mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1005 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49609 Commits
408 Branches
Tree: df072471a7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'df072471a7'
${ noResults }
nextcloud/core/Controller/LostController.php

LostController.php 12KB
Raw Normal View History

Use appframework
10 years ago
Fix others
8 years ago
Update license headers
9 years ago
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>
6 years ago
Update license headers
8 years ago
Fix others
8 years ago
Update license headers
8 years ago
Update license headers
9 years ago
Fix others
8 years ago
Update license headers
9 years ago
Use appframework
10 years ago
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
9 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
8 years ago
Use appframework
10 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Fix translation bug on lost password page Fix nextcloud/password_policy#26 Signed-off-by: Rémy Jacquin <remy@remyj.fr>
6 years ago
Use appframework
10 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Use appframework
10 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
only warn about data lose on password reset if per-user keys are used Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
5 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
use more stuff from core :)
10 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use appframework
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Add "postPasswordReset" hook
9 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
8 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use appframework
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use appframework
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
use more stuff from core :)
10 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
use more stuff from core :)
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
- adding default value for $recoveryPassword - set password correctly in lost password
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Add "postPasswordReset" hook
9 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
- adding default value for $recoveryPassword - set password correctly in lost password
10 years ago
use more stuff from core :)
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
use more stuff from core :)
10 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Expire token after 12h and if user logged-in again As an hardening measure we should expire password reset tokens after 12h and if the user has logged-in again successfully after the token was requested.
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
complete renaming uid to userId
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Use appframework
10 years ago
complete renaming uid to userId
10 years ago
Disable the API endpoints as well Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
use more stuff from core :)
10 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
8 years ago
use more stuff from core :)
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
use more stuff from core :)
10 years ago
Use appframework
10 years ago
use more stuff from core :)
10 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Minor cleanup in core Controllers
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
fix password reset if encryption is enabled Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Change password expiration time from 12h to 7d We use the same logic for creating accounts without a password and there the 12h is a bit short. Users don't expect that the signup link needs to be clicked within 12h - 7d should be a more expected behavior. Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Minor cleanup in core Controllers
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
more style fixes
10 years ago
use array_merge for merging arrays in PHP
10 years ago
more style fixes
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
prefill userid for login after password reset Signed-off-by: Robin Appelman <robin@icewind.nl>
6 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
prefill userid for login after password reset Signed-off-by: Robin Appelman <robin@icewind.nl>
6 years ago
more style fixes
10 years ago
Changes according to review
10 years ago
Add support for ratelimiting via annotations This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Add at most 10 password reset requests per 5 minutes and IP range Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
use more stuff from core :)
10 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Disable the API endpoints as well Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
never translate login names when requiring with a user id where appropriate, the preLoginNameUsedAsUserName hook should be thrown. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
6 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
7 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Disable the API endpoints as well Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
only warn about data lose on password reset if per-user keys are used Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
5 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Changes according to review
10 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
8 years ago
more style fixes
10 years ago
use more stuff from core :)
10 years ago
create new encryption keys on password reset and backup the old one Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
- adding default value for $recoveryPassword - set password correctly in lost password
10 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
add password as parameter to the signal so that the encryption can create a new key-pair
9 years ago
Add "postPasswordReset" hook
9 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
5 years ago
Move the reset token to core app
7 years ago
Cleanup legacy user class from unused methods Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Fix translation bug on lost password page Fix nextcloud/password_policy#26 Signed-off-by: Rémy Jacquin <remy@remyj.fr>
6 years ago
use more stuff from core :)
10 years ago
more style fixes
10 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
prefill userid for login after password reset Signed-off-by: Robin Appelman <robin@icewind.nl>
6 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
User IUser::getEMailAddress() all over the place
8 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
use more stuff from core :)
10 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
[WIP] Use mail for encrypting the password reset token as well
7 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
use more stuff from core :)
10 years ago
Merge setMetaData into constructor This ensures that the meta data is set in the beginning Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Also for reset password Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Set the subject with the email template to allow theming Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Fix existing usages Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Fix existing usages Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
use more stuff from core :)
10 years ago
Changes according to review
10 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Set the data from the template Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Use new IMailer and add unit-tests for lostcontroller
9 years ago
Changes according to review
10 years ago
more style fixes
10 years ago
Migrate ´ to '
10 years ago
more style fixes
10 years ago
Changes according to review
10 years ago
Use appframework
10 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Enable password reset for user with same email address when only one is active When two or more user share the same email address its not possible to reset password by email. Even when only one account is active. This pr reduce list of users returned by getByEmail by disabled users. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Enable password reset for user with same email address when only one is active When two or more user share the same email address its not possible to reset password by email. Even when only one account is active. This pr reduce list of users returned by getByEmail by disabled users. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Enable password reset for user with same email address when only one is active When two or more user share the same email address its not possible to reset password by email. Even when only one account is active. This pr reduce list of users returned by getByEmail by disabled users. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Enable password reset for user with same email address when only one is active When two or more user share the same email address its not possible to reset password by email. Even when only one account is active. This pr reduce list of users returned by getByEmail by disabled users. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Use appframework
10 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  *

