Add application specific passwords

Fixes https://github.com/nextcloud/user_saml/issues/1

admin.php

@@ -22,4 +22,4 @@
 $app = new \OCA\User_SAML\AppInfo\Application();
 /** @var \OCA\User_SAML\Controller\SettingsController $controller */
 $controller = $app->getContainer()->query('SettingsController');
-return $controller->displayPanel()->render();
+return $controller->displayAdminPanel()->render();

appinfo/app.php

@@ -22,6 +22,7 @@
 require_once __DIR__ . '/../3rdparty/vendor/autoload.php';
 
 \OCP\App::registerAdmin('user_saml', 'admin');
+\OCP\App::registerPersonal('user_saml', 'personal');
 
 $urlGenerator = \OC::$server->getURLGenerator();
 $config = \OC::$server->getConfig();
@@ -30,21 +31,24 @@ $samlSettings = new \OCA\User_SAML\SAMLSettings(
 	$urlGenerator,
 	$config
 );
-try {
-	$oneLoginSettings = new \OneLogin_Saml2_Settings($samlSettings->getOneLoginSettingsArray());
-} catch(OneLogin_Saml2_Error $e) {
-	return;
-}
 
 $userBackend = new \OCA\User_SAML\UserBackend(
 	\OC::$server->getConfig(),
 	\OC::$server->getLogger(),
 	\OC::$server->getURLGenerator(),
-	\OC::$server->getSession()
+	\OC::$server->getSession(),
+	\OC::$server->getDb()
 );
 OC_User::useBackend($userBackend);
 OC_User::handleApacheAuth();
 
+// Setting up the one login config may fail, if so, do not catch the requests later.
+try {
+	$oneLoginSettings = new \OneLogin_Saml2_Settings($samlSettings->getOneLoginSettingsArray());
+} catch(OneLogin_Saml2_Error $e) {
+	return;
+}
+
 // Redirect all requests to the login page to the SAML login
 $currentUrl = substr(explode('?',$request->getRequestUri(), 2)[0], strlen(\OC::$WEBROOT));
 if($currentUrl === '/index.php/login' && !OC_User::isLoggedIn()) {

appinfo/database.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<database>
+
+	<name>*dbname*</name>
+	<create>true</create>
+	<overwrite>false</overwrite>
+	<charset>utf8</charset>
+
+	<table>
+		<!-- Copied table from core: Nextcloud 9 does not support application
+		specific passwords and so we -->
+		<name>*dbprefix*user_saml_auth_token</name>
+
+		<declaration>
+			<field>
+				<name>id</name>
+				<type>integer</type>
+				<default>0</default>
+				<notnull>true</notnull>
+				<autoincrement>1</autoincrement>
+				<unsigned>true</unsigned>
+				<length>4</length>
+			</field>
+
+			<!-- Foreign Key users::uid -->
+			<field>
+				<name>uid</name>
+				<type>text</type>
+				<default></default>
+				<notnull>true</notnull>
+				<length>64</length>
+			</field>
+
+			<field>
+				<name>name</name>
+				<type>clob</type>
+				<default></default>
+				<notnull>true</notnull>
+			</field>
+
+			<field>
+				<name>token</name>
+				<type>text</type>
+				<default></default>
+				<notnull>true</notnull>
+				<length>200</length>
+			</field>
+		</declaration>
+	</table>
+</database>

appinfo/info.xml

@@ -7,6 +7,6 @@
 	<author>Nextcloud</author>
 	<version>1.0.0</version>
 	<dependencies>
-		<owncloud min-version="9.0" max-version="9.1" />
+		<owncloud min-version="9.0" max-version="9.0" />
 	</dependencies>
 </info>

appinfo/routes.php

@@ -21,26 +21,36 @@
 
 namespace OCA\User_SAML\AppInfo;
 
