aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Authentication
Commit message (Collapse)AuthorAgeFilesLines
* fix(webauthn): do not require bcmath or gmp - not needed anymoreFerdinand Thiessen2025-03-191-8/+0
| | | | | | | | The extensions are not required anymore but only recommended for performance. See also: https://github.com/web-auth/webauthn-framework/issues/213 Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* Merge pull request #51130 from nextcloud/fix/credential-passwordless-authJulius Knorr2025-03-071-5/+9
|\ | | | | fix: Do not build encrypted password if there is none
| * fix: Do not build encrypted password if there is nonefix/credential-passwordless-authJulius Knorr2025-03-061-5/+9
| | | | | | | | Signed-off-by: Julius Knorr <jus@bitgrid.net>
* | fix: Move login via email logic to local backendfix/move-email-logic-local-user-backendFerdinand Thiessen2025-03-032-55/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Backends can decide which names they accept for login, e.g. with user_ldap you can configure arbitrary login fields. This was a hacky approach to allow login via email, so instead this is now only handled by the local user backend. This also fixes some other related problems: Other logic relys on `backend::get()` which was not handling email, so e.g. password policy could not block users logged in via email if they use out-dated passwords. Similar for other integrations, as the user backend was not consistent with what is a login name and what not. Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de> Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* | fix(login): Support subfolder install for ephemeral sessionsartonge/fix/epehmeral_sessionsLouis Chemineau2025-02-271-1/+4
| | | | | | | | Signed-off-by: Louis Chemineau <louis@chmn.me>
* | feat: Close sessions created for login flow v2artonge/fix/login_flow_v2_sessions_2Louis Chemineau2025-02-262-60/+42
|/ | | | | | | | Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
* fix: Handle exception when clearing previously removed two factor tokensclear-pending-two-factor-tokens-also-from-configurationDaniel Calviño Sánchez2024-11-051-1/+5
| | | | | | | | If a token was already removed from the database but not from the configuration clearing the tokens will try to remove it again from the database, which caused a DoesNotExistException to be thrown. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* fix: Clear pending two factor tokens also from configurationDaniel Calviño Sánchez2024-11-051-0/+2
| | | | | | | | | Otherwise as the tokens were removed from the database but not from the configuration the next time that the tokens were cleared the previous tokens were still got from the configuration, and trying to remove them again from the database ended in a DoesNotExistException being thrown. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* fix: crypto made inline for constructor and decrypt error handled in exceptionfix/encrypt-decrypt-passwordyemkareems2024-10-281-2/+4
| | | | Signed-off-by: yemkareems <yemkareems@gmail.com>
* fix: crypto made inline for constructor and decrypt error handled in exceptionyemkareems2024-10-281-6/+7
| | | | Signed-off-by: yemkareems <yemkareems@gmail.com>
* fix: use Icrypto in place of Cyptoyemkareems2024-10-281-3/+3
| | | | Signed-off-by: yemkareems <yemkareems@gmail.com>
* fix: crypto type made not nullable and tests run using ICryptoyemkareems2024-10-281-3/+3
| | | | Signed-off-by: yemkareems <yemkareems@gmail.com>
* fix: encrypt and store password, decrypt and retrieve the sameyemkareems2024-10-281-1/+9
| | | | Signed-off-by: yemkareems <yemkareems@gmail.com>
* Merge pull request #47329 from nextcloud/feat/add-datetime-qbmapper-supportFerdinand Thiessen2024-10-181-7/+8
|\ | | | | feat(AppFramework): Add full support for date / time / datetime columns
| * fix: Adjust Entity typesfeat/add-datetime-qbmapper-supportFerdinand Thiessen2024-10-171-7/+8
| | | | | | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* | chore(db): Apply query prepared statementsdbQueriesExecStmt2Git'Fellow2024-10-171-2/+2
|/ | | | | | | | | | | | | | | | Fix: psalm fix: bad file fix: bug chore: add batch chore: add batch chore: add batch fix: psalm
* chore(db): Correctly apply query typesGit'Fellow2024-10-171-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | fix: psalm fix: error fix: add batch fix: fatal error fix: add batch chore: add batch chore: add batch fix: psalm fix: typo fix: psalm fix: return bool fix: revert Manager
* fix: Make user removal more resilientFerdinand Thiessen2024-09-261-8/+14
| | | | | | | | | | | | | | Currently there is a problem if an exception is thrown in `User::delete`, because at that point the user is already removed from the backend, but not all data is deleted. There is no way to recover from this state, as the user is gone no information is available anymore. This means the data is still available on the server but can not removed by any API anymore. The solution here is to first set a flag and backup the user home, this can be used to recover failed user deletions in a way the delete can be re-tried. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore: Add proper deprecation dates where missingFerdinand Thiessen2024-09-201-1/+1
