Commit Graph

198 Commits

Author SHA1 Message Date
Côme Chilliet f7f9a47ceb fix: Do not set last-password-confirm for apptoken sessions
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2026-06-16 11:59:13 +02:00
Côme Chilliet 802bce0a77 fix: Use token expiration for ephemeral sessions
This simplifies the code a lot.

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2026-06-15 15:28:38 +02:00
Sebastian Hasler 8325e6981b revert: "Do not do redirect handling when loggin out"
This reverts commit 60e5a5eca4.
That commit was only required due to "executionContext" which has
since been removed. See: https://github.com/nextcloud/server/pull/16310

Signed-off-by: Sebastian Hasler <sebastian.hasler@stuvus.uni-stuttgart.de>
2026-06-09 17:49:00 +02:00
Côme Chilliet 1ab09ec753 chore: Apply new coding standard to all files
The diff can be checked using: git diff --ignore-all-space --ignore-blank-lines
to see only the changes not related to blank lines.

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2026-06-01 13:46:39 +02:00
Carl Schwan e21b7d1121 feat: Add generate session token to CsrfTokenManager
Signed-off-by: Carl Schwan <carlschwan@kde.org>
2026-05-12 18:24:12 +02:00
Carl Schwan 279bface8e refactor: Delete deprecated code from OC_Util
Signed-off-by: Carl Schwan <carlschwan@kde.org>
2026-05-12 18:24:12 +02:00
Carl Schwan 32bc6f54d3 refactor: Replace old Utils::callRegister with new API
Signed-off-by: Carl Schwan <carlschwan@kde.org>
2026-05-12 18:24:12 +02:00
Ferdinand Thiessen e0ba4d71b6 chore: add missing Override attribute to OC
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2026-04-28 21:29:27 +02:00
Benjamin Gaussorgues 1b504bf4ec Merge pull request #58863 from nextcloud/fix/annotation-attributes-fix 2026-03-18 08:46:31 +01:00
Joas Schilling 5f80f26799 chore: Fix SPDX header
Signed-off-by: Joas Schilling <coding@schilljs.com>
2026-03-16 08:38:16 +01:00
David Dreschner 2bb9524c84 fix: Remove deprecated RFC7231 constant to avoid warnings on PHP 8.5
Signed-off-by: David Dreschner <david.dreschner@nextcloud.com>
2026-03-13 10:43:38 +01:00
Ferdinand Thiessen 9b54b06de5 fix(SecurityMiddleware): return header to distinguish error type
Currently we return a 403 (Forbidden) when the password confirmation
failed - which itself seems to be inappropriate as it's basically a login
failing, so a 401 (not authorized) is more appropriate.

This is especially a problem because APIs might return 403 internally
for good reason (e.g. user missing permission) but 401 would not be a
problem.

But as this is a breaking change, my solution to be able to
distinguish an API error from a password confirmation error is:

Add a header inside the response that marks failed password confirmation
`X-NC-Auth-NotConfirmed`.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2026-03-11 15:11:29 +01:00
Côme Chilliet 447ee17759 fix: Remove code duplication by using the new method
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2026-03-11 11:36:01 +01:00
Côme Chilliet 520878338f fix: Move hasAnnotationOrAttribute to the reflector
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2026-03-11 11:16:26 +01:00
provokateurin f12cecb684 feat(rector): Enable SafeDeclareStrictTypesRector
Signed-off-by: provokateurin <kate@provokateurin.de>
2026-02-09 10:59:31 +01:00
Carl Schwan 65e769a861 refactor: Apply comments
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com>
2026-02-06 13:50:46 +01:00
Carl Schwan 7b6078875b refactor: Run rector on lib/private
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com>
2026-02-06 13:50:18 +01:00
Carl Schwan f81475445d refactor: Move hasAnnotationOrAttribute to MiddlewareUtils
Signed-off-by: Carl Schwan <carlschwan@kde.org>
2026-01-28 21:48:16 +01:00
Carl Schwan 6408ed0b51 feat(AppFramework): Add missing NoSameSiteCookieRequired attribute
Allows replacing the old annotation.

Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com>
2026-01-28 21:48:16 +01:00
Christoph Wurst 8a581c230b refactor: improve reflection attribute typing
This allows tools to see the correct usage of
PasswordConfirmationRequired::getStrict

