Commit Graph

39 Commits

Author SHA1 Message Date
Christoph Wurst 376e570b15 Fix missing login hook wih Apache/SAML
Without this patch the hook does not transport the information whether the login is
done with an app password or not. The suspicious login app requires the parameter
to function correctly, hence adding it will make suspicious login detection also possible
with SAML users.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-06-11 07:42:25 +00:00
Morris Jobke 3ab884a479 Use non-absolute logout URL to fix wrong URL in reverse proxy scenario
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2019-05-08 17:37:19 +00:00
Roeland Jago Douma e3de4edc51
Urlencode the requesttoken
Followup of #13757

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-23 16:16:31 +01:00
Roeland Jago Douma ebd9f30d85
Request plain logout url
By requesting the plain logout url we allow it to be properly cached by
the caching router. We just add the requesttoken manually.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-23 14:06:03 +01:00
Bjoern Schiessle bb86a8ca36
add back-end as parameter to the pre-login hook
This is needed for the Global Scale setup to allow the master
node to perform different operations during login, depending
on the user management. Because in case of SAML, the authentication
at the idp happens at the master node.

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-14 17:23:06 +02:00
Arthur Schiwon 38a90130ce
move log constants to ILogger
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-04-26 10:45:52 +02:00
Roeland Jago Douma 7ebd96416c
Remove deprecated OCP\User::getDisplayname
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-25 20:42:03 +02:00
Roeland Jago Douma 6c8caa1641
Remove deprecated \OCP\User::getUsers
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-25 20:33:24 +02:00
Morris Jobke 55532f19d9
Cleanup OC_User and OCP\User
* mainly removes deprecated methods and old static code

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-16 18:39:11 +01:00
Morris Jobke 31c5c2a592
Change @georgehrke's email
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 20:38:59 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Lukas Reschke 2e4cd44556
Inject \OCP\IURLGenerator to make tests work
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-18 15:32:40 +02:00
Lukas Reschke a04feff9a7
Properly allow \OCP\Authentication\IApacheBackend to specify logout URL
Any `\OCP\Authentication\IApacheBackend` previously had to implement `getLogoutAttribute` which returns a string.
This string is directly injected into the logout `<a>` tag, so returning something like `href="foo"` would result
in `<a href="foo">`.

This is rather error prone and also in Nextcloud 12 broken as the logout entry has been moved with
054e161eb5 inside the navigation manager where one cannot simply inject attributes.

Thus this feature is broken in Nextcloud 12 which effectively leads to the bug described at nextcloud/user_saml#112,
people cannot logout anymore when using SAML using SLO. Basically in case of SAML you have a SLO url which redirects
you to the IdP and properly logs you out there as well.

Instead of monkey patching the Navigation manager I decided to instead change `\OCP\Authentication\IApacheBackend` to
use `\OCP\Authentication\IApacheBackend::getLogoutUrl` instead where it can return a string with the appropriate logout
URL. Since this functionality is only prominently used in the SAML plugin. Any custom app would need a small change but
I'm not aware of any and there's simply no way to fix this properly otherwise.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-18 12:22:44 +02:00
Morris Jobke 050fa63380 Merge pull request #5939 from nextcloud/dont-have-set-uid-as-displayname
Remove setUidAsDisplayName
2017-08-01 13:28:27 +02:00
Lukas Reschke dfd8125aeb
Replace wrong PHPDocs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:16 +02:00
Lukas Reschke bef4f015ee
Remove setUidAsDisplayName
This code is a leftover from the old Shibboleth implementation from ownCloud days, nowadays it causes more issues than it does good (such as https://github.com/nextcloud/user_saml/pull/137). Let's remove it for the future thus.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-31 15:52:53 +02:00
Roeland Jago Douma b930f32e89
Remove legacy OC_User_Backend and OC_User_Interface
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-24 20:42:55 +02:00
Morris Jobke c43d479372 Merge pull request #5855 from nextcloud/cleanup-legacy-user-class
Cleanup legacy user class from unused methods
2017-07-24 14:39:18 +02:00
Morris Jobke 188b87e03b Cleanup legacy user class from unused methods
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-07-24 12:17:53 +02:00
Morris Jobke 7790017a14 Cleanup code of personal page to use public interfaces
* public interfaces instead of static code calls
* drop static private namespace methods

