Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
79770 Commits
630 Branches
1167 Tags
3.9 GiB
Tree: c9aea8ffdf
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c9aea8ffdf'
${ noResults }
nextcloud-server/lib/private/AppFramework/Middleware/FlowV2EphemeralSessionsMidd...

58 lines
1.5 KiB
Raw Normal View History

feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
fix(login): Also check legacy annotation for ephemeral sessions Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
fix(auth): Allow 2FA challenges for Ephemeral sessions Signed-off-by: Joas Schilling <coding@schilljs.com>
9 months ago
feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
fix(login): Properly target public page with attribute Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
fix(login): Also check legacy annotation for ephemeral sessions Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
fix(auth): Allow 2FA challenges for Ephemeral sessions Signed-off-by: Joas Schilling <coding@schilljs.com>
9 months ago
feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
fix(login): Properly target public page with attribute Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
fix(login): Also check legacy annotation for ephemeral sessions Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
feat: Close sessions created for login flow v2 Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser. This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request. Signed-off-by: Louis Chemineau <louis@chmn.me>
10 months ago
  1. <?php
  3. declare(strict_types=1);
  4. /**
  5. * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
  6. * SPDX-License-Identifier: AGPL-3.0-only
  7. */
  8. namespace OC\AppFramework\Middleware;
  10. use OC\AppFramework\Utility\ControllerMethodReflector;
  11. use OC\Core\Controller\ClientFlowLoginV2Controller;
  12. use OC\Core\Controller\TwoFactorChallengeController;
  13. use OCP\AppFramework\Controller;
  14. use OCP\AppFramework\Http\Attribute\PublicPage;
  15. use OCP\AppFramework\Middleware;
  16. use OCP\ISession;
  17. use OCP\IUserSession;
  18. use ReflectionMethod;
  20. // Will close the session if the user session is ephemeral.
  21. // Happens when the user logs in via the login flow v2.
  22. class FlowV2EphemeralSessionsMiddleware extends Middleware {
  23. public function __construct(
  24. private ISession $session,
  25. private IUserSession $userSession,
  26. private ControllerMethodReflector $reflector,
  27. ) {
  28. }
  30. public function beforeController(Controller $controller, string $methodName) {
  31. if (!$this->session->get(ClientFlowLoginV2Controller::EPHEMERAL_NAME)) {
  32. return;
  33. }
  35. if (
  36. $controller instanceof ClientFlowLoginV2Controller &&
  37. ($methodName === 'grantPage' || $methodName === 'generateAppPassword')
  38. ) {
  39. return;
  40. }
  42. if ($controller instanceof TwoFactorChallengeController) {
  43. return;
  44. }
  46. $reflectionMethod = new ReflectionMethod($controller, $methodName);
  47. if (!empty($reflectionMethod->getAttributes(PublicPage::class))) {
  48. return;
  49. }
  51. if ($this->reflector->hasAnnotation('PublicPage')) {
  52. return;
  53. }
  55. $this->userSession->logout();
  56. $this->session->close();
  57. }
  58. }