mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 987 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50321 Commits
408 Branches
Tree: 6d20876eb2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6d20876eb2'
${ noResults }
nextcloud/core/Controller/LostController.php

LostController.php 12KB
Raw Normal View History

Use appframework
10 years ago
Fix others
7 years ago
Update license headers
9 years ago
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>
6 years ago
Update license headers
8 years ago
Fix others
7 years ago
Update license headers
8 years ago
Update license headers
9 years ago
Fix others
7 years ago
Update license headers
9 years ago
Use appframework
10 years ago
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
9 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
8 years ago
Use appframework
10 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Fix translation bug on lost password page Fix nextcloud/password_policy#26 Signed-off-by: Rémy Jacquin <remy@remyj.fr>
6 years ago
Use appframework
10 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Use appframework
10 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
only warn about data lose on password reset if per-user keys are used Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
5 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
4 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
use more stuff from core :)
10 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Return first value from $users Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
4 years ago
Use appframework
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Add "postPasswordReset" hook
9 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
8 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use appframework
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use appframework
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
use more stuff from core :)
10 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
use more stuff from core :)
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
4 years ago
- adding default value for $recoveryPassword - set password correctly in lost password
9 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Add "postPasswordReset" hook
9 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
- adding default value for $recoveryPassword - set password correctly in lost password
9 years ago
use more stuff from core :)
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
4 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
use more stuff from core :)
10 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
4 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
complete renaming uid to userId
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use appframework
10 years ago
complete renaming uid to userId
10 years ago
Disable the API endpoints as well Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
4 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
use more stuff from core :)
10 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
8 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
4 years ago
use more stuff from core :)
10 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Minor cleanup in core Controllers
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
fix password reset if encryption is enabled Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Stop if there is no encrypted token Fix Argument 1 passed to OC\Security\Crypto::decrypt() must be of the type string, null given Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
4 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Change password expiration time from 12h to 7d We use the same logic for creating accounts without a password and there the 12h is a bit short. Users don't expect that the signup link needs to be clicked within 12h - 7d should be a more expected behavior. Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Minor cleanup in core Controllers
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
more style fixes
10 years ago
use array_merge for merging arrays in PHP
10 years ago
more style fixes
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
prefill userid for login after password reset Signed-off-by: Robin Appelman <robin@icewind.nl>
6 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
prefill userid for login after password reset Signed-off-by: Robin Appelman <robin@icewind.nl>
6 years ago
more style fixes
10 years ago
Changes according to review
10 years ago
Add support for ratelimiting via annotations This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Add at most 10 password reset requests per 5 minutes and IP range Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
use more stuff from core :)
10 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Disable the API endpoints as well Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
never translate login names when requiring with a user id where appropriate, the preLoginNameUsedAsUserName hook should be thrown. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
6 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Disable the API endpoints as well Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
only warn about data lose on password reset if per-user keys are used Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
5 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
more style fixes
10 years ago
use more stuff from core :)
10 years ago
create new encryption keys on password reset and backup the old one Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
- adding default value for $recoveryPassword - set password correctly in lost password
9 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
add password as parameter to the signal so that the encryption can create a new key-pair
9 years ago
Add "postPasswordReset" hook
9 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Move the reset token to core app
7 years ago
Cleanup legacy user class from unused methods Signed-off-by: Morris Jobke <hey@morrisjobke.de>
6 years ago
Fix translation bug on lost password page Fix nextcloud/password_policy#26 Signed-off-by: Rémy Jacquin <remy@remyj.fr>
6 years ago
use more stuff from core :)
10 years ago
more style fixes
10 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
prefill userid for login after password reset Signed-off-by: Robin Appelman <robin@icewind.nl>
6 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
use more stuff from core :)
10 years ago
Merge setMetaData into constructor This ensures that the meta data is set in the beginning Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Also for reset password Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Set the subject with the email template to allow theming Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Fix existing usages Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Fix existing usages Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Set the data from the template Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Changes according to review
10 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Changes according to review
10 years ago
Use appframework
10 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Return first value from $users Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
4 years ago
Enable password reset for user with same email address when only one is active When two or more user share the same email address its not possible to reset password by email. Even when only one account is active. This pr reduce list of users returned by getByEmail by disabled users. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Return first value from $users Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
4 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
4 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use appframework
10 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  *

