nextcloud/lib/private/AppFramework/Middleware/Security
Ferdinand Thiessen 9b54b06de5
fix(SecurityMiddleware): return header to distinguish error type
Currently we return a 403 (Forbidden) when the password confirmation
failed - which itself seems to be inappropriate as it's basically a login
failing so a 401 (not authorized) is more appropriate.

This is especially a problem because APIs might return 403 internally
for good reason (e.g. user missing permission) but 401 would not be a
problem.

But as this is a breaking change, my solution to be able to
distinguish an API error from a password confirmation error is:

Add a header inside the response that marks failed password confirmation
`X-NC-Auth-NotConfirmed`.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2026-03-11 15:11:29 +01:00
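The commit keeps the 403 status but adds the `X-NC-Auth-NotConfirmed` header so a caller can tell a failed password confirmation apart from an ordinary permission denial. The following client-side classifier is an added example, not Nextcloud code and not part of the commit; it assumes only that the header is present on the password-confirmation response (the commit message does not specify a value, so none is inspected) and it uses the standard `Response`/`Headers` globals available in browsers and Node 18+. The `requestWithConfirmation` helper and the `confirmPassword` callback are hypothetical stand-ins for a client's confirmation dialog.

```javascript
// Added example (not Nextcloud code): distinguish a 403 caused by a failed
// password confirmation, marked with the X-NC-Auth-NotConfirmed header from
// the commit above, from a 403 the API returned because the user lacks
// permission. Assumption: only the header's presence is meaningful; its
// value is unspecified in the commit message and is not checked here.

const NOT_CONFIRMED_HEADER = 'X-NC-Auth-NotConfirmed';

/**
 * Map a Response to an outcome a caller can act on.
 * Returns one of: 'ok', 'password-confirmation-required', 'forbidden',
 * 'unauthorized', 'error'.
 */
function classifyResponse(response) {
  if (response.ok) return 'ok';
  if (response.status === 403) {
    // Header names are case-insensitive; Headers.has() normalises them, so
    // the exact casing the server emits does not matter.
    return response.headers.has(NOT_CONFIRMED_HEADER)
      ? 'password-confirmation-required'
      : 'forbidden';
  }
  if (response.status === 401) return 'unauthorized';
  return 'error';
}

// Constructed sample responses standing in for what fetch() would return.
function sampleResponses() {
  return {
    confirmationFailed: new Response('', {
      status: 403,
      headers: { [NOT_CONFIRMED_HEADER]: '1' },
    }),
    permissionDenied: new Response('', { status: 403 }),
    notLoggedIn: new Response('', { status: 401 }),
    success: new Response('{}', { status: 200 }),
  };
}

// Hypothetical client flow: when the classifier says password confirmation
// is required, run the (caller-supplied) confirmation step once and retry;
// a plain 403 is returned unchanged so a real permission error is not
// mistaken for a re-authentication prompt.
async function requestWithConfirmation(doRequest, confirmPassword) {
  let response = await doRequest();
  if (classifyResponse(response) === 'password-confirmation-required') {
    await confirmPassword();
    response = await doRequest();
  }
  return response;
}

// Stand-alone demonstration on the constructed responses.
const samples = sampleResponses();
for (const [name, response] of Object.entries(samples)) {
  console.log(name, '->', classifyResponse(response));
}
```

Checking the header rather than the status code keeps the client compatible with both the old and the new server behaviour: a server that does not emit the header still yields a plain `forbidden`, and a client that does not know the header sees the same 403 it always did.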
Exceptions feat(rector): Enable SafeDeclareStrictTypesRector 2026-02-09 10:59:31 +01:00
BruteForceMiddleware.php chore: Add SPDX header 2024-05-24 13:11:22 +02:00
CORSMiddleware.php refactor: Move hasAnnotationOrAttribute to MiddlewareUtils 2026-01-28 21:48:16 +01:00
CSPMiddleware.php chore: Remove unused CsrfTokenManager from CSPMiddleware 2024-08-31 00:34:41 +02:00
FeaturePolicyMiddleware.php refactor: Run rector on lib/private 2026-02-06 13:50:18 +01:00
PasswordConfirmationMiddleware.php refactor: improve reflection attribute typing 2025-12-04 17:37:47 +01:00
RateLimitingMiddleware.php feat(rate-limit): Allow overwriting the rate limit 2025-11-12 08:59:40 +01:00
ReloadExecutionMiddleware.php refactor: Run rector on lib/private 2026-02-06 13:50:18 +01:00
SameSiteCookieMiddleware.php refactor: Move hasAnnotationOrAttribute to MiddlewareUtils 2026-01-28 21:48:16 +01:00
SecurityMiddleware.php fix(SecurityMiddleware): return header to distinguish error type 2026-03-11 15:11:29 +01:00