  5.  * @author Bernhard Posselt <dev@bernhard-posselt.com>

  6.  * @author Bjoern Schiessle <bjoern@schiessle.org>

  7.  * @author Björn Schießle <bjoern@schiessle.org>

  8.  * @author Joas Schilling <coding@schilljs.com>

  9.  * @author Julius Haertl <jus@bitgrid.net>

  10.  * @author Lukas Reschke <lukas@statuscode.ch>

  11.  * @author Morris Jobke <hey@morrisjobke.de>

  12.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  13.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  14.  * @author Victor Dubiniuk <dubiniuk@owncloud.com>

  15.  *

  16.  * @license AGPL-3.0

  17.  *

  18.  * This code is free software: you can redistribute it and/or modify

  19.  * it under the terms of the GNU Affero General Public License, version 3,

  20.  * as published by the Free Software Foundation.

  21.  *

  22.  * This program is distributed in the hope that it will be useful,

  23.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  24.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  25.  * GNU Affero General Public License for more details.

  26.  *

  27.  * You should have received a copy of the GNU Affero General Public License, version 3,

  28.  * along with this program.  If not, see <http://www.gnu.org/licenses/>

  29.  *

  30.  */

  31. 

  32. namespace OC\Core\Controller;

  33. 

  34. use OC\Authentication\TwoFactorAuth\Manager;

  35. use OC\HintException;

  36. use \OCP\AppFramework\Controller;

  37. use OCP\AppFramework\Http\JSONResponse;

  38. use \OCP\AppFramework\Http\TemplateResponse;

  39. use OCP\AppFramework\Utility\ITimeFactory;

  40. use OCP\Defaults;

  41. use OCP\Encryption\IEncryptionModule;

  42. use OCP\Encryption\IManager;

  43. use OCP\ILogger;

  44. use \OCP\IURLGenerator;

  45. use \OCP\IRequest;

  46. use \OCP\IL10N;

  47. use \OCP\IConfig;

  48. use OCP\IUser;

  49. use OCP\IUserManager;

  50. use OCP\Mail\IMailer;

  51. use OCP\Security\ICrypto;

  52. use OCP\Security\ISecureRandom;

  53. 

  54. /**

  55.  * Class LostController

  56.  *

  57.  * Successfully changing a password will emit the post_passwordReset hook.

  58.  *

  59.  * @package OC\Core\Controller

  60.  */

  61. class LostController extends Controller {

  62. 	/** @var IURLGenerator */

  63. 	protected $urlGenerator;

  64. 	/** @var IUserManager */

  65. 	protected $userManager;

  66. 	/** @var Defaults */

  67. 	protected $defaults;

  68. 	/** @var IL10N */

  69. 	protected $l10n;

  70. 	/** @var string */

  71. 	protected $from;

  72. 	/** @var IManager */

  73. 	protected $encryptionManager;

  74. 	/** @var IConfig */

  75. 	protected $config;

  76. 	/** @var ISecureRandom */

  77. 	protected $secureRandom;

  78. 	/** @var IMailer */

  79. 	protected $mailer;

  80. 	/** @var ITimeFactory */

  81. 	protected $timeFactory;

  82. 	/** @var ICrypto */

  83. 	protected $crypto;

  84. 	/** @var ILogger */

  85. 	private $logger;

  86. 	/** @var Manager */

  87. 	private $twoFactorManager;

  88. 

