Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser.
This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request.
Signed-off-by: Louis Chemineau <louis@chmn.me>
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.
Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
This allows apps to register middlewares that always register, not just
for the app's own requests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Before this patch, app middlewares were registered on the dispatcher for
every app loaded in a Nextcloud process. With the patch, only
middlewares belonging to the same app of a dispatcher instance are
loaded.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Usually Nextcloud DI goes through constructor injection. This has the
implication that each instance of a class builds the full DI tree. That
is the injected services, their services, etc. Occasionally there is a
service that is only needed for one controller method. Then the DI tree
is build regardless if used or not.
If services are injected into the method, we only build the DI tree if
that method gets executed.
This is also how Laravel allows injection.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Sicne the appName is always passed for the DIContainer we can avoid
using the container query logic and instead store and use a property
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Psalm found an issue. However the issue found was because of lying
docblocks. Fixed those and did some typing to make it all better.
For #25839
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Just like for ILogger we should have a version that has the app ID
pre-set for the context (unless overwritten) so that each log entry can
be traced back to the app that produced it.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* We can't just register an alias as the services need the appId to be
injected. if we just register an alias this blows up since the main
container doesn't have the appId.
* Moved the Authtokens over to show the PoC works
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 out of 10 cases apps want to access their own appconfig. Hence it
would be nice not to have to enter the app id all the time. This simple
wrapper just passes on the appid in all calls.
Basically this allows for simpler code in the apps.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
