- Jul 09, 2019
Daniel Kesselberg authored
There are plans to remove executionContexts from the spec: https://github.com/w3c/webappsec-clear-site-data/issues/59
Firefox already removed it: https://bugzilla.mozilla.org/show_bug.cgi?id=1548034
The Chromium implementation is not finished: https://bugs.chromium.org/p/chromium/issues/detail?id=898503&q=clear-site-data&sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified Signed-off-by:
Daniel Kesselberg <mail@danielkesselberg.de>
-
- May 29, 2019
Christoph Wurst authored
Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
- May 07, 2019
Christoph Wurst authored
Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
- Feb 06, 2019
Roeland Jago Douma authored
Fixes #12568
Since the clearing of the execution context causes another reload, we should not do the redirect_uri handling, as this results in redirecting back to the logout page on login. This adds a simple middleware that will just check if the ClearExecutionContext session variable is set. If that is the case it will just redirect back to the login page. Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
- Jan 29, 2019
Michael Weimann authored
Signed-off-by:
Michael Weimann <mail@michael-weimann.eu>
-
- Jan 23, 2019
Roeland Jago Douma authored
If the remember_login_cookie_lifetime is set to 0 this means we do not want to use remember me at all. In that case we should also not create a remember-me cookie and should create a proper temp token. Further, this specifies that if it is not 0, the remember-me time should always be larger than the session timeout, because otherwise the behavior is not really defined. Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
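The rule in the commit above, as an added illustration in Python (not Nextcloud's PHP code): a lifetime of 0 disables remember-me entirely, a positive lifetime must exceed the session timeout, and the outcome is either a long-lived remember-me cookie or a temporary session-bound token. The function and dataclass names, the `session_lifetime` parameter, and the choice to reject an inconsistent configuration with a `ValueError` are assumptions made for this example.

```python
"""Remember-me policy after a successful web login (illustrative model)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginTokenPolicy:
    """What the login flow should issue for this session."""
    issue_remember_me_cookie: bool   # long-lived cookie, or ...
    token_is_temporary: bool         # ... a temp token bound to the session
    cookie_max_age: Optional[int]    # Max-Age for the remember-me cookie (seconds)
    reason: str


def remember_me_policy(remember_login_cookie_lifetime: int,
                       session_lifetime: int,
                       user_ticked_remember_me: bool) -> LoginTokenPolicy:
    """Decide between a remember-me cookie and a temporary token.

    Rules taken from the commit message:
      * lifetime == 0 -> remember-me is disabled; always use a temp token
      * lifetime  > 0 -> must be larger than the session timeout, otherwise
                         the behaviour is undefined; this model refuses such
                         a configuration instead of guessing (assumption)
    """
    if remember_login_cookie_lifetime < 0 or session_lifetime <= 0:
        raise ValueError("lifetimes are whole seconds; session lifetime must be > 0")

    if remember_login_cookie_lifetime == 0:
        return LoginTokenPolicy(False, True, None, "remember-me disabled by config")

    if remember_login_cookie_lifetime <= session_lifetime:
        raise ValueError(
            f"remember_login_cookie_lifetime ({remember_login_cookie_lifetime}s) "
            f"must be larger than the session timeout ({session_lifetime}s)")

    if not user_ticked_remember_me:
        # Remember-me is allowed but the user did not ask for it.
        return LoginTokenPolicy(False, True, None, "user did not ask to be remembered")

    return LoginTokenPolicy(True, False, remember_login_cookie_lifetime,
                            "remember-me cookie issued")


if __name__ == "__main__":
    # Constructed sample values: 15-day remember-me, 24-hour session.
    print(remember_me_policy(15 * 24 * 3600, 24 * 3600, True))
    print(remember_me_policy(0, 24 * 3600, True))
```

The check that the remember-me lifetime exceeds the session timeout belongs at configuration-load time as well, so an operator sees the error once rather than per login.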
- Nov 20, 2018
Roeland Jago Douma authored
Fixes #11146
As documented, when it is set to disabled the user can't request a lost password. Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
- Oct 30, 2018
Rayn0r authored
Signed-off-by:
Rayn0r <Andre.Weidemann@web.de>
-
- Oct 15, 2018
Patrick Conrad authored
In https://github.com/nextcloud/server/commit/2f87fb6b456fd109c90a5093c31b7a3f62a32040 this header was introduced. The referenced documentation says:
> When delivered with a response from https://example.com/clear, the following header will cause cookies associated with the origin https://example.com to be cleared, as well as cookies on any origin in the same registered domain (e.g. https://www.example.com/ and https://more.subdomains.example.com/).
This also applies if `https://nextcloud.example.com/` sends the `Clear-Site-Data: "cookies"` header. This is not the behavior we want at this point! So I removed the deletion of cookies from the header. This has no effect on the logout process, as this header has only recently been supported and the logout works in old browsers as well. Signed-off-by:
Patrick Conrad <conrad@iza.org>
-
- Oct 02, 2018
Roeland Jago Douma authored
* On weblogin check if we have invalid public key tokens
* If so update them all with the new token
This ensures that your tokens marked as invalid work again once you log in on the web. Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
Michael Weimann authored
Signed-off-by:
Michael Weimann <mail@michael-weimann.eu>
-
- Aug 13, 2018
Christoph Wurst authored
If a failed login is logged, we save the username as metadata in the bruteforce throttler. To prevent database errors due to very long strings, this truncates the username at 64 bytes on the assumption that no real username is longer than that. Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
- Aug 08, 2018
Christoph Wurst authored
Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
Christoph Wurst authored
Fixes https://github.com/nextcloud/server/issues/10500. Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
- Jul 21, 2018
Michael Weimann authored
Signed-off-by:
Michael Weimann <mail@michael-weimann.eu>
-
- Jun 20, 2018
Christoph Wurst authored
This adds persistence to the Nextcloud server 2FA logic so that the server knows which 2FA providers are enabled for a specific user at any time, even when the provider is not available. The `IStatefulProvider` interface was added as tagging interface for providers that are compatible with this new API. Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
- Apr 10, 2018
Roeland Jago Douma authored
Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
Morris Jobke authored
Signed-off-by:
Morris Jobke <hey@morrisjobke.de>
-
- Apr 06, 2018
Roeland Jago Douma authored
Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
Roeland Jago Douma authored
Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
Roeland Jago Douma authored
Fixes #8004 Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
- Feb 22, 2018
Arthur Schiwon authored
Signed-off-by:
Arthur Schiwon <blizzz@arthur-schiwon.de>
-
- Jan 15, 2018
Roeland Jago Douma authored
Signed-off-by:
Roeland Jago Douma <roeland@famdouma.nl>
-
- Dec 28, 2017
Julius Härtl authored
Signed-off-by:
Julius Härtl <jus@bitgrid.net>
-
- Nov 06, 2017
Morris Jobke authored
Signed-off-by:
Morris Jobke <hey@morrisjobke.de>
-
- Sep 07, 2017
Lukas Reschke authored
The URLGenerator doesn't support `` as target for absolute URLs, so we thus need to link to `/`. Regression introduced with https://github.com/nextcloud/server/commit/46229a00f39e507249dbe3ceb7507277da3fa4f8 Signed-off-by:
Lukas Reschke <lukas@statuscode.ch>
-
- Sep 04, 2017
Morris Jobke authored
Signed-off-by:
Morris Jobke <hey@morrisjobke.de>
-
- Sep 02, 2017
Julius Härtl authored
Signed-off-by:
Julius Härtl <jus@bitgrid.net>
-
- Jul 27, 2017
Lukas Reschke authored
Fixes https://github.com/nextcloud/server/issues/5891 Signed-off-by:
Lukas Reschke <lukas@statuscode.ch>
-
- Jun 20, 2017
Lukas Reschke authored
This adds a Clear-Site-Data header to the logout response which will delete all relevant data in the caches which may contain potentially sensitive content. See https://w3c.github.io/webappsec-clear-site-data/#header for the definition of the types. Ref https://twitter.com/mikewest/status/877149667909406723 Signed-off-by:
Lukas Reschke <lukas@statuscode.ch>
-
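The Clear-Site-Data header introduced in the commit above, and the cookie-scope problem described in the Oct 15, 2018 commit, as one added Python illustration (this is not Nextcloud's PHP code). It builds the header value from the types defined in the spec, shows a logout header with and without `"cookies"`, and models which hosts' cookies a browser would drop: every host in the same registered domain, which is why `"cookies"` sent from `nextcloud.example.com` also hits `www.example.com`. The function names are assumptions, and the registered-domain rule is simplified to "the last two DNS labels" (real browsers consult the Public Suffix List), which is also an assumption of this example.

```python
"""Clear-Site-Data on logout: header construction and cookie scope (model)."""
from typing import Iterable, List

# Types defined at https://w3c.github.io/webappsec-clear-site-data/#header
KNOWN_TYPES = ("cache", "cookies", "storage", "executionContexts")


def clear_site_data_header(types: Iterable[str]) -> str:
    """Build the header value: each type as a quoted string, comma-separated."""
    chosen: List[str] = []
    for t in types:
        if t not in KNOWN_TYPES:
            raise ValueError(f"unknown Clear-Site-Data type: {t!r}")
        if t not in chosen:
            chosen.append(t)
    if not chosen:
        raise ValueError("at least one type is required")
    return ", ".join(f'"{t}"' for t in chosen)


def parse_clear_site_data(header: str) -> List[str]:
    """Inverse of clear_site_data_header; unknown tokens are ignored."""
    tokens = [tok.strip().strip('"') for tok in header.split(",")]
    return [tok for tok in tokens if tok in KNOWN_TYPES]


def logout_clear_site_data(clear_cookies: bool = False,
                           clear_execution_contexts: bool = False) -> str:
    """Header value for a logout response.

    Defaults follow the history on this page: "cookies" is left out because
    it would clear cookies for the whole registered domain, and
    "executionContexts" is left out because it is being dropped from the spec.
    """
    types = ["cache", "storage"]
    if clear_cookies:
        types.insert(1, "cookies")
    if clear_execution_contexts:
        types.append("executionContexts")
    return clear_site_data_header(types)


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two DNS labels (assumption, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookies_cleared_by(response_host: str, cookie_hosts: Iterable[str],
                       header: str) -> List[str]:
    """Hosts whose cookies a browser would drop on receiving `header` from
    `response_host`: none unless "cookies" is present, otherwise every host
    in the same registered domain (the behaviour quoted in the Oct 2018 commit)."""
    if "cookies" not in parse_clear_site_data(header):
        return []
    scope = registrable_domain(response_host)
    return [h for h in cookie_hosts if registrable_domain(h) == scope]


if __name__ == "__main__":
    # Constructed sample: an instance on a subdomain next to two other sites.
    hosts = ["nextcloud.example.com", "www.example.com", "other.example.org"]
    for hdr in (logout_clear_site_data(), logout_clear_site_data(clear_cookies=True)):
        print(hdr, "->", cookies_cleared_by("nextcloud.example.com", hosts, hdr))
```

The header is only honoured over HTTPS, so on a plain-HTTP deployment the logout response clears nothing client-side; the server-side session invalidation has to stand on its own.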
- May 11, 2017
Ujjwal Bhardwaj authored
-
- Apr 25, 2017
Christoph Wurst authored
Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
- Apr 13, 2017
Lukas Reschke authored
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into its own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$response->throttle()` to increase the counter. Before, the counter was increased every time, which led to all kinds of unexpected problems. Signed-off-by:
Lukas Reschke <lukas@statuscode.ch>
-
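The opt-in throttling described in the commit above, together with the 64-byte username truncation from the Aug 13, 2018 commit, as one added Python illustration (not Nextcloud's PHP middleware, annotation or throttler; every class, method and parameter name below is an assumption of this example). The point it demonstrates is the one the commit makes: the failed-attempt counter moves only when the controller explicitly marks its response with `throttle()`, so successful responses and unannotated controllers never increment it, and the username stored as throttle metadata is cut to 64 bytes without splitting a UTF-8 character.

```python
"""Opt-in brute-force throttling middleware (illustrative model)."""
import time
from typing import Dict, List, Optional, Tuple

USERNAME_METADATA_LIMIT = 64   # bytes, as in the Aug 2018 commit


def truncate_username(username: str, limit: int = USERNAME_METADATA_LIMIT) -> str:
    """Cut to `limit` bytes of UTF-8; a partially cut character is dropped."""
    return username.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


class Response:
    """Controller result; throttle() marks it as a failed, countable attempt."""
    def __init__(self, status: int = 200):
        self.status = status
        self.throttled = False
        self.throttle_metadata: dict = {}
        self.retry_after = 0          # seconds the client should back off

    def throttle(self, metadata: Optional[dict] = None) -> "Response":
        self.throttled = True
        self.throttle_metadata = metadata or {}
        return self


class Throttler:
    """Counts failed attempts per (client IP, action) inside a sliding window."""
    def __init__(self, max_attempts: int = 5, window: float = 900.0):
        self.max_attempts = max_attempts
        self.window = window
        self._attempts: Dict[Tuple[str, str], List[Tuple[float, dict]]] = {}

    def register_attempt(self, action: str, ip: str, metadata: dict, now: float) -> None:
        self._attempts.setdefault((ip, action), []).append((now, metadata))

    def attempts(self, action: str, ip: str, now: float) -> int:
        return sum(1 for t, _ in self._attempts.get((ip, action), [])
                   if now - t <= self.window)

    def delay_seconds(self, action: str, ip: str, now: float) -> int:
        n = self.attempts(action, ip, now)
        if n < self.max_attempts:
            return 0
        return min(2 ** (n - self.max_attempts + 1), 30)   # capped backoff

    def metadata_for(self, action: str, ip: str) -> List[dict]:
        return [m for _, m in self._attempts.get((ip, action), [])]


class BruteForceMiddleware:
    """Runs after the controller. `action` is the key from the annotation
    (None when the controller is not annotated)."""
    def __init__(self, throttler: Throttler):
        self.throttler = throttler

    def after_controller(self, action: Optional[str], ip: str,
                         response: Response, now: Optional[float] = None) -> Response:
        if action is None or not response.throttled:
            return response           # unannotated, or not a failed attempt
        now = time.time() if now is None else now
        meta = dict(response.throttle_metadata)
        if "user" in meta:
            meta["user"] = truncate_username(str(meta["user"]))
        self.throttler.register_attempt(action, ip, meta, now)
        response.retry_after = self.throttler.delay_seconds(action, ip, now)
        return response


if __name__ == "__main__":
    # Constructed sample: three failed logins, then one success, from one IP.
    mw = BruteForceMiddleware(Throttler(max_attempts=3))
    for i in range(3):
        r = mw.after_controller("login", "203.0.113.5",
                                Response(401).throttle({"user": "alice"}), now=1000.0 + i)
        print("fail", i + 1, "retry_after", r.retry_after)
    print("success retry_after", mw.after_controller("login", "203.0.113.5", Response(200)).retry_after)
```

Keying on (IP, action) rather than on the username is deliberate: a counter keyed on the username alone lets an attacker lock legitimate users out by design.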
- Apr 07, 2017
Joas Schilling authored
Signed-off-by:
Joas Schilling <coding@schilljs.com>
-
- Apr 06, 2017
Arthur Schiwon authored
Signed-off-by:
Arthur Schiwon <blizzz@arthur-schiwon.de>
-
Arthur Schiwon authored
Signed-off-by:
Arthur Schiwon <blizzz@arthur-schiwon.de>
-
- Feb 07, 2017
Sandro Lutz authored
Signed-off-by:
Sandro Lutz <sandro.lutz@temparus.ch>
-
- Feb 06, 2017
Sandro Lutz authored
Signed-off-by:
Sandro Lutz <sandro.lutz@temparus.ch>
-
- Feb 02, 2017
Christoph Wurst authored
Signed-off-by:
Christoph Wurst <christoph@winzerhof-wurst.at>
-
- Feb 01, 2017
Sandro Lutz authored
Signed-off-by:
Sandro Lutz <sandro.lutz@temparus.ch>
-