Merge pull request #4466 from dokuwiki/trustedproxies

Remove remaining uses of old proxy settings

�� Rector and PHPCS fixes

add random delay on login #4491

This is meant to mitigate timing attacks on the login mechanism.

Make is_ssl and baseurl use proper proxy checks

This should not only address #4455 but also ensures that the related
headers are only used when they come from a trusted reverse proxy chain.

treat getallheaders more suspiciously. fixes #4415

mv UNUSABLE_PASSWORD const to defines

add new behavior to doc block

allow to set unusable password

This could be used by plugins such as dokuwiki-plugin-oauth to create
accounts that can only by accessed via SSO.

�� Rector and PHPCS fixes

unset empty REMOTE_USER. fixes #4348

An empty remote user should not be set at all. Seems like some
webservers always set the environment var, even if no authentication
happened. I'd argue that this

unset empty REMOTE_USER. fixes #4348

An empty remote user should not be set at all. Seems like some
webservers always set the environment var, even if no authentication
happened. I'd argue that this is wrong, but this should fix the
behaviour.

show more ...

alternative token header support

The Authorization header is not always passed on to PHP, depending on
the setup (See https://stackoverflow.com/q/34472303 for examples and
workarounds).

This patch

alternative token header support

The Authorization header is not always passed on to PHP, depending on
the setup (See https://stackoverflow.com/q/34472303 for examples and
workarounds).

This patch adds support for an alternative X-DokuWiki-Token header that
can be used when using token authentication and the standard
Authorization header can not be used.

show more ...

gracefully handle decryption errors

This should fix #4198

adjust AES encryption to match phpseclib version2

See https://github.com/phpseclib/phpseclib/discussions/1974#discussioncomment-8107663

upgrade to phpseclib 3

This replaces the dependabot PR #4114 and adjusts the usage of the
library.

�� Rector and PHPCS fixes

prefer getallheaders() over apache_request_headers()

Merge pull request #2432 from dokuwiki/tokenauth

Implement Token Authentication

Tokenauth: ignore case when gettign auth header from apache

Introduce token authentication #2431

This generates a JWT token for users. This token can be sent in a Bearer
authentication header as a login mechanism. Users can reset their token
in the profile.

Introduce token authentication #2431

This generates a JWT token for users. This token can be sent in a Bearer
authentication header as a login mechanism. Users can reset their token
in the profile.

Note: a previously suggested implementation used a custom token format,
not JWT tokens

show more ...

Fix updateProfile() not checking for removed $changes["pass"]

If the authentication plugin does not support modifying passwords, we
unset($changes['pass']) further above, but then the check for
$cha

Fix updateProfile() not checking for removed $changes["pass"]

If the authentication plugin does not support modifying passwords, we
unset($changes['pass']) further above, but then the check for
$changes['pass'] must also handle the case that we did indeed unset it.

show more ...

remove debug, fix codesniffer

use $auth instanceof AuthPlugin instead of not null check

unused items, phpdocs

code style: line breaks

code style: operator spacing