path: root/tests/lib/AppFramework/Middleware/Security

Commit log (each entry: commit message; author, date, files changed, lines removed/added; commit body and sign-offs):
* fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlist  [branch: bugfix/noid/allow-ratelimit-bypass]
  Joas Schilling, 2025-01-27, 1 file, -1/+9
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* test(PasswordConfirmationMiddleware): Fix constructor call
  Louis Chemineau, 2024-11-28, 1 file, -5/+14
  Signed-off-by: Louis Chemineau <louis@chmn.me>

* refactor: Add void return type to PHPUnit test methods
  Christoph Wurst, 2024-09-15, 6 files, -25/+25
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* chore: Remove unused `CsrfTokenManager` from `CSPMiddleware`
  Ferdinand Thiessen, 2024-08-31, 1 file, -5/+0
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* perf: delay getting (sub)admin status for user in the security middleware until we need it
  Robin Appelman, 2024-08-23, 1 file, -2/+15
  Signed-off-by: Robin Appelman <robin@icewind.nl>

* feat: Provide CSP nonce as `<meta>` element
  Ferdinand Thiessen, 2024-08-13, 1 file, -1/+0
  This way we use the CSP nonce for dynamically loaded scripts. Important to note: the CSP nonce must NOT be injected in `content`, as this can lead to value exfiltration using e.g. side-channel attacks (CSS selectors).
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* test: Adjust tests for CSP nonce
  Ferdinand Thiessen, 2024-08-13, 1 file, -12/+8
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(security): Add public API to allow validating IP Ranges and checking for "in range"
  Joas Schilling, 2024-07-19, 1 file, -2/+2
  Signed-off-by: Joas Schilling <coding@schilljs.com>
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* feat(security): restrict admin actions to IP ranges
  Benjamin Gaussorgues, 2024-07-19, 1 file, -1/+5
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* feat(Security): Warn about using annotations instead of attributes
  provokateurin, 2024-07-18, 2 files, -12/+19
  Signed-off-by: provokateurin <kate@provokateurin.de>

* feat(AppFramework): Add ExAppRequired attribute
  provokateurin, 2024-07-01, 2 files, -1/+58
  Signed-off-by: provokateurin <kate@provokateurin.de>

* refactor(Token): introduce scope constants
  Arthur Schiwon, 2024-06-05, 1 file, -1/+1
  Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* fix(Session): avoid password confirmation on SSO
  Arthur Schiwon, 2024-06-05, 2 files, -1/+63
  SSO backends like SAML and OIDC tried a trick to suppress password confirmations, as they are not possible by design. At least for SAML it was not reliable when existing user backends were used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated.
  Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* chore: Add SPDX header
  Andy Scherzinger, 2024-05-13, 13 files, -230/+28
  Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>

* fix: add check for app_api_system session flag to bypass rate limit
  Florian Klinger, 2024-03-18, 1 file, -1/+5
  Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com>
  Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>

* techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25
  Joas Schilling, 2023-08-28, 2 files, -7/+8
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(middleware): Also abort the request when reaching max delay in afterController
  Joas Schilling, 2023-05-15, 1 file, -7/+7
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(security): Add PHP \Attribute for remaining security annotations
  Joas Schilling, 2023-04-25, 8 files, -250/+801
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(ratelimit): Add Attributes support to rate limit middleware
  Joas Schilling, 2023-04-24, 1 file, -103/+170
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* Add a debug message when throttling without defining
  Joas Schilling, 2023-03-08, 1 file, -6/+33
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple
  Joas Schilling, 2023-03-08, 1 file, -61/+168
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors
  Ferdinand Thiessen, 2023-02-16, 1 file, -1/+35
  Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>

* composer run cs:fix
  Côme Chilliet, 2023-01-20, 5 files, -5/+0
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Merge pull request #32587 from nextcloud/bugfix/noid/improve-jsconfighelper
  Joas Schilling, 2022-05-31, 1 file, -72/+52
  Improve JSConfigHelper code quality a bit

