Commit graph

36 commits

Author SHA1 Message Date
Eugen Rochko
2dbf6bc5ad Add e-mail-based sign in challenge for users with disabled 2FA () 2020-06-09 10:23:06 +02:00
ThibG
ddd9bad7f1 Fix sign-ups without checked user agreement being accepted through the web form ()
* Fix user agreement not being verified

* Fix tests

* Fix up agreement field being dismissed
2020-02-16 12:56:53 +01:00
Eugen Rochko
1781358bd9 Add password challenge to 2FA settings, e-mail notifications ()
Fix 
2019-09-18 16:37:27 +02:00
Eugen Rochko
8eb0d880cb Fix 2FA challenge and password challenge for non-database users ()
* Fix 2FA challenge not appearing for non-database users

Fix 

* Fix account deletion not working when using external login

Fix 
2019-09-15 21:08:39 +02:00
Eugen Rochko
6be7b414e2 Change unconfirmed user login behaviour ()
Allow access to account settings, 2FA, authorized applications, and
account deletions to unconfirmed and pending users, as well as
users who had their accounts disabled. Suspended users cannot update
their e-mail or password or delete their account.

Display account status on account settings page, for example, when
an account is frozen, limited, unconfirmed or pending review.

After sign up, login users straight away and show a simple page that
tells them the status of their account with links to account settings
and logout, to reduce onboarding friction and allow users to correct
wrongly typed e-mail addresses.

Move the final sign-up step of SSO integrations to be the same
as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
ThibG
af3971a0e6 Check that an invite link is valid before bypassing approval mode ()
* Check that an invite link is valid before bypassing approval mode

Fixes 

* Add tests

* Only consider valid invite links in registration controller

* fixup
2019-05-02 04:30:12 +02:00
Eugen Rochko
73fb7bfa0f Admission-based registrations mode ()
Fix 
Fix 
2019-03-14 05:28:30 +01:00
takayamaki
17229858c8 fix: Execute PAM authentication tests on CircleCI ()
and use 'if' option of context block
2018-10-20 17:28:04 +02:00
Eugen Rochko
7e8733a518 Do not test PAM authentication by default ()
* Do not test PAM authentication by default

* Disable PAM tests if PAM is not enabled
2018-10-20 07:32:26 +02:00
aus-social
a53bcb6213 Lint pass () 2018-10-04 12:36:53 +02:00
Eugen Rochko
72a8ca84e0 Add force_login option to OAuth authorize page ()
* Add force_login option to OAuth authorize page

For when a user needs to sign into an app from multiple accounts
on the same server

* When logging out from modal header, redirect back after re-login
2018-09-09 04:10:44 +02:00
Shuhei Kitagawa
2828f36415 Add missing tests for confirmations controller () 2018-06-21 10:40:23 +09:00
Yamagishi Kazutoshi
3637c4983b Reset locale on registration tests () 2018-04-21 23:37:07 +02:00
Yamagishi Kazutoshi
7da649efb4 Use raw status code on have_http_status () 2018-04-21 21:35:07 +02:00
Alexander
8a9da4c414 update gem, test pam authentication ()
* update gem, test pam authentication

* add description for test parameters

* fix inclusion of optional group
2018-04-11 21:40:38 +02:00
Patrick Figel
bc5487a1c2 Fix email confirmation link not updating email ()
A change introduced in  prevents
`Devise::Models::Confirmable#confirm` from being called for existing
users, which in turn leads to `email` not being set to
`unconfirmed_email`, breaking email updates. This also adds a test
that would've caught this issue.
2018-01-05 00:15:35 +01:00
Eugen Rochko
6628ea4a82 Default follows for new users ()
When a new user confirms their e-mail, bootstrap their home timeline
by automatically following a set of accounts. By default, all local
admin accounts (that are unlocked). Can be customized by new admin
setting (comma-separated usernames, local and unlocked only)
2017-09-10 09:58:38 +02:00
Eugen Rochko
fd69694749 Add "signed in as" header to some pages () 2017-08-05 04:24:58 +02:00
nullkal
62b92a4c0a Redirect to PasswordController#new when reset_password_token is invalid () 2017-08-03 17:45:45 +02:00
Akihiko Odaki (@fn_aki@pawoo.net)
4ca14209d1 Cover Auth::RegistrationsController more () 2017-06-25 21:42:55 +02:00
René Klačan
ecdf17a2d7 Make sure email is case insensitive on all places ()
When case insensitivity is enabled via devise's `config.case_insensitive_keys` then `.find_for_authentication` method needs to be used instead of `.find_by` because second mentioned returns `nil` when valid email with different cases is passed.

