Skip to content

[WIP] Support one-time passwords (e.g. for public file shares)#61722

Open
theCalcaholic wants to merge 8 commits into
nextcloud:masterfrom
theCalcaholic:feature/nextcloud-share-otp
Open

[WIP] Support one-time passwords (e.g. for public file shares)#61722
theCalcaholic wants to merge 8 commits into
nextcloud:masterfrom
theCalcaholic:feature/nextcloud-share-otp

Conversation

@theCalcaholic

@theCalcaholic theCalcaholic commented Jul 2, 2026

Copy link
Copy Markdown

Work in-progress

This PR is functional but still in progress. I would very much appreciate architecture and implementation specific feedback while I'm working on polishing and the missing UI portion for OTP protected share creation.

Summary

This PR adds one-time password management to Nextcloud server and integrates them with the files_sharing app.

image

TODO

  • (core) Implement OTP core functionality
  • (core) Implement OTP integration into shares
  • (files_sharing) Implement creation of OTP protected shares via OCS
  • (files_sharing) Implement retrieval of public OTP protected shares via UI
  • (files_sharing) Implement retrieval of public OTP protected shares via OCS
  • (files_sharing) Implement UI for creating OTP protected shares (files->sidebar->sharing)
  • Harden bruteforce settings for endpoints
  • Better email template
  • Tests
  • Linting
  • Regenerate openapi definitions for files_sharing
  • Contribute documentation for the feature

Architecture and Rationale

General concepts

OTPs (one-time password) are short-lived, single use credentials sent to users via an (according to a given threat model) trusted channel (e.g. a specific email address).

OTP Providers define a method of sending OTPs to users.

OTP Recipients are valid address definitions within the scope of an OTP provider that can be sent OTPs.

Core/Server Changes

Generic

One-time passwords are implemented with generic interfaces so that they can be used by other parts of Nextcloud than sharing.

The core functionality for one-time passwords is implemented within the \OCP and \OC namespaces. OTPs are stored within a new database table one_time_password and have a providerID, a recipient string, an expiration date and a password. The idea here is, that the OTP configuration (i.e. provider+recipient) can be long lived, while the credentials (password+expiration date) are (re-)generated per use.
Management of OTPs is implemented in \OC\OneTimePassword\Manager (implementing the injectable interface at \OCP\OneTimePassword\IManager).

\OCP\Security\PasswordContext has been extended by an OTP case to allow the creation of password policies specifically for OTPs.

Events are used to allow apps to register OTP providers. They need to hook into the GetOneTimePasswordProviders and the SendOneTimePassword events to provider their functionality. Providers also need to implement the interface \OCP\OneTimePassword\IOneTimePasswordProvider, which defines methods that allow the Manager to select providers and provide information about them.

Sharing specific

Shares (see \OCP\Share\IShare) have been extended with an one_time_password field.

The \OC\Share20\Manager has been adjusted to prioritize OTPs when checking the authentication for a share.

The template publicshareauth.php has been adjusted to receive and display OTP related information and show a button to request an OTP if it is configured for the share.

files_sharing Changes

The ShareAPIController has been extended to allow creating and updating OTP protected shares and returning the otp configuration when fetching shares. OTPs and passwords are mutually exclusive and an error will be returned when attempting to create a share with both.

The ShareController has been extended to supply template responses for public shares with otp related information.

A new ShareOTPController has been implemented that allows users to request OTPs for a share.

OTP Providers

Two OTP providers have been implemented as (core) apps: debug and email. The former allows logging OTPs to the Nextcloud Logs and the latter allows sending OTPs via email.

Checklist

AI (if applicable)

  • The content of this PR was partly or fully generated using AI

@theCalcaholic theCalcaholic requested review from a team and provokateurin as code owners July 2, 2026 11:40
@theCalcaholic theCalcaholic requested review from Altahrim, ArtificialOwl, leftybournes, nfebe, sorbaugh and susnux and removed request for a team July 2, 2026 11:40
@theCalcaholic theCalcaholic force-pushed the feature/nextcloud-share-otp branch from 3131c6e to 2974b8b Compare July 2, 2026 11:48
@theCalcaholic theCalcaholic force-pushed the feature/nextcloud-share-otp branch from adbd854 to ae1bd6a Compare July 2, 2026 12:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant