nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	ad5a658e0c	Add isTokenLogin argument to post login hook/event Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	7 years ago
Roeland Jago Douma	6980ecf7ab	Throttle with correct metadata Fixes #13202 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	c2beb36bfc	Bearer tokens are app token Fixes #12498 This means that we set that it is a proper app token once it is validated. This will allow the 2FA middleware to just run the same check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	2223d19997	Error out early on an expired token Fixes #12131 If we hit an expired token there is no need to continue checking. Since we know it is a token. We also should not register this with the bruteforce throttler as it is actually a valid token. Just expired. Instead the authentication should fail. And buisness continues as usual. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	d9febae5b2	Update all the publickey tokens if needed on web login * On weblogin check if we have invalid public key tokens * If so update them all with the new token This ensures that your marked as invalid tokens work again if you once login on the web. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	00e99af586	Mark token as invalid if the password doesn't match Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	9a7265babf	Make authenticated cookies lax This protects our cookies a bit more. It makes sure that when a 3rdparty websites embededs a public alendar for example. That all the users see this in anonymous mode there. It adds a small helper function. In the future we can think about protecting other cookies like this as well. But for now this is sufficient to not have the user logged in at all when doing 3rdparty requests. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	ac4735a4f2	Update the scope of the lockdownmanager We have the token anyway. So better the scope as well. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	8c47a632e0	Allow updating the token on session regeneration Sometimes when we force a session regeneration we want to update the current token for this session. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Arthur Schiwon	373a1d5391	more consistent naming Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	8 years ago
Arthur Schiwon	2ebf26e444	admin_audit and dav listen to announce and revoke signals also place them in doc Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	8 years ago
Morris Jobke	d3d045dd5c	Remove unused import statements Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Morris Jobke	16a558871c	Use proper code flow instead of not needed else branch Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	ef127a30ec	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	0660e57b1f	Don't polute log when loggin into dav with email * We first try the email as username but this fails * Then we get the uid from the email and try again We should not log the first attempt since it polutes the log with failed login attempts while the login actually is valid. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Christoph Wurst	87aeae21e3	Fix failing csp/nonce check due to timed out session The CSP nonce is based on the CSRF token. This token does not change, unless you log in (or out). In case of the session data being lost, e.g. because php gets rid of old sessions, a new CSRF token is gen- erated. While this is fine in theory, it actually caused some annoying problems where the browser restored a tab and Nextcloud js was blocked due to an outdated nonce. The main problem here is that, while processing the request, we write out security headers relatively early. At that point the CSRF token is known/generated and transformed into a CSP nonce. During this request, however, we also log the user in because the session information was lost. At that point we also refresh the CSRF token, which eventually causes the browser to block any scripts as the nonce in the header does not match the one which is used to include scripts. This patch adds a flag to indicate whether the CSRF token should be refreshed or not. It is assumed that refreshing is only necessary if we want to re-generate the session id too. To my knowledge, this case only happens on fresh logins, not when we recover from a deleted session file. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	8 years ago
Lukas Reschke	5f71805c35	Add basic implementation for OAuth 2.0 Authorization Code Flow Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Christoph Wurst	0a43c259c4	Fix encryption + remembered login due to missing login hook The encryption app relies on the post_login hook to initialize its keys. Since we do not emit it on a remembered login, the keys were always un- initialized and the user was asked to log out and in again. This patch translates the postRememberedLogin hook to a post_login hook. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Robin Appelman	2b0da0f218	handle permissions errors when copying the skeleton for a read only user Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Morris Jobke	ac05d6dd67	Improve PHPDoc Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Arthur Schiwon	fbadb37b9b	use known LockdownManager Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	0a463e55ae	Save correct login name Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	daf9d23547	don't regenerate Session ID twice, also fixes tests Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	50844e8c47	regenerate session id on successful login, fixes integration test Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	7b3fdfeeaa	do login routine only once when done via LoginController Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Robin Appelman	baec42e80a	Save the scope of an auth token in the session Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Felix Rupp	e7dc1f4326	Add postLogout hook to finish sessions from external session managers (#27048 ) * Add postLogout hook to finish sessions from external session managers like CAS * Add postLogout hook to finish sessions from external session managers like CAS Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Joas Schilling	7c47f822a1	Save the used token id in the session so it can be used later on Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Sandro Lutz	9b6f99ab08	Update license header Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Sandro Lutz	6feff0ceba	Add check if UserManager is of type PublicEmitter before calling preLogin hook Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Sandro Lutz	e30d28f7eb	Change where preLogin hook gets called Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Bjoern Schiessle	cdf01feba7	add action to existing brute force protection Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Joas Schilling	5aa388bbe2	Make sure the loginname is set when logging in via cookie Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Roeland Jago Douma	e368a745aa	Set last-login-check on basic auth Else the last-login-check fails hard because the session value is not set and thus defaults to 0. * Started with tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
justin-sleep	25a5c655f7	Move integer casting to the top of the chain Signed-off-by: justin-sleep <justin@quarterfull.com>	9 years ago
justin-sleep	bcadd22480	Explicitly cast $remember to int rather than using identity operator Signed-off-by: justin-sleep <justin@quarterfull.com>	9 years ago
justin-sleep	9ee9d21cfd	Fix #2427 by converting $remember to integer Signed-off-by: justin-sleep <justin@quarterfull.com>	9 years ago
Christoph Wurst	9b808c4014	do not remember session tokens by default We have to respect the value of the remember-me checkbox. Due to an error in the source code the default value for the session token was to remember it. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Robin Appelman	0e88b519d1	fix warning with token login Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Robin Appelman	2389e0f250	read lockdown scope from token Signed-off-by: Robin Appelman <icewind@owncloud.com>	9 years ago
Robin Appelman	b56f2c9ed0	basic lockdown logic Signed-off-by: Robin Appelman <icewind@owncloud.com>	9 years ago
Thomas Müller	506ccdbd8d	Introduce an event for first time login based on the last login time stamp Use firstLogin event to trigger creation of default calendar and default address book Delay login of admin user after setup so that firstLogin event can properly be processed for the admin Fixing tests ... Skeleton files are not copied over -> only 3 cache entries are remaining Use updateLastLoginTimestamp to properly setup lastLogin value for a test user	9 years ago
Christoph Wurst	6f86e468d4	inject ISecureRandom into user session and use injected config too Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Christoph Wurst	d907666232	bring back remember-me * try to reuse the old session token for remember me login * decrypt/encrypt token password and set the session id accordingly * create remember-me cookies only if checkbox is checked and 2fa solved * adjust db token cleanup to store remembered tokens longer * adjust unit tests Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Vincent Petry	6d1e858aa4	Fix logClientIn for non-existing users (#26292 ) The check for two factor enforcement would return true for non-existing users. This fix makes it return false in order to be able to perform the regular login which will then fail and return false. This prevents throwing PasswordLoginForbidden for non-existing users.	9 years ago
Robin Appelman	25ed6714c7	dont update the auth token twice Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Robin Appelman	6c93fe08f5	dont get bruteforce delay twice	9 years ago
Jörn Friedrich Dreyer	291b3fd8b4	missing PHPDoc	10 years ago
Jörn Friedrich Dreyer	da5633c31a	Type compatability	10 years ago

1 2

100 Commits (83b00a99fa7fed776ceadfbfbb653832c6076688)