Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

retrofit: reverse-spec auth-system (5 new REQs, 22 methods)#1785

Open
rubenvdlinde wants to merge 1 commit into
developmentfrom
retrofit/rspec-auth-system-2026-05-24
Open

retrofit: reverse-spec auth-system (5 new REQs, 22 methods)#1785
rubenvdlinde wants to merge 1 commit into
developmentfrom
retrofit/rspec-auth-system-2026-05-24

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

Retrofit-spec pass for the auth-system capability cluster
(Bucket 2a). Extends the existing auth-system spec with 5 new
REQs
capturing observed sub-behaviour, and annotates 22 in-scope
methods
across 4 files. No behavioural code changes.

  • Cluster batch: 57 methods / 7 files (35 triaged DROP — Solr backend
    belongs to search-index; the rest were sibling-cap fragments
    correctly reattached here)
  • One method (RbacConfiguration.vue::showRebaseDialog) was already
    annotated against the 2026-04-23 retrofit and left alone

New REQs (all ADDED on auth-system)

  • REQ-AUTH-100validatePayload time semantics (iat required,
    exp defaults to iat + 1h, past-expiry rejection)
  • REQ-AUTH-101authorizeOAuth observed behaviour is
    Bearer-prefix + IUserSession::isLoggedIn() only; the bearer
    token is NOT parsed (security drift flagged)
  • REQ-AUTH-102authorizeBasic + authorizeApiKey delegate
    to Nextcloud; authorizeBasic's $users/$groups allow-list
    parameters are dead code (security drift flagged)
  • REQ-AUTH-103PropertyRbacHandler rule dispatch + admin
    bypass + public/authenticated pseudo-groups + PATCH-unchanged
    strict-equality short-circuit
  • REQ-AUTH-104RbacTable + PermissionMatrix Vue surface:
    flat vs nested authorization shape; store-driven loadData

SECURITY-CRITICAL observations (NOT silently fixed)

Per the security-critical retrofit guardrail, the following observed
fail-open / dead-code patterns are documented verbatim. Hardening
should be tracked as follow-up issues against the existing main
spec's "Not implemented" block.

  1. authorizeOAuth does not validate the bearer token. The
    method only checks the Bearer prefix and that
    IUserSession::isLoggedIn() is already true. The token string is
    never parsed or matched against a Consumer. Any
    Authorization: Bearer … value passes when a session cookie has
    already authenticated the request.

  2. authorizeBasic($header, $users=[], $groups=[]) accepts
    $users and $groups allow-list parameters but never consults
    them — every Nextcloud user with valid credentials passes
    regardless of what the caller intended.

  3. getUnauthorizedProperties strict-equality short-circuit.
    PATCH operations that echo a protected field's existing value
    bypass the authorization check entirely. Benign for value-equality
    fields; a side-channel for cases where knowing the value matters
    (audit/ETag/replay).

These three observations are spelled out in proposal.md → Notes and
in the relevant REQ bodies.

Validation

$ openspec validate retrofit-2026-05-24-auth-system --strict
Change 'retrofit-2026-05-24-auth-system' is valid

Test plan

  • openspec validate --strict passes
  • Review the three flagged security drifts; decide whether to
    open hardening issues against auth-system
  • No code-behaviour changes — existing test suite SHOULD remain
    green

Extends the existing auth-system capability spec with five
sub-behaviour REQs observed in the runtime:

- REQ-AUTH-100: validatePayload time semantics (iat required, exp
  defaults to iat+1h, expired payload throws)
- REQ-AUTH-101: authorizeOAuth observed-behaviour is Bearer-prefix
  + isLoggedIn() only -- token is NOT parsed (SECURITY DRIFT flag)
- REQ-AUTH-102: authorizeBasic + authorizeApiKey trust Nextcloud
  user resolution; authorizeBasic's allow-list params are dead
  code (SECURITY DRIFT flag)
- REQ-AUTH-103: PropertyRbacHandler rule dispatch + admin bypass +
  public/authenticated pseudo-groups + PATCH-unchanged short-circuit
- REQ-AUTH-104: RbacTable + PermissionMatrix Vue surface (flat vs
  nested authorization, store-driven loadData)

Annotates four files at the file-top / method docblock:
- lib/Service/AuthorizationService.php (task-1..3)
- lib/Service/PropertyRbacHandler.php (task-4)
- src/components/RbacTable.vue (task-5)
- src/views/settings/sections/PermissionMatrix.vue (task-5)

Of the 57 scanned cluster methods, 35 are triaged DROP (Solr backend
belongs to search-index; remainder were correctly attached to
auth-system here), 22 are annotated, one (showRebaseDialog) was
already annotated against the 2026-04-23 retrofit and left alone.

Per the security-critical guardrail, two observed fail-open patterns
(authorizeOAuth not parsing the bearer token; authorizeBasic dead
allow-list params) are captured as observed behaviour with explicit
Notes -- NOT silently patched in the spec. Hardening tracked in the
existing 'Not implemented' block of the main auth-system spec.

Source: openspec/coverage-report.md cluster scan 2026-05-24
Cluster: auth-system (57 methods / 7 files; 22 in-scope after DROP triage)
@github-actions

Copy link
Copy Markdown
Contributor

Quality Report — ConductionNL/openregister @ 812e752

Check PHP Vue Security License Tests
lint
phpcs
phpmd
psalm
phpstan
phpmetrics
eslint
stylelint
composer ✅ 162/162
npm ✅ 532/532
PHPUnit ⏭️
Newman ⏭️
Playwright ⏭️

Quality workflow — 2026-05-24 19:13 UTC

Download the full PDF report from the workflow artifacts.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant