nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	a143337791	Emit an error log when the app token login name does not match Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	4 years ago
John Molakvoæ (skjnldsv)	215aef3cbd	Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	5 years ago
Joas Schilling	521bb30541	Throw "401 Unauthenticated" when authentication is provided but invalid E.g. with an AppToken that has been revoked Signed-off-by: Joas Schilling <coding@schilljs.com>	5 years ago
Lionel Elie Mamane	f99f463834	token login: emit preLogin event with LoginName to bring it in line with normal (non-token) login. Signed-off-by: Lionel Elie Mamane <lionel@mamane.lu>	5 years ago
Christoph Wurst	d89a75be0b	Update all license headers for Nextcloud 21 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	5 years ago
Morris Jobke	5cc348ae72	Fix typo Signed-off-by: Morris Jobke <hey@morrisjobke.de>	5 years ago
Roeland Jago Douma	48b4b83b5a	Remember me is not an app_password While technically they are stored the same. This session variable is used to indicate that a user is using an app password to authenticate. Like from a client. Or when having it generated automatically. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	5 years ago
Roeland Jago Douma	e93823cba0	Bearer must be in the start of the auth header Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	5 years ago
Christoph Wurst	1f7f93a695	Update license headers for Nextcloud 20 (again) There are still lots of outdated headers, so time for another round of updates. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	5 years ago
Lionel Elie Mamane	ac8b40b8b1	Return correct loginname in credentials, even when token is invalid or has no password. Returning the uid as loginname is wrong, and leads to problems when these differ. E.g. the getapppassword API was creating app token with the uid as loginname. In a scenario with external authentication (such as LDAP), these tokens were then invalidated next time their underlying password was checked, and systematically ceased to function. Co-authored-by: kesselb <mail@danielkesselberg.de> for: switch to consistent camelCase Signed-off-by: Lionel Elie Mamane <lionel@mamane.lu>	5 years ago
Christoph Wurst	5b92f35fe2	Log why a token is not valid during password check Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	14c996d982	Use elseif instead of else if Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	44577e4345	Remove trailing and in between spaces Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	85e369cddb	Fix multiline comments Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	c4998efcfc	Migrate to PSR1 coding style Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Roeland Jago Douma	84f3d2ddeb	[POC] Event for failed login attempts Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	6 years ago
Christoph Wurst	b80ebc9674	Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	df9e2b828a	Fix mismatching docblock return types Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	d808f9c053	Add typed events for all user hooks and legacy events Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	5bf3d1bb38	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	535000aac6	Make the post login event public Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Roeland Jago Douma	5122629bb0	Make renewSessionToken return the new token Avoids directly getting the token again. We just inserted it so it and have all the info. So that query is just a waste. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	6 years ago
Greta Doci	0a874c51af	Disable app token creation for impersonated people, ref #15539 Signed-off-by: Greta Doci <gretadoci@gmail.com>	6 years ago
Roeland Jago Douma	ba60fafb9a	Add proper PostLoginEvent This can be used by othr mechanisms to listen for this event in a lazy fashion. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Christoph Wurst	ad5a658e0c	Add isTokenLogin argument to post login hook/event Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	7 years ago
Roeland Jago Douma	6980ecf7ab	Throttle with correct metadata Fixes #13202 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	c2beb36bfc	Bearer tokens are app token Fixes #12498 This means that we set that it is a proper app token once it is validated. This will allow the 2FA middleware to just run the same check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	2223d19997	Error out early on an expired token Fixes #12131 If we hit an expired token there is no need to continue checking. Since we know it is a token. We also should not register this with the bruteforce throttler as it is actually a valid token. Just expired. Instead the authentication should fail. And buisness continues as usual. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	d9febae5b2	Update all the publickey tokens if needed on web login * On weblogin check if we have invalid public key tokens * If so update them all with the new token This ensures that your marked as invalid tokens work again if you once login on the web. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	00e99af586	Mark token as invalid if the password doesn't match Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	9a7265babf	Make authenticated cookies lax This protects our cookies a bit more. It makes sure that when a 3rdparty websites embededs a public alendar for example. That all the users see this in anonymous mode there. It adds a small helper function. In the future we can think about protecting other cookies like this as well. But for now this is sufficient to not have the user logged in at all when doing 3rdparty requests. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	ac4735a4f2	Update the scope of the lockdownmanager We have the token anyway. So better the scope as well. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	8c47a632e0	Allow updating the token on session regeneration Sometimes when we force a session regeneration we want to update the current token for this session. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Arthur Schiwon	373a1d5391	more consistent naming Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	8 years ago
Arthur Schiwon	2ebf26e444	admin_audit and dav listen to announce and revoke signals also place them in doc Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	8 years ago
Morris Jobke	d3d045dd5c	Remove unused import statements Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Morris Jobke	16a558871c	Use proper code flow instead of not needed else branch Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	ef127a30ec	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	0660e57b1f	Don't polute log when loggin into dav with email * We first try the email as username but this fails * Then we get the uid from the email and try again We should not log the first attempt since it polutes the log with failed login attempts while the login actually is valid. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Christoph Wurst	87aeae21e3	Fix failing csp/nonce check due to timed out session The CSP nonce is based on the CSRF token. This token does not change, unless you log in (or out). In case of the session data being lost, e.g. because php gets rid of old sessions, a new CSRF token is gen- erated. While this is fine in theory, it actually caused some annoying problems where the browser restored a tab and Nextcloud js was blocked due to an outdated nonce. The main problem here is that, while processing the request, we write out security headers relatively early. At that point the CSRF token is known/generated and transformed into a CSP nonce. During this request, however, we also log the user in because the session information was lost. At that point we also refresh the CSRF token, which eventually causes the browser to block any scripts as the nonce in the header does not match the one which is used to include scripts. This patch adds a flag to indicate whether the CSRF token should be refreshed or not. It is assumed that refreshing is only necessary if we want to re-generate the session id too. To my knowledge, this case only happens on fresh logins, not when we recover from a deleted session file. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	8 years ago
Lukas Reschke	5f71805c35	Add basic implementation for OAuth 2.0 Authorization Code Flow Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Christoph Wurst	0a43c259c4	Fix encryption + remembered login due to missing login hook The encryption app relies on the post_login hook to initialize its keys. Since we do not emit it on a remembered login, the keys were always un- initialized and the user was asked to log out and in again. This patch translates the postRememberedLogin hook to a post_login hook. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Robin Appelman	2b0da0f218	handle permissions errors when copying the skeleton for a read only user Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Morris Jobke	ac05d6dd67	Improve PHPDoc Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Arthur Schiwon	fbadb37b9b	use known LockdownManager Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	0a463e55ae	Save correct login name Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	daf9d23547	don't regenerate Session ID twice, also fixes tests Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	50844e8c47	regenerate session id on successful login, fixes integration test Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago

1 2 3

124 Commits (1f42657bb9ea76353fbc02ee100cff5755b6384d)