sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
73,623 Commits
620 Branches
1167 Tags
9.0 GiB
Commit Graph

148 Commits (3fede00732c48508c19dd0c6b7ac010b1c735749)

Author SHA1 Message Date
Christoph Wurst 64c4bb5bce
Vueify the login page 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2019-05-29 11:05:16 +07:00
Christoph Wurst 170582d4f5
Add a login chain to reduce the complexity of LoginController::tryLogin 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2019-05-07 18:04:36 +07:00
Roeland Jago Douma 60e5a5eca4
Do not do redirect handling when loggin out 
Fixes #12568
Since the clearing of the execution context causes another reload. We
should not do the redirect_uri handling as this results in redirecting
back to the logout page on login.

This adds a simple middleware that will just check if the
ClearExecutionContext session variable is set. If that is the case it
will just redirect back to the login page.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2019-02-06 11:29:32 +07:00
Michael Weimann e083e8abc6
Clears the local storage after logout 
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
 2019-01-29 09:02:52 +07:00
Roeland Jago Douma e6333c8fe3
Honor remember_login_cookie_lifetime 
If the remember_login_cookie_lifetime is set to 0 this means we do not
want to use remember me at all. In that case we should also not creatae
a remember me cookie and should create a proper temp token.

Further this specifies that is not 0 the remember me time should always
be larger than the session timeout. Because else the behavior is not
really defined.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2019-01-23 08:46:24 +07:00
Roeland Jago Douma 43d6ae7476
Respect the disabled setting for lost_password_link 
Fixes #11146
As documented when it is set to disabled the user can't request a lost
password.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-11-20 13:28:40 +07:00
Rayn0r 85eb43baff added possibility to disable autocomplete in login form 
Signed-off-by: Rayn0r <Andre.Weidemann@web.de>
 2018-10-30 11:36:16 +07:00
Patrick Conrad 1806baaeaf
Remove cookies from Clear-Site-Data Header 
In 2f87fb6b45 this header was introduced. The referenced documentation says:

> When delivered with a response from https://example.com/clear, the following header will cause cookies associated with the origin https://example.com to be cleared, as well as cookies on any origin in the same registered domain (e.g. https://www.example.com/ and https://more.subdomains.example.com/).

This also applies if `https://nextcloud.example.com/` sends the `Clear-Site-Data: "cookies"` header.
This is not the behavior we want at this point!

So I removed the deletion of cookies from the header. This has no effect on the logout process as this header is supported only recently and the logout works in old browsers as well.

Signed-off-by: Patrick Conrad <conrad@iza.org>
 2018-10-15 14:46:06 +07:00
Morris Jobke 7971ba5cc6
Merge pull request #10898 from nextcloud/feature/10684/default-logo-color-theme-colors 
Switches the default logo color depending on the primary color
 2018-10-08 10:33:22 +07:00
Roeland Jago Douma d9febae5b2
Update all the publickey tokens if needed on web login 
* On weblogin check if we have invalid public key tokens
* If so update them all with the new token

This ensures that your marked as invalid tokens work again if you once
login on the web.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-10-02 19:50:54 +07:00
Michael Weimann d855c38e07
Moves the logo files to logo 
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
 2018-10-02 08:37:54 +07:00
Christoph Wurst 42300d19e9
Fix max length requirements for the throttler metadata 
If a failed login is logged, we save the username as metadata
in the bruteforce throttler. To prevent database error due to
very long strings, this truncates the username at 64 bytes in
the assumption that no real username is longer than that.long strings,

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2018-08-13 15:52:09 +07:00
Christoph Wurst d8197f2b97
Rename providerset method to get primary providers 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2018-08-08 20:28:21 +07:00
Christoph Wurst c6e47e8a51
Fix login redirection if only one 2FA provider is active 
Fixes https://github.com/nextcloud/server/issues/10500.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2018-08-08 15:25:59 +07:00
Michael Weimann c92d7429d7 Implements handling for deactivated users 
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
 2018-07-21 13:05:13 +07:00
Christoph Wurst 13d93f5b25
Make 2FA providers stateful 
This adds persistence to the Nextcloud server 2FA logic so that the server
knows which 2FA providers are enabled for a specific user at any time, even
when the provider is not available.

