Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
64891 Commits
691 Branches
1185 Tags
4.2 GiB
Tree: 0cab646ec0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0cab646ec0'
${ noResults }
nextcloud-server/core/Controller/LostController.php

344 lines
11 KiB
Raw Normal View History

Use appframework
12 years ago
Fix others
10 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Update license headers
11 years ago
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Update the license headers for Nextcloud 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Fix others
10 years ago
Update license headers
10 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Update license headers
10 years ago
Update license headers
11 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Fix others
10 years ago
Update license headers
11 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Update license headers
11 years ago
Use appframework
12 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
10 years ago
Use appframework
12 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
6 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
6 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Move OC_Defaults to OCP\Defaults * currently there are two ways to access default values: OCP\Defaults or OC_Defaults (which is extended by OCA\Theming\ThemingDefaults) * our code used a mixture of both of them, which made it hard to work on theme values * this extended the public interface with the missing methods and uses them everywhere to only rely on the public interface Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
only warn about data lose on password reset if per-user keys are used Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
8 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
10 years ago
Add password reset typed events These hooks are only used in the Encryption app from what I can see. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Migrate HintException to OCP Signed-off-by: Gary Kim <gary@garykim.dev>
5 years ago
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
6 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Use new IMailer and add unit-tests for lostcontroller
11 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Add rate limiting on lost password emails Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Migrate HintException to OCP Signed-off-by: Gary Kim <gary@garykim.dev>
5 years ago
Return first value from $users Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
7 years ago
Use appframework
12 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Add "postPasswordReset" hook
11 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
10 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Use appframework
12 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Add password reset typed events These hooks are only used in the Encryption app from what I can see. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Add rate limiting on lost password emails Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
Add password reset typed events These hooks are only used in the Encryption app from what I can see. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Add password reset typed events These hooks are only used in the Encryption app from what I can see. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Add rate limiting on lost password emails Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Use appframework
12 years ago
use more stuff from core :)
12 years ago
Changes according to review
12 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
10 years ago
use more stuff from core :)
12 years ago
Use new IMailer and add unit-tests for lostcontroller
11 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Add password reset typed events These hooks are only used in the Encryption app from what I can see. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Add rate limiting on lost password emails Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
Use appframework
12 years ago
use more stuff from core :)
12 years ago
Use appframework
12 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
10 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
allow using of disabled password reset mechanism for special cases - LostController has three endpoints - door opener email() still rejects - resetform(), reachable from mail, checks the token first and may report that password reset is disabled - setPassword() got its check removed as it is behind CSFR anyway and still requires a valid token - this allows special cases like activating a freshly created guest account Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
10 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
7 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
10 years ago
use more stuff from core :)
12 years ago
move lost controller to core/controller * lostpassword.css is unneeded since #11696 is merged - 1b50d4f7ceb92fffe0d38f823f175cf7e419c69e * js is already in core/js * css is moved to core/css/lostpassword * template is moved to core/templates/lostpassword
10 years ago
Move actual password reset to vue Signed-off-by: Julius Härtl <jus@bitgrid.net>
7 years ago
use more stuff from core :)
12 years ago
Use appframework
12 years ago
use more stuff from core :)
12 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
10 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
10 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
[WIP] Use mail for encrypting the password reset token as well
10 years ago
fixes missing prefix to validate password reset token - also fixes the test which missed asserting the presence of it Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
10 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
more style fixes
12 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
5 years ago
more style fixes
12 years ago
Changes according to review
12 years ago
Add support for ratelimiting via annotations This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Add at most 10 password reset requests per 5 minutes and IP range Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Changes according to review
12 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Disable the API endpoints as well Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
never translate login names when requiring with a user id where appropriate, the preLoginNameUsedAsUserName hook should be thrown. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
8 years ago
use more stuff from core :)
12 years ago
Changes according to review
12 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Generic message on password reset There is no need to inform the user if the account existed or not. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Changes according to review
12 years ago
use more stuff from core :)
12 years ago
Adjust existing bruteforce protection code - Moves code to annotation - Adds the `throttle()` call on the responses on existing annotations Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Changes according to review
12 years ago
use more stuff from core :)
12 years ago
Changes according to review
12 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Use magic DI for core controllers Signed-off-by: Joas Schilling <coding@schilljs.com>
