path: root/lib/private/AppFramework/Middleware
Commit log. Each entry: * Commit message (Author, Age, Files, Lines), followed by the commit body. Entries indented one level are the branch commits brought in by the merge listed directly above them.

* feat: rename users to account or person (Vincent Petry, 2024-02-13, files: 1, lines: -3/+3)
    Replace translated text in most locations
    Signed-off-by: Vincent Petry <vincent@nextcloud.com>

* techdebt(Middleware): Add more specific array types so it's clickable in IDEs (Joas Schilling, 2023-11-30, files: 1, lines: -6/+6)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* chore: apply changes from Nextcloud coding standards 1.1.1 (Joas Schilling, 2023-11-23, files: 6, lines: -22/+22)
    Signed-off-by: Joas Schilling <coding@schilljs.com>
    Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* fixed Drone test (Alexander Piskun, 2023-10-06, files: 1, lines: -1/+2)
    Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

* added CORS skip if session was created by AppAPI (Alexander Piskun, 2023-10-02, files: 1, lines: -0/+4)
    Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

* feat(appframework): Expose programmatic rate limiter (Christoph Wurst, 2023-09-20, files: 1, lines: -0/+3)
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 (Joas Schilling, 2023-08-28, files: 3, lines: -14/+8)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(middleware): Fix header injection for bruteforce middleware (Joas Schilling, 2023-08-22, files: 1, lines: -5/+1)
    Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons
    So shifting back to old standard practise for now
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat: Add a header which signals that the request was throttled (Joas Schilling, 2023-08-21, files: 1, lines: -4/+14)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* add separate event for rendering login page template (Robin Appelman, 2023-08-17, files: 1, lines: -2/+8)
    Signed-off-by: Robin Appelman <robin@icewind.nl>

* Rewrite OCS CSRF check to be readable (jld3103, 2023-08-16, files: 1, lines: -7/+15)
    Signed-off-by: jld3103 <jld3103yt@gmail.com>

* fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts (Joas Schilling, 2023-07-27, files: 1, lines: -30/+5)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private (Robin Appelman, 2023-06-01, files: 2, lines: -2/+2)
    Refactors "strpos" calls in lib/private to improve code readability.

    * Refactors "strpos" calls in lib/private to improve code readability. (Faraz Samapoor, 2023-05-15, files: 2, lines: -2/+2)
        Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>

* fix(middleware): Also abort the request when reaching max delay in afterController (Joas Schilling, 2023-05-15, files: 1, lines: -22/+30)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(security): Add PHP \Attribute for remaining security annotations (Joas Schilling, 2023-04-25, files: 4, lines: -27/+132)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(ratelimit): Add Attributes support to rate limit middleware (Joas Schilling, 2023-04-24, files: 1, lines: -41/+77)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(security)!: Use consistent HTTP status for strict cookie checks (Christoph Wurst, 2023-04-17, files: 1, lines: -0/+3)
    Before: 503/412
    Now: 412 + json body explaining the error
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Add a debug message when throttling without defining (Joas Schilling, 2023-03-08, files: 1, lines: -10/+9)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple (Joas Schilling, 2023-03-08, files: 1, lines: -5/+43)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors (Ferdinand Thiessen, 2023-02-16, files: 1, lines: -1/+1)
    Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>

* feat(app-framework): Add UseSession attribute to replace annotation (Christoph Wurst, 2023-01-27, files: 1, lines: -4/+30)
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* composer run cs:fix (Côme Chilliet, 2023-01-20, files: 10, lines: -15/+5)
    Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

* use bruteforce protection on all methods wrapped by PublicShareMiddleware (Julien Veyssier, 2022-12-07, files: 1, lines: -1/+21)
    if an invalid token is provided or when share password is wrong
    Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

* Allow CSRF on CORS routes (Jonas Rittershofer, 2022-09-21, files: 1, lines: -0/+4)
    Co-authored-by: Julius Härtl <jus@bitgrid.net>
    Co-authored-by: Andreas Brinner <andreas@everlanes.net>
    Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>

* Reopen sessions if we need to write to them instead of keeping them open (Julius Härtl, 2022-08-17, files: 1, lines: -2/+2)
    Sessions are a locking operation until we write close them, so close them early and reopen later in case we want to write to them
    Signed-off-by: Julius Härtl <jus@bitgrid.net>

