Commit graph

63 commits

Author SHA1 Message Date
Thomas Müller
82e8762c84
Fix issues where some user settings cannot be loaded when the user id differs in case sensitivity - fixes #25684 (#25686) 2016-08-29 14:33:16 +02:00
Roeland Jago Douma
6c360ad79f
Add PHPdoc 2016-08-15 11:14:28 +02:00
Jörn Friedrich Dreyer
291b3fd8b4
missing PHPDoc 2016-08-14 19:37:52 +02:00
Jörn Friedrich Dreyer
da5633c31a
Type compatability 2016-08-14 19:37:37 +02:00
Jörn Friedrich Dreyer
3593668413
Method is deprecated 2016-08-14 19:37:11 +02:00
Jörn Friedrich Dreyer
5aef60d2ca
Unreachable statement 2016-08-14 19:36:42 +02:00
Jörn Friedrich Dreyer
d2a16c4dc8
Unnecessary fully qualified names 2016-08-14 19:36:06 +02:00
michag86
5fb39bd0cb Apply password policy on user creation 2016-08-03 11:52:15 +02:00
Joas Schilling
0215b004da
Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling
ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke
c1589f163c
Mitigate race condition 2016-07-20 23:09:27 +02:00
Lukas Reschke
ba4f12baa0
Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Lukas Reschke
179a355b2c Merge remote-tracking branch 'upstream/master' into master-sync-upstream 2016-07-01 11:36:35 +02:00
Christoph Wurst
1710de8afb Login hooks (#25260)
* fix login hooks

* adjust user session tests

* fix login return value of successful token logins

* trigger preLogin hook earlier; extract method 'loginWithPassword'

* call postLogin hook earlier; add PHPDoc
2016-06-27 22:16:22 +02:00
Lukas Reschke
6670d37658 Merge remote-tracking branch 'upstream/master' into master-sync-upstream 2016-06-27 18:23:00 +02:00
Bjoern Schiessle
2a990a0db5
verify user password on change 2016-06-27 14:08:11 +02:00
Christoph Wurst
89198e62e8 check login name when authenticating with client token 2016-06-24 13:57:09 +02:00
Vincent Petry
3db5de95bd Merge pull request #25172 from owncloud/token-login-validation
Token login validation
2016-06-22 13:58:56 +02:00
Christoph Wurst
b805908dca
update session token password on user password change 2016-06-21 10:24:25 +02:00
Christoph Wurst
56199eba37
fix unit test warning/errors 2016-06-20 10:41:23 +02:00
Christoph Wurst
9d74ff02a4
fix nitpick 2016-06-20 09:13:47 +02:00
Christoph Wurst
1889df5c7c
dont create a session token for clients, validate the app password instead 2016-06-17 15:42:28 +02:00
Christoph Wurst
0c0a216f42
store last check timestamp in token instead of session 2016-06-17 15:42:28 +02:00
Christoph Wurst
c4149c59c2
use token last_activity instead of session value 2016-06-17 15:42:28 +02:00
Christoph Wurst
82b50d126c
add PasswordLoginForbiddenException 2016-06-17 11:02:07 +02:00
Christoph Wurst
465807490d
create session token only for clients that support cookies 2016-06-13 19:44:05 +02:00
Christoph Wurst
331d88bcab
create session token on all APIs 2016-06-13 15:38:34 +02:00
Vincent Petry
6ba18934e6 Merge pull request #25000 from owncloud/fix-email-login-dav
Allow login by email address via webdav as well
2016-06-09 16:28:06 +02:00
Thomas Müller
f20c617154
Allow login by email address via webdav as well - fixes #24791 2016-06-09 12:08:49 +02:00
Christoph Wurst
46e26f6b49
catch sessionnotavailable exception if memory session is used 2016-06-08 15:03:15 +02:00
Christoph Wurst
ec929f07f2
When creating a session token, make sure it's the login password and not a device token 2016-06-08 13:31:55 +02:00
Christoph Wurst
c58d8159d7
Create session tokens for apache auth users 2016-05-31 17:07:49 +02:00
Lukas Reschke
aba539703c
Update license headers 2016-05-26 19:57:24 +02:00
Christoph Wurst
a922957f76
add default token auth config on install, upgrade and add it to sample config 2016-05-24 18:02:52 +02:00
Christoph Wurst
28ce7dd262
do not allow client password logins if token auth is enforced or 2FA is enabled 2016-05-24 17:54:02 +02:00
Christoph Wurst
ad10485cec
when generating browser/device token, save the login name for later password checks 2016-05-24 11:49:15 +02:00
Christoph Wurst
4128b853e5
login explicitly 2016-05-24 09:48:02 +02:00
Vincent Petry
5a8af2f0be Merge pull request #24729 from owncloud/try-token-login-first
try token login first
2016-05-23 20:50:57 +02:00
Vincent Petry
4f6670d759 Merge pull request #24658 from owncloud/invalidate-disabled-user-session
invalidate user session if the user was disabled
2016-05-23 20:50:25 +02:00
Christoph Wurst
dfb4d426c2
Add two factor auth to core 2016-05-23 11:21:10 +02:00
Christoph Wurst
c20cdc2213
invalidate user session if the user is disabled 2016-05-23 10:32:16 +02:00
Christoph Wurst
11dc97da43
try token login first 2016-05-20 10:52:39 +02:00
Christoph Wurst
f824f3e5f3
don't allow token login for disabled users 2016-05-18 21:10:37 +02:00
Christoph Wurst
98b465a8b9
a single token provider suffices 2016-05-18 09:20:48 +02:00
Christoph Wurst
0486d750aa
use the UID for creating the session token, not the login name 2016-05-11 13:36:46 +02:00
Christoph Wurst
69dafd727d
delete the token in case an exception is thrown when decrypting the password 2016-05-11 13:36:46 +02:00
Christoph Wurst
46bdf6ea2b
fix PHPDoc and other minor issues 2016-05-11 13:36:46 +02:00
Christoph Wurst
a9b500c03b
catch possible SessionNotAvailableExceptions 2016-05-11 13:36:46 +02:00
Christoph Wurst
f0f8bdd495
PHPDoc and other minor fixes 2016-05-11 13:36:46 +02:00
Christoph Wurst
699289cd26
pass in $request on OCS api 2016-05-11 13:36:46 +02:00