nextcloud

mirror of https://github.com/nextcloud/server.git synced 2026-02-13 15:54:59 -05:00

Author	SHA1	Message	Date
Kate	a1709f576e	Merge pull request #54627 from nextcloud/fix/ocs/accept-header	2025-08-28 14:03:23 +02:00
provokateurin	aab11d35d3	fix(OCS): Add IRequest::getFormat to determine the response Content-Type the same way everywhere Signed-off-by: provokateurin <kate@provokateurin.de>	2025-08-26 09:50:03 +02:00
Joas Schilling	11aa997da3	fix(2fa): Fix 2FA session setup when ephemeral session is used Signed-off-by: Joas Schilling <coding@schilljs.com>	2025-08-25 10:39:17 +02:00
Christoph Wurst	084a2e8859	fix(session): log when ephemeral sessions are closed Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2025-07-23 07:52:06 +02:00
Côme Chilliet	bbe766b07a	fix: Make sure Request class can be dependency injected to fix SameSiteCookieMiddleware injection Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2025-07-08 13:32:14 +02:00
Ferdinand Thiessen	5981b7eb51	chore: apply new CSFixer rules Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> # Conflicts: # apps/settings/lib/SetupChecks/PhpOpcacheSetup.php	2025-07-01 16:26:50 +02:00
Robin Appelman	8b0a3a774d	fix: throw a better error if we don't get an authorization header for secutity confirmation Signed-off-by: Robin Appelman <robin@icewind.nl>	2025-06-24 15:57:20 +02:00
Daniel Kesselberg	be587def0e	fix: use correct format for expires, last-modified, and if-modified-since headers Before: Sat, 10 May 2025 18:17:41 +0000 After: Sat, 10 May 2025 18:17:41 GMT RFC: https://httpwg.org/specs/rfc9110.html#http.date Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2025-06-10 13:15:31 +02:00
Joas Schilling	7964f338dc	fix(throttler): Remove the sleep from the throttler that throws The sleep is not adding benefit when it's being aborted with 429 in other cases anyway. Signed-off-by: Joas Schilling <coding@schilljs.com>	2025-05-02 11:27:29 +02:00
Louis Chemineau	3bff9ee3e1	fix: Use login name to check the password Signed-off-by: Louis Chemineau <louis@chmn.me>	2025-04-02 15:50:05 +02:00
Joas Schilling	c9aea8ffdf	fix(auth): Allow 2FA challenges for Ephemeral sessions Signed-off-by: Joas Schilling <coding@schilljs.com>	2025-03-18 09:52:51 +01:00
Louis Chemineau	a163fa08d0	fix(login): Properly target public page with attribute Signed-off-by: Louis Chemineau <louis@chmn.me>	2025-03-05 16:36:26 +01:00
Louis Chemineau	47bd75a052	fix(login): Also check legacy annotation for ephemeral sessions Signed-off-by: Louis Chemineau <louis@chmn.me>	2025-02-27 13:12:55 +01:00
Louis	c7900de4f2	Merge pull request #51051 from nextcloud/artonge/fix/login_flow_v2_sessions_2 feat: Close sessions created for login flow v2	2025-02-27 08:52:00 +01:00
Louis Chemineau	c6293204a2	feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>	2025-02-26 13:42:18 +01:00
Joas Schilling	095ab4419e	fix(l10n): Improve english source strings - No leading/trailing whitespace - Use asci single quote Signed-off-by: Joas Schilling <coding@schilljs.com>	2025-02-26 09:54:32 +01:00
Joas Schilling	c1655bcde7	fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlist Signed-off-by: Joas Schilling <coding@schilljs.com>	2025-01-27 12:46:15 +01:00
Louis Chemineau	a2f2f7ce93	feat: Use inline password confirmation in external storage settings Signed-off-by: Louis Chemineau <louis@chmn.me>	2024-11-28 11:01:54 +01:00
Arthur Schiwon	fdd24090ff	fix(Middleware): log deprecation when annotation was actually used Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-11-12 22:15:08 +01:00
provokateurin	9836e9b164	chore(deps): Update nextcloud/coding-standard to v1.3.1 Signed-off-by: provokateurin <kate@provokateurin.de>	2024-09-19 14:21:20 +02:00
Ferdinand Thiessen	deeccd12a3	chore: fix typo in `SameSiteCookieMiddleware` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2024-08-31 00:34:45 +02:00
Ferdinand Thiessen	92f3f7e2d2	chore: Remove unused `CsrfTokenManager` from `CSPMiddleware` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2024-08-31 00:34:41 +02:00
Daniel Kesselberg	af6de04e9e	style: update codestyle for coding-standard 1.2.3 Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2024-08-25 19:34:58 +02:00
