085891a15d
Escape like parameters in database user backend
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-15 22:46:40 +01:00
a5ba1f7803
Remove legacy class OC_Group and OC_User
...
* basically a straight replacement of the wrapped code at the calling code parts
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-09 17:35:09 -06:00
19fc68cbdc
Merge pull request #2606 from temparus/master
...
Add preLoginValidation hook
2017-02-15 21:47:47 +01:00
dfaaebd765
Merge pull request #3417 from nextcloud/push-notification
...
Push notification
2017-02-10 16:00:47 -06:00
7c47f822a1
Save the used token id in the session so it can be used later on
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-09 15:02:59 +01:00
fa49c4a13b
Add a single public api for resolving a cloud id to a user and remote and back
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-02-08 15:17:02 +01:00
9b6f99ab08
Update license header
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 01:25:39 +01:00
fa1d607bfa
Merge remote-tracking branch 'nextcloud/master'
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 00:15:30 +01:00
6feff0ceba
Add check if UserManager is of type PublicEmitter before calling preLogin hook
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:50 +01:00
e30d28f7eb
Change where preLogin hook gets called
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:42 +01:00
a4ad8af6e3
Add proper default value for datadir
...
* better safe than sorry
* fixes #3091
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-01-19 19:49:41 -06:00
cdf01feba7
add action to existing brute force protection
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
8ab16f87ac
spaces added
2017-01-10 16:44:14 +03:00
5c77923360
allowed '0' uid
2017-01-10 16:39:10 +03:00
b0ff59d42f
remove non required db requests
2017-01-10 13:09:33 +03:00
135198bf0d
Default value for null user
...
For guest users on every request executes query:
SELECT `uid`, `displayname` FROM `users` WHERE LOWER(`uid`) = LOWER(null)
as I see, uid can't be equal to null by design.
2017-01-09 23:34:23 +03:00
5aa388bbe2
Make sure the loginname is set when logging in via cookie
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-01-05 12:17:30 +01:00
91cd57e55b
Get user home folder before deletion
...
After the deletion getHome() will fail because the user doesn't exist
any more, so we need to fetch that value earlier.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-12-23 12:42:31 +01:00
e368a745aa
Set last-login-check on basic auth
...
Else the last-login-check fails hard because the session value is not
set and thus defaults to 0.
* Started with tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-12-05 20:57:15 +01:00
9b808c4014
do not remember session tokens by default
...
We have to respect the value of the remember-me checkbox. Due to an error
in the source code the default value for the session token was to remember
it.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-27 14:03:28 +01:00
0e88b519d1
fix warning with token login
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 16:33:56 +01:00
2389e0f250
read lockdown scope from token
...
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:27 +01:00
b56f2c9ed0
basic lockdown logic
...
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:23 +01:00
f07d75a4dd
@since 9.2.0 to @since 11.0.0
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
506ccdbd8d
Introduce an event for first time login based on the last login time stamp
...
Use firstLogin event to trigger creation of default calendar and default address book
Delay login of admin user after setup so that firstLogin event can properly be processed for the admin
Fixing tests ...
Skeleton files are not copied over -> only 3 cache entries are remaining
Use updateLastLoginTimestamp to properly setup lastLogin value for a test user
2016-11-14 14:50:10 +01:00
6f86e468d4
inject ISecureRandom into user session and use injected config too
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
d907666232
bring back remember-me
...
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
f722640a32
Proper DI of config
...
* Fixed comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-28 10:13:35 +02:00
f8352fcb8d
introduce callForSeenUsers and countSeenUsers ( #26361 )
...
* introduce callForSeenUsers and countSeenUsers
* add tests
* oracle should support not null on clob
* since 9.2.0
2016-10-28 08:44:05 +02:00
6d1e858aa4
Fix logClientIn for non-existing users ( #26292 )
...
The check for two factor enforcement would return true for non-existing
users. This fix makes it return false in order to be able to perform
the regular login which will then fail and return false.
This prevents throwing PasswordLoginForbidden for non-existing users.
