Commit Graph

120 Commits

Author SHA1 Message Date
Sandro Lutz 9b6f99ab08 Update license header
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 01:25:39 +01:00
Sandro Lutz fa1d607bfa Merge remote-tracking branch 'nextcloud/master'
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 00:15:30 +01:00
Sandro Lutz 6feff0ceba Add check if UserManager is of type PublicEmitter before calling preLogin hook
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:50 +01:00
Sandro Lutz e30d28f7eb Change where preLogin hook gets called
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:42 +01:00
Bjoern Schiessle cdf01feba7
add action to existing brute force protection
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Joas Schilling 5aa388bbe2
Make sure the loginname is set when logging in via cookie
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-01-05 12:17:30 +01:00
Roeland Jago Douma e368a745aa
Set last-login-check on basic auth
Else the last-login-check fails hard because the session value is not
set and thus defaults to 0.

* Started with tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-12-05 20:57:15 +01:00
Christoph Wurst 9b808c4014 do not remember session tokens by default
We have to respect the value of the remember-me checkbox. Due to an error
in the source code the default value for the session token was to remember
it.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-27 14:03:28 +01:00
Robin Appelman 0e88b519d1
fix warning with token login
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 16:33:56 +01:00
Robin Appelman 2389e0f250
read lockdown scope from token
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:27 +01:00
Robin Appelman b56f2c9ed0
basic lockdown logic
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:23 +01:00
Thomas Müller 506ccdbd8d
Introduce an event for first time login based on the last login time stamp
Use firstLogin event to trigger creation of default calendar and default address book

Delay login of admin user after setup so that firstLogin event can properly be processed for the admin

Fixing tests ...

Skeleton files are not copied over -> only 3 cache entries are remaining

Use updateLastLoginTimestamp to properly setup lastLogin value for a test user
2016-11-14 14:50:10 +01:00
Christoph Wurst 6f86e468d4
inject ISecureRandom into user session and use injected config too
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Christoph Wurst d907666232
bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Vincent Petry 6d1e858aa4
Fix logClientIn for non-existing users (#26292)
The check for two factor enforcement would return true for non-existing
users. This fix makes it return false in order to be able to perform
the regular login which will then fail and return false.

This prevents throwing PasswordLoginForbidden for non-existing users.
2016-10-25 09:34:27 +02:00
Robin Appelman 25ed6714c7
dont update the auth token twice
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-10-11 11:05:25 +02:00
Robin Appelman 6c93fe08f5 dont get bruteforce delay twice 2016-08-29 13:36:49 +02:00
Jörn Friedrich Dreyer 291b3fd8b4
missing PHPDoc 2016-08-14 19:37:52 +02:00
Jörn Friedrich Dreyer da5633c31a
Type compatability 2016-08-14 19:37:37 +02:00
Jörn Friedrich Dreyer 5aef60d2ca
Unreachable statement 2016-08-14 19:36:42 +02:00
Joas Schilling 0215b004da
Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke c1589f163c
Mitigate race condition 2016-07-20 23:09:27 +02:00
Lukas Reschke ba4f12baa0
Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Christoph Wurst 1710de8afb Login hooks (#25260)
* fix login hooks

* adjust user session tests

* fix login return value of successful token logins

* trigger preLogin hook earlier; extract method 'loginWithPassword'

