Confirm mails only per POST

- this is to avoid automatic confirmation by certain softwares that open links Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
nextcloud · Aug 30, 2021 · 38a7645 · 38a7645
1 parent 68b21f8
commit 38a7645
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 1 deletion.
diff --git a/apps/provisioning_api/appinfo/routes.php b/apps/provisioning_api/appinfo/routes.php
@@ -76,6 +76,7 @@
 	],
 	'routes' => [
 		// Verification
-		['name' => 'Verification#verifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'GET'],
+		['name' => 'Verification#showVerifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'GET'],
+		['name' => 'Verification#verifyMail', 'url' => '/mailVerification/{key}/{token}/{userId}', 'verb' => 'POST'],
 	]
 ];
diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php
@@ -74,6 +74,26 @@ public function __construct(
 
 	/**
 	 * @NoCSRFRequired
+	 * @NoAdminRequired
+	 * @NoSubAdminRequired
+	 */
+	public function showVerifyMail(string $token, string $userId, string $key) {
+		if ($this->userSession->getUser()->getUID() !== $userId) {
+			throw new InvalidArgumentException('Logged in user is not mail address owner');
+		}
+		$email = $this->crypto->decrypt($key);
+
+		return new TemplateResponse(
+			'core', 'confirmation', [
+				'title' => $this->l10n->t('Email confirmation'),
+				'message' => $this->l10n->t('To enable the email address %s please click the button below.', [$email]),
+				'action' => $this->l10n->t('Confirm'),
+			], 'guest');
+	}
+
+	/**
+	 * @NoAdminRequired
+	 * @NoSubAdminRequired
 	 */
 	public function verifyMail(string $token, string $userId, string $key) {
 		try {
@@ -95,6 +115,7 @@ public function verifyMail(string $token, string $userId, string $key) {
 			}
 			$emailProperty->setLocallyVerified(IAccountManager::VERIFIED);
 			$this->accountManager->updateAccount($userAccount);
+			$this->verificationToken->delete($token, $user, 'verifyMail' . $ref);
 		} catch (InvalidTokenException $e) {
 			$error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
 				? $this->l10n->t('Could not verify mail because the token is expired.')

diff --git a/lib/private/Security/VerificationToken/VerificationToken.php b/lib/private/Security/VerificationToken/VerificationToken.php
@@ -122,4 +122,8 @@ public function create(IUser $user, string $subject, string $passwordPrefix = ''
 
 		return $token;
 	}
+
+	public function delete(string $token, IUser $user, string $subject): void {
+		$this->config->deleteUserValue($user->getUID(), 'core', $subject);
+	}
 }
diff --git a/lib/public/Security/VerificationToken/IVerificationToken.php b/lib/public/Security/VerificationToken/IVerificationToken.php
@@ -52,4 +52,11 @@ public function check(string $token, ?IUser $user, string $subject, string $pass
 	 * @since 23.0.0
 	 */
 	public function create(IUser $user, string $subject, string $passwordPrefix = ''): string;
+
+	/**
+	 * Deletes the token identified by the provided parameters
+	 *
+	 * @since 23.0.0
+	 */
+	public function delete(string $token, IUser $user, string $subject): void;
 }