Check Credentials Programmatically Server-Side

Hi,

I’m trying to check if a given username/password pair is valid in nextcloud, from a server-side program.

I simply need a true/false query of whether the given username or email/password pair is valid in Nextcloud - no tokens etc. necessary. This will be running server-side, so I have access to occ, PHP, etc. and don't need to worry about transferring over the network.

I'd rather not try to query the database myself, but is there some function I can call into that can verify the given credentials without needing to go via the login page? For now, I am making a dummy DAV request and using the returned code here, but this is probably too slow.

Thanks

Honestly, I am unsure what the use-case is. Why would you want to do this? The installed mechanisms are in fact already there and tested by means of security.

My first fear was that someone builds a trojan, somehow smuggles this into a NC server and brute-forces the passwords.

https://docs.nextcloud.com/server/stable/developer_manual/client_apis/OCS/ocs-api-overview.html

Once you have admin permissions on the server, it's a bit late and there are more efficient ways than brute-forcing the passwords.
If you don’t want to rely on passwords alone, 2FA will help.

You are not alone. Like this it sounds a bit like something that should be achieved by other ways.


You can check the nextcloud API over here: https://nextcloud-server.netlify.app/

This might be what you’re looking for: Nextcloud PHP API (master)

Whether what you’re trying to do is a good idea, you’ll have to decide for yourself.

I ended up implementing a pull request:

As I realised after posting this that the occ command for resetting a password implemented all that is needed. And as mentioned, the PHP API turned out to be a lot easier to use than I was expecting.

The use-case is we have a lightweight application on the same server and want people to be able to use the same set of credentials. This application provides for an authentication helper, so I simply plugged this in to call the occ command in the PR.

I am also going on the vein of “admin permissions” - possibly this approach has some holes - but if the container is compromised, then there’s not much to be done, and I have bigger issues to sort!
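What the occ-based check described above boils down to, as an added example that is not the poster's PR nor Nextcloud's own code: a small CLI script that bootstraps the server the same way occ does (by requiring lib/base.php) and asks the user manager to verify a login name or e-mail address against a password. The install path /var/www/nextcloud and the script name are assumptions; the script has to run as the web server user so it can read config.php, and it assumes a reasonably recent server where `\OC::$server->get()` is available.

```php
<?php
// Added example, not the poster's PR or Nextcloud's own code.
// Assumes Nextcloud is installed at /var/www/nextcloud (hypothetical path)
// and that the script runs as the web server user, e.g.
//   printf '%s' "$PASSWORD" | sudo -u www-data php check_credentials.php alice
// The password is read from stdin so it never appears in the process list
// or in shell history.

declare(strict_types=1);

require_once '/var/www/nextcloud/lib/base.php';

use OCP\IUserManager;

/**
 * Return true when $login (a user ID or e-mail address) and $password form a
 * valid Nextcloud credential pair for an enabled account, false otherwise.
 */
function checkNextcloudCredentials(string $login, string $password): bool
{
    /** @var IUserManager $userManager */
    $userManager = \OC::$server->get(IUserManager::class);

    // The same call the login page ends up making: every configured user
    // backend (database, LDAP, ...) is asked in turn. Returns an IUser on
    // success and false on failure.
    $user = $userManager->checkPassword($login, $password);

    // Mirror the login page's e-mail fallback: only accept the address when
    // exactly one account carries it, otherwise the lookup is ambiguous.
    if ($user === false && strpos($login, '@') !== false) {
        $matches = $userManager->getByEmail($login);
        if (count($matches) === 1) {
            $user = $userManager->checkPassword($matches[0]->getUID(), $password);
        }
    }

    // A correct password for a disabled account is still not a valid login.
    return $user !== false && $user->isEnabled();
}

if (PHP_SAPI !== 'cli') {
    fwrite(STDERR, "run from the command line only\n");
    exit(2);
}
if ($argc !== 2) {
    fwrite(STDERR, "usage: php check_credentials.php <username-or-email> < password\n");
    exit(2);
}

$login = $argv[1];
$password = rtrim((string) fgets(STDIN), "\r\n");

// Report the result through the exit status (0 = valid, 1 = invalid) so an
// authentication helper can use it without parsing any output.
exit(checkNextcloudCredentials($login, $password) ? 0 : 1);
```

Two caveats a practitioner would want: this path bypasses the brute-force throttling that the HTTP login flow applies, so the calling application must rate-limit failed attempts itself; and because the script bootstraps the whole server (a few hundred milliseconds per call), it is cheap compared with a DAV round trip but still not something to run per request without caching the verdict briefly.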

No, you are in fact trying to use NC as an auth provider.

This is perfectly fine. Have a look at OAuth2! That is the way to go, as it is standardized and you could extend it with other authentication sources as well. There should be libraries for almost all programming languages available, I guess.
I think I saw an app that allows external services to authenticate. If not, that would be a valid app, but I did not find it in a quick glance.

That’s the aim here. The app receives credentials from the user. I will assume that this app is sufficiently secure - i.e. it has secured the credentials from the client to the point they pop out on the server. It then can slot into different authentication providers rather than use its own database. So I wrote a small helper program that will check against NC and return true if the user is registered. That’s all that is needed in this case, we don’t need to link the accounts more deeply than that.

LDAP, OAuth etc. would be overkill for this situation, although agree in larger scenarios this would probably be more sensible or standardised. It’s also happening server-side; I don’t need these callback flows or to assume the app I’m installing is not trusted to handle the credentials, as is the case with some third-party sites that authenticate with e.g. google or facebook. Also the design of OAuth is the web-based flow, and this won’t work with this application. Users wouldn’t be able to open a browser and follow through getting a token - rather, the username and password pair will be included in requests so I simply want to verify those against the same store in nextcloud rather than maintain a separate one, a little bit like how DAV integration is performed, except that’s within nextcloud’s source and this is coming from a different application container.

Anyway, this works for now, thanks for the suggestions! I have no idea if the PR will prove useful, but it's there in case someone can benefit from it. There may be more standard use cases where an administrator with access to the server CLI would want to do this, I'm not sure.