nextcloud / server

ā˜ļø Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Machine-detectable response code for "Password confirmation is required" #37377

Open donquixote opened 1 year ago

donquixote commented 1 year ago


Background

I am using the Nextcloud API to create users, groups and similar from an external software (a Drupal website). I noticed that cookie auth is the fastest, token auth is a bit slower, basic auth is a lot slower. With both cookie auth and token auth, I get responses "Password confirmation is required" on routes annotated with @PasswordConfirmationRequired every 30 minutes. The response json is like this:

{"ocs":{"meta":{"status":"failure","statuscode":403,"message":"Password confirmation is required","totalitems":"","itemsperpage":""},"data":[]}}

In my code I am checking for $data['ocs']['meta']['statuscode'] === 403 && $data['ocs']['meta']['message'] === "Password confirmation is required". If the check is positive, I clear the cookies and send another request. (I am using cookie auth, but the same would happen with token auth)

Problem

My check relies on a user interface string, which might change in future versions of Nextcloud.

Request

Send another special string with the response that is more reliable to detect. BUT don't remove any of the existing parts of the response, so as not to break other clients. OR make a commitment that the string "Password confirmation is required" is never going to change.

donquixote commented 1 year ago

See also #7753, #6476, #17434

donquixote commented 1 year ago

Another option would be to detect if the request already contains basic auth credentials, and if so, to use these to refresh the 'last-password-confirm' in the session.

ChristophWurst commented 1 year ago

I did something similar for maintenance mode: https://github.com/nextcloud/server/pull/33173

donquixote commented 1 year ago

A header, ok :) Not part of the ocs response json. I suppose https://lukasreschke.github.io/OpenCloudMeshSpecification/#ocs-responses is already full, we cannot invent another slot here. So ok to use a header. This also allows to implement this check as a middleware in Guzzle client, without parsing the json.

Of course another option when implementing a client would be to clear the session cookies every 30 minutes.
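The client-side workaround described in the first comment (match `ocs.meta.statuscode` and `ocs.meta.message`, clear the cookies, resend) and the header-based detection proposed above, written out as an added example that is not code from this issue, from Nextcloud or from the Drupal integration. Everything except the OCS failure body quoted in the issue is an assumption: the header name `X-Nextcloud-Password-Confirmation-Required` is hypothetical (Nextcloud does not send such a header; the JSON check is the fallback that works today), `FakeNextcloud` is a constructed stand-in that only mimics the 30-minute last-password-confirm window so the example runs offline, and the 401 body it returns is made up.

```python
import json

# Taken from the OCS failure body quoted in the issue.
CONFIRM_MESSAGE = "Password confirmation is required"
CONFIRM_WINDOW_SECONDS = 30 * 60

# ASSUMPTION: a hypothetical header in the spirit of the maintenance-mode header
# mentioned in the thread. Nextcloud does not send this today; the ocs.meta check
# in needs_password_confirmation() is the fallback that works against current servers.
CONFIRM_HEADER = "x-nextcloud-password-confirmation-required"


def needs_password_confirmation(status, headers, body):
    """Detect the @PasswordConfirmationRequired rejection.

    Header first (no JSON parsing needed, usable in a transport middleware),
    then the ocs.meta fields exactly as they appear in the issue.
    Header names are compared case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(CONFIRM_HEADER) == "1":
        return True
    if status != 403:
        return False
    try:
        meta = json.loads(body)["ocs"]["meta"]
    except (ValueError, KeyError, TypeError):
        return False
    return meta.get("statuscode") == 403 and meta.get("message") == CONFIRM_MESSAGE


class FakeNextcloud:
    """Constructed stand-in for the server so the example runs offline.

    It mimics only the behaviour the issue describes: a session created with
    basic auth gets its last-password-confirm time set to the login time, and
    once 30 minutes have passed the route answers with the OCS 403 body.
    """

    def __init__(self, clock, send_header=False):
        self.clock = clock            # callable returning seconds
        self.send_header = send_header
        self.sessions = {}            # cookie -> last password confirmation time
        self.logins = 0

    def request(self, cookie, basic_auth):
        now = self.clock()
        if cookie not in self.sessions:
            if not basic_auth:        # constructed 401 body, not Nextcloud's real one
                return 401, {}, json.dumps({"ocs": {"meta": {"status": "failure",
                                            "statuscode": 401, "message": "Unauthorised"}, "data": []}})
            self.logins += 1
            cookie = "sess%d" % self.logins
            self.sessions[cookie] = now
        headers = {"Set-Cookie": cookie}
        if now - self.sessions[cookie] >= CONFIRM_WINDOW_SECONDS:
            if self.send_header:
                headers[CONFIRM_HEADER] = "1"
            body = json.dumps({"ocs": {"meta": {"status": "failure", "statuscode": 403,
                               "message": CONFIRM_MESSAGE, "totalitems": "", "itemsperpage": ""},
                               "data": []}})
            return 403, headers, body
        return 200, headers, json.dumps({"ocs": {"meta": {"status": "ok", "statuscode": 100,
                                                         "message": "OK"}, "data": []}})


class OcsClient:
    """Client side of the workaround: use the session cookie while it works; on a
    password-confirmation rejection drop the cookie and repeat the request once
    with basic auth, which yields a freshly confirmed session."""

    def __init__(self, server, basic_auth):
        self.server = server
        self.basic_auth = basic_auth
        self.cookie = None
        self.reauths = 0

    def call(self):
        status, headers, body = 0, {}, "{}"
        for _attempt in range(2):
            creds = None if self.cookie else self.basic_auth
            status, headers, body = self.server.request(self.cookie, creds)
            if needs_password_confirmation(status, headers, body):
                self.cookie = None        # clear cookies, as the issue author does
                self.reauths += 1
                continue
            self.cookie = headers.get("Set-Cookie", self.cookie)
            return status, json.loads(body)
        return status, json.loads(body)   # rejected twice: surface the 403 to the caller


if __name__ == "__main__":
    now = [0]
    server = FakeNextcloud(lambda: now[0])
    client = OcsClient(server, ("admin", "secret"))
    print(client.call()[0])               # first call logs in with basic auth
    now[0] = CONFIRM_WINDOW_SECONDS       # 30 minutes later the cookie session is rejected
    print(client.call()[0], client.reauths, server.logins)
```

Because the rejection is detected without looking at the request, the same `needs_password_confirmation` check can sit in a Guzzle or `requests` middleware; the retry is limited to one attempt so that a server that keeps rejecting does not loop forever.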

donquixote commented 1 year ago

Btw how does the js front-end currently do this check? Or does it always ask for a password for these special operations?