feat: Add config switch to enable E2EE in browser

Signed-off-by: Louis Chemineau <[email protected]>

Author: artonge

lib/Controller/ConfigController.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\EndToEndEncryption\Controller;
+
+use OCA\EndToEndEncryption\AppInfo\Application;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\FrontpageRoute;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\IConfig;
+use OCP\IRequest;
+
+class ConfigController extends Controller {
+
+	public function __construct(
+		string $appName,
+		IRequest $request,
+		private IConfig $config,
+		private ?string $userId,
+	) {
+		parent::__construct($appName, $request);
+	}
+
+	#[NoAdminRequired]
+	#[FrontpageRoute(verb: 'PUT', url: '/api/v1/config/{key}')]
+	public function setUserConfig(string $key, string $value): JSONResponse {
+		if (is_null($this->userId)) {
+			return new JSONResponse([], Http::STATUS_PRECONDITION_FAILED);
+		}
+
+		if (!in_array($key, ['e2eeInBrowserEnabled'])) {
+			return new JSONResponse([], Http::STATUS_PRECONDITION_FAILED);
+		}
+
+		$this->config->setUserValue($this->userId, Application::APP_ID, $key, $value);
+		return new JSONResponse([], Http::STATUS_OK);
+	}
+}

lib/Listener/LoadAdditionalListener.php

@@ -10,23 +10,36 @@
 
 use OCA\EndToEndEncryption\AppInfo\Application;
 use OCA\Files\Event\LoadAdditionalScriptsEvent;
+use OCP\AppFramework\Services\IInitialState;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventListener;
+use OCP\IConfig;
 use OCP\Util;
 
 /**
  * @template-implements IEventListener<LoadAdditionalScriptsEvent>
  */
 class LoadAdditionalListener implements IEventListener {
 
-	public function __construct() {
+	public function __construct(
+		private IInitialState $initialState,
+		private IConfig $config,
+		private ?string $userId,
+	) {
 	}
 
 	public function handle(Event $event): void {
 		if (!($event instanceof LoadAdditionalScriptsEvent)) {
 			return;
 		}
 
+		$this->initialState->provideInitialState(
+			'userConfig',
+			[
+				'e2eeInBrowserEnabled' => $this->config->getUserValue($this->userId, 'end_to_end_encryption', 'e2eeInBrowserEnabled', 'false') === 'true',
+			]
+		);
+
 		Util::addInitScript(Application::APP_ID, 'end_to_end_encryption-files');
 	}
 }

lib/Settings/Personal.php

@@ -14,22 +14,19 @@
 use OCA\EndToEndEncryption\IKeyStorage;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
+use OCP\IConfig;
 use OCP\IUserSession;
 use OCP\Settings\ISettings;
 
 class Personal implements ISettings {
-	private IKeyStorage $keyStorage;
-	private IInitialState $initialState;
-	private ?string $userId;
-	private IUserSession $userSession;
-	private Config $config;
-
-	public function __construct(IKeyStorage $keyStorage, IInitialState $initialState, ?string $userId, IUserSession $userSession, Config $config) {
-		$this->keyStorage = $keyStorage;
-		$this->initialState = $initialState;
-		$this->userId = $userId;
-		$this->config = $config;
-		$this->userSession = $userSession;
+	public function __construct(
+		private IKeyStorage $keyStorage,
+		private IInitialState $initialState,
+		private ?string $userId,
+		private IUserSession $userSession,
+		private Config $e2eConfig,
+		private IConfig $config,
+	) {
 	}
 
 	public function getForm(): TemplateResponse {
@@ -39,10 +36,17 @@ public function getForm(): TemplateResponse {
 			&& $this->keyStorage->privateKeyExists($this->userId);
 		$this->initialState->provideInitialState('hasKey', $hasKey);
 
+		$this->initialState->provideInitialState(
+			'userConfig',
+			[
+				'e2eeInBrowserEnabled' => $this->config->getUserValue($this->userId, 'end_to_end_encryption', 'e2eeInBrowserEnabled', 'false') === 'true',
+			]
+		);
+
 		return new TemplateResponse(
 			Application::APP_ID,
 			'settings',
-			['canUseApp' => !$this->config->isDisabledForUser($this->userSession->getUser())]
+			['canUseApp' => !$this->e2eConfig->isDisabledForUser($this->userSession->getUser())]
 		);
 	}
 

src/components/MnemonicPromptDialog.vue

@@ -1,29 +1,30 @@
 <!--
-  - SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
-  - SPDX-License-Identifier: AGPL-3.0-or-later
-  -->
+	- SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+	- SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+<!-- eslint-disable jsdoc/require-jsdoc -->
+
 <script setup lang="ts">
 import { computed, ref } from 'vue'
 
 import { t } from '@nextcloud/l10n'
 import NcDialog from '@nextcloud/vue/dist/Components/NcDialog.js'
 import NcTextField from '@nextcloud/vue/dist/Components/NcTextField.js'
+import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
+import NcCheckboxRadioSwitch from '@nextcloud/vue/dist/Components/NcCheckboxRadioSwitch.js'
 
 const emit = defineEmits<{
 	(e: 'close', mnemonic: string): void
 }>()
 
