| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
|
| |
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
| |
|
|
| |
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |
|
|
| |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |
|
|
|
|
|
|
| |
- re-stablishes old behaviour with cache to return null instead of throwing
an InvalidTokenException when the token is cached as non-existing
- token invalidation and re-generation are bundled in a DB transaction now
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.
Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |\
| |
| |
| |
| | |
nextcloud/fix/auth/selective-token-activity-update
fix(auth): Update authtoken activity selectively
|
| | |
| |
| |
| | |
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |/
|
|
| |
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
|
| |\
| |
| | |
Avoid updating the same oc_authtoken row twice
|
| | |
| |
| |
| | |
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
| |/
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
|
| |
|
|
| |
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
|
| |
|
|
| |
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
|
| |
|
|
| |
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
|
| |
|
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
|
| |
|
|
| |
Signed-off-by: Lucas Azevedo <lhs_azevedo@hotmail.com>
|
| |\
| |
| | |
Signed-off-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
|
| | |
| |
| |
| |
| |
| | |
All or nothing
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |/
|
|
| |
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
|
| |
|
|
|
|
| |
Allows to log-in via a passwordless authentication provider, eg SSO
Signed-off-by: Ember 'n0emis' Keske <git@n0emis.eu>
|
| |
|
|
|
|
|
|
| |
This can happen when the auth.storeCryptedPassword config is used,
which previously errored with:
Hasher::verify(): Argument #2 ($hash) must be of type string, null given
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |\
| |
| |
| |
| | |
nextcloud/perf/noid/only-check-for-token-when-it-can-actually-be
fix(performance): Only search for auth tokens when the provided login…
|
| | |
| |
| |
| | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| | |
| |
| |
| |
| |
| | |
long enough
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |/
|
|
|
|
| |
per user
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
| |
|
|
|
|
| |
verified
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
|
|
|
| |
We need to store the new authentication details when the hash did **not** verify
the old password.
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |\
| |
| | |
PublickKeyTokenProvider: Fix password update routine with password hash
|
| | |
| |
| |
| | |
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
|
| |/
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The session token renewal does
1) Read the old token
2) Write a new token
3) Delete the old token
If two processes succeed to read the old token there can be two new tokens because
the queries were not run in a transaction. This is particularly problematic on
clustered DBs where 1) would go to a read node and 2) and 3) go to a write node.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |\
| |
| | |
Add fallback routines for empty secret cases
|
| | |
| |
| |
| | |
Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com>
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
|
| | |
| |
| |
| | |
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
| | |
| |
| |
| | |
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
| | |
| |
| |
| | |
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
| |\ \
| | |
| | | |
Handle one time password better
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
|
| |/ /
| |
| |
| |
| |
| |
| |
| | |
This is an helpful helper that should be used in more place than just
server and this is already the case with groupfodlers, deck, user_oidc
and more using it, so let's make it public
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
For passwords bigger than 250 characters, use a bigger key since the
performance impact is minor (around one second to encrypt the password).
For passwords bigger than 470 characters, give up earlier and throw
exeception recommanding admin to either enable the previously enabled
configuration or use smaller passwords.
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This adds an option to disable storing passwords in the database. This
might be desirable when using single use token as passwords or very
large passwords.
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
|
| | |
| |
| |
| | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |/
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The auth token activity logic works as follows
* Read auth token
* Compare last activity time stamp to current time
* Update auth token activity if it's older than x seconds
This works fine in isolation but with concurrency that means that
occasionally the same token is read simultaneously by two processes and
both of these processes will trigger an update of the same row.
Affectively the second update doesn't add much value. It might set the
time stamp to the exact same time stamp or one a few seconds later. But
the last activity is no precise science, we don't need this accuracy.
This patch changes the UPDATE query to include the expected value in a
comparison with the current data. This results in an affected row when
the data in the DB still has an old time stamp, but won't affect a row
if the time stamp is (nearly) up to date.
This is a micro optimization and will possibly not show any significant
performance improvement. Yet in setups with a DB cluster it means that
the write node has to send fewer changes to the read nodes due to the
lower number of actual changes.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
