Commit Graph

155 Commits

Author SHA1 Message Date
Patrick Conrad 06e43bb46a
Remove cookies from Clear-Site-Data Header
In 2f87fb6b45 this header was introduced. The referenced documentation says:

> When delivered with a response from https://example.com/clear, the following header will cause cookies associated with the origin https://example.com to be cleared, as well as cookies on any origin in the same registered domain (e.g. https://www.example.com/ and https://more.subdomains.example.com/).

This also applies if `https://nextcloud.example.com/` sends the `Clear-Site-Data: "cookies"` header.
This is not the behavior we want at this point!

So I removed the deletion of cookies from the header. This has no effect on the logout process as this header is supported only recently and the logout works in old browsers as well.

Signed-off-by: Patrick Conrad <conrad@iza.org>
(cherry picked from commit 1806baaeaf)
2018-10-24 08:53:46 +02:00
Morris Jobke 7613801a58
Change password expiration time from 12h to 7d
We use the same logic for creating accounts without a password and there the 12h is a bit short. Users don't expect that the signup link needs to be clicked within 12h - 7d should be a more expected behavior.

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-10-16 09:24:38 +02:00
Bjoern Schiessle 5b54b8cba2
update unit tests
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-10 17:26:11 +02:00
Joas Schilling f2706cb572
Add unit test
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-15 00:49:28 +01:00
Julius Härtl f5f6ed664d
Hide stay logged in checkbox when flow authentication is used
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-12-28 11:15:26 +01:00
Roeland Jago Douma 094d41937a
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-12-18 21:06:52 +01:00
Roeland Jago Douma c1fcd6fc98
Merge pull request #7324 from nextcloud/no-sorters-no-instances
don't create sorter instances when none was requested
2017-12-11 15:27:44 +01:00
Morris Jobke ed7beb929e
Merge pull request #6876 from nextcloud/always_img_avatar
Always generate avatar
2017-12-08 23:58:17 +01:00
Bjoern Schiessle 555fe7047f
fix tests
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-12-08 13:29:33 +01:00
Roeland Jago Douma 8e8fe6b8eb
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-11-29 14:23:15 +01:00
Arthur Schiwon 96bc03a03a
don't create sorter instances when none was requested
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-11-28 13:30:51 +01:00
Mario Danic c2cd5fc5d3 Fix flow
Signed-off-by: Mario Danic <mario@lovelyhq.com>
2017-11-09 00:29:34 +01:00
Julius Härtl cd1bfea8c4
Theming: theme flow redirection page
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-11-08 14:56:32 +01:00
Arthur Schiwon e2805f02aa
Merge branch 'master' into autocomplete-gui 2017-11-01 15:37:29 +01:00
Arthur Schiwon 25aad121e6
meanwhile we can have exact matches. also show those.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-10-31 14:58:48 +01:00
Arthur Schiwon fa2f03979b
add search parameter to autocomplete controller
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-10-25 17:26:50 +02:00
Morris Jobke 43e498844e
Use ::class in test mocks
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 17:45:32 +02:00
Arthur Schiwon fd6daf8d19
AutoCompletion backend
* introduce a Controller for requests
* introduce result sorting mechanism
* extend Comments to retrieve commentors (actors) in a tree
* add commenters sorter
* add share recipients sorter

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-10-22 14:13:32 +02:00
Joas Schilling 3119fd41ce
Set the data from the template
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-10-18 15:12:03 +02:00
Morris Jobke 444779ce96
Fix tests
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-09-06 16:38:24 +02:00
Morris Jobke 0326c2c54f
Fix broken tests
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-09-04 14:17:03 +02:00
Joas Schilling 0aff1c9268
Return the user id in case of an error
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-29 11:10:30 +02:00
Morris Jobke 0b652648cc Merge pull request #6177 from nextcloud/properly-add-slo-url
Properly allow \OCP\Authentication\IApacheBackend to specify logout URL
2017-08-26 18:50:52 +02:00
Joas Schilling d5c6d56170
No password reset for disabled users
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-18 13:21:53 +02:00
Lukas Reschke a04feff9a7
Properly allow \OCP\Authentication\IApacheBackend to specify logout URL
Any `\OCP\Authentication\IApacheBackend` previously had to implement `getLogoutAttribute` which returns a string.
This string is directly injected into the logout `<a>` tag, so returning something like `href="foo"` would result
in `<a href="foo">`.

This is rather error prone and also in Nextcloud 12 broken as the logout entry has been moved with
054e161eb5 inside the navigation manager where one cannot simply inject attributes.

Thus this feature is broken in Nextcloud 12 which effectively leads to the bug described at nextcloud/user_saml#112,
people cannot logout anymore when using SAML using SLO. Basically in case of SAML you have a SLO url which redirects
you to the IdP and properly logs you out there as well.

