How to override Basic Auth mechanism on Public Page or Public API call

Hi Everyone,

I am working on an app to feed contacts data to devices like SIP phones, so far everything is working pretty well.

But I am now trying to add a layer of security using basic auth. Yes, I know basic auth is very insecure, but I have no choice in this, as most SIP devices only support basic auth.

I want to use a custom authentication list/table for these requests instead of the user’s credentials, as using the user’s credentials would stop the feed from functioning every time the user changed their password.

The problem I have come across is that if I send a request to NC with a basic auth header, NC ends up processing the login, and does not fire my method unless I enter the NC user’s credentials.

So what are my options to get around this?

A. Is there a way to disable the NC authentication process on certain paths?
B. Is there a way to create something like application credentials?
C. Is there any other solution?

Sebastian
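
The per-device credential table asked about above, as an added example that is not part of the original thread and not Nextcloud code: plain PHP that checks a Basic Auth header against hashed per-device secrets, so a user password change does not break the feed. The device ID, the secret, and the function names are constructed for illustration, and the sketch assumes the header actually reaches app code, which is the open problem in this thread.

```php
<?php
declare(strict_types=1);

// Constructed sample table: device ID => password_hash() of a per-device secret.
// Assumption: a real app would keep this in a table it owns, separate from user accounts.
function sampleDeviceTable(): array {
    return [
        'phone-lobby' => password_hash('constructed-secret-1', PASSWORD_DEFAULT),
    ];
}

// Split an "Authorization: Basic ..." header value into [id, secret]; null if malformed.
function parseBasicAuth(?string $header): ?array {
    if ($header === null
        || !preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict mode rejects invalid base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // The secret may itself contain ':', so split on the first one only.
    return explode(':', $decoded, 2);
}

// True only when the header names a known device and carries its secret.
function verifyDevice(?string $header, array $table): bool {
    static $dummy = null;
    $dummy ??= password_hash('unused-dummy-value', PASSWORD_DEFAULT);

    $creds = parseBasicAuth($header);
    if ($creds === null) {
        return false;
    }
    [$id, $secret] = $creds;
    // Always run password_verify, even for unknown IDs, so response time
    // does not reveal which device IDs exist in the table.
    $known = isset($table[$id]);
    $ok = password_verify($secret, $known ? $table[$id] : $dummy);
    return $known && $ok;
}

// Constructed requests: a valid device, a wrong secret, and an unknown device ID.
$table = sampleDeviceTable();
var_dump(verifyDevice('Basic ' . base64_encode('phone-lobby:constructed-secret-1'), $table));
var_dump(verifyDevice('Basic ' . base64_encode('phone-lobby:wrong'), $table));
var_dump(verifyDevice('Basic ' . base64_encode('unknown-device:x'), $table));
```

Because Basic Auth sends the secret on every request, each device should get its own secret so that one can be revoked without touching the others.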

Hello,

I have read your other related post but had no direct clear answer for you. I wanted to verify a few things in the server core.

To get you on the same page, I give you a few guesses by me. These are not checked and not verified. So take them with caution.

  1. The security middleware might be responsible for analyzing the credentials.
  2. You might need to define the page as public
  3. It might be a good idea to define your custom middleware to check the credentials
  4. GitHub, code search or step debugging might be an option to get to the point where the core analyses the credentials.
  5. There are other options, you could have a look at: guest app

Here on the mobile phone, it is hard to inspect code due to the small display. Maybe I can look later into it once I am in front of a full monitor.

Christian

Hey @christianlupus ,

So, I’ve already tried most of these, unfortunately.

  1. Not sure if it’s security middleware, but this is definitely something in NC. When I use a Basic Auth that does NOT match an NC user, the request gets terminated even before the application.php and routes.php get processed. I have confirmed this with xdebug, unfortunately I have not stepped through the entire load process yet.
  2. The method is defined as public.
  3. I have tried creating a middleware class, unfortunately, this also does not get triggered, when I use a Basic Auth that does NOT match an NC user.
  4. I have looked at the code for most of the relevant apps for NC but it seems no one has tried this before. Yay me. Lol
  5. I had a look at the guest app, yes it uses a custom user backend, BUT, the authentication is still handled through the standard WebUI, and basic auth seems to be handled at an even lower level since it does not even trigger the application.php or the routes.php which are pretty much the bottom of the stack.

Maybe you can shoot the dev guys a message and see what they think?

Sebastian

OK, I will relay your question, no problem.

Having looked at the guests backend code, you might also be able to create a backend for fake users just for handling the SIP requests. That is not nice IMHO but might work. Let’s see what the others might bring for an idea…

Morning!

Thank you, that would be fantastic. I did read through the load process this morning, looks like the auth headers are getting picked off in the main init routine in the server base.php.

And then the login check is performed in the same class,

And I agree, having to create a back end just for this would be a pain.

Sebastian