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2025-12-04 17:37:47 +01:00
Kate e5f50dafcb Merge pull request #55620 from nextcloud/fix/appframework/check-reponder-existence 2025-11-12 11:46:08 +01:00
provokateurin f720925b06 fix(AppFramework): Check for responder existence
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-11-12 09:39:53 +01:00
Joas Schilling 2b9083ab29 feat(rate-limit): Allow overwriting the rate limit
Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-11-12 08:59:40 +01:00
Louis Chmn ed4a1708f2 feat(EphemeralSessions): Introduce lax period
Signed-off-by: Louis Chmn <louis@chmn.me>
2025-11-05 16:08:13 +01:00
Kate a1709f576e Merge pull request #54627 from nextcloud/fix/ocs/accept-header 2025-08-28 14:03:23 +02:00
provokateurin aab11d35d3 fix(OCS): Add IRequest::getFormat to determine the response Content-Type the same way everywhere
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-08-26 09:50:03 +02:00
Joas Schilling 11aa997da3 fix(2fa): Fix 2FA session setup when ephemeral session is used
Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-08-25 10:39:17 +02:00
Christoph Wurst 084a2e8859 fix(session): log when ephemeral sessions are closed
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2025-07-23 07:52:06 +02:00
Côme Chilliet bbe766b07a fix: Make sure Request class can be dependency injected to fix SameSiteCookieMiddleware injection
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2025-07-08 13:32:14 +02:00
Ferdinand Thiessen 5981b7eb51 chore: apply new CSFixer rules
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

# Conflicts:
#	apps/settings/lib/SetupChecks/PhpOpcacheSetup.php
2025-07-01 16:26:50 +02:00
Robin Appelman 8b0a3a774d fix: throw a better error if we don't get an authorization header for security confirmation
Signed-off-by: Robin Appelman <robin@icewind.nl>
2025-06-24 15:57:20 +02:00
Daniel Kesselberg be587def0e fix: use correct format for expires, last-modified, and if-modified-since headers
Before: Sat, 10 May 2025 18:17:41 +0000
After: Sat, 10 May 2025 18:17:41 GMT

RFC: https://httpwg.org/specs/rfc9110.html#http.date

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2025-06-10 13:15:31 +02:00
Joas Schilling 7964f338dc fix(throttler): Remove the sleep from the throttler that throws
The sleep is not adding benefit when it's being aborted with 429
in other cases anyway.

Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-05-02 11:27:29 +02:00
Louis Chemineau 3bff9ee3e1 fix: Use login name to check the password
Signed-off-by: Louis Chemineau <louis@chmn.me>
2025-04-02 15:50:05 +02:00
Joas Schilling c9aea8ffdf fix(auth): Allow 2FA challenges for Ephemeral sessions
Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-03-18 09:52:51 +01:00
Louis Chemineau a163fa08d0 fix(login): Properly target public page with attribute
Signed-off-by: Louis Chemineau <louis@chmn.me>
2025-03-05 16:36:26 +01:00
Louis Chemineau 47bd75a052 fix(login): Also check legacy annotation for ephemeral sessions
Signed-off-by: Louis Chemineau <louis@chmn.me>
2025-02-27 13:12:55 +01:00
Louis c7900de4f2 Merge pull request #51051 from nextcloud/artonge/fix/login_flow_v2_sessions_2
feat: Close sessions created for login flow v2
2025-02-27 08:52:00 +01:00
Louis Chemineau c6293204a2 feat: Close sessions created for login flow v2
Sessions created during the login flow v2 should be short-lived so as not to leave an unexpectedly open session in the browser.

This commit adds a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non-public page request.

Signed-off-by: Louis Chemineau <louis@chmn.me>
2025-02-26 13:42:18 +01:00
Joas Schilling 095ab4419e fix(l10n): Improve english source strings
- No leading/trailing whitespace
- Use ASCII single quote

Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-02-26 09:54:32 +01:00
Joas Schilling c1655bcde7 fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlist
Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-01-27 12:46:15 +01:00
Louis Chemineau a2f2f7ce93 feat: Use inline password confirmation in external storage settings
Signed-off-by: Louis Chemineau <louis@chmn.me>
2024-11-28 11:01:54 +01:00
Arthur Schiwon fdd24090ff fix(Middleware): log deprecation when annotation was actually used
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2024-11-12 22:15:08 +01:00
provokateurin 9836e9b164 chore(deps): Update nextcloud/coding-standard to v1.3.1
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-09-19 14:21:20 +02:00
Ferdinand Thiessen deeccd12a3 chore: fix typo in SameSiteCookieMiddleware
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-08-31 00:34:45 +02:00
Ferdinand Thiessen 92f3f7e2d2 chore: Remove unused CsrfTokenManager from CSPMiddleware
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-08-31 00:34:41 +02:00
Daniel Kesselberg af6de04e9e style: update codestyle for coding-standard 1.2.3
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2024-08-25 19:34:58 +02:00
Robin Appelman 8b60df1600 perf: delay getting (sub)admin status for user in the security middleware until we need it
Signed-off-by: Robin Appelman <robin@icewind.nl>
2024-08-23 15:26:40 +02:00
Holger Hees 73397cd759 fix: Use CSP_NONCE env variable in ContentSecurity Header
We should use 'cspNonceManager' for requesting the NONCE value, because it does the same as before, except that it honors a CSP_NONCE environment variable if available.

Signed-off-by: Holger Hees <holger.hees@gmail.com>
2024-08-13 09:52:08 +02:00
skjnldsv db28aa8cd1 fix(files_sharing): show proper share not found error message
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-08-06 16:25:10 +02:00