Dockerfile +11 −9 @@ -205,6 +205,16 @@ ARG LDAP_WRITE_SUPPORT_VERSION="1.9.0" ARG OIDC_LOGIN_VERSION="3.0.2" ARG IS_SELFHOST=false RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Patches COPY patches/ ${TMP_PATCH_DIR}/ RUN patch -u ${BASE_DIR}/core/templates/layout.user.php -i ${TMP_PATCH_DIR}/003-contact-search-removal.patch
@@ -218,17 +228,9 @@ RUN patch -u ${BASE_DIR}/apps/dav/lib/Connector/Sabre/Principal.php -i ${TMP_PAT RUN patch -u ${BASE_DIR}/apps/dav/lib/HookManager.php -i ${TMP_PATCH_DIR}/028-default-task-calendar.patch RUN patch -u ${BASE_DIR}/apps/provisioning_api/lib/Controller/UsersController.php -i ${TMP_PATCH_DIR}/029-restrict-user-to-change-primary-email.patch RUN patch -u ${BASE_DIR}/lib/private/Security/VerificationToken/VerificationToken.php -i ${TMP_PATCH_DIR}/033-verification-token-private.patch RUN patch -u ${BASE_DIR}/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php -i ${TMP_PATCH_DIR}/034-oidc-bearer-token-auth.patch RUN rm -rf ${TMP_PATCH_DIR} RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Remove user avatar generation for system addressbook card RUN sed -i 's/$this->getAvatarImage($user)/null/' ${BASE_DIR}/apps/dav/lib/CardDAV/Converter.php patches/034-oidc-bearer-token-auth.patch +9 −21 --- lib/private/AppFramework/Middleware/Security/CORSMiddleware.php 2024-04-08 08:53:20.410444998 +0530 +++ lib/private/AppFramework/Middleware/Security/CORSMiddleware-new.php 2024-04-09 19:05:21.133629632 +0530
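Review bot: The two `RUN curl -fsSL … && tar -xf …` steps that now sit in the first hunk still extract the ldap_write_support and oidc_login release tarballs straight from GitHub with no integrity check, so the image content depends on whatever the `v${…_VERSION}` tag resolves to at build time. Since the versions are already pinned through `ARG`, pin the digests too: add e.g. `ARG OIDC_LOGIN_SHA256=<expected-sha256>` and insert `echo "${OIDC_LOGIN_SHA256}  oidc_login.tar.gz" | sha256sum -c - && \` before the `tar -xf oidc_login.tar.gz` line, and the same for ldap_write_support. A failed check then aborts the build instead of silently shipping a different archive. The same lines appear in the duplicated Dockerfile section further down the page.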
@@ -93,6 +93,22 @@ (!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) { $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; + + $authHeader = $this->request->getHeader('Authorization'); + $bearerToken = substr($authHeader, 7); + $appManager = \OC::$server->get(OCP\App\IAppManager); + + if ($this->session->getSession() instanceof ISession && $this->session->getSession()->exists('is_oidc') + && $this->request->getHeader('OIDC-LOGIN-WITH-TOKEN') === 'true' && !empty($bearerToken) && $appManager->isEnabledForUser('oidc_login') ) { + try { + $loginService = \OC::$server->get(OCA\OIDCLogin\Service\LoginService::class); + $loginService->loginWithBearerToken($bearerToken); + $this->session->set('is_oidc', 1); + return; + } catch (\Exception $e) { + $this->logger->debug("WebDAV bearer token validation failed with: {$e->getMessage()}", $this->context); + } + } @@ -97,6 +97,10 @@ // Allow to use the current session if a CSRF token is provided if ($this->request->passesCSRFCheck()) { return; + } + // Skip CORS check for requests with oidc token auth. + if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('is_oidc_token_login') === 1) { + return; } // Skip CORS check for requests with AppAPI auth. if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {
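Review bot: The new `is_oidc_token_login` early return in the `@@ -97,6 +97,10 @@` hunk skips the CORS protection on the strength of a session flag alone, whereas the check just above it only bypasses the protection when the request itself proves it is not a plain cross-origin cookie request (`passesCSRFCheck()`). If a session carrying `is_oidc_token_login` can be persisted in a cookie, a cross-origin page could reach `@CORS` routes with that cookie and no CSRF token, which is exactly what this middleware exists to prevent; whether that can happen depends on how oidc_login sets the flag, which is not visible here. Consider tying the bypass to a per-request credential as well, e.g. `&& str_starts_with($this->request->getHeader('Authorization'), 'Bearer ')`, and state the invariant in the comment: `// Skip CORS check only for requests authenticated per-request via an OIDC bearer token (flag set by oidc_login's token login, never for cookie sessions).` The flag is compared with `=== 1` while the neighbouring AppAPI check uses `=== true`; pick one convention so the condition cannot silently fail if the writer ever stores a bool. The enclosing method starts and ends outside the hunk.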
Dockerfile +11 −9 @@ -205,6 +205,16 @@ ARG LDAP_WRITE_SUPPORT_VERSION="1.9.0" ARG OIDC_LOGIN_VERSION="3.0.2" ARG IS_SELFHOST=false RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Patches COPY patches/ ${TMP_PATCH_DIR}/ RUN patch -u ${BASE_DIR}/core/templates/layout.user.php -i ${TMP_PATCH_DIR}/003-contact-search-removal.patch
@@ -218,17 +228,9 @@ RUN patch -u ${BASE_DIR}/apps/dav/lib/Connector/Sabre/Principal.php -i ${TMP_PAT RUN patch -u ${BASE_DIR}/apps/dav/lib/HookManager.php -i ${TMP_PATCH_DIR}/028-default-task-calendar.patch RUN patch -u ${BASE_DIR}/apps/provisioning_api/lib/Controller/UsersController.php -i ${TMP_PATCH_DIR}/029-restrict-user-to-change-primary-email.patch RUN patch -u ${BASE_DIR}/lib/private/Security/VerificationToken/VerificationToken.php -i ${TMP_PATCH_DIR}/033-verification-token-private.patch RUN patch -u ${BASE_DIR}/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php -i ${TMP_PATCH_DIR}/034-oidc-bearer-token-auth.patch RUN rm -rf ${TMP_PATCH_DIR} RUN curl -fsSL -o ldap_write_support.tar.gz \ "https://github.com/nextcloud-releases/ldap_write_support/releases/download/v${LDAP_WRITE_SUPPORT_VERSION}/ldap_write_support-v${LDAP_WRITE_SUPPORT_VERSION}.tar.gz" && \ tar -xf ldap_write_support.tar.gz -C ${BASE_DIR}/custom_apps && \ rm ldap_write_support.tar.gz RUN curl -fsSL -o oidc_login.tar.gz \ "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v${OIDC_LOGIN_VERSION}/oidc_login.tar.gz" && \ tar -xf oidc_login.tar.gz -C ${BASE_DIR}/custom_apps && \ rm oidc_login.tar.gz # Remove user avatar generation for system addressbook card RUN sed -i 's/$this->getAvatarImage($user)/null/' ${BASE_DIR}/apps/dav/lib/CardDAV/Converter.php
patches/034-oidc-bearer-token-auth.patch +9 −21 --- lib/private/AppFramework/Middleware/Security/CORSMiddleware.php 2024-04-08 08:53:20.410444998 +0530 +++ lib/private/AppFramework/Middleware/Security/CORSMiddleware-new.php 2024-04-09 19:05:21.133629632 +0530 @@ -93,6 +93,22 @@ (!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) { $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; + + $authHeader = $this->request->getHeader('Authorization'); + $bearerToken = substr($authHeader, 7); + $appManager = \OC::$server->get(OCP\App\IAppManager); + + if ($this->session->getSession() instanceof ISession && $this->session->getSession()->exists('is_oidc') + && $this->request->getHeader('OIDC-LOGIN-WITH-TOKEN') === 'true' && !empty($bearerToken) && $appManager->isEnabledForUser('oidc_login') ) { + try { + $loginService = \OC::$server->get(OCA\OIDCLogin\Service\LoginService::class); + $loginService->loginWithBearerToken($bearerToken); + $this->session->set('is_oidc', 1); + return; + } catch (\Exception $e) { + $this->logger->debug("WebDAV bearer token validation failed with: {$e->getMessage()}", $this->context); + } + } @@ -97,6 +97,10 @@ // Allow to use the current session if a CSRF token is provided if ($this->request->passesCSRFCheck()) { return; + } + // Skip CORS check for requests with oidc token auth. + if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('is_oidc_token_login') === 1) { + return; } // Skip CORS check for requests with AppAPI auth. if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {