Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | fix: Use login name to check the passwordartonge/fix/use_loginname_to_check_password | Louis Chemineau | 2025-04-02 | 1 | -1/+2 |
| | | | | Signed-off-by: Louis Chemineau <louis@chmn.me> | ||||
* | fix(l10n): Improve english source strings | Joas Schilling | 2025-02-26 | 1 | -3/+3 |
| | | | | | | | - No leading/trailing whitespace - Use asci single quote Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlistbugfix/noid/allow-ratelimit-bypass | Joas Schilling | 2025-01-27 | 1 | -0/+9 |
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | feat: Use inline password confirmation in external storage settings | Louis Chemineau | 2024-11-28 | 1 | -66/+57 |
| | | | | Signed-off-by: Louis Chemineau <louis@chmn.me> | ||||
* | fix(Middleware): log deprecation when annotation was actually usedfix/noid/deprecation-correct-case | Arthur Schiwon | 2024-11-12 | 1 | -1/+1 |
| | | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> | ||||
* | chore(deps): Update nextcloud/coding-standard to v1.3.1 | provokateurin | 2024-09-19 | 2 | -3/+5 |
| | | | | Signed-off-by: provokateurin <kate@provokateurin.de> | ||||
* | chore: fix typo in `SameSiteCookieMiddleware` | Ferdinand Thiessen | 2024-08-31 | 1 | -4/+4 |
| | | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> | ||||
* | chore: Remove unused `CsrfTokenManager` from `CSPMiddleware` | Ferdinand Thiessen | 2024-08-31 | 1 | -16/+7 |
| | | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> | ||||
* | style: update codestyle for coding-standard 1.2.3 | Daniel Kesselberg | 2024-08-25 | 3 | -4/+4 |
| | | | | Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> | ||||
* | perf: delay getting (sub)admin status for user in the security middleware ↵ | Robin Appelman | 2024-08-23 | 1 | -7/+28 |
| | | | | | | untill we need it Signed-off-by: Robin Appelman <robin@icewind.nl> | ||||
* | fix: Use `CSP_NONCE` env variable in ContentSecurity Header | Holger Hees | 2024-08-13 | 1 | -1/+1 |
| | | | | | | We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available. Signed-off-by: Holger Hees <holger.hees@gmail.com> | ||||
* | feat(security): Add public API to allow validating IP Ranges and checking ↵ | Joas Schilling | 2024-07-19 | 1 | -5/+5 |
| | | | | | | | for "in range" Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> | ||||
* | feat(security): restrict admin actions to IP ranges | Benjamin Gaussorgues | 2024-07-19 | 2 | -53/+53 |
| | | | | Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> | ||||
* | chore: use "app_api" session key, "app_api_system" is deprecated | Andrey Borysenko | 2024-07-18 | 1 | -2/+3 |
| | | | | Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com> | ||||
* | feat: allow for ExApps to call Admin endpoints marked with specific attr | Alexander Piskun | 2024-07-18 | 1 | -6/+15 |
| | | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com> | ||||
* | feat(Security): Warn about using annotations instead of attributes | provokateurin | 2024-07-18 | 3 | -1/+9 |
| | | | | Signed-off-by: provokateurin <kate@provokateurin.de> | ||||
* | feat(AppFramework): Add ExAppRequired attribute | provokateurin | 2024-07-01 | 2 | -1/+27 |
| | | | | Signed-off-by: provokateurin <kate@provokateurin.de> | ||||
* | refactor(Token): introduce scope constants | Arthur Schiwon | 2024-06-05 | 1 | -1/+2 |
| | | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> | ||||
* | fix(Session): avoid password confirmation on SSO | Arthur Schiwon | 2024-06-05 | 1 | -2/+24 |
| | | | | | | | | | | | SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> | ||||
* | chore: Add SPDX header | Andy Scherzinger | 2024-05-24 | 18 | -381/+46 |
| | | | | Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> | ||||
* | fix: add check for app_api_system session flag to bypass rate limit | Florian Klinger | 2024-03-18 | 1 | -0/+7 |
| | | | | | Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com> Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com> | ||||
* | feat: rename users to account or person | Vincent Petry | 2024-02-13 | 1 | -3/+3 |
| | | | | | | Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com> | ||||
* | chore: apply changes from Nextcloud coding standards 1.1.1 | Joas Schilling | 2023-11-23 | 5 | -21/+21 |
| | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> | ||||
* | fixed Drone test | Alexander Piskun | 2023-10-06 | 1 | -1/+2 |
| | | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com> | ||||
