path: root/tests/lib/AppFramework/Http
Commit message (author, age, files, lines)
* fix(AppFramework): Allow requests with OCS-APIRequest header to pass CSRF checks (provokateurin, 2024-07-25, 1 file, -0/+20)
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* chore: Add SPDX header (Andy Scherzinger, 2024-05-13, 19 files, -278/+52)
|   Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* test(request): Add tests to strip the port when forwarding requests (Joas Schilling, 2024-02-13, 1 file, -288/+119)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* test(unit): fix RequestTest (Arthur Schiwon, 2024-01-27, 1 file, -3/+4)
|   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* fix(API): Use a distinct exception so apps can react to it and customize the return (Joas Schilling, 2023-11-28, 1 file, -1/+2)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* enh(dispatcher): enforce psalm ranges in the http dispatcher (Arthur Schiwon, 2023-11-24, 1 file, -0/+47)
|   - allows devs to provide int ranges for API arguments
|
|   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* chore: apply changes from Nextcloud coding standards 1.1.1 (Joas Schilling, 2023-11-23, 1 file, -1/+1)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
|   Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* fix(CSP): Only add `strict-dynamic` when using nonces (Ferdinand Thiessen, 2023-11-17, 2 files, -59/+59)
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem` (Ferdinand Thiessen, 2023-11-17, 1 file, -76/+73)
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only (Ferdinand Thiessen, 2023-11-17, 2 files, -0/+73)
|   This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keeping the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.
|
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* Reverse X-Forwarded-For list to read the correct proxy remote address (Joas Schilling, 2023-11-16, 1 file, -6/+32)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Stop sending deprecated Pragma header (Git'Fellow, 2023-08-28, 1 file, -2/+0)
|   Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
* Allow "wasm-unsafe-eval" in CSP (Daniel Calviño Sánchez, 2023-08-10, 2 files, -0/+14)
|   If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive contains neither `wasm-unsafe-eval` nor `unsafe-eval`, loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread).
|
|   Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval`, this affects not only WebAssembly but also the `eval` operation in JavaScript. To make it possible to allow WebAssembly execution without allowing JavaScript `eval`, this commit adds support for allowing `wasm-unsafe-eval`.
|
|   Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* feat(request): Allow to match the client version with the IRequest::USER_AGENT_* regex (Joas Schilling, 2023-07-11, 1 file, -0/+57)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Add template types to responses (jld3103, 2023-06-30, 1 file, -1/+4)
|   Signed-off-by: jld3103 <jld3103yt@gmail.com>
* chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript (Christoph Wurst, 2023-06-12, 3 files, -37/+3)
|   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Adapt tests to config value typing (Côme Chilliet, 2023-04-05, 1 file, -6/+6)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Change X-Robots-Tag header from "none" to "noindex, nofollow" (MichaIng, 2023-02-15, 2 files, -2/+2)
|   While "none" is indeed equivalent to "noindex, nofollow" for Google, it seems not to be supported by Bing and probably other search engines.
|
|   https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
|   https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
|   https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240
|
|   Signed-off-by: MichaIng <micha@dietpi.com>
* composer run cs:fix (Côme Chilliet, 2023-01-20, 10 files, -10/+0)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* feat(app framework)!: Inject services into controller methods (Christoph Wurst, 2023-01-18, 1 file, -10/+19)
|   Usually Nextcloud DI goes through constructor injection. This has the implication that each instance of a class builds the full DI tree. That is the injected services, their services, etc. Occasionally there is a service that is only needed for one controller method. Then the DI tree is built regardless if used or not.
|
|   If services are injected into the method, we only build the DI tree if that method gets executed.
|
|   This is also how Laravel allows injection.
|
|   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Merge branch 'master' into add-scim-json-support (Stanimir Bozhilov, 2022-12-19, 3 files, -21/+41)
|\
| |   Signed-off-by: Stanimir Bozhilov <stanimir.bozhilov.1998@gmail.com>
| * Merge pull request #35780 from nextcloud/fix/http-dispatcher-double-parameter-cast (Vincent Petry, 2022-12-16, 1 file, -7/+14)
| |\
| | |   Fix missing cast of double controller parameters
| | * fix(app framework): Fix missing cast of double controller parameters (Christoph Wurst, 2022-12-15, 1 file, -7/+14)
| | |   ``settype`` allows 'double' as alias of 'float'.