+const dialogRef = ref()
 const mnemonic = ref('')
+const confirmToggle = ref(false)
 
-/**
- *
- */
-function submit() {
-	// TODO: Implement form validation
-	if (mnemonic.value.trim().split(/\s+/g).length !== 12) {
-		throw new Error('Mnemonic must be 12 words long')
-	}
+const isFormValid = computed(() => confirmToggle.value === true && mnemonic.value.trim().split(/\s+/g).length === 12)
 
+function submit() {
 	emit('close', mnemonic.value)
 }
 
@@ -32,18 +33,34 @@ const buttons = computed(() => [
 		label: t('end_to_en_encryption', 'Submit'),
 		nativeType: 'submit',
 		type: 'primary',
+		disabled: !isFormValid.value,
 		callback: submit,
 	},
 ])
 </script>
 <template>
-	<NcDialog :name="t('end_to_end_encryption', 'Enter your 12 words mnemonic')"
+	<NcDialog ref="dialogRef"
+		:name="t('end_to_end_encryption', 'Enter your 12 words mnemonic')"
 		:buttons="buttons"
 		:is-form="true"
 		@submit="submit">
+		<NcNoteCard type="warning"
+			:show-alert="true"
+			:heading="t('end_to_end_encryption', 'Decrypting your files in the browser can weaken security')">
+			{{ t('end_to_end_encryption', 'The server could serve malicious source code to extract the secret that protects your files.') }}
+
+			<NcCheckboxRadioSwitch v-model="confirmToggle"
+				required="true"
+				data-cy-e2ee-mnemonic-prompt="i_understand_the_risks"
+				type="switch">
+				{{ t('end_to_end_encryption', 'I understand the risks') }}
+			</NcCheckboxRadioSwitch>
+		</NcNoteCard>
+
 		<NcTextField :value.sync="mnemonic"
+			required="true"
+			pattern="^(\w+\s+){11}\w+$"
 			:label="t('end_to_end_encryption', 'Mnemonic')"
-			:autofocus="true"
-			:required="true" />
+			:autofocus="true" />
 	</NcDialog>
 </template>

src/components/SecuritySection.vue

@@ -6,14 +6,60 @@
 <template>
 	<NcSettingsSection :name="t('end_to_end_encryption', 'End-to-end encryption')"
 		:description="encryptionState">
-		<NcButton :disabled="!hasKey || shouldDisplayWarning"
+		<NcButton v-if="!shouldDisplayE2EEInBrowserWarning && userConfig['e2eeInBrowserEnabled'] === false"
+			class="margin-bottom"
+			:disabled="!hasKey"
+			type="secondary"
+			@click="shouldDisplayE2EEInBrowserWarning = true">
+			{{ t('end_to_end_encryption', 'Enable E2EE navigation in browser') }}
+		</NcButton>
+		<NcNoteCard v-else
+			class="notecard"
+			type="warning"
+			:show-alert="true"
+			:heading="t('end_to_end_encryption', 'Enabling E2EE in the browser can weaken security')">
+			<NcButton v-if="userConfig['e2eeInBrowserEnabled'] === false"
+				class="close-button"
+				:aria-label="t('end_to_end_encryption', 'Close')"
+				type="tertiary-no-background"
+				@click="shouldDisplayE2EEInBrowserWarning = false">
+				<template #icon>
+					<IconClose :size="20" />
+				</template>
+			</NcButton>
+
+			{{ t('end_to_end_encryption', 'The server could serve malicious source code to extract the secret that protects your files.') }}
+
+			<NcCheckboxRadioSwitch :disabled="!hasKey"
+				data-cy-e2ee-settings-setting="e2ee_in_browser_enabled"
+				:checked="userConfig.e2eeInBrowserEnabled"
+				class="margin-bottom"
+				type="switch"
+				@update:checked="value => setConfig('e2eeInBrowserEnabled', value)">
+				{{ t('end_to_end_encryption', 'Enable E2EE navigation in browser') }}
+			</NcCheckboxRadioSwitch>
+		</NcNoteCard>
+
+		<NcButton v-if="!shouldDisplayWarning"
+			:disabled="!hasKey"
 			:type="(hasKey && !shouldDisplayWarning) ? 'error' : 'secondary'"
 			@click="startResetProcess()">
 			{{ t('end_to_end_encryption', 'Reset end-to-end encryption') }}
 		</NcButton>
+		<NcNoteCard v-else
+			class="notecard"
+			type="warning"
+			:show-alert="true"
+			:heading="t('end_to_end_encryption', 'Please read carefully before resetting your end-to-end encryption keys')">
+			<NcButton class="close-button"
+				:aria-label="t('end_to_end_encryption', 'Close')"
+				type="tertiary-no-background"
+				@click="shouldDisplayWarning = false">
+				<template #icon>
+					<IconClose :size="20" />
+				</template>
+			</NcButton>
 
