Open donquixote opened 1 year ago
See also #7753, #6476, #17434
Another option would be to detect if the request already contains basic auth credentials, and if so, to use these to refresh the 'last-password-confirm' in the session.
I did something similar for maintenance mode: https://github.com/nextcloud/server/pull/33173
A header, ok :) Not part of the ocs response json. I suppose https://lukasreschke.github.io/OpenCloudMeshSpecification/#ocs-responses is already full, we cannot invent another slot here. So ok to use a header. This also allows to implement this check as a middleware in Guzzle client, without parsing the json.
Of course another option when implementing a client would be to clear the session cookies every 30 minutes.
Btw how does the js front-end currently do this check? Or does it always ask for a password for these special operations?
Background
I am using the Nextcloud API to create users, groups and similar from external software (a Drupal website). I noticed that cookie auth is the fastest, token auth is a bit slower, basic auth is a lot slower. With both cookie auth and token auth, I get responses "Password confirmation is required" on routes annotated with @PasswordConfirmationRequired every 30 minutes. The response JSON is like this:
In my code I am checking for $data['ocs']['meta']['statuscode'] === 403 && $data['ocs']['meta']['message'] === "Password confirmation is required". If the check is positive, I clear the cookies and send another request. (I am using cookie auth, but the same would happen with token auth.)
Problem
My check relies on a user interface string, which might change in future versions of Nextcloud.
Request
Send another special string with the response that is more reliable to detect, BUT don't remove any of the existing parts of the response, so as not to break other clients. OR make a commitment that the string "Password confirmation is required" is not going to change, ever.
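As an added example (not code from the issue author, the Nextcloud project, or the Drupal site mentioned above), the PHP below implements the check the issue describes against the decoded OCS JSON and wraps it in the "clear cookies, send once more" retry. The transport callable, the cookie array and the sample response bodies are constructed for this example; the sample bodies contain only the ocs.meta fields the check reads, because the actual response JSON is not reproduced on this page. Matching is deliberately exact, so if the message string ever changes the request fails visibly instead of being retried in a loop.

```php
<?php
// Added example: detection of the "Password confirmation is required" OCS
// response plus a single cookie-clearing retry. Not Nextcloud project code.
declare(strict_types=1);

const PASSWORD_CONFIRMATION_MESSAGE = 'Password confirmation is required';

/**
 * Decode an OCS JSON body and report whether it is the password-confirmation
 * response. Anything that does not match exactly (including malformed JSON or
 * a 403 with a different message) returns false, so it is NOT retried.
 */
function isPasswordConfirmationRequired(string $body): bool
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return false;
    }
    $meta = $data['ocs']['meta'] ?? null;
    if (!is_array($meta)) {
        return false;
    }
    return ($meta['statuscode'] ?? null) === 403
        && ($meta['message'] ?? null) === PASSWORD_CONFIRMATION_MESSAGE;
}

/**
 * Send a request through $send. If the answer is the password-confirmation
 * response, empty the cookie jar (so the next request starts a fresh cookie
 * session with the credentials the client sends anyway) and retry exactly once.
 * $send is a hypothetical transport, fn(array $cookies): string (raw body),
 * standing in for e.g. a Guzzle client. Returns [body, attempts].
 */
function sendWithReconfirm(callable $send, array &$cookies): array
{
    $body = $send($cookies);
    if (!isPasswordConfirmationRequired($body)) {
        return [$body, 1];
    }
    $cookies = [];            // clear the session cookies, as the issue describes
    $body = $send($cookies);
    return [$body, 2];        // no further retry: a second 403 is a real failure
}

// ---- Constructed sample bodies (not captured from a Nextcloud server) -------
$needsConfirm = json_encode(['ocs' => ['meta' => [
    'statuscode' => 403, 'message' => PASSWORD_CONFIRMATION_MESSAGE]]]);
$ok = json_encode(['ocs' => ['meta' => ['statuscode' => 100, 'message' => 'OK'],
    'data' => ['id' => 'newuser']]]);
$otherForbidden = json_encode(['ocs' => ['meta' => [
    'statuscode' => 403, 'message' => 'Access denied']]]);

// Fake transport: answers "confirmation required" while the stale session
// cookie is present and succeeds once the jar has been cleared.
$fakeSend = function (array $cookies) use ($needsConfirm, $ok): string {
    return isset($cookies['session_cookie']) ? $needsConfirm : $ok;
};

$cookies = ['session_cookie' => 'stale-session'];   // hypothetical cookie name
[$body, $attempts] = sendWithReconfirm($fakeSend, $cookies);

if ($attempts !== 2 || $body !== $ok || $cookies !== []) {
    throw new RuntimeException('retry-after-confirmation path did not behave as expected');
}
if (isPasswordConfirmationRequired($otherForbidden)) {
    throw new RuntimeException('a 403 with a different message must not be treated as re-confirmation');
}
if (isPasswordConfirmationRequired('not json')) {
    throw new RuntimeException('malformed bodies must not be retried');
}
echo "succeeded after $attempts attempt(s)", PHP_EOL;
```

Run with `php example.php`. Keeping the string in one constant and limiting the retry to a single attempt is what makes the current, UI-string-based detection tolerable: a renamed message breaks exactly one place, and a server that keeps answering 403 never turns into an infinite cookie-clearing loop.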