chore: Mark IUserConfig entries as lazy

lib/AppInfo/Application.php

@@ -22,7 +22,7 @@
 
 use OCP\AppFramework\Bootstrap\IRegistrationContext;
 use OCP\Collaboration\Reference\RenderReferenceEvent;
-use OCP\IConfig;
+use OCP\Config\IUserConfig;
 use OCP\IL10N;
 use OCP\INavigationManager;
 
@@ -33,13 +33,13 @@
 class Application extends App implements IBootstrap {
 
 	public const APP_ID = 'integration_zammad';
-	private IConfig $config;
+	private IUserConfig $userConfig;
 
 	public function __construct(array $urlParams = []) {
 		parent::__construct(self::APP_ID, $urlParams);
 
 		$container = $this->getContainer();
-		$this->config = $container->get(IConfig::class);
+		$this->userConfig = $container->get(IUserConfig::class);
 
 		$manager = $container->get(INotificationManager::class);
 		$manager->registerNotifierService(Notifier::class);
@@ -63,8 +63,8 @@ public function registerNavigation(IUserSession $userSession): void {
 			$userId = $user->getUID();
 			$container = $this->getContainer();
 
-			if ($this->config->getUserValue($userId, self::APP_ID, 'navigation_enabled', '0') === '1') {
-				$zammadUrl = $this->config->getUserValue($userId, self::APP_ID, 'url', '');
+			if ($this->userConfig->getValueString($userId, self::APP_ID, 'navigation_enabled', '0') === '1') {
+				$zammadUrl = $this->userConfig->getValueString($userId, self::APP_ID, 'url', '');
 				if ($zammadUrl !== '') {
 					$container->get(INavigationManager::class)->add(function () use ($container, $zammadUrl) {
 						$urlGenerator = $container->get(IURLGenerator::class);

lib/Controller/ConfigController.php

@@ -23,8 +23,8 @@
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\RedirectResponse;
+use OCP\Config\IUserConfig;
 use OCP\IAppConfig;
-use OCP\IConfig;
 use OCP\IL10N;
 use OCP\IRequest;
 
@@ -37,7 +37,7 @@ class ConfigController extends Controller {
 	public function __construct(
 		string $appName,
 		IRequest $request,
-		private IConfig $config,
+		private IUserConfig $userConfig,
 		private IAppConfig $appConfig,
 		private IURLGenerator $urlGenerator,
 		private IL10N $l,
@@ -62,7 +62,8 @@ public function setConfig(array $values): DataResponse {
 			if (in_array($key, ['token', 'token_type', 'url', 'oauth_state', 'redirect_uri'], true)) {
 				return new DataResponse([], Http::STATUS_BAD_REQUEST);
 			}
-			$this->config->setUserValue($this->userId, Application::APP_ID, $key, trim($value));
+			$lazy = $key !== 'url';
+			$this->userConfig->setValueString($this->userId, Application::APP_ID, $key, trim($value), lazy: $lazy);
 		}
 
