aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/AppFramework/Middleware/Security
Commit message (Collapse)AuthorAgeFilesLines
* fix: Use login name to check the passwordartonge/fix/use_loginname_to_check_passwordLouis Chemineau2025-04-021-1/+2
| | | | Signed-off-by: Louis Chemineau <louis@chmn.me>
* fix(l10n): Improve english source stringsJoas Schilling2025-02-261-3/+3
| | | | | | | - No leading/trailing whitespace - Use asci single quote Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlistbugfix/noid/allow-ratelimit-bypassJoas Schilling2025-01-271-0/+9
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat: Use inline password confirmation in external storage settingsLouis Chemineau2024-11-281-66/+57
| | | | Signed-off-by: Louis Chemineau <louis@chmn.me>
* fix(Middleware): log deprecation when annotation was actually usedfix/noid/deprecation-correct-caseArthur Schiwon2024-11-121-1/+1
| | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* chore(deps): Update nextcloud/coding-standard to v1.3.1provokateurin2024-09-192-3/+5
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* chore: fix typo in `SameSiteCookieMiddleware`Ferdinand Thiessen2024-08-311-4/+4
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore: Remove unused `CsrfTokenManager` from `CSPMiddleware`Ferdinand Thiessen2024-08-311-16/+7
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* style: update codestyle for coding-standard 1.2.3Daniel Kesselberg2024-08-253-4/+4
| | | | Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* perf: delay getting (sub)admin status for user in the security middleware ↵Robin Appelman2024-08-231-7/+28
| | | | | | untill we need it Signed-off-by: Robin Appelman <robin@icewind.nl>
* fix: Use `CSP_NONCE` env variable in ContentSecurity HeaderHolger Hees2024-08-131-1/+1
| | | | | | We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available. Signed-off-by: Holger Hees <holger.hees@gmail.com>
* feat(security): Add public API to allow validating IP Ranges and checking ↵Joas Schilling2024-07-191-5/+5
| | | | | | | for "in range" Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* feat(security): restrict admin actions to IP rangesBenjamin Gaussorgues2024-07-192-53/+53
| | | | Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* chore: use "app_api" session key, "app_api_system" is deprecatedAndrey Borysenko2024-07-181-2/+3
| | | | Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
* feat: allow for ExApps to call Admin endpoints marked with specific attrAlexander Piskun2024-07-181-6/+15
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* feat(Security): Warn about using annotations instead of attributesprovokateurin2024-07-183-1/+9
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* feat(AppFramework): Add ExAppRequired attributeprovokateurin2024-07-012-1/+27
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* refactor(Token): introduce scope constantsArthur Schiwon2024-06-051-1/+2
| | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* fix(Session): avoid password confirmation on SSOArthur Schiwon2024-06-051-2/+24
| | | | | | | | | | | SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* chore: Add SPDX headerAndy Scherzinger2024-05-2418-381/+46
| | | | Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* fix: add check for app_api_system session flag to bypass rate limitFlorian Klinger2024-03-181-0/+7
| | | | | Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com> Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
* feat: rename users to account or personVincent Petry2024-02-131-3/+3
| | | | | | Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com>
* chore: apply changes from Nextcloud coding standards 1.1.1Joas Schilling2023-11-235-21/+21
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* fixed Drone testAlexander Piskun2023-10-061-1/+2
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* added CORS skip if session was created by AppAPIAlexander Piskun2023-10-021-0/+4
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* feat(appframework): Expose programmatic rate limiterChristoph Wurst2023-09-201-0/+3
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25Joas Schilling2023-08-282-11/+5
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(middleware): Fix header injection for bruteforce middlewareJoas Schilling2023-08-221-5/+1
| | | | | | | Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons So shifting back to old standard practise for now Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat: Add a header which signals that the request was throttledJoas Schilling2023-08-211-4/+14
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Rewrite OCS CSRF check to be readablejld31032023-08-161-7/+15
| | | | Signed-off-by: jld3103 <jld3103yt@gmail.com>
* Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_privateRobin Appelman2023-06-011-1/+1
|\ | | | | Refactors "strpos" calls in lib/private to improve code readability.
| * Refactors "strpos" calls in lib/private to improve code readability.Faraz Samapoor2023-05-151-1/+1
| | | | | | | | Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
* | fix(middleware): Also abort the request when reaching max delay in ↵Joas Schilling2023-05-151-22/+30
|/ | | | | | afterController Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(security): Add PHP \Attribute for remaining security annotationsJoas Schilling2023-04-254-27/+132
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(ratelimit): Add Attributes support to rate limit middlewareJoas Schilling2023-04-241-41/+77
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(security)!: Use consistent HTTP status for strict cookie checksChristoph Wurst2023-04-171-0/+3
| | | | | | | Before: 503/412 Now: 412 + json body explaining the error Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add a debug message when throttling without definingJoas Schilling2023-03-081-10/+9
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute ↵Joas Schilling2023-03-081-5/+43
| | | | | | and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to ↵Ferdinand Thiessen2023-02-161-1/+1
| | | | | | prevent CSRF attack vectors Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
* composer run cs:fixCôme Chilliet2023-01-205-10/+5
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Allow CSRF on CORS routesJonas Rittershofer2022-09-211-0/+4
| | | | | | Co-authored-by: Julius Härtl <jus@bitgrid.net> Co-authored-by: Andreas Brinner <andreas@everlanes.net> Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
* Update core to PHP 7.4 standardCarl Schwan2022-05-201-11/+3
| | | | | | | - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Add direct arg to login flowVincent Petry2022-03-281-0/+3
| | | | | Signed-off-by: Vincent Petry <vincent@nextcloud.com> Co-Authored-by: Carl Schwan <carl@carlschwan.eu>
* Check style updateCarl Schwan2022-01-131-1/+1
| | | | Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Pass username prefill through unauthenticated request redirectsJulius Härtl2021-12-291-0/+4
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add admin privilege delegation for admin settingsCarl Schwan2021-09-291-5/+42
| | | | | | | This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Update php licensesJohn Molakvoæ (skjnldsv)2021-06-0418-31/+14
| | | | Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* fix error when using CORS with no auth credentialskorelstar2021-05-181-5/+4
|
* Merge pull request #26591 from nextcloud/techdebt/noid/less-iloggerChristoph Wurst2021-04-271-6/+5
|\ | | | | Less ILogger
| * Less ILoggerJoas Schilling2021-04-271-6/+5
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>