-(new \OCP\AppFramework\App('user_saml'))->registerRoutes($this, array('routes' => array(
+(new Application())->registerRoutes(
+	$this,
 	[
-		'name' => 'SAML#login',
-		'url' => '/saml/login',
-		'verb' => 'GET',
-	],
-	[
-		'name' => 'SAML#getMetadata',
-		'url' => '/saml/metadata',
-		'verb' => 'GET',
-	],
-	[
-		'name' => 'SAML#assertionConsumerService',
-		'url' => '/saml/acs',
-		'verb' => 'POST',
-	],
-	[
-		'name' => 'SAML#singleLogoutService',
-		'url' => '/saml/sls',
-		'verb' => 'GET',
-	],
-)));
+		'resources' => [
+			'AuthSettings' => [
+				'url' => '/authtokens'
+			],
+		],
+		'routes' => [
+			[
+				'name' => 'SAML#login',
+				'url' => '/saml/login',
+				'verb' => 'GET',
+			],
+			[
+				'name' => 'SAML#getMetadata',
+				'url' => '/saml/metadata',
+				'verb' => 'GET',
+			],
+			[
+				'name' => 'SAML#assertionConsumerService',
+				'url' => '/saml/acs',
+				'verb' => 'POST',
+			],
+			[
+				'name' => 'SAML#singleLogoutService',
+				'url' => '/saml/sls',
+				'verb' => 'GET',
+			],
+		]
+	]
+);
 

css/personal.css

@@ -0,0 +1,30 @@
+#user-saml-apppasswords table {
+	width: 100%;
+	min-height: 150px;
+	padding-top: 25px;
+}
+#user-saml-appasswords table th {
+	font-weight: 800;
+}
+#user-saml-apppasswords table th,
+#user-saml-apppasswords table td {
+	padding: 10px;
+}
+
+#user-saml-apppasswords .token-list td {
+	border-top: 1px solid #DDD;
+	text-overflow: ellipsis;
+	max-width: 200px;
+	white-space: nowrap;
+	overflow: hidden;
+}
+#user-saml-apppasswords .token-list td a.icon-delete {
+	display: block;
+	opacity: 0.6;
+}
+
+#user-saml-new-app-password {
+	width: 186px;
+	font-family: monospace;
+	background-color: lightyellow;
+}

js/admin.js

@@ -1,4 +1,3 @@
-
 function setSAMLConfigValue(category, setting, value) {
 	OC.msg.startSaving('#user-saml-save-indicator');
 	OC.AppConfig.setValue('user_saml', category+'-'+setting, value);

js/personal.js

@@ -0,0 +1,9 @@
+$(function() {
+
+	// Show token views
+	var collection = new OCA.User_SAML.AuthTokenCollection();
+	var view = new OCA.User_SAML.AuthTokenView({
+		collection: collection
+	});
+	view.reload();
+});

js/personal/authtoken-collection.js

@@ -0,0 +1,52 @@
+/* global Backbone */
+
+/**
+ * @author Christoph Wurst <christoph@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+(function(OCA, Backbone) {
+	'use strict';
+
+	OCA.User_SAML = OCA.User_SAML || {};
+
+	var AuthTokenCollection = Backbone.Collection.extend({
+
+		model: OCA.User_SAML.AuthToken,
+
+		/**
+		 * Show recently used sessions/devices first
+		 *
+		 * @param {OCA.User_SAML.AuthToken} t1
+		 * @param {OCA.User_SAML.AuthToken} t2
+		 * @returns {Boolean}
+		 */
+		comparator: function (t1, t2) {
+			var ts1 = parseInt(t1.get('lastActivity'), 10);
+			var ts2 = parseInt(t2.get('lastActivity'), 10);
+			return ts1 < ts2;
+		},
+
+		tokenType: null,
+
+		url: OC.generateUrl('/apps/user_saml/authtokens')
+	});
+
+	OCA.User_SAML.AuthTokenCollection = AuthTokenCollection;
+
+})(OCA, Backbone);

js/personal/authtoken.js

@@ -0,0 +1,33 @@
+/* global Backbone */
+
+/**
+ * @author Christoph Wurst <christoph@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+(function(OCA, Backbone) {
+	'use strict';
+
+	OCA.User_SAML = OCA.User_SAML || {};
+
+	var AuthToken = Backbone.Model.extend({
+	});
+
+	OCA.User_SAML.AuthToken = AuthToken;
+
+})(OCA, Backbone);

