Loading Dockerfile +11 −9 Original line number Diff line number Diff line Loading @@ -205,6 +205,16 @@ ARG LDAP_WRITE_SUPPORT_VERSION="1.9.0" ARG OIDC_LOGIN_VERSION="3.0.2" ARG IS_SELFHOST=false RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Patches COPY patches/ ${TMP_PATCH_DIR}/ RUN patch -u ${BASE_DIR}/core/templates/layout.user.php -i ${TMP_PATCH_DIR}/003-contact-search-removal.patch Loading 
@@ -218,17 +228,9 @@ RUN patch -u ${BASE_DIR}/apps/dav/lib/Connector/Sabre/Principal.php -i ${TMP_PAT RUN patch -u ${BASE_DIR}/apps/dav/lib/HookManager.php -i ${TMP_PATCH_DIR}/028-default-task-calendar.patch RUN patch -u ${BASE_DIR}/apps/provisioning_api/lib/Controller/UsersController.php -i ${TMP_PATCH_DIR}/029-restrict-user-to-change-primary-email.patch RUN patch -u ${BASE_DIR}/lib/private/Security/VerificationToken/VerificationToken.php -i ${TMP_PATCH_DIR}/033-verification-token-private.patch RUN patch -u ${BASE_DIR}/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php -i ${TMP_PATCH_DIR}/034-oidc-bearer-token-auth.patch RUN rm -rf ${TMP_PATCH_DIR} RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Remove user avatar generation for system addressbook card RUN sed -i 's/$this->getAvatarImage($user)/null/' ${BASE_DIR}/apps/dav/lib/CardDAV/Converter.php Loading patches/034-oidc-bearer-token-auth.patch 0 → 100644 +13 −0 Original line number Diff line number Diff line --- lib/private/AppFramework/Middleware/Security/CORSMiddleware.php 2024-04-08 08:53:20.410444998 +0530 +++ lib/private/AppFramework/Middleware/Security/CORSMiddleware-new.php 2024-04-09 19:05:21.133629632 +0530 
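Review bot: The relocated `RUN curl ... | tar -xf` steps in the `@@ -205,6 +205,16 @@` hunk extract release tarballs straight into `${BASE_DIR}/custom_apps` with no integrity check beyond TLS, so a replaced or tampered release asset would be installed silently; since the commit already pins `LDAP_WRITE_SUPPORT_VERSION` and `OIDC_LOGIN_VERSION`, pinning the digest alongside is cheap. I would add `ARG LDAP_WRITE_SUPPORT_SHA256=<sha256 of the pinned tarball>` next to the version ARG and insert `echo "${LDAP_WRITE_SUPPORT_SHA256}  ldap_write_support.tar.gz" | sha256sum -c - && \` between the `curl` and the `tar` line, and the same pair for `oidc_login.tar.gz`. The `@@ -218,17 +228,9 @@` hunk only removes the old copies of these lines, so the same remark covers it; the section is rendered a second time further down the page and that copy needs no separate note. A one-line `# Downloaded before the patches so TMP_PATCH_DIR cleanup is the last layer` comment above the first `RUN curl` would also record why the order changed, which the hunk otherwise leaves unexplained.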
@@ -97,6 +97,10 @@ // Allow to use the current session if a CSRF token is provided if ($this->request->passesCSRFCheck()) { return; + } + // Skip CORS check for requests with oidc token auth. + if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('is_oidc_token_login') === 1) { + return; } // Skip CORS check for requests with AppAPI auth. if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) { Loading
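Review bot: The new early return on `is_oidc_token_login` skips the CORS/CSRF handling on the strength of a session value alone, and the hunk does not show who sets that value; the branch is only safe if the flag is set exclusively on requests authenticated by a bearer token in that same request (presumably by the oidc_login app pinned in the Dockerfile, which I cannot confirm from here), never on a cookie-backed session that a cross-origin page could reuse. Also, the check compares with `=== 1` while the AppAPI check two lines below compares with `=== true`; if the producer stores `true` or the string `'1'`, the branch never fires, which is fail-closed but silently broken, so the stored type should be confirmed against the app that writes it. I would replace the added comment with `// Bearer-token OIDC logins carry no cookie session, so the CSRF/CORS check does not apply; the flag must only be set on the token-auth path, never on cookie logins.` so the invariant is visible to whoever next edits this middleware. The enclosing `beforeController` method begins and ends outside the hunk.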
Dockerfile +11 −9 Original line number Diff line number Diff line Loading @@ -205,6 +205,16 @@ ARG LDAP_WRITE_SUPPORT_VERSION="1.9.0" ARG OIDC_LOGIN_VERSION="3.0.2" ARG IS_SELFHOST=false RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Patches COPY patches/ ${TMP_PATCH_DIR}/ RUN patch -u ${BASE_DIR}/core/templates/layout.user.php -i ${TMP_PATCH_DIR}/003-contact-search-removal.patch Loading 
@@ -218,17 +228,9 @@ RUN patch -u ${BASE_DIR}/apps/dav/lib/Connector/Sabre/Principal.php -i ${TMP_PAT RUN patch -u ${BASE_DIR}/apps/dav/lib/HookManager.php -i ${TMP_PATCH_DIR}/028-default-task-calendar.patch RUN patch -u ${BASE_DIR}/apps/provisioning_api/lib/Controller/UsersController.php -i ${TMP_PATCH_DIR}/029-restrict-user-to-change-primary-email.patch RUN patch -u ${BASE_DIR}/lib/private/Security/VerificationToken/VerificationToken.php -i ${TMP_PATCH_DIR}/033-verification-token-private.patch RUN patch -u ${BASE_DIR}/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php -i ${TMP_PATCH_DIR}/034-oidc-bearer-token-auth.patch RUN rm -rf ${TMP_PATCH_DIR} RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Remove user avatar generation for system addressbook card RUN sed -i 's/$this->getAvatarImage($user)/null/' ${BASE_DIR}/apps/dav/lib/CardDAV/Converter.php Loading
patches/034-oidc-bearer-token-auth.patch 0 → 100644 +13 −0 Original line number Diff line number Diff line --- lib/private/AppFramework/Middleware/Security/CORSMiddleware.php 2024-04-08 08:53:20.410444998 +0530 +++ lib/private/AppFramework/Middleware/Security/CORSMiddleware-new.php 2024-04-09 19:05:21.133629632 +0530 @@ -97,6 +97,10 @@ // Allow to use the current session if a CSRF token is provided if ($this->request->passesCSRFCheck()) { return; + } + // Skip CORS check for requests with oidc token auth. + if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('is_oidc_token_login') === 1) { + return; } // Skip CORS check for requests with AppAPI auth. if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {