| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
|
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
Any `\OCP\Authentication\IApacheBackend` previously had to implement `getLogoutAttribute` which returns a string.
This string is directly injected into the logout `<a>` tag, so returning something like `href="foo"` would result
in `<a href="foo">`.
This is rather error prone and also in Nextcloud 12 broken as the logout entry has been moved with
054e161eb5f4a5c5c13ee322ae8e93ce66f01b13 inside the navigation manager where one cannot simply inject attributes.
Thus this feature is broken in Nextcloud 12 which effectively leads to the bug described at nextcloud/user_saml#112,
people cannot logout anymore when using SAML using SLO. Basically in case of SAML you have a SLO url which redirects
you to the IdP and properly logs you out there as well.
Instead of monkey patching the Navigation manager I decided to instead change `\OCP\Authentication\IApacheBackend` to
use `\OCP\Authentication\IApacheBackend::getLogoutUrl` instead where it can return a string with the appropriate logout
URL. Since this functionality is only prominently used in the SAML plugin. Any custom app would need a small change but
I'm not aware of any and there's simply no way to fix this properly otherwise.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Signed-off-by: Georg Ehrke <developer@georgehrke.com>
|
|
Signed-off-by: Jan-Christoph Borchardt <hey@jancborchardt.net>
|
|
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
* load list of contacts from the server
* show last message of each contact
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
This implements the basics for the new app-password based authentication flow for our clients.
The current implementation tries to keep it as simple as possible and works the following way:
1. Unauthenticated client opens `/index.php/login/flow`
2. User will be asked whether they want to grant access to the client
3. If accepted the user has the chance to do so using existing App Token or automatically generate an app password.
If the user chooses to use an existing app token then that one will simply be redirected to the `nc://` protocol handler.
While we can improve on that in the future, I think keeping this smaller at the moment has its advantages. Also, in the
near future we have to think about an automatic migration endpoint so there's that anyways :-)
If the user chooses to use the regular login the following happens:
1. A session state token is written to the session
2. User is redirected to the login page
3. If successfully authenticated they will be redirected to a page redirecting to the POST controller
4. The POST controller will check if the CSRF token as well as the state token is correct, if yes the user will be redirected to the `nc://` protocol handler.
This approach is quite simple but also allows to be extended in the future. One could for example allow external websites to consume this authentication endpoint as well.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
* fixes #4383
* improves consistency
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
nextcloud/adjust-old-bruteforce-protection-annotations
Adjust existing bruteforce protection code
|
|
While the risk is actually quite low because one would already have the user session and could potentially do other havoc it makes sense to throttle here in case of invalid previous password attempts.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
- Moves code to annotation
- Adds the `throttle()` call on the responses on existing annotations
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.
Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Update email template for lost password email
|
|
nextcloud/fix-login-controller-test-consolidate-login
Fix login controller test and consolidate login
|
|
Dont create a log entry on email login
|
|
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
* currently there are two ways to access default values:
OCP\Defaults or OC_Defaults (which is extended by
OCA\Theming\ThemingDefaults)
* our code used a mixture of both of them, which made
it hard to work on theme values
* this extended the public interface with the missing
methods and uses them everywhere to only rely on the
public interface
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Allow to reset the password with the email as an input
|
|
* Safari support gzip only if the filename does not
end on .gz - so this renames them to .gzip
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Single user mode basically disables WebDAV, OCS and cron execution. Since
we heavily rely on WebDAV and OCS also in the web UI it's basically useless.
An admin only sees a broken interface and can't even change any settings nor
sees any files. Also sharing is not possible.
As this is at least the case since Nextcloud 9 and we haven't received any
reports for this it seems that this feature is not used at all so I removed it.
The encryption commands now rely on the well tested maintenance mode.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
Login credential store
|
|
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
nextcloud/issue-2915-filter-out-sensitive-appconfigs
Filter out sensitive appconfig values
|
|
create new encryption keys on password reset and backup the old one
|
|
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Adds user controller tests
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