js/personal/authtoken_view.js

@@ -0,0 +1,230 @@
+/* global Backbone, Handlebars, moment */
+
+/**
+ * @author Christoph Wurst <christoph@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+(function(OCA, _, Backbone, $, Handlebars, moment) {
+	'use strict';
+
+	OCA.User_SAML = OCA.User_SAML|| {};
+
+	var TEMPLATE_TOKEN =
+		'<tr data-id="{{id}}">'
+		+ '<td class="has-tooltip" title="{{name}}"><span class="token-name">{{name}}</span></td>'
+		+ '<td><a class="icon-delete has-tooltip" title="' + t('core', 'Disconnect') + '"></a></td>'
+		+ '<tr>';
+
+	var SubView = Backbone.View.extend({
+		collection: null,
+		type: 0,
+		_template: undefined,
+
+		template: function(data) {
+			if (_.isUndefined(this._template)) {
+				this._template = Handlebars.compile(TEMPLATE_TOKEN);
+			}
+
+			return this._template(data);
+		},
+
+		initialize: function(options) {
+			this.type = options.type;
+			this.collection = options.collection;
+
+			this.on(this.collection, 'change', this.render);
+		},
+
+		render: function() {
+			var _this = this;
+
+			var list = this.$('.token-list');
+			var tokens = this.collection.filter(function(token) {
+				return parseInt(token.get('type'), 10) === _this.type;
+			});
+			list.html('');
+
+			// Show header only if there are tokens to show
+			this._toggleHeader(tokens.length > 0);
+
+			tokens.forEach(function(token) {
+				var viewData = token.toJSON();
+				var ts = viewData.lastActivity * 1000;
+				viewData.lastActivity = OC.Util.relativeModifiedDate(ts);
+				viewData.lastActivityTime = OC.Util.formatDate(ts, 'LLL');
+				var html = _this.template(viewData);
+				var $html = $(html);
+				$html.find('.has-tooltip').tooltip({container: 'body'});
+				list.append($html);
+			});
+		},
+
+		toggleLoading: function(state) {
+			this.$('.token-list').toggleClass('icon-loading', state);
+		},
+
+		_toggleHeader: function(show) {
+			this.$('.hidden-when-empty').toggleClass('hidden', !show);
+		}
+	});
+
+	var AuthTokenView = Backbone.View.extend({
+		collection: null,
+
+		_views: [],
+
+		_form: undefined,
+
+		_tokenName: undefined,
+
+		_addAppPasswordBtn: undefined,
+
+		_result: undefined,
+
+		_newAppPassword: undefined,
+
+		_hideAppPasswordBtn: undefined,
+
+		_addingToken: false,
+
+		initialize: function(options) {
+			this.collection = options.collection;
+
+			var tokenTypes = [0, 1];
+			var _this = this;
+			_.each(tokenTypes, function(type) {
+				var el = '#user-saml-apppasswords';
+				_this._views.push(new SubView({
+					el: el,
+					type: type,
+					collection: _this.collection
+				}));
+
+				var $el = $(el);
+				$el.on('click', 'a.icon-delete', _.bind(_this._onDeleteToken, _this));
+			});
+
+			this._form = $('#user-saml-app-password-form');
+			this._tokenName = $('#user-saml-app-password-name');
+			this._addAppPasswordBtn = $('#user-saml-add-app-password');
