Commit graph

25 commits

Author SHA1 Message Date
Eugen Rochko
8eb0d880cb Fix 2FA challenge and password challenge for non-database users (#11831)
* Fix 2FA challenge not appearing for non-database users

Fix #11685

* Fix account deletion not working when using external login

Fix #11691
2019-09-15 21:08:39 +02:00
Moritz Heiber
f2cefd9d73 Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers (#9819) 2019-01-15 23:11:46 +01:00
Sorin Davidoi
0b1c90bf88 feat(cookies): Use the same-site attribute to lax (#8626)
CSFR-prevention is already implemented but adding this doesn't hurt.

A brief introduction to Same-Site cookies (and the difference between strict and
lax) can be found at
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

TLDR: We use lax since we want the cookies to be sent when the user navigates
safely from an external site.
2018-09-08 23:54:28 +02:00
Immae
cbaabe0215 Add ldap search filter (#8151) 2018-08-15 18:12:44 +02:00
abcang
b46416fe47 Add secure option to additional cookie (#8069) 2018-07-25 18:49:47 +02:00
Eugen Rochko
59b3b38b0e Add LDAP_TLS_NO_VERIFY option, don't require LDAP_ENABLED outside .env (#6845)
Fix #6816, fix #6790
2018-03-20 19:41:51 +01:00
Alexander
af08f6042d rename pam email environment variable to something more understandable and default to LOCAL_DOMAIN (better fallback) (#6833) 2018-03-19 20:09:26 +01:00
Alexander
988f6505e4 fix logic for pam_controlled_service (#6599) 2018-03-02 19:02:50 +01:00
Eugen Rochko
9721b7746a Fix #942: Seamless LDAP login (#6556) 2018-02-28 19:04:53 +01:00
Eugen Rochko
555e7205da Make PAM gem optional, allow configuration over environment (#6415) 2018-02-04 15:05:53 +01:00
Alexander
23ce0c86da pam authentication (#5303)
* add pam support, without extra column

* bugfixes for pam login

* document options

* fix code style

* fix codestyle

* fix tests

* don't call remember_me without password

* fix codestyle

* improve checks for pam usage (should fix tests)

* fix remember_me part 1

* add remember_token column because :rememberable requires either a password or this column.

* migrate db for remember_token

* move pam_authentication to the right place, fix logic bug in edit.html.haml

* fix tests

* fix pam authentication, improve username lookup, add comment

* valid? is sometimes not honored, return nil instead trying to authenticate with pam

* update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests

* update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user

* codeconvention fixes

* code convention fixes

* fix idention

* update dependency, explicit conflict check

* fix disabled password updates if in pam mode

* fix check password if password is present, fix templates

* block registration if account is maintained by pam

* Revert "block registration if account is maintained by pam"

This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20.

* fix identation error introduced by rebase

* block usernames maintained by pam

* document pam settings better

* fix code style
2018-02-02 10:18:55 +01:00
Patrick Figel
3c20cfd734 Add confirmation step for email changes (#6071)
* Add confirmation step for email changes

This adds a confirmation step for email changes of existing users.
Like the initial account confirmation, a confirmation link is sent
to the new address.

Additionally, a notification is sent to the existing address when
the change is initiated. This message includes instruction to reset
the password immediately or to contact the instance admin if the
change was not initiated by the account owner.

Fixes #3871

* Add review fixes
2018-01-02 16:55:00 +01:00
Eugen Rochko
506508f30c Extend Devise remember_me longevity to 1 year instead of 2 weeks (#4587)
Force SSL only cookies for remember_me, adjust confirmation
expiration time to fit with the user cleanup scheduler
2017-08-12 16:30:59 +02:00
Eugen Rochko
f3e8fca1a7 Fix sessions being replaced needlessly (#4292) 2017-07-22 01:09:10 +02:00
Eugen Rochko
0217e15dd3 Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091)
* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions

* Fix tests, smooth migrate from previous session-based identifier
2017-07-07 23:25:15 +02:00
Eugen Rochko
c465c5b3a8 Add overview of active sessions (#3929)
* Add overview of active sessions

* Better display of browser/platform name

* Improve how browser information is stored and displayed for sessions overview

* Fix test
2017-06-25 16:54:30 +02:00
Sorin Davidoi
1280559503 Revocable sessions (#3616)
* feat: Revocable sessions

* fix: Tests using sign_in

* feat: Configuration entry for the maximum number of session activations
2017-06-23 18:50:53 +02:00
Patrick Figel
15b393201e Add recovery code support for two-factor auth (#1773)
* Add recovery code support for two-factor auth

When users enable two-factor auth, the app now generates ten
single-use recovery codes. Users are encouraged to print the codes
and store them in a safe place.

The two-factor prompt during login now accepts both OTP codes and
recovery codes.

The two-factor settings UI allows users to regenerated lost
recovery codes. Users who have set up two-factor auth prior to
this feature being added can use it to generate recovery codes
for the first time.

Fixes #563 and fixes #987

* Set OTP_SECRET in test enviroment

* add missing .html to view file names
2017-04-15 13:26:03 +02:00
Yann GUERN
dc7ea0225a Avoid user enumeration with devise paranoid mode (#1527) 2017-04-11 14:21:15 +02:00
Eugen Rochko
0bf8c1b5d8 Do not automatically login after password reset, as it would circumvent two-factor auth (if enabled)
Do not require e-mail address changes to be re-confirmed, it's only trouble for no real benefit
2017-01-27 20:35:16 +01:00
Eugen Rochko
9b8670c939 Added optional two-factor authentication 2017-01-27 20:35:16 +01:00
Eugen Rochko
0e0b4f9e59 i18n for devise mailer too 2016-11-16 18:25:21 +01:00
Eugen Rochko
2c374cd97c Adding e-mail configuration 2016-03-16 12:13:40 +01:00
Eugen Rochko
ab6696e855 Adding doorkeeper, adding a REST API
POST /api/statuses                  Params: status (text contents), in_reply_to_id (optional)
GET  /api/statuses/:id
POST /api/statuses/:id/reblog

GET  /api/accounts/:id
GET  /api/accounts/:id/following
GET  /api/accounts/:id/followers
POST /api/accounts/:id/follow
POST /api/accounts/:id/unfollow

POST /api/follows                  Params: uri (e.g. user@domain)

OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
2016-03-07 12:42:33 +01:00
Eugen Rochko
7e93da3f8d Removing grape and adding devise 2016-03-05 13:12:24 +01:00