Roeland Jago Douma
b1d8084700
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-15 21:43:11 +01:00
Julius Härtl
f5f6ed664d
Hide stay logged in checkbox when flow authentication is used
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-12-28 11:15:26 +01:00
Morris Jobke
0326c2c54f
Fix broken tests
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-09-04 14:17:03 +02:00
Roeland Jago Douma
3bd104ef7c
Fix LoginController
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-09 15:12:02 +02:00
Lukas Reschke
f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
...
Fixes https://github.com/nextcloud/server/issues/5891
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Lukas Reschke
2f87fb6b45
Add Clear-Site-Data header
...
This adds a Clear-Site-Data header to the logout response which will delete all relevant data in the caches which may contain potentially sensitive content.
See https://w3c.github.io/webappsec-clear-site-data/#header for the definition of the types.
Ref https://twitter.com/mikewest/status/877149667909406723
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-06-20 19:46:10 +02:00
Christoph Wurst
bb1d191f82
Fix remember redirect_url on failed login attempts
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-04-25 09:38:19 +02:00
Lukas Reschke
8149945a91
Make BruteForceProtection annotation more clever
...
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.
Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Morris Jobke
d36751ee38
Merge pull request #2424 from nextcloud/fix-login-controller-test-consolidate-login
...
Fix login controller test and consolidate login
2017-04-13 12:16:38 -05:00
Joas Schilling
7ad791efb4
Dont create a log entry on email login
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-07 10:15:20 +02:00
Arthur Schiwon
7b3fdfeeaa
do login routine only once when done via LoginController
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:42 +02:00
Arthur Schiwon
2994cbc586
fix login controller tests
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:20:17 +02:00
Christoph Wurst
5e728d0eda
oc_token should be nc_token
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Christoph Wurst
140555b786
always allow remembered login
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:11 +01:00
Joas Schilling
924358ef96
Save the timezone on login again
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-08 10:45:24 +01:00
Christoph Wurst
d907666232
bring back remember-me
...
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Christoph Wurst
291dd0bd31
redirect to 2fa provider if there's only one active for the user
2016-08-29 18:36:39 +02:00
Joas Schilling
736e884e9a
Move the reset token to core app
2016-08-23 15:01:38 +02:00
Joas Schilling
139fb8de94
Remove "password reset token" after successful login
2016-08-23 12:54:45 +02:00
Lukas Reschke
cf3cfca356
Use generated URL
2016-08-15 17:37:55 +02:00
Lukas Reschke
75d135d8d4
Fix tests for LoginController
2016-08-15 17:19:32 +02:00
Lukas Reschke
65d1472005
Don't use create mock
...
Not compatible with this PHPunit version
2016-08-15 17:08:27 +02:00
Lukas Reschke
72b5f9bfac
Use createMock instead of deprecated getMock
2016-08-11 15:22:29 +02:00
Lukas Reschke
9ca25e857c
Redirect users when already logged-in on login form
2016-08-11 15:22:29 +02:00
Lukas Reschke
c1589f163c
Mitigate race condition
2016-07-20 23:09:27 +02:00
Lukas Reschke
ba4f12baa0
Implement brute force protection
...
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Thomas Müller
232d735893
Do not leak the login name - fixes #25047
2016-06-09 16:44:31 +02:00
Christoph Wurst
ad10485cec
when generating browser/device token, save the login name for later password checks
2016-05-24 11:49:15 +02:00
Christoph Wurst
dfb4d426c2
Add two factor auth to core
2016-05-23 11:21:10 +02:00
Joas Schilling
392bc0c6b9
Move tests/core/ to PSR-4
2016-05-19 11:18:25 +02:00