aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Authentication
Commit message (Collapse)AuthorAgeFilesLines
...
| * fix(performance): Only search for auth tokens when the provided login is ↵Joas Schilling2023-02-081-1/+22
| | | | | | | | | | | | long enough Signed-off-by: Joas Schilling <coding@schilljs.com>
* | fix(authtoken): Store only one hash for authtokens with the current password ↵Julius Härtl2023-02-092-1/+50
|/ | | | | | per user Signed-off-by: Julius Härtl <jus@bitgrid.net>
* composer run cs:fixCôme Chilliet2023-01-2042-44/+0
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Merge pull request #36001 from nextcloud/validate-user-tzVincent Petry2023-01-111-1/+5
|\ | | | | Validate user timezone given from login data before saving it
| * Validate user timezone given from login data before saving itThomas Citharel2023-01-041-1/+5
| | | | | | | | | | | | Follow-up to #36000 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* | fix(authentication): Update the token when the hash is null or can not be ↵Joas Schilling2023-01-091-4/+21
| | | | | | | | | | | | verified Signed-off-by: Joas Schilling <coding@schilljs.com>
* | fix(authentication): Only hash the new password when neededJoas Schilling2023-01-091-2/+6
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | fix(authentication): Invert the logic to the original intentionJoas Schilling2023-01-091-2/+3
| | | | | | | | | | | | | | We need to store the new authentication details when the hash did **not** verify the old password. Signed-off-by: Joas Schilling <coding@schilljs.com>
* | fix(authentication): Only verify each hash onceJoas Schilling2023-01-091-2/+4
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Merge pull request #33898 from nextcloud/fix/authtoken-password-updateJulius Härtl2023-01-052-4/+22
|\ \ | | | | | | PublickKeyTokenProvider: Fix password update routine with password hash
| * | PublickKeyTokenProvider: Fix password update routine with password hashMarcel Klehr2023-01-042-4/+22
| |/ | | | | | | Signed-off-by: Marcel Klehr <mklehr@gmx.net>
* / Add a const for the max user password lengthJoas Schilling2023-01-041-1/+2
|/ | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Do not setup a session when not required on WebDAV requestsJulius Härtl2022-12-211-1/+2
| | | | | | | | | | If basic auth is used on WebDAV endpoints, we will not setup a session by default but instead set a test cookie. Clients which handle session cookies properly will send back the cookie then on the second request and a session will be initialized which can be resued for authentication. Signed-off-by: Julius Härtl <jus@bitgrid.net>
* feat: add event for failed loginsRoeland Jago Douma2022-11-243-5/+13
| | | | | | | | Apps might also like to know about failed logins. This adds that event. The private interface changes are backwards compatible so all should be fine. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Skip general login with email for non-valid addresses and LDAPJulius Härtl2022-10-261-0/+12
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Merge pull request #34554 from nextcloud/fix/psalm-twofactor-registryCarl Schwan2022-10-182-4/+4
|\ | | | | Fix wrong types in phpdoc for twofactor registry
| * Fix the type of the return array in a few more placesCarl Schwan2022-10-182-4/+4
| | | | | | | | Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* | Run session token renewals in a database transactionChristoph Wurst2022-10-181-23/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | The session token renewal does 1) Read the old token 2) Write a new token 3) Delete the old token If two processes succeed to read the old token there can be two new tokens because the queries were not run in a transaction. This is particularly problematic on clustered DBs where 1) would go to a read node and 2) and 3) go to a write node. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Merge pull request #31499 from nextcloud/bugfix/empty-secretCarl Schwan2022-10-171-5/+24
|\ \ | |/ |/| Add fallback routines for empty secret cases
| * Mark method as deprecatedCarl Schwan2022-09-131-1/+1
| | | | | | | | Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Carl Schwan <carl@carlschwan.eu>
| * Rotate token after fallbackJulius Härtl2022-03-101-2/+8
| | | | | | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
| * Add fallback routines for empty secret casesJulius Härtl2022-03-101-3/+16
| | | | | | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* | Pass logger to passwordless auth WebAuthn libChristoph Wurst2022-10-031-1/+4
| | | | | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Add back TokenCleanupJob to invalidate old temporary tokensThomas Citharel2022-08-251-0/+41
| | | | | | | | Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* | Do not update passwords if nothing changedJulius Härtl2022-08-091-3/+6
| | | | | | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* | Merge pull request #33225 from nextcloud/fix/handle-one-time-passwordsCarl Schwan2022-07-291-1/+1
|\ \ | | | | | | Handle one time password better
| * | Handle one time password betterCarl Schwan2022-07-281-1/+1
| | | | | | | | | | | | Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* | | Fix typos in lib/private subdirectoryluz paz2022-07-271-1/+1
| | | | | | | | | | | | | | | | | | Found via `codespell -q 3 -S l10n -L jus ./lib/private` Signed-off-by: luz paz <luzpaz@github.com>
* | | Merge pull request #30510 from nextcloud/user-cleanup-storage-before-cacheVincent Petry2022-07-261-1/+1