  89. 	/**

  90. 	 * @param string $appName

  91. 	 * @param IRequest $request

  92. 	 * @param IURLGenerator $urlGenerator

  93. 	 * @param IUserManager $userManager

  94. 	 * @param Defaults $defaults

  95. 	 * @param IL10N $l10n

  96. 	 * @param IConfig $config

  97. 	 * @param ISecureRandom $secureRandom

  98. 	 * @param string $defaultMailAddress

  99. 	 * @param IManager $encryptionManager

  100. 	 * @param IMailer $mailer

  101. 	 * @param ITimeFactory $timeFactory

  102. 	 * @param ICrypto $crypto

  103. 	 */

  104. 	public function __construct($appName,

  105. 								IRequest $request,

  106. 								IURLGenerator $urlGenerator,

  107. 								IUserManager $userManager,

  108. 								Defaults $defaults,

  109. 								IL10N $l10n,

  110. 								IConfig $config,

  111. 								ISecureRandom $secureRandom,

  112. 								$defaultMailAddress,

  113. 								IManager $encryptionManager,

  114. 								IMailer $mailer,

  115. 								ITimeFactory $timeFactory,

  116. 								ICrypto $crypto,

  117. 								ILogger $logger,

  118. 								Manager $twoFactorManager) {

  119. 		parent::__construct($appName, $request);

  120. 		$this->urlGenerator = $urlGenerator;

  121. 		$this->userManager = $userManager;

  122. 		$this->defaults = $defaults;

  123. 		$this->l10n = $l10n;

  124. 		$this->secureRandom = $secureRandom;

  125. 		$this->from = $defaultMailAddress;

  126. 		$this->encryptionManager = $encryptionManager;

  127. 		$this->config = $config;

  128. 		$this->mailer = $mailer;

  129. 		$this->timeFactory = $timeFactory;

  130. 		$this->crypto = $crypto;

  131. 		$this->logger = $logger;

  132. 		$this->twoFactorManager = $twoFactorManager;

  133. 	}

  134. 

  135. 	/**

  136. 	 * Someone wants to reset their password:

  137. 	 *

  138. 	 * @PublicPage

  139. 	 * @NoCSRFRequired

  140. 	 *

  141. 	 * @param string $token

  142. 	 * @param string $userId

  143. 	 * @return TemplateResponse

  144. 	 */

  145. 	public function resetform($token, $userId) {

  146. 		if ($this->config->getSystemValue('lost_password_link', '') !== '') {

  147. 			return new TemplateResponse('core', 'error', [

  148. 					'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]

  149. 				],

  150. 				'guest'

  151. 			);

  152. 		}

  153. 

  154. 		try {

  155. 			$this->checkPasswordResetToken($token, $userId);

  156. 		} catch (\Exception $e) {

  157. 			return new TemplateResponse(

  158. 				'core', 'error', [

  159. 					"errors" => array(array("error" => $e->getMessage()))

  160. 				],

  161. 				'guest'

  162. 			);

  163. 		}

  164. 

  165. 		return new TemplateResponse(

  166. 			'core',

  167. 			'lostpassword/resetpassword',

  168. 			array(

  169. 				'link' => $this->urlGenerator->linkToRouteAbsolute('core.lost.setPassword', array('userId' => $userId, 'token' => $token)),

  170. 			),

  171. 			'guest'

  172. 		);

  173. 	}

  174. 

  175. 	/**

  176. 	 * @param string $token

  177. 	 * @param string $userId

  178. 	 * @throws \Exception

  179. 	 */

  180. 	protected function checkPasswordResetToken($token, $userId) {

  181. 		$user = $this->userManager->get($userId);

  182. 		if($user === null || !$user->isEnabled()) {

  183. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  184. 		}

  185. 

  186. 		try {

  187. 			$encryptedToken = $this->config->getUserValue($userId, 'core', 'lostpassword', null);

  188. 			$mailAddress = !is_null($user->getEMailAddress()) ? $user->getEMailAddress() : '';

  189. 			$decryptedToken = $this->crypto->decrypt($encryptedToken, $mailAddress.$this->config->getSystemValue('secret'));

  190. 		} catch (\Exception $e) {

  191. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  192. 		}

  193. 

