nextcloud

mirror of https://github.com/nextcloud/server.git synced 2026-06-18 13:10:47 -04:00

Author	SHA1	Message	Date
Joas Schilling	e33b001b39	fix(auth): Allow 2FA challenges for Ephemeral sessions Signed-off-by: Joas Schilling <coding@schilljs.com>	2025-03-18 10:30:58 +01:00
Louis Chemineau	dba818df7b	fix(login): Do not target PublicPage attribute as it does not exists Signed-off-by: Louis Chemineau <louis@chmn.me>	2025-03-05 18:05:00 +01:00
Louis Chemineau	cc6de88dee	fix(login): Also check legacy annotation for ephemeral sessions Signed-off-by: Louis Chemineau <louis@chmn.me>	2025-03-03 12:07:32 +01:00
Louis Chemineau	242164f0fd	feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>	2025-03-03 12:07:32 +01:00
Arthur Schiwon	0f5c8f9111	fix(Token): make new scope future compatible - "password-unconfirmable" is the effective name for 30, but a draft name was backported. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-06-12 19:35:37 +02:00
Arthur Schiwon	eea5e1cca2	fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-06-12 19:35:37 +02:00
Joas Schilling	71d0b4ab42	Reverse X-Forwarded-For list to read the correct proxy remote address Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-11-16 07:50:12 +01:00
Joas Schilling	94211721a6	fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-05-15 16:24:12 +02:00
Julius Härtl	3e63298381	feat(translations): Add translation provider API Signed-off-by: Julius Härtl <jus@bitgrid.net>	2023-02-27 16:52:03 +01:00
Julius Härtl	90d2cb09b1	Merge pull request #36396 from nextcloud/fix/cors	2023-02-17 09:42:08 +01:00
Ferdinand Thiessen	f655f83c84	fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>	2023-02-16 22:55:18 +01:00
Julius Härtl	a705132c8d	Merge pull request #36656 from nextcloud/route-instrumentation	2023-02-14 10:12:19 +01:00
Julius Härtl	610a203d31	Merge pull request #36525 from nextcloud/fix/noid/params-put fix: Only get params from PUT content if possible	2023-02-13 10:25:52 +01:00
Robin Appelman	b68be79464	more routing performance instrumentation Signed-off-by: Robin Appelman <robin@icewind.nl>	2023-02-10 11:12:26 +01:00
Robin Appelman	fe78ef7a38	instrumentation for app booting Signed-off-by: Robin Appelman <robin@icewind.nl>	2023-02-09 17:41:43 +01:00
Robin Appelman	08e7b20c43	add more performance instrumentation for app registering Signed-off-by: Robin Appelman <robin@icewind.nl>	2023-02-09 17:41:43 +01:00
Ferdinand Thiessen	ba8a50c059	fix: Throw `NotFoundExceptionInterface` to fulfill PSR container interface if class not found Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>	2023-02-06 14:16:35 +01:00
Julius Härtl	dc3916e27c	fix: Only get params from PUT content if possible Signed-off-by: Julius Härtl <jus@bitgrid.net>	2023-02-03 22:30:04 +01:00
Louis Chemineau	4ab3c16403	Pluggable share provider Signed-off-by: Carl Schwan <carl@carlschwan.eu> Signed-off-by: Louis Chemineau <louis@chmn.me>	2023-02-02 15:41:26 +01:00
Christoph Wurst	20e00cdf17	feat(app-framework): Add UseSession attribute to replace annotation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-27 09:40:35 +01:00
Christoph Wurst	8d9af3e262	feat(app-framework): Add support for global middlewares This allows apps to register middlewares that always register, not just for the app's own requests Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-26 11:54:28 +01:00
Christoph Wurst	907ff68bfc	perf(app-framework): Make the app middleware registration lazy Before this patch, app middlewares were registered on the dispatcher for every app loaded in a Nextcloud process. With the patch, only middlewares belonging to the same app of a dispatcher instance are loaded. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-25 09:27:24 +01:00
Côme Chilliet	f5c361cf44	composer run cs:fix Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:45:08 +01:00
Côme Chilliet	2a5e18b67a	Fix types in OCS json answer (status code is an int) Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:22:09 +01:00
Côme Chilliet	f2cdc4f47d	Fix crash in OCS when getting info about an application Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:22:09 +01:00
Côme Chilliet	0c466b7ff5	Attempt at reducing psalm errors Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:22:09 +01:00
