Don't perform CSRF check on OCS routes with Bearer auth

[rullzer]

Fixes #5694

Todo:

• Validate if this works
  • @daita has it working 🎈
  • @pierreozoux has it working too
  • @Dagefoerde has it working as well :)
• Fix tests
• Extend tests

@daita please verify
@Dagefoerde could you also check this out? THNX.

[ArtificialOwl]

clean nc14 (with the fix)+moodle34+plugin for moodle from owncloud :

nextcloud.log:

 {
  "reqId": "0RVGuWfh1lauoLRxJaXi",
  "level": 2,
  "time": "2018-01-16T10:54:30+00:00",
  "remoteAddr": "165.90.126.124",
  "user": "--",
  "app": "core",
  "method": "POST",
  "url": "/index.php/apps/oauth2/api/v1/token",
  "message": "Login failed: 'MQvMykk8q2JuLDs8tuMx6gRpDmOiyS7AqZl0f8PJ8bimg33SQ6bAuLMMuoDkFeYz' (Remote IP: '165.90.126.124')",
  "userAgent": "MoodleBot/1.0",
  "version": "14.0.0.0"
}

apache:

165.90.126.124 - - [16/Jan/2018:10:54:24 +0000] "GET /index.php/apps/oauth2/authorize?client_id=MQvMykk8q2JuLDs8tuMx6gRpDmOiyS7AqZl0f8PJ8bimg33SQ6bAuLMMuoDkFeYz&response_type=code&redirect_uri=http%3A%2F%2Fmoodle%2Fadmin%2Foauth2callback.php&state=%2Frepository%2Frepository_callback.php%3Fcallback%3Dyes%26repo_id%3D19%26sesskey%3DkHGEq3wjlO&scope=openid%20profile%20email%20files%20ocs HTTP/2.0" 303 -
165.90.126.124 - - [16/Jan/2018:10:54:24 +0000] "GET /index.php/login/flow?clientIdentifier=MQvMykk8q2JuLDs8tuMx6gRpDmOiyS7AqZl0f8PJ8bimg33SQ6bAuLMMuoDkFeYz HTTP/2.0" 200 2912
165.90.126.124 - - [16/Jan/2018:10:54:25 +0000] "GET /core/css/login/authpicker.css?v=ad8161bf-0 HTTP/2.0" 200 146
165.90.126.124 - - [16/Jan/2018:10:54:25 +0000] "GET /core/css/guest.css?v=ad8161bf-0 HTTP/2.0" 200 4758
165.90.126.124 - - [16/Jan/2018:10:54:25 +0000] "GET /core/js/login/authpicker.js?v=ad8161bf-0 HTTP/2.0" 200 274
165.90.126.124 - - [16/Jan/2018:10:54:26 +0000] "GET /core/img/background.jpg?v=0 HTTP/2.0" 302 -
165.90.126.124 - - [16/Jan/2018:10:54:26 +0000] "GET /core/img/actions/confirm-white.svg?v=2 HTTP/2.0" 200 405
165.90.126.124 - - [16/Jan/2018:10:54:26 +0000] "GET /index.php/apps/files/ HTTP/2.0" 200 5912
165.90.126.124 - - [16/Jan/2018:10:54:28 +0000] "GET /index.php/login/flow/redirect?stateToken=Mj1KtGayVkdRVUFN4kSv5mcL6KoIfdLyK88nPxrafCSiTy6EuY3xqurhaq2QrhgQ&clientIdentifier=MQvMykk8q2JuLDs8tuMx6gRpDmOiyS7AqZl0f8PJ8bimg33SQ6bAuLMMuoDkFeYz&oauthState=/repository/repository_callback.php%3Fcallback%3Dyes%26repo_id%3D19%26sesskey%3DkHGEq3wjlO HTTP/2.0" 200 2709
165.90.126.124 - - [16/Jan/2018:10:54:28 +0000] "GET /core/js/login/redirect.js?v=ad8161bf-0 HTTP/2.0" 200 102
165.90.126.124 - - [16/Jan/2018:10:54:28 +0000] "GET /core/img/background.jpg?v=0 HTTP/2.0" 302 -
165.90.126.124 - - [16/Jan/2018:10:54:29 +0000] "POST /index.php/login/flow HTTP/2.0" 303 -
165.90.126.124 - - [16/Jan/2018:10:54:29 +0000] "GET /index.php/apps/files/ HTTP/2.0" 401 43
165.90.126.124 - MQvMykk8q2JuLDs8tuMx6gRpDmOiyS7AqZl0f8PJ8bimg33SQ6bAuLMMuoDkFeYz [16/Jan/2018:10:54:30 +0000] "POST /index.php/apps/oauth2/api/v1/token HTTP/1.1" 200 296
165.90.126.124 - - [16/Jan/2018:10:54:31 +0000] "PROPFIND /index.php/remote.php/webdav/ HTTP/1.1" 405 -
165.90.126.124 - - [16/Jan/2018:10:54:35 +0000] "PROPFIND /index.php/remote.php/webdav/ HTTP/1.1" 405 -

[ArtificialOwl]

nevermind, wrong endpoint for the webdav

[rullzer]

@pierreozoux maybe you can test this as well?