 		return new DataResponse([]);
@@ -80,10 +81,9 @@ public function setConfig(array $values): DataResponse {
 	public function setSensitiveConfig(array $values): DataResponse {
 		foreach ($values as $key => $value) {
 			if ($key === 'token' && $value !== '') {
-				$encryptedValue = $this->crypto->encrypt(trim($value));
-				$this->config->setUserValue($this->userId, Application::APP_ID, $key, $encryptedValue);
+				$this->userConfig->setValueString($this->userId, Application::APP_ID, $key, $value, lazy: true, flags: IUserConfig::FLAG_SENSITIVE);
 			} else {
-				$this->config->setUserValue($this->userId, Application::APP_ID, $key, trim($value));
+				$this->userConfig->setValueString($this->userId, Application::APP_ID, $key, trim($value), lazy: true);
 			}
 		}
 		$result = [];
@@ -92,17 +92,17 @@ public function setSensitiveConfig(array $values): DataResponse {
 			if ($values['token'] && $values['token'] !== '') {
 				$result = $this->storeUserInfo();
 			} else {
-				$this->config->deleteUserValue($this->userId, Application::APP_ID, 'user_id');
-				$this->config->deleteUserValue($this->userId, Application::APP_ID, 'user_name');
-				$this->config->deleteUserValue($this->userId, Application::APP_ID, 'last_open_check');
-				$this->config->deleteUserValue($this->userId, Application::APP_ID, 'token_type');
+				$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'user_id');
+				$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'user_name');
+				$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'last_open_check');
+				$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'token_type');
 				$result = [
 					'user_name' => '',
 				];
 			}
 			$this->zammadReferenceProvider->invalidateUserCache($this->userId);
-			$this->config->deleteUserValue($this->userId, Application::APP_ID, 'refresh_token');
-			$this->config->deleteUserValue($this->userId, Application::APP_ID, 'token_expires_at');
+			$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'refresh_token');
+			$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'token_expires_at');
 		}
 		if (isset($result['error'])) {
 			return new DataResponse($result, Http::STATUS_UNAUTHORIZED);
@@ -122,7 +122,8 @@ public function setAdminConfig(array $values): DataResponse {
 			if (in_array($key, ['client_id', 'client_secret', 'oauth_instance_url'], true)) {
 				return new DataResponse([], Http::STATUS_BAD_REQUEST);
 			}
-			$this->appConfig->setValueString(Application::APP_ID, $key, $value, lazy: true);
+			$lazy = $key !== 'oauth_instance_url';
+			$this->appConfig->setValueString(Application::APP_ID, $key, $value, lazy: $lazy);
 		}
 		return new DataResponse([]);
 	}
@@ -156,17 +157,17 @@ public function setSensitiveAdminConfig(array $values): DataResponse {
 	#[NoAdminRequired]
 	#[NoCSRFRequired]
 	public function oauthRedirect(string $code = '', string $state = ''): RedirectResponse {
-		$configState = $this->config->getUserValue($this->userId, Application::APP_ID, 'oauth_state');
+		$configState = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'oauth_state', lazy: true);
 		$clientID = $this->appConfig->getValueString(Application::APP_ID, 'client_id', lazy: true);
 		$clientSecret = $this->appConfig->getValueString(Application::APP_ID, 'client_secret', lazy: true);
 
 		// anyway, reset state
-		$this->config->setUserValue($this->userId, Application::APP_ID, 'oauth_state', '');
+		$this->userConfig->setValueString($this->userId, Application::APP_ID, 'oauth_state', '', lazy: true);
 
-		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url', lazy: true);
+		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url');
 
 		if ($clientID && $clientSecret && $configState !== '' && $configState === $state) {
-			$redirect_uri = $this->config->getUserValue($this->userId, Application::APP_ID, 'redirect_uri');
+			$redirect_uri = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'redirect_uri', lazy: true);
 			$result = $this->zammadAPIService->requestOAuthAccessToken($adminZammadOauthUrl, [
 				'client_id' => $clientID,
 				'client_secret' => $clientSecret,
@@ -177,16 +178,14 @@ public function oauthRedirect(string $code = '', string $state = ''): RedirectRe
 			if (isset($result['access_token'])) {
 				$this->zammadReferenceProvider->invalidateUserCache($this->userId);
 				$accessToken = $result['access_token'];
-				$encryptedAccessToken = $accessToken === '' ? '' : $this->crypto->encrypt($accessToken);
-				$this->config->setUserValue($this->userId, Application::APP_ID, 'token', $encryptedAccessToken);
-				$this->config->setUserValue($this->userId, Application::APP_ID, 'token_type', 'oauth');
+				$this->userConfig->setValueString($this->userId, Application::APP_ID, 'token', $accessToken, lazy: true, flags: IUserConfig::FLAG_SENSITIVE);
+				$this->userConfig->setValueString($this->userId, Application::APP_ID, 'token_type', 'oauth', lazy: true);
 				$refreshToken = $result['refresh_token'];
-				$encryptedRefreshToken = $refreshToken === '' ? '' : $this->crypto->encrypt($refreshToken);
-				$this->config->setUserValue($this->userId, Application::APP_ID, 'refresh_token', $encryptedRefreshToken);
+				$this->userConfig->setValueString($this->userId, Application::APP_ID, 'refresh_token', $refreshToken, lazy: true, flags: IUserConfig::FLAG_SENSITIVE);
 				if (isset($result['expires_in'])) {
 					$nowTs = (new Datetime())->getTimestamp();
 					$expiresAt = $nowTs + (int)$result['expires_in'];
-					$this->config->setUserValue($this->userId, Application::APP_ID, 'token_expires_at', (string)$expiresAt);
+					$this->userConfig->setValueString($this->userId, Application::APP_ID, 'token_expires_at', (string)$expiresAt, lazy: true);
 				}
 				// get user info
 				$this->storeUserInfo();
@@ -210,8 +209,8 @@ public function oauthRedirect(string $code = '', string $state = ''): RedirectRe
 	 * @throws PreConditionNotMetException
 	 */
 	private function storeUserInfo(): array {
-		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url', lazy: true);
-		$zammadUrl = $this->config->getUserValue($this->userId, Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
+		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url');
+		$zammadUrl = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
 