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore(deps): Update nextcloud/coding-standard to v1.3.1provokateurin2024-09-193-3/+3
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* chore: Migrate cleanAppId and getAppPath calls to IAppManager from OC_AppCôme Chilliet2024-09-131-19/+11
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* style: update codestyle for coding-standard 1.2.3Daniel Kesselberg2024-08-256-20/+20
| | | | Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* feat(webauthn): Add user verification to webauthn challengesS1m2024-08-153-8/+27
| | | | | | | | Require user verification if all tokens are registered with UV flag, else discourage it Signed-off-by: S1m <git@sgougeon.fr> Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
* feat(auth): Clean-up unused auth tokens and wipe tokensChristoph Wurst2024-08-132-9/+21
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* fix(Token): take over scope in token refresh with login by cookieArthur Schiwon2024-07-193-6/+19
| | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* fix(Session): avoid race conditions on clustered setupsArthur Schiwon2024-07-101-1/+1
| | | | | | | | - re-stablishes old behaviour with cache to return null instead of throwing an InvalidTokenException when the token is cached as non-existing - token invalidation and re-generation are bundled in a DB transaction now Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* feat(notifications): Migrate server INotifiers to new exceptionsJoas Schilling2024-06-251-3/+3
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* refactor(Token): introduce scope constantsArthur Schiwon2024-06-051-1/+2
| | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* fix(Session): avoid password confirmation on SSOArthur Schiwon2024-06-051-0/+1
| | | | | | | | | | | SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Merge pull request #45411 from ↵Daniel2024-05-291-2/+0
|\ | | | | | | | | nextcloud/fix/auth/selective-token-activity-update fix(auth): Update authtoken activity selectively
| * fix(auth): Update authtoken activity selectivelyChristoph Wurst2024-05-211-2/+0
| | | | | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | chore: Add SPDX headerAndy Scherzinger2024-05-2467-1315/+148
|/ | | | Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* Merge pull request #45026 from nextcloud/fix/token-updateChristoph Wurst2024-05-161-0/+2
|\ | | | | Avoid updating the same oc_authtoken row twice
| * fix: Always set last activity if we update the row of an authtoken anywaysJulius Härtl2024-04-291-0/+2
| | | | | | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* | fix(session): Avoid race condition for cache::get() vs. cache::hasKey()Joas Schilling2024-04-291-6/+6
|/ | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* fix(deps): Bump web-auth/webauthn-lib from 3.3.9 to 4.8.5Ferdinand Thiessen2024-04-161-24/+24
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix: Fix new psalm errors from updateCôme Chilliet2024-04-081-9/+7
| | | | | | | Not sure about the SimpleContainer modification, let’s see what CI says about that. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Apply new coding standard to all filesCôme Chilliet2024-04-029-11/+11
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* feat(perf): add cache for authtoken lookupBenjamin Gaussorgues2024-02-282-63/+78
| | | | Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* feat: rename users to account or personVincent Petry2024-02-131-1/+1
| | | | | | Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com>
* chore: Fix missing template parameter for IEventListenerCôme Chilliet2024-01-302-0/+2
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Import OCP IToken as OCPIToken to avoid a name clash in lib/privateCôme Chilliet2024-01-113-65/+65
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Use OCP version of IToken in AppPasswordCreatedEventCôme Chilliet2024-01-111-6/+4
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Use IToken from OCP instead of OCCôme Chilliet2024-01-113-0/+3
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Suppress or fix psalm errors related to InvalidTokenExceptionCôme Chilliet2024-01-112-4/+6
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Always catch OCP versions of authentication exceptionsCôme Chilliet2024-01-114-10/+11
| | | | | | And always throw OC versions for BC Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* AppAPI: allowed to bypass Two-FactorAlexander Piskun2023-12-281-2/+2
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* chore: apply changes from Nextcloud coding standards 1.1.1Joas Schilling2023-11-2322-92/+92
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* fix: Show error message when CSRF check fails at loginChristoph Wurst2023-11-081-0/+5
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Allow passing null to PublicKeyToken::setScope, fixes testsCôme Chilliet2023-10-231-2/+2
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-17 09:24:05 +0000