Feature Request: allow querying password_policy validate api #141

Open
DanRiess opened this issue Dec 13, 2023 · 5 comments
Labels
question Further information is requested

Comments

@DanRiess
Contributor

DanRiess commented Dec 13, 2023

Hi,

when creating shares of existing files with your app, the requests will get rejected if the password does not conform to the corresponding Nextcloud password policy. In my case, I don't get an error message; the fetch just fails without any additional info.

It would be cool if you could integrate a route (e.g. /apps/webapppassword/api/v1/shares/validate-password) that queries the internal password_policy app's /validate endpoint and returns that result. I used to do this in my internal Nextcloud app as well.

Here is an example request that I would send from a third-party website:

const result = await fetch(`${this.server}/index.php/apps/webapppassword/api/v1/shares/validate-password`, {
	method: 'POST',
	headers: {
		Authorization: `Bearer ${webAppPasswordToken}`,
		'Content-Type': 'application/json',
		'OCS-APIRequest': 'true',
	},
	body: JSON.stringify({ password: 'Taco' }),
})

Here is what I used to send in a Nextcloud app:

const result = await fetch(`${generateOcsUrl('apps/password_policy/api/v1/validate')}`, {
	method: 'POST',
	body: JSON.stringify({ password: 'Taco' }),
})

And the result would be something like this:

{
    "meta": {
        "status": "ok",
        "statuscode": 200,
        "message": "OK"
    },
    "data": {
        "passed": false,
        "reason": "Password is among the 1,000,000 most common ones. Please make it unique. Password needs to be at least 10 characters long. Password is present in compromised password list. Please choose a different password."
    }
}

Would that be possible?

Best regards,
Daniel
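
Added example, not part of the original post or of the webapppassword code: a client-side helper for the route proposed above that separates a policy rejection from a request that fails without any response, which is the bare fetch failure described in the report. The route is only the proposal from this issue; `checkSharePassword`, `interpretValidateResponse` and the injected `fetchImpl` are hypothetical names.

```javascript
// Added example. The validate-password route is the one PROPOSED in this
// issue (hypothetical, not an existing webapppassword endpoint).
const VALIDATE_ROUTE = '/index.php/apps/webapppassword/api/v1/shares/validate-password';

// Turn an HTTP status + body text into one of three outcomes, so a policy
// rejection is never confused with a transport or parsing problem.
function interpretValidateResponse(httpStatus, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { outcome: 'error', detail: `HTTP ${httpStatus}: body is not JSON` };
  }
  // Accept both a bare envelope (as shown in the issue) and one wrapped in
  // "ocs" (assumption: OCS JSON responses are commonly wrapped that way).
  const env = body && body.ocs ? body.ocs : body;
  const data = env && env.data;
  if (httpStatus !== 200 || !data || typeof data.passed !== 'boolean') {
    const msg = env && env.meta && env.meta.message;
    return { outcome: 'error', detail: `HTTP ${httpStatus}: ${msg || 'unexpected response'}` };
  }
  return data.passed
    ? { outcome: 'accepted' }
    : { outcome: 'rejected', detail: String(data.reason || 'no reason given') };
}

// fetchImpl is injected (window.fetch in a browser) so the function can be
// exercised offline with a stub.
async function checkSharePassword(fetchImpl, server, token, password) {
  let res;
  try {
    res = await fetchImpl(server + VALIDATE_ROUTE, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
        'OCS-APIRequest': 'true',
      },
      body: JSON.stringify({ password }),
    });
  } catch (err) {
    // A blocked cross-origin request surfaces here as a bare TypeError with
    // no status or body: the "fetch just fails" case from the report.
    return { outcome: 'error', detail: `request failed before a response arrived: ${err.message}` };
  }
  return interpretValidateResponse(res.status, await res.text());
}
```

A caller should treat `error` as "not validated" and never as `accepted`, so that an unreachable endpoint does not silently bypass the policy check.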

@pbek pbek added enhancement New feature or request help wanted Extra attention is needed labels Dec 14, 2023
@pbek
Member

pbek commented Dec 14, 2023

The share API was contributed by @aleixq in #61.

Hm, https://github.com/nextcloud/password_policy is an external app. Maybe it would really be a better idea to talk to the developers of the app about CORS policies to make the app accessible in browsers.

@pbek pbek added question Further information is requested and removed enhancement New feature or request help wanted Extra attention is needed labels Dec 14, 2023
@pbek
Member

pbek commented Dec 14, 2023

Maybe just try to open an issue at https://github.com/nextcloud/password_policy/issues.

@DanRiess
Contributor Author

Password policy is an internal app that is present in probably every Nextcloud instance. While I think that you're right in saying that Nextcloud really should implement global CORS policies, the fact that you had to build this app right here suggests that is not going to happen.

@aleixq
Contributor

aleixq commented Dec 15, 2023

A global strategy to configure CORS was suggested in PR nextcloud/server#37896 and issue nextcloud/server#37716; the PR needs mentorship or attention (elsewhere I need time to rebase it).

@pbek
Member

pbek commented Dec 15, 2023

At least https://github.com/nextcloud/password_policy is a different app. Maybe one has more luck asking there...
