
Feature Request: allow querying password_policy validate api

Open DanRiess opened this issue 1 year ago • 5 comments

Hi,

when creating shares of existing files with your app, the requests will get rejected if the password does not conform to the corresponding Nextcloud's password policy. In my case, I don't get an error message, the fetch just fails without any additional info.

It would be cool if you could integrate a route (e.g. /apps/webapppassword/api/v1/shares/validate-password) that queries the internal password_policy app's /validate endpoint and returns that result. I used to do this in my internal Nextcloud app as well.

Here is an example request that I would send from a third-party website:

const result = await fetch(`${this.server}/index.php/apps/webapppassword/api/v1/shares/validate-password`, {
	method: 'POST',
	headers: {
		Authorization: `Bearer ${webAppPasswordToken}`,
		'Content-Type': 'application/json',
		'OCS-APIRequest': 'true',
	},
	body: JSON.stringify({ password: 'Taco' }),
})

Here is what I used to send in a Nextcloud app:

const result = await fetch(`${generateOcsUrl('apps/password_policy/api/v1/validate')}`, {
	method: 'POST',
	body: JSON.stringify({ password: 'Taco' }),
})

And the result would be something like this:

{
    "meta": {
        "status": "ok",
        "statuscode": 200,
        "message": "OK"
    },
    "data": {
        "passed": false,
        "reason": "Password is among the 1,000,000 most common ones. Please make it unique. Password needs to be at least 10 characters long. Password is present in compromised password list. Please choose a different password."
    }
}

Would that be possible?

Best regards, Daniel

DanRiess, Dec 13 '23 04:12
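One way a third-party client could tell apart the outcomes described in the post above: a policy rejection with a reason, a fetch that fails with no detail, an HTTP error, and an unexpected body. This is an added example, not part of the original issue or of the webapppassword code; `interpretValidateBody` and `checkPassword` are hypothetical names, the URL is whatever validate route the caller has available, and accepting a top-level `ocs` wrapper around the envelope is an assumption.

```javascript
// Added example; function names are hypothetical. The response shape follows
// the sample JSON quoted in the issue.

// Map a parsed validate response onto a result the UI can act on.
// Assumption: the envelope may also arrive wrapped in a top-level "ocs" key.
function interpretValidateBody(body) {
  const env = body && typeof body === 'object' ? body.ocs || body : null;
  const meta = env && env.meta;
  const data = env && env.data;
  if (!meta || meta.status !== 'ok' || !data || typeof data.passed !== 'boolean') {
    return { kind: 'malformed', reason: '' };
  }
  if (data.passed) return { kind: 'accepted', reason: '' };
  return { kind: 'rejected', reason: typeof data.reason === 'string' ? data.reason : '' };
}

// Send the password to a validate route and classify every outcome.
// fetchImpl is injected so the function can be exercised offline.
async function checkPassword(fetchImpl, url, token, password) {
  let res;
  try {
    res = await fetchImpl(url, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
        Accept: 'application/json',
        'OCS-APIRequest': 'true',
      },
      body: JSON.stringify({ password }),
    });
  } catch (err) {
    // fetch rejects with no detail on network errors and blocked cross-origin calls.
    return { kind: 'transport', reason: '' };
  }
  if (!res.ok) return { kind: 'http', status: res.status, reason: '' };
  try {
    return interpretValidateBody(await res.json());
  } catch (err) {
    return { kind: 'malformed', reason: '' }; // body was not JSON
  }
}
```

A caller would create the share only on `accepted`, show `reason` on `rejected`, and treat every other kind as "could not validate" rather than as a pass.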

The share API was contributed by @aleixq in #61.

Hm, https://github.com/nextcloud/password_policy is an external app. Maybe it would really be a better idea to talk to the developers of the app about CORS policies to make the app accessible in browsers.

pbek, Dec 14 '23 09:12

Maybe just try to open an issue at https://github.com/nextcloud/password_policy/issues.

pbek, Dec 14 '23 09:12

Password policy is an internal app that is present in probably every Nextcloud instance. While I think that you're right in saying that Nextcloud really should implement global CORS policies, the fact that you had to build this app right here suggests that is not going to happen.

DanRiess, Dec 15 '23 09:12

A global strategy to configure CORS was suggested in PR https://github.com/nextcloud/server/pull/37896 and issue https://github.com/nextcloud/server/issues/37716. The PR needs mentorship or attention (elsewhere I need time to rebase it).

aleixq, Dec 15 '23 10:12

At least https://github.com/nextcloud/password_policy is a different app. Maybe one has more luck asking there...

pbek, Dec 15 '23 12:12