Commit Graph

132 Commits (754baf00c01e0f682ec5fcdd024e46d6d48d1502)

Author SHA1 Message Date
Renaud Chaput c3e1d86d58
Fix log out from user menu not working on Safari (#31402) 5 months ago
Claire 2ec1181ee5
Fix contrast between background and form elements on some pages (#31266) 6 months ago
Matt Jankowski 929b9fdaff
Remove exclusion for `Rails/LexicallyScopedActionFilter` cop (#30697) 7 months ago
Matt Jankowski 9b5055d34d
Fix `Style/SuperArguments` cop (#30406) 8 months ago
Claire d4d0565b0f
Fix user creation failure handling in OAuth paths (#29207) 11 months ago
Claire b31af34c97
Merge pull request from GHSA-vm39-j3vx-pch3
* Prevent different identities from a same SSO provider from accessing a same account

* Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true`

* Rename methods to avoid confusion between OAuth and OmniAuth
11 months ago
Claire eeabf9af72
Fix compatibility with Redis <6.2 (#29123) 12 months ago
Matt Jankowski 17ea22671d
Fix `Style/GuardClause` cop in app/controllers (#28420) 1 year ago
Claire e2d9635074
Add notification email on invalid second authenticator (#28822) 1 year ago
Claire 3593ee2e36
Add rate-limit of TOTP authentication attempts at controller level (#28801) 1 year ago
Matt Jankowski 0e5b8fc46b
Fix `Style/RedundantReturn` cop (#28391) 1 year ago
Claire 963354978a
Add `Account#unavailable?` and `Account#permanently_unavailable?` aliases (#28053) 1 year ago
Matt Jankowski 1f1c75bba5
File cleanup/organization in `controllers/concerns` (#27846) 1 year ago
Claire 07a4059901
Add support for invite codes in the registration API (#27805) 1 year ago
Claire 49b8433c56
Fix confusing screen when visiting a confirmation link for an already-confirmed email (#27368) 1 year ago
Claire 379115e601
Add SELF_DESTRUCT env variable to process self-destructions in the background (#26439) 1 year ago
Matt Jankowski 340f1a68be
Simplify instance presenter view access (#26046) 1 year ago
Matt Jankowski 50ff3d3342
Coverage for `Auth::OmniauthCallbacks` controller (#26147) 2 years ago
Claire b629e21515
Fix unexpected redirection to /explore after sign-in (#26143) 2 years ago
Matt Jankowski 5134fc65e2
Fix `Naming/AccessorMethodName` cop (#25924) 2 years ago
Claire e6a8faae81
Add users index on unconfirmed_email (#25672) 2 years ago
Claire 180f0e6715
Fix inefficient query when requesting a new confirmation email from a logged-in account (#25669) 2 years ago
Eugen Rochko f20698000f
Fix always redirecting to onboarding in web UI (#25396) 2 years ago
Frankie Roberto 36a77748b4
Order sessions by most-recent to least-recently updated (#25005) 2 years ago
Claire bec6a1cad4
Add hCaptcha support (#25019) 2 years ago
Matt Jankowski 6e226f5a32
Fix Rails/ActionOrder cop (#24692) 2 years ago
Eugen Rochko e98c86050a
Refactor `Cache-Control` and `Vary` definitions (#24347) 2 years ago
Eugen Rochko e5c0b16735
Add progress indicator to sign-up flow (#24545) 2 years ago
Claire 280fa3b2c0
Fix invalid/expired invites being processed on sign-up (#24337) 2 years ago
CSDUMMI d258ec8e3b
Prefer the stored location as after_sign_in_path in Omniauth Callback Controller (#24073) 2 years ago
Nick Schonning aef0051fd0
Enable Rubocop HTTP status rules (#23717) 2 years ago
Nick Schonning e2a3ebb271
Autofix Rubocop Style/IfUnlessModifier (#23697) 2 years ago
David Vega 1b5d207131
Fix single name variables on controller folder (#20092)
Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com>

Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com>
Co-authored-by: Effy Elden <effy@effy.space>
2 years ago
Francis Murillo 5fb1c3e934
Revoke all authorized applications on password reset (#21325)
* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset paassword controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
2 years ago
Claire 48e136605a
Fix form-action CSP directive for external login (#20962) 2 years ago
Daniel Axtens 4d85c27d1a
Add 'private' to Cache-Control, match Rails expectations (#20608)
Several controlers set quite intricate Cache-Control headers in order to
hopefully not be cached by any intermediate proxies or local caches. Unfortunately,
these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes
and discards any values set alongside no-store other than private:
8015c2c2cf/actionpack/lib/action_dispatch/http/cache.rb (L207-L209)

We want to preserve no-store on these responses, but we might as well remove
parts that are going to be dropped anyway. As many of the endpoints in these
controllers are private to a particular user, we should also add "private",
which will be preserved alongside no-store.
2 years ago
Claire 1e1289b024
Fix crash when external auth provider has no display_name set (#19962)
Fixes #19913
2 years ago
Claire a529d6d93e
Fix invites (#19560)
Fixes #19507

Fix regression from #19296
2 years ago
Eugen Rochko 679274465b
Add server rules to sign-up flow (#19296) 2 years ago
Eugen Rochko d83faa1a89
Add ability to block sign-ups from IP (#19037) 2 years ago
Claire 327eed0076
Fix suspicious sign-in mails never being sent (#18599)
* Add tests

* Fix suspicious sign-in mails never being sent
3 years ago
Eugen Rochko 96129c2f10
Fix confirmation redirect to app without `Location` header (#18523) 3 years ago
Eugen Rochko 6221b36b27
Remove sign-in token authentication, instead send e-mail about new sign-in (#17970) 3 years ago
chandrn7 a6ed6845c9
Allow login through OpenID Connect (#16221)
* added OpenID Connect as an SSO option

* minor fixes

* added comments, removed an option that shouldn't be set

* fixed Gemfile.lock

* added newline to end of Gemfile.lock

* removed tab from Gemfile.lock

* remove chomp

* codeclimate changes and small name change to make function's purpose clearer

* codeclimate fix

* added SSO buttons to /about page

* minor refactor

* minor style change

* removed spurious change

* removed unecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth

* minor changes
3 years ago
Claire 14919fe11e
Change old moderation strikes to be displayed in a separate page (#17566)
* Change old moderation strikes to be displayed in a separate page

Fixes #17552

This changes the moderation strikes displayed on `/auth/edit` to be those from
the past 3 months, and make all moderation strikes targeting the current user
available in `/disputes`.

* Add short description of what the strikes page is for

* Move link to list of strikes to “Account status” instead of navigation item

* Normalize i18n file

* Fix layout and styling of strikes link

* Revert highlights_on regexp

* Reintroduce account status summary

- this way, “Account status” is never empty
- account status is not necessarily bound to strikes, or recent strikes
3 years ago
Eugen Rochko 564efd0651
Add appeals (#17364)
* Add appeals

* Add ability to reject appeals and ability to browse pending appeals in admin UI

* Add strikes to account page in settings

* Various fixes and improvements

- Add separate notification setting for appeals, separate from reports
- Fix style of links in report/strike header
- Change approving an appeal to not restore statuses (due to federation complexities)
- Change style of successfully appealed strikes on account settings page
- Change account settings page to only show unappealed or recently appealed strikes

* Change appealed_at to overruled_at

* Fix missing method error
3 years ago
Claire bddd9ba36d
Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN

Fixes #15959

Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.

As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.

* Add OMNIAUTH_ONLY environment variable to enforce external log-in only

* Disable user registration when OMNIAUTH_ONLY is set to true

* Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
3 years ago
Claire cfa583fa71
Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)
Fixes #15959

Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.

As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
3 years ago
Eugen Rochko 8e84ebf0cb
Remove IP tracking columns from users table (#16409) 3 years ago
Claire 6da135a493
Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
3 years ago