10 years ago
only warn about data lose on password reset if per-user keys are used Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
8 years ago
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
only warn about data lose on password reset if per-user keys are used Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
8 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Changes according to review
12 years ago
Show error messages if a password reset link is invalid or expired - Moved token validation to method checkPasswordResetToken - Render error with message from exceptions
10 years ago
more style fixes
12 years ago
use more stuff from core :)
12 years ago
Add password reset typed events These hooks are only used in the Encryption app from what I can see. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
create new encryption keys on password reset and backup the old one Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
- adding default value for $recoveryPassword - set password correctly in lost password
12 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Changes according to review
12 years ago
use more stuff from core :)
12 years ago
Add password reset typed events These hooks are only used in the Encryption app from what I can see. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Add "postPasswordReset" hook
11 years ago
Clean pending 2FA authentication on password reset When a password is reste we should make sure that all users are properly logged in. Pending states should be cleared. For example a session where the 2FA code is not entered yet should be cleared. The token is now removed so the session will be killed the next time this is checked (within 5 minutes). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Move the reset token to core app
10 years ago
Cleanup legacy user class from unused methods Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Fix translation bug on lost password page Fix nextcloud/password_policy#26 Signed-off-by: Rémy Jacquin <remy@remyj.fr>
8 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
more style fixes
12 years ago
Changes according to review
12 years ago
use more stuff from core :)
12 years ago
prefill userid for login after password reset Signed-off-by: Robin Appelman <robin@icewind.nl>
8 years ago
Changes according to review
12 years ago
use more stuff from core :)
12 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
use more stuff from core :)
12 years ago
Changes according to review
12 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Changes according to review
12 years ago
use more stuff from core :)
12 years ago
Add rate limiting on lost password emails Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
[WIP] Use mail for encrypting the password reset token as well
10 years ago
move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Warn for password reset when files_encryption is enabled This patch wil warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password. Furthermore I updated the code to use our new classes and added some unit tests for it :dancers: Fixes https://github.com/owncloud/core/issues/11438
11 years ago
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
use more stuff from core :)
12 years ago
Merge setMetaData into constructor This ensures that the meta data is set in the beginning Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Also for reset password Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Set the subject with the email template to allow theming Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Fix existing usages Signed-off-by: Joas Schilling <coding@schilljs.com>
8 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Fix existing usages Signed-off-by: Joas Schilling <coding@schilljs.com>
8 years ago
Update email template for lost password email Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
use more stuff from core :)
12 years ago
Changes according to review
12 years ago
Use new IMailer and add unit-tests for lostcontroller
11 years ago
Send emails on password reset to the displayname Signed-off-by: Joas Schilling <coding@schilljs.com>
5 years ago
Use new IMailer and add unit-tests for lostcontroller
11 years ago
Set the data from the template Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Use new IMailer and add unit-tests for lostcontroller
11 years ago
Make LostController use IInitialState and LoggerInterface Signed-off-by: Thomas Citharel <tcit@tcit.fr>
4 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Changes according to review
12 years ago
Use appframework
12 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Use proper exception in lostController There is no need to log the expcetion of most of the stuff here. We should properly log them but an exception is excessive. This moves it to a proper exception which we can catch and then log. The other exceptions will still be fully logged. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Update core/Controller/LostController.php Co-authored-by: John Molakvoæ <skjnldsv@users.noreply.github.com> Signed-off-by: NoSleep82 <52562874+NoSleep82@users.noreply.github.com>
4 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
No password reset for disabled users Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Return first value from $users Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
7 years ago
Enable password reset for user with same email address when only one is active When two or more user share the same email address its not possible to reset password by email. Even when only one account is active. This pr reduce list of users returned by getByEmail by disabled users. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
8 years ago
Return first value from $users Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
7 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Update LostController.php i would be useful to know who is trying to reset the password (misspelled username or email, ex user or some sort of attack) Signed-off-by: NoSleep82 <52562874+NoSleep82@users.noreply.github.com>
4 years ago
Allow to reset the password with the email as an input Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Use appframework
12 years ago
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
  6. * @author Bernhard Posselt <dev@bernhard-posselt.com>
  7. * @author Bjoern Schiessle <bjoern@schiessle.org>
  8. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  9. * @author Daniel Kesselberg <mail@danielkesselberg.de>
  10. * @author Joas Schilling <coding@schilljs.com>
  11. * @author Julius Haertl <jus@bitgrid.net>
  12. * @author Julius Härtl <jus@bitgrid.net>
  13. * @author Lukas Reschke <lukas@statuscode.ch>
  14. * @author Morris Jobke <hey@morrisjobke.de>
  15. * @author Rémy Jacquin <remy@remyj.fr>
  16. * @author Robin Appelman <robin@icewind.nl>
  17. * @author Roeland Jago Douma <roeland@famdouma.nl>
  18. * @author Thomas Müller <thomas.mueller@tmit.eu>
  19. * @author Victor Dubiniuk <dubiniuk@owncloud.com>
  20. *
  21. * @license AGPL-3.0
  22. *
  23. * This code is free software: you can redistribute it and/or modify
  24. * it under the terms of the GNU Affero General Public License, version 3,
  25. * as published by the Free Software Foundation.