  5.  * @author Bernhard Posselt <dev@bernhard-posselt.com>

  6.  * @author Bjoern Schiessle <bjoern@schiessle.org>

  7.  * @author Björn Schießle <bjoern@schiessle.org>

  8.  * @author Joas Schilling <coding@schilljs.com>

  9.  * @author Julius Haertl <jus@bitgrid.net>

  10.  * @author Lukas Reschke <lukas@statuscode.ch>

  11.  * @author Morris Jobke <hey@morrisjobke.de>

  12.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  13.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  14.  * @author Victor Dubiniuk <dubiniuk@owncloud.com>

  15.  *

  16.  * @license AGPL-3.0

  17.  *

  18.  * This code is free software: you can redistribute it and/or modify

  19.  * it under the terms of the GNU Affero General Public License, version 3,

  20.  * as published by the Free Software Foundation.

  21.  *

  22.  * This program is distributed in the hope that it will be useful,

  23.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  24.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  25.  * GNU Affero General Public License for more details.

  26.  *

  27.  * You should have received a copy of the GNU Affero General Public License, version 3,

  28.  * along with this program.  If not, see <http://www.gnu.org/licenses/>

  29.  *

  30.  */

  31. 

  32. namespace OC\Core\Controller;

  33. 

  34. use OC\Authentication\TwoFactorAuth\Manager;

  35. use OC\Core\Exception\ResetPasswordException;

  36. use OC\HintException;

  37. use \OCP\AppFramework\Controller;

  38. use OCP\AppFramework\Http\JSONResponse;

  39. use \OCP\AppFramework\Http\TemplateResponse;

  40. use OCP\AppFramework\Utility\ITimeFactory;

  41. use OCP\Defaults;

  42. use OCP\Encryption\IEncryptionModule;

  43. use OCP\Encryption\IManager;

  44. use OCP\IInitialStateService;

  45. use OCP\ILogger;

  46. use \OCP\IURLGenerator;

  47. use \OCP\IRequest;

  48. use \OCP\IL10N;

  49. use \OCP\IConfig;

  50. use OCP\IUser;

  51. use OCP\IUserManager;

  52. use OCP\Mail\IMailer;

  53. use OCP\Security\ICrypto;

  54. use OCP\Security\ISecureRandom;

  55. use function array_filter;

  56. use function count;

  57. use function reset;

  58. 

  59. /**

  60.  * Class LostController

  61.  *

  62.  * Successfully changing a password will emit the post_passwordReset hook.

  63.  *

  64.  * @package OC\Core\Controller

  65.  */

  66. class LostController extends Controller {

  67. 	/** @var IURLGenerator */

  68. 	protected $urlGenerator;

  69. 	/** @var IUserManager */

  70. 	protected $userManager;

  71. 	/** @var Defaults */

  72. 	protected $defaults;

  73. 	/** @var IL10N */

  74. 	protected $l10n;

  75. 	/** @var string */

  76. 	protected $from;

  77. 	/** @var IManager */

  78. 	protected $encryptionManager;

  79. 	/** @var IConfig */

  80. 	protected $config;

  81. 	/** @var ISecureRandom */

  82. 	protected $secureRandom;

  83. 	/** @var IMailer */

  84. 	protected $mailer;

  85. 	/** @var ITimeFactory */

  86. 	protected $timeFactory;

  87. 	/** @var ICrypto */

  88. 	protected $crypto;

  89. 	/** @var ILogger */

  90. 	private $logger;

  91. 	/** @var Manager */

  92. 	private $twoFactorManager;

  93. 	/** @var IInitialStateService */

  94. 	private $initialStateService;

  95. 

