fixup! feat: Use inline password confirmation in external storage set…

…tings
nextcloud · Nov 28, 2024 · 6e2110a · 6e2110a
1 parent 44f94f3
commit 6e2110a
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
@@ -99,10 +99,21 @@ public function beforeController(Controller $controller, string $methodName) {
 				return;
 			}
 
-			$lastConfirm = (int) $this->session->get('last-password-confirm');
-			// TODO: confirm excludedUserBackEnds can go away and remove it
-			if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
-				throw new NotConfirmedException();
+			if ($this->isPasswordConfirmationStrict($reflectionMethod)) {
+				$authHeader = $this->request->getHeader('Authorization');
+				[, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);
+				$loginResult = $this->userManager->checkPassword($user->getUid(), $password);
+				if ($loginResult === false) {
+					throw new NotConfirmedException();
+				}
+
+				$this->session->set('last-password-confirm', $this->timeFactory->getTime());
+			} else {
+				$lastConfirm = (int) $this->session->get('last-password-confirm');
+				// TODO: confirm excludedUserBackEnds can go away and remove it
+				if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
+					throw new NotConfirmedException();
+				}
 			}
 		}
 	}
@@ -113,7 +124,7 @@ private function needsPasswordConfirmation(ReflectionMethod $reflectionMethod):
 			return true;
 		}
 
-		if ($this->reflector->hasAnnotation($annotationName)) {
+		if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
 			return true;
 		}