* Fix typos in lib/private subdirectory (luz paz, 2022-07-27, files: 1, lines: -1/+1)
    Found via `codespell -q 3 -S l10n -L jus ./lib/private`
    Signed-off-by: luz paz <luzpaz@github.com>

* Update core to PHP 7.4 standard (Carl Schwan, 2022-05-20, files: 1, lines: -11/+3)
    - Typed properties
    - Port to LoggerInterface
    Signed-off-by: Carl Schwan <carl@carlschwan.eu>

* Add direct arg to login flow (Vincent Petry, 2022-03-28, files: 1, lines: -0/+3)
    Signed-off-by: Vincent Petry <vincent@nextcloud.com>
    Co-Authored-by: Carl Schwan <carl@carlschwan.eu>

* Check style update (Carl Schwan, 2022-01-13, files: 1, lines: -1/+1)
    Signed-off-by: Carl Schwan <carl@carlschwan.eu>

* Pass username prefill through unauthenticated request redirects (Julius Härtl, 2021-12-29, files: 1, lines: -0/+4)
    Signed-off-by: Julius Härtl <jus@bitgrid.net>

* Add admin privilege delegation for admin settings (Carl Schwan, 2021-09-29, files: 1, lines: -5/+42)
    This makes it possible for selected groups to access some settings pages.
    Signed-off-by: Carl Schwan <carl@carlschwan.eu>

* Move DateTime::RFC2822 to DateTimeInterface::2822 (Christoph Wurst, 2021-06-23, files: 1, lines: -1/+1)
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Update php licenses (John Molakvoæ (skjnldsv), 2021-06-04, files: 26, lines: -46/+24)
    Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>

* fix error when using CORS with no auth credentials (korelstar, 2021-05-18, files: 1, lines: -5/+4)

* Fix unauthorized OCS status in provisioning (Joas Schilling, 2021-05-12, files: 1, lines: -2/+10)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Merge pull request #26591 from nextcloud/techdebt/noid/less-ilogger (Christoph Wurst, 2021-04-27, files: 1, lines: -6/+5)
    Less ILogger

    * Less ILogger (Joas Schilling, 2021-04-27, files: 1, lines: -6/+5)
        Signed-off-by: Joas Schilling <coding@schilljs.com>

* Fix ratelimit template (Joas Schilling, 2021-04-27, files: 1, lines: -14/+7)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Remove deprecated \OCP\API (Roeland Jago Douma, 2021-03-03, files: 1, lines: -3/+2)
    Time to remove this for good now.
    Remaining constant moved over
    The world is a tiny bit better
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

* Format code to a single space around binary operators (Christoph Wurst, 2020-10-05, files: 3, lines: -5/+5)
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Add actual response to BeforeTemplateRenderedEvent (Julius Härtl, 2020-09-24, files: 1, lines: -1/+1)
    Signed-off-by: Julius Härtl <jus@bitgrid.net>

* Update the license headers for Nextcloud 20 (Christoph Wurst, 2020-08-24, files: 5, lines: -2/+9)
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Fix CS (Joas Schilling, 2020-08-19, files: 1, lines: -0/+1)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Send "429 Too Many Requests" in case of brute force protection (Joas Schilling, 2020-08-19, files: 1, lines: -1/+27)
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Move NotFoundResponse to a proper TemplateResponse (Julius Härtl, 2020-07-24, files: 1, lines: -9/+8)
    Signed-off-by: Julius Härtl <jus@bitgrid.net>

* Add real events to load additionalscripts (Roeland Jago Douma, 2020-07-15, files: 1, lines: -5/+15)
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

* Update SecurityMiddleware.php (Holger Hees, 2020-07-06, files: 1, lines: -1/+1)
    OC::$WEBROOT can be empty in case your Nextcloud installation has no URL prefix. This will result in an empty Location header. In other areas OC::$WEBROOT is always used together with a /

* Allow TemplateResponse to be compressed (Morris Jobke, 2020-05-15, files: 1, lines: -0/+4)
    Signed-off-by: Morris Jobke <hey@morrisjobke.de>

* Move the notmodified check to middleware where it belongs (Roeland Jago Douma, 2020-05-13, files: 1, lines: -0/+56)
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>