feat(login-flow-v2): Restrict allowed apps by user agent check #50650

printminion-co · 2025-02-04T16:35:35Z

add config value to config.php:

	"core.login_flow_v2.allowed_user_agents" => [
			'/Custom Foo/i'
	],

or via occ

./occ config:system:set core.login_flow_v2.allowed_user_agents 0  --value '/Custom Foo/i'

Test Allowed client

curl -s -A "Custom Foo Curl Client/1.0" -X POST http://localhost:8080/index.php/login/v2 | jq

click on generated login url.

Test Forbidden client

curl -s -A "Rogue Curl Client/1.0" -X POST http://localhost:8080/index.php/login/v2 | jq

click on generated login url.
observe

Unitests

Run tests with coverage
Add test suite phpunit-autotest-core.xml file

phpunit-autotest-core.xml

<?xml version="1.0" encoding="utf-8" ?>
<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 bootstrap="bootstrap.php"
		 verbose="true"
		 backupGlobals="false"
		 timeoutForSmallTests="900"
		 timeoutForMediumTests="900"
		 timeoutForLargeTests="900"
		 convertDeprecationsToExceptions="true"
		 xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.6/phpunit.xsd">
	<testsuite name='test LoginFlowV2'>
		<directory suffix=".php">./Core/Controller/ClientFlowLoginV2ControllerTest.php</directory>
		<directory suffix=".php">./Core/Service/LoginFlowV2ServiceUnitTest.php</directory>
	</testsuite>
	<coverage>
		<include>
			<directory suffix=".php">../core/*</directory>
		</include>
		<exclude>
			<directory suffix=".js">../**/</directory>

			<directory suffix=".php">../3rdparty/**/*</directory>
			<directory suffix=".php">../apps/**/*</directory>
			<directory suffix=".php">../apps-custom/**/*</directory>
			<directory suffix=".php">../apps-external/**/*</directory>
			<directory suffix=".php">../custom-npms/**/*</directory>
			<directory suffix=".php">../build</directory>
			<directory suffix=".php">../IONOS/**/*</directory>
			<directory suffix=".php">../lib/composer</directory>
			<directory suffix=".php">../vendor/**/*</directory>
			<directory suffix=".php">../tests</directory>
		</exclude>
	</coverage>
	<listeners>
		<listener class="StartSessionListener" file="startsessionlistener.php" />
	</listeners>
</phpunit>

run tests

export XDEBUG_MODE=coverage && phpunit --configuration tests/phpunit-autotest-core.xml --coverage-html coverage

observe coverage in ./coverage folder

Checklist

Code is properly formatted
Sign-off message is added to all commits
Tests (unit, integration, api and/or acceptance) are included
Screenshots before/after for front-end changes
Documentation (manuals or wiki) has been updated or is not required
Backports requested where applicable (ex: critical bugfixes)

susnux · 2025-02-04T17:14:31Z

core/Service/LoginFlowV2Service.php

 		} catch (DoesNotExistException $e) {
 			throw new LoginFlowV2NotFoundException('Login token invalid');
 		}
+
+		$allowedAgents = $this->config->getSystemValue('core.login_flow_v2.allowed_user_agents', []);


Not sure if this should be an app or system config value.
But if this should be, as it is now, a system config value then please add it with documentation to config/config.sample.php

Would say system config is good once documented 👍

@juliusknorr @susnux
I've added documentation. Observe https://github.com/nextcloud/server/pull/50650/files#diff-3bbe91e1f85eec5dbd0031642dfb0ad6749b550fc3b94af7aa68a98210b78738R2441

come-nc

Not sure either, but apart from that code looks fine.

Enable via: ./occ config:system:set core.login_flow_v2.allowed_user_agents 0 --value '/Custom Foo Client/i' ./occ config:system:set core.login_flow_v2.allowed_user_agents 1 --value '/Custom Bar Client/i' if user agent string is unknown the template with "Access forbidden"-"Please use original client" will be displayed Signed-off-by: Misha M.-Kupriyanov <[email protected]>

printminion-co mentioned this pull request Feb 4, 2025

IONOS(login-flow-v2): reject unknown api clients by user agent IONOS-Productivity/nc-server#98

Merged

4 tasks

susnux requested a review from juliusknorr February 4, 2025 17:08

AndyScherzinger added the 3. to review Waiting for reviews label Feb 4, 2025

AndyScherzinger requested a review from sorbaugh February 4, 2025 17:13

susnux reviewed Feb 4, 2025

View reviewed changes

susnux added the enhancement label Feb 4, 2025

susnux requested a review from come-nc February 4, 2025 17:14

susnux added the feature: authentication label Feb 4, 2025

susnux added this to the Nextcloud 32 milestone Feb 4, 2025

come-nc approved these changes Feb 6, 2025

View reviewed changes

come-nc requested a review from nickvergessen February 6, 2025 16:37

printminion-co force-pushed the feat/login_flow_v2-user_agents-allow-list branch from b467dcc to 1ce7ca2 Compare February 7, 2025 14:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(login-flow-v2): Restrict allowed apps by user agent check #50650

feat(login-flow-v2): Restrict allowed apps by user agent check #50650

printminion-co commented Feb 4, 2025 •

edited

Loading

susnux Feb 4, 2025

juliusknorr Feb 6, 2025

printminion-co Feb 7, 2025

come-nc left a comment

feat(login-flow-v2): Restrict allowed apps by user agent check #50650

Are you sure you want to change the base?

feat(login-flow-v2): Restrict allowed apps by user agent check #50650

Conversation

printminion-co commented Feb 4, 2025 • edited Loading

Test Allowed client

Test Forbidden client

Unitests

Checklist

susnux Feb 4, 2025

Choose a reason for hiding this comment

juliusknorr Feb 6, 2025

Choose a reason for hiding this comment

printminion-co Feb 7, 2025

Choose a reason for hiding this comment

come-nc left a comment

Choose a reason for hiding this comment

printminion-co commented Feb 4, 2025 •

edited

Loading