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-07-24 12:11:24 +02:00
Jörn Friedrich Dreyer fff6d6e3e8
Refactor auth methods
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-26 01:08:53 -03:00
Morris Jobke a5ba1f7803
Remove legacy class OC_Group and OC_User
* basically a straight replacement of the wrapped code at the calling code parts

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-09 17:35:09 -06:00
Lukas Reschke 92c74d2f9a
Don't force displayname if backend already provides one
`\OC_User::loginWithApache` is used in combination with backend mechanisms like our SSO / SAML integration. Those can optionally already provide a displayname using other means. For example by mapping SAML attributes.

The current approach makes it however impossible for backends using `\OCP\Authentication\IApacheBackend` to set a displayname on their own. Because the display name will simply be overwritten with the loginname.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-02-16 13:55:48 +01:00
Vincent Petry b32e252fb0
Testing md5home (#26854)
* Allow clearing default user backends in config.php

When specifying "user_backends" in config.php, a new option "default"
when set to false will prevent the default user backend to be
registered. The default one is the database backend.
This makes it possible to select exclusive user backends from apps.

* Testing app provides test user backend for alternative homes

The backend provide md5 result to getHome()

* Only md5 the user home when it's not the admin

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-12-22 11:03:42 +01:00
Christoph Wurst d907666232
bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Joas Schilling 0215b004da
Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Christoph Wurst c58d8159d7
Create session tokens for apache auth users 2016-05-31 17:07:49 +02:00
Lukas Reschke aba539703c
Update license headers 2016-05-26 19:57:24 +02:00
Christoph Wurst 7aa16e1559
fix setup 2016-05-11 13:36:46 +02:00
Christoph Wurst 3ab922601a
Check if session token is valid and log user out if the check fails
* Update last_activity timestamp of the session token
* Check user backend credentials once in 5 minutes
2016-05-11 13:36:46 +02:00
Christoph Wurst d8cde414bd
token based auth
* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if a auth token exists
* create new token for the browser session if none exists
hash stored token; save user agent
* encrypt login password when creating the token
2016-05-11 13:36:46 +02:00
Roeland Jago Douma 9e1d9871a8
Move OC_User_Database to \OC\User\Database 2016-05-10 19:53:36 +02:00
Björn Schießle 61be98f554 Merge pull request #24410 from owncloud/fix_24182
first call the post_login hooks, before we call getUserFolder.
2016-05-04 10:23:38 +02:00
Thomas Müller 4b2544925f Merge pull request #23844 from owncloud/disable-user
Add occ commands to enable and disable a user + a disabled user can n…
2016-05-03 15:22:41 +02:00
Björn Schießle 8c0984d605
first call the post_login hooks, before we call getUserFolder.
The login process needs to be completed before we can safely create
the users home folder. For example we need to give encryption a chance
to initialize the users encryption keys in order to copy the skeleton
files correctly
2016-05-03 10:46:05 +02:00
Thomas Müller 7aca13f14c
Allow login by email address 2016-05-02 14:51:01 +02:00
Thomas Müller 9c9fec36dd
Add occ commands to enable and disable a user + a disabled user can no longer login - fixes #23838 2016-05-02 09:31:22 +02:00
Roeland Jago Douma 368be8894c
Move non PSR-4 files from lib/private root to legacy
As discussed we move all old style classes (OC_FOO_BAR) to legacy.
Then from there we can evaluate the need to convert them back or if they
can be fully deprecated/deleted.
2016-04-30 11:32:22 +02:00