+			this._addAppPasswordBtn.click(_.bind(this._addAppPassword, this));
+
+			this._result = $('#user-saml-app-password-result');
+			this._newAppPassword = $('#user-saml-new-app-password');
+			this._newAppPassword.on('focus', _.bind(this._onNewTokenFocus, this));
+			this._hideAppPasswordBtn = $('#user-saml-app-password-hide');
+			this._hideAppPasswordBtn.click(_.bind(this._hideToken, this));
+		},
+
+		render: function() {
+			_.each(this._views, function(view) {
+				view.render();
+				view.toggleLoading(false);
+			});
+		},
+
+		reload: function() {
+			var _this = this;
+
+			_.each(this._views, function(view) {
+				view.toggleLoading(true);
+			});
+
+			var loadingTokens = this.collection.fetch();
+
+			$.when(loadingTokens).done(function() {
+				_this.render();
+			});
+			$.when(loadingTokens).fail(function() {
+				OC.Notification.showTemporary(t('core', 'Error while loading browser sessions and device tokens'));
+			});
+		},
+
+		_addAppPassword: function() {
+			var _this = this;
+			this._toggleAddingToken(true);
+
+			var deviceName = this._tokenName.val();
+			var creatingToken = $.ajax(OC.generateUrl('/apps/user_saml/authtokens'), {
+				method: 'POST',
+				data: {
+					name: deviceName
+				}
+			});
+
+			$.when(creatingToken).done(function(resp) {
+				_this.collection.add(resp.deviceToken);
+				_this.render();
+				_this._newAppPassword.val(resp.token);
+				_this._toggleFormResult(false);
+				_this._newAppPassword.select();
+				_this._tokenName.val('');
+			});
+			$.when(creatingToken).fail(function() {
+				OC.Notification.showTemporary(t('core', 'Error while creating device token'));
+			});
+			$.when(creatingToken).always(function() {
+				_this._toggleAddingToken(false);
+			});
+		},
+
+		_onNewTokenFocus: function() {
+			this._newAppPassword.select();
+		},
+
+		_hideToken: function() {
+			this._toggleFormResult(true);
+		},
+
+		_toggleAddingToken: function(state) {
+			this._addingToken = state;
+			this._addAppPasswordBtn.toggleClass('icon-loading-small', state);
+		},
+
+		_onDeleteToken: function(event) {
+			var $target = $(event.target);
+			var $row = $target.closest('tr');
+			var id = $row.data('id');
+
+			var token = this.collection.get(id);
+			if (_.isUndefined(token)) {
+				// Ignore event
+				return;
+			}
+
+			var destroyingToken = token.destroy();
+
+			var _this = this;
+			$.when(destroyingToken).fail(function() {
+				OC.Notification.showTemporary(t('core', 'Error while deleting the token'));
+			});
+			$.when(destroyingToken).always(function() {
+				_this.render();
+			});
+		},
+
+		_toggleFormResult: function(showForm) {
+			this._form.toggleClass('hidden', !showForm);
+			this._result.toggleClass('hidden', showForm);
+		}
+	});
+
+	OCA.User_SAML.AuthTokenView = AuthTokenView;
+
+})(OCA, _, Backbone, $, Handlebars, moment);

