path: root/lib/private/AppFramework
Commit message | Author | Age | Files | Lines
* docs(dispatcher): Correct described return values [jtr-docs-dispatcher-return] | Josh | 4 days | 1 | -3/+5
|   Signed-off-by: Josh <josh.t.richards@gmail.com>
* fix: Remove support for app.php loading | Côme Chilliet | 13 days | 1 | -2/+2
|   It has been deprecated for a long time, and the last known active application to use it (user_saml) is now migrated to the modern API. Presence of the file is still checked in order to log an error. This behavior may be removed as well in a few versions.
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Use login name to check the password [artonge/fix/use_loginname_to_check_password] | Louis Chemineau | 2025-04-02 | 1 | -1/+2
|   Signed-off-by: Louis Chemineau <louis@chmn.me>
* fix: Move getAppInstalledVersions to AppConfig so that it can be used earlier [fix/add-getappversions-replacement] | Côme Chilliet | 2025-03-25 | 1 | -0/+9
|   Call it from OC_App to make sure there is only one request to DB.
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix(auth): Allow 2FA challenges for Ephemeral sessions [bugfix/ios-3365/allow-2fa-for-ephemeral-sessions] | Joas Schilling | 2025-03-18 | 1 | -0/+5
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(login): Properly target public page with attribute [artonge/fix/publicpage_attribute] | Louis Chemineau | 2025-03-05 | 1 | -1/+2
|   Signed-off-by: Louis Chemineau <louis@chmn.me>
* Merge pull request #51116 from nextcloud/enh/noid/nullable-range | Arthur Schiwon | 2025-03-04 | 1 | -1/+1
|\    feat(AppFramework): extend range check to optional parameters
| * feat(AppFramework): extend range check to optional parameters [enh/noid/nullable-range] | Arthur Schiwon | 2025-02-27 | 1 | -1/+1
| |   Now it also applies when a parameter is documented with a pending |null, but no further unionation is considered.
| |   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* | fix(login): Also check legacy annotation for ephemeral sessions | Louis Chemineau | 2025-02-27 | 2 | -6/+7
|/    Signed-off-by: Louis Chemineau <louis@chmn.me>
* Merge pull request #51051 from nextcloud/artonge/fix/login_flow_v2_sessions_2 | Louis | 2025-02-27 | 2 | -1/+53
|\    feat: Close sessions created for login flow v2
| * feat: Close sessions created for login flow v2 [artonge/fix/login_flow_v2_sessions_2] | Louis Chemineau | 2025-02-26 | 2 | -1/+53
| |   Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit adds a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request.
| |   Signed-off-by: Louis Chemineau <louis@chmn.me>
* | fix(l10n): Improve English source strings | Joas Schilling | 2025-02-26 | 1 | -3/+3
|/    - No leading/trailing whitespace
|     - Use ASCII single quote
|     Signed-off-by: Joas Schilling <coding@schilljs.com>
* chore: Add missing star in phpdoc comment [fix/fix-psalm-taint-errors] | Côme Chilliet | 2025-02-17 | 1 | -1/+1
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Correctly tag json encoding in BaseResponse to fix false-positive | Côme Chilliet | 2025-02-17 | 1 | -1/+9
|   …in psalm taint analysis
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlist [bugfix/noid/allow-ratelimit-bypass] | Joas Schilling | 2025-01-27 | 2 | -9/+10
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(api): File conversion API | Elizabeth Danzberger | 2025-01-15 | 1 | -0/+25
|   Signed-off-by: Elizabeth Danzberger <lizzy7128@tutanota.de>
* feat(lexicon): configurable default value | Maxence Lange | 2025-01-14 | 1 | -1/+2
|   Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
* fix(Http): Only allow valid HTTP status code values via template [fix/http/template-valid-status-codes] | provokateurin | 2025-01-07 | 3 | -8/+8
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* feat(config): implementation of lexicon | Maxence Lange | 2024-12-13 | 1 | -0/+34
|   Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
* Merge pull request #49515 from nextcloud/bugfix/noid/boolean-false-in-multipart-form-data | Joas Schilling | 2024-11-28 | 1 | -10/+2
|\    fix(controller): Fix false booleans in multipart/form-data
| * fix(controller): Fix false booleans in multipart/form-data | Joas Schilling | 2024-11-28 | 1 | -10/+2
| |   Signed-off-by: Joas Schilling <coding@schilljs.com>
* | feat: Use inline password confirmation in external storage settings | Louis Chemineau | 2024-11-28 | 2 | -66/+60
|/    Signed-off-by: Louis Chemineau <louis@chmn.me>
* feat(Dispatcher): Add debug log for controller methods returning raw data not wrapped in Response [feat/dispatcher/log-raw-response-data] | provokateurin | 2024-11-15 | 1 | -0/+4
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* chore(profile): move profile app from core to apps | skjnldsv | 2024-11-14 | 2 | -0/+2
