Merge pull request #4266 from nextcloud/chore/session-middleware

Author: juliusknorr

composer/composer/autoload_classmap.php

@@ -9,6 +9,7 @@
     'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
     'OCA\\Text\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
     'OCA\\Text\\Command\\ResetDocument' => $baseDir . '/../lib/Command/ResetDocument.php',
+    'OCA\\Text\\Controller\\ASessionAwareController' => $baseDir . '/../lib/Controller/ASessionAwareController.php',
     'OCA\\Text\\Controller\\AttachmentController' => $baseDir . '/../lib/Controller/AttachmentController.php',
     'OCA\\Text\\Controller\\NavigationController' => $baseDir . '/../lib/Controller/NavigationController.php',
     'OCA\\Text\\Controller\\PublicSessionController' => $baseDir . '/../lib/Controller/PublicSessionController.php',
@@ -29,6 +30,7 @@
     'OCA\\Text\\Event\\LoadEditor' => $baseDir . '/../lib/Event/LoadEditor.php',
     'OCA\\Text\\Exception\\DocumentHasUnsavedChangesException' => $baseDir . '/../lib/Exception/DocumentHasUnsavedChangesException.php',
     'OCA\\Text\\Exception\\DocumentSaveConflictException' => $baseDir . '/../lib/Exception/DocumentSaveConflictException.php',
+    'OCA\\Text\\Exception\\InvalidSessionException' => $baseDir . '/../lib/Exception/InvalidSessionException.php',
     'OCA\\Text\\Exception\\UploadException' => $baseDir . '/../lib/Exception/UploadException.php',
     'OCA\\Text\\Exception\\VersionMismatchException' => $baseDir . '/../lib/Exception/VersionMismatchException.php',
     'OCA\\Text\\Listeners\\BeforeNodeDeletedListener' => $baseDir . '/../lib/Listeners/BeforeNodeDeletedListener.php',
@@ -39,6 +41,8 @@
     'OCA\\Text\\Listeners\\LoadViewerListener' => $baseDir . '/../lib/Listeners/LoadViewerListener.php',
     'OCA\\Text\\Listeners\\NodeCopiedListener' => $baseDir . '/../lib/Listeners/NodeCopiedListener.php',
     'OCA\\Text\\Listeners\\RegisterDirectEditorEventListener' => $baseDir . '/../lib/Listeners/RegisterDirectEditorEventListener.php',
+    'OCA\\Text\\Middleware\\Attribute\\RequireDocumentSession' => $baseDir . '/../lib/Middleware/Attribute/RequireDocumentSession.php',
+    'OCA\\Text\\Middleware\\SessionMiddleware' => $baseDir . '/../lib/Middleware/SessionMiddleware.php',
     'OCA\\Text\\Migration\\ResetSessionsBeforeYjs' => $baseDir . '/../lib/Migration/ResetSessionsBeforeYjs.php',
     'OCA\\Text\\Migration\\Version010000Date20190617184535' => $baseDir . '/../lib/Migration/Version010000Date20190617184535.php',
     'OCA\\Text\\Migration\\Version030001Date20200402075029' => $baseDir . '/../lib/Migration/Version030001Date20200402075029.php',

composer/composer/autoload_static.php

@@ -24,6 +24,7 @@ class ComposerStaticInitText
         'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
         'OCA\\Text\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
         'OCA\\Text\\Command\\ResetDocument' => __DIR__ . '/..' . '/../lib/Command/ResetDocument.php',
+        'OCA\\Text\\Controller\\ASessionAwareController' => __DIR__ . '/..' . '/../lib/Controller/ASessionAwareController.php',
         'OCA\\Text\\Controller\\AttachmentController' => __DIR__ . '/..' . '/../lib/Controller/AttachmentController.php',
         'OCA\\Text\\Controller\\NavigationController' => __DIR__ . '/..' . '/../lib/Controller/NavigationController.php',
         'OCA\\Text\\Controller\\PublicSessionController' => __DIR__ . '/..' . '/../lib/Controller/PublicSessionController.php',
@@ -44,6 +45,7 @@ class ComposerStaticInitText
         'OCA\\Text\\Event\\LoadEditor' => __DIR__ . '/..' . '/../lib/Event/LoadEditor.php',
         'OCA\\Text\\Exception\\DocumentHasUnsavedChangesException' => __DIR__ . '/..' . '/../lib/Exception/DocumentHasUnsavedChangesException.php',
         'OCA\\Text\\Exception\\DocumentSaveConflictException' => __DIR__ . '/..' . '/../lib/Exception/DocumentSaveConflictException.php',
+        'OCA\\Text\\Exception\\InvalidSessionException' => __DIR__ . '/..' . '/../lib/Exception/InvalidSessionException.php',
         'OCA\\Text\\Exception\\UploadException' => __DIR__ . '/..' . '/../lib/Exception/UploadException.php',
         'OCA\\Text\\Exception\\VersionMismatchException' => __DIR__ . '/..' . '/../lib/Exception/VersionMismatchException.php',
         'OCA\\Text\\Listeners\\BeforeNodeDeletedListener' => __DIR__ . '/..' . '/../lib/Listeners/BeforeNodeDeletedListener.php',
@@ -54,6 +56,8 @@ class ComposerStaticInitText
         'OCA\\Text\\Listeners\\LoadViewerListener' => __DIR__ . '/..' . '/../lib/Listeners/LoadViewerListener.php',
         'OCA\\Text\\Listeners\\NodeCopiedListener' => __DIR__ . '/..' . '/../lib/Listeners/NodeCopiedListener.php',
         'OCA\\Text\\Listeners\\RegisterDirectEditorEventListener' => __DIR__ . '/..' . '/../lib/Listeners/RegisterDirectEditorEventListener.php',
+        'OCA\\Text\\Middleware\\Attribute\\RequireDocumentSession' => __DIR__ . '/..' . '/../lib/Middleware/Attribute/RequireDocumentSession.php',
+        'OCA\\Text\\Middleware\\SessionMiddleware' => __DIR__ . '/..' . '/../lib/Middleware/SessionMiddleware.php',
         'OCA\\Text\\Migration\\ResetSessionsBeforeYjs' => __DIR__ . '/..' . '/../lib/Migration/ResetSessionsBeforeYjs.php',
         'OCA\\Text\\Migration\\Version010000Date20190617184535' => __DIR__ . '/..' . '/../lib/Migration/Version010000Date20190617184535.php',
         'OCA\\Text\\Migration\\Version030001Date20200402075029' => __DIR__ . '/..' . '/../lib/Migration/Version030001Date20200402075029.php',