  26. *
  27. * This program is distributed in the hope that it will be useful,
  28. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  29. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  30. * GNU Affero General Public License for more details.
  31. *
  32. * You should have received a copy of the GNU Affero General Public License, version 3,
  33. * along with this program. If not, see <http://www.gnu.org/licenses/>
  34. *
  35. */
  36. namespace OC\Core\Controller;
  38. use Exception;
  39. use OCP\AppFramework\Controller;
  40. use OCP\AppFramework\Http\JSONResponse;
  41. use OCP\AppFramework\Http\TemplateResponse;
  42. use OCP\AppFramework\Services\IInitialState;
  43. use OCP\Defaults;
  44. use OCP\Encryption\IEncryptionModule;
  45. use OCP\Encryption\IManager;
  46. use OCP\EventDispatcher\IEventDispatcher;
  47. use OCP\HintException;
  48. use OCP\IConfig;
  49. use OCP\IL10N;
  50. use OCP\IRequest;
  51. use OCP\IURLGenerator;
  52. use OCP\IUser;
  53. use OCP\IUserManager;
  54. use OCP\Mail\IMailer;
  55. use OCP\Security\VerificationToken\IVerificationToken;
  56. use OCP\Security\VerificationToken\InvalidTokenException;
  57. use OC\Authentication\TwoFactorAuth\Manager;
  58. use OC\Core\Events\BeforePasswordResetEvent;
  59. use OC\Core\Events\PasswordResetEvent;
  60. use OC\Core\Exception\ResetPasswordException;
  61. use OC\Security\RateLimiting\Exception\RateLimitExceededException;
  62. use OC\Security\RateLimiting\Limiter;
  63. use Psr\Log\LoggerInterface;
  64. use function array_filter;
  65. use function count;
  66. use function reset;
  68. /**
  69. * Class LostController
  70. *
  71. * Successfully changing a password will emit the post_passwordReset hook.
  72. *
  73. * @package OC\Core\Controller
  74. */
  75. class LostController extends Controller {
  76. protected IURLGenerator $urlGenerator;
  77. protected IUserManager $userManager;
  78. protected Defaults $defaults;
  79. protected IL10N $l10n;
  80. protected string $from;
  81. protected IManager $encryptionManager;
  82. protected IConfig $config;
  83. protected IMailer $mailer;
  84. private LoggerInterface $logger;
  85. private Manager $twoFactorManager;
  86. private IInitialState $initialState;
  87. private IVerificationToken $verificationToken;
  88. private IEventDispatcher $eventDispatcher;
  89. private Limiter $limiter;
  91. public function __construct(
  92. string $appName,
  93. IRequest $request,
  94. IURLGenerator $urlGenerator,
  95. IUserManager $userManager,
  96. Defaults $defaults,
  97. IL10N $l10n,
  98. IConfig $config,
  99. string $defaultMailAddress,
  100. IManager $encryptionManager,
  101. IMailer $mailer,
  102. LoggerInterface $logger,
  103. Manager $twoFactorManager,
  104. IInitialState $initialState,
  105. IVerificationToken $verificationToken,
  106. IEventDispatcher $eventDispatcher,
  107. Limiter $limiter
  108. ) {
  109. parent::__construct($appName, $request);
  110. $this->urlGenerator = $urlGenerator;
  111. $this->userManager = $userManager;
  112. $this->defaults = $defaults;
  113. $this->l10n = $l10n;
  114. $this->from = $defaultMailAddress;
  115. $this->encryptionManager = $encryptionManager;
  116. $this->config = $config;
  117. $this->mailer = $mailer;
  118. $this->logger = $logger;
  119. $this->twoFactorManager = $twoFactorManager;
  120. $this->initialState = $initialState;
  121. $this->verificationToken = $verificationToken;
  122. $this->eventDispatcher = $eventDispatcher;
  123. $this->limiter = $limiter;
  124. }
  126. /**
  127. * Someone wants to reset their password:
  128. *
  129. * @PublicPage
  130. * @NoCSRFRequired
  131. */
  132. public function resetform(string $token, string $userId): TemplateResponse {
  133. try {
  134. $this->checkPasswordResetToken($token, $userId);
  135. } catch (Exception $e) {
