Commit Graph

134 Commits (ae667624acbdcba796921dc44c24efd362d4a49a)

Author SHA1 Message Date
Matt Jankowski a397141d78
Move non-action public method controller callback to private methods ()
Matt Jankowski a9d0b48b65
Set "admin" body class from `admin` nested layout ()
Renaud Chaput c3e1d86d58
Fix log out from user menu not working on Safari ()
Claire 2ec1181ee5
Fix contrast between background and form elements on some pages ()
Matt Jankowski 929b9fdaff
Remove exclusion for `Rails/LexicallyScopedActionFilter` cop ()
Matt Jankowski 9b5055d34d
Fix `Style/SuperArguments` cop ()
Claire d4d0565b0f
Fix user creation failure handling in OAuth paths ()
Claire b31af34c97
Merge pull request from GHSA-vm39-j3vx-pch3
* Prevent different identities from the same SSO provider from accessing the same account

* Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true`

* Rename methods to avoid confusion between OAuth and OmniAuth
Claire eeabf9af72
Fix compatibility with Redis <6.2 ()
Matt Jankowski 17ea22671d
Fix `Style/GuardClause` cop in app/controllers ()
Claire e2d9635074
Add notification email on invalid second authenticator ()
Claire 3593ee2e36
Add rate-limit of TOTP authentication attempts at controller level ()
Matt Jankowski 0e5b8fc46b
Fix `Style/RedundantReturn` cop ()
Claire 963354978a
Add `Account#unavailable?` and `Account#permanently_unavailable?` aliases ()
Matt Jankowski 1f1c75bba5
File cleanup/organization in `controllers/concerns` ()
Claire 07a4059901
Add support for invite codes in the registration API ()
Claire 49b8433c56
Fix confusing screen when visiting a confirmation link for an already-confirmed email ()
Claire 379115e601
Add SELF_DESTRUCT env variable to process self-destructions in the background ()
Matt Jankowski 340f1a68be
Simplify instance presenter view access ()
Matt Jankowski 50ff3d3342
Coverage for `Auth::OmniauthCallbacks` controller ()
Claire b629e21515
Fix unexpected redirection to /explore after sign-in ()
Matt Jankowski 5134fc65e2
Fix `Naming/AccessorMethodName` cop ()
Claire e6a8faae81
Add users index on unconfirmed_email ()
Claire 180f0e6715
Fix inefficient query when requesting a new confirmation email from a logged-in account ()
Eugen Rochko f20698000f
Fix always redirecting to onboarding in web UI ()
Frankie Roberto 36a77748b4
Order sessions by most-recent to least-recently updated ()
Claire bec6a1cad4
Add hCaptcha support ()
Matt Jankowski 6e226f5a32
Fix Rails/ActionOrder cop ()
Eugen Rochko e98c86050a
Refactor `Cache-Control` and `Vary` definitions ()
Eugen Rochko e5c0b16735
Add progress indicator to sign-up flow ()
Claire 280fa3b2c0
Fix invalid/expired invites being processed on sign-up ()
CSDUMMI d258ec8e3b
Prefer the stored location as after_sign_in_path in Omniauth Callback Controller ()
Nick Schonning aef0051fd0
Enable Rubocop HTTP status rules ()
Nick Schonning e2a3ebb271
Autofix Rubocop Style/IfUnlessModifier ()
David Vega 1b5d207131
Fix single name variables on controller folder ()
Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com>
Co-authored-by: Effy Elden <effy@effy.space>
Francis Murillo 5fb1c3e934
Revoke all authorized applications on password reset ()
* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset password controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
Claire 48e136605a
Fix form-action CSP directive for external login ()
Daniel Axtens 4d85c27d1a
Add 'private' to Cache-Control, match Rails expectations ()
Several controllers set quite intricate Cache-Control headers in order to
hopefully not be cached by any intermediate proxies or local caches. Unfortunately,
these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes
and discards any values set alongside no-store other than private:
8015c2c2cf/actionpack/lib/action_dispatch/http/cache.rb (L207-L209)

We want to preserve no-store on these responses, but we might as well remove
parts that are going to be dropped anyway. As many of the endpoints in these
controllers are private to a particular user, we should also add "private",
which will be preserved alongside no-store.
Claire 1e1289b024
Fix crash when external auth provider has no display_name set ()
Fixes 
Claire a529d6d93e
Fix invites ()
Fixes 

Fix regression from 
Eugen Rochko 679274465b
Add server rules to sign-up flow ()
Eugen Rochko d83faa1a89
Add ability to block sign-ups from IP ()
Claire 327eed0076
Fix suspicious sign-in mails never being sent ()
* Add tests

* Fix suspicious sign-in mails never being sent
Eugen Rochko 96129c2f10
Fix confirmation redirect to app without `Location` header ()
Eugen Rochko 6221b36b27
Remove sign-in token authentication, instead send e-mail about new sign-in ()
chandrn7 a6ed6845c9
Allow login through OpenID Connect ()
* added OpenID Connect as an SSO option

* minor fixes

* added comments, removed an option that shouldn't be set

* fixed Gemfile.lock

* added newline to end of Gemfile.lock

* removed tab from Gemfile.lock

* remove chomp

* codeclimate changes and small name change to make function's purpose clearer

* codeclimate fix

* added SSO buttons to /about page

* minor refactor

* minor style change

* removed spurious change

* removed unnecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth

* minor changes
Claire 14919fe11e
Change old moderation strikes to be displayed in a separate page ()
* Change old moderation strikes to be displayed in a separate page

Fixes 

This changes the moderation strikes displayed on `/auth/edit` to be those from
the past 3 months, and makes all moderation strikes targeting the current user
available in `/disputes`.

* Add short description of what the strikes page is for

* Move link to list of strikes to “Account status” instead of navigation item

* Normalize i18n file

* Fix layout and styling of strikes link

* Revert highlights_on regexp

* Reintroduce account status summary

- this way, “Account status” is never empty
- account status is not necessarily bound to strikes, or recent strikes
Eugen Rochko 564efd0651
Add appeals ()
* Add appeals

* Add ability to reject appeals and ability to browse pending appeals in admin UI

* Add strikes to account page in settings

* Various fixes and improvements

- Add separate notification setting for appeals, separate from reports
- Fix style of links in report/strike header
- Change approving an appeal to not restore statuses (due to federation complexities)
- Change style of successfully appealed strikes on account settings page
- Change account settings page to only show unappealed or recently appealed strikes

* Change appealed_at to overruled_at

* Fix missing method error
Claire bddd9ba36d
Add OMNIAUTH_ONLY environment variable to enforce external log-in ()
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN

Fixes 

Introduced in , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by  from
appearing, and completely broke with the introduction of .

As restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.

* Add OMNIAUTH_ONLY environment variable to enforce external log-in only

* Disable user registration when OMNIAUTH_ONLY is set to true

* Replace log-in links when OMNIAUTH_ONLY is set with exactly one OmniAuth provider
Claire cfa583fa71
Remove support for OAUTH_REDIRECT_AT_SIGN_IN ()
Fixes 

Introduced in , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by  from
appearing, and completely broke with the introduction of .

As restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.