Christoph Wurst	20fcfb5739	feat(app framework)!: Inject services into controller methods Usually Nextcloud DI goes through constructor injection. This has the implication that each instance of a class builds the full DI tree. That is the injected services, their services, etc. Occasionally there is a service that is only needed for one controller method. Then the DI tree is build regardless if used or not. If services are injected into the method, we only build the DI tree if that method gets executed. This is also how Laravel allows injection. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-18 14:00:38 +01:00
Joas Schilling	0af4e9d4fe	Merge pull request #34172 from audriga/add-scim-json-support Add support for application/scim+json	2022-12-20 08:58:33 +01:00
Côme Chilliet	cf508c1e47	Use strict typing in base.php Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2022-12-19 09:10:40 +00:00
Stanimir Bozhilov	7dcd6eb561	Merge branch 'master' into add-scim-json-support Signed-off-by: Stanimir Bozhilov <stanimir.bozhilov.1998@gmail.com>	2022-12-19 09:07:38 +01:00
Vincent Petry	7adfdf5248	Merge pull request #35537 from nextcloud/fix/dependency-injection-error Improve dependency injection error message	2022-12-16 16:49:23 +01:00
Vincent Petry	ae6fe874ed	Merge pull request #35780 from nextcloud/fix/http-dispatcher-double-parameter-cast Fix missing cast of double controller parameters	2022-12-16 16:18:35 +01:00
Christoph Wurst	b6dd1a1d7b	fix(app framework): Fix missing cast of double controller parameters ``settype`` allows 'double' as alias of 'float'. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2022-12-15 09:33:52 +01:00
Artur Neumann	81f2857f34	check if params given to API are really an array Signed-off-by: Artur Neumann <artur@jankaritech.com>	2022-12-15 13:45:22 +05:45
Stanimir Bozhilov	b44befa881	Move JSON content type regex to IRequest and make it a const	2022-12-08 15:11:23 +01:00
Julius Härtl	f0a0bfaaee	Move to str_starts_with Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-12-07 22:32:06 +01:00
Julius Härtl	3899de12b7	Skip querying the app container for server namespace Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-12-07 22:32:05 +01:00
Julius Härtl	d7ecbe32d2	Avoid container dance for appName Sicne the appName is always passed for the DIContainer we can avoid using the container query logic and instead store and use a property Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-12-07 22:32:04 +01:00
Julien Veyssier	4a3f3beb0b	use bruteforce protection on all methods wrapped by PublicShareMiddleware if an invalid token is provided or when share password is wrong Signed-off-by: Julien Veyssier <julien-nc@posteo.net>	2022-12-07 13:24:50 +01:00
Carl Schwan	2a864ec13c	Improve dependency injection error message Change from display the name of the parameter to the type of the parameter. This is that in most cases is usefull. Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-12-01 12:46:01 +01:00
Christoph Wurst	41b2466d35	Clean up and deprecate app container aliases Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2022-11-02 19:42:09 +01:00
Julius Härtl	cea2f79bbd	Improve container return type annotations Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-10-14 10:45:16 +02:00
Stanimir Bozhilov	46c10c77e1	Fix the JSON content type regex to match all MIME types Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	2022-09-26 11:51:44 +02:00
Stanimir Bozhilov	d80f8f6c82	Type hint JSON content type regex and use preg_match less Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	2022-09-22 11:25:39 +02:00
Stanimir Bozhilov	f286a9d6ac	Use regex for all JSON-related content types Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	2022-09-21 16:36:01 +02:00
Stanimir Bozhilov	0ace70488a	Treat application/json and application/scim+json in same if-block Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	2022-09-21 15:31:50 +02:00
Jonas Rittershofer	c8b7a233a5	Allow CSRF on CORS routes Co-authored-by: Julius Härtl <jus@bitgrid.net> Co-authored-by: Andreas Brinner <andreas@everlanes.net> Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>	2022-09-21 10:42:00 +00:00
Stanimir Bozhilov	f0dbe1148a	Add support for application/scim+json content type Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	2022-09-20 16:18:52 +02:00
Julius Härtl	68d0038eb0	Move registration to IBootstrap Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-08-31 16:20:06 +02:00
Julius Härtl	9b4b72826a	Reopen sessions if we need to write to them instead of keeping them open Sessions are a locking operation until we write close them, so close them early and reopen later in case we want to write to them Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-08-17 12:10:26 +02:00

1 2 3 4 5 ...

463 commits