On some systems with a lot of users this creates a lot of extra DB
writes.
Being able to increase this interval helps there.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
The serialized data in 19 has one property less and this was not
considered in the code. Hence adding a fallback. Moreover I'm changing
the deserialization into an array instead of object, as that is the
safer option.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
When your password changes out of bounds your Nextcloud tokens will
become invalid. There is no real way around that. However we should make
sure that if you successfully log in again your passwords are all
updates
* Added event listener to the PostLoggedInEvent so that we can act on it
- Only if it is not a token login
* Make sure that we actually reset the invalid state when we update a
token. Else it keeps being marked invalid and thus not used.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
even when token is invalid or has no password.
Returning the uid as loginname is wrong, and leads to problems when
these differ. E.g. the getapppassword API was creating app token with
the uid as loginname. In a scenario with external authentication (such
as LDAP), these tokens were then invalidated next time their underlying
password was checked, and systematically ceased to function.
Co-authored-by: kesselb <mail@danielkesselberg.de>
for: switch to consistent camelCase
Signed-off-by: Lionel Elie Mamane <lionel@mamane.lu>
Else people might have the feeling this is also doing 2FA. And since it
is only prefered it can be ignored and hacked around.
Once we have proper 2FA with webauthn in one go this probably needs to
be revisted.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
This avoids hitting the backend with multiple requests for the same
token. And will help avoid quick LDAP lockouts.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Env-based SAML uses the "Apache auth" mechanism to log users in. In this
code path, we first delete all existin auth tokens from the database,
before a new one is inserted. This is problematic for concurrent
requests as they might reach the same code at the same time, hence both
trying to insert a new row wit the same token (the session ID). This
also bubbles up and disables user_saml.
As the token might still be OK (both request will insert the same data),
we can actually just check if the UIDs of the conflict row is the same
as the one we want to insert right now. In that case let's just use the
existing entry and carry on.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>