nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Roeland Jago Douma	6dc179ee12	Fix login flow form actions So fun fact. Chrome considers a redirect after submitting a form part of the form actions. Since we redirect to a new protocol (nc://login/). Causing the form submission to work but the redirect failing hard. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Daniel Kesselberg	c583c5e7e2	Emit event if app password created Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	7 years ago
Daniel Kesselberg	149a98edf6	Publish activity for app token created by client login flow Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	7 years ago
Roeland Jago Douma	b68567e9ba	Add StandaloneTemplateResponse This can be used by pages that do not have the full Nextcloud UI. So notifications etc do not load there. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	66367797df	Fix template paramter Else we get shown an error page instead of the correct 403. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	e6ac233947	Fix loginflow with apptoken enter on iOS It seems iOS doesn't like us to change the location. So now we submit it to the server that geneartes the redirect. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	763b52d402	Fix SAML Client login flow on Apple devices Because the redirect from the SAML/SSO endpoint is a POST the lax/strict cookies are not properly send. Note that it is not strictly requried on this endpoint as we do not need the remember me data. Only the real session info is enough. The endpoint is also already protected by a state token. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
John Molakvoæ (skjnldsv)	5e4990fadd	Remove redirect page Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	7 years ago
Roeland Jago Douma	92582a350d	Use the proper server for the apptoken flow login If a user can't authenticate normally (because they have 2FA that is not available on their devices for example). The redirect that is generated should be of the proper format. This means 1. Include the protocol 2. Include the possible subfolder Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	be2d8cc4e9	Do not invalidate main token on OAuth Fixes #10584 We deleted the main token when using the login flow else mutliple tokens would show up for a single user. However in the case of OAuth this is perfectly fine as the authentication happens really in your browser: 1. You are already logged in, no need to log you out 2. You are not logged in yet, but since you log in into the exact same browser the expected behavior is to stay logged in. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	5a97148863	Don't use special chars to avoid confusion Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	177c8972cc	Improve login flow * Add page explaining you are about to grant access * Show grant access page after login Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	4ef302c0be	Request->getHeader() should always return a string PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant. Found while enabling the strict_typing for lib/private for the PHP7+ migration. Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Mario Danic	cc742ce9e7	Fix bug with proxies Signed-off-by: Mario Danic <mario@lovelyhq.com>	8 years ago
Roeland Jago Douma	82f03e1314	Clear login token once apppassword is generated Fixes #7697 When using the new login flow a token will be generated since we login. However after that we generate yet another token to return (as we should). However we should kill the current session token as we are done with it. And will never use it again. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Mario Danic	c2cd5fc5d3	Fix flow Signed-off-by: Mario Danic <mario@lovelyhq.com>	8 years ago
Julius Härtl	cd1bfea8c4	Theming: theme flow redirection page Signed-off-by: Julius Härtl <jus@bitgrid.net>	8 years ago
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Morris Jobke	504c1abee0	Fix undefined index oauthState Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Lukas Reschke	26ee889fec	Add tests for ClientFlowLoginController Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	b07a0f51ba	Add OAuth state to session Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Bjoern Schiessle	23b296b66e	use name of oauth app to identify auth token Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Bjoern Schiessle	a74d67b69c	show error page if no valid client identifier is given and if it is not a API request Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Lukas Reschke	e86749121c	Remove special characters Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	5f71805c35	Add basic implementation for OAuth 2.0 Authorization Code Flow Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Mario Danic	e4aac15a92	Update login flow redirection Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Roeland Jago Douma	aae079aa29	AppToken to 72 chars Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Roeland Jago Douma	bb5e5efa6d	Do not remove the state token to early we should check the stateToken before we remove it. Else the check will always fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Lukas Reschke	6a16df7288	Add new auth flow This implements the basics for the new app-password based authentication flow for our clients. The current implementation tries to keep it as simple as possible and works the following way: 1. Unauthenticated client opens `/index.php/login/flow` 2. User will be asked whether they want to grant access to the client 3. If accepted the user has the chance to do so using existing App Token or automatically generate an app password. If the user chooses to use an existing app token then that one will simply be redirected to the `nc://` protocol handler. While we can improve on that in the future, I think keeping this smaller at the moment has its advantages. Also, in the near future we have to think about an automatic migration endpoint so there's that anyways :-) If the user chooses to use the regular login the following happens: 1. A session state token is written to the session 2. User is redirected to the login page 3. If successfully authenticated they will be redirected to a page redirecting to the POST controller 4. The POST controller will check if the CSRF token as well as the state token is correct, if yes the user will be redirected to the `nc://` protocol handler. This approach is quite simple but also allows to be extended in the future. One could for example allow external websites to consume this authentication endpoint as well. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago

29 Commits (6dc179ee12fe86a6e70ff53630d60da3e5aecc60)