  194. 		$splittedToken = explode(':', $decryptedToken);

  195. 		if(count($splittedToken) !== 2) {

  196. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  197. 		}

  198. 

  199. 		if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*24*7) ||

  200. 			$user->getLastLogin() > $splittedToken[0]) {

  201. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired'));

  202. 		}

  203. 

  204. 		if (!hash_equals($splittedToken[1], $token)) {

  205. 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));

  206. 		}

  207. 	}

  208. 

  209. 	/**

  210. 	 * @param $message

  211. 	 * @param array $additional

  212. 	 * @return array

  213. 	 */

  214. 	private function error($message, array $additional=array()) {

  215. 		return array_merge(array('status' => 'error', 'msg' => $message), $additional);

  216. 	}

  217. 

  218. 	/**

  219. 	 * @param array $data

  220. 	 * @return array

  221. 	 */

  222. 	private function success($data = []) {

  223. 		return array_merge($data, ['status'=>'success']);

  224. 	}

  225. 

  226. 	/**

  227. 	 * @PublicPage

  228. 	 * @BruteForceProtection(action=passwordResetEmail)

  229. 	 * @AnonRateThrottle(limit=10, period=300)

  230. 	 *

  231. 	 * @param string $user

  232. 	 * @return JSONResponse

  233. 	 */

  234. 	public function email($user){

  235. 		if ($this->config->getSystemValue('lost_password_link', '') !== '') {

  236. 			return new JSONResponse($this->error($this->l10n->t('Password reset is disabled')));

  237. 		}

  238. 

  239. 		\OCP\Util::emitHook(

  240. 			'\OCA\Files_Sharing\API\Server2Server',

  241. 			'preLoginNameUsedAsUserName',

  242. 			['uid' => &$user]

  243. 		);

  244. 

  245. 		// FIXME: use HTTP error codes

  246. 		try {

  247. 			$this->sendEmail($user);

  248. 		} catch (\Exception $e) {

  249. 			// Ignore the error since we do not want to leak this info

  250. 			$this->logger->logException($e, [

  251. 				'level' => ILogger::WARN

  252. 			]);

  253. 		}

  254. 

  255. 		$response = new JSONResponse($this->success());

  256. 		$response->throttle();

  257. 		return $response;

  258. 	}

  259. 

  260. 	/**

  261. 	 * @PublicPage

  262. 	 * @param string $token

  263. 	 * @param string $userId

  264. 	 * @param string $password

  265. 	 * @param boolean $proceed

  266. 	 * @return array

  267. 	 */

  268. 	public function setPassword($token, $userId, $password, $proceed) {

  269. 		if ($this->config->getSystemValue('lost_password_link', '') !== '') {

  270. 			return $this->error($this->l10n->t('Password reset is disabled'));

  271. 		}

  272. 

  273. 		if ($this->encryptionManager->isEnabled() && !$proceed) {

  274. 			$encryptionModules = $this->encryptionManager->getEncryptionModules();

  275. 			foreach ($encryptionModules as $module) {

  276. 				/** @var IEncryptionModule $instance */

  277. 				$instance = call_user_func($module['callback']);

  278. 				// this way we can find out whether per-user keys are used or a system wide encryption key

  279. 				if ($instance->needDetailedAccessList()) {

  280. 					return $this->error('', array('encryption' => true));

  281. 				}

  282. 			}

  283. 		}

  284. 

  285. 		try {

  286. 			$this->checkPasswordResetToken($token, $userId);

  287. 			$user = $this->userManager->get($userId);

  288. 

  289. 			\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', array('uid' => $userId, 'password' => $password));

  290. 

  291. 			if (!$user->setPassword($password)) {

  292. 				throw new \Exception();

  293. 			}

  294. 

  295. 			\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password));

  296. 

  297. 			$this->twoFactorManager->clearTwoFactorPending($userId);

  298. 

  299. 			$this->config->deleteUserValue($userId, 'core', 'lostpassword');

  300. 			@\OC::$server->getUserSession()->unsetMagicInCookie();

  301. 		} catch (HintException $e){

  302. 			return $this->error($e->getHint());

  303. 		} catch (\Exception $e){

  304. 			return $this->error($e->getMessage());

  305. 		}

  306. 

