path: root/lib/private/AppFramework/Middleware
Log entries, newest first. Each entry: commit message [branch, where the commit is a branch head] (author, date, files changed, lines removed/added), followed by the commit body and sign-offs. Commits merged through a pull request are listed indented under the merge commit.

* fix: Use login name to check the password [artonge/fix/use_loginname_to_check_password] (Louis Chemineau, 2025-04-02, 1 file, -1/+2)
  Signed-off-by: Louis Chemineau <louis@chmn.me>

* fix(auth): Allow 2FA challenges for Ephemeral sessions [bugfix/ios-3365/allow-2fa-for-ephemeral-sessions] (Joas Schilling, 2025-03-18, 1 file, -0/+5)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(login): Properly target public page with attribute [artonge/fix/publicpage_attribute] (Louis Chemineau, 2025-03-05, 1 file, -1/+2)
  Signed-off-by: Louis Chemineau <louis@chmn.me>

* fix(login): Also check legacy annotation for ephemeral sessions (Louis Chemineau, 2025-02-27, 1 file, -0/+6)
  Signed-off-by: Louis Chemineau <louis@chmn.me>

* Merge pull request #51051 from nextcloud/artonge/fix/login_flow_v2_sessions_2 (Louis, 2025-02-27, 1 file, -0/+46)
  feat: Close sessions created for login flow v2

  * feat: Close sessions created for login flow v2 [artonge/fix/login_flow_v2_sessions_2] (Louis Chemineau, 2025-02-26, 1 file, -0/+46)
    Sessions created during the login flow v2 should be short lived to not leave an unexpected open session in the browser. This commit adds a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non-public page request.
    Signed-off-by: Louis Chemineau <louis@chmn.me>

* fix(l10n): Improve English source strings (Joas Schilling, 2025-02-26, 1 file, -3/+3)
  - No leading/trailing whitespace
  - Use ASCII single quote
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlist [bugfix/noid/allow-ratelimit-bypass] (Joas Schilling, 2025-01-27, 1 file, -0/+9)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat: Use inline password confirmation in external storage settings (Louis Chemineau, 2024-11-28, 1 file, -66/+57)
  Signed-off-by: Louis Chemineau <louis@chmn.me>

* fix(Middleware): log deprecation when annotation was actually used [fix/noid/deprecation-correct-case] (Arthur Schiwon, 2024-11-12, 1 file, -1/+1)
  Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

* chore(deps): Update nextcloud/coding-standard to v1.3.1 (provokateurin, 2024-09-19, 3 files, -4/+6)
  Signed-off-by: provokateurin <kate@provokateurin.de>

* chore: fix typo in `SameSiteCookieMiddleware` (Ferdinand Thiessen, 2024-08-31, 1 file, -4/+4)
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* chore: Remove unused `CsrfTokenManager` from `CSPMiddleware` (Ferdinand Thiessen, 2024-08-31, 1 file, -16/+7)
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* style: update codestyle for coding-standard 1.2.3 (Daniel Kesselberg, 2024-08-25, 4 files, -8/+8)
  Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>

* perf: delay getting (sub)admin status for user in the security middleware until we need it (Robin Appelman, 2024-08-23, 1 file, -7/+28)
  Signed-off-by: Robin Appelman <robin@icewind.nl>

* fix: Use `CSP_NONCE` env variable in ContentSecurity Header (Holger Hees, 2024-08-13, 1 file, -1/+1)
  We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CSP_NONCE environment variable if available.
  Signed-off-by: Holger Hees <holger.hees@gmail.com>

* fix(files_sharing): show proper share not found error message (skjnldsv, 2024-08-06, 1 file, -18/+12)
  Signed-off-by: skjnldsv <skjnldsv@protonmail.com>

* feat(security): Add public API to allow validating IP Ranges and checking for "in range" (Joas Schilling, 2024-07-19, 1 file, -5/+5)
  Signed-off-by: Joas Schilling <coding@schilljs.com>
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* feat(security): restrict admin actions to IP ranges (Benjamin Gaussorgues, 2024-07-19, 2 files, -53/+53)
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* chore: use "app_api" session key, "app_api_system" is deprecated (Andrey Borysenko, 2024-07-18, 1 file, -2/+3)
  Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>