Instead of monkey patching the Navigation manager I decided to instead change `\OCP\Authentication\IApacheBackend` to
use `\OCP\Authentication\IApacheBackend::getLogoutUrl` instead where it can return a string with the appropriate logout
URL. Since this functionality is only prominently used in the SAML plugin. Any custom app would need a small change but
I'm not aware of any and there's simply no way to fix this properly otherwise.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-18 12:22:44 +02:00
Roeland Jago Douma ba7cf03daf
Fix LostControllerTest
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-09 15:51:13 +02:00
Roeland Jago Douma 3bd104ef7c
Fix LoginController
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-09 15:12:02 +02:00
Morris Jobke 84c22fdeef Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call
Add metadata to \OCP\AppFramework\Http\Response::throttle
2017-08-01 14:43:47 +02:00
Morris Jobke 6010c4f267 Merge pull request #5877 from nextcloud/typehint_middleware
Prop argument type for Middleware
2017-08-01 14:28:16 +02:00
Roeland Jago Douma 2fae696d35
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-01 08:20:17 +02:00
Lukas Reschke c25e782dd6
Fix settings/Controller/
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:15 +02:00
Roeland Jago Douma f71dc7523f
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Lukas Reschke f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Morris Jobke 0de90cfc67 Fix 403 and 404 redirect
* Nextcloud is not properly loaded in the standalone version (especially the theming)
* it is already not listed anymore in the Nginx config (see nextcloud/documentation#392)
* the index.php-free version doesn't support this

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-07-26 16:30:09 +02:00
Roeland Jago Douma 86a496d94a Merge pull request #5567 from nextcloud/public-capabilities
Public capabilities API
2017-07-12 13:04:54 +02:00
Morris Jobke efa52ec111 Merge pull request #5441 from nextcloud/custom-theme-update
Add command to apply updates to custom themes
2017-07-05 12:44:43 +02:00
Julius Härtl 2e47210d6f Add command to apply updates to custom themes
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-07-05 12:38:07 +02:00
Julius Härtl 01093604d3
Add tests for public capabilties
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-06-30 11:21:15 +02:00
Lukas Reschke 2f87fb6b45
Add Clear-Site-Data header
This adds a Clear-Site-Data header to the logout response which will delete all relevant data in the caches which may contain potentially sensitive content.

See https://w3c.github.io/webappsec-clear-site-data/#header for the definition of the types.

Ref https://twitter.com/mikewest/status/877149667909406723

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-06-20 19:46:10 +02:00
Lukas Reschke 26ee889fec
Add tests for ClientFlowLoginController
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:08 +02:00
Joas Schilling 0828df5ed4
Disable the API endpoints as well
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-11 17:03:57 +02:00
Joas Schilling d418ea550b
Automatic injection for CssController
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-10 09:42:40 +02:00
Joas Schilling 9c8fe82000
Automatic injection for JsController
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-10 09:42:15 +02:00
Mario Danic e4aac15a92
Update login flow redirection
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-04 19:21:22 +02:00
Georg Ehrke 60f9ed6241
add contactsmenu popover
Signed-off-by: Georg Ehrke <developer@georgehrke.com>
2017-04-26 09:26:53 +02:00
Jan-Christoph Borchardt 241e397326 Merge branch 'master' into contactsmenu
Signed-off-by: Jan-Christoph Borchardt <hey@jancborchardt.net>
2017-04-26 00:50:38 +02:00
Christoph Wurst 36cee1f386 Let apps register contact menu provider via info.xml
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-04-25 20:47:17 +02:00
Christoph Wurst d091793ceb Contacts menu
* load list of contacts from the server
* show last message of each contact

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-04-25 20:47:17 +02:00
Roeland Jago Douma aae079aa29
AppToken to 72 chars
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-25 20:18:49 +02:00
Lukas Reschke 6a16df7288
Add new auth flow
This implements the basics for the new app-password based authentication flow for our clients.
The current implementation tries to keep it as simple as possible and works the following way:

1. Unauthenticated client opens `/index.php/login/flow`
2. User will be asked whether they want to grant access to the client
3. If accepted the user has the chance to do so using existing App Token or automatically generate an app password.

If the user chooses to use an existing app token then that one will simply be redirected to the `nc://` protocol handler.
While we can improve on that in the future, I think keeping this smaller at the moment has its advantages. Also, in the
near future we have to think about an automatic migration endpoint so there's that anyways :-)

If the user chooses to use the regular login the following happens:

1. A session state token is written to the session
2. User is redirected to the login page
3. If successfully authenticated they will be redirected to a page redirecting to the POST controller
4. The POST controller will check if the CSRF token as well as the state token is correct, if yes the user will be redirected to the `nc://` protocol handler.

This approach is quite simple but also allows to be extended in the future. One could for example allow external websites to consume this authentication endpoint as well.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-25 20:18:49 +02:00