From 287df4a3dac269eda337b0d6c88ec6b9ab56b9ef Mon Sep 17 00:00:00 2001
From: Carl Schwan
Date: Fri, 27 May 2022 11:54:47 +0200
Subject: [PATCH] Support password-less public key token

The idea is that we would add a mode in which Nextcloud doesn't stores encrypted user password in the database. This would be opt-in and disable some Nextcloud features (e.g. external storages)

Todos:
- Replace true condition with system config

Test plan:
- Login in webui and desktop client
- Apply this patch
- User is still logged in in both webui and desktop client

Signed-off-by: Carl Schwan
---
 .../Token/PublicKeyTokenProvider.php | 50 ++++++++++++-------
 1 file changed, 33 insertions(+), 17 deletions(-)

diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index a1d75828e2758..a9a3ec349dffe 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -262,6 +262,10 @@ public function setPassword(IToken $token, string $tokenId, string $password) {
 			throw new InvalidTokenException("Invalid token type");
 		}
 
+		if (true) {
+			return;
+		}
+
 		// When changing passwords all temp tokens are deleted
 		$this->mapper->deleteTempToken($token);
 
@@ -281,6 +285,10 @@ public function rotate(IToken $token, string $oldTokenId, string $newTokenId): I
 			throw new InvalidTokenException("Invalid token type");
 		}
 
+		if (true) {
+			return $token;
+		}
+
 		// Decrypt private key with oldTokenId
 		$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
 		// Encrypt with the new token
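Review bot: The early `return;` in setPassword() sits above `$this->mapper->deleteTempToken($token);`, so in the password-less mode the other temp tokens of the user are no longer removed when the password changes. If that deletion also serves to invalidate the user's other sessions on a password change, rather than only to drop rows whose encrypted password would now be stale, it should run before the new condition: move `$this->mapper->deleteTempToken($token);` with its comment above the `if (true) {` block and keep the return only for the password-encryption part. Either way the choice deserves a one-line comment at the return, e.g. `// Password-less mode: nothing to re-encrypt, but note this also skips temp-token cleanup`. The body of setPassword() continues past the hunk, so other skipped steps cannot be judged from here.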
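Review bot: `return $token;` leaves rotate() before anything after the type check runs, and the hunk ends before the rest of the method; if the remainder stores the hash of `$newTokenId` on the token (the `$newTokenId` parameter and the `hashToken()` helper used elsewhere in this file suggest it does), the early return means the token is never actually rotated, the old id stays valid and the id the caller continues with is unknown to the database. Only the private-key decrypt/encrypt pair is tied to the stored key material, so guard just those two statements with the condition and let the rest of the method run, e.g. `if (!$passwordless) { $privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId); $token->setPrivateKey($this->encrypt($privateKey, $newTokenId)); }`. Worth a regression test that rotate() in this mode changes the stored token hash.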
@@ -349,28 +357,32 @@ private function newToken(string $token,
 			'private_key_bits' => 2048,
 		], $this->config->getSystemValue('openssl', []));
 
-		// Generate new key
-		$res = openssl_pkey_new($config);
-		if ($res === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
+		if (true) {
+			// Generate new key
+			$res = openssl_pkey_new($config);
+			if ($res === false) {
+				$this->logOpensslError();
+				throw new \RuntimeException('OpenSSL reported a problem');
+			}
 
-		if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
-			$this->logOpensslError();
-			throw new \RuntimeException('OpenSSL reported a problem');
-		}
+			if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
+				$this->logOpensslError();
+				throw new \RuntimeException('OpenSSL reported a problem');
+			}
 
-		// Extract the public key from $res to $pubKey
-		$publicKey = openssl_pkey_get_details($res);
-		$publicKey = $publicKey['key'];
+			// Extract the public key from $res to $pubKey
+			$publicKey = openssl_pkey_get_details($res);
+			$publicKey = $publicKey['key'];
 
-		$dbToken->setPublicKey($publicKey);
-		$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
+			$dbToken->setPublicKey($publicKey);
+			$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
 
-		if (!is_null($password)) {
-			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
+			if (!is_null($password)) {
+				$dbToken->setPassword($this->encryptPassword($password, $publicKey));
+			}
 		}
+		$dbToken->setPublicKey('');
+		$dbToken->setPrivateKey('');
 
 		$dbToken->setName($name);
 		$dbToken->setToken($this->hashToken($token));
@@ -402,6 +414,10 @@ public function updatePasswords(string $uid, string $password) {
 			return;
 		}
 
+		if (true) {
+			return;
+		}
+
 		// Update the password for all tokens
 		$tokens = $this->mapper->getTokenByUser($uid);
 		foreach ($tokens as $t) {
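Review bot: `$dbToken->setPublicKey('');` and `$dbToken->setPrivateKey('');` run unconditionally after the `if (true) {` block in newToken(), so whenever the condition is true the freshly generated key pair is immediately overwritten with empty strings while the password encrypted against that public key stays on the token and can never be decrypted again; once the placeholder becomes a real config switch, the key-backed mode would silently persist tokens with no key material. The two blanking lines belong in the else branch: `} else { $dbToken->setPublicKey(''); $dbToken->setPrivateKey(''); }`. In the password-less branch a non-null `$password` is dropped without any trace; a short comment there, e.g. `// password-less mode: no key pair, password is intentionally not stored`, would tell the next reader that this is deliberate and not a missed assignment. The method continues past the hunk, so I cannot see whether later code assumes a non-empty public key.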