  96. 	/**

  97. 	 * @param string $appName

  98. 	 * @param IRequest $request

  99. 	 * @param IURLGenerator $urlGenerator

  100. 	 * @param IUserManager $userManager

  101. 	 * @param Defaults $defaults

  102. 	 * @param IL10N $l10n

  103. 	 * @param IConfig $config

  104. 	 * @param ISecureRandom $secureRandom

  105. 	 * @param string $defaultMailAddress

  106. 	 * @param IManager $encryptionManager

  107. 	 * @param IMailer $mailer

  108. 	 * @param ITimeFactory $timeFactory

  109. 	 * @param ICrypto $crypto

  110. 	 */

  111. 	public function __construct($appName,

  112. 								IRequest $request,

  113. 								IURLGenerator $urlGenerator,

  114. 								IUserManager $userManager,

  115. 								Defaults $defaults,

  116. 								IL10N $l10n,

  117. 								IConfig $config,

  118. 								ISecureRandom $secureRandom,

  119. 								$defaultMailAddress,

  120. 								IManager $encryptionManager,

  121. 								IMailer $mailer,

  122. 								ITimeFactory $timeFactory,

  123. 								ICrypto $crypto,

  124. 								ILogger $logger,

  125. 								Manager $twoFactorManager,

  126. 								IInitialStateService $initialStateService) {

  127. 		parent::__construct($appName, $request);

  128. 		$this->urlGenerator = $urlGenerator;

  129. 		$this->userManager = $userManager;

  130. 		$this->defaults = $defaults;

  131. 		$this->l10n = $l10n;

  132. 		$this->secureRandom = $secureRandom;

  133. 		$this->from = $defaultMailAddress;

  134. 		$this->encryptionManager = $encryptionManager;

  135. 		$this->config = $config;

  136. 		$this->mailer = $mailer;

  137. 		$this->timeFactory = $timeFactory;

  138. 		$this->crypto = $crypto;

  139. 		$this->logger = $logger;

  140. 		$this->twoFactorManager = $twoFactorManager;

  141. 		$this->initialStateService = $initialStateService;

  142. 	}

  143. 

  144. 	/**

  145. 	 * Someone wants to reset their password:

  146. 	 *

  147. 	 * @PublicPage

  148. 	 * @NoCSRFRequired

  149. 	 *

  150. 	 * @param string $token

  151. 	 * @param string $userId

  152. 	 * @return TemplateResponse

  153. 	 */

  154. 	public function resetform($token, $userId) {

  155. 		if ($this->config->getSystemValue('lost_password_link', '') !== '') {

  156. 			return new TemplateResponse('core', 'error', [

  157. 					'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]

  158. 				],

  159. 				'guest'

  160. 			);

  161. 		}

  162. 

  163. 		try {

  164. 			$this->checkPasswordResetToken($token, $userId);

  165. 		} catch (\Exception $e) {

  166. 			return new TemplateResponse(

  167. 				'core', 'error', [

  168. 					"errors" => array(array("error" => $e->getMessage()))

  169. 				],

  170. 				'guest'

  171. 			);

  172. 		}

  173. 		$this->initialStateService->provideInitialState('core', 'resetPasswordUser', $userId);

  174. 		$this->initialStateService->provideInitialState('core', 'resetPasswordTarget',

  175. 			$this->urlGenerator->linkToRouteAbsolute('core.lost.setPassword', ['userId' => $userId, 'token' => $token])

  176. 		);

  177. 

  178. 		return new TemplateResponse(

  179. 			'core',

  180. 			'login',

  181. 			[],

  182. 			'guest'

  183. 		);

  184. 	}

  185. 

  186. 	/**

  187. 	 * @param string $token

  188. 	 * @param string $userId

  189. 	 * @throws \Exception

  190. 	 */

  191. 	protected function checkPasswordResetToken($token, $userId) {

  192. 		$user = $this->userManager->get($userId);

  193. 		if($user === null || !$user->isEnabled()) {

  194. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  195. 		}

  196. 

  197. 		$encryptedToken = $this->config->getUserValue($userId, 'core', 'lostpassword', null);

  198. 		if ($encryptedToken === null) {

  199. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  200. 		}

  201. 

  202. 		try {

  203. 			$mailAddress = !is_null($user->getEMailAddress()) ? $user->getEMailAddress() : '';

  204. 			$decryptedToken = $this->crypto->decrypt($encryptedToken, $mailAddress.$this->config->getSystemValue('secret'));

  205. 		} catch (\Exception $e) {

  206. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  207. 		}

  208. 