2016-10-25 09:34:27 +02:00
25ed6714c7
dont update the auth token twice
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-10-11 11:05:25 +02:00
1273d82e8b
Cache non existing DB user
...
We always query the database backend. Even if we use a different one
(ldap for example). Now we do this everytime we try to get a user object
so caching that a user is not in the DB safes some queries on each
request then (at least 2 what I found).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-10 09:30:36 +02:00
4d1acfd4ef
Only trigger postDelete hooks when the user was deleted...
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-09-29 15:40:53 +02:00
5b7b8f8dac
Remove notifications upon user deletion
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-09-29 15:40:52 +02:00
57f9117843
Merge pull request #1087 from nextcloud/get-delay-twice
...
dont get bruteforce delay twice
2016-08-30 18:43:01 +02:00
82e8762c84
Fix issues where some user settings cannot be loaded when the user id differs in case sensitivity - fixes #25684 ( #25686 )
2016-08-29 14:33:16 +02:00
6c93fe08f5
dont get bruteforce delay twice
2016-08-29 13:36:49 +02:00
6c360ad79f
Add PHPdoc
2016-08-15 11:14:28 +02:00
291b3fd8b4
missing PHPDoc
2016-08-14 19:37:52 +02:00
da5633c31a
Type compatability
2016-08-14 19:37:37 +02:00
3593668413
Method is deprecated
2016-08-14 19:37:11 +02:00
5aef60d2ca
Unreachable statement
2016-08-14 19:36:42 +02:00
d2a16c4dc8
Unnecessary fully qualified names
2016-08-14 19:36:06 +02:00
5fb39bd0cb
Apply password policy on user creation
2016-08-03 11:52:15 +02:00
0215b004da
Update with robin
2016-07-21 18:13:58 +02:00
ba87db3fcc
Fix others
2016-07-21 18:13:57 +02:00
c1589f163c
Mitigate race condition
2016-07-20 23:09:27 +02:00
ba4f12baa0
Implement brute force protection
...
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
179a355b2c
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
2016-07-01 11:36:35 +02:00
1710de8afb
Login hooks ( #25260 )
...
* fix login hooks
* adjust user session tests
* fix login return value of successful token logins
* trigger preLogin hook earlier; extract method 'loginWithPassword'
* call postLogin hook earlier; add PHPDoc
2016-06-27 22:16:22 +02:00
6670d37658
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
2016-06-27 18:23:00 +02:00
2a990a0db5
verify user password on change
2016-06-27 14:08:11 +02:00
89198e62e8
check login name when authenticating with client token
2016-06-24 13:57:09 +02:00
3db5de95bd
Merge pull request #25172 from owncloud/token-login-validation
...
Token login validation
2016-06-22 13:58:56 +02:00
b805908dca
update session token password on user password change
2016-06-21 10:24:25 +02:00
56199eba37
fix unit test warning/errors
2016-06-20 10:41:23 +02:00
9d74ff02a4
fix nitpick
2016-06-20 09:13:47 +02:00
1889df5c7c
dont create a session token for clients, validate the app password instead
2016-06-17 15:42:28 +02:00
0c0a216f42
store last check timestamp in token instead of session
2016-06-17 15:42:28 +02:00
c4149c59c2
use token last_activity instead of session value
2016-06-17 15:42:28 +02:00
82b50d126c
add PasswordLoginForbiddenException
2016-06-17 11:02:07 +02:00
465807490d
create session token only for clients that support cookies
2016-06-13 19:44:05 +02:00
331d88bcab
create session token on all APIs
2016-06-13 15:38:34 +02:00
6ba18934e6
Merge pull request #25000 from owncloud/fix-email-login-dav
...
