[Web] Auto-generated app passwords for Apple configuration profiles (#4316)

* Auto-generated app passwords for Apple configuration profiles * Change password modal: add warning about app passwords
2021-11-14 20:09:39 +01:00 · 2021-11-14 20:09:39 +01:00 · 9bfb74bb1d
parent 618e00f302
commit 9bfb74bb1d
6 changed files with 63 additions and 0 deletions
--- a/data/web/lang/lang.de.json
+++ b/data/web/lang/lang.de.json
@ -1000,7 +1000,9 @@
        "apple_connection_profile": "Apple-Verbindungsprofil",
        "apple_connection_profile_complete": "Dieses Verbindungsprofil beinhaltet neben IMAP- und SMTP-Konfigurationen auch Pfade für die Konfiguration von CalDAV (Kalender) und CardDAV (Adressbücher) für ein Apple-Gerät.",
        "apple_connection_profile_mailonly": "Dieses Verbindungsprofil beinhaltet IMAP- und SMTP-Konfigurationen für ein Apple-Gerät.",
+        "apple_connection_profile_with_app_password": "Es wird ein neues App-Passwort erzeugt und in das Profil eingefügt, damit bei der Einrichtung kein Passwort eingegeben werden muss. Geben Sie das Profil nicht weiter, da es einen vollständigen Zugriff auf Ihr Postfach ermöglicht.",
        "change_password": "Passwort ändern",
+        "change_password_hint_app_passwords": "Ihre Mailbox hat {{number_of_app_passwords}} App-Passwörter, die nicht geändert werden. Um diese zu verwalten, gehen Sie bitte zum App-Passwörter-Tab.",
        "clear_recent_successful_connections": "Alle erfolgreichen Verbindungen bereinigen",
        "client_configuration": "Konfigurationsanleitungen für E-Mail-Programme und Smartphones anzeigen",
        "create_app_passwd": "Erstelle App-Passwort",
@ -1123,6 +1125,7 @@
        "week": "Woche",
        "weekly": "Wöchentlich",
        "weeks": "Wochen",
+        "with_app_password": "mit App-Passwort",
        "year": "Jahr",
        "years": "Jahren"
    },
--- a/data/web/lang/lang.en.json
+++ b/data/web/lang/lang.en.json
@ -1042,7 +1042,9 @@
        "apple_connection_profile": "Apple connection profile",
        "apple_connection_profile_complete": "This connection profile includes IMAP and SMTP parameters as well as CalDAV (calendars) and CardDAV (contacts) paths for an Apple device.",
        "apple_connection_profile_mailonly": "This connection profile includes IMAP and SMTP configuration parameters for an Apple device.",
+        "apple_connection_profile_with_app_password": "A new app password is generated and added to the profile so that no password needs to be entered when setting up your device. Please do not share the file as it grants full access to your mailbox.",
        "change_password": "Change password",
+        "change_password_hint_app_passwords": "Your account has {{number_of_app_passwords}} app passwords that will not be changed. To manage these, go to the App passwords tab.",
        "clear_recent_successful_connections": "Clear seen successful connections",
        "client_configuration": "Show configuration guides for email clients and smartphones",
        "create_app_passwd": "Create app password",
@ -1175,6 +1177,7 @@
        "week": "week",
        "weekly": "Weekly",
        "weeks": "weeks",
+        "with_app_password": "with app password",
        "year": "year",
        "years": "years"
    },
--- a/data/web/mobileconfig.php
+++ b/data/web/mobileconfig.php
@ -8,6 +8,7 @@ if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != 'use
  session_destroy();
  // probably better than appending the whole current http query string
  $append_get = (isset($_GET['only_email'])) ? '&only_email' : '';
+  $append_get .= (isset($_GET['app_password'])) ? '&app_password' : '';
  header('Location: index.php?mobileconfig' . $append_get);
  die();
 }
@ -38,6 +39,34 @@ if (isset($_GET['only_email'])) {
  $onlyEmailAccount = false;
  $description = 'IMAP, CalDAV, CardDAV'; 
 }
+if (isset($_GET['app_password'])) {
+  $app_password = true;
+  $description .= ' with application password';
+  
+  if (strpos($_SERVER['HTTP_USER_AGENT'], 'iPad') !== FALSE)
+      $platform = 'iPad';
+  elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'iPhone') !== FALSE)
+      $platform = 'iPhone';
+  elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Macintosh') !== FALSE)
+      $platform = 'Mac';
+  else
+      $platform = $_SERVER['HTTP_USER_AGENT'];
+  
+  $password = bin2hex(openssl_random_pseudo_bytes(16));
+  $attr = array(
+      'app_name' => $platform,
+      'app_passwd' => $password,
+      'app_passwd2' => $password,
+      'active' => 1,
+      'protocols' => array('imap_access', 'smtp_access'),
+  );
+  if (!$onlyEmailAccount) {
+      $attr['protocols'][] = 'dav_access';
+  }
+  app_passwd("add", $attr);
+} else {
+  $app_password = false;
+}

 echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
 ?>
@ -65,6 +94,10 @@ echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
        <true/>
        <key>IncomingMailServerUsername</key>
        <string><?=$email?></string>
+        <?php if($app_password === true): ?>
+        <key>IncomingPassword</key>
+        <string><?=$password?></string>
+        <?php endif; ?>
        <key>OutgoingMailServerAuthentication</key>
        <string>EmailAuthPassword</string>
        <key>OutgoingMailServerHostName</key>
--- a/data/web/templates/modals/user.twig
+++ b/data/web/templates/modals/user.twig
@ -264,6 +264,9 @@
      <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">×</span></button>
        <h3 class="modal-title">{{ lang.user.change_password }}</h3>
+        {% if number_of_app_passwords > 0 %}
+        <p>{{ lang.user.change_password_hint_app_passwords | replace({'{{number_of_app_passwords}}': number_of_app_passwords}) }}</p>
+        {% endif %}
      </div>
      <div class="modal-body">
        <form class="form-horizontal" data-cached-form="false" data-id="pwchange" role="form" method="post" autocomplete="off">
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@ -101,6 +101,17 @@
          {% endif %}
        </div>
      </div>
+      <div class="row">
+        <div class="col-md-3 col-xs-12 text-right text-xs-left space20"><i class="bi bi-file-earmark-text"></i> {{ lang.user.apple_connection_profile }}<br />{{ lang.user.with_app_password }}:</div>
+        <div class="col-md-9 col-xs-12">
+          <p><i class="bi bi-file-earmark-post"></i> <a href="/mobileconfig.php?only_email&amp;app_password">{{ lang.user.email }}</a> <small>IMAP, SMTP</small></p>
+          <p class="help-block">{{ lang.user.apple_connection_profile_mailonly }} {{ lang.user.apple_connection_profile_with_app_password }}</p>
+          {% if not skip_sogo %}
+          <p><i class="bi bi-file-earmark-post"></i> <a href="/mobileconfig.php?app_password">{{ lang.user.email_and_dav }}</a> <small>IMAP, SMTP, Cal/CardDAV</small></p>
+          <p class="help-block">{{ lang.user.apple_connection_profile_complete }} {{ lang.user.apple_connection_profile_with_app_password }}</p>
+          {% endif %}
+        </div>
+      </div>
      <hr>
      <div class="row">
        <div class="col-sm-offset-3 col-sm-9">
--- a/data/web/user.php
+++ b/data/web/user.php
@ -62,6 +62,15 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
  }

  $template = 'user.twig';
+  $number_of_app_passwords = 0;
+  foreach (app_passwd("get") as $app_password)
+  {
+      $app_password = app_passwd("details", $app_password['id']);
+      if ($app_password['active'])
+      {
+          ++$number_of_app_passwords;
+      }
+  }
  $template_data = [
    'acl' => $_SESSION['acl'],
    'acl_json' => json_encode($_SESSION['acl']),
@ -78,6 +87,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
    'user_domains' => $user_domains,
    'pushover_data' => $pushover_data,
    'lang_user' => json_encode($lang['user']),
+    'number_of_app_passwords' => $number_of_app_passwords,
  ];
 }