  209. 		$splittedToken = explode(':', $decryptedToken);

  210. 		if(count($splittedToken) !== 2) {

  211. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  212. 		}

  213. 

  214. 		if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*24*7) ||

  215. 			$user->getLastLogin() > $splittedToken[0]) {

  216. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired'));

  217. 		}

  218. 

  219. 		if (!hash_equals($splittedToken[1], $token)) {

  220. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  221. 		}

  222. 	}

  223. 

  224. 	/**

  225. 	 * @param $message

  226. 	 * @param array $additional

  227. 	 * @return array

  228. 	 */

  229. 	private function error($message, array $additional=array()) {

  230. 		return array_merge(array('status' => 'error', 'msg' => $message), $additional);

  231. 	}

  232. 

  233. 	/**

  234. 	 * @param array $data

  235. 	 * @return array

  236. 	 */

  237. 	private function success($data = []) {

  238. 		return array_merge($data, ['status'=>'success']);

  239. 	}

  240. 

  241. 	/**

  242. 	 * @PublicPage

  243. 	 * @BruteForceProtection(action=passwordResetEmail)

  244. 	 * @AnonRateThrottle(limit=10, period=300)

  245. 	 *

  246. 	 * @param string $user

  247. 	 * @return JSONResponse

  248. 	 */

  249. 	public function email($user){

  250. 		if ($this->config->getSystemValue('lost_password_link', '') !== '') {

  251. 			return new JSONResponse($this->error($this->l10n->t('Password reset is disabled')));

  252. 		}

  253. 

  254. 		\OCP\Util::emitHook(

  255. 			'\OCA\Files_Sharing\API\Server2Server',

  256. 			'preLoginNameUsedAsUserName',

  257. 			['uid' => &$user]

  258. 		);

  259. 

  260. 		// FIXME: use HTTP error codes

  261. 		try {

  262. 			$this->sendEmail($user);

  263. 		} catch (ResetPasswordException $e) {

  264. 			// Ignore the error since we do not want to leak this info

  265. 			$this->logger->warning('Could not send password reset email: ' . $e->getMessage());

  266. 		} catch (\Exception $e) {

  267. 			$this->logger->logException($e);

  268. 		}

  269. 

  270. 		$response = new JSONResponse($this->success());

  271. 		$response->throttle();

  272. 		return $response;

  273. 	}

  274. 

  275. 	/**

  276. 	 * @PublicPage

  277. 	 * @param string $token

  278. 	 * @param string $userId

  279. 	 * @param string $password

  280. 	 * @param boolean $proceed

  281. 	 * @return array

  282. 	 */

  283. 	public function setPassword($token, $userId, $password, $proceed) {

  284. 		if ($this->config->getSystemValue('lost_password_link', '') !== '') {

  285. 			return $this->error($this->l10n->t('Password reset is disabled'));

  286. 		}

  287. 

  288. 		if ($this->encryptionManager->isEnabled() && !$proceed) {

  289. 			$encryptionModules = $this->encryptionManager->getEncryptionModules();

  290. 			foreach ($encryptionModules as $module) {

  291. 				/** @var IEncryptionModule $instance */

  292. 				$instance = call_user_func($module['callback']);

  293. 				// this way we can find out whether per-user keys are used or a system wide encryption key

  294. 				if ($instance->needDetailedAccessList()) {

  295. 					return $this->error('', array('encryption' => true));

  296. 				}

  297. 			}

  298. 		}

  299. 

  300. 		try {

  301. 			$this->checkPasswordResetToken($token, $userId);

  302. 			$user = $this->userManager->get($userId);

  303. 

  304. 			\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', array('uid' => $userId, 'password' => $password));

  305. 

  306. 			if (!$user->setPassword($password)) {

  307. 				throw new \Exception();

  308. 			}

  309. 

  310. 			\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password));

  311. 

  312. 			$this->twoFactorManager->clearTwoFactorPending($userId);

  313. 

