nextcloud/lib/private/AppFramework/Middleware/Security
Ferdinand Thiessen ea2a469698 fix(SecurityMiddleware): return header to distinguish error type
Currently we return a 403 (Forbidden) when the password confirmation
failed - which itself seems to be inappropriate as it's basically a login
failing, so a 401 (not authorized) is more appropriate.

This is especially a problem because APIs might return 403 internally
for good reason (e.g. user missing permission) but 401 would not be a
problem.

But as this is a breaking change, my solution to be able to
distinguish an API error from a password confirmation error is:

Add a header inside the response that marks failed password confirmation
`X-NC-Auth-NotConfirmed`.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2026-03-12 08:54:26 +00:00
Exceptions chore: apply new CSFixer rules 2025-07-01 16:26:50 +02:00
BruteForceMiddleware.php chore: Add SPDX header 2024-05-24 13:11:22 +02:00
CORSMiddleware.php chore: apply new CSFixer rules 2025-07-01 16:26:50 +02:00
CSPMiddleware.php chore: Remove unused CsrfTokenManager from CSPMiddleware 2024-08-31 00:34:41 +02:00
FeaturePolicyMiddleware.php chore: Add SPDX header 2024-05-24 13:11:22 +02:00
PasswordConfirmationMiddleware.php refactor: improve reflection attribute typing 2025-12-04 17:37:47 +01:00
RateLimitingMiddleware.php feat(rate-limit): Allow overwriting the rate limit 2025-11-12 08:59:40 +01:00
ReloadExecutionMiddleware.php chore: Add SPDX header 2024-05-24 13:11:22 +02:00
SameSiteCookieMiddleware.php fix: Make sure Request class can be dependency injected to fix SameSiteCookieMiddleware injection 2025-07-08 13:32:14 +02:00
SecurityMiddleware.php fix(SecurityMiddleware): return header to distinguish error type 2026-03-12 08:54:26 +00:00