aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/AppFramework/Middleware/Security
Commit message (Collapse)AuthorAgeFilesLines
* fix: add check for app_api_system session flag to bypass rate limitFlorian Klinger2024-03-181-0/+7
| | | | | Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com> Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
* feat: rename users to account or personVincent Petry2024-02-131-3/+3
| | | | | | Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com>
* chore: apply changes from Nextcloud coding standards 1.1.1Joas Schilling2023-11-235-21/+21
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* fixed Drone testAlexander Piskun2023-10-061-1/+2
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* added CORS skip if session was created by AppAPIAlexander Piskun2023-10-021-0/+4
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* feat(appframework): Expose programmatic rate limiterChristoph Wurst2023-09-201-0/+3
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25Joas Schilling2023-08-282-11/+5
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(middleware): Fix header injection for bruteforce middlewareJoas Schilling2023-08-221-5/+1
| | | | | | | Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons So shifting back to old standard practise for now Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat: Add a header which signals that the request was throttledJoas Schilling2023-08-211-4/+14
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Rewrite OCS CSRF check to be readablejld31032023-08-161-7/+15
| | | | Signed-off-by: jld3103 <jld3103yt@gmail.com>
* Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_privateRobin Appelman2023-06-011-1/+1
|\ | | | | Refactors "strpos" calls in lib/private to improve code readability.
| * Refactors "strpos" calls in lib/private to improve code readability.Faraz Samapoor2023-05-151-1/+1
| | | | | | | | Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
* | fix(middleware): Also abort the request when reaching max delay in ↵Joas Schilling2023-05-151-22/+30
|/ | | | | | afterController Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(security): Add PHP \Attribute for remaining security annotationsJoas Schilling2023-04-254-27/+132
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(ratelimit): Add Attributes support to rate limit middlewareJoas Schilling2023-04-241-41/+77
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(security)!: Use consistent HTTP status for strict cookie checksChristoph Wurst2023-04-171-0/+3
| | | | | | | Before: 503/412 Now: 412 + json body explaining the error Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add a debug message when throttling without definingJoas Schilling2023-03-081-10/+9
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute ↵Joas Schilling2023-03-081-5/+43
| | | | | | and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to ↵Ferdinand Thiessen2023-02-161-1/+1
| | | | | | prevent CSRF attack vectors Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
* composer run cs:fixCôme Chilliet2023-01-205-10/+5
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Allow CSRF on CORS routesJonas Rittershofer2022-09-211-0/+4
| | | | | | Co-authored-by: Julius Härtl <jus@bitgrid.net> Co-authored-by: Andreas Brinner <andreas@everlanes.net> Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
* Update core to PHP 7.4 standardCarl Schwan2022-05-201-11/+3
| | | | | | | - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Add direct arg to login flowVincent Petry2022-03-281-0/+3
| | | | | Signed-off-by: Vincent Petry <vincent@nextcloud.com> Co-Authored-by: Carl Schwan <carl@carlschwan.eu>
* Check style updateCarl Schwan2022-01-131-1/+1
| | | | Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Pass username prefill through unauthenticated request redirectsJulius Härtl2021-12-291-0/+4
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add admin privilege delegation for admin settingsCarl Schwan2021-09-291-5/+42
| | | | | | | This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Update php licensesJohn Molakvoæ (skjnldsv)2021-06-0418-31/+14
| | | | Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* fix error when using CORS with no auth credentialskorelstar2021-05-181-5/+4
|
* Merge pull request #26591 from nextcloud/techdebt/noid/less-iloggerChristoph Wurst2021-04-271-6/+5
|\ | | | | Less ILogger
| * Less ILoggerJoas Schilling2021-04-271-6/+5
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Fix ratelimit templateJoas Schilling2021-04-271-14/+7
|/ | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Format code to a single space around binary operatorsChristoph Wurst2020-10-052-2/+2
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Update the license headers for Nextcloud 20Christoph Wurst2020-08-242-0/+3
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix CSJoas Schilling2020-08-191-0/+1
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Send "429 Too Many Requests" in case of brute force protectionJoas Schilling2020-08-191-1/+27
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Update SecurityMiddleware.phpHolger Hees2020-07-061-1/+1
| | | | | | OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header. in other areas OC::$WEBROOT is always used together with an /
* Update license headers for 19Christoph Wurst2020-04-295-0/+5
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Format control structures, classes, methods and functionChristoph Wurst2020-04-109-32/+28
| | | | | | | | | | | | | | | To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Unify function spacing to PSR2 recommendationChristoph Wurst2020-04-091-3/+3
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix (array) indent style to always use one tabChristoph Wurst2020-04-091-1/+1
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Remove unused importsChristoph Wurst2020-03-251-5/+0
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix loaded controller checkJoas Schilling2020-01-211-1/+1
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Update license headersChristoph Wurst2019-12-0518-21/+37
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Some php-cs fixesRoeland Jago Douma2019-11-223-7/+8
| | | | | | | | | | | * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Merge pull request #17850 from ↵Joas Schilling2019-11-201-0/+6
|\ | | | | | | | | nextcloud/bugfix/noid/mark-spreed-as-active-on-call-urls Mark "Talk" active on /call/token URLs
| * Make phan happy ;)Daniel Kesselberg2019-11-191-1/+2
| | | | | | | | Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
| * Mark "Talk" active on /call/token URLsJoas Schilling2019-11-121-0/+5
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Fixes a 500 without useridArthur Schiwon2019-11-161-5/+0
|/ | | | | | plus cleanup of unused use statements Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Add feature policy headerRoeland Jago Douma2019-08-101-0/+70
| | | | | | | This adds the events and the classes to modify the feature policy. It also adds a default restricted feature policy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Split up security middlewareRoeland Jago Douma2019-07-272-40/+80
| | | | | | | | | | With upcoming work for the feature policy header. Splitting this in smaller classes that just do 1 thing makes sense. I rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
generated by cgit v1.2.3 (git 2.39.1) at 2025-07-02 11:55:55 +0000