Allow login by email address via webdav as well
2016-06-09 16:28:06 +02:00
f20c617154
Allow login by email address via webdav as well - fixes #24791
2016-06-09 12:08:49 +02:00
46e26f6b49
catch sessionnotavailable exception if memory session is used
2016-06-08 15:03:15 +02:00
ec929f07f2
When creating a session token, make sure it's the login password and not a device token
2016-06-08 13:31:55 +02:00
c58d8159d7
Create session tokens for apache auth users
2016-05-31 17:07:49 +02:00
aba539703c
Update license headers
2016-05-26 19:57:24 +02:00
a922957f76
add default token auth config on install, upgrade and add it to sample config
2016-05-24 18:02:52 +02:00
28ce7dd262
do not allow client password logins if token auth is enforced or 2FA is enabled
2016-05-24 17:54:02 +02:00
ad10485cec
when generating browser/device token, save the login name for later password checks
2016-05-24 11:49:15 +02:00
4128b853e5
login explicitly
2016-05-24 09:48:02 +02:00
5a8af2f0be
Merge pull request #24729 from owncloud/try-token-login-first
...
try token login first
2016-05-23 20:50:57 +02:00
4f6670d759
Merge pull request #24658 from owncloud/invalidate-disabled-user-session
...
invalidate user session if the user was disabled
2016-05-23 20:50:25 +02:00
dfb4d426c2
Add two factor auth to core
2016-05-23 11:21:10 +02:00
c20cdc2213
invalidate user session if the user is disabled
2016-05-23 10:32:16 +02:00
11dc97da43
try token login first
2016-05-20 10:52:39 +02:00
f824f3e5f3
don't allow token login for disabled users
2016-05-18 21:10:37 +02:00
98b465a8b9
a single token provider suffices
2016-05-18 09:20:48 +02:00
0486d750aa
use the UID for creating the session token, not the login name
2016-05-11 13:36:46 +02:00
69dafd727d
delete the token in case an exception is thrown when decrypting the password
2016-05-11 13:36:46 +02:00
46bdf6ea2b
fix PHPDoc and other minor issues
2016-05-11 13:36:46 +02:00
a9b500c03b
catch possible SessionNotAvailableExceptions
2016-05-11 13:36:46 +02:00
f0f8bdd495
PHPDoc and other minor fixes
2016-05-11 13:36:46 +02:00
699289cd26
pass in $request on OCS api
2016-05-11 13:36:46 +02:00
168ccf90a6
try apache auth too
2016-05-11 13:36:46 +02:00
8cc5f6036f
Fix existing tests
2016-05-11 13:36:46 +02:00
7aa16e1559
fix setup
2016-05-11 13:36:46 +02:00
7e7d5a2ef2
Add fallback to allow user:token basic auth
2016-05-11 13:36:46 +02:00
fdc2cd7554
Add token auth for OCS APIs
2016-05-11 13:36:46 +02:00
8d48502187
Add index on 'last_activity'
...
add token type column and delete only temporary tokens in the background job
debounce token updates; fix wrong class import
2016-05-11 13:36:46 +02:00
53636c73d6
Add controller to generate client tokens
2016-05-11 13:36:46 +02:00
3ab922601a
Check if session token is valid and log user out if the check fails
...
* Update last_activity timestamp of the session token
* Check user backend credentials once in 5 minutes
2016-05-11 13:36:46 +02:00
2fa5e0a24e
invalidate (delete) session token on logout
...
add 'last_activity' column to session tokens and delete old ones via a background job
2016-05-11 13:36:46 +02:00
d8cde414bd
token based auth
...
* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if a auth token exists
* create new token for the browser session if none exists
hash stored token; save user agent
* encrypt login password when creating the token
2016-05-11 13:36:46 +02:00
f6ee738ba8
Add \OC\User\Backend
...
Since some apps (ldap et al) still depend on OC_User_Backend this seemed
like the cleanest approach.
2016-05-10 19:53:36 +02:00
9e1d9871a8
Move OC_User_Database to \OC\User\Database
2016-05-10 19:53:36 +02:00
9504500e5f
Move \OC\User to PSR-4
2016-05-10 19:53:36 +02:00
Lukas Reschke
Morris Jobke
blizzz
Joas Schilling
Robin Appelman
Sandro Lutz
Bjoern Schiessle
Loki3000
Vincent Petry
Roeland Jago Douma
Christoph Wurst
Robin Appelman
Thomas Müller
Jörn Friedrich Dreyer
Thomas Müller
michag86
Lukas Reschke
Christoph Wurst
Christoph Wurst
Roeland Jago Douma