nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	87aeae21e3	Fix failing csp/nonce check due to timed out session The CSP nonce is based on the CSRF token. This token does not change, unless you log in (or out). In case of the session data being lost, e.g. because php gets rid of old sessions, a new CSRF token is gen- erated. While this is fine in theory, it actually caused some annoying problems where the browser restored a tab and Nextcloud js was blocked due to an outdated nonce. The main problem here is that, while processing the request, we write out security headers relatively early. At that point the CSRF token is known/generated and transformed into a CSP nonce. During this request, however, we also log the user in because the session information was lost. At that point we also refresh the CSRF token, which eventually causes the browser to block any scripts as the nonce in the header does not match the one which is used to include scripts. This patch adds a flag to indicate whether the CSRF token should be refreshed or not. It is assumed that refreshing is only necessary if we want to re-generate the session id too. To my knowledge, this case only happens on fresh logins, not when we recover from a deleted session file. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	8 years ago
Lukas Reschke	5f71805c35	Add basic implementation for OAuth 2.0 Authorization Code Flow Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Christoph Wurst	0a43c259c4	Fix encryption + remembered login due to missing login hook The encryption app relies on the post_login hook to initialize its keys. Since we do not emit it on a remembered login, the keys were always un- initialized and the user was asked to log out and in again. This patch translates the postRememberedLogin hook to a post_login hook. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Robin Appelman	2b0da0f218	handle permissions errors when copying the skeleton for a read only user Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Morris Jobke	ac05d6dd67	Improve PHPDoc Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Arthur Schiwon	fbadb37b9b	use known LockdownManager Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	0a463e55ae	Save correct login name Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	daf9d23547	don't regenerate Session ID twice, also fixes tests Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	50844e8c47	regenerate session id on successful login, fixes integration test Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	7b3fdfeeaa	do login routine only once when done via LoginController Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Robin Appelman	baec42e80a	Save the scope of an auth token in the session Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Felix Rupp	e7dc1f4326	Add postLogout hook to finish sessions from external session managers (#27048 ) * Add postLogout hook to finish sessions from external session managers like CAS * Add postLogout hook to finish sessions from external session managers like CAS Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Joas Schilling	7c47f822a1	Save the used token id in the session so it can be used later on Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Sandro Lutz	9b6f99ab08	Update license header Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Sandro Lutz	6feff0ceba	Add check if UserManager is of type PublicEmitter before calling preLogin hook Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Sandro Lutz	e30d28f7eb	Change where preLogin hook gets called Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Bjoern Schiessle	cdf01feba7	add action to existing brute force protection Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Joas Schilling	5aa388bbe2	Make sure the loginname is set when logging in via cookie Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Roeland Jago Douma	e368a745aa	Set last-login-check on basic auth Else the last-login-check fails hard because the session value is not set and thus defaults to 0. * Started with tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
justin-sleep	25a5c655f7	Move integer casting to the top of the chain Signed-off-by: justin-sleep <justin@quarterfull.com>	9 years ago
justin-sleep	bcadd22480	Explicitly cast $remember to int rather than using identity operator Signed-off-by: justin-sleep <justin@quarterfull.com>	9 years ago
justin-sleep	9ee9d21cfd	Fix #2427 by converting $remember to integer Signed-off-by: justin-sleep <justin@quarterfull.com>	9 years ago
Christoph Wurst	9b808c4014	do not remember session tokens by default We have to respect the value of the remember-me checkbox. Due to an error in the source code the default value for the session token was to remember it. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Robin Appelman	0e88b519d1	fix warning with token login Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Robin Appelman	2389e0f250	read lockdown scope from token Signed-off-by: Robin Appelman <icewind@owncloud.com>	9 years ago
Robin Appelman	b56f2c9ed0	basic lockdown logic Signed-off-by: Robin Appelman <icewind@owncloud.com>	9 years ago
Thomas Müller	506ccdbd8d	Introduce an event for first time login based on the last login time stamp Use firstLogin event to trigger creation of default calendar and default address book Delay login of admin user after setup so that firstLogin event can properly be processed for the admin Fixing tests ... Skeleton files are not copied over -> only 3 cache entries are remaining Use updateLastLoginTimestamp to properly setup lastLogin value for a test user	9 years ago
Christoph Wurst	6f86e468d4	inject ISecureRandom into user session and use injected config too Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Christoph Wurst	d907666232	bring back remember-me * try to reuse the old session token for remember me login * decrypt/encrypt token password and set the session id accordingly * create remember-me cookies only if checkbox is checked and 2fa solved * adjust db token cleanup to store remembered tokens longer * adjust unit tests Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Vincent Petry	6d1e858aa4	Fix logClientIn for non-existing users (#26292 ) The check for two factor enforcement would return true for non-existing users. This fix makes it return false in order to be able to perform the regular login which will then fail and return false. This prevents throwing PasswordLoginForbidden for non-existing users.	9 years ago
Robin Appelman	25ed6714c7	dont update the auth token twice Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Robin Appelman	6c93fe08f5	dont get bruteforce delay twice	9 years ago
Jörn Friedrich Dreyer	291b3fd8b4	missing PHPDoc	10 years ago
Jörn Friedrich Dreyer	da5633c31a	Type compatability	10 years ago
Jörn Friedrich Dreyer	5aef60d2ca	Unreachable statement	10 years ago
Joas Schilling	0215b004da	Update with robin	10 years ago
Joas Schilling	ba87db3fcc	Fix others	10 years ago
Lukas Reschke	c1589f163c	Mitigate race condition	10 years ago
Lukas Reschke	ba4f12baa0	Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)	10 years ago
Christoph Wurst	1710de8afb	Login hooks (#25260 ) * fix login hooks * adjust user session tests * fix login return value of successful token logins * trigger preLogin hook earlier; extract method 'loginWithPassword' * call postLogin hook earlier; add PHPDoc	10 years ago
Christoph Wurst	89198e62e8	check login name when authenticating with client token	10 years ago
Christoph Wurst	b805908dca	update session token password on user password change	10 years ago
Christoph Wurst	56199eba37	fix unit test warning/errors	10 years ago
Christoph Wurst	9d74ff02a4	fix nitpick	10 years ago
Christoph Wurst	1889df5c7c	dont create a session token for clients, validate the app password instead	10 years ago
Christoph Wurst	0c0a216f42	store last check timestamp in token instead of session	10 years ago
Christoph Wurst	c4149c59c2	use token last_activity instead of session value	10 years ago
Christoph Wurst	82b50d126c	add PasswordLoginForbiddenException	10 years ago
Christoph Wurst	465807490d	create session token only for clients that support cookies	10 years ago
Christoph Wurst	331d88bcab	create session token on all APIs	10 years ago

1 2

84 Commits (ea3ac4e656408cd564a91ae6916bd7d65c19e922)