Allow API endpoint access with a predefined token

Signed-off-by: Vincent Petry <vincent@nextcloud.com>
nextcloud · Jan 19, 2021 · d98386b · d98386b
1 parent 84939ef
commit d98386b
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 0 deletions.
diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
@@ -28,15 +28,28 @@
 use OCA\ServerInfo\ShareStatistics;
 use OCA\ServerInfo\StorageStatistics;
 use OCA\ServerInfo\SystemStatistics;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
+use OCP\IConfig;
+use OCP\IGroupManager;
 use OCP\IRequest;
+use OCP\IUserSession;
 
 class ApiController extends OCSController {
 
 	/** @var Os */
 	private $os;
 
+	/** @var IConfig */
+	private $config;
+
+	/** @var IGroupManager */
+	private $groupManager;
+
+	/** @var IUserSession */
+	private $userSession;
+
 	/** @var SystemStatistics */
 	private $systemStatistics;
 
@@ -60,6 +73,9 @@ class ApiController extends OCSController {
 	 *
 	 * @param string $appName
 	 * @param IRequest $request
+	 * @param IConfig $config
+	 * @param IGroupManager $groupManager
+	 * @param IUserSession $userSession
 	 * @param Os $os
 	 * @param SystemStatistics $systemStatistics
 	 * @param StorageStatistics $storageStatistics
@@ -70,6 +86,9 @@ class ApiController extends OCSController {
 	 */
 	public function __construct($appName,
 								IRequest $request,
+								IConfig $config,
+								IGroupManager $groupManager,
+								IUserSession $userSession,
 								Os $os,
 								SystemStatistics $systemStatistics,
 								StorageStatistics $storageStatistics,
@@ -79,6 +98,9 @@ public function __construct($appName,
 								SessionStatistics $sessionStatistics) {
 		parent::__construct($appName, $request);
 
+		$this->config             = $config;
+		$this->groupManager       = $groupManager;
+		$this->userSession        = $userSession;
 		$this->os                 = $os;
 		$this->systemStatistics   = $systemStatistics;
 		$this->storageStatistics  = $storageStatistics;
@@ -88,12 +110,45 @@ public function __construct($appName,
 		$this->sessionStatistics  = $sessionStatistics;
 	}
 
+	private function checkAuthorized() {
+		$token = $this->request->getHeader('OC-Token');
+		if (!empty($token)) {
+			$storedToken = $this->config->getAppValue('serverinfo', 'token', null);
+			if ($storedToken === $token) {
+				return true;
+			}
+		}
+
+		$userSession = $this->userSession;
+		if ($userSession === null) {
+			return false;
+		}
+
+		$user = $userSession->getUser();
+		if ($user === null) {
+			return false;
+		}
+
+		if (!$this->groupManager->isAdmin($user->getUID())) {
+			return false;
+		};
+
+		return true;
+	}
+
 	/**
 	 * @NoCSRFRequired
+	 * @NoAdminRequired
+	 * @PublicPage
 	 *
 	 * @return DataResponse
 	 */
 	public function info() {
+		if (!$this->checkAuthorized()) {
+			$response = new DataResponse(['message' => 'Unauthorized']);
+			$response->setStatus(Http::STATUS_UNAUTHORIZED);
+			return $response;
+		}
 		return new DataResponse([
 			'nextcloud' => [
 				'system'  => $this->systemStatistics->getSystemStatistics(),

diff --git a/templates/settings-admin.php b/templates/settings-admin.php
@@ -333,6 +333,13 @@ class="barchart"
 				<p class="settings-hint">
 					<?php p($l->t('Appending "?format=json" at the end of the URL gives you the result in JSON.')); ?>
 				</p>
+				<p>
+					<?php p($l->t('To use an access token please generate one then set it using the following command:')); ?>
+					<div><i>occ config:app:set serverinfo token --value yourtoken</i></div>
+				</p>
+				<p>
+					<?php p($l->t('Then pass the token with the "OC-Token" header when querying the above URL.')); ?>
+				</p>
 			</div>
 		</div>
 	</div>