I'm trying to check if a given username/password pair is valid in nextcloud, from a server-side program.
I simply need a true/false query of if the given username or email/password pair is valid from nextcloud - no tokens etc. necessary. This will be running server-side, so I have access to occ, PHP, etc. and don't need to worry about transferring over the network.
I'd rather not try to query the database myself, but is there some function I can call into that can verify the given credentials without needing to go via the login page? For now, I am making a dummy DAV request and using the returned code here, but this is probably too slow.
Honestly, I am unsure what the use-case is. Why would you want to do this? The installed mechanisms are in fact already there and tested by means of security.
My first fear was that someone builds a trojan, somehow smuggles this into a NC server and brute-forces the passwords.
Once you have admin permissions on the server, it's a bit late and there are more efficient ways than brute-forcing the passwords.
If you don't want to rely on passwords alone, 2FA will help.
You are not alone. Like this it sounds a bit like something that should be achieved by other ways.
As I realised after posting this, the occ command for resetting a password implemented all that is needed. And as mentioned, the PHP API turned out to be a lot easier to use than I was expecting.
The use-case is we have a lightweight application on the same server and want people to be able to use the same set of credentials. This application provides for an authentication helper, so I simply plugged this in to call the occ command in the PR.
I am also going on the vein of 'admin permissions' - possibly this approach has some holes - but if the container is compromised, then there's not much to be done, and I have bigger issues to sort!
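The helper itself is not shown in the thread. As an added example (not the OP's code and not part of the Nextcloud project), this is how a server-side script can bootstrap Nextcloud's PHP runtime the same way occ does and verify a login/password pair through the public `OCP\IUserManager` interface. Assumptions made here: Nextcloud is installed at `/var/www/nextcloud`, the script runs as the web server user so it can read `config/config.php`, the Nextcloud version is recent enough that the server container exposes `get()`, and an email address that matches more than one account is treated as invalid rather than guessed at.

```php
<?php
// Added example: server-side credential check against Nextcloud's user
// backends (database, LDAP, ...) via the public IUserManager interface.
// Not the OP's helper and not Nextcloud project code.
declare(strict_types=1);

use OCP\IUserManager;

// occ (console.php) does the same: pull in lib/base.php, which sets up
// \OC::$server and loads config.php. Install path is an assumption.
require_once '/var/www/nextcloud/lib/base.php';

/**
 * Returns true iff $login (a user id or an email address) and $password
 * identify an enabled Nextcloud account, false otherwise.
 */
function nextcloudCredentialsValid(string $login, string $password): bool
{
    /** @var IUserManager $userManager */
    $userManager = \OC::$server->get(IUserManager::class);

    // checkPassword() expects a login name; the web login flow resolves
    // email addresses to user ids itself, so do the same here. Assumption:
    // an email that matches several accounts is rejected as ambiguous.
    $candidates = [$login];
    if (strpos($login, '@') !== false) {
        $byEmail = $userManager->getByEmail($login);
        if (count($byEmail) === 1) {
            $candidates[] = $byEmail[0]->getUID();
        }
    }

    foreach ($candidates as $uid) {
        // checkPassword() returns the IUser on success and false otherwise.
        // A disabled account still authenticates at this layer, so the
        // enabled flag is checked explicitly, as the login flow does.
        $user = $userManager->checkPassword($uid, $password);
        if ($user !== false && $user->isEnabled()) {
            return true;
        }
    }
    return false;
}

// CLI usage: php check.php <login>   (password read from stdin, not argv,
// so it does not show up in the process list)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $password = rtrim((string) fgets(STDIN), "\r\n");
    exit(nextcloudCredentialsValid($argv[1], $password) ? 0 : 1);
}
```

Two caveats a practitioner would want before wiring this into another application's auth helper: this path does not pass through Nextcloud's login controller, so the brute-force throttling (`OCP\Security\Bruteforce\IThrottler`) and any two-factor requirement that apply to the web login and to DAV basic auth are not applied here, and the calling application has to rate-limit failed attempts itself; and each call bootstraps the whole Nextcloud runtime, so it is meant for an occasional server-side check rather than a hot path.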
No, you are in fact trying to use NC as an Auth provider.
This is perfectly fine. Have a look at OAuth2! That is the way to go as it is standardized and you could extend with other authentication sources as well. There should be libraries for almost all programming languages available, I guess.
I think I saw an app that allows external services to authenticate. If not, that would be a valid app, but I did not find it in a quick glance.
That's the aim here. The app receives credentials from the user. I will assume that this app is sufficiently secure - i.e. it has secured the credentials from the client to the point they pop out on the server. It then can slot into different authentication providers rather than use its own database. So I wrote a small helper program that will check against NC and return true if the user is registered. That's all that is needed in this case; we don't need to link the accounts more deeply than that.
LDAP, OAuth etc. would be overkill for this situation, although I agree in larger scenarios this would probably be more sensible or standardised. It's also happening server-side; I don't need these callback flows or to assume the app I'm installing is not trusted to handle the credentials, as is the case with some third-party sites that authenticate with e.g. google or facebook. Also the design of OAuth is the web-based flow, and this won't work with this application. Users wouldn't be able to open a browser and follow through getting a token - rather, the username and password pair will be included in requests, so I simply want to verify those against the same store in nextcloud rather than maintain a separate one, a little bit like how DAV integration is performed, except that's within nextcloud's source and this is coming from a different application container.
Anyway, this works for now, thanks for the suggestions! I have no idea if the PR will prove useful, but it's there in case someone can benefit from it. There may be more standard use cases where an administrator with access to the server CLI would want to do this, I'm not sure.