Commit Graph

78 Commits

Author SHA1 Message Date
Robin Appelman
2389e0f250 read lockdown scope from token
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:27 +01:00
Robin Appelman
b56f2c9ed0 basic lockdown logic
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:23 +01:00
Roeland Jago Douma
f07d75a4dd @since 9.2.0 to @since 11.0.0
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
Thomas Müller
506ccdbd8d Introduce an event for first time login based on the last login time stamp
Use firstLogin event to trigger creation of default calendar and default address book

Delay login of admin user after setup so that firstLogin event can properly be processed for the admin

Fixing tests ...

Skeleton files are not copied over -> only 3 cache entries are remaining

Use updateLastLoginTimestamp to properly set up the lastLogin value for a test user
2016-11-14 14:50:10 +01:00
Christoph Wurst
6f86e468d4 inject ISecureRandom into user session and use injected config too
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Christoph Wurst
d907666232 bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Roeland Jago Douma
f722640a32 Proper DI of config
* Fixed comments

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-28 10:13:35 +02:00
Jörn Friedrich Dreyer
f8352fcb8d introduce callForSeenUsers and countSeenUsers (#26361)
* introduce callForSeenUsers and countSeenUsers

* add tests

* oracle should support not null on clob

* since 9.2.0
2016-10-28 08:44:05 +02:00
Vincent Petry
6d1e858aa4 Fix logClientIn for non-existing users (#26292)
The check for two factor enforcement would return true for non-existing
users. This fix makes it return false in order to be able to perform
the regular login which will then fail and return false.

This prevents throwing PasswordLoginForbidden for non-existing users.
2016-10-25 09:34:27 +02:00
Robin Appelman
25ed6714c7 don't update the auth token twice
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-10-11 11:05:25 +02:00
Roeland Jago Douma
1273d82e8b Cache non-existing DB user
We always query the database backend, even if we use a different one
(LDAP for example). Now we do this every time we try to get a user object,
so caching that a user is not in the DB saves some queries on each
request (at least 2 from what I found).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-10 09:30:36 +02:00
Joas Schilling
4d1acfd4ef Only trigger postDelete hooks when the user was deleted...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-09-29 15:40:53 +02:00
Joas Schilling
5b7b8f8dac Remove notifications upon user deletion
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-09-29 15:40:52 +02:00
Lukas Reschke
57f9117843 Merge pull request #1087 from nextcloud/get-delay-twice
don't get bruteforce delay twice
2016-08-30 18:43:01 +02:00
Thomas Müller
82e8762c84 Fix issues where some user settings cannot be loaded when the user id differs in case sensitivity - fixes #25684 (#25686) 2016-08-29 14:33:16 +02:00
Robin Appelman
6c93fe08f5 don't get bruteforce delay twice 2016-08-29 13:36:49 +02:00
Roeland Jago Douma
6c360ad79f Add PHPdoc 2016-08-15 11:14:28 +02:00
Jörn Friedrich Dreyer
291b3fd8b4 missing PHPDoc 2016-08-14 19:37:52 +02:00
Jörn Friedrich Dreyer
da5633c31a Type compatibility 2016-08-14 19:37:37 +02:00
Jörn Friedrich Dreyer
3593668413 Method is deprecated 2016-08-14 19:37:11 +02:00
Jörn Friedrich Dreyer
5aef60d2ca Unreachable statement 2016-08-14 19:36:42 +02:00
Jörn Friedrich Dreyer
d2a16c4dc8 Unnecessary fully qualified names 2016-08-14 19:36:06 +02:00
michag86
5fb39bd0cb Apply password policy on user creation 2016-08-03 11:52:15 +02:00
Joas Schilling
0215b004da Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling
ba87db3fcc Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke
c1589f163c Mitigate race condition 2016-07-20 23:09:27 +02:00
Lukas Reschke
ba4f12baa0 Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It works by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay is 200 milliseconds (after the first failed login).
2016-07-20 22:08:56 +02:00
Lukas Reschke
179a355b2c Merge remote-tracking branch 'upstream/master' into master-sync-upstream 2016-07-01 11:36:35 +02:00
Christoph Wurst
1710de8afb Login hooks (#25260)
* fix login hooks

* adjust user session tests

* fix login return value of successful token logins

* trigger preLogin hook earlier; extract method 'loginWithPassword'

* call postLogin hook earlier; add PHPDoc
2016-06-27 22:16:22 +02:00
Lukas Reschke
6670d37658 Merge remote-tracking branch 'upstream/master' into master-sync-upstream 2016-06-27 18:23:00 +02:00
Bjoern Schiessle
2a990a0db5 verify user password on change 2016-06-27 14:08:11 +02:00
Christoph Wurst
89198e62e8 check login name when authenticating with client token 2016-06-24 13:57:09 +02:00
Vincent Petry
3db5de95bd Merge pull request #25172 from owncloud/token-login-validation
Token login validation
2016-06-22 13:58:56 +02:00
Christoph Wurst
b805908dca update session token password on user password change 2016-06-21 10:24:25 +02:00
Christoph Wurst
56199eba37 fix unit test warning/errors 2016-06-20 10:41:23 +02:00
Christoph Wurst
9d74ff02a4 fix nitpick 2016-06-20 09:13:47 +02:00
Christoph Wurst
1889df5c7c don't create a session token for clients, validate the app password instead 2016-06-17 15:42:28 +02:00
Christoph Wurst
0c0a216f42 store last check timestamp in token instead of session 2016-06-17 15:42:28 +02:00
Christoph Wurst
c4149c59c2 use token last_activity instead of session value 2016-06-17 15:42:28 +02:00
Christoph Wurst
82b50d126c add PasswordLoginForbiddenException 2016-06-17 11:02:07 +02:00
Christoph Wurst
465807490d create session token only for clients that support cookies 2016-06-13 19:44:05 +02:00
Christoph Wurst
331d88bcab create session token on all APIs 2016-06-13 15:38:34 +02:00
Vincent Petry
6ba18934e6 Merge pull request #25000 from owncloud/fix-email-login-dav
Allow login by email address via webdav as well
2016-06-09 16:28:06 +02:00
Thomas Müller
f20c617154 Allow login by email address via webdav as well - fixes #24791 2016-06-09 12:08:49 +02:00
Christoph Wurst
46e26f6b49 catch sessionnotavailable exception if memory session is used 2016-06-08 15:03:15 +02:00
Christoph Wurst
ec929f07f2 When creating a session token, make sure it's the login password and not a device token 2016-06-08 13:31:55 +02:00
Christoph Wurst
c58d8159d7 Create session tokens for apache auth users 2016-05-31 17:07:49 +02:00
Lukas Reschke
aba539703c Update license headers 2016-05-26 19:57:24 +02:00
Christoph Wurst
a922957f76 add default token auth config on install, upgrade and add it to sample config 2016-05-24 18:02:52 +02:00
Christoph Wurst
28ce7dd262 do not allow client password logins if token auth is enforced or 2FA is enabled 2016-05-24 17:54:02 +02:00