[codecov]

Codecov Report

Merging #7873 into master will decrease coverage by <.01%.
The diff coverage is 60%.

@@             Coverage Diff             @@
##             master   #7873      +/-   ##
===========================================
- Coverage      51.7%   51.7%   -0.01%     
- Complexity    25426   25427       +1     
===========================================
  Files          1598    1598              
  Lines         95236   95239       +3     
  Branches       1376    1376              
===========================================
+ Hits          49243   49244       +1     
- Misses        45993   45995       +2

Impacted Files	Coverage Δ	Complexity Δ
...amework/Middleware/Security/SecurityMiddleware.php	78.04% <60%> (-1.7%)	26 <0> (+1)
apps/files_trashbin/lib/Trashbin.php	72.46% <0%> (-0.25%)	136% <0%> (ø)
apps/files_trashbin/lib/Expiration.php	91.93% <0%> (+1.61%)	29% <0%> (ø)	⬇️

[pierreozoux]

I confirm it works! Thanks for the proper fix :)
(sorry, I'm a bit new to this code, so it is difficult for me, I thought that it was not that much of a big deal to allow people on this route :) )

[rullzer]

@pierreozoux thanks for testing! And also thanks for your first PR, getting to know the code indeed takes time. Looking forward to the next one 😄 !

[Dagefoerde]

Hi @rullzer, I tested your fix and it seems to work ok on Nextcloud 12.0.5 (+applied patch) in combination with the Moodle plugin. Thanks a lot for fixing this issue!! 👍

Some general remarks:

• Why limit this to requests to OCSController? If requests are authenticated via a Bearer token then we can rule out CSRF issues. I feel that this should be extended towards all endpoints, not just OCS ones.
• Is the documentation on the OCS API outdated? NC 12 docs and NC 13 docs say that the response format defaults to XML, but without the format=xml parameter the returned result was JSON. Of course this will lead to problems with our users as we assumed that the specification was correct and therefore relied on XML. Or am I experiencing a configuration issue? (unlikely as this was a fresh install of Nextcloud).
• https://github.com/nextcloud/server/pull/7873/files#diff-0bb5cca5abd6cda96b669c31856a3f59R174 says that "we allow Bearer authenticated requests to fail on OCS routes", but it's the check that we allow to fail (but we let the request succeed regardless).

[rullzer]

@Dagefoerde thanks for testing!

Why limit this to requests to OCSController? If requests are authenticated via a Bearer token then we can rule out CSRF issues. I feel that this should be extended towards all endpoints, not just OCS ones.

Because basically the OCS endpoints and the webdav endpoints are the 'official' endpoints we use. If you need more we can look into it. But I'd like to keep the rest of the system as locked down as possible ;)

Is the documentation on the OCS API outdated? NC 12 docs and NC 13 docs say that the response format defaults to XML, but without the format=xml parameter the returned result was JSON. Of course this will lead to problems with our users as we assumed that the specification was correct and therefore relied on XML. Or am I experiencing a configuration issue? (unlikely as this was a fresh install of Nextcloud).

Mmmm maybe you set Accept headers?
Can you show me the call you made?

https://github.com/nextcloud/server/pull/7873/files#diff-0bb5cca5abd6cda96b669c31856a3f59R174 says that "we allow Bearer authenticated requests to fail on OCS routes", but it's the check that we allow to fail (but we let the request succeed regardless).

My bad. Fixed!

[Dagefoerde]

If you need more we can look into it.

Not yet, but thank you. This was just intended as a general remark because I was wondering what would be the "right" extent of this patch.

Mmmm maybe you set Accept headers?
Can you show me the call you made?

Fair enough. Moodle's API sets an accept header (see below). Does Nextcloud use the value of this header? Thanks for the hint, I should be able to change that.

‌array (
  0 => 'Content-type: multipart/form-data',
  1 => 'Authorization: Bearer <>',
  2 => 'Accept: application/json',
)

[rullzer]

Yes we use the accept header :) I shall fire of an issue to the doc repo to clarify this

[rullzer]

nextcloud/documentation#659

[nickvergessen]

Fine by me 👍

[MorrisJobke]

@rullzer Backport to stable13?