In 2f87fb6b45 this header was introduced. The referenced documentation says:
> When delivered with a response from https://example.com/clear, the following header will cause cookies associated with the origin https://example.com to be cleared, as well as cookies on any origin in the same registered domain (e.g. https://www.example.com/ and https://more.subdomains.example.com/).
This also applies if `https://nextcloud.example.com/` sends the `Clear-Site-Data: "cookies"` header.
This is not the behavior we want at this point!
So I removed the deletion of cookies from the header. This has no effect on the logout process as this header is supported only recently and the logout works in old browsers as well.
Signed-off-by: Patrick Conrad <conrad@iza.org>
(cherry picked from commit 1806baaeaf)
We use the same logic for creating accounts without a password and there the 12h is a bit short. Users don't expect that the signup link needs to be clicked within 12h - 7d should be a more expected behavior.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Fixes#7697
When using the new login flow a token will be generated since we login.
However after that we generate yet another token to return (as we
should).
However we should kill the current session token as we are done with it.
And will never use it again.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Even if no avatar is set we should just generate the image. This to not
duplicate the code on all the clients. And only server images from the
avtar endpoint.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#6967
This allows clients to check for Walled Garden connections.
The endpoint just responds with a 204 (which is very unlikely with such
a connection)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* introduce a Controller for requests
* introduce result sorting mechanism
* extend Comments to retrieve commentors (actors) in a tree
* add commenters sorter
* add share recipients sorter
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
The URLGenerator doesn't support `` as target for absolute URLs, we need to link to `/` thus.
Regression introduced with 46229a00f3
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Any `\OCP\Authentication\IApacheBackend` previously had to implement `getLogoutAttribute` which returns a string.
This string is directly injected into the logout `<a>` tag, so returning something like `href="foo"` would result
in `<a href="foo">`.
This is rather error prone and also in Nextcloud 12 broken as the logout entry has been moved with
054e161eb5 inside the navigation manager where one cannot simply inject attributes.
Thus this feature is broken in Nextcloud 12 which effectively leads to the bug described at nextcloud/user_saml#112,
people cannot logout anymore when using SAML using SLO. Basically in case of SAML you have a SLO url which redirects
you to the IdP and properly logs you out there as well.
Instead of monkey patching the Navigation manager I decided to instead change `\OCP\Authentication\IApacheBackend` to
use `\OCP\Authentication\IApacheBackend::getLogoutUrl` instead where it can return a string with the appropriate logout
URL. Since this functionality is only prominently used in the SAML plugin. Any custom app would need a small change but
I'm not aware of any and there's simply no way to fix this properly otherwise.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Patrick Conrad
Morris Jobke
Bjoern Schiessle
Rémy Jacquin
Roeland Jago Douma
Arthur Schiwon
Mario Danic
Julius Härtl
Roeland Jago Douma
Joas Schilling
Lukas Reschke
Christoph Wurst