  307. 		return $this->success(['user' => $userId]);

  308. 	}

  309. 

  310. 	/**

  311. 	 * @param string $input

  312. 	 * @throws \Exception

  313. 	 */

  314. 	protected function sendEmail($input) {

  315. 		$user = $this->findUserByIdOrMail($input);

  316. 		$email = $user->getEMailAddress();

  317. 

  318. 		if (empty($email)) {

  319. 			throw new \Exception(

  320. 				$this->l10n->t('Could not send reset email because there is no email address for this username. Please contact your administrator.')

  321. 			);

  322. 		}

  323. 

  324. 		// Generate the token. It is stored encrypted in the database with the

  325. 		// secret being the users' email address appended with the system secret.

  326. 		// This makes the token automatically invalidate once the user changes

  327. 		// their email address.

  328. 		$token = $this->secureRandom->generate(

  329. 			21,

  330. 			ISecureRandom::CHAR_DIGITS.

  331. 			ISecureRandom::CHAR_LOWER.

  332. 			ISecureRandom::CHAR_UPPER

  333. 		);

  334. 		$tokenValue = $this->timeFactory->getTime() .':'. $token;

  335. 		$encryptedValue = $this->crypto->encrypt($tokenValue, $email . $this->config->getSystemValue('secret'));

  336. 		$this->config->setUserValue($user->getUID(), 'core', 'lostpassword', $encryptedValue);

  337. 

  338. 		$link = $this->urlGenerator->linkToRouteAbsolute('core.lost.resetform', array('userId' => $user->getUID(), 'token' => $token));

  339. 

  340. 		$emailTemplate = $this->mailer->createEMailTemplate('core.ResetPassword', [

  341. 			'link' => $link,

  342. 		]);

  343. 

  344. 		$emailTemplate->setSubject($this->l10n->t('%s password reset', [$this->defaults->getName()]));

  345. 		$emailTemplate->addHeader();

  346. 		$emailTemplate->addHeading($this->l10n->t('Password reset'));

  347. 

  348. 		$emailTemplate->addBodyText(

  349. 			htmlspecialchars($this->l10n->t('Click the following button to reset your password. If you have not requested the password reset, then ignore this email.')),

  350. 			$this->l10n->t('Click the following link to reset your password. If you have not requested the password reset, then ignore this email.')

  351. 		);

  352. 

  353. 		$emailTemplate->addBodyButton(

  354. 			htmlspecialchars($this->l10n->t('Reset your password')),

  355. 			$link,

  356. 			false

  357. 		);

  358. 		$emailTemplate->addFooter();

  359. 

  360. 		try {

  361. 			$message = $this->mailer->createMessage();

  362. 			$message->setTo([$email => $user->getUID()]);

  363. 			$message->setFrom([$this->from => $this->defaults->getName()]);

  364. 			$message->useTemplate($emailTemplate);

  365. 			$this->mailer->send($message);

  366. 		} catch (\Exception $e) {

  367. 			throw new \Exception($this->l10n->t(

  368. 				'Couldn\'t send reset email. Please contact your administrator.'

  369. 			));

  370. 		}

  371. 	}

  372. 

  373. 	/**

  374. 	 * @param string $input

  375. 	 * @return IUser

  376. 	 * @throws \InvalidArgumentException

  377. 	 */

  378. 	protected function findUserByIdOrMail($input) {

  379. 		$userNotFound = new \InvalidArgumentException(

  380. 			$this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.')

  381. 		);

  382. 

  383. 		$user = $this->userManager->get($input);

  384. 		if ($user instanceof IUser) {

  385. 			if (!$user->isEnabled()) {

  386. 				throw $userNotFound;

  387. 			}

  388. 

  389. 			return $user;

  390. 		}

  391. 

  392. 		$users = \array_filter($this->userManager->getByEmail($input), function (IUser $user) {

  393. 			return $user->isEnabled();

  394. 		});

  395. 

  396. 		if (\count($users) === 1) {

  397. 			return $users[0];

  398. 		}

  399. 

  400. 		throw $userNotFound;

  401. 	}

  402. }