lib/appinfo/application.php

@@ -21,6 +21,7 @@
 
 namespace OCA\User_SAML\AppInfo;
 
+use OCA\User_SAML\Controller\AuthSettingsController;
 use OCA\User_SAML\Controller\SAMLController;
 use OCA\User_SAML\Controller\SettingsController;
 use OCA\User_SAML\SAMLSettings;
@@ -35,6 +36,19 @@ class Application extends App {
 		/**
 		 * Controller
 		 */
+		$container->registerService('AuthSettingsController', function(IAppContainer $c) {
+			/** @var \OC\Server $server */
+			$server = $c->query('ServerContainer');
+			return new AuthSettingsController(
+				$c->getAppName(),
+				$server->getRequest(),
+				$server->getUserManager(),
+				$server->getSession(),
+				$server->getSecureRandom(),
+				$server->getDb(),
+				$server->getUserSession()->getUser()->getUID()
+			);
+		});
 		$container->registerService('SettingsController', function(IAppContainer $c) {
 			/** @var \OC\Server $server */
 			$server = $c->query('ServerContainer');

lib/controller/authsettingscontroller.php

@@ -0,0 +1,167 @@
+<?php
+/**
+ * @author Christoph Wurst <christoph@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+namespace OCA\User_SAML\Controller;
+
+use OC\AppFramework\Http;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDb;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IUserManager;
+use OCP\Security\ISecureRandom;
+
+class AuthSettingsController extends Controller {
+	/** @var IUserManager */
+	private $userManager;
+	/** @var ISession */
+	private $session;
+	/** @var string */
+	private $uid;
+	/** @var ISecureRandom */
+	private $random;
+	/** @var IDb */
+	private $db;
+
+	/**
+	 * @param string $appName
+	 * @param IRequest $request
+	 * @param IUserManager $userManager
+	 * @param ISession $session
+	 * @param ISecureRandom $random
+	 * @param IDb $db
+	 * @param string $uid
+	 */
+	public function __construct($appName,
+								IRequest $request,
+								IUserManager $userManager,
+								ISession $session,
+								ISecureRandom $random,
+								IDb $db,
+								$uid) {
+		parent::__construct($appName, $request);
+		$this->userManager = $userManager;
+		$this->uid = $uid;
+		$this->session = $session;
+		$this->random = $random;
+		$this->db = $db;
+	}
+	/**
+	 * @NoAdminRequired
+	 *
+	 * @return JSONResponse
+	 */
+	public function index() {
+		$user = $this->userManager->get($this->uid);
+		if (is_null($user)) {
+			return [];
+		}
+
+		/* @var $qb IQueryBuilder */
+		$qb = $this->db->getQueryBuilder();
+		$qb->select('id', 'uid', 'name', 'token')
+			->from('user_saml_auth_token')
+			->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
+			->setMaxResults(1000);
+		$result = $qb->execute();
+		$data = $result->fetchAll();
+		$result->closeCursor();
+
+		foreach($data as $key => $entry) {
+			unset($data[$key]['token']);
+			unset($data[$key]['uid']);
+			$data[$key]['id'] = (int)$data[$key]['id'];
+			$data[$key]['type'] = 1;
+		}
+
+		return $data;
+	}
+
+	/**
+	 * @NoAdminRequired
+	 *
+	 * @param string $name
+	 * @return JSONResponse
+	 */
+	public function create($name) {
+		$token = $this->generateRandomDeviceToken();
+
+		$values = [
+			'uid' => $this->uid,
+			'name' => $name,
+			'token' => password_hash($token, PASSWORD_DEFAULT),
+		];
+
+		/* @var $qb IQueryBuilder */
+		$qb = $this->db->getQueryBuilder();
+		$qb->insert('user_saml_auth_token');
+		foreach($values as $column => $value) {
+			$qb->setValue($column, $qb->createNamedParameter($value));
+		}
+		$qb->execute();
+
+		return [
+			'token' => $token,
+			'loginName' => $name,
+			'deviceToken' => [
+				'id' => $qb->getLastInsertId(),
+				'name' => $name,
+				'type' => 1,
+ 			],
+		];
+	}
+	/**
+	 * Return a 20 digit device password
+	 *
+	 * Example: ABCDE-FGHIJ-KLMNO-PQRST
+	 *
+	 * @return string
+	 */
+	private function generateRandomDeviceToken() {
+		$groups = [];
+		for ($i = 0; $i < 4; $i++) {
+			$groups[] = $this->random->generate(5, implode('', range('A', 'Z')));
+		}
+		return implode('-', $groups);
+	}
+	/**
+	 * @NoAdminRequired
+	 *
+	 * @param string $id
+	 * @return JSONResponse
+	 */
+	public function destroy($id) {
+		$user = $this->userManager->get($this->uid);
+		if (is_null($user)) {
+			return [];
+		}
+
+		/* @var $qb IQueryBuilder */
+		$qb = $this->db->getQueryBuilder();
+		$qb->delete('user_saml_auth_token')
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
+			->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())));
+		$qb->execute();
+
+		return [];
+	}
+}

lib/controller/settingscontroller.php

@@ -45,7 +45,17 @@ class SettingsController extends Controller {
 		$this->l10n = $l10n;
 	}
 
-	public function displayPanel() {
+	/**
+	 * @return Http\TemplateResponse
+	 */
+	public function displayPersonalPanel() {
+		return new Http\TemplateResponse($this->appName, 'personal', [], 'blank');
+	}
+
+	/**
+	 * @return Http\TemplateResponse
+	 */
+	public function displayAdminPanel() {
 		$serviceProviderFields = [
 			'x509cert' => $this->l10n->t('X.509 certificate of the Service Provider'),
 			'privateKey' => $this->l10n->t('Private key of the Service Provider'),
@@ -80,7 +90,7 @@ class SettingsController extends Controller {
 			'general' => $generalSettings,
 		];
 
-		return new Http\TemplateResponse($this->appName, 'settings', $params, 'blank');
+		return new Http\TemplateResponse($this->appName, 'admin', $params, 'blank');
 	}
 