The `IStatefulProvider` interface was added as tagging interface for providers
that are compatible with this new API.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2018-06-20 08:30:26 +07:00
Roeland Jago Douma a07f6d46e3
Use proper types 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-04-11 00:21:25 +07:00
Morris Jobke fd3c97b93b
Avoid to leak a user ID that is not a string to reach a user backend 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2018-04-11 00:03:30 +07:00
Roeland Jago Douma 33b93db953
Remove unused parameter 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-04-06 21:44:23 +07:00
Roeland Jago Douma 2b7d4d5069
Fix tests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-04-06 19:58:37 +07:00
Roeland Jago Douma caee215120
Always remember me 
Fixes #8004

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-04-06 15:44:28 +07:00
Arthur Schiwon ffc05e2fed
don't try login with the same name that just failed 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2018-02-22 13:05:48 +07:00
Roeland Jago Douma 7cab7feb38
Display message when connection is throttled on logi page 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-01-15 21:43:09 +07:00
Julius Härtl f5f6ed664d
Hide stay logged in checkbox when flow authentication is used 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2017-12-28 11:15:26 +07:00
Morris Jobke 0eebff152a
Update license headers 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2017-11-06 16:56:19 +07:00
Lukas Reschke 0bccd5a0d9
Fix "Uninitialized string offset: 0 at \/media\/psf\/stable9\/lib\/private\/URLGenerator.php#224" 
The URLGenerator doesn't support `` as target for absolute URLs, we need to link to `/` thus.

Regression introduced with 46229a00f3

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-09-07 08:34:02 +07:00
Morris Jobke 30ca3b70ed Merge pull request #6196 from nextcloud/downstream-26539-2 
Handle invalid ext storage backend to keep mount point visible
 2017-09-04 14:17:28 +07:00
Morris Jobke 0326c2c54f
Fix broken tests 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2017-09-04 14:17:03 +07:00
Julius Härtl 46229a00f3
Add rich link preview to the login page 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2017-09-02 21:39:38 +07:00
Lukas Reschke f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle 
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-07-27 14:17:45 +07:00
Lukas Reschke 2f87fb6b45
Add Clear-Site-Data header 
This adds a Clear-Site-Data header to the logout response which will delete all relevant data in the caches which may contain potentially sensitive content.

See https://w3c.github.io/webappsec-clear-site-data/#header for the definition of the types.