 		if (!$zammadUrl || !preg_match('/^(https?:\/\/)?[^.]+\.[^.].*/', $zammadUrl)) {
 			return ['error' => 'Zammad URL is invalid'];
@@ -220,12 +219,12 @@ private function storeUserInfo(): array {
 		$info = $this->zammadAPIService->request($this->userId, 'users/me');
 		if (isset($info['lastname'], $info['firstname'], $info['id'])) {
 			$fullName = $info['firstname'] . ' ' . $info['lastname'];
-			$this->config->setUserValue($this->userId, Application::APP_ID, 'user_id', $info['id']);
-			$this->config->setUserValue($this->userId, Application::APP_ID, 'user_name', $fullName);
+			$this->userConfig->setValueString($this->userId, Application::APP_ID, 'user_id', $info['id'], lazy: true);
+			$this->userConfig->setValueString($this->userId, Application::APP_ID, 'user_name', $fullName, lazy: true);
 			return ['user_name' => $fullName];
 		} else {
-			$this->config->deleteUserValue($this->userId, Application::APP_ID, 'user_id');
-			$this->config->deleteUserValue($this->userId, Application::APP_ID, 'user_name');
+			$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'user_id');
+			$this->userConfig->deleteUserConfig($this->userId, Application::APP_ID, 'user_name');
 			return $info;
 		}
 	}

lib/Controller/ZammadAPIController.php

@@ -21,7 +21,7 @@
 use OCP\AppFramework\Http\DataDisplayResponse;
 use OCP\AppFramework\Http\DataResponse;
 
-use OCP\IConfig;
+use OCP\Config\IUserConfig;
 use OCP\IRequest;
 use OCP\PreConditionNotMetException;
 
@@ -30,7 +30,7 @@ class ZammadAPIController extends Controller {
 	public function __construct(
 		string $appName,
 		IRequest $request,
-		private IConfig $config,
+		private IUserConfig $userConfig,
 		private ZammadAPIService $zammadAPIService,
 		private ?string $userId,
 	) {
@@ -44,7 +44,7 @@ public function __construct(
 	 */
 	#[NoAdminRequired]
 	public function getZammadUrl(): DataResponse {
-		$zammadUrl = $this->config->getUserValue($this->userId, Application::APP_ID, 'url');
+		$zammadUrl = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'url');
 		return new DataResponse($zammadUrl);
 	}
 
