This repository was archived by the owner on May 29, 2026. It is now read-only.
retrofit: reverse-spec auth-system (5 new REQs, 22 methods)#1785
Open
rubenvdlinde wants to merge 1 commit into
Open
retrofit: reverse-spec auth-system (5 new REQs, 22 methods)#1785rubenvdlinde wants to merge 1 commit into
rubenvdlinde wants to merge 1 commit into
Conversation
Extends the existing auth-system capability spec with five sub-behaviour REQs observed in the runtime: - REQ-AUTH-100: validatePayload time semantics (iat required, exp defaults to iat+1h, expired payload throws) - REQ-AUTH-101: authorizeOAuth observed-behaviour is Bearer-prefix + isLoggedIn() only -- token is NOT parsed (SECURITY DRIFT flag) - REQ-AUTH-102: authorizeBasic + authorizeApiKey trust Nextcloud user resolution; authorizeBasic's allow-list params are dead code (SECURITY DRIFT flag) - REQ-AUTH-103: PropertyRbacHandler rule dispatch + admin bypass + public/authenticated pseudo-groups + PATCH-unchanged short-circuit - REQ-AUTH-104: RbacTable + PermissionMatrix Vue surface (flat vs nested authorization, store-driven loadData) Annotates four files at the file-top / method docblock: - lib/Service/AuthorizationService.php (task-1..3) - lib/Service/PropertyRbacHandler.php (task-4) - src/components/RbacTable.vue (task-5) - src/views/settings/sections/PermissionMatrix.vue (task-5) Of the 57 scanned cluster methods, 35 are triaged DROP (Solr backend belongs to search-index; remainder were correctly attached to auth-system here), 22 are annotated, one (showRebaseDialog) was already annotated against the 2026-04-23 retrofit and left alone. Per the security-critical guardrail, two observed fail-open patterns (authorizeOAuth not parsing the bearer token; authorizeBasic dead allow-list params) are captured as observed behaviour with explicit Notes -- NOT silently patched in the spec. Hardening tracked in the existing 'Not implemented' block of the main auth-system spec. Source: openspec/coverage-report.md cluster scan 2026-05-24 Cluster: auth-system (57 methods / 7 files; 22 in-scope after DROP triage)
Contributor
Quality Report — ConductionNL/openregister @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ❌ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 162/162 | |||
| npm | ✅ | ✅ 532/532 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-24 19:13 UTC
Download the full PDF report from the workflow artifacts.
This was referenced May 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Retrofit-spec pass for the auth-system capability cluster
(Bucket 2a). Extends the existing
auth-systemspec with 5 newREQs capturing observed sub-behaviour, and annotates 22 in-scope
methods across 4 files. No behavioural code changes.
belongs to
search-index; the rest were sibling-cap fragmentscorrectly reattached here)
RbacConfiguration.vue::showRebaseDialog) was alreadyannotated against the 2026-04-23 retrofit and left alone
New REQs (all ADDED on
auth-system)validatePayloadtime semantics (iatrequired,expdefaults toiat + 1h, past-expiry rejection)authorizeOAuthobserved behaviour isBearer-prefix +IUserSession::isLoggedIn()only; the bearertoken is NOT parsed (security drift flagged)
authorizeBasic+authorizeApiKeydelegateto Nextcloud;
authorizeBasic's$users/$groupsallow-listparameters are dead code (security drift flagged)
PropertyRbacHandlerrule dispatch + adminbypass +
public/authenticatedpseudo-groups + PATCH-unchangedstrict-equality short-circuit
RbacTable+PermissionMatrixVue surface:flat vs nested authorization shape; store-driven
loadDataSECURITY-CRITICAL observations (NOT silently fixed)
Per the security-critical retrofit guardrail, the following observed
fail-open / dead-code patterns are documented verbatim. Hardening
should be tracked as follow-up issues against the existing main
spec's "Not implemented" block.
authorizeOAuthdoes not validate the bearer token. Themethod only checks the
Bearerprefix and thatIUserSession::isLoggedIn()is already true. The token string isnever parsed or matched against a Consumer. Any
Authorization: Bearer …value passes when a session cookie hasalready authenticated the request.
authorizeBasic($header, $users=[], $groups=[])accepts$usersand$groupsallow-list parameters but never consultsthem — every Nextcloud user with valid credentials passes
regardless of what the caller intended.
getUnauthorizedPropertiesstrict-equality short-circuit.PATCH operations that echo a protected field's existing value
bypass the authorization check entirely. Benign for value-equality
fields; a side-channel for cases where knowing the value matters
(audit/ETag/replay).
These three observations are spelled out in
proposal.md → Notesandin the relevant REQ bodies.
Validation
Test plan
openspec validate --strictpassesopen hardening issues against
auth-systemgreen