nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Ferdinand Thiessen	3fede00732	feat(login): Clear login form (password) after IDLE timeout For security reasons it is recommended to stop the login process at a defined time, this could prevent password leaks by e.g. user forgetting that they entered their password on public devices. Enforced e.g. by the BSI ORP.4.A13 rule. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2024-03-25 12:22:53 +07:00
fenn-cs	2792d8b3f5	feat: Limit email input on auth pages to 255 chars Excessively long emails reported make server unresponsive. We could at some point, consider adding a configuration for sysadmins to bypass this setting on their instance if they want. Signed-off-by: fenn-cs <fenn25.fn@gmail.com>	2024-03-21 10:34:55 +07:00
Eduardo Morales	0de6cc7472	feat: added login's initial possible email-states Signed-off-by: Eduardo Morales <emoral435@gmail.com>	2024-03-10 10:32:21 +07:00
provokateurin	2c51933b6b	refactor(core): Switch to attribute based routing Signed-off-by: provokateurin <kate@provokateurin.de>	2024-02-21 12:07:50 +07:00
provokateurin	d95e500e45	feat(core): Expose the confirm password endpoint Signed-off-by: provokateurin <kate@provokateurin.de>	2024-02-20 08:04:13 +07:00
provokateurin	b64ab5fba8	refactor: Migrate IgnoreOpenAPI attributes to OpenAPI Signed-off-by: provokateurin <kate@provokateurin.de>	2024-01-18 16:14:17 +07:00
Gaspard d'Hautefeuille	08ff644f3c	Keep https check https://github.com/nextcloud/server/issues/41196 + keep https check Co-authored-by: Louis <louis@chmn.me> Signed-off-by: Gaspard d'Hautefeuille <github@dhautefeuille.eu>	2024-01-05 04:20:26 +07:00
Gaspard d'Hautefeuille	85911cbab2	Cancel PR #37405 , remove regression code Signed-off-by: Gaspard d'Hautefeuille <github@dhautefeuille.eu>	2024-01-05 04:20:26 +07:00
Joas Schilling	aa5f037af7	chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2023-11-23 10:36:13 +07:00
Christoph Wurst	a5422a3998	fix: Show error message when CSRF check fails at login Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-11-08 15:18:34 +07:00
Marcel Müller	c2393fb712	Reset BFP for sudo action Signed-off-by: Marcel Müller <marcel-mueller@gmx.de>	2023-10-28 18:36:43 +07:00
Joas Schilling	25309bcb45	techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-28 15:50:45 +07:00
jld3103	1be836273d	core: Add OpenAPI spec Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-07-13 07:24:15 +07:00
Faraz Samapoor	d64aa85b04	Applies agreed-upon indentation convention to the changed controllers. Based on https://github.com/nextcloud/server/pull/38636#discussion_r1218167753 Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>	2023-06-16 19:29:40 +07:00
Faraz Samapoor	73b7096850	Fixes psalm error. Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>	2023-06-16 19:29:40 +07:00
Faraz Samapoor	468aefc649	Fixes php-cs-fixer error. Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>	2023-06-16 19:29:40 +07:00
Faraz Samapoor	4bf610ebaf	Refactors controllers by using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>	2023-06-16 19:29:40 +07:00
Faraz Samapoor	a1ef0285f8	Refactors "strpos" calls in /core to improve code readability. Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>	2023-06-02 13:13:19 +07:00
jld3103	02f9c3a06f	Use implementations instead of interfaces for accessing private methods Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-03-30 12:33:46 +07:00
Git'Fellow	cfd7a57184	Send header to all browsers under HTTPS Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com> Don't send Clear-Site-Data to Safari Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com> Fix lint Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>	2023-03-26 15:29:01 +07:00
Simon L	6496748971	fix the login log entry Signed-off-by: Simon L <szaimen@e.mail.de>	2023-01-30 17:07:44 +07:00
Christoph Wurst	20e00cdf17	feat(app-framework): Add UseSession attribute to replace annotation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-27 09:40:35 +07:00
Christoph Wurst	20fcfb5739	feat(app framework)!: Inject services into controller methods Usually Nextcloud DI goes through constructor injection. This has the implication that each instance of a class builds the full DI tree. That is the injected services, their services, etc. Occasionally there is a service that is only needed for one controller method. Then the DI tree is build regardless if used or not. If services are injected into the method, we only build the DI tree if that method gets executed. This is also how Laravel allows injection. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-18 14:00:38 +07:00
Christoph Wurst	f22101d421	Fix login loop if login CSRF fails and user is not logged in If CSRF fails but the user is logged in that they probably logged in in another tab. This is fine. We can just redirect. If CSRF fails and the user is also not logged in then something is fishy. E.g. because Nextcloud contantly regenrates the session and the CSRF token and the user is stuck in an endless login loop. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-18 09:39:17 +07:00