@@ -80,7 +80,7 @@ public function getZammadAvatar(string $imageId = ''): DataDisplayResponse {
 	 */
 	#[NoAdminRequired]
 	public function getNotifications(?string $since = null): DataResponse {
-		$hasAccessToken = $this->config->getUserValue($this->userId, Application::APP_ID, 'token') !== '';
+		$hasAccessToken = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'token', lazy: true) !== '';
 		$zammadUrl = $this->zammadAPIService->getZammadUrl($this->userId);
 		if (!$hasAccessToken || !preg_match('/^(https?:\/\/)?[^.]+\.[^.].*/', $zammadUrl)) {
 			return new DataResponse('connection_impossible', Http::STATUS_BAD_REQUEST);

lib/Migration/Version040000Date20260129225956.php

@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\Zammad\Migration;
+
+use Closure;
+use OCA\Zammad\AppInfo\Application;
+use OCP\Config\IUserConfig;
+use OCP\IAppConfig;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use OCP\Security\ICrypto;
+
+class Version040000Date20260129225956 extends SimpleMigrationStep {
+
+	public function __construct(
+		private ICrypto $crypto,
+		private IUserConfig $userConfig,
+		private IAppConfig $appConfig,
+	) {
+	}
+
+	/**
+	 * @param IOutput $output
+	 * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
+	 * @param array $options
+	 */
+	public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) {
+		foreach ($this->userConfig->getUserIds(Application::APP_ID) as $userId) {
+			// store user config as lazy and sensitive
+			foreach (['token', 'refresh_token'] as $key) {
+				if ($this->userConfig->hasKey($userId, Application::APP_ID, $key)) {
+					$value = $this->userConfig->getValueString($userId, Application::APP_ID, $key);
+					$decryptedValue = $this->crypto->decrypt($value);
+					$this->userConfig->setValueString($userId, Application::APP_ID, $key, $decryptedValue, lazy: true, flags: IUserConfig::FLAG_SENSITIVE);
+				}
+			}
+			// store user config as lazy (except 'navigation_enabled' and 'url')
+			foreach (['token_type', 'token_expires_at', 'oauth_state', 'redirect_uri', 'search_enabled', 'link_preview_enabled', 'notification_enabled', 'user_id', 'user_name', 'last_open_check'] as $key) {
+				if ($this->userConfig->hasKey($userId, Application::APP_ID, $key)) {
+					$value = $this->userConfig->getValueString($userId, Application::APP_ID, $key);
+					$this->userConfig->setValueString($userId, Application::APP_ID, $key, $value, lazy: true);
+				}
+			}
+		}
+
+		// store oauth_instance_url as non-lazy
+		foreach (['oauth_instance_url'] as $key) {
+			if ($this->appConfig->hasKey(Application::APP_ID, $key, lazy: true)) {
+				$this->appConfig->deleteKey(Application::APP_ID, $key);
+				$this->appConfig->setValueString(Application::APP_ID, $key, $value, lazy: false);
+			}
+		}
+	}
+}

lib/Reference/ZammadReferenceProvider.php

@@ -31,8 +31,8 @@
 use OCP\Collaboration\Reference\IReferenceManager;
 use OCP\Collaboration\Reference\ISearchableReferenceProvider;
 use OCP\Collaboration\Reference\Reference;
+use OCP\Config\IUserConfig;
 use OCP\IAppConfig;
-use OCP\IConfig;
 use OCP\IL10N;
 use OCP\IURLGenerator;
 use OCP\PreConditionNotMetException;
@@ -41,7 +41,7 @@ class ZammadReferenceProvider extends ADiscoverableReferenceProvider implements
 
 	public function __construct(
 		private ZammadAPIService $zammadAPIService,
-		private IConfig $config,
+		private IUserConfig $userConfig,
 		private IAppConfig $appConfig,
 		private IReferenceManager $referenceManager,
 		private IURLGenerator $urlGenerator,
@@ -86,7 +86,7 @@ public function getIconUrl(): string {
 	public function getSupportedSearchProviderIds(): array {
 		if ($this->userId !== null) {
 			$ids = [];
-			$searchEnabled = $this->config->getUserValue($this->userId, Application::APP_ID, 'search_enabled', '0') === '1';
+			$searchEnabled = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'search_enabled', '0', lazy: true) === '1';
 			if ($searchEnabled) {
 				$ids[] = 'zammad-search';
 			}
@@ -105,7 +105,7 @@ private function isMatching(string $referenceText, string $url): bool {
 	 */
 	public function matchReference(string $referenceText): bool {
 		if ($this->userId !== null) {
-			$linkPreviewEnabled = $this->config->getUserValue($this->userId, Application::APP_ID, 'link_preview_enabled', '1') === '1';
+			$linkPreviewEnabled = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'link_preview_enabled', '1', lazy: true) === '1';
 			if (!$linkPreviewEnabled) {
 				return false;
 			}
@@ -115,8 +115,8 @@ public function matchReference(string $referenceText): bool {
 			return false;
 		}
 
