| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
We have the token anyway. So better the scope as well.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
|
|
|
| |
Sometimes when we force a session regeneration we want to update the
current token for this session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
| |
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
| |
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
|
|
|
|
|
|
| |
* We first try the email as username but this fails
* Then we get the uid from the email and try again
We should not log the first attempt since it polutes the log with failed
login attempts while the login actually is valid.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
|
|
| |
where appropriate, the preLoginNameUsedAsUserName hook should be thrown.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |
|
|
|
|
| |
* also allows to search by displayname
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is gen-
erated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
`\OC\User\Database::createUser` can throw a PHP exception in case the UID is longer than
permitted in the database. This is against it's PHPDocs and we should cast this to `false`,
so that the regular error handling triggers in.
The easiest way to reproduce is on MySQL:
1. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel
2. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel again
3. See SQL exception as error message
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
| |
|
|
|
|
|
|
|
| |
Most of the time, when people have multiple backends or add a
custom backend, they want to create the users there and not in
the default backend. But since that is registered first, users
were always created there.
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |
|
|
| |
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| |
|
|
|
|
|
|
|
|
| |
The encryption app relies on the post_login hook to initialize its keys.
Since we do not emit it on a remembered login, the keys were always un-
initialized and the user was asked to log out and in again.
This patch *translates* the postRememberedLogin hook to a post_login
hook.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
| |
|
|
|
|
| |
Users page takes advantage of that
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |\
| |
| | |
Add activities when email or password is changed
|
| | |
| |
| |
| | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |\ \
| |/
|/|
| |
| | |
nextcloud/fix-login-controller-test-consolidate-login
Fix login controller test and consolidate login
|
| | |
| |
| |
| | |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| | |
| |
| |
| | |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| | |
| |
| |
| | |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| | |
| |
| |
| | |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| | |
| |
| |
| | |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| | |
| |
| |
| | |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |/
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
| |
|
|
| |
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
| |\
| |
| | |
Sharing dialog: make autocomplete sorting case insensitive
|
| | |
| |
| |
| | |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |\ \
| | |
| | | |
cache loadUser if not exists
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add comment, closeCursor in user DB query
Invalidate user in cache after successful creation
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |/ /
| |
| |
| |
| |
| |
| |
| | |
* Add postLogout hook to finish sessions from external session managers like CAS
* Add postLogout hook to finish sessions from external session managers like CAS
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| | |
| |
| |
| |
| |
| | |
The constructor is iniitiated already very early in base.php, thus requiring this here will break the setup and some more. For now we probably have to live with a static function call here thus.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| |/
|
|
| |
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| |
|
|
|
|
| |
* basically a straight replacement of the wrapped code at the calling code parts
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |\
| |
| | |
Add preLoginValidation hook
|
| | |
| |
| |
| | |
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
|
| | |\
| | |
| | |
| | | |
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
|