  136. if ($this->config->getSystemValue('lost_password_link', '') !== 'disabled'
  137. || ($e instanceof InvalidTokenException
  138. && !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
  139. ) {
  140. return new TemplateResponse(
  141. 'core', 'error', [
  142. "errors" => [["error" => $e->getMessage()]]
  143. ],
  144. TemplateResponse::RENDER_AS_GUEST
  145. );
  146. }
  147. return new TemplateResponse('core', 'error', [
  148. 'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
  149. ],
  150. TemplateResponse::RENDER_AS_GUEST
  151. );
  152. }
  153. $this->initialState->provideInitialState('resetPasswordUser', $userId);
  154. $this->initialState->provideInitialState('resetPasswordTarget',
  155. $this->urlGenerator->linkToRouteAbsolute('core.lost.setPassword', ['userId' => $userId, 'token' => $token])
  156. );
  158. return new TemplateResponse(
  159. 'core',
  160. 'login',
  161. [],
  162. 'guest'
  163. );
  164. }
  166. /**
  167. * @throws Exception
  168. */
  169. protected function checkPasswordResetToken(string $token, string $userId): void {
  170. try {
  171. $user = $this->userManager->get($userId);
  172. $this->verificationToken->check($token, $user, 'lostpassword', $user ? $user->getEMailAddress() : '', true);
  173. } catch (InvalidTokenException $e) {
  174. $error = $e->getCode() === InvalidTokenException::TOKEN_EXPIRED
  175. ? $this->l10n->t('Could not reset password because the token is expired')
  176. : $this->l10n->t('Could not reset password because the token is invalid');
  177. throw new Exception($error, (int)$e->getCode(), $e);
  178. }
  179. }
  181. private function error(string $message, array $additional = []): array {
  182. return array_merge(['status' => 'error', 'msg' => $message], $additional);
  183. }
  185. private function success(array $data = []): array {
  186. return array_merge($data, ['status' => 'success']);
  187. }
  189. /**
  190. * @PublicPage
  191. * @BruteForceProtection(action=passwordResetEmail)
  192. * @AnonRateThrottle(limit=10, period=300)
  193. */
  194. public function email(string $user): JSONResponse {
  195. if ($this->config->getSystemValue('lost_password_link', '') !== '') {
  196. return new JSONResponse($this->error($this->l10n->t('Password reset is disabled')));
  197. }
  199. \OCP\Util::emitHook(
  200. '\OCA\Files_Sharing\API\Server2Server',
  201. 'preLoginNameUsedAsUserName',
  202. ['uid' => &$user]
  203. );
  205. // FIXME: use HTTP error codes
  206. try {
  207. $this->sendEmail($user);
  208. } catch (ResetPasswordException $e) {
  209. // Ignore the error since we do not want to leak this info
  210. $this->logger->warning('Could not send password reset email: ' . $e->getMessage());
  211. } catch (Exception $e) {
  212. $this->logger->error($e->getMessage(), ['exception' => $e]);
  213. }
  215. $response = new JSONResponse($this->success());
  216. $response->throttle();
  217. return $response;
  218. }
  220. /**
  221. * @PublicPage
  222. */
  223. public function setPassword(string $token, string $userId, string $password, bool $proceed): array {
  224. if ($this->encryptionManager->isEnabled() && !$proceed) {
  225. $encryptionModules = $this->encryptionManager->getEncryptionModules();
  226. foreach ($encryptionModules as $module) {
  227. /** @var IEncryptionModule $instance */
  228. $instance = call_user_func($module['callback']);
  229. // this way we can find out whether per-user keys are used or a system wide encryption key
  230. if ($instance->needDetailedAccessList()) {
  231. return $this->error('', ['encryption' => true]);
  232. }
  233. }
  234. }
  236. try {
  237. $this->checkPasswordResetToken($token, $userId);
  238. $user = $this->userManager->get($userId);
  240. $this->eventDispatcher->dispatchTyped(new BeforePasswordResetEvent($user, $password));
  241. \OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', ['uid' => $userId, 'password' => $password]);