* feat: allow for ExApps to call Admin endpoints marked with specific attr (Alexander Piskun, 2024-07-18, 1 file, -6/+15)
  Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

* feat(Security): Warn about using annotations instead of attributes (provokateurin, 2024-07-18, 3 files, -1/+9)
  Signed-off-by: provokateurin <kate@provokateurin.de>

* feat(AppFramework): Add ExAppRequired attribute (provokateurin, 2024-07-01, 2 files, -1/+27)
  Signed-off-by: provokateurin <kate@provokateurin.de>

* refactor(Token): introduce scope constants (Arthur Schiwon, 2024-06-05, 1 file, -1/+2)
  Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

* fix(Session): avoid password confirmation on SSO (Arthur Schiwon, 2024-06-05, 1 file, -2/+24)
  SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends were used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated.
  Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

* chore: Add SPDX header (Andy Scherzinger, 2024-05-24, 26 files, -552/+64)
  Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>

* fix: add check for app_api_system session flag to bypass rate limit (Florian Klinger, 2024-03-18, 1 file, -0/+7)
  Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com>
  Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>

* feat: rename users to account or person (Vincent Petry, 2024-02-13, 1 file, -3/+3)
  Replace translated text in most locations
  Signed-off-by: Vincent Petry <vincent@nextcloud.com>

* techdebt(Middleware): Add more specific array types so it's clickable in IDEs (Joas Schilling, 2023-11-30, 1 file, -6/+6)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* chore: apply changes from Nextcloud coding standards 1.1.1 (Joas Schilling, 2023-11-23, 6 files, -22/+22)
  Signed-off-by: Joas Schilling <coding@schilljs.com>
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* fixed Drone test (Alexander Piskun, 2023-10-06, 1 file, -1/+2)
  Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

* added CORS skip if session was created by AppAPI (Alexander Piskun, 2023-10-02, 1 file, -0/+4)
  Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

* feat(appframework): Expose programmatic rate limiter (Christoph Wurst, 2023-09-20, 1 file, -0/+3)
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 (Joas Schilling, 2023-08-28, 3 files, -14/+8)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(middleware): Fix header injection for bruteforce middleware (Joas Schilling, 2023-08-22, 1 file, -5/+1)
  Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons. So shifting back to old standard practice for now.
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat: Add a header which signals that the request was throttled (Joas Schilling, 2023-08-21, 1 file, -4/+14)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* add separate event for rendering login page template (Robin Appelman, 2023-08-17, 1 file, -2/+8)
  Signed-off-by: Robin Appelman <robin@icewind.nl>

* Rewrite OCS CSRF check to be readable (jld3103, 2023-08-16, 1 file, -7/+15)
  Signed-off-by: jld3103 <jld3103yt@gmail.com>

* fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts (Joas Schilling, 2023-07-27, 1 file, -30/+5)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private (Robin Appelman, 2023-06-01, 2 files, -2/+2)
  Refactors "strpos" calls in lib/private to improve code readability.

  * Refactors "strpos" calls in lib/private to improve code readability. (Faraz Samapoor, 2023-05-15, 2 files, -2/+2)
    Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>

* fix(middleware): Also abort the request when reaching max delay in afterController (Joas Schilling, 2023-05-15, 1 file, -22/+30)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(security): Add PHP \Attribute for remaining security annotations (Joas Schilling, 2023-04-25, 4 files, -27/+132)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(ratelimit): Add Attributes support to rate limit middleware (Joas Schilling, 2023-04-24, 1 file, -41/+77)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(security)!: Use consistent HTTP status for strict cookie checks (Christoph Wurst, 2023-04-17, 1 file, -0/+3)
  Before: 503/412
  Now: 412 + json body explaining the error
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Add a debug message when throttling without defining (Joas Schilling, 2023-03-08, 1 file, -10/+9)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple (Joas Schilling, 2023-03-08, 1 file, -5/+43)
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors (Ferdinand Thiessen, 2023-02-16, 1 file, -1/+1)
  Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>

* feat(app-framework): Add UseSession attribute to replace annotation (Christoph Wurst, 2023-01-27, 1 file, -4/+30)
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* composer run cs:fix (Côme Chilliet, 2023-01-20, 10 files, -15/+5)
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>