Pluggable auth #24189
<default_enable/> | ||
<types> | ||
<!-- this is used to disable the feature of enabling an app for specific groups only because this would break this app --> | ||
<filesystem/> |
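Review bot: the `<filesystem/>` entry under `<types>` is declared only for its side effect, as the inline comment itself says, so the manifest labels the app as something it is not. Declare the type that matches what the app actually does, and keep the comment only if the group-restriction behaviour still needs explaining for that type.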
Remove, authentication also blocks disabling such apps
This provider app example will be removed, it's just there for testing purposes
|
||
/** | ||
* @param string $token | ||
* @return boolean|string user UID if token is valid, false when invalid |
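Review bot: the `@return boolean|string` contract in this docblock invites callers to test the result with a loose truthiness check, and in PHP a UID such as "0" is falsy, so a valid token for that user would be handled as invalid. Either require a strict `=== false` comparison at every call site, or return only the UID string and signal an invalid token by throwing, with the exception named in an `@throws` line.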
I'm personally not a huge fan of APIs that return multiple types. Can we make it throw an exception when invalid?
yes, using an exception sounds better
* @param array $errors | ||
* @param string[] $messages | ||
*/ | ||
public static function displayLoginPage($errors = array(), $messages = []) { |
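Review bot: in the `displayLoginPage` signature the two defaults use different array syntax (`array()` for `$errors`, `[]` for `$messages`), and the docblock types `$errors` as a bare `array` while `$messages` is `string[]`. Use one syntax for both defaults and document the element type of `$errors` so callers know what shape to pass.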
Isn't that like, dead in master? :)
add some range to time() assertions
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
This revives #1975

I removed the two-factor code from this PR to keep it simple.

TODO:
- Invalidate tokens if the session is killed in base.php? -> Invalidate browser session token when maximum session lifetime is reached #24542

curl --request POST -F 'user=youruser' -F 'password=yourpassword' localhost:8080/token/generate

- Don't use sessions if the client sends an auth token -> Don't use session if the client uses an auth token #24543

BUGS:
- Changing own password kicks you out, hence the session token needs to be updated on password change -> Changing own password logs you out #24544
- Not possible to add an account to the desktop client – I suspect the login url change to cause that. @LukasReschke what are we gonna do about that? It works, I was testing with wrong credentials 🙈
- "Unable to generate a URL for the named route \\\"login#showLoginForm\\\" as such route does not exist.
- ORA-12899: value too large for column "AUTOTEST"."oc_authtoken"."token" (actual: 128, maximum: 100)

Next steps (follow-up PRs):