-		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url', lazy: true);
-		$zammadUrl = $this->config->getUserValue($this->userId, Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
+		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url');
+		$zammadUrl = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
 
 		return $this->isMatching($referenceText, $zammadUrl);
 	}
@@ -125,8 +125,8 @@ public function matchReference(string $referenceText): bool {
 	 * @inheritDoc
 	 */
 	public function resolveReference(string $referenceText): ?IReference {
-		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url', lazy: true);
-		$zammadUrl = $this->config->getUserValue($this->userId, Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
+		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url');
+		$zammadUrl = $this->userConfig->getValueString($this->userId, Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
 		if ($zammadUrl !== '') {
 			$parts = $this->getLinkParts($zammadUrl, $referenceText);
 			if ($parts !== null) {

lib/Search/ZammadSearchProvider.php

@@ -28,8 +28,8 @@
 use OCA\Zammad\AppInfo\Application;
 use OCA\Zammad\Service\ZammadAPIService;
 use OCP\App\IAppManager;
+use OCP\Config\IUserConfig;
 use OCP\IAppConfig;
-use OCP\IConfig;
 use OCP\IDateTimeFormatter;
 use OCP\IL10N;
 use OCP\IURLGenerator;
@@ -44,7 +44,7 @@ class ZammadSearchProvider implements IProvider, IExternalProvider {
 	public function __construct(
 		private IAppManager $appManager,
 		private IL10N $l10n,
-		private IConfig $config,
+		private IUserConfig $userConfig,
 		private IAppConfig $appConfig,
 		private IURLGenerator $urlGenerator,
 		private IDateTimeFormatter $dateTimeFormatter,
@@ -95,16 +95,16 @@ public function search(IUser $user, ISearchQuery $query): SearchResult {
 		$offset = $query->getCursor();
 		$offset = $offset ? intval($offset) : 0;
 
-		$theme = $this->config->getUserValue($user->getUID(), 'accessibility', 'theme');
+		$theme = $this->userConfig->getValueString($user->getUID(), 'accessibility', 'theme');
 		$thumbnailUrl = ($theme === 'dark')
 			? $this->urlGenerator->imagePath(Application::APP_ID, 'app.svg')
 			: $this->urlGenerator->imagePath(Application::APP_ID, 'app-dark.svg');
 
-		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url', lazy: true);
-		$zammadUrl = $this->config->getUserValue($user->getUID(), Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
-		$hasAccessToken = $this->config->getUserValue($user->getUID(), Application::APP_ID, 'token') !== '';
+		$adminZammadOauthUrl = $this->appConfig->getValueString(Application::APP_ID, 'oauth_instance_url');
+		$zammadUrl = $this->userConfig->getValueString($user->getUID(), Application::APP_ID, 'url') ?: $adminZammadOauthUrl;
+		$hasAccessToken = $this->userConfig->getValueString($user->getUID(), Application::APP_ID, 'token', lazy: true) !== '';
 
-		$searchEnabled = $this->config->getUserValue($user->getUID(), Application::APP_ID, 'search_enabled', '0') === '1';
+		$searchEnabled = $this->userConfig->getValueString($user->getUID(), Application::APP_ID, 'search_enabled', '0', lazy: true) === '1';
 		if (!$hasAccessToken || !$searchEnabled) {
 			return SearchResult::paginated($this->getName(), [], 0);
 		}