webdav Basic auth: login with user token

[azmeuk]

This is a port of #154 for BasicAuthBackend.php

[sirkrypt0]

Now that we have this piece of code three times, we should move it to some function to make adjusting it easier. I think of something like a completeLogin function in the LoginService, which is then called at the end of the this->loginService->login() call.
As the logic requires the userSession and request, we should pass that to the this->loginService->login call.

[azmeuk]

I factorized those bits of code.

[sirkrypt0]

Tested all three (web-based, bearer, basic auth) operations and they work for me now. Please make sure to properly test your code before sending it out for a review :)

[azmeuk]

Yes, sorry for that. My current development workflow is prone to errors, I should work on this. Thank you for your time.

[sirkrypt0]

My current development workflow is prone to errors

If it helps, here is my local setup:

I basically use the following docker-compose file to spin up a local Nextcloud I can play around with. It maps this plugin's source directory to the custom_apps folder, so changes I make locally directly affect the running instance.

version: '3'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud:stable
    ports:
      - 8081:80
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
      - ./nextcloud-oidc-login:/var/www/html/custom_apps/oidc_login
      - ./oidc.config.php:/var/www/html/config/oidc.config.php
    environment:
      - OVERWRITEPROTOCOL=http
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db

Then, to test bearer and basic authentication, I use the following Bash script. It is not ideal, but it works. However, it assumes that you use Keycloak. If not, you need to adjust the TOKEN_ENDPOINT to match your IdP's.

#!/bin/bash

# Keycloak base address (e.g. http://localhost:8080/auth)
KC_BASE=""
# Keycloak username
KC_USERNAME=""
# Keycloak password
KC_PASSWORD=""
# Keycloak client id
KC_CLIENT=""
# Keycloak client secret
KC_SECRET=""
# Keycloak realm
KC_REALM=""

TOKEN_ENDPOINT="$KC_BASE/realms/$KC_REALM/protocol/openid-connect/token"

# Nextcloud base url (e.g. http://localhost:8081)
NC_BASE=""
# User id of the Nextcloud user that is associated with the Keycloak user above.
# Can be found by logging in as the admin user and listing all users.
# (e.g. bc07e521-184d-448d-a743-5ebe6cfb6c9b)
NC_UID=""

resp=$(curl -s -X POST "$TOKEN_ENDPOINT" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d 'grant_type=password' \
 -d "client_id=$KC_CLIENT" -d "client_secret=$KC_SECRET" \
 -d "username=$KC_USERNAME" -d "password=$KC_PASSWORD" \
 -d "scope=openid")

token=$(echo $resp | jq -r .access_token)

if [ "$token" == "null" ]; then
    echo $resp
    exit 1
fi

echo "Testing token authentication"
curl -X PROPFIND \
    -H "Depth: 1" \
    -H "Authorization: Bearer $token" \
    $NC_BASE/remote.php/dav/files/$NC_UID/

echo "Testing basic authentication"
curl -X PROPFIND \
    -H "Depth: 1" \
    -u "$KC_USERNAME:$KC_PASSWORD" \
    $NC_BASE/remote.php/dav/files/$NC_UID/

[azmeuk]

Thank you for sharing the configuration.
I wonder if we could automate some checks with github actions.
Maybe we can take some inspiration from nextcloud/news https://github.com/nextcloud/news/blob/master/.github/workflows/api-integration-tests.yml