-		<div v-if="shouldDisplayWarning && hasKey" class="notecard warning" role="alert">
-			<p><strong>{{ t('end_to_end_encryption', 'Please read carefully before resetting your end-to-end encryption keys') }}</strong></p>
 			<ul>
 				<li>{{ t('end_to_end_encryption', 'Once your end-to-end encryption keys are reset, all files stored in your encrypted folder will be inaccessible.') }}</li>
 				<li>{{ t('end_to_end_encryption', 'You should only reset your end-to-end encryption keys if you lost your secure key words (mnemonic).') }}</li>
@@ -28,34 +74,43 @@
 			<NcButton type="error" @click="showDialog">
 				{{ t('end_to_end_encryption', "Confirm and reset end-to-end encryption") }}
 			</NcButton>
-		</div>
+		</NcNoteCard>
 	</NcSettingsSection>
 </template>
 
-<script>
+<script lang="ts">
+import { defineComponent } from 'vue'
+import IconClose from 'vue-material-design-icons/Close.vue'
+
 import axios from '@nextcloud/axios'
+import { translate as t } from '@nextcloud/l10n'
 import NcSettingsSection from '@nextcloud/vue/dist/Components/NcSettingsSection.js'
 import NcCheckboxRadioSwitch from '@nextcloud/vue/dist/Components/NcCheckboxRadioSwitch.js'
 import NcButton from '@nextcloud/vue/dist/Components/NcButton.js'
+import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
 import { loadState } from '@nextcloud/initial-state'
 import { showError, showSuccess, DialogBuilder } from '@nextcloud/dialogs'
-import { generateOcsUrl } from '@nextcloud/router'
+import { generateOcsUrl, generateUrl } from '@nextcloud/router'
 
 import logger from '../services/logger.js'
 
-export default {
+export default defineComponent({
 	name: 'SecuritySection',
 	components: {
 		NcSettingsSection,
 		NcButton,
 		NcCheckboxRadioSwitch,
+		NcNoteCard,
+		IconClose,
 	},
 
 	data() {
 		return {
 			hasKey: loadState('end_to_end_encryption', 'hasKey'),
 			shouldDisplayWarning: false,
 			deleteEncryptedFiles: false,
+			shouldDisplayE2EEInBrowserWarning: false,
+			userConfig: loadState('end_to_end_encryption', 'userConfig', { e2eeInBrowserEnabled: false }),
 		}
 	},
 
@@ -178,23 +233,27 @@ export default {
 			}
 			return true
 		},
+
+		async setConfig(key: string, value: string) {
+			await axios.put(generateUrl('apps/end_to_end_encryption/api/v1/config/{key}', { key }), {
+				value: (typeof value === 'string') ? value : JSON.stringify(value),
+			})
+			this.userConfig[key] = value
+		},
+
+		t,
 	},
-}
+})
 </script>
 
 <style lang="scss" scoped>
 .notecard {
-	color: var(--color-text-light) !important;
-	background-color: var(--note-background) !important;
-	border: 1px solid var(--color-border);
-	border-left: 4px solid var(--note-theme);
-	border-radius: var(--border-radius);
-	box-shadow: rgba(43, 42, 51, 0.05) 0 1px 2px 0;
-	margin: 1rem 0;
-	padding: 1rem !important;
-	&.warning {
-		--note-background: rgba(var(--color-warning-rgb), 0.2);
-		--note-theme: var(--color-warning);
+	position: relative;
+
+	.close-button {
+		position: absolute;
+		top: 0;
+		right: 0;
 	}
 }
 

src/files.ts

@@ -3,6 +3,12 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
+import { loadState } from '@nextcloud/initial-state'
+
 import { setupWebDavDecryptionProxy } from './services/webDavProxy.ts'
 
-setupWebDavDecryptionProxy()
+const userConfig = loadState('end_to_end_encryption', 'userConfig', { e2eeInBrowserEnabled: false })
+
+if (userConfig.e2eeInBrowserEnabled) {
+	setupWebDavDecryptionProxy()
+}