  243. if (!$user->setPassword($password)) {
  244. throw new Exception();
  245. }
  247. $this->eventDispatcher->dispatchTyped(new PasswordResetEvent($user, $password));
  248. \OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', ['uid' => $userId, 'password' => $password]);
  250. $this->twoFactorManager->clearTwoFactorPending($userId);
  252. $this->config->deleteUserValue($userId, 'core', 'lostpassword');
  253. @\OC::$server->getUserSession()->unsetMagicInCookie();
  254. } catch (HintException $e) {
  255. return $this->error($e->getHint());
  256. } catch (Exception $e) {
  257. return $this->error($e->getMessage());
  258. }
  260. return $this->success(['user' => $userId]);
  261. }
  263. /**
  264. * @throws ResetPasswordException
  265. * @throws \OCP\PreConditionNotMetException
  266. */
  267. protected function sendEmail(string $input): void {
  268. $user = $this->findUserByIdOrMail($input);
  269. $email = $user->getEMailAddress();
  271. if (empty($email)) {
  272. throw new ResetPasswordException('Could not send reset e-mail since there is no email for username ' . $input);
  273. }
  275. try {
  276. $this->limiter->registerUserRequest('lostpasswordemail', 5, 1800, $user);
  277. } catch (RateLimitExceededException $e) {
  278. throw new ResetPasswordException('Could not send reset e-mail, 5 of them were already sent in the last 30 minutes', 0, $e);
  279. }
  281. // Generate the token. It is stored encrypted in the database with the
  282. // secret being the users' email address appended with the system secret.
  283. // This makes the token automatically invalidate once the user changes
  284. // their email address.
  285. $token = $this->verificationToken->create($user, 'lostpassword', $email);
  287. $link = $this->urlGenerator->linkToRouteAbsolute('core.lost.resetform', ['userId' => $user->getUID(), 'token' => $token]);
  289. $emailTemplate = $this->mailer->createEMailTemplate('core.ResetPassword', [
  290. 'link' => $link,
  291. ]);
  293. $emailTemplate->setSubject($this->l10n->t('%s password reset', [$this->defaults->getName()]));
  294. $emailTemplate->addHeader();
  295. $emailTemplate->addHeading($this->l10n->t('Password reset'));
  297. $emailTemplate->addBodyText(
  298. htmlspecialchars($this->l10n->t('Click the following button to reset your password. If you have not requested the password reset, then ignore this email.')),
  299. $this->l10n->t('Click the following link to reset your password. If you have not requested the password reset, then ignore this email.')
  300. );
  302. $emailTemplate->addBodyButton(
  303. htmlspecialchars($this->l10n->t('Reset your password')),
  304. $link,
  305. false
  306. );
  307. $emailTemplate->addFooter();
  309. try {
  310. $message = $this->mailer->createMessage();
  311. $message->setTo([$email => $user->getDisplayName()]);
  312. $message->setFrom([$this->from => $this->defaults->getName()]);
  313. $message->useTemplate($emailTemplate);
  314. $this->mailer->send($message);
  315. } catch (Exception $e) {
  316. // Log the exception and continue
  317. $this->logger->error($e->getMessage(), ['app' => 'core', 'exception' => $e]);
  318. }
  319. }
  321. /**
  322. * @throws ResetPasswordException
  323. */
  324. protected function findUserByIdOrMail(string $input): IUser {
  325. $user = $this->userManager->get($input);
  326. if ($user instanceof IUser) {
  327. if (!$user->isEnabled()) {
  328. throw new ResetPasswordException('User ' . $user->getUID() . ' is disabled');
  329. }
  331. return $user;
  332. }
  334. $users = array_filter($this->userManager->getByEmail($input), function (IUser $user) {
  335. return $user->isEnabled();
  336. });
  338. if (count($users) === 1) {
  339. return reset($users);
  340. }
  342. throw new ResetPasswordException('Could not find user ' . $input);
  343. }
  344. }