  314. 			$this->config->deleteUserValue($userId, 'core', 'lostpassword');

  315. 			@\OC::$server->getUserSession()->unsetMagicInCookie();

  316. 		} catch (HintException $e){

  317. 			return $this->error($e->getHint());

  318. 		} catch (\Exception $e){

  319. 			return $this->error($e->getMessage());

  320. 		}

  321. 

  322. 		return $this->success(['user' => $userId]);

  323. 	}

  324. 

  325. 	/**

  326. 	 * @param string $input

  327. 	 * @throws ResetPasswordException

  328. 	 * @throws \OCP\PreConditionNotMetException

  329. 	 */

  330. 	protected function sendEmail($input) {

  331. 		$user = $this->findUserByIdOrMail($input);

  332. 		$email = $user->getEMailAddress();

  333. 

  334. 		if (empty($email)) {

  335. 			throw new ResetPasswordException('Could not send reset e-mail since there is no email for username ' . $input);

  336. 		}

  337. 

  338. 		// Generate the token. It is stored encrypted in the database with the

  339. 		// secret being the users' email address appended with the system secret.

  340. 		// This makes the token automatically invalidate once the user changes

  341. 		// their email address.

  342. 		$token = $this->secureRandom->generate(

  343. 			21,

  344. 			ISecureRandom::CHAR_DIGITS.

  345. 			ISecureRandom::CHAR_LOWER.

  346. 			ISecureRandom::CHAR_UPPER

  347. 		);

  348. 		$tokenValue = $this->timeFactory->getTime() .':'. $token;

  349. 		$encryptedValue = $this->crypto->encrypt($tokenValue, $email . $this->config->getSystemValue('secret'));

  350. 		$this->config->setUserValue($user->getUID(), 'core', 'lostpassword', $encryptedValue);

  351. 

  352. 		$link = $this->urlGenerator->linkToRouteAbsolute('core.lost.resetform', array('userId' => $user->getUID(), 'token' => $token));

  353. 

  354. 		$emailTemplate = $this->mailer->createEMailTemplate('core.ResetPassword', [

  355. 			'link' => $link,

  356. 		]);

  357. 

  358. 		$emailTemplate->setSubject($this->l10n->t('%s password reset', [$this->defaults->getName()]));

  359. 		$emailTemplate->addHeader();

  360. 		$emailTemplate->addHeading($this->l10n->t('Password reset'));

  361. 

  362. 		$emailTemplate->addBodyText(

  363. 			htmlspecialchars($this->l10n->t('Click the following button to reset your password. If you have not requested the password reset, then ignore this email.')),

  364. 			$this->l10n->t('Click the following link to reset your password. If you have not requested the password reset, then ignore this email.')

  365. 		);

  366. 

  367. 		$emailTemplate->addBodyButton(

  368. 			htmlspecialchars($this->l10n->t('Reset your password')),

  369. 			$link,

  370. 			false

  371. 		);

  372. 		$emailTemplate->addFooter();

  373. 

  374. 		try {

  375. 			$message = $this->mailer->createMessage();

  376. 			$message->setTo([$email => $user->getUID()]);

  377. 			$message->setFrom([$this->from => $this->defaults->getName()]);

  378. 			$message->useTemplate($emailTemplate);

  379. 			$this->mailer->send($message);

  380. 		} catch (\Exception $e) {

  381. 			// Log the exception and continue

  382. 			$this->logger->logException($e);

  383. 		}

  384. 	}

  385. 

  386. 	/**

  387. 	 * @param string $input

  388. 	 * @return IUser

  389. 	 * @throws ResetPasswordException

  390. 	 */

  391. 	protected function findUserByIdOrMail($input) {

  392. 		$user = $this->userManager->get($input);

  393. 		if ($user instanceof IUser) {

  394. 			if (!$user->isEnabled()) {

  395. 				throw new ResetPasswordException('User is disabled');

  396. 			}

  397. 

  398. 			return $user;

  399. 		}

  400. 

  401. 		$users = array_filter($this->userManager->getByEmail($input), function (IUser $user) {

  402. 			return $user->isEnabled();

  403. 		});

  404. 

  405. 		if (count($users) === 1) {

  406. 			return reset($users);

  407. 		}

  408. 

  409. 		throw new ResetPasswordException('Could not find user');

  410. 	}

  411. }