* call postLogin hook earlier; add PHPDoc
2016-06-27 22:16:22 +02:00
Christoph Wurst 89198e62e8 check login name when authenticating with client token 2016-06-24 13:57:09 +02:00
Vincent Petry 3db5de95bd Merge pull request #25172 from owncloud/token-login-validation
Token login validation
2016-06-22 13:58:56 +02:00
Christoph Wurst b805908dca
update session token password on user password change 2016-06-21 10:24:25 +02:00
Christoph Wurst 56199eba37
fix unit test warning/errors 2016-06-20 10:41:23 +02:00
Christoph Wurst 9d74ff02a4
fix nitpick 2016-06-20 09:13:47 +02:00
Christoph Wurst 1889df5c7c
dont create a session token for clients, validate the app password instead 2016-06-17 15:42:28 +02:00
Christoph Wurst 0c0a216f42
store last check timestamp in token instead of session 2016-06-17 15:42:28 +02:00
Christoph Wurst c4149c59c2
use token last_activity instead of session value 2016-06-17 15:42:28 +02:00
Christoph Wurst 82b50d126c
add PasswordLoginForbiddenException 2016-06-17 11:02:07 +02:00
Christoph Wurst 465807490d
create session token only for clients that support cookies 2016-06-13 19:44:05 +02:00
Christoph Wurst 331d88bcab
create session token on all APIs 2016-06-13 15:38:34 +02:00
Vincent Petry 6ba18934e6 Merge pull request #25000 from owncloud/fix-email-login-dav
Allow login by email address via webdav as well
2016-06-09 16:28:06 +02:00
Thomas Müller f20c617154
Allow login by email address via webdav as well - fixes #24791 2016-06-09 12:08:49 +02:00
Christoph Wurst 46e26f6b49
catch sessionnotavailable exception if memory session is used 2016-06-08 15:03:15 +02:00
Christoph Wurst ec929f07f2
When creating a session token, make sure it's the login password and not a device token 2016-06-08 13:31:55 +02:00
Christoph Wurst c58d8159d7
Create session tokens for apache auth users 2016-05-31 17:07:49 +02:00
Lukas Reschke aba539703c
Update license headers 2016-05-26 19:57:24 +02:00
Christoph Wurst a922957f76
add default token auth config on install, upgrade and add it to sample config 2016-05-24 18:02:52 +02:00
Christoph Wurst 28ce7dd262
do not allow client password logins if token auth is enforced or 2FA is enabled 2016-05-24 17:54:02 +02:00
Christoph Wurst ad10485cec
when generating browser/device token, save the login name for later password checks 2016-05-24 11:49:15 +02:00
Christoph Wurst 4128b853e5
login explicitly 2016-05-24 09:48:02 +02:00
Vincent Petry 5a8af2f0be Merge pull request #24729 from owncloud/try-token-login-first
try token login first
2016-05-23 20:50:57 +02:00
Vincent Petry 4f6670d759 Merge pull request #24658 from owncloud/invalidate-disabled-user-session
invalidate user session if the user was disabled
2016-05-23 20:50:25 +02:00
Christoph Wurst dfb4d426c2
Add two factor auth to core 2016-05-23 11:21:10 +02:00
Christoph Wurst c20cdc2213
invalidate user session if the user is disabled 2016-05-23 10:32:16 +02:00
Christoph Wurst 11dc97da43
try token login first 2016-05-20 10:52:39 +02:00
Christoph Wurst f824f3e5f3
don't allow token login for disabled users 2016-05-18 21:10:37 +02:00
Christoph Wurst 98b465a8b9
a single token provider suffices 2016-05-18 09:20:48 +02:00
Christoph Wurst 0486d750aa
use the UID for creating the session token, not the login name 2016-05-11 13:36:46 +02:00
Christoph Wurst 69dafd727d
delete the token in case an exception is thrown when decrypting the password 2016-05-11 13:36:46 +02:00
Christoph Wurst 46bdf6ea2b
fix PHPDoc and other minor issues 2016-05-11 13:36:46 +02:00
Christoph Wurst a9b500c03b
catch possible SessionNotAvailableExceptions 2016-05-11 13:36:46 +02:00
Christoph Wurst f0f8bdd495
PHPDoc and other minor fixes 2016-05-11 13:36:46 +02:00
Christoph Wurst 699289cd26
pass in $request on OCS api 2016-05-11 13:36:46 +02:00
Christoph Wurst 168ccf90a6
try apache auth too 2016-05-11 13:36:46 +02:00
Christoph Wurst 8cc5f6036f
Fix existing tests 2016-05-11 13:36:46 +02:00
Christoph Wurst 7aa16e1559
fix setup 2016-05-11 13:36:46 +02:00
Christoph Wurst 7e7d5a2ef2
Add fallback to allow user:token basic auth 2016-05-11 13:36:46 +02:00
Christoph Wurst fdc2cd7554
Add token auth for OCS APIs 2016-05-11 13:36:46 +02:00
Christoph Wurst 8d48502187
Add index on 'last_activity'
add token type column and delete only temporary tokens in the background job

debounce token updates; fix wrong class import
2016-05-11 13:36:46 +02:00
Christoph Wurst 53636c73d6
Add controller to generate client tokens 2016-05-11 13:36:46 +02:00
Christoph Wurst 3ab922601a
Check if session token is valid and log user out if the check fails
* Update last_activity timestamp of the session token
* Check user backend credentials once in 5 minutes
2016-05-11 13:36:46 +02:00
Christoph Wurst 2fa5e0a24e
invalidate (delete) session token on logout
add 'last_activity' column to session tokens and delete old ones via a background job
2016-05-11 13:36:46 +02:00
Christoph Wurst d8cde414bd
token based auth
* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if a auth token exists
* create new token for the browser session if none exists
hash stored token; save user agent
* encrypt login password when creating the token
2016-05-11 13:36:46 +02:00
Roeland Jago Douma 9504500e5f
Move \OC\User to PSR-4 2016-05-10 19:53:36 +02:00