ask password confirmation for sensitive admin settings

Signed-off-by: Julien Veyssier <[email protected]>
nextcloud · Oct 16, 2024 · 1d51680 · 1d51680
1 parent 601dc3d
commit 1d51680
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 8 deletions.
diff --git a/appinfo/routes.php b/appinfo/routes.php
@@ -9,6 +9,7 @@
 		['name' => 'config#oauthRedirect', 'url' => '/oauth-redirect', 'verb' => 'GET'],
 		['name' => 'config#setConfig', 'url' => '/config', 'verb' => 'PUT'],
 		['name' => 'config#setAdminConfig', 'url' => '/admin-config', 'verb' => 'PUT'],
+		['name' => 'config#setSensitiveAdminConfig', 'url' => '/sensitive-admin-config', 'verb' => 'PUT'],
 		['name' => 'config#popupSuccessPage', 'url' => '/popup-success', 'verb' => 'GET'],
 
 		['name' => 'githubAPI#getNotifications', 'url' => '/notifications', 'verb' => 'GET'],

diff --git a/lib/Controller/ConfigController.php b/lib/Controller/ConfigController.php
@@ -11,8 +11,10 @@
 use OCA\Github\Service\GithubAPIService;
 use OCA\Github\Service\SecretService;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
@@ -100,14 +102,32 @@ public function setConfig(array $values): DataResponse {
 	 * @return DataResponse
 	 */
 	public function setAdminConfig(array $values): DataResponse {
+		foreach ($values as $key => $value) {
+			if (in_array($key, ['client_id', 'client_secret', 'default_link_token'], true)) {
+				return new DataResponse([], Http::STATUS_BAD_REQUEST);
+			} else {
+				$this->config->setAppValue(Application::APP_ID, $key, $value);
+			}
+		}
+		return new DataResponse([]);
+	}
+
+	/**
+	 * Set admin config values
+	 *
+	 * @param array $values key/value pairs to store in app config
+	 * @return DataResponse
+	 */
+	#[PasswordConfirmationRequired]
+	public function setSensitiveAdminConfig(array $values): DataResponse {
 		foreach ($values as $key => $value) {
 			if (in_array($key, ['client_id', 'client_secret', 'default_link_token'], true)) {
 				$this->secretService->setEncryptedAppValue($key, $value);
 			} else {
 				$this->config->setAppValue(Application::APP_ID, $key, $value);
 			}
 		}
-		return new DataResponse(1);
+		return new DataResponse([]);
 	}
 
 	/**

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -6,7 +6,7 @@
 	"directories": {
 		"test": "tests"
 	},
-  "type": "module",
+	"type": "module",
 	"scripts": {
 		"build": "NODE_ENV=production vite --mode production build",
 		"dev": "NODE_ENV=development vite --mode development build",
@@ -44,6 +44,7 @@
 		"@nextcloud/initial-state": "^2.1.0",
 		"@nextcloud/l10n": "^3.1.0",
 		"@nextcloud/moment": "^1.3.1",
+		"@nextcloud/password-confirmation": "^5.1.1",
 		"@nextcloud/router": "^3.0.0",
 		"@nextcloud/vue": "^8.8.1",
 		"highlight.js": "^11.9.0",

diff --git a/src/components/AdminSettings.vue b/src/components/AdminSettings.vue
@@ -111,13 +111,15 @@ import KeyIcon from 'vue-material-design-icons/Key.vue'
 
 import GithubIcon from './icons/GithubIcon.vue'
 
+import NcCheckboxRadioSwitch from '@nextcloud/vue/dist/Components/NcCheckboxRadioSwitch.js'
+
 import { loadState } from '@nextcloud/initial-state'
 import { generateUrl } from '@nextcloud/router'
 import axios from '@nextcloud/axios'
-import { delay } from '../utils.js'
 import { showSuccess, showError } from '@nextcloud/dialogs'
+import { confirmPassword } from '@nextcloud/password-confirmation'
 
-import NcCheckboxRadioSwitch from '@nextcloud/vue/dist/Components/NcCheckboxRadioSwitch.js'
+import { delay } from '../utils.js'
 
 export default {
 	name: 'AdminSettings',
@@ -150,22 +152,27 @@ export default {
 	methods: {
 		onCheckboxChanged(newValue, key) {
 			this.state[key] = newValue
-			this.saveOptions({ [key]: this.state[key] ? '1' : '0' })
+			this.saveOptions({ [key]: this.state[key] ? '1' : '0' }, false)
 		},
 		onInput() {
 			delay(() => {
 				this.saveOptions({
 					client_id: this.state.client_id,
 					client_secret: this.state.client_secret,
 					default_link_token: this.state.default_link_token,
-				})
+				}, true)
 			}, 2000)()
 		},
-		saveOptions(values) {
+		async saveOptions(values, sensitive = true) {
+			if (sensitive) {
+				await confirmPassword()
+			}
 			const req = {
 				values,
 			}
-			const url = generateUrl('/apps/integration_github/admin-config')
+			const url = sensitive
+				? generateUrl('/apps/integration_github/sensitive-admin-config')
+				: generateUrl('/apps/integration_github/admin-config')
 			axios.put(url, req)
 				.then((response) => {
 					showSuccess(t('integration_github', 'GitHub admin options saved'))

diff --git a/vite.config.ts b/vite.config.ts
@@ -20,6 +20,11 @@ export default createAppConfig({
 			modules: {
 				localsConvention: 'camelCase',
 			},
+			preprocessorOptions: {
+				scss: {
+					api: 'modern-compiler',
+				},
+			},
 		},
 		plugins: [eslint(), stylelint()],
 	},