 }

lib/userbackend.php

@@ -22,6 +22,8 @@
 namespace OCA\User_SAML;
 
 use OCP\Authentication\IApacheBackend;
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDb;
 use OCP\UserInterface;
 use OCP\IUserBackend;
 use OCP\IConfig;
@@ -38,21 +40,26 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 	private $urlGenerator;
 	/** @var ISession */
 	private $session;
+	/** @var IDb */
+	private $db;
 
 	/**
 	 * @param IConfig $config
 	 * @param ILogger $logger
 	 * @param IURLGenerator $urlGenerator
 	 * @param ISession $session
+	 * @param IDb $db
 	 */
 	public function __construct(IConfig $config,
 								ILogger $logger,
 								IURLGenerator $urlGenerator,
-								ISession $session) {
+								ISession $session,
+								IDb $db) {
 		$this->config = $config;
 		$this->logger = $logger;
 		$this->urlGenerator = $urlGenerator;
 		$this->session = $session;
+		$this->db = $db;
 	}
 
 	/**
@@ -65,9 +72,40 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 	 * @since 4.5.0
 	 */
 	public function implementsActions($actions) {
+		return (bool)((\OC_User_Backend::CHECK_PASSWORD | \OC_User_Backend::GET_DISPLAYNAME)
+			& $actions);
+	}
+
+	/**
+	 * Check if the provided token is correct
+	 * @param string $uid The username
+	 * @param string $password The password
+	 * @return string
+	 *
+	 * Check if the password is correct without logging in the user
+	 * returns the user id or false
+	 */
+	public function checkPassword($uid, $password) {
+		/* @var $qb IQueryBuilder */
+		$qb = $this->db->getQueryBuilder();
+		$qb->select('token')
+			->from('user_saml_auth_token')
+			->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
+			->setMaxResults(1000);
+		$result = $qb->execute();
+		$data = $result->fetchAll();
+		$result->closeCursor();
+
+		foreach($data as $passwords) {
+			if(password_verify($password, $passwords['token'])) {
+				return $uid;
+			}
+		}
+
 		return false;
 	}
 
+
 	/**
 	 * delete a user
 	 * @param string $uid The username of the user to delete

personal.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+$app = new \OCA\User_SAML\AppInfo\Application();
+/** @var \OCA\User_SAML\Controller\SettingsController $controller */
+$controller = $app->getContainer()->query('SettingsController');
+return $controller->displayPersonalPanel()->render();

templates/admin.php

@@ -1,6 +1,6 @@
 <?php
-script('user_saml', 'settings');
-style('user_saml', 'settings');
+script('user_saml', 'admin');
+style('user_saml', 'admin');
 
 /** @var array $_ */
 ?>

templates/personal.php

@@ -0,0 +1,40 @@
+<?php
+style('user_saml', 'personal');
+
+script('user_saml', [
+	'personal/authtoken',
+	'personal/authtoken-collection',
+	'personal/authtoken_view',
+	'personal',
+]);
+
+/** @var array $_ */
+?>
+
+<div id="user-saml-apppasswords" class="section">
+	<h2><?php p($l->t('App passwords'));?></h2>
+	<span class="hidden-when-empty"><?php p($l->t("You've linked these apps."));?></span>
+	<table>
+		<thead class="hidden-when-empty">
+		<tr>
+			<th><?php p($l->t('Name'));?></th>
+			<th></th>
+		</tr>
+		</thead>
+		<tbody class="token-list icon-loading">
+		</tbody>
+	</table>
+	<p><?php p($l->t('An app password is a passcode that gives an app or device permissions to access your %s account.', [$theme->getName()]));?></p>
+	<div id="user-saml-app-password-form">
+		<input id="user-saml-app-password-name" type="text" placeholder="<?php p($l->t('App name')); ?>">
+		<button id="user-saml-add-app-password" class="button"><?php p($l->t('Create new app password')); ?></button>
+	</div>
+	<div id="user-saml-app-password-result" class="hidden">
+		<span><?php p($l->t('Use the credentials below to configure your app or device.')); ?></span>
+		<div class="user-saml-app-password-row">
+			<span class="user-saml-app-password-label"><?php p($l->t('Password')); ?></span>
+			<input id="user-saml-new-app-password" type="text" readonly="readonly"/>
+			<button id="user-saml-app-password-hide" class="button"><?php p($l->t('Done')); ?></button>
+		</div>
+	</div>
+</div>