08f869dda9
fix: broken password reset form
...
Signed-off-by: Anna Larch <anna@nextcloud.com>
2025-05-26 19:22:07 +07:00
82fb8f8508
refactor: Extend rector to core/
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-05-15 00:16:54 +07:00
af6de04e9e
style: update codestyle for coding-standard 1.2.3
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2024-08-25 19:34:58 +07:00
bc5c0262af
refactor(core): Make all attribute arguments named
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-27 22:36:18 +07:00
c57c3c1573
refactor(core): Replace security annotations with respective attributes
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-26 07:30:45 +07:00
e07a190641
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-27 14:53:40 +07:00
2792d8b3f5
feat: Limit email input on auth pages to 255 chars
...
Excessively long emails reported make server unresponsive.
We could at some point, consider adding a configuration for sysadmins to bypass this setting
on their instance if they want.
Signed-off-by: fenn-cs <fenn25.fn@gmail.com>
2024-03-21 10:34:55 +07:00
2c51933b6b
refactor(core): Switch to attribute based routing
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-02-21 12:07:50 +07:00
839ddaa354
feat: rename users to account or person
...
Replace translated text in most locations
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2024-02-13 21:06:30 +07:00
b64ab5fba8
refactor: Migrate IgnoreOpenAPI attributes to OpenAPI
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-01-18 16:14:17 +07:00
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2023-11-23 10:36:13 +07:00
1be836273d
core: Add OpenAPI spec
...
Signed-off-by: jld3103 <jld3103yt@gmail.com>
2023-07-13 07:24:15 +07:00
d64aa85b04
Applies agreed-upon indentation convention to the changed controllers.
...
Based on https://github.com/nextcloud/server/pull/38636#discussion_r1218167753
Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>
2023-06-16 19:29:40 +07:00
4bf610ebaf
Refactors controllers by using PHP8's constructor property promotion.
...
Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>
2023-06-16 19:29:40 +07:00
7ee81b6555
fix(lostpassword): Also rate limit the setPassword endpoint
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-05-15 09:21:07 +07:00
9899b12478
Trim user earlier
...
Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
2023-04-04 10:03:15 +07:00
203b9131ec
Trim the user/email provided for password resets
...
Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
2023-03-30 11:59:13 +07:00
704eb3aa6c
Add bruteforce protection to password reset page
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-02-02 06:13:49 +07:00
b4a29644cc
Add a const for the max user password length
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-01-04 11:23:43 +07:00
9cfaf27142
Also limit the password length on reset
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-01-03 16:36:01 +07:00
71ee292650
Add rate limiting on lost password emails
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-10-18 14:49:02 +07:00
b03aedf128
Update core/Controller/LostController.php
...
Co-authored-by: John Molakvoæ <skjnldsv@users.noreply.github.com>
Signed-off-by: NoSleep82 <52562874+NoSleep82@users.noreply.github.com>
2022-08-21 13:16:23 +07:00
61548c520b
Update LostController.php
...
i would be useful to know who is trying to reset the password (misspelled username or email, ex user or some sort of attack)
Signed-off-by: NoSleep82 <52562874+NoSleep82@users.noreply.github.com>
2022-08-19 18:30:32 +07:00
abe5ff3654
Make LostController use IInitialState and LoggerInterface
...
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-06-10 16:41:41 +07:00
44e13848a1
Add password reset typed events
...
These hooks are only used in the Encryption app from what I can see.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-06-10 16:41:41 +07:00
b70c6a128f
Update core to PHP 7.4 standard
...
- Typed properties
- Port to LoggerInterface
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-05-20 22:18:06 +07:00
3a94d7c2ea
Merge pull request #28794 from nextcloud/fix/noid/guest-activation-pwd-reset-disabled
...
allow using of disabled password reset mechanism for special cases
2021-09-14 18:29:10 +07:00
a843d3c5db
allow using of disabled password reset mechanism for special cases
...
- LostController has three endpoints
- door opener email() still rejects
- resetform(), reachable from mail, checks the token first and may report
that password reset is disabled
- setPassword() got its check removed as it is behind CSFR anyway and still
requires a valid token
- this allows special cases like activating a freshly created guest account
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-10 22:48:16 +07:00
6857136f06
fixes missing prefix to validate password reset token
...
- also fixes the test which missed asserting the presence of it
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-10 19:06:50 +07:00
a20de15b43
add a job to clean up expired verification tokens
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-09 14:03:35 +07:00
19cc757531
move verification token logic out of lost password controller
...
- to make it reusable
- needed for local email verification
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-09 14:03:29 +07:00
b78f3a57d1
Migrate HintException to OCP
...
Signed-off-by: Gary Kim <gary@garykim.dev>
2021-06-30 15:28:02 +07:00
215aef3cbd
Update php licenses
...
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2021-06-04 22:02:41 +07:00
6ed4aaeeea
Send emails on password reset to the displayname
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-02-18 12:38:43 +07:00
d9015a8c94
Format code to a single space around binary operators
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-10-05 20:25:24 +07:00
caff1023ea
Format control structures, classes, methods and function
...
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +07:00
afbd9c4e6e
Unify function spacing to PSR2 recommendation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +07:00
2fbad1ed72
Fix (array) indent style to always use one tab
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +07:00
1a9330cd69
Update the license headers for Nextcloud 19
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-31 14:52:54 +07:00
b80ebc9674
Use the short array syntax, everywhere
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-26 16:34:56 +07:00
5bf3d1bb38
Update license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +07:00
68748d4f85
Some php-cs fixes
...
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +07:00
e32b2c4b76
Stop if there is no encrypted token
...
Fix Argument 1 passed to OC\Security\Crypto::decrypt() must be of the type string, null given
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-08-18 19:58:50 +07:00
436f7b92d5
Merge pull request #16544 from nextcloud/bugfix/16540
...
Add missing password reset page to vue
2019-07-31 11:02:20 +07:00
3b0d13944a
Move actual password reset to vue
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-07-31 09:19:07 +07:00
b6dd2ebd39
Use proper exception in lostController
...
There is no need to log the expcetion of most of the stuff here.
We should properly log them but an exception is excessive.
This moves it to a proper exception which we can catch and then log.
The other exceptions will still be fully logged.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-27 20:12:16 +07:00
d57540ac84
Return first value from $users
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-07-09 19:29:14 +07:00
ac8a6e2244
Clean pending 2FA authentication on password reset
...
When a password is reste we should make sure that all users are properly
logged in. Pending states should be cleared. For example a session where
the 2FA code is not entered yet should be cleared.
The token is now removed so the session will be killed the next time
this is checked (within 5 minutes).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-29 13:08:56 +07:00
d0397f9b53
Generic message on password reset
...
There is no need to inform the user if the account existed or not.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-15 15:53:43 +07:00
ef97ef72f6
Merge pull request #10743 from danielkesselberg/bugfix/noid/allow-password-reset-for-duplicate-email
...
Enable password reset for user with same email address when only one is active
2018-09-13 10:48:30 +07:00
Anna Larch
provokateurin
Daniel Kesselberg
Andy Scherzinger
fenn-cs
Vincent Petry
Joas Schilling
jld3103
Faraz Samapoor
Josh Richards
Côme Chilliet
NoSleep82
Thomas Citharel
Carl Schwan
Pytal
Arthur Schiwon
Gary Kim
John Molakvoæ (skjnldsv)
Christoph Wurst
Roeland Jago Douma
Roeland Jago Douma
Julius Härtl