summaryrefslogtreecommitdiffstats
path: root/lib/private/AppFramework/Middleware
Commit message (Collapse)AuthorAgeFilesLines
...
* Add support for ratelimiting via annotationsLukas Reschke2017-04-131-11/+36
| | | | | | | | | | | | | This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* handle optional annotation parametersBjoern Schiessle2017-01-181-1/+1
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* introduce brute force protection for api callsBjoern Schiessle2017-01-181-1/+13
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* Allow to overwrite the message which we already do in SubadminMiddlewareJoas Schilling2016-12-081-2/+2
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Merge pull request #2066 from nextcloud/fix-redirect-double-encodingMorris Jobke2016-11-291-1/+1
|\ | | | | do not double encode the redirect url
| * do not double encode the redirect urlChristoph Wurst2016-11-091-1/+1
| | | | | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Add the 15 seconds to the window, instead of removingJoas Schilling2016-11-181-1/+1
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Introduce PasswordConfirmRequired annotationJoas Schilling2016-11-182-0/+51
|/ | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Move browserSupportsCspV3 to CSPNonceManagerRoeland Jago Douma2016-10-251-19/+8
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add support for CSP noncesLukas Reschke2016-10-241-1/+28
| | | | | | | | | | | | | | | | | CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add trict CSP to OCS responsesRoeland Jago Douma2016-09-151-0/+5
| | | | | If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.
* Split OCS version handlingRoeland Jago Douma2016-09-061-38/+47
| | | | | | This cleans up a bit the OCSController/Middleware. Since the 2 versions of OCS differ a bit. Moved a lot of stuff internal since it is of no concern to the outside.
* Extend OCSMiddlewareRoeland Jago Douma2016-08-141-2/+60
| | | | | | * Always set 401 (v1.php and v2.php) * Set proper error codes for v2.php * Proper OCS output on unhandled exceptions
* We should properly check for 'true' instaed of the boolRoeland Jago Douma2016-08-011-1/+1
|
* Dark hackery to not always disable CSRF for OCS controllersRoeland Jago Douma2016-07-291-2/+10
|
* Support subdir in the OCS v2 endpointRoeland Jago Douma2016-07-271-1/+1
| | | | | | | We should check against the ending substring since people could run their nextcloud in a subfolder. * Added test
* Set proper status code in OCS AppFramework MiddlewareRoeland Jago Douma2016-07-221-1/+6
|
* Merge pull request #507 from nextcloud/run-le-scriptMorris Jobke2016-07-2111-14/+27
|\ | | | | Update emails and license headers with latest changes
| * Fix othersJoas Schilling2016-07-2111-14/+27
| |
* | Merge pull request #480 from nextcloud/fix_ocs_response_formatLukas Reschke2016-07-211-1/+1
|\ \ | |/ |/| AppFramework default response for OCS is xml
| * AppFramework do not get default responseRoeland Jago Douma2016-07-201-1/+1
| | | | | | | | | | | | | | | | | | The OCSResponse differs from other responses in that it defaults to XML. However we fell back to json by default. This makes sure that if nothing is set we don't pass anything. Which defaults then to the controllers default (which is often 'json') but in the case of the OCSResponse 'xml'.
* | Merge pull request #479 from nextcloud/add-bruteforce-throttlerLukas Reschke2016-07-211-14/+11
|\ \ | |/ |/| Implement brute force protection
| * Implement brute force protectionLukas Reschke2016-07-201-14/+11
| | | | | | | | | | | | | | | | | | Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
* | Merge pull request #476 from nextcloud/port-same-site-cookiesLukas Reschke2016-07-202-1/+46
|\ \ | | | | | | [master] Port Same-Site Cookies to master
| * | [master] Port Same-Site Cookies to masterLukas Reschke2016-07-202-1/+46
| |/ | | | | | | Fixes https://github.com/nextcloud/server/issues/50
* / Add OCSMiddleware to catch OCS exceptionsRoeland Jago Douma2016-07-201-0/+80
|/ | | | | | | * OCSException * OCSBadRequestException * OCSForbiddenException * OCSNotFoundException
* add PasswordLoginForbiddenExceptionChristoph Wurst2016-06-171-2/+7
|
* create session token on all APIsChristoph Wurst2016-06-131-1/+1
|
* use client login method on CORS routesChristoph Wurst2016-06-081-6/+6
|
* Update license headersLukas Reschke2016-05-268-8/+16
|
* Fix inconsistent nameing of AppFrameworkRoeland Jago Douma2016-04-225-12/+12
|
* Move \OC\AppFramework to PSR-4Roeland Jago Douma2016-04-229-0/+797
* Also moved the autoloader setup a bit up since we need it in initpaths
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-23 21:13:01 +0000