even when token is invalid or has no password.
Returning the uid as loginname is wrong, and leads to problems when
these differ. E.g. the getapppassword API was creating app token with
the uid as loginname. In a scenario with external authentication (such
as LDAP), these tokens were then invalidated next time their underlying
password was checked, and systematically ceased to function.
Co-authored-by: kesselb <mail@danielkesselberg.de>
for: switch to consistent camelCase
Signed-off-by: Lionel Elie Mamane <lionel@mamane.lu>
Ref #14552
This adds a BeforeUserRemovedEvent to the LDAP backend because it was missing. It's not really before, but we don't have the before state.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
There were some cases where a negative limit could be passed in. Which
would happily make the query explode.
This is just a quick hack to make sure it never is negative.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Avoids directly getting the token again. We just inserted it so it and
have all the info. So that query is just a waste.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Some user backends (like the database backend) allow us to obtain a user
case insensitive. However the UID itself is case sensitive.
Example:
* create a user User1
* login as User1
- This results the data/User1 folder to be created etc
* now have some code somewhere that obtains the userFolder (from
IRootFolder) but pas in 'uSER1' as uid
- The code will check if that is a valid user. And in this case it is
since User1 and uSER1 both map to the same user
- However the the UID in the user object is used for the folder a new
folder fill be create data/uSER1
With this PR this is avoided now. Since we obtain the real UID casing in
the backend before creating the user object.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#7084
Now entering wrongly cased email (roeland@ instead of Roeland@) for
password reset etc. Will also work.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#12498
This means that we set that it is a proper app token once it is
validated. This will allow the 2FA middleware to just run the same
check.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#12131
If we hit an expired token there is no need to continue checking. Since
we know it is a token.
We also should not register this with the bruteforce throttler as it is
actually a valid token. Just expired. Instead the authentication should
fail. And buisness continues as usual.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#11097
If your password hash changed (becuse your are on 7.2 and we moved to
ARGON2). Then we shold not 'set a new password' but just update the
hash. As else we invoke the password policy again which might lock out
users.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* On weblogin check if we have invalid public key tokens
* If so update them all with the new token
This ensures that your marked as invalid tokens work again if you once
login on the web.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This protects our cookies a bit more. It makes sure that when a 3rdparty
websites embededs a public alendar for example. That all the users see
this in anonymous mode there.
It adds a small helper function.
In the future we can think about protecting other cookies like this as
well. But for now this is sufficient to not have the user logged in at
all when doing 3rdparty requests.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Sometimes when we force a session regeneration we want to update the
current token for this session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#9279
If a pure numerical user is in the DB the value might be casted to a int
when returned. Cast it all to a string so we don't break the strict
typing.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Due to a misplaced closing parenthesis the condition of the left join
clause was just "userid = uid"; the other conditions were passed as
additional parameters to "leftJoin", and thus they were ignored.
Therefore, the result set contained every preference of each user
instead of only the email, so the "WHERE configvalue LIKE XXX" matched
any configuration value of the user.
Besides the closing parenthesis this commit also fixes the literal
values. Although "Literal" objects represent literal values they must be
created through "IExpressionBuilder::literal()" to be properly quoted;
otherwise it is just a plain string, which is treated as a column name.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* We first try the email as username but this fails
* Then we get the uid from the email and try again
We should not log the first attempt since it polutes the log with failed
login attempts while the login actually is valid.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#7175.
- Updated the query to fetch the users in users > everyone tab.
- Updated the query to fetch the users in users > admin tab.
- Tested to ensure that the disabled users are also being fetched.
- Added test cases.
Signed-off-by: Abijeet <abijeetpatro@gmail.com>
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is gen-
erated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
`\OC\User\Database::createUser` can throw a PHP exception in case the UID is longer than
permitted in the database. This is against it's PHPDocs and we should cast this to `false`,
so that the regular error handling triggers in.
The easiest way to reproduce is on MySQL:
1. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel
2. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel again
3. See SQL exception as error message
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Most of the time, when people have multiple backends or add a
custom backend, they want to create the users there and not in
the default backend. But since that is registered first, users
were always created there.
Signed-off-by: Joas Schilling <coding@schilljs.com>
The encryption app relies on the post_login hook to initialize its keys.
Since we do not emit it on a remembered login, the keys were always un-
initialized and the user was asked to log out and in again.
This patch *translates* the postRememberedLogin hook to a post_login
hook.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add postLogout hook to finish sessions from external session managers like CAS
* Add postLogout hook to finish sessions from external session managers like CAS
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
The constructor is iniitiated already very early in base.php, thus requiring this here will break the setup and some more. For now we probably have to live with a static function call here thus.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
For guest users on every request executes query:
SELECT `uid`, `displayname` FROM `users` WHERE LOWER(`uid`) = LOWER(null)
as I see, uid can't be equal to null by design.
After the deletion getHome() will fail because the user doesn't exist
any more, so we need to fetch that value earlier.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Else the last-login-check fails hard because the session value is not
set and thus defaults to 0.
* Started with tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
We have to respect the value of the remember-me checkbox. Due to an error
in the source code the default value for the session token was to remember
it.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Use firstLogin event to trigger creation of default calendar and default address book
Delay login of admin user after setup so that firstLogin event can properly be processed for the admin
Fixing tests ...
Skeleton files are not copied over -> only 3 cache entries are remaining
Use updateLastLoginTimestamp to properly setup lastLogin value for a test user
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
The check for two factor enforcement would return true for non-existing
users. This fix makes it return false in order to be able to perform
the regular login which will then fail and return false.
This prevents throwing PasswordLoginForbidden for non-existing users.
We always query the database backend. Even if we use a different one
(ldap for example). Now we do this everytime we try to get a user object
so caching that a user is not in the DB safes some queries on each
request then (at least 2 what I found).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if a auth token exists
* create new token for the browser session if none exists
hash stored token; save user agent
* encrypt login password when creating the token