|\ \ \ | | | | | | | | delete files before cleaning cache when cleaning user files
| * | | delete files before cleaning cache when cleaning user filesRobin Appelman2022-06-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | otherwise, when using object store, we loose track of which files the user owns before we can delete them Signed-off-by: Robin Appelman <robin@icewind.nl>
* | | | Move CappedMemoryCache to OCPCarl Schwan2022-07-141-1/+1
| |/ / |/| | | | | | | | | | | | | | | | | | | | This is an helpful helper that should be used in more place than just server and this is already the case with groupfodlers, deck, user_oidc and more using it, so let's make it public Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* | | Handler large passwordsCarl Schwan2022-07-051-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For passwords bigger than 250 characters, use a bigger key since the performance impact is minor (around one second to encrypt the password). For passwords bigger than 470 characters, give up earlier and throw exeception recommanding admin to either enable the previously enabled configuration or use smaller passwords. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* | | Handle one time passwordsCarl Schwan2022-07-051-1/+1
|/ / | | | | | | | | | | | | | | This adds an option to disable storing passwords in the database. This might be desirable when using single use token as passwords or very large passwords. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* | Fix replacing external storage password during debug logChristoph Wurst2022-06-011-1/+1
| | | | | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Merge pull request #32357 from nextcloud/user-delete-remove-wrappersJulius Härtl2022-05-161-0/+8
|\ \ | | | | | | remove storage wrappers when deleting the user storage
| * | remove storage wrappers when deleting the user storageRobin Appelman2022-05-121-0/+8
| | | | | | | | | | | | Signed-off-by: Robin Appelman <robin@icewind.nl>
* | | Fix user agent trimming on installationJoas Schilling2022-05-091-1/+1
|/ / | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Log why the login token can't be used for credentialsChristoph Wurst2022-04-041-3/+3
| | | | | | | | | | | | And always pass the exception object to the logger. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Automatically cut the token name on the first levelJoas Schilling2022-03-232-3/+3
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Limit the length of app password namesJoas Schilling2022-03-232-0/+8
|/ | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Also cache non-existing to reuse itJoas Schilling2022-02-161-0/+5
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Merge pull request #30016 from ↵Joas Schilling2021-12-027-831/+14
|\ | | | | | | | | nextcloud/techdebt/noid/remove-default-token-provider Remove default token which is deprecated since Nextcloud 13
| * Remove default token which is deprecated since Nextcloud 13Joas Schilling2021-12-017-831/+14
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Only check the twofactor state once per requestJoas Schilling2021-12-011-1/+9
|/ | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Fix ArrayAccess and JsonSerializable return typesCôme Chilliet2021-11-232-2/+2
| | | | | | First round of modifications for PHP 8.1 Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Prevent duplicate auth token activity updatesChristoph Wurst2021-10-222-2/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | The auth token activity logic works as follows * Read auth token * Compare last activity time stamp to current time * Update auth token activity if it's older than x seconds This works fine in isolation but with concurrency that means that occasionally the same token is read simultaneously by two processes and both of these processes will trigger an update of the same row. Affectively the second update doesn't add much value. It might set the time stamp to the exact same time stamp or one a few seconds later. But the last activity is no precise science, we don't need this accuracy. This patch changes the UPDATE query to include the expected value in a comparison with the current data. This results in an affected row when the data in the DB still has an old time stamp, but won't affect a row if the time stamp is (nearly) up to date. This is a micro optimization and will possibly not show any significant performance improvement. Yet in setups with a DB cluster it means that the write node has to send fewer changes to the read nodes due to the lower number of actual changes. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Type the autentication provider passwords as nullable stringsChristoph Wurst2021-10-133-13/+4
| | | | | | | | For historic reasons we couldn't add a nullable type hint before nullable type hints were supported by our target php versions. This is now possible. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Tokens without password should not trigger changed password invalidationJulius Härtl2021-10-071-1/+1
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* prevent the invalidation of pw based authn tokens on a pw less loginTobias Assmann2021-07-162-0/+10
| | | | Signed-off-by: Tobias Assmann <tobias.assmann@ecsec.de>
* Properly cleanup entries of WebAuthn on user deletionMorris Jobke2021-06-182-0/+63
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-30 20:12:24 +0000