Ref https://twitter.com/mikewest/status/877149667909406723

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-06-20 19:46:10 +07:00
Ujjwal Bhardwaj 7c23414eef
Disable reset password link. Issue: #27440 2017-05-11 10:27:33 +07:00
Christoph Wurst bb1d191f82
Fix remember redirect_url on failed login attempts 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2017-04-25 09:38:19 +07:00
Lukas Reschke 8149945a91
Make BruteForceProtection annotation more clever 
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-04-13 23:05:33 +07:00
Morris Jobke d36751ee38 Merge pull request #2424 from nextcloud/fix-login-controller-test-consolidate-login 
Fix login controller test and consolidate login
 2017-04-13 12:16:38 +07:00
Joas Schilling 7ad791efb4
Dont create a log entry on email login 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2017-04-07 10:15:20 +07:00
Arthur Schiwon 7b3fdfeeaa
do login routine only once when done via LoginController 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2017-04-06 15:22:42 +07:00
Arthur Schiwon 2994cbc586
fix login controller tests 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2017-04-06 15:20:17 +07:00
blizzz 19fc68cbdc Merge pull request #2606 from temparus/master 
Add preLoginValidation hook
 2017-02-15 21:47:47 +07:00
Joas Schilling ac841ee002 Merge pull request #3362 from nextcloud/fix/nc-token-cookie-name 
oc_token should be nc_token
 2017-02-09 10:07:59 +07:00
Sandro Lutz 9b6f99ab08 Update license header 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-07 01:25:39 +07:00
Sandro Lutz fa1d607bfa Merge remote-tracking branch 'nextcloud/master' 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-07 00:15:30 +07:00
Sandro Lutz ff3fa538e4 Add missing use statement for PublicEmitter 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-07 00:12:19 +07:00
Christoph Wurst 5e728d0eda oc_token should be nc_token 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2017-02-02 21:56:44 +07:00
Sandro Lutz 20f878b014 Fix typo for UserManager variable 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:54:00 +07:00
Sandro Lutz 6feff0ceba Add check if UserManager is of type PublicEmitter before calling preLogin hook 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:53:50 +07:00
Sandro Lutz e30d28f7eb Change where preLogin hook gets called 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:53:42 +07:00
Sandro Lutz 6ab0a3215d Remove preLoginValidation hook 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:53:29 +07:00
Sandro Lutz e14d50eb1f Fix indentation 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:50:47 +07:00
Sandro Lutz 4ebcd5ac0b Add preLoginValidation hook 
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
 2017-02-01 21:50:25 +07:00
John Molakvoæ (skjnldsv) 2c9d7eeb76
Fix public page css fallback loading 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
 2017-02-01 18:03:51 +07:00
Morris Jobke 5bad417e57 Merge pull request #2044 from nextcloud/login-credential-store 
Login credential store
 2017-01-30 19:30:04 +07:00
Lukas Reschke bde1150d04 Merge pull request #3004 from nextcloud/fix-installation-css 
Fixed installation page
 2017-01-22 18:28:33 +07:00
Bjoern Schiessle cdf01feba7
add action to existing brute force protection 
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
 2017-01-18 15:25:16 +07:00
Christoph Wurst 140555b786
always allow remembered login 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2017-01-11 19:20:11 +07:00
John Molakvoæ (skjnldsv) e4b3ba6590
Create unified css file and merge all needed data into this file 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
 2017-01-10 17:50:29 +07:00
Joas Schilling 2f21eaaf47
Use login name to fix password confirm with ldap users 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2017-01-05 12:17:30 +07:00
Joas Schilling 924358ef96
Save the timezone on login again 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2016-12-08 10:45:24 +07:00
justin-sleep 25a5c655f7 Move integer casting to the top of the chain 
Signed-off-by: justin-sleep <justin@quarterfull.com>
 2016-12-02 14:07:45 +07:00
Joas Schilling d75e35b75e
Introduce the UI for password confirmation 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2016-11-18 11:57:16 +07:00
Christoph Wurst d907666232
bring back remember-me 