| | |
| | |   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
| * | check if params given to API are really an array (Artur Neumann, 2022-12-15, 1 file, -2/+13)
| |/
| |   Signed-off-by: Artur Neumann <artur@jankaritech.com>
| * Fix some more problems with tests under PHP 8.2 (Côme Chilliet, 2022-11-15, 1 file, -12/+14)
| |   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* | Fix the JSON content type regex to match all MIME types (Stanimir Bozhilov, 2022-09-26, 1 file, -0/+91)
| |   Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>
* | Add unit tests for application/scim+json content type (Stanimir Bozhilov, 2022-09-20, 1 file, -0/+92)
|/
|   Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>
* Support specifying IPv6 proxies in CIDR notation (Simon Leiner, 2022-08-02, 1 file, -0/+77)
|   Previously, it was not possible to use CIDR notation for IPv6 proxies in the trusted_proxies parameter of config.php [1]. This patch adds support for that.
|
|   [1]: https://docs.nextcloud.com/server/24/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies
|
|   Signed-off-by: Simon Leiner <simon@leiner.me>
* Fix PHP 8.2 warnings about undeclared properties (Côme Chilliet, 2022-06-21, 1 file, -0/+2)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Remove at matcher uses in tests/lib (Côme Chilliet, 2022-06-16, 1 file, -98/+79)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Use JSON_THROW_ON_ERROR instead of custom error handling (Julius Härtl, 2022-05-30, 1 file, -3/+3)
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Merge pull request #31235 from nextcloud/techdebt/noid/extract-request-id (Joas Schilling, 2022-03-22, 3 files, -165/+171)
|\
| |   Extract request id handling to dedicated class so it can be injected without DB dependency
| * Adjust and add unit tests (Joas Schilling, 2022-02-23, 3 files, -165/+171)
| |   Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Allow to set a strict-dynamic CSP through the API (Julius Härtl, 2022-03-09, 1 file, -0/+17)
| |   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* | Fix tests (Julius Härtl, 2022-02-28, 1 file, -7/+20)
|/
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* send request id in response header (Robin Appelman, 2022-02-01, 2 files, -1/+3)
|   Signed-off-by: Robin Appelman <robin@icewind.nl>
* Check style update (Carl Schwan, 2022-01-13, 1 file, -8/+8)
|   Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Fix DateTime constructor calls with null (Côme Chilliet, 2021-11-23, 2 files, -4/+4)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Escape filename in Content-Disposition (Lukas Reschke, 2021-06-02, 1 file, -11/+25)
|   We should escape all occurrences of ' and \ in here.
|
|   Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Set frame-ancestors to none if none are filled (Roeland Jago Douma, 2020-11-18, 3 files, -59/+59)
|   frame-ancestors doesn't fall back to default-src. So when we apply a very restricted CSP we should make sure to set it to 'none' and not leave it empty.
|
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove deprecated OCSResponse (Roeland Jago Douma, 2020-11-01, 1 file, -64/+0)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Format code to a single space around binary operators (Christoph Wurst, 2020-10-05, 1 file, -5/+5)
|   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix tests (Joas Schilling, 2020-10-02, 1 file, -9/+46)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject (Morris Jobke, 2020-08-12, 1 file, -1/+1)
|   Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Use assertStringContainsString instead of assertContains on strings (Morris Jobke, 2020-07-23, 1 file, -2/+2)
|   Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating (Joas Schilling, 2020-07-02, 1 file, -0/+28)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Fix robots "noindex, nofollow" signals (Joas Schilling, 2020-06-25, 2 files, -2/+4)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Merge pull request #21479 from nextcloud/fix/21474/allow_specifying_cookie_type (blizzz, 2020-06-22, 1 file, -6/+13)
|\
| |   Allow to specify the cookie type for appframework responses
| * Allow to specify the cookie type for appframework responses (Roeland Jago Douma, 2020-06-22, 1 file, -6/+13)
| |   In general it is good to set them to Lax. But also to give devs more control over them is not a bad thing.
| |
| |   Helps with #21474
| |
| |   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* | Fix unit test of the ResponseTest (Roeland Jago Douma, 2020-06-21, 1 file, -3/+3)
|/
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>