upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-03 20:41:22 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 37
41797 commits 651 branches 1179 tags 8.1 GiB
Commit graph

74 commits

Author SHA1 Message Date
Morris Jobke
0eebff152a
Update license headers 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2017-11-06 16:56:19 +01:00
Lukas Reschke
0bccd5a0d9
Fix "Uninitialized string offset: 0 at \/media\/psf\/stable9\/lib\/private\/URLGenerator.php#224" 
The URLGenerator doesn't support `` as target for absolute URLs, we need to link to `/` thus.

Regression introduced with 46229a00f3

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-09-07 08:34:02 +02:00
Morris Jobke
30ca3b70ed Merge pull request #6196 from nextcloud/downstream-26539-2 
Handle invalid ext storage backend to keep mount point visible
 2017-09-04 14:17:28 +02:00
Morris Jobke
0326c2c54f
Fix broken tests 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2017-09-04 14:17:03 +02:00
Julius Härtl
46229a00f3
Add rich link preview to the login page 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2017-09-02 21:39:38 +02:00
Lukas Reschke
f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle 
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-07-27 14:17:45 +02:00
Lukas Reschke
2f87fb6b45
Add Clear-Site-Data header 
This adds a Clear-Site-Data header to the logout response which will delete all relevant data in the caches which may contain potentially sensitive content.

See https://w3c.github.io/webappsec-clear-site-data/#header for the definition of the types.

Ref https://twitter.com/mikewest/status/877149667909406723

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-06-20 19:46:10 +02:00
Ujjwal Bhardwaj
7c23414eef
Disable reset password link. Issue: #27440 2017-05-11 10:27:33 +02:00
Christoph Wurst
bb1d191f82
Fix remember redirect_url on failed login attempts 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2017-04-25 09:38:19 +02:00
Lukas Reschke
8149945a91
Make BruteForceProtection annotation more clever 
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-04-13 23:05:33 +02:00
Morris Jobke
d36751ee38 Merge pull request #2424 from nextcloud/fix-login-controller-test-consolidate-login 
Fix login controller test and consolidate login
 2017-04-13 12:16:38 -05:00
Joas Schilling
7ad791efb4
Dont create a log entry on email login 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2017-04-07 10:15:20 +02:00
Arthur Schiwon
7b3fdfeeaa
do login routine only once when done via LoginController 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2017-04-06 15:22:42 +02:00
Arthur Schiwon
2994cbc586
fix login controller tests 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2017-04-06 15:20:17 +02:00
blizzz
19fc68cbdc Merge pull request #2606 from temparus/master 
Add preLoginValidation hook
 2017-02-15 21:47:47 +01:00
Joas Schilling
ac841ee002 Merge pull request #3362 from nextcloud/fix/nc-token-cookie-name 
oc_token should be nc_token
 2017-02-09 10:07:59 +01:00
Sandro Lutz
9b6f99ab08 Update license header 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-07 01:25:39 +01:00
Sandro Lutz
fa1d607bfa Merge remote-tracking branch 'nextcloud/master' 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-07 00:15:30 +01:00
Sandro Lutz
ff3fa538e4 Add missing use statement for PublicEmitter 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-07 00:12:19 +01:00
Christoph Wurst
5e728d0eda oc_token should be nc_token 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2017-02-02 21:56:44 +01:00
Sandro Lutz
20f878b014 Fix typo for UserManager variable 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:54:00 +01:00
Sandro Lutz
6feff0ceba Add check if UserManager is of type PublicEmitter before calling preLogin hook 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:53:50 +01:00
Sandro Lutz
e30d28f7eb Change where preLogin hook gets called 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:53:42 +01:00
Sandro Lutz
6ab0a3215d Remove preLoginValidation hook 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:53:29 +01:00
Sandro Lutz
e14d50eb1f Fix indentation 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:50:47 +01:00
Sandro Lutz
4ebcd5ac0b Add preLoginValidation hook 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:50:25 +01:00
John Molakvoæ (skjnldsv)
2c9d7eeb76
Fix public page css fallback loading 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
 2017-02-01 18:03:51 +01:00
Morris Jobke
5bad417e57 Merge pull request #2044 from nextcloud/login-credential-store 
Login credential store
 2017-01-30 19:30:04 -06:00
Lukas Reschke
bde1150d04 Merge pull request #3004 from nextcloud/fix-installation-css 
Fixed installation page
 2017-01-22 18:28:33 +01:00
Bjoern Schiessle
cdf01feba7
add action to existing brute force protection 
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
 2017-01-18 15:25:16 +01:00
Christoph Wurst
140555b786
always allow remembered login 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2017-01-11 19:20:11 +01:00
John Molakvoæ (skjnldsv)
e4b3ba6590
Create unified css file and merge all needed data into this file 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
 2017-01-10 17:50:29 +01:00
Joas Schilling
2f21eaaf47
Use login name to fix password confirm with ldap users 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2017-01-05 12:17:30 +01:00
Joas Schilling
924358ef96
Save the timezone on login again 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2016-12-08 10:45:24 +01:00
justin-sleep
25a5c655f7 Move integer casting to the top of the chain 
Signed-off-by: justin-sleep <justin@quarterfull.com>
 2016-12-02 14:07:45 -06:00
Joas Schilling
d75e35b75e
Introduce the UI for password confirmation 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2016-11-18 11:57:16 +01:00
Christoph Wurst
d907666232
bring back remember-me 
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2016-11-02 13:39:16 +01:00
Joas Schilling
877cb06bfe
Use magic DI for core controllers 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2016-09-30 10:00:26 +02:00
Morris Jobke
e341bde8b9 Merge pull request #1172 from nextcloud/core_cleanup 
Core controller cleanup
 2016-08-30 08:32:55 +02:00
Roeland Jago Douma
f6423f74e3
Minor cleanup in core Controllers 2016-08-29 21:52:09 +02:00
Christoph Wurst
291dd0bd31 redirect to 2fa provider if there's only one active for the user 2016-08-29 18:36:39 +02:00
Joas Schilling
736e884e9a
Move the reset token to core app 2016-08-23 15:01:38 +02:00
Joas Schilling
139fb8de94
Remove "password reset token" after successful login 2016-08-23 12:54:45 +02:00
Lukas Reschke
9ca25e857c
Redirect users when already logged-in on login form 2016-08-11 15:22:29 +02:00
Thomas Müller
4cf2f97a16
Add missing array element - fixes #25714 2016-08-10 11:11:23 +02:00
Bjoern Schiessle
4ecd16c555
Redirect to default page after login 2016-07-27 12:11:58 +02:00
Joas Schilling
ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke
c1589f163c
Mitigate race condition 2016-07-20 23:09:27 +02:00
Lukas Reschke
ba4f12baa0
Implement brute force protection 
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
 2016-07-20 22:08:56 +02:00
Thomas Müller
232d735893
Do not leak the login name - fixes #25047 2016-06-09 16:44:31 +02:00