More info https://github.com/plataformatec/devise/wiki/How-To:-Use-case-insensitive-emails
2017-06-11 02:29:08 +02:00
Akihiko Odaki
587f2d0b1f Spec Auth::ConfirmationsController () 2017-05-29 18:13:11 +02:00
Akihiko Odaki
503298d89b Spec Auth::PasswordsController () 2017-05-29 18:10:50 +02:00
Akinori MUSHA
8a5d3b2e5d Go to root after login in single user mode ()
In single user mode, visitors are redirected to the single user's
profile page.  So, if you are the owner without a session, you start
from that page, click the login button and authenticate yourself
expecting you'll soon get started with the home page, but in reality
you'll get redirected back to where you started from -- your own
profile page.

This fixes the behavior by redirecting you home after login if you
have started from your own profile page.
2017-05-26 14:14:03 +02:00
Eugen Rochko
b886ecea5c Fix Devise destroy method being available to delete user record ()
(You may think that we need account deletions, but this way would've just orphaned the db records)
2017-05-23 21:32:42 +02:00
Matt Jankowski
129e06f0b3 Auth sign out ()
* Add a spec for signing out

* Add spec showing that suspended user gets a 403 forbidden on sign out

* Allow suspended account users to sign out
2017-05-02 23:37:58 +02:00
Matt Jankowski
b17d7a1f85 Catch error when server decryption fails on 2FA () 2017-04-27 15:18:21 +02:00
alpaca-tc
31d49716c6 Localize with i18n for Devise::FailureApp ()
This PR fixes I18n.locale for rake middlewares. Mastodon uses Devise that depends on Warden.
Warden::Manager can be found in rake middleware. It is outside of the controller.

In the case of authentication failed, warden calls throw(:warden). At the time Warden::Manager
delegates request to failure_app to generate response and flash[:alert] after catching it.
Unfortunately, I18n.locale is already reset then because I18n.with_locale is enabled only
inside the controller. If we used I18n.locale=, Devise::FailureApp could get the current locale.
2017-04-25 15:06:41 +02:00
saturday06
abf70be71e Assign user locale on signup () 2017-04-17 10:29:08 +02:00
Patrick Figel
15b393201e Add recovery code support for two-factor auth ()
* Add recovery code support for two-factor auth

When users enable two-factor auth, the app now generates ten
single-use recovery codes. Users are encouraged to print the codes
and store them in a safe place.

The two-factor prompt during login now accepts both OTP codes and
recovery codes.

The two-factor settings UI allows users to regenerated lost
recovery codes. Users who have set up two-factor auth prior to
this feature being added can use it to generate recovery codes
for the first time.

Fixes  and fixes 

* Set OTP_SECRET in test enviroment

* add missing .html to view file names
2017-04-15 13:26:03 +02:00
Eugen
47a3702db4 Fix /api/v1/accounts/update_credentials tests () 2017-04-09 20:23:14 +02:00
Eugen Rochko
800f6cf6a3 Fix - fix redirect after sign-up (to login page instead of homepage) 2017-01-04 15:31:25 +01:00
Eugen Rochko
08ed85b3cf Fix - Devise mailer fixed, test spec added so it won't slip past again 2016-11-17 12:29:11 +01:00
Eugen Rochko
7e14eefc81 Replace logo, fix - delete/unreblog/unfavourite API, fix - app
registration API
2016-09-26 23:56:53 +02:00
Eugen Rochko
10ba09f546 Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
Eugen Rochko
ff2cbc0753 Remember me enabled by default 2016-03-28 00:06:52 +02:00