Fix Nextcloud login flaws

crates/nextcloud_login/Cargo.toml

@@ -0,0 +1,25 @@
+[package]
+name = "rustical_nextcloud_login"
+version.workspace = true
+edition.workspace = true
+description.workspace = true
+repository.workspace = true
+publish = false
+
+[dependencies]
+askama.workspace = true
+askama_actix = { workspace = true }
+actix-session = { workspace = true }
+serde = { workspace = true }
+thiserror = { workspace = true }
+tokio = { workspace = true }
+actix-web = { workspace = true }
+rustical_store = { workspace = true }
+rust-embed.workspace = true
+futures-core.workspace = true
+hex.workspace = true
+mime_guess.workspace = true
+rand.workspace = true
+dashmap.workspace = true
+uuid.workspace = true
+chrono.workspace = true

crates/nextcloud_login/askama.toml

@@ -0,0 +1,2 @@
+[general]
+dirs = ["public/templates"]

crates/nextcloud_login/public/assets/style.css

@@ -0,0 +1,7 @@
+body {
+  font-family: sans-serif;
+}
+
+* {
+  box-sizing: border-box;
+}

crates/nextcloud_login/public/templates/layouts/default.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>{% block title %}RustiCal{% endblock %}</title>
+  <link rel="stylesheet" href="/frontend/assets/style.css" />
+  {% block imports %}{% endblock %}
+</head>
+
+<body>
+  <div id="app">
+    {% block content %}<p>Placeholder</p>{% endblock %}
+  </div>
+</body>
+</html>

crates/nextcloud_login/public/templates/pages/nextcloud_login_form.html

@@ -0,0 +1,13 @@
+{% extends "layouts/default.html" %}
+
+{% block imports %}
+{% endblock %}
+
+{% block content %}
+<p>Authorize application to act on your behalf, {{ username }}?</p>
+<form method="POST">
+  <label for="app_name">App name</label>
+  <input type="text" value="{{ app_name }}" name="app_name"/>
+  <button type="submit">Authorize</button>
+</form>
+{% endblock %}

crates/nextcloud_login/public/templates/pages/nextcloud_login_success.html

@@ -0,0 +1,8 @@
+{% extends "layouts/default.html" %}
+
+{% block imports %}
+{% endblock %}
+
+{% block content %}
+  <p>Authorized app {{ app_name }}, you may now close this page.</p>
+{% endblock %}

crates/nextcloud_login/src/assets.rs

@@ -0,0 +1,113 @@
+use std::marker::PhantomData;
+
+use actix_web::{
+    body::BoxBody,
+    dev::{
+        HttpServiceFactory, ResourceDef, Service, ServiceFactory, ServiceRequest, ServiceResponse,
+    },
+    http::{header, Method},
+    HttpResponse,
+};
+use futures_core::future::LocalBoxFuture;
+use rust_embed::RustEmbed;
+
+#[derive(RustEmbed)]
+#[folder = "public/assets"]
+pub struct Assets;
+
+pub struct EmbedService<E>
+where
+    E: 'static + RustEmbed,
+{
+    _embed: PhantomData<E>,
+    prefix: String,
+}
+
+impl<E> EmbedService<E>
+where
+    E: 'static + RustEmbed,
+{
+    pub fn new(prefix: String) -> Self {
+        Self {
+            prefix,
+            _embed: PhantomData,
+        }
+    }
+}
+
+impl<E> HttpServiceFactory for EmbedService<E>
+where
+    E: 'static + RustEmbed,
+{
+    fn register(self, config: &mut actix_web::dev::AppService) {
+        let resource_def = if config.is_root() {
+            ResourceDef::root_prefix(&self.prefix)
+        } else {
+            ResourceDef::prefix(&self.prefix)
+        };
+        config.register_service(resource_def, None, self, None);
+    }
+}
+
+impl<E> ServiceFactory<ServiceRequest> for EmbedService<E>
+where
+    E: 'static + RustEmbed,
+{
+    type Response = ServiceResponse;
+    type Error = actix_web::Error;
+    type Config = ();
+    type Service = EmbedService<E>;
+    type InitError = ();
+    type Future = LocalBoxFuture<'static, Result<Self::Service, Self::InitError>>;
+
+    fn new_service(&self, _: ()) -> Self::Future {
+        let prefix = self.prefix.clone();
+        Box::pin(async move {
+            Ok(Self {
+                prefix,
+                _embed: PhantomData,
+            })
+        })
+    }
+}
+
+impl<E> Service<ServiceRequest> for EmbedService<E>
+where
+    E: 'static + RustEmbed,
+{
+    type Response = ServiceResponse<BoxBody>;
+    type Error = actix_web::Error;
+    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
+
+    actix_web::dev::always_ready!();
+
+    fn call(&self, req: ServiceRequest) -> Self::Future {
+        Box::pin(async move {
+            if req.method() != Method::GET && req.method() != Method::HEAD {
+                return Ok(req.into_response(HttpResponse::MethodNotAllowed()));
+            }
+            let path = req.match_info().unprocessed().trim_start_matches('/');
+
+            match E::get(path) {
+                Some(file) => {
+                    let data = file.data;
+                    let hash = hex::encode(file.metadata.sha256_hash());
+                    let mime = mime_guess::from_path(path).first_or_octet_stream();
+
+                    let body = if req.method() == Method::HEAD {
+                        Default::default()
+                    } else {
+                        data
+                    };
+                    Ok(req.into_response(
+                        HttpResponse::Ok()
+                            .content_type(mime)
+                            .insert_header((header::ETAG, hash))
+                            .body(body),
+                    ))
+                }
+                None => Ok(req.into_response(HttpResponse::NotFound())),
+            }
+        })
+    }
+}

