Joas Schilling
23b205ed48
Run the license script
2016-07-22 11:40:41 +02:00
Lukas Reschke
c1589f163c
Mitigate race condition
2016-07-20 23:09:27 +02:00
Lukas Reschke
ba4f12baa0
Implement brute force protection
...
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Lukas Reschke
179a355b2c
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
2016-07-01 11:36:35 +02:00
Christoph Wurst
1710de8afb
Login hooks ( #25260 )
...
* fix login hooks
* adjust user session tests
* fix login return value of successful token logins
* trigger preLogin hook earlier; extract method 'loginWithPassword'
* call postLogin hook earlier; add PHPDoc
2016-06-27 22:16:22 +02:00
Lukas Reschke
6670d37658
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
2016-06-27 18:23:00 +02:00
Bjoern Schiessle
2a990a0db5
verify user password on change
2016-06-27 14:08:11 +02:00
Christoph Wurst
89198e62e8
check login name when authenticating with client token
2016-06-24 13:57:09 +02:00
Vincent Petry
3db5de95bd
Merge pull request #25172 from owncloud/token-login-validation
...
Token login validation
2016-06-22 13:58:56 +02:00
Christoph Wurst
b805908dca
update session token password on user password change
2016-06-21 10:24:25 +02:00
Christoph Wurst
56199eba37
fix unit test warning/errors
2016-06-20 10:41:23 +02:00
Christoph Wurst
9d74ff02a4
fix nitpick
2016-06-20 09:13:47 +02:00
Christoph Wurst
1889df5c7c
dont create a session token for clients, validate the app password instead
2016-06-17 15:42:28 +02:00
Christoph Wurst
0c0a216f42
store last check timestamp in token instead of session
2016-06-17 15:42:28 +02:00
Christoph Wurst
c4149c59c2
use token last_activity instead of session value
2016-06-17 15:42:28 +02:00
Christoph Wurst
82b50d126c
add PasswordLoginForbiddenException
2016-06-17 11:02:07 +02:00
Christoph Wurst
465807490d
create session token only for clients that support cookies
2016-06-13 19:44:05 +02:00
Christoph Wurst
331d88bcab
create session token on all APIs
2016-06-13 15:38:34 +02:00
Vincent Petry
6ba18934e6
Merge pull request #25000 from owncloud/fix-email-login-dav
...
Allow login by email address via webdav as well
2016-06-09 16:28:06 +02:00
Thomas Müller
f20c617154
Allow login by email address via webdav as well - fixes #24791
2016-06-09 12:08:49 +02:00
Christoph Wurst
46e26f6b49
catch sessionnotavailable exception if memory session is used
2016-06-08 15:03:15 +02:00
Christoph Wurst
ec929f07f2
When creating a session token, make sure it's the login password and not a device token
2016-06-08 13:31:55 +02:00
Christoph Wurst
c58d8159d7
Create session tokens for apache auth users
2016-05-31 17:07:49 +02:00
Lukas Reschke
aba539703c
Update license headers
2016-05-26 19:57:24 +02:00
Christoph Wurst
a922957f76
add default token auth config on install, upgrade and add it to sample config
2016-05-24 18:02:52 +02:00
Christoph Wurst
28ce7dd262
do not allow client password logins if token auth is enforced or 2FA is enabled
2016-05-24 17:54:02 +02:00
Christoph Wurst
ad10485cec
when generating browser/device token, save the login name for later password checks
2016-05-24 11:49:15 +02:00
Christoph Wurst
4128b853e5
login explicitly
2016-05-24 09:48:02 +02:00
Vincent Petry
5a8af2f0be
Merge pull request #24729 from owncloud/try-token-login-first
...
try token login first
2016-05-23 20:50:57 +02:00
Vincent Petry
4f6670d759
Merge pull request #24658 from owncloud/invalidate-disabled-user-session
...
invalidate user session if the user was disabled
2016-05-23 20:50:25 +02:00
Christoph Wurst
dfb4d426c2
Add two factor auth to core
2016-05-23 11:21:10 +02:00
Christoph Wurst
c20cdc2213
invalidate user session if the user is disabled
2016-05-23 10:32:16 +02:00
Christoph Wurst
11dc97da43
try token login first
2016-05-20 10:52:39 +02:00
Christoph Wurst
f824f3e5f3
don't allow token login for disabled users
2016-05-18 21:10:37 +02:00
Christoph Wurst
98b465a8b9
a single token provider suffices
2016-05-18 09:20:48 +02:00
Christoph Wurst
0486d750aa
use the UID for creating the session token, not the login name
2016-05-11 13:36:46 +02:00
Christoph Wurst
69dafd727d
delete the token in case an exception is thrown when decrypting the password
2016-05-11 13:36:46 +02:00
Christoph Wurst
46bdf6ea2b
fix PHPDoc and other minor issues
2016-05-11 13:36:46 +02:00
Christoph Wurst
a9b500c03b
catch possible SessionNotAvailableExceptions
2016-05-11 13:36:46 +02:00
Christoph Wurst
f0f8bdd495
PHPDoc and other minor fixes
2016-05-11 13:36:46 +02:00
Christoph Wurst
699289cd26
pass in $request on OCS api
2016-05-11 13:36:46 +02:00
Christoph Wurst
168ccf90a6
try apache auth too
2016-05-11 13:36:46 +02:00
Christoph Wurst
8cc5f6036f
Fix existing tests
2016-05-11 13:36:46 +02:00
Christoph Wurst
7aa16e1559
fix setup
2016-05-11 13:36:46 +02:00
Christoph Wurst
7e7d5a2ef2
Add fallback to allow user:token basic auth
2016-05-11 13:36:46 +02:00
Christoph Wurst
fdc2cd7554
Add token auth for OCS APIs
2016-05-11 13:36:46 +02:00
Christoph Wurst
8d48502187
Add index on 'last_activity'
...
add token type column and delete only temporary tokens in the background job
debounce token updates; fix wrong class import
2016-05-11 13:36:46 +02:00
Christoph Wurst
53636c73d6
Add controller to generate client tokens
2016-05-11 13:36:46 +02:00
Christoph Wurst
3ab922601a
Check if session token is valid and log user out if the check fails
...
* Update last_activity timestamp of the session token
* Check user backend credentials once in 5 minutes
2016-05-11 13:36:46 +02:00
Christoph Wurst
2fa5e0a24e
invalidate (delete) session token on logout
...
add 'last_activity' column to session tokens and delete old ones via a background job
2016-05-11 13:36:46 +02:00