Allow anonymous access to photos from public albums

Signed-off-by: Dariusz Olszewski <[email protected]>
nextcloud · artonge · Feb 8, 2023 · Jan 22, 2023 · Jan 22, 2023 · Jan 22, 2023
commit 502809c10402c6863d012d7a9ee390cee76212c4
diff --git a/lib/Sabre/PublicAlbumAuthBackend.php b/lib/Sabre/PublicAlbumAuthBackend.php
@@ -24,43 +24,59 @@
 use OC\Security\Bruteforce\Throttler;
 use OCA\Photos\Album\AlbumMapper;
 use OCP\IRequest;
-use Sabre\DAV\Auth\Backend\AbstractBasic;
+use Sabre\DAV\Auth\Backend\BackendInterface;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
 
-class PublicAlbumAuthBackend extends AbstractBasic {
-	private const BRUTEFORCE_ACTION = 'publicphotos_webdav_auth';
-	private IRequest $request;
-	private AlbumMapper $albumMapper;
-	private Throttler $throttler;
+class PublicAlbumAuthBackend implements BackendInterface {
 
-	public function __construct(
-		IRequest $request,
-		AlbumMapper $albumMapper,
-		Throttler $throttler
-	) {
-		$this->request = $request;
-		$this->albumMapper = $albumMapper;
-		$this->throttler = $throttler;
+	public function __construct() {
 	}
 
 	/**
-	 * Validates the token.
+	 * When this method is called, the backend must check if authentication was
+	 * successful.
 	 *
-	 * @param string $username
-	 * @return bool
-	 * @throws \Sabre\DAV\Exception\NotAuthenticated
+	 * The returned value must be one of the following
+	 *
+	 * [true, "principals/username"]
+	 * [false, "reason for failure"]
+	 *
+	 * If authentication was successful, it's expected that the authentication
+	 * backend returns a so-called principal url.
+	 *
+	 * Examples of a principal url:
+	 *
+	 * principals/admin
+	 * principals/user1
+	 * principals/users/joe
+	 * principals/uid/123457
+	 *
+	 * If you don't use WebDAV ACL (RFC3744) we recommend that you simply
+	 * return a string such as:
+	 *
+	 * principals/users/[username]
+	 *
+	 * @return array
 	 */
-	protected function validateUserPass($username, $password) {
-		$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
-
-		$albums = $this->albumMapper->getSharedAlbumsForCollaboratorWithFiles($username, AlbumMapper::TYPE_LINK);
-
-		if (count($albums) !== 1) {
-			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
-			return false;
-		}
-
-		\OC_User::setIncognitoMode(true);
+	public function check(RequestInterface $request, ResponseInterface $response) {
+		\OC_User::setIncognitoMode(true); // ???
+		return [true, "principals/token"];
+	}
 
-		return true;
+	/**
+	 * This method is called when a user could not be authenticated, and
+	 * authentication was required for the current request.
+	 *
+	 * This gives you the opportunity to set authentication headers. The 401
+	 * status code will already be set.
+	 *
+	 * Keep in mind that in the case of multiple authentication backends, other
+	 * WWW-Authenticate headers may already have been set, and you'll want to
+	 * append your own WWW-Authenticate header instead of overwriting the
+	 * existing one.
+	 */
+	public function challenge(RequestInterface $request, ResponseInterface $response) {
+		// This is intended to be public - there is no need to set WWW-Authenticate header
 	}
 }