
     'OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/CrossSiteRequestForgeryException.php',
     'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotAdminException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotAdminException.php',
+    'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotConfirmedException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php',
     'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
     'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
     'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',

lib/composer/composer/autoload_static.php

@@ -295,6 +295,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\AppFramework\\Middleware\\Security\\Exceptions\\AppNotEnabledException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/AppNotEnabledException.php',
         'OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/CrossSiteRequestForgeryException.php',
         'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotAdminException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotAdminException.php',
+        'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotConfirmedException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php',
         'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
         'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
         'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',

lib/private/AppFramework/DependencyInjection/DIContainer.php

@@ -383,6 +383,7 @@ public function __construct($appName, $urlParams = array()){
 				$app->getServer()->getNavigationManager(),
 				$app->getServer()->getURLGenerator(),
 				$app->getServer()->getLogger(),
+				$app->getServer()->getSession(),
 				$c['AppName'],
 				$app->isLoggedIn(),
 				$app->isAdminUser(),

lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php

@@ -0,0 +1,37 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2016 Joas Schilling <coding@schilljs.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\AppFramework\Middleware\Security\Exceptions;
+
+use OCP\AppFramework\Http;
+
+/**
+ * Class NotConfirmedException is thrown when a resource has been requested by a
+ * user that has not confirmed their password in the last 30 minutes.
+ *
+ * @package OC\AppFramework\Middleware\Security\Exceptions
+ */
+class NotConfirmedException extends SecurityException {
+	public function __construct() {
+		parent::__construct('Password confirmation is required', Http::STATUS_FORBIDDEN);
+	}
+}