Roeland Jago Douma
ac8a6e2244
Clean pending 2FA authentication on password reset
...
When a password is reste we should make sure that all users are properly
logged in. Pending states should be cleared. For example a session where
the 2FA code is not entered yet should be cleared.
The token is now removed so the session will be killed the next time
this is checked (within 5 minutes).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-29 13:08:56 +01:00
Roeland Jago Douma
d0397f9b53
Generic message on password reset
...
There is no need to inform the user if the account existed or not.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-15 15:53:43 +01:00
blizzz
ef97ef72f6
Merge pull request #10743 from danielkesselberg/bugfix/noid/allow-password-reset-for-duplicate-email
...
Enable password reset for user with same email address when only one is active
2018-09-13 10:48:30 +02:00
Morris Jobke
cf3f4888cc
Change password expiration time from 12h to 7d
...
We use the same logic for creating accounts without a password and there the 12h is a bit short. Users don't expect that the signup link needs to be clicked within 12h - 7d should be a more expected behavior.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-08-31 13:31:03 +02:00
Daniel Kesselberg
031fdfb1fc
Enable password reset for user with same email address when only one is active
...
When two or more user share the same email address its not possible to
reset password by email. Even when only one account is active.
This pr reduce list of users returned by getByEmail by disabled users.
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2018-08-19 16:32:46 +02:00
Bjoern Schiessle
dfec66ca02
only warn about data lose on password reset if per-user keys are used
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-15 15:08:34 +02:00
Robin Appelman
8ed50d4b63
prefill userid for login after password reset
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-06-21 15:18:07 +02:00
Rémy Jacquin
04e1cab5ee
Fix translation bug on lost password page
...
Fix nextcloud/password_policy#26
Signed-off-by: Rémy Jacquin <remy@remyj.fr>
2018-05-20 12:51:50 +02:00
Joas Schilling
339e320064
Fix existing usages
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-02-15 12:18:51 +01:00
Arthur Schiwon
4f3d52a364
never translate login names when requiring with a user id
...
where appropriate, the preLoginNameUsedAsUserName hook should be thrown.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-01-03 13:25:00 +01:00
Morris Jobke
0eebff152a
Update license headers
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Joas Schilling
3119fd41ce
Set the data from the template
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-10-18 15:12:03 +02:00
Joas Schilling
8b37fe7f65
Set the subject with the email template to allow theming
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-10-18 15:12:03 +02:00
Joas Schilling
6dbb64c4a2
Merge setMetaData into constructor
...
This ensures that the meta data is set in the beginning
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-09-04 15:07:41 +02:00
Joas Schilling
6a130d01e7
Also for reset password
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-24 18:02:37 +02:00
Joas Schilling
d5c6d56170
No password reset for disabled users
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-18 13:21:53 +02:00
Morris Jobke
188b87e03b
Cleanup legacy user class from unused methods
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-07-24 12:17:53 +02:00
Joas Schilling
0828df5ed4
Disable the API endpoints as well
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-11 17:03:57 +02:00
Joas Schilling
3d671cc536
Merge pull request #4443 from nextcloud/cleanup-unused-imports
...
Remove unused use statements
2017-04-24 11:47:37 +02:00
Morris Jobke
c54a59d51e
Remove unused use statements
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-22 19:23:31 -05:00
Lukas Reschke
d0d34d308a
Add at most 10 password reset requests per 5 minutes and IP range
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-22 08:12:54 +02:00
Morris Jobke
16c4755e03
Rename renderHTML to renderHtml
...
* fixes #4383
* improves consistency
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-19 15:46:41 -05:00
Lukas Reschke
727688ebd9
Adjust existing bruteforce protection code
...
- Moves code to annotation
- Adds the `throttle()` call on the responses on existing annotations
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-14 13:42:40 +02:00
Lukas Reschke
81d3732bf5
Merge pull request #4308 from nextcloud/lost-password-email
...
Update email template for lost password email
2017-04-13 20:02:15 +02:00
Lukas Reschke
66835476b5
Add support for ratelimiting via annotations
...
This allows adding rate limiting via annotations to controllers, as one example:
```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```
Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Morris Jobke
1f962f9115
Update email template for lost password email
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-12 15:19:53 -05:00
Morris Jobke
5b4adf66e5
Move OC_Defaults to OCP\Defaults
...
* currently there are two ways to access default values:
OCP\Defaults or OC_Defaults (which is extended by
OCA\Theming\ThemingDefaults)
* our code used a mixture of both of them, which made
it hard to work on theme values
* this extended the public interface with the missing
methods and uses them everywhere to only rely on the
public interface
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-09 21:43:01 -05:00
Joas Schilling
4bae7ef96d
Allow to reset the password with the email as an input
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-28 21:17:37 +02:00
Bjoern Schiessle
927d3865a0
add brute force protection to password reset to make it harder to guess user logins
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-19 10:12:45 +01:00
Bjoern Schiessle
fcda3a20f4
create new encryption keys on password reset and backup the old one
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-10 17:04:32 +01:00
Bjoern Schiessle
16bbd3fd7c
fix password reset if encryption is enabled
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2016-12-08 12:08:05 +01:00
Lukas Reschke
6d686c213b
[WIP] Use mail for encrypting the password reset token as well
2016-11-03 14:27:26 +01:00
Joas Schilling
877cb06bfe
Use magic DI for core controllers
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-09-30 10:00:26 +02:00
Roeland Jago Douma
f6423f74e3
Minor cleanup in core Controllers
2016-08-29 21:52:09 +02:00
Joas Schilling
736e884e9a
Move the reset token to core app
2016-08-23 15:01:38 +02:00
Joas Schilling
ba87db3fcc
Fix others
2016-07-21 18:13:57 +02:00
Joas Schilling
2c988ecbf4
Use the themed Defaults everywhere
2016-07-15 09:17:30 +02:00
Lukas Reschke
aba539703c
Update license headers
2016-05-26 19:57:24 +02:00
Julius Haertl
8ee2cb47d0
Show error messages if a password reset link is invalid or expired
...
- Moved token validation to method checkPasswordResetToken
- Render error with message from exceptions
2016-05-23 16:48:10 +02:00
Lukas Reschke
a4b19a5b1e
Rename files to be PSR-4 compliant
2016-04-06 11:00:52 +02:00