crates/nextcloud_login/src/lib.rs

@@ -0,0 +1,229 @@
+use actix_web::{
+    http::header::{self},
+    web::{self, Data, Form, Json, Path, ServiceConfig},
+    HttpRequest, HttpResponse, Responder,
+};
+use askama::Template;
+use assets::{Assets, EmbedService};
+use chrono::{DateTime, Duration, Utc};
+use rand::{distributions::Alphanumeric, Rng};
+use rustical_store::auth::{AuthenticationMiddleware, AuthenticationProvider, User};
+use serde::{Deserialize, Serialize};
+use std::{collections::HashMap, sync::Arc};
+use tokio::sync::RwLock;
+mod assets;
+
+#[derive(Debug, Clone)]
+struct NextcloudFlow {
+    app_name: String,
+    created_at: DateTime<Utc>,
+    token: String,
+    response: Option<NextcloudSuccessResponse>,
+}
+
+#[derive(Debug, Default)]
+pub struct NextcloudFlows {
+    flows: RwLock<HashMap<String, NextcloudFlow>>,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct NextcloudLoginPoll {
+    token: String,
+    endpoint: String,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct NextcloudLoginResponse {
+    poll: NextcloudLoginPoll,
+    login: String,
+}
+
+async fn post_nextcloud_login(
+    req: HttpRequest,
+    state: Data<NextcloudFlows>,
+) -> Json<NextcloudLoginResponse> {
+    let flow_id = uuid::Uuid::new_v4().to_string();
+    let token = uuid::Uuid::new_v4().to_string();
+    let poll_url = req
+        .resource_map()
+        .url_for(&req, "nc_login_poll", [&flow_id])
+        .unwrap();
+    let flow_url = req
+        .resource_map()
+        .url_for(&req, "nc_login_flow", [&flow_id])
+        .unwrap();
+
+    let app_name = req
+        .headers()
+        .get(header::USER_AGENT)
+        .map(|val| val.to_str().unwrap_or("Unknown client"))
+        .unwrap_or("Unknown client");
+
+    let mut flows = state.flows.write().await;
+    // Flows must not last longer than 10 minutes
+    // We also enforce that condition here to prevent a memory leak where unpolled flows would
+    // never be cleaned up
+    flows.retain(|_, flow| Utc::now() - flow.created_at < Duration::minutes(10));
+    flows.insert(
+        flow_id,
+        NextcloudFlow {
+            app_name: app_name.to_owned(),
+            created_at: Utc::now(),
+            token: token.to_owned(),
+            response: None,
+        },
+    );
+    Json(NextcloudLoginResponse {
+        login: flow_url.to_string(),
+        poll: NextcloudLoginPoll {
+            token,
+            endpoint: poll_url.to_string(),
+        },
+    })
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct NextcloudSuccessResponse {
+    server: String,
+    login_name: String,
+    app_password: String,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct NextcloudPollForm {
+    token: String,
+}
+
+async fn post_nextcloud_poll<AP: AuthenticationProvider>(
+    state: Data<NextcloudFlows>,
+    form: Form<NextcloudPollForm>,
+    path: Path<String>,
+    auth_provider: Data<AP>,
+    req: HttpRequest,
+) -> Result<HttpResponse, rustical_store::Error> {
+    let flow_id = path.into_inner();
+    let mut flows = state.flows.write().await;
+
+    // Flows must not last longer than 10 minutes
+    flows.retain(|_, flow| Utc::now() - flow.created_at < Duration::minutes(10));
+
+    if let Some(flow) = flows.get(&flow_id).cloned() {
+        if flow.token != form.token {
+            return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
+        }
+        if let Some(response) = &flow.response {
+            auth_provider
+                .add_app_token(
