Add login.token_auth_enforced parameter to disallow password-based logins completely.
Description
This prevents the login form from rendering and sessions from being created even for handcrafted requests (even if CSRF protection is disabled).
Related Issue
- Fixes https://github.com/owncloud/core/issues/39484
Motivation and Context
As described in the original ticket, I'm paranoid and want to disable password-based logins after enabling two-factor authentication on my personal ownCloud instance.
What do you think? Especially of the parameter name? `token_auth_enforced` is used for everything but the browser login, and `login.alternatives` is used for adding the buttons, so that namespace and the analogous parameter name seemed to kinda make sense to me, but I have no strong opinion about this.
How Has This Been Tested?
In my regular development setup :)
Screenshots (if appropriate):
With the customer portal it obviously doesn't make sense, because you still need to log in after registering, but I think the button is analogous to, e.g., the OIDC login button.
Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Database schema changes (next release will require increase of minor version instead of patch)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Technical debt
- [ ] Tests only (no source changes)
Checklist:
- [x] Code changes
- [ ] Unit tests added
- [ ] Acceptance tests added
- [ ] Documentation ticket raised:
- [ ] Changelog item, see TEMPLATE
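To make the description's point concrete, here is an added example (not code from this PR or from ownCloud core) of why the flag must be checked in the handler that creates the session and not only where the form is rendered: a handcrafted POST never touches the form, and the check must not depend on CSRF validation either. Class and method names are assumptions; `SystemConfig` is a stand-in whose `getSystemValue` merely mirrors the shape of a config lookup, and the two sample configurations at the bottom are constructed.

```php
<?php
// Added illustration, not ownCloud's code. A minimal login controller that
// gates both the login form (GET) and the session-creating POST on a
// hypothetical config flag `login.token_auth_enforced`.
declare(strict_types=1);

final class SystemConfig
{
    /** @param array<string,mixed> $values constructed config.php-style values */
    public function __construct(private array $values) {}

    // Stand-in for a config service lookup (assumed signature).
    public function getSystemValue(string $key, mixed $default = null): mixed
    {
        return $this->values[$key] ?? $default;
    }
}

final class Response
{
    public function __construct(public int $status, public string $body) {}
}

final class LoginController
{
    public function __construct(private SystemConfig $config) {}

    private function passwordLoginEnabled(): bool
    {
        // Explicit bool cast with a false default: an unset key must yield
        // false, never null, so a template or test never sees a null flag.
        return !(bool) $this->config->getSystemValue('login.token_auth_enforced', false);
    }

    /** GET /login: render the form, or a notice when password login is off. */
    public function showLoginForm(): Response
    {
        if (!$this->passwordLoginEnabled()) {
            return new Response(200, 'Password login is disabled; use an alternative login method.');
        }
        return new Response(200, '<form method="post"><input name="user"><input name="password" type="password"></form>');
    }

    /**
     * POST /login: the check that actually matters. Hiding the form is not
     * enough; a handcrafted POST is refused before any credential check or
     * session creation, independently of whether CSRF protection is on.
     */
    public function tryLogin(string $user, string $password): Response
    {
        if (!$this->passwordLoginEnabled()) {
            return new Response(403, 'Password-based login is disabled on this instance.');
        }
        // Credential verification and session creation would follow here.
        return new Response(303, 'session created for ' . $user);
    }
}

// Constructed configs: the default (password login allowed) beside the
// enforced setting that the PR proposes.
$open   = new LoginController(new SystemConfig([]));
$locked = new LoginController(new SystemConfig(['login.token_auth_enforced' => true]));

assert($open->tryLogin('alice', 'hunter2')->status === 303);
assert($locked->showLoginForm()->body !== $open->showLoginForm()->body);
assert($locked->tryLogin('alice', 'hunter2')->status === 403);
echo "ok\n";
```

The point of the two assertions on `$locked` is that the POST path returns 403 without ever reaching credential verification, regardless of what the GET path rendered; any implementation that only suppresses the form would still pass the first assertion and fail the last one.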
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.
https://github.com/owncloud/core/tree/work/login.token_auth_enforced
This branch is 1 commit ahead, 1074 commits behind master.
Please start from a current core master branch.
Rebased
This is docs relevant, please file a docs issue when close to merge.
Ping?
Rebased.
https://drone.owncloud.com/owncloud/core/34822/10/7
There were 13 failures:
1) Tests\Core\Controller\LoginControllerTest::testResponseForNotLoggedinUser
Failed asserting that two objects are equal.
--- Expected
+++ Actual
@@ @@
'alt_login' => Array ()
'rememberLoginAllowed' => false
'rememberLoginState' => 0
- 'strictLoginEnforced' => false
+ 'strictLoginEnforced' => null
+ 'login.token_auth_enforced' => null
)
'renderAs' => 'guest'
'appName' => 'core'
...
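Review bot: both actual values in this diff are `null` where the expected array has `false`, and an extra `'login.token_auth_enforced' => null` key shows up in the template parameters, which suggests the test's config mock is not stubbed for the new key and the controller is forwarding the raw config key name into the template. Suggest reading the flag as `(bool) $config->getSystemValue('login.token_auth_enforced', false)` so `strictLoginEnforced` can never be null, and either dropping the raw `login.token_auth_enforced` entry from the template parameters or adding it to the expected array in `LoginControllerTest::testResponseForNotLoggedinUser`.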
Does anyone have an opinion or comment about this?
Maybe @micbar @JanAckermann @JammingBen ?
@DeepDiver1975 maybe you can have a look at this