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2016-11-02 13:39:16 +07:00
Joas Schilling 877cb06bfe
Use magic DI for core controllers 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2016-09-30 10:00:26 +07:00
Morris Jobke e341bde8b9 Merge pull request #1172 from nextcloud/core_cleanup 
Core controller cleanup
 2016-08-30 08:32:55 +07:00
Roeland Jago Douma f6423f74e3
Minor cleanup in core Controllers 2016-08-29 21:52:09 +07:00
Christoph Wurst 291dd0bd31 redirect to 2fa provider if there's only one active for the user 2016-08-29 18:36:39 +07:00
Joas Schilling 736e884e9a
Move the reset token to core app 2016-08-23 15:01:38 +07:00
Joas Schilling 139fb8de94
Remove "password reset token" after successful login 2016-08-23 12:54:45 +07:00
Lukas Reschke 9ca25e857c
Redirect users when already logged-in on login form 2016-08-11 15:22:29 +07:00
Thomas Müller 4cf2f97a16
Add missing array element - fixes #25714 2016-08-10 11:11:23 +07:00
Bjoern Schiessle 4ecd16c555
Redirect to default page after login 2016-07-27 12:11:58 +07:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +07:00
Lukas Reschke c1589f163c
Mitigate race condition 2016-07-20 23:09:27 +07:00
Lukas Reschke ba4f12baa0
Implement brute force protection 
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
 2016-07-20 22:08:56 +07:00
Thomas Müller 232d735893
Do not leak the login name - fixes #25047 2016-06-09 16:44:31 +07:00
Christoph Wurst 5e71d23ded
remember redirect_url when solving the 2FA challenge 2016-06-01 14:43:47 +07:00
Vincent Petry 235f03da64 Merge pull request #24795 from owncloud/issue-24789-reset-password-link-new-window 
Allow opening the password reset link in a new window when its a URL
 2016-05-31 10:12:30 +07:00
Lukas Reschke aba539703c
Update license headers 2016-05-26 19:57:24 +07:00
Christoph Wurst ad10485cec
when generating browser/device token, save the login name for later password checks 2016-05-24 11:49:15 +07:00
Christoph Wurst 4128b853e5
login explicitly 2016-05-24 09:48:02 +07:00
Joas Schilling 5c063cf7c9
Allow opening the password reset link in a new window when its a URL 2016-05-24 09:23:25 +07:00
Christoph Wurst dfb4d426c2
Add two factor auth to core 2016-05-23 11:21:10 +07:00
Christoph Wurst e077d78ec9 Show login error message correctly (#24599) 2016-05-12 16:53:50 +07:00
Lukas Reschke ee0ebd192a Use proper URL generation function (#24576) 
Fixes the redirection after login, otherwise `core/files/index` is opened which fails.
 2016-05-11 19:39:57 +07:00
Christoph Wurst 0486d750aa
use the UID for creating the session token, not the login name 2016-05-11 13:36:46 +07:00
Christoph Wurst 214aa6639c
fix login with email 2016-05-11 13:36:46 +07:00
Christoph Wurst 46bdf6ea2b
fix PHPDoc and other minor issues 2016-05-11 13:36:46 +07:00
Christoph Wurst 3ffa7d986a
show login error 2016-05-11 13:36:46 +07:00
Christoph Wurst aa85edd224
increase token column width 
add some range to time() assertions
 2016-05-11 13:36:46 +07:00
Christoph Wurst aafd660b97
fix LoginController unit tests 2016-05-11 13:36:46 +07:00
Christoph Wurst 7aa16e1559
fix setup 2016-05-11 13:36:46 +07:00
Christoph Wurst fdc2cd7554
Add token auth for OCS APIs 2016-05-11 13:36:46 +07:00
Christoph Wurst 3ab922601a
Check if session token is valid and log user out if the check fails 
* Update last_activity timestamp of the session token
* Check user backend credentials once in 5 minutes
 2016-05-11 13:36:46 +07:00
Christoph Wurst d8cde414bd
token based auth 
* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if a auth token exists
* create new token for the browser session if none exists
hash stored token; save user agent
* encrypt login password when creating the token
 2016-05-11 13:36:46 +07:00
Lukas Reschke 8222ad5157
Move logout to controller 
Testable code. Yay.
 2016-04-18 21:21:52 +07:00
Lukas Reschke d4a93893bb
Also check for an empty string 
PHP. Yay.
 2016-04-15 19:53:14 +07:00
Lukas Reschke fee95084ae
Rename `username` to `loginName` 
UID and login name are two different things.
 2016-04-15 19:02:19 +07:00
Lukas Reschke 8a650a51be
Use !== instead of empty 
Users can be named null
 2016-04-15 18:57:11 +07:00
Lukas Reschke 331e4efacb
Move login form into controller 
First step on getting the authorisation stuff cleaned up. This is only for the login form, all other stuff is still where it is.
 2016-04-15 17:36:23 +07:00