aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/AppFramework/Middleware
Commit message (Collapse)AuthorAgeFilesLines
...
* | Do not do redirect handling when loggin outRoeland Jago Douma2019-02-062-0/+97
|/ | | | | | | | | | | | | Fixes #12568 Since the clearing of the execution context causes another reload. We should not do the redirect_uri handling as this results in redirecting back to the logout page on login. This adds a simple middleware that will just check if the ClearExecutionContext session variable is set. If that is the case it will just redirect back to the login page. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Emit to load additionalscriptsRoeland Jago Douma2019-01-311-0/+56
| | | | | | | | | | | | | Fixes #13662 This will fire of an event after a Template Response has been returned. There is an event for the generic loading and one when logged in. So apps can chose to load only on loged in pages. This is a more generic approach than the files app event. As some things we might want to load on other pages as well besides the files app. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update password confirmation middlewareRoeland Jago Douma2018-11-021-0/+8
| | | | | | | If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* add global site selector as user back-end which doesn't support password ↵Bjoern Schiessle2018-10-271-1/+3
| | | | | | confirmation Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* Do not use file as template parameterRoeland Jago Douma2018-08-091-1/+1
| | | | | | | | Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add PublicShareMiddlewareTestRoeland Jago Douma2018-06-201-1/+1
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Don't allow public share pages if link sharing is disabledRoeland Jago Douma2018-06-201-1/+27
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Move public preview endpoint overRoeland Jago Douma2018-06-201-1/+2
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add the new PublicShareController and PublicShareMiddlewareRoeland Jago Douma2018-06-202-0/+92
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* move log constants to ILoggerArthur Schiwon2018-04-261-1/+1
| | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Add testsRoeland Jago Douma2018-03-081-18/+8
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make SecurityMiddleware strictRoeland Jago Douma2018-03-081-10/+9
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Do not throw AppNotEnabledException for app public pages - refs #6962, refs ↵Julien Veyssier2018-02-281-1/+2
| | | | | | | | #5309 It allows non-logged user to access public pages of applications restricted to a group Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
* Provide translated error message for permission errorMorris Jobke2018-02-262-3/+10
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Fix testsRoeland Jago Douma2018-02-211-1/+1
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make the middlewareDispatcher strictRoeland Jago Douma2018-02-211-9/+10
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove unused import statementsMorris Jobke2018-02-142-2/+0
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Don't perform CSRF check on OCS routes with Bearer authRoeland Jago Douma2018-01-291-2/+8
| | | | | | Fixes #5694 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Use $var[] = $a instead of array_push - 2x fasterMorris Jobke2018-01-251-1/+1
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Properly log the full exception instead of only the messageMorris Jobke2018-01-231-1/+4
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Move passwordconfirmation to its own midlewareRoeland Jago Douma2018-01-022-28/+82
| | | | | | Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* disable password confirmation with SSOBjoern Schiessle2018-01-021-2/+16
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* Update license headersMorris Jobke2017-11-068-3/+15
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Use proper DI for security middleware for app enabled checkMorris Jobke2017-10-241-2/+8
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Handle SameSiteCookie check for index.php in AppFramework MiddlewareRoeland Jago Douma2017-09-242-0/+144
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove explicit type hints for ControllerLukas Reschke2017-08-016-15/+15
| | | | | | This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Merge pull request #5907 from nextcloud/add-metadata-to-throttle-callMorris Jobke2017-08-011-1/+1
|\ | | | | Add metadata to \OCP\AppFramework\Http\Response::throttle
| * Add metadata to \OCP\AppFramework\Http\Response::throttleLukas Reschke2017-07-271-1/+1
| | | | | | | | | | | | Fixes https://github.com/nextcloud/server/issues/5891 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* | Fix middleware implementations signaturesRoeland Jago Douma2017-07-316-23/+26
|/ | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Check whether the $_SERVER['REQUEST_*'] vars exist before using themJoas Schilling2017-05-151-6/+5
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Remove unused use statementsMorris Jobke2017-04-221-1/+0
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Make BruteForceProtection annotation more cleverLukas Reschke2017-04-132-14/+84
| | | | | | | | This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Move to dedicated MiddleWareLukas Reschke2017-04-132-35/+144
| | | | Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add support for ratelimiting via annotationsLukas Reschke2017-04-131-11/+36
| | | | | | | | | | | | | This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* handle optional annotation parametersBjoern Schiessle2017-01-181-1/+1
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* introduce brute force protection for api callsBjoern Schiessle2017-01-181-1/+13
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* Allow to overwrite the message which we already do in SubadminMiddlewareJoas Schilling2016-12-081-2/+2
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Merge pull request #2066 from nextcloud/fix-redirect-double-encodingMorris Jobke2016-11-291-1/+1
|\ | | | | do not double encode the redirect url
| * do not double encode the redirect urlChristoph Wurst2016-11-091-1/+1
| | | | | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Add the 15 seconds to the window, instead of removingJoas Schilling2016-11-181-1/+1
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Introduce PasswordConfirmRequired annotationJoas Schilling2016-11-182-0/+51
|/ | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Move browserSupportsCspV3 to CSPNonceManagerRoeland Jago Douma2016-10-251-19/+8
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add support for CSP noncesLukas Reschke2016-10-241-1/+28
| | | | | | | | | | | | | | | | | CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add trict CSP to OCS responsesRoeland Jago Douma2016-09-151-0/+5
| | | | | If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.
* Split OCS version handlingRoeland Jago Douma2016-09-061-38/+47
| | | | | | This cleans up a bit the OCSController/Middleware. Since the 2 versions of OCS differ a bit. Moved a lot of stuff internal since it is of no concern to the outside.
* Extend OCSMiddlewareRoeland Jago Douma2016-08-141-2/+60
| | | | | | * Always set 401 (v1.php and v2.php) * Set proper error codes for v2.php * Proper OCS output on unhandled exceptions
* We should properly check for 'true' instaed of the boolRoeland Jago Douma2016-08-011-1/+1
|
* Dark hackery to not always disable CSRF for OCS controllersRoeland Jago Douma2016-07-291-2/+10
|
* Support subdir in the OCS v2 endpointRoeland Jago Douma2016-07-271-1/+1
| | | | | | | We should check against the ending substring since people could run their nextcloud in a subfolder. * Added test
* Set proper status code in OCS AppFramework MiddlewareRoeland Jago Douma2016-07-221-1/+6
|
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-07 10:31:18 +0000