Commit Graph

48 Commits

Author SHA1 Message Date
Joas Schilling 0215b004da Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling ba87db3fcc Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke c1589f163c Mitigate race condition 2016-07-20 23:09:27 +02:00
Lukas Reschke ba4f12baa0 Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Joas Schilling 2c988ecbf4 Use the themed Defaults everywhere 2016-07-15 09:17:30 +02:00
Morris Jobke 2791b8f00d Revert "occ web executor (#24957)"
This reverts commit 854352d9a0.
2016-07-07 12:14:45 +02:00
Lukas Reschke 7a9d60d87e Merge remote-tracking branch 'upstream/master' into master-upstream-sync 2016-06-26 12:55:05 +02:00
VicDeo 854352d9a0 occ web executor (#24957)
* Initial web executor

* Fix PHPDoc

Fix broken integration test

OccControllerTests do not require database access - moch them all!

Kill unused sprintf
2016-06-22 13:12:36 +02:00
Arthur Schiwon 42c66efea5 Merge branch 'master' of https://github.com/owncloud/core into downstream-160611 2016-06-11 15:34:43 +02:00
Lukas Reschke 5fdde426eb Add fancy layout 2016-06-09 17:55:26 +02:00
Thomas Müller 232d735893 Do not leak the login name - fixes #25047 2016-06-09 16:44:31 +02:00
Joas Schilling 7f88645eab Allow to cancel 2FA after login 2016-06-09 14:00:02 +02:00
Christoph Wurst 60e15e934c do not generate device token if 2FA is enable for user 2016-06-09 14:00:00 +02:00
Vincent Petry 7dcc47dc94 Merge pull request #25011 from owncloud/issue-24745-allow-to-cancel-2fa
Allow to cancel 2FA after login
2016-06-08 10:27:21 +02:00
Joas Schilling 3e3b326c85 Allow to cancel 2FA after login 2016-06-07 18:17:29 +02:00
Christoph Wurst 8f7a4aaa4d do not generate device token if 2FA is enable for user 2016-06-07 09:09:51 +02:00
Christoph Wurst 5e71d23ded remember redirect_url when solving the 2FA challenge 2016-06-01 14:43:47 +02:00
Vincent Petry 235f03da64 Merge pull request #24795 from owncloud/issue-24789-reset-password-link-new-window
Allow opening the password reset link in a new window when its a URL
2016-05-31 10:12:30 +02:00
Lukas Reschke aba539703c Update license headers 2016-05-26 19:57:24 +02:00
Vincent Petry 25e6026fa6 Merge pull request #24735 from juliushaertl/passwordreset-invalid
Show error messages if a password reset link is invalid or expired
2016-05-25 11:08:46 +02:00
Christoph Wurst ad10485cec when generating browser/device token, save the login name for later password checks 2016-05-24 11:49:15 +02:00
Christoph Wurst a0ccebfdcb generate device token for UID, not login name
fixes #24785
2016-05-24 09:49:40 +02:00
Christoph Wurst 4128b853e5 login explicitly 2016-05-24 09:48:02 +02:00
Joas Schilling 5c063cf7c9 Allow opening the password reset link in a new window when its a URL 2016-05-24 09:23:25 +02:00
Julius Haertl 8ee2cb47d0 Show error messages if a password reset link is invalid or expired
- Moved token validation to method checkPasswordResetToken
- Render error with message from exceptions
2016-05-23 16:48:10 +02:00
Christoph Wurst dfb4d426c2 Add two factor auth to core 2016-05-23 11:21:10 +02:00
Christoph Wurst e077d78ec9 Show login error message correctly (#24599) 2016-05-12 16:53:50 +02:00
Lukas Reschke ee0ebd192a Use proper URL generation function (#24576)
Fixes the redirection after login, otherwise `core/files/index` is opened which fails.
2016-05-11 19:39:57 +02:00
Christoph Wurst 0486d750aa use the UID for creating the session token, not the login name 2016-05-11 13:36:46 +02:00
Christoph Wurst 214aa6639c fix login with email 2016-05-11 13:36:46 +02:00
Christoph Wurst 46bdf6ea2b fix PHPDoc and other minor issues 2016-05-11 13:36:46 +02:00
Christoph Wurst 3ffa7d986a show login error 2016-05-11 13:36:46 +02:00
Christoph Wurst f0f8bdd495 PHPDoc and other minor fixes 2016-05-11 13:36:46 +02:00
Christoph Wurst fbb5768587 add unit tests for all new classes 2016-05-11 13:36:46 +02:00
Christoph Wurst aa85edd224 increase token column width
add some range to time() assertions
2016-05-11 13:36:46 +02:00
Christoph Wurst aafd660b97 fix LoginController unit tests 2016-05-11 13:36:46 +02:00
Christoph Wurst 7aa16e1559 fix setup 2016-05-11 13:36:46 +02:00
Christoph Wurst fdc2cd7554 Add token auth for OCS APIs 2016-05-11 13:36:46 +02:00
Christoph Wurst 8d48502187 Add index on 'last_activity'
add token type column and delete only temporary tokens in the background job

debounce token updates; fix wrong class import
2016-05-11 13:36:46 +02:00
Christoph Wurst 53636c73d6 Add controller to generate client tokens 2016-05-11 13:36:46 +02:00
Christoph Wurst 3ab922601a Check if session token is valid and log user out if the check fails
* Update last_activity timestamp of the session token
* Check user backend credentials once in 5 minutes
2016-05-11 13:36:46 +02:00
Christoph Wurst d8cde414bd token based auth
* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if a auth token exists
* create new token for the browser session if none exists
hash stored token; save user agent
* encrypt login password when creating the token
2016-05-11 13:36:46 +02:00
Lukas Reschke 8222ad5157 Move logout to controller
Testable code. Yay.
2016-04-18 21:21:52 +02:00
Lukas Reschke d4a93893bb Also check for an empty string
PHP. Yay.
2016-04-15 19:53:14 +02:00
Lukas Reschke fee95084ae Rename username to loginName
UID and login name are two different things.
2016-04-15 19:02:19 +02:00
Lukas Reschke 8a650a51be Use !== instead of empty
Users can be named null
2016-04-15 18:57:11 +02:00
Lukas Reschke 331e4efacb Move login form into controller
First step on getting the authorisation stuff cleaned up. This is only for the login form, all other stuff is still where it is.
2016-04-15 17:36:23 +02:00
Lukas Reschke a4b19a5b1e Rename files to be PSR-4 compliant 2016-04-06 11:00:52 +02:00