Robin Appelman	8b60df1600	perf: delay getting (sub)admin status for user in the security middleware untill we need it Signed-off-by: Robin Appelman <robin@icewind.nl>	2024-08-23 15:26:40 +02:00
Holger Hees	73397cd759	fix: Use `CSP_NONCE` env variable in ContentSecurity Header We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available. Signed-off-by: Holger Hees <holger.hees@gmail.com>	2024-08-13 09:52:08 +02:00
skjnldsv	db28aa8cd1	fix(files_sharing): show proper share not found error message Signed-off-by: skjnldsv <skjnldsv@protonmail.com>	2024-08-06 16:25:10 +02:00
Joas Schilling	047479ccf9	feat(security): Add public API to allow validating IP Ranges and checking for "in range" Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2024-07-19 16:28:03 +02:00
Benjamin Gaussorgues	202e5b1e95	feat(security): restrict admin actions to IP ranges Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2024-07-19 16:28:03 +02:00
Andrey Borysenko	40f820470a	chore: use "app_api" session key, "app_api_system" is deprecated Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>	2024-07-18 17:16:57 +03:00
Alexander Piskun	b7af6ec200	feat: allow for ExApps to call Admin endpoints marked with specific attr Signed-off-by: Alexander Piskun <bigcat88@icloud.com>	2024-07-18 15:11:39 +03:00
provokateurin	e5dcdfb9e0	feat(Security): Warn about using annotations instead of attributes Signed-off-by: provokateurin <kate@provokateurin.de>	2024-07-18 11:25:32 +02:00
provokateurin	5aefdc399e	feat(AppFramework): Add ExAppRequired attribute Signed-off-by: provokateurin <kate@provokateurin.de>	2024-07-01 14:41:20 +02:00
Arthur Schiwon	f6d6efef3a	refactor(Token): introduce scope constants Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-06-05 19:01:14 +02:00
Arthur Schiwon	340939e688	fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-06-05 19:01:13 +02:00
Andy Scherzinger	dae7c159f7	chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>	2024-05-24 13:11:22 +02:00
Florian Klinger	f3a4abd98c	fix: add check for app_api_system session flag to bypass rate limit Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com> Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>	2024-03-18 20:09:15 +02:00
Vincent Petry	839ddaa354	feat: rename users to account or person Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com>	2024-02-13 21:06:30 +01:00
Joas Schilling	ce583cb67b	techdebt(Middleware): Add more specific array types so its clickable in IDEs Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-11-30 12:27:08 +01:00
Joas Schilling	aa5f037af7	chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2023-11-23 10:36:13 +01:00
Alexander Piskun	0b8a3b578d	fixed Drone test Signed-off-by: Alexander Piskun <bigcat88@icloud.com>	2023-10-06 13:46:37 +03:00
Alexander Piskun	f16c9f42c6	added CORS skip if session was created by AppAPI Signed-off-by: Alexander Piskun <bigcat88@icloud.com>	2023-10-02 11:08:21 +03:00
Christoph Wurst	e477bb7eaf	feat(appframework): Expose programmatic rate limiter Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-09-20 20:25:27 +02:00
Joas Schilling	25309bcb45	techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-28 15:50:45 +02:00
Joas Schilling	381c35080d	fix(middleware): Fix header injection for bruteforce middleware Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons So shifting back to old standard practise for now Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-22 16:00:39 +02:00
Joas Schilling	2f06f2355d	feat: Add a header which signals that the request was throttled Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-21 16:36:04 +02:00
Robin Appelman	ccf57e0715	add separate event for rendering login page template Signed-off-by: Robin Appelman <robin@icewind.nl>	2023-08-17 10:57:56 +02:00
jld3103	12f8543815	Rewrite OCS CSRF check to be readable Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-08-16 15:52:36 +02:00
Joas Schilling	1b387bb341	fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-07-27 09:57:52 +02:00
Robin Appelman	9f1d497a0b	Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private Refactors "strpos" calls in lib/private to improve code readability.	2023-06-01 23:10:00 +02:00
Joas Schilling	3a6bc7aba2	fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-05-15 16:20:19 +02:00

1 2 3 4

174 commits