f7f9a47ceb
fix: Do not set last-password-confirm for apptoken sessions
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com >
2026-06-16 11:59:13 +02:00
8325e6981b
revert: "Do not do redirect handling when loggin out"
...
This reverts commit 60e5a5eca4https://github.com/nextcloud/server/pull/16310
Signed-off-by: Sebastian Hasler <sebastian.hasler@stuvus.uni-stuttgart.de >
2026-06-09 17:49:00 +02:00
1ab09ec753
chore: Apply new coding standard to all files
...
The diff can be checked using: git diff --ignore-all-space --ignore-blank-lines
To see only the changes not related to blank lines.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com >
2026-06-01 13:46:39 +02:00
e21b7d1121
feat: Add generate session token to CsrfTokenManager
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-05-12 18:24:12 +02:00
279bface8e
refactor: Delete deprecated code from OC_Util
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-05-12 18:24:12 +02:00
32bc6f54d3
refactor: Replace old Utils::callRegister with new API
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-05-12 18:24:12 +02:00
e0ba4d71b6
chore: add missing Override attribute to OC
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
2026-04-28 21:29:27 +02:00
1b504bf4ec
Merge pull request #58863 from nextcloud/fix/annotation-attributes-fix
2026-03-18 08:46:31 +01:00
9b54b06de5
fix(SecurityMiddleware): return header to distinguish error type
...
Currently we return a 403 (Forbidden) when the password confirmation
failed - which itself seems to be inappropriate as its basically a login
failing so a 401 (not authorized) is more appropriate.
This is especially a problem because APIs might return 403 internally
for good reason (e.g. user missing permission) but 401 would not be a
problem.
But as this is a breaking change so my solution to be able to
distinguish API error from password confirmation error is:
Add a header inside the response that marks failed password confirmation
`X-NC-Auth-NotConfirmed`.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
2026-03-11 15:11:29 +01:00
447ee17759
fix: Remove code duplication by using the new method
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com >
2026-03-11 11:36:01 +01:00
f12cecb684
feat(rector): Enable SafeDeclareStrictTypesRector
...
Signed-off-by: provokateurin <kate@provokateurin.de >
2026-02-09 10:59:31 +01:00
65e769a861
refactor: Apply comments
...
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com >
2026-02-06 13:50:46 +01:00
7b6078875b
refactor: Run rector on lib/private
...
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com >
2026-02-06 13:50:18 +01:00
f81475445d
refactor: Move hasAnnotationOrAttribute to MiddlewareUtils
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-01-28 21:48:16 +01:00
6408ed0b51
feat(AppFramework): Add missing NoSameSiteCookieRequired attribute
...
Allow to replace the old annotation.
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com >
2026-01-28 21:48:16 +01:00
8a581c230b
refactor: improve reflection attribute typing
...
This allows tools to see the correct usage of
PasswordConfirmationRequired::getStrict
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at >
2025-12-04 17:37:47 +01:00
2b9083ab29
feat(rate-limit): Allow overwriting the rate limit
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2025-11-12 08:59:40 +01:00
bbe766b07a
fix: Make sure Request class can be dependency injected to fix SameSiteCookieMiddleware injection
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com >
2025-07-08 13:32:14 +02:00
5981b7eb51
chore: apply new CSFixer rules
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
# Conflicts:
# apps/settings/lib/SetupChecks/PhpOpcacheSetup.php
2025-07-01 16:26:50 +02:00
8b0a3a774d
fix: throw a better error if we don't get an authorization header for secutity confirmation
...
Signed-off-by: Robin Appelman <robin@icewind.nl >
2025-06-24 15:57:20 +02:00
3bff9ee3e1
fix: Use login name to check the password
...
Signed-off-by: Louis Chemineau <louis@chmn.me >
2025-04-02 15:50:05 +02:00
095ab4419e
fix(l10n): Improve english source strings
...
- No leading/trailing whitespace
- Use asci single quote
Signed-off-by: Joas Schilling <coding@schilljs.com >
2025-02-26 09:54:32 +01:00
c1655bcde7
fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlist
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2025-01-27 12:46:15 +01:00
a2f2f7ce93
feat: Use inline password confirmation in external storage settings
...
Signed-off-by: Louis Chemineau <louis@chmn.me >
2024-11-28 11:01:54 +01:00
fdd24090ff
fix(Middleware): log deprecation when annotation was actually used
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de >
2024-11-12 22:15:08 +01:00
9836e9b164
chore(deps): Update nextcloud/coding-standard to v1.3.1
...