+                    &response.login_name,
+                    flow.app_name.to_owned(),
+                    response.app_password.to_owned(),
+                )
+                .await?;
+            flows.remove(&flow_id);
+            Ok(Json(response).respond_to(&req).map_into_boxed_body())
+        } else {
+            // Not done yet, re-insert flow
+            Ok(HttpResponse::NotFound().finish())
+        }
+    } else {
+        Ok(HttpResponse::Unauthorized().body("Unauthorized"))
+    }
+}
+
+fn generate_app_token() -> String {
+    rand::thread_rng()
+        .sample_iter(Alphanumeric)
+        .map(char::from)
+        .take(64)
+        .collect()
+}
+
+#[derive(Template)]
+#[template(path = "pages/nextcloud_login_form.html")]
+struct NextcloudLoginPage {
+    username: String,
+    app_name: String,
+}
+
+async fn get_nextcloud_flow(
+    user: User,
+    state: Data<NextcloudFlows>,
+    path: Path<String>,
+    req: HttpRequest,
+) -> Result<impl Responder, rustical_store::Error> {
+    let flow_id = path.into_inner();
+    if let Some(flow) = state.flows.read().await.get(&flow_id) {
+        Ok(NextcloudLoginPage {
+            username: user.displayname.unwrap_or(user.id),
+            app_name: flow.app_name.to_owned(),
+        }
+        .respond_to(&req))
+    } else {
+        Ok(HttpResponse::NotFound().body("Login flow not found"))
+    }
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize)]
+struct NextcloudAuthorizeForm {
+    app_name: String,
+}
+
+#[derive(Template)]
+#[template(path = "pages/nextcloud_login_success.html")]
+struct NextcloudLoginSuccessPage {
+    app_name: String,
+}
+
+async fn post_nextcloud_flow(
+    user: User,
+    state: Data<NextcloudFlows>,
+    path: Path<String>,
+    req: HttpRequest,
+    form: Form<NextcloudAuthorizeForm>,
+) -> Result<impl Responder, rustical_store::Error> {
+    let flow_id = path.into_inner();
+    if let Some(flow) = state.flows.write().await.get_mut(&flow_id) {
+        flow.app_name = form.into_inner().app_name;
+        flow.response = Some(NextcloudSuccessResponse {
+            server: req.full_url().origin().unicode_serialization(),
+            login_name: user.id.to_owned(),
+            app_password: generate_app_token(),
+        });
+        Ok(NextcloudLoginSuccessPage {
+            app_name: flow.app_name.to_owned(),
+        }
+        .respond_to(&req))
+    } else {
+        Ok(HttpResponse::NotFound().body("Login flow not found"))
+    }
+}
+
+pub fn configure_nextcloud_login<AP: AuthenticationProvider>(
+    cfg: &mut ServiceConfig,
+    nextcloud_flows_state: Arc<NextcloudFlows>,
+    auth_provider: Arc<AP>,
+) {
+    cfg.service(
+        web::scope("")
+            .wrap(AuthenticationMiddleware::new(auth_provider.clone()))
+            .app_data(Data::from(nextcloud_flows_state))
+            .app_data(Data::from(auth_provider.clone()))
+            .service(EmbedService::<Assets>::new("/assets".to_owned()))
+            .service(web::resource("/index.php/login/v2").post(post_nextcloud_login))
+            .service(
+                web::resource("/login/v2/poll/{flow}")
+                    .name("nc_login_poll")
+                    .post(post_nextcloud_poll::<AP>),
+            )
+            .service(
+                web::resource("/login/v2/flow/{flow}")
+                    .name("nc_login_flow")
+                    .get(get_nextcloud_flow)
+                    .post(post_nextcloud_flow),
+            ),
+    );
+}