Joas Schilling	9cfaf27142	Also limit the password length on reset Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-01-03 16:36:01 +07:00
Christoph Wurst	138deec333	chore: Make the LoginController strict Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2022-12-15 10:52:28 +07:00
Joas Schilling	85eb3b2920	Fix wording of undeliverable push notifications Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-08-31 12:42:31 +07:00
Carl Schwan	253118298d	Redesign guest pages for better accessibility - Use white box and put content on it - Improve focus indicator Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-07-27 10:43:21 +07:00
Christopher Ng	92500e810f	Identify the login page explicitly by the page title Signed-off-by: Christopher Ng <chrng8@gmail.com>	2022-07-20 23:55:50 +07:00
Carl Schwan	b70c6a128f	Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-05-20 22:18:06 +07:00
Vitor Mattos	d613b32045	add check isFairUseOfFreePushService on login Signed-off-by: Vitor Mattos <vitor@php.rio>	2021-10-23 00:54:50 +07:00
Daniel Rudolf	e478db9161	Deprecate RedirectToDefaultAppResponse Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-07-01 15:13:08 +07:00
Daniel Rudolf	12059eb65b	Add IUrlGenerator::linkToDefaultPageUrl() Replaces the deprecated \OC_Util::getDefaultPageUrl() and makes this API public. Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-06-30 16:20:57 +07:00
John Molakvoæ (skjnldsv)	215aef3cbd	Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2021-06-04 22:02:41 +07:00
Joas Schilling	69290781ff	Handle device login like an alternative login Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-04-20 09:11:33 +07:00
Roeland Jago Douma	4076dfb019	Allow admins to disable the login form In case they want to not allow this because they use SSO (and do not want the users to enter their credentials there by accident). ?direct=1 still works. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2021-03-08 15:36:47 +07:00
dependabot-preview[bot]	eb502c02ff	Bump nextcloud/coding-standard from 0.3.0 to 0.5.0 Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0. - [Release notes](https://github.com/nextcloud/coding-standard/releases) - [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md) - [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-02-18 13:31:24 +07:00
Julius Härtl	d7a80293ab	Keep direct login active when redirecting Signed-off-by: Julius Härtl <jus@bitgrid.net>	2021-02-01 14:25:56 +07:00
Roeland Jago Douma	f57b93098b	Do not redirect to logout after login This can happen when the session was killed due to a timeout. Then logout was triggered. Nobody wants to login only to be logged out again. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2021-01-15 09:35:51 +07:00
Christoph Wurst	cb057829f7	Update license headers for 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-29 11:57:22 +07:00
Roeland Jago Douma	95ad9ab4ac	Merge pull request #20401 from nextcloud/fix/login-sso-redirct Fix absolute redirect	2020-04-15 11:28:40 +07:00
Christoph Wurst	28f8eb5dba	Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 16:54:27 +07:00
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 14:19:56 +07:00
John Molakvoæ (skjnldsv)	6c49dc2d1f	Fix absolute redirect Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2020-04-10 08:58:54 +07:00
Roeland Jago Douma	53db05a1f6	Start with webauthn Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> Signed-off-by: npmbuildbot[bot] <npmbuildbot[bot]@users.noreply.github.com>	2020-03-31 22:17:07 +07:00
Roeland Jago Douma	87104ce510	Merge pull request #17784 from nextcloud/enh/disable-clear-site-data-via-config Disable Clear-Site-Data for Chrom* (and Opera, Brave, etc)	2019-12-12 21:59:42 +07:00
Christoph Wurst	5bf3d1bb38	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-12-05 15:38:45 +07:00
Daniel Kesselberg	9378a6b411	Send Clear-Site-Data expect for Chrome Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2019-11-30 15:17:22 +07:00
Christoph Wurst	81e35d0c8a	Trim the login name Otherwise we keep on using it with leading or trailing whitespaces for app tokens and other logic. The reason this doesn't throw an error immediately with local users is that (My)SQL compares strings regardless of their padding by default. So we look up 'uid ' and get the row for the user 'uid'. Other back-ends will lead to a hard error, though, and the user is unable to log out as all request fail. Ref https://stackoverflow.com/a/10495807/2239067 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-11-28 20:52:05 +07:00
Daniel Kesselberg	6235a66aac	Don't send executionContexts for Clear-Site-Data There are plans to remove executionContexts from the spec: https://github.com/w3c/webappsec-clear-site-data/issues/59 Firefox already removed it https://bugzilla.mozilla.org/show_bug.cgi?id=1548034 Chromium implementation is not finish: https://bugs.chromium.org/p/chromium/issues/detail?id=898503&q=clear-site-data&sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2019-07-09 15:08:25 +07:00

1 2 3

148 Commits (3fede00732c48508c19dd0c6b7ac010b1c735749)