Signed-off-by: provokateurin <kate@provokateurin.de >
2024-09-19 14:21:20 +02:00
deeccd12a3
chore: fix typo in SameSiteCookieMiddleware
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
2024-08-31 00:34:45 +02:00
92f3f7e2d2
chore: Remove unused CsrfTokenManager from CSPMiddleware
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
2024-08-31 00:34:41 +02:00
af6de04e9e
style: update codestyle for coding-standard 1.2.3
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de >
2024-08-25 19:34:58 +02:00
8b60df1600
perf: delay getting (sub)admin status for user in the security middleware untill we need it
...
Signed-off-by: Robin Appelman <robin@icewind.nl >
2024-08-23 15:26:40 +02:00
73397cd759
fix: Use CSP_NONCE env variable in ContentSecurity Header
...
We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available.
Signed-off-by: Holger Hees <holger.hees@gmail.com >
2024-08-13 09:52:08 +02:00
047479ccf9
feat(security): Add public API to allow validating IP Ranges and checking for "in range"
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com >
2024-07-19 16:28:03 +02:00
202e5b1e95
feat(security): restrict admin actions to IP ranges
...
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com >
2024-07-19 16:28:03 +02:00
40f820470a
chore: use "app_api" session key, "app_api_system" is deprecated
...
Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com >
2024-07-18 17:16:57 +03:00
b7af6ec200
feat: allow for ExApps to call Admin endpoints marked with specific attr
...
Signed-off-by: Alexander Piskun <bigcat88@icloud.com >
2024-07-18 15:11:39 +03:00
e5dcdfb9e0
feat(Security): Warn about using annotations instead of attributes
...
Signed-off-by: provokateurin <kate@provokateurin.de >
2024-07-18 11:25:32 +02:00
5aefdc399e
feat(AppFramework): Add ExAppRequired attribute
...
Signed-off-by: provokateurin <kate@provokateurin.de >
2024-07-01 14:41:20 +02:00
f6d6efef3a
refactor(Token): introduce scope constants
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de >
2024-06-05 19:01:14 +02:00
340939e688
fix(Session): avoid password confirmation on SSO
...
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.
Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de >
2024-06-05 19:01:13 +02:00
dae7c159f7
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de >
2024-05-24 13:11:22 +02:00
f3a4abd98c
fix: add check for app_api_system session flag to bypass rate limit
...
Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com >
Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com >
2024-03-18 20:09:15 +02:00
839ddaa354
feat: rename users to account or person
...
Replace translated text in most locations
Signed-off-by: Vincent Petry <vincent@nextcloud.com >
2024-02-13 21:06:30 +01:00
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com >
2023-11-23 10:36:13 +01:00
0b8a3b578d
fixed Drone test
...
Signed-off-by: Alexander Piskun <bigcat88@icloud.com >
2023-10-06 13:46:37 +03:00
f16c9f42c6
added CORS skip if session was created by AppAPI
...
Signed-off-by: Alexander Piskun <bigcat88@icloud.com >
2023-10-02 11:08:21 +03:00
e477bb7eaf
feat(appframework): Expose programmatic rate limiter
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at >
2023-09-20 20:25:27 +02:00
25309bcb45
techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2023-08-28 15:50:45 +02:00
381c35080d
fix(middleware): Fix header injection for bruteforce middleware
...
Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons
So shifting back to old standard practise for now
Signed-off-by: Joas Schilling <coding@schilljs.com >
2023-08-22 16:00:39 +02:00
2f06f2355d
feat: Add a header which signals that the request was throttled
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2023-08-21 16:36:04 +02:00
12f8543815
Rewrite OCS CSRF check to be readable
...
Signed-off-by: jld3103 <jld3103yt@gmail.com >
2023-08-16 15:52:36 +02:00
Côme Chilliet
Sebastian Hasler
Carl Schwan
Ferdinand Thiessen
Benjamin Gaussorgues
provokateurin
Carl Schwan
Christoph Wurst
Joas Schilling
Robin Appelman
Louis Chemineau
Arthur Schiwon
Daniel Kesselberg
Holger Hees
Andrey Borysenko
Alexander Piskun
Andy Scherzinger
Florian Klinger
Vincent Petry
Alexander Piskun
jld3103