cypress/e2e/SessionApi.spec.js cypress/e2e/api/SessionApi.spec.jscypress/e2e/SessionApi.spec.js renamed to cypress/e2e/api/SessionApi.spec.js

@@ -20,7 +20,7 @@
  *
  */
 
-import { randUser } from '../utils/index.js'
+import { randUser } from '../../utils/index.js'
 
 const user = randUser()
 const messages = {

cypress/e2e/api/UsersApi.spec.js

@@ -0,0 +1,112 @@
+/*
+ * @copyright Copyright (c) 2022 Max <[email protected]>
+ * @copyright Copyright (c) 2023 Julius Härtl <[email protected]>
+ *
+ * @author Max <[email protected]>
+ * @author Julius Härtl <[email protected]>
+ *
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+import { randUser } from '../../utils/index.js'
+
+const user = randUser()
+
+describe('The user mention API', function() {
+
+	before(function() {
+		cy.createUser(user)
+		window.OC = {
+			config: { modRewriteWorking: false },
+			webroot: '',
+		}
+	})
+
+	let fileId
+	let requesttoken
+
+	beforeEach(function() {
+		cy.login(user)
+		cy.prepareSessionApi().then((token) => {
+			requesttoken = token
+			cy.uploadTestFile('test.md')
+				.then(id => {
+					fileId = id
+				})
+		})
+	})
+
+	it('fetches users with valid session', function() {
+		cy.createTextSession(fileId).then(connection => {
+			cy.wrap(connection)
+				.its('document.id')
+				.should('equal', fileId)
+			const requestData = {
+				method: 'POST',
+				url: '/apps/text/api/v1/users',
+				body: {
+					documentId: connection.document.id,
+					sessionId: connection.session.id,
+					sessionToken: connection.session.token,
+					requesttoken,
+				},
+				failOnStatusCode: false,
+			}
+
+			cy.request(requestData).then(({ status }) => {
+				expect(status).to.eq(200)
+			})
+
+			const invalidRequestData = { ...requestData }
+			cy.wrap(() => {
+				invalidRequestData.body = {
+					...requestData.body,
+					sessionToken: 'invalid',
+				}
+			})
+			cy.request(invalidRequestData).then(({ status }) => {
+				expect(status).to.eq(403)
+			})
+
+			cy.wrap(() => {
+				invalidRequestData.body = {
+					...requestData.body,
+					sessionId: 0,
+				}
+			})
+			cy.request(invalidRequestData).then(({ status }) => {
+				expect(status).to.eq(403)
+			})
+
+			cy.wrap(() => {
+				invalidRequestData.body = {
+					...requestData.body,
+					documentId: 0,
+				}
+			})
+			cy.request(invalidRequestData).then(({ status }) => {
+				expect(status).to.eq(403)
+			})
+
+			cy.wrap(connection.close())
+
+			cy.request(requestData).then(({ status, body }) => {
+				expect(status).to.eq(403)
+			})
+		})
+	})
+})

cypress/support/sessions.js

@@ -23,9 +23,12 @@
 import SessionApi from '../../src/services/SessionApi.js'
 import { emit } from '@nextcloud/event-bus'
 
-Cypress.Commands.add('prepareSessionApi', (fileId) => {
+Cypress.Commands.add('prepareSessionApi', () => {
 	return cy.request('/csrftoken')
-		.then(({ body }) => emit('csrf-token-update', body))
+		.then(({ body }) => {
+			emit('csrf-token-update', body)
+			return body.token
+		})
 })
 
 Cypress.Commands.add('createTextSession', (fileId, options = {}) => {