path: root/lib/public/AppFramework
Commit message [Author, Age, Files changed, Lines removed/added]
* OC_OCS_Response is deprecated [Roeland Jago Douma, 2017-09-21, 1 file, -1/+1]
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* fix typo and set @since properly [Thomas Citharel, 2017-09-15, 2 files, -6/+6]
    Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* Add CSP frame-ancestors support [Thomas Citharel, 2017-09-15, 2 files, -0/+34]
    Didn't set the @since annotation yet.

    Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* Remove explicit type hints for Controller [Lukas Reschke, 2017-08-01, 1 file, -4/+4]
    This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call [Morris Jobke, 2017-08-01, 1 file, -1/+15]
|\  Add metadata to \OCP\AppFramework\Http\Response::throttle
| * Add metadata to \OCP\AppFramework\Http\Response::throttle [Lukas Reschke, 2017-07-27, 1 file, -1/+15]
|     Fixes https://github.com/nextcloud/server/issues/5891
|
|     Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* | Merge pull request #5877 from nextcloud/typehint_middleware [Morris Jobke, 2017-08-01, 1 file, -4/+4]
|\ \  Prop argument type for Middleware
| * | Prop argument type for Middleware [Roeland Jago Douma, 2017-07-31, 1 file, -4/+4]
| |/    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* | Some more invalid PHPDocs in legacy classes [Lukas Reschke, 2017-08-01, 1 file, -0/+1]
| |   Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* | Replace wrong PHPDocs [Lukas Reschke, 2017-08-01, 3 files, -2/+3]
|/    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Some phpstorm inspection fixes [Roeland Jago Douma, 2017-07-22, 4 files, -14/+14]
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove deprecated Controller Functions [Roeland Jago Douma, 2017-07-20, 1 file, -105/+1]
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove unused use statements [Morris Jobke, 2017-04-22, 6 files, -7/+0]
    Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Make BruteForceProtection annotation more clever [Lukas Reschke, 2017-04-13, 1 file, -0/+19]
    This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into its own middleware.

    Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$response->throttle()` to increase the counter. Before the counter was increased every time which leads to all kinds of unexpected problems.

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
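The pattern the commit above describes, as an added example that is not Nextcloud's own code: a controller action marked `@BruteForceProtection(action=...)` whose failed attempts call `throttle()` on the response so that only failures advance the counter. The metadata array passed to `throttle()` is the addition from PR #5907 further up this log. The class, route, the `IUserManager::checkPassword()` credential check and the `passwordReset` action key are assumptions made for illustration.

```php
<?php
// Added example, not Nextcloud's own code. Class name, route and the
// 'passwordReset' action key are assumptions for illustration.

namespace OCA\Example\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataResponse;
use OCP\IRequest;
use OCP\IUserManager;

class PasswordResetController extends Controller {
    /** @var IUserManager */
    private $userManager;

    public function __construct($appName, IRequest $request, IUserManager $userManager) {
        parent::__construct($appName, $request);
        $this->userManager = $userManager;
    }

    /**
     * The annotation registers this action with the brute-force middleware.
     * The middleware only increments the counter for this action (and, after
     * enough failures, delays/blocks the client) when the returned response
     * has throttle() called on it; a successful attempt is not counted.
     *
     * @PublicPage
     * @BruteForceProtection(action=passwordReset)
     *
     * @param string $user
     * @param string $password
     * @return DataResponse
     */
    public function reset($user, $password) {
        if ($this->userManager->checkPassword($user, $password) === false) {
            $response = new DataResponse([], Http::STATUS_FORBIDDEN);
            // Failure path: mark the response as throttled. The metadata lets the
            // throttler distinguish attempts against different target accounts
            // (assumed key name 'user').
            $response->throttle(['user' => $user]);
            return $response;
        }

        // Success path: no throttle() call, so the counter is left alone.
        return new DataResponse(['status' => 'ok']);
    }
}
```

The important check when reviewing such a controller is that every failure branch calls `throttle()`; a branch that returns an error without it is invisible to the brute-force protection, which is exactly the class of mistake the previous always-count behaviour avoided at the cost of the false positives the commit mentions.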
* Web app manifest [Pierre Rudloff, 2017-03-28, 1 file, -0/+1]
    Signed-off-by: Jan-Christoph Borchardt <hey@jancborchardt.net>
* Add base-uri to CSP policy [Lukas Reschke, 2017-03-16, 1 file, -0/+1]
    As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* set 'no-store' cache header if we do not want FF to cache [Christoph Wurst, 2017-01-09, 1 file, -2/+2]
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Remove IDb interface which was deprecated for 3 years already [Joas Schilling, 2016-12-14, 1 file, -15/+1]
    Signed-off-by: Joas Schilling <coding@schilljs.com>
* prevent warning in StreamResponse [Robin Appelman, 2016-11-29, 1 file, -1/+1]
    Signed-off-by: Robin Appelman <robin@icewind.nl>
* allow passing a stream to StreamResponse [Robin Appelman, 2016-11-16, 2 files, -3/+3]
    Signed-off-by: Robin Appelman <robin@icewind.nl>
* @since 9.2.0 to @since 11.0.0 [Roeland Jago Douma, 2016-11-15, 3 files, -5/+5]
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* refactoring code to reduce cyclomatic complexity [Donquixote, 2016-11-07, 2 files, -10/+5]
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add support for CSP nonces [Lukas Reschke, 2016-10-24, 2 files, -2/+24]
    CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Resources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce."

    At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API), they now must also include that attribute.

    IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list.

    An alternative approach would be to just add `'unsafe-inline'` as well, as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

    Implementing this offers the following advantages:

    1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
    2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

    If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
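How an app ties the three CSP changes in this log together (nonces above, `base-uri` from the 2017-03-16 commit, and `frame-ancestors` from the 2017-09-15 commit), as an added example that is not Nextcloud's own code: a controller that narrows the page policy to one allowed embedding origin, and a template whose inline script carries the nonce the commit describes (`base64_encode` of the request token). The app, controller and template names, the `https://intranet.example.com` origin and the method name `addAllowedFrameAncestorDomain()` on the policy object are assumptions made for illustration.

```php
<?php
// Added example, not Nextcloud's own code.
// --- File 1 (assumed path): lib/Controller/PageController.php ---

namespace OCA\Example\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\TemplateResponse;

class PageController extends Controller {
    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     */
    public function index() {
        $response = new TemplateResponse($this->appName, 'index');

        // Start from the default policy (script-src 'self' plus the per-request
        // nonce, base-uri 'self' since the 2017-03-16 commit) and only add the
        // one origin that is allowed to put this page in a frame. Everything
        // else is refused via frame-ancestors, which, unlike X-Frame-Options,
        // can name a specific origin. Method name is an assumption.
        $csp = new ContentSecurityPolicy();
        $csp->addAllowedFrameAncestorDomain('https://intranet.example.com');
        $response->setContentSecurityPolicy($csp);

        return $response;
    }
}
?>
<?php
// --- File 2 (assumed path): templates/index.php ---
// The inline script runs only because its nonce attribute matches the nonce
// in the Content-Security-Policy header. Drop the attribute and the browser
// blocks the script and reports a CSP violation; an injected <script> has the
// same fate because an attacker cannot know the per-request token.
?>
<script nonce="<?php p(base64_encode($_['requesttoken'])) ?>">
    OC.Notification.showTemporary('loaded under a nonce-based CSP');
</script>
```

The nonce is printed with `p()` so it is HTML-escaped; never echo the raw token into an attribute. When checking the result, request the page and confirm the `Content-Security-Policy` header contains `'nonce-...'` in `script-src`, `base-uri 'self'`, and `frame-ancestors` listing only the intended origin.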
* Initial AppData [Roeland Jago Douma, 2016-10-05, 1 file, -4/+3]
    * Introduce simpleFS
    * Introduce IAppData
    * Introduce AppData Factory to get your AppData folder
    * Update FileDisplayResponse
    * AppData implements a ISimpleRoot but lazy. So only if an apps starts to access data will stuff get initialized

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add strict CSP to OCS responses [Roeland Jago Douma, 2016-09-15, 1 file, -3/+3]
    If a response now explicitly has the Empty CSP set then the middleware won't touch it.
* Split OCS version handling [Roeland Jago Douma, 2016-09-06, 1 file, -13/+19]
    This cleans up a bit the OCSController/Middleware. Since the 2 versions of OCS differ a bit. Moved a lot of stuff internal since it is of no concern to the outside.
* Add FileDisplayResponse [Roeland Jago Douma, 2016-09-05, 1 file, -0/+70]
    A lazy implementation of the DisplayResponse that only hits the filesystem if the etag and mtime do not match.
* Merge pull request #1158 from nextcloud/cache_avatars [Lukas Reschke, 2016-09-05, 1 file, -2/+1]
|\  Cache avatars
| * Cache avatars properly [Roeland Jago Douma, 2016-08-30, 1 file, -2/+1]
|     * Set proper caching headers for avatars (15 minutes)
|     * For our own avatar use some extra logic to invalidate when we update
* | Deprecate OCSResponse [Roeland Jago Douma, 2016-09-05, 1 file, -2/+3]
|/    The OCSResponse should not be used by apps. They should extend the OCSController and use normal DataResponses instead.
* OCSController requires DataResponse [Roeland Jago Douma, 2016-08-10, 1 file, -11/+4]
    The OCS Controller requires a DataResponse object to be returned. This means that all error handling will have to be done via exceptions thrown and handling in the middleware.
* Merge pull request #507 from nextcloud/run-le-script [Morris Jobke, 2016-07-21, 34 files, -36/+70]
|\  Update emails and license headers with latest changes
| * Update with robin [Joas Schilling, 2016-07-21, 1 file, -1/+1]
| * Fix others [Joas Schilling, 2016-07-21, 34 files, -35/+69]
* | AppFramework do not get default response [Roeland Jago Douma, 2016-07-20, 2 files, -3/+18]
|/    The OCSResponse differs from other responses in that it defaults to XML. However we fell back to json by default. This makes sure that if nothing is set we don't pass anything. Which defaults then to the controller's default (which is often 'json') but in the case of the OCSResponse 'xml'.
* Add OCSMiddleware to catch OCS exceptions [Roeland Jago Douma, 2016-07-20, 4 files, -0/+165]
    * OCSException
    * OCSBadRequestException
    * OCSForbiddenException
    * OCSNotFoundException
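The OCS error-handling model these commits introduce (an OCSController must return a DataResponse; errors are thrown as OCS exceptions and turned into the OCS error envelope by the OCSMiddleware), as an added example that is not Nextcloud's own code. The app name, route, the `IGroupManager`/`IUserSession` lookups and the error messages are assumptions made for illustration.

```php
<?php
// Added example, not Nextcloud's own code. App name, route and the group
// membership lookup are assumptions for illustration.

namespace OCA\Example\Controller;

use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCS\OCSForbiddenException;
use OCP\AppFramework\OCS\OCSNotFoundException;
use OCP\AppFramework\OCSController;
use OCP\IGroupManager;
use OCP\IRequest;
use OCP\IUserSession;

class GroupApiController extends OCSController {
    /** @var IGroupManager */
    private $groupManager;
    /** @var IUserSession */
    private $userSession;

    public function __construct($appName, IRequest $request,
                                IGroupManager $groupManager, IUserSession $userSession) {
        parent::__construct($appName, $request);
        $this->groupManager = $groupManager;
        $this->userSession = $userSession;
    }

    /**
     * Lists the members of a group the caller belongs to.
     *
     * Success returns a DataResponse; every failure is an OCS exception. The
     * OCSMiddleware catches these and emits the status code and OCS envelope
     * (XML by default, JSON when the client asks for it), so the controller
     * never builds an error response by hand.
     *
     * @NoAdminRequired
     * @param string $groupId
     * @return DataResponse
     * @throws OCSForbiddenException
     * @throws OCSNotFoundException
     */
    public function getMembers($groupId) {
        $user = $this->userSession->getUser();
        $group = $this->groupManager->get($groupId);

        // Check membership before revealing whether the group exists, and use the
        // same "not found" answer for both cases so a caller who is not a member
        // cannot enumerate group names.
        if ($group === null || $user === null || !$group->inGroup($user)) {
            throw new OCSNotFoundException('Group not found');
        }

        $uids = array_map(function ($member) {
            return $member->getUID();
        }, $group->getUsers());

        return new DataResponse(['users' => array_values($uids)]);
    }
}
```

`OCSForbiddenException` is imported to show where a genuinely distinct 403 belongs (for example an action the member may read but not modify); for the existence-vs-membership question above, collapsing both into a 404 avoids leaking which groups exist.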
* Update license headers [Lukas Reschke, 2016-05-26, 14 files, -10/+15]
* Move \OCP\AppFramework to PSR-4 [Roeland Jago Douma, 2016-05-06, 30 files, -0/+3583]