|   Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
* fix(Middleware): log deprecation when annotation was actually used [fix/noid/deprecation-correct-case] | Arthur Schiwon | 2024-11-12 | 1 | -1/+1
|   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* chore: Add proper deprecation dates where missing | Ferdinand Thiessen | 2024-09-20 | 1 | -5/+5
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore(deps): Update nextcloud/coding-standard to v1.3.1 | provokateurin | 2024-09-19 | 5 | -11/+13
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* chore!: Remove `OC\AppFramework\Logger` | Ferdinand Thiessen | 2024-09-19 | 2 | -112/+0
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix(BaseResponse): Cast XML element values to string [fix/baseresponse/xml-element-value-string-cast] | provokateurin | 2024-09-15 | 1 | -1/+3
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* chore: fix typo in `SameSiteCookieMiddleware` | Ferdinand Thiessen | 2024-08-31 | 1 | -4/+4
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore: Remove unused `CsrfTokenManager` from `CSPMiddleware` | Ferdinand Thiessen | 2024-08-31 | 2 | -17/+7
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* style: update codestyle for coding-standard 1.2.3 | Daniel Kesselberg | 2024-08-25 | 10 | -34/+34
|   Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* perf: delay getting (sub)admin status for user in the security middleware until we need it | Robin Appelman | 2024-08-23 | 2 | -9/+31
|   Signed-off-by: Robin Appelman <robin@icewind.nl>
* fix: Support Safari mobile | Ferdinand Thiessen | 2024-08-21 | 1 | -0/+1
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix: Use `CSP_NONCE` env variable in ContentSecurity Header | Holger Hees | 2024-08-13 | 1 | -1/+1
|   We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available.
|   Signed-off-by: Holger Hees <holger.hees@gmail.com>
* fix(files_sharing): show proper share not found error message | skjnldsv | 2024-08-06 | 2 | -19/+13
|   Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
* fix(AppFramework): Allow requests with OCS-APIRequest header to pass CSRF checks | provokateurin | 2024-07-25 | 1 | -0/+4
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* feat: mail provider backend | SebastianKrupinski | 2024-07-23 | 1 | -0/+24
|   Signed-off-by: SebastianKrupinski <krupinskis05@gmail.com>
* feat(security): Add public API to allow validating IP Ranges and checking for "in range" | Joas Schilling | 2024-07-19 | 2 | -7/+7
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
|   Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* feat(security): restrict admin actions to IP ranges | Benjamin Gaussorgues | 2024-07-19 | 3 | -54/+56
|   Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* chore: use "app_api" session key, "app_api_system" is deprecated | Andrey Borysenko | 2024-07-18 | 1 | -2/+3
|   Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
* feat: allow for ExApps to call Admin endpoints marked with specific attr | Alexander Piskun | 2024-07-18 | 1 | -6/+15
|   Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* feat(Security): Warn about using annotations instead of attributes | provokateurin | 2024-07-18 | 4 | -2/+12
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* feat: Add new forbidden filename options to Capabilities | Ferdinand Thiessen | 2024-07-11 | 1 | -1/+3
|   Allow clients to access the new filename validation options and make frontend name validation possible.
|   Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
|   Co-authored-by: Kate <26026535+provokateurin@users.noreply.github.com>
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(AppFramework): Add ExAppRequired attribute | provokateurin | 2024-07-01 | 2 | -1/+27
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* fix(logger): Fix scoped PSR logger when running psalm:ci | Joas Schilling | 2024-06-11 | 1 | -9/+9
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* refactor(Token): introduce scope constants | Arthur Schiwon | 2024-06-05 | 1 | -1/+2
|   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* fix(Session): avoid password confirmation on SSO | Arthur Schiwon | 2024-06-05 | 2 | -3/+26
|   SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends were used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated.
|   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* chore: Add SPDX header | Andy Scherzinger | 2024-05-24 | 59 | -1285/+148
|   Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* fix: address review comments | Marcel Klehr | 2024-05-14 | 1 | -2/+2
|   Signed-off-by: Marcel Klehr <mklehr@gmx.net>