* | added CORS skip if session was created by AppAPI | Alexander Piskun | 2023-10-02 | 1 | -0/+4 |
| | | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com> | ||||
* | feat(appframework): Expose programmatic rate limiter | Christoph Wurst | 2023-09-20 | 1 | -0/+3 |
| | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> | ||||
* | techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 | Joas Schilling | 2023-08-28 | 2 | -11/+5 |
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | fix(middleware): Fix header injection for bruteforce middleware | Joas Schilling | 2023-08-22 | 1 | -5/+1 |
| | | | | | | | Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons So shifting back to old standard practise for now Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | feat: Add a header which signals that the request was throttled | Joas Schilling | 2023-08-21 | 1 | -4/+14 |
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | Rewrite OCS CSRF check to be readable | jld3103 | 2023-08-16 | 1 | -7/+15 |
| | | | | Signed-off-by: jld3103 <jld3103yt@gmail.com> | ||||
* | Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private | Robin Appelman | 2023-06-01 | 1 | -1/+1 |
|\ | | | | | Refactors "strpos" calls in lib/private to improve code readability. | ||||
| * | Refactors "strpos" calls in lib/private to improve code readability. | Faraz Samapoor | 2023-05-15 | 1 | -1/+1 |
| | | | | | | | | Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com> | ||||
* | | fix(middleware): Also abort the request when reaching max delay in ↵ | Joas Schilling | 2023-05-15 | 1 | -22/+30 |
|/ | | | | | | afterController Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | feat(security): Add PHP \Attribute for remaining security annotations | Joas Schilling | 2023-04-25 | 4 | -27/+132 |
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | feat(ratelimit): Add Attributes support to rate limit middleware | Joas Schilling | 2023-04-24 | 1 | -41/+77 |
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | fix(security)!: Use consistent HTTP status for strict cookie checks | Christoph Wurst | 2023-04-17 | 1 | -0/+3 |
| | | | | | | | Before: 503/412 Now: 412 + json body explaining the error Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> | ||||
* | Add a debug message when throttling without defining | Joas Schilling | 2023-03-08 | 1 | -10/+9 |
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute ↵ | Joas Schilling | 2023-03-08 | 1 | -5/+43 |
| | | | | | | and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com> | ||||
* | fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to ↵ | Ferdinand Thiessen | 2023-02-16 | 1 | -1/+1 |
| | | | | | | prevent CSRF attack vectors Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de> | ||||
* | composer run cs:fix | Côme Chilliet | 2023-01-20 | 5 | -10/+5 |
| | | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> | ||||
* | Allow CSRF on CORS routes | Jonas Rittershofer | 2022-09-21 | 1 | -0/+4 |
| | | | | | | Co-authored-by: Julius Härtl <jus@bitgrid.net> Co-authored-by: Andreas Brinner <andreas@everlanes.net> Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com> | ||||
* | Update core to PHP 7.4 standard | Carl Schwan | 2022-05-20 | 1 | -11/+3 |
| | | | | | | | - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu> | ||||
* | Add direct arg to login flow | Vincent Petry | 2022-03-28 | 1 | -0/+3 |
| | | | | | Signed-off-by: Vincent Petry <vincent@nextcloud.com> Co-Authored-by: Carl Schwan <carl@carlschwan.eu> | ||||
* | Check style update | Carl Schwan | 2022-01-13 | 1 | -1/+1 |
| | | | | Signed-off-by: Carl Schwan <carl@carlschwan.eu> | ||||
* | Pass username prefill through unauthenticated request redirects | Julius Härtl | 2021-12-29 | 1 | -0/+4 |
| | | | | Signed-off-by: Julius Härtl <jus@bitgrid.net> | ||||
* | Add admin privilege delegation for admin settings | Carl Schwan | 2021-09-29 | 1 | -5/+42 |
| | | | | | | | This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu> | ||||
* | Update php licenses | John Molakvoæ (skjnldsv) | 2021-06-04 | 18 | -31/+14 |
| | | | | Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> | ||||
* | fix error when using CORS with no auth credentials | korelstar | 2021-05-18 | 1 | -5/+4 |
| | |||||
* | Merge pull request #26591 from nextcloud/techdebt/noid/less-ilogger | Christoph Wurst | 2021-04-27 | 1 | -6/+5 |
|\ | | | | | Less ILogger | ||||
| * | Less ILogger | Joas Schilling | 2021-04-27 | 1 | -6/+5 |
| | | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> |