  * Restore old behaviour of sending false for not found apps  (merged via #32587)
    Joas Schilling, 2022-05-30, 1 file, -72/+52
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Update core to PHP 7.4 standard
  Carl Schwan, 2022-05-20, 1 file, -2/+1
  - Typed properties
  - Port to LoggerInterface
  Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Fix tests
  Joas Schilling, 2022-02-23, 2 files, -16/+16
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* Check style update
  Carl Schwan, 2022-01-13, 2 files, -12/+12
  Signed-off-by: Carl Schwan <carl@carlschwan.eu>

* Add admin privilege delegation for admin settings
  Carl Schwan, 2021-09-29, 1 file, -1/+11
  This makes it possible for selected groups to access some settings pages.
  Signed-off-by: Carl Schwan <carl@carlschwan.eu>

* Fix warnings about logException
  Joas Schilling, 2021-06-04, 1 file, -2/+2
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* Merge pull request #26591 from nextcloud/techdebt/noid/less-ilogger
  Christoph Wurst, 2021-04-27, 1 file, -3/+3
  Less ILogger

  * Fix unit tests  (merged via #26591)
    Joas Schilling, 2021-04-27, 1 file, -3/+3
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Fix ratelimit template
  Joas Schilling, 2021-04-27, 1 file, -11/+9
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* Format code to a single space around binary operators
  Christoph Wurst, 2020-10-05, 2 files, -2/+2
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* More test fixing
  Joas Schilling, 2020-08-19, 1 file, -2/+2
  Signed-off-by: Joas Schilling <coding@schilljs.com>

* Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject
  Morris Jobke, 2020-08-12, 6 files, -40/+40
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Update SecurityMiddleware.php
  Holger Hees, 2020-07-06, 1 file, -1/+1
  OC::$WEBROOT can be empty if your Nextcloud installation has no URL prefix. This will result in an empty Location header. In other areas OC::$WEBROOT is always used together with a /.

* Format control structures, classes, methods and function
  Christoph Wurst, 2020-04-10, 2 files, -4/+2
  To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is practically standard for our code. This also removes empty lines from method/function bodies at the beginning and end.
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Unify function spacing to PSR2 recommendation
  Christoph Wurst, 2020-04-09, 1 file, -16/+16
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Use a blank line after the opening tag
  Christoph Wurst, 2020-04-09, 2 files, -0/+2
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Merge pull request #20170 from nextcloud/techdebt/remove-unused-imports
  Christoph Wurst, 2020-03-27, 3 files, -11/+0
  Remove unused imports

  * Remove unused imports  (merged via #20170)
    Christoph Wurst, 2020-03-25, 3 files, -11/+0
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Use the shorter phpunit syntax for mocked return values
  Christoph Wurst, 2020-03-25, 2 files, -16/+16
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Move to modern phpunit
  Roeland Jago Douma, 2019-11-27, 5 files, -17/+23
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

* Make phpunit8 compatible
  Roeland Jago Douma, 2019-11-27, 8 files, -8/+8
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

* Some php-cs fixes
  Roeland Jago Douma, 2019-11-22, 4 files, -3/+4
  * Order the imports
  * No leading slash on imports
  * Empty line before namespace
  * One line per import
  * Empty line after imports
  * Empty line at bottom of file
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

* Add tests
  Roeland Jago Douma, 2019-08-10, 1 file, -0/+89
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

* Split up security middleware
  Roeland Jago Douma, 2019-07-27, 2 files, -97/+149
  With the upcoming work for the feature policy header, splitting this into smaller classes that just do 1 thing makes sense. I would rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones.
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

* Make it possible to show admin settings for sub admins
  Christoph Wurst, 2019-05-23, 1 file, -16/+47
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Do not use file as template parameter
  Roeland Jago Douma, 2018-08-09, 1 file, -1/+1
  Using file will overwrite the $file parameter in the template base, leading to an attempt to include a file whose name is the exception message, which will of course fail.
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>