Lukas Reschke
ba4f12baa0
Implement brute force protection
...
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Roeland Jago Douma
f2d091a963
Fix failing tests after db split
2016-07-13 09:26:19 +02:00
Lukas Reschke
179a355b2c
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
2016-07-01 11:36:35 +02:00
Christoph Wurst
1710de8afb
Login hooks ( #25260 )
...
* fix login hooks
* adjust user session tests
* fix login return value of successful token logins
* trigger preLogin hook earlier; extract method 'loginWithPassword'
* call postLogin hook earlier; add PHPDoc
2016-06-27 22:16:22 +02:00
Lukas Reschke
6670d37658
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
2016-06-27 18:23:00 +02:00
Bjoern Schiessle
2a990a0db5
verify user password on change
2016-06-27 14:08:11 +02:00
Christoph Wurst
89198e62e8
check login name when authenticating with client token
2016-06-24 13:57:09 +02:00
Vincent Petry
3db5de95bd
Merge pull request #25172 from owncloud/token-login-validation
...
Token login validation
2016-06-22 13:58:56 +02:00
Christoph Wurst
b805908dca
update session token password on user password change
2016-06-21 10:24:25 +02:00
Christoph Wurst
56199eba37
fix unit test warning/errors
2016-06-20 10:41:23 +02:00
Christoph Wurst
8ef5431e7a
fix user session tests
2016-06-20 09:10:11 +02:00
Christoph Wurst
82b50d126c
add PasswordLoginForbiddenException
2016-06-17 11:02:07 +02:00
Christoph Wurst
465807490d
create session token only for clients that support cookies
2016-06-13 19:44:05 +02:00
Christoph Wurst
ec929f07f2
When creating a session token, make sure it's the login password and not a device token
2016-06-08 13:31:55 +02:00
Christoph Wurst
c58d8159d7
Create session tokens for apache auth users
2016-05-31 17:07:49 +02:00
Christoph Wurst
28ce7dd262
do not allow client password logins if token auth is enforced or 2FA is enabled
2016-05-24 17:54:02 +02:00
Christoph Wurst
ad10485cec
when generating browser/device token, save the login name for later password checks
2016-05-24 11:49:15 +02:00
Christoph Wurst
c20cdc2213
invalidate user session if the user is disabled
2016-05-23 10:32:16 +02:00
Joas Schilling
94ad54ec9b
Move tests/ to PSR-4 ( #24731 )
...
* Move a-b to PSR-4
* Move c-d to PSR-4
* Move e+g to PSR-4
* Move h-l to PSR-4
* Move m-r to PSR-4
* Move s-u to PSR-4
* Move files/ to PSR-4
* Move remaining tests to PSR-4
* Remove Test\ from old autoloader
2016-05-20 15:38:20 +02:00