Commit Graph

128 Commits

Author SHA1 Message Date
Claire d4d0565b0f
Fix user creation failure handling in OAuth paths () 2024-02-14 21:49:45 +00:00
Claire b31af34c97
Merge pull request from GHSA-vm39-j3vx-pch3
* Prevent different identities from the same SSO provider from accessing the same account

* Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true`

* Rename methods to avoid confusion between OAuth and OmniAuth
2024-02-14 15:16:07 +01:00
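The linkage rule the GHSA-vm39-j3vx-pch3 commit describes, as an added example that is not Mastodon's code: an external identity is a (provider, uid) pair, an account may be linked to at most one uid per provider, and a second uid from the same provider is refused unless the operator opts in with `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true`. The class and method names (`AccountStore`, `resolve`, `link_identity!`, `ReattachRefused`) are assumptions made for this example.

```ruby
# Added example, not Mastodon's code: models the check described in the
# GHSA-vm39-j3vx-pch3 commit. An external identity is (provider, uid); an
# account may be linked to at most one uid per provider, and a second uid
# from the same provider must not be attached to an existing account unless
# the operator explicitly sets ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true.
# Names (Identity, AccountStore, resolve, link_identity!) are assumptions.

Identity = Struct.new(:provider, :uid, :account_id)

class ReattachRefused < StandardError; end

class AccountStore
  def initialize(allow_unsafe_reattach: ENV["ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH"] == "true")
    @identities = []                       # all known (provider, uid) -> account links
    @allow_unsafe_reattach = allow_unsafe_reattach
  end

  # Resolve an OmniAuth callback's (provider, uid) to an account id. Returns the
  # account the identity is already linked to, or links the identity to
  # +candidate_account_id+ (e.g. the account matched by verified e-mail) when safe.
  def resolve(provider:, uid:, candidate_account_id:)
    existing = @identities.find { |i| i.provider == provider && i.uid == uid }
    return existing.account_id if existing

    link_identity!(provider, uid, candidate_account_id)
  end

  private

  def link_identity!(provider, uid, account_id)
    other = @identities.find { |i| i.provider == provider && i.account_id == account_id }
    if other && other.uid != uid && !@allow_unsafe_reattach
      # Same provider, different subject: refusing means a second identity at the
      # same IdP cannot take over an account that is linked to the first one.
      raise ReattachRefused, "account #{account_id} is already linked to #{provider}:#{other.uid}"
    end

    @identities.delete(other) if other       # only reached when reattach is allowed
    @identities << Identity.new(provider, uid, account_id)
    account_id
  end
end

if $PROGRAM_NAME == __FILE__
  store = AccountStore.new
  store.resolve(provider: "oidc", uid: "alice-1", candidate_account_id: 42)
  begin
    store.resolve(provider: "oidc", uid: "mallory-2", candidate_account_id: 42)
  rescue ReattachRefused => e
    puts "refused: #{e.message}"
  end
end
```

The refusal is keyed on the account's existing link for that provider, not on the e-mail match alone, which is what stops a second subject at the same IdP from reaching an account the first subject already owns.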
Claire eeabf9af72
Fix compatibility with Redis <6.2 () 2024-02-07 11:52:38 +00:00
Matt Jankowski 17ea22671d
Fix `Style/GuardClause` cop in app/controllers () 2024-01-25 15:13:41 +00:00
Claire e2d9635074
Add notification email on invalid second authenticator () 2024-01-22 13:55:43 +00:00
Claire 3593ee2e36
Add rate-limit of TOTP authentication attempts at controller level () 2024-01-19 12:19:49 +00:00
Matt Jankowski 0e5b8fc46b
Fix `Style/RedundantReturn` cop () 2023-12-18 09:50:51 +00:00
Claire 963354978a
Add `Account#unavailable?` and `Account#permanently_unavailable?` aliases () 2023-11-30 15:43:26 +00:00
Matt Jankowski 1f1c75bba5
File cleanup/organization in `controllers/concerns` () 2023-11-30 14:39:41 +00:00
Claire 07a4059901
Add support for invite codes in the registration API () 2023-11-13 13:27:00 +00:00
Claire 49b8433c56
Fix confusing screen when visiting a confirmation link for an already-confirmed email () 2023-10-25 21:33:44 +00:00
Claire 379115e601
Add SELF_DESTRUCT env variable to process self-destructions in the background () 2023-10-23 15:46:21 +00:00
Matt Jankowski 340f1a68be
Simplify instance presenter view access () 2023-09-28 16:52:37 +02:00
Matt Jankowski 50ff3d3342
Coverage for `Auth::OmniauthCallbacks` controller () 2023-07-25 09:46:57 +02:00
Claire b629e21515
Fix unexpected redirection to /explore after sign-in () 2023-07-24 16:06:32 +02:00
Matt Jankowski 5134fc65e2
Fix `Naming/AccessorMethodName` cop () 2023-07-12 10:03:19 +02:00
Claire e6a8faae81
Add users index on unconfirmed_email () 2023-07-02 19:41:35 +02:00
Claire 180f0e6715
Fix inefficient query when requesting a new confirmation email from a logged-in account () 2023-07-02 16:08:58 +02:00
Eugen Rochko f20698000f
Fix always redirecting to onboarding in web UI () 2023-06-14 09:05:03 +02:00
Frankie Roberto 36a77748b4
Order sessions by most-recent to least-recently updated () 2023-05-22 11:40:00 +02:00
Claire bec6a1cad4
Add hCaptcha support () 2023-05-16 23:27:35 +02:00
Matt Jankowski 6e226f5a32
Fix Rails/ActionOrder cop () 2023-04-30 06:46:39 +02:00
Eugen Rochko e98c86050a
Refactor `Cache-Control` and `Vary` definitions () 2023-04-19 16:07:29 +02:00
Eugen Rochko e5c0b16735
Add progress indicator to sign-up flow () 2023-04-16 07:01:24 +02:00
Claire 280fa3b2c0
Fix invalid/expired invites being processed on sign-up () 2023-03-31 21:42:28 +02:00
CSDUMMI d258ec8e3b
Prefer the stored location as after_sign_in_path in Omniauth Callback Controller () 2023-03-13 00:06:27 +01:00
Nick Schonning aef0051fd0
Enable Rubocop HTTP status rules () 2023-02-20 11:16:40 +09:00
Nick Schonning e2a3ebb271
Autofix Rubocop Style/IfUnlessModifier () 2023-02-18 12:37:47 +01:00
David Vega 1b5d207131
Fix single name variables on controller folder ()
Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com>

Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com>
Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15 17:11:58 +01:00
Francis Murillo 5fb1c3e934
Revoke all authorized applications on password reset ()
* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset password controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15 15:47:06 +01:00
Claire 48e136605a
Fix form-action CSP directive for external login () 2022-11-17 22:59:07 +01:00
Daniel Axtens 4d85c27d1a
Add 'private' to Cache-Control, match Rails expectations ()
Several controllers set quite intricate Cache-Control headers in order to
hopefully not be cached by any intermediate proxies or local caches. Unfortunately,
these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes
and discards any values set alongside no-store other than private:
8015c2c2cf/actionpack/lib/action_dispatch/http/cache.rb (L207-L209)

We want to preserve no-store on these responses, but we might as well remove
parts that are going to be dropped anyway. As many of the endpoints in these
controllers are private to a particular user, we should also add "private",
which will be preserved alongside no-store.
2022-11-16 04:56:30 +01:00
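The squashing rule the commit describes, as an added example in plain Ruby that is neither Rails nor Mastodon code: when the directives include `no-store`, only `no-store` (and `private`, if set) survive and everything else is dropped. Only the `no-store` branch is modelled here; other headers are passed through unchanged, which is a simplification, and the function names are assumptions.

```ruby
# Added example, not Rails or Mastodon code: a plain-Ruby model of the
# Cache-Control squashing the commit describes. With no-store present,
# ActionDispatch keeps only no-store (plus private, if set) and drops the
# rest. Only that branch is modelled; other headers pass through unchanged
# (a simplification). Function names are assumptions for this example.

def parse_cache_control(header)
  header.to_s.split(",").map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
    name, value = directive.split("=", 2)
    acc[name.downcase] = value.nil? ? true : value   # "no-store" => true, "max-age" => "0"
  end
end

# Returns the header value that would actually be emitted for +header+.
def normalize_cache_control(header)
  control = parse_cache_control(header)
  if control["no-store"]
    parts = []
    parts << "private" if control["private"]        # private is the only companion kept
    parts << "no-store"
    return parts.join(", ")
  end
  control.map { |k, v| v == true ? k : "#{k}=#{v}" }.join(", ")
end

if $PROGRAM_NAME == __FILE__
  # What the "intricate" header collapses to, and what the fixed one keeps.
  puts normalize_cache_control("no-cache, no-store, max-age=0, must-revalidate")  # no-store
  puts normalize_cache_control("private, no-store")                              # private, no-store
end
```

The practical consequence for per-user endpoints is that `private, no-store` is the whole header worth writing: `no-cache`, `max-age=0` and `must-revalidate` never reach the client once `no-store` is present.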
Claire 1e1289b024
Fix crash when external auth provider has no display_name set ()
Fixes 
2022-11-07 15:43:24 +01:00
Claire a529d6d93e
Fix invites ()
Fixes 

Fix regression from 
2022-10-30 19:04:39 +01:00
Eugen Rochko 679274465b
Add server rules to sign-up flow () 2022-10-05 18:57:33 +02:00
Eugen Rochko d83faa1a89
Add ability to block sign-ups from IP () 2022-08-24 19:00:37 +02:00
Claire 327eed0076
Fix suspicious sign-in mails never being sent ()
* Add tests

* Fix suspicious sign-in mails never being sent
2022-06-21 15:16:22 +02:00
Eugen Rochko 96129c2f10
Fix confirmation redirect to app without `Location` header () 2022-05-26 22:03:54 +02:00
Eugen Rochko 6221b36b27
Remove sign-in token authentication, instead send e-mail about new sign-in () 2022-04-06 20:58:12 +02:00
chandrn7 a6ed6845c9
Allow login through OpenID Connect ()
* added OpenID Connect as an SSO option

* minor fixes

* added comments, removed an option that shouldn't be set

* fixed Gemfile.lock

* added newline to end of Gemfile.lock

* removed tab from Gemfile.lock

* remove chomp

* codeclimate changes and small name change to make function's purpose clearer

* codeclimate fix

* added SSO buttons to /about page

* minor refactor

* minor style change

* removed spurious change

* removed unnecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth

* minor changes
2022-03-09 12:07:35 +01:00
Claire 14919fe11e
Change old moderation strikes to be displayed in a separate page ()
* Change old moderation strikes to be displayed in a separate page

Fixes 

This changes the moderation strikes displayed on `/auth/edit` to be those from
the past 3 months, and make all moderation strikes targeting the current user
available in `/disputes`.

* Add short description of what the strikes page is for

* Move link to list of strikes to “Account status” instead of navigation item

* Normalize i18n file

* Fix layout and styling of strikes link

* Revert highlights_on regexp

* Reintroduce account status summary

- this way, “Account status” is never empty
- account status is not necessarily bound to strikes, or recent strikes
2022-03-01 19:37:47 +01:00
Eugen Rochko 564efd0651
Add appeals ()
* Add appeals

* Add ability to reject appeals and ability to browse pending appeals in admin UI

* Add strikes to account page in settings

* Various fixes and improvements

- Add separate notification setting for appeals, separate from reports
- Fix style of links in report/strike header
- Change approving an appeal to not restore statuses (due to federation complexities)
- Change style of successfully appealed strikes on account settings page
- Change account settings page to only show unappealed or recently appealed strikes

* Change appealed_at to overruled_at

* Fix missing method error
2022-02-14 21:27:53 +01:00
Claire bddd9ba36d
Add OMNIAUTH_ONLY environment variable to enforce external log-in ()
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN

Fixes 

Introduced in , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by  from
appearing, and completely broke with the introduction of .

As restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.

* Add OMNIAUTH_ONLY environment variable to enforce external log-in only

* Disable user registration when OMNIAUTH_ONLY is set to true

* Replace log-in links when OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23 15:52:58 +01:00
Claire cfa583fa71
Remove support for OAUTH_REDIRECT_AT_SIGN_IN ()
Fixes 

Introduced in , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by  from
appearing, and completely broke with the introduction of .

As restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
2022-01-23 15:50:41 +01:00
Eugen Rochko 8e84ebf0cb
Remove IP tracking columns from users table () 2022-01-16 13:23:50 +01:00
Claire 6da135a493
Fix reviving revoked sessions and invalidating login ()
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00
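The two designs the commit contrasts, as an added toy model that is neither Mastodon's nor Devise's code: with a single remember token stored on the user record, a browser whose session was closed from `/auth/edit` can respawn a session from its `remember_user_token` cookie, and revoking the token logs out every browser; with the `_session_id` cookie as the only long-lived token, revocation is exact per browser. Class and method names are assumptions made for this example.

```ruby
# Added example, not Mastodon's or Devise's code: a toy model of the two
# designs the commit contrasts. SharedRememberTokenAuth keeps one token on
# the user record shared by all browsers; PerSessionAuth treats the browser's
# own session id as its only remember token. Names are assumptions.
require "securerandom"

class SharedRememberTokenAuth
  def initialize
    @remember_token = SecureRandom.hex(16)   # one token shared by every browser
    @sessions = {}                           # session_id => active?
  end

  # Browser logs in: gets its own session id plus the shared remember token.
  def login
    sid = SecureRandom.hex(16)
    @sessions[sid] = true
    { session_id: sid, remember_token: @remember_token }
  end

  # Closing a session from /auth/edit only marks that session inactive.
  def revoke_session(sid)
    @sessions[sid] = false
  end

  # Truly stopping auto-log-in means rotating the shared token, which logs
  # out every browser, not just the one being revoked.
  def revoke_remember_token!
    @remember_token = SecureRandom.hex(16)
  end

  # Per request: an active session is accepted; otherwise a valid remember
  # cookie silently respawns a fresh session (the revival issue).
  def authenticate(cookies)
    return cookies[:session_id] if @sessions[cookies[:session_id]]
    if cookies[:remember_token] == @remember_token
      sid = SecureRandom.hex(16)
      @sessions[sid] = true
      return sid
    end
    nil
  end
end

class PerSessionAuth
  def initialize
    @sessions = {}                           # session_id => active
  end

  def login
    sid = SecureRandom.hex(16)
    @sessions[sid] = true
    { session_id: sid }                      # the session id is the only long-lived token
  end

  def revoke_session(sid)
    @sessions.delete(sid)                    # nothing remains that could respawn it
  end

  def authenticate(cookies)
    @sessions[cookies[:session_id]] ? cookies[:session_id] : nil
  end
end
```

In the shared design, revoking browser A's session and then presenting A's cookies again yields a brand-new session; in the per-session design the same sequence yields `nil`, and browser B's session is untouched either way.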
Claire 24f9ea7818
Fix webauthn secure key authentication ()
* Add tests

* Fix webauthn secure key authentication

Fixes 
2021-09-30 05:26:29 +02:00
Truong Nguyen 7283a5d3b9
Explicitly set userVerification to discouraged () 2021-08-26 09:51:22 -05:00
Claire 94bcf45321
Fix authentication failures after going halfway through a sign-in attempt ()
* Add tests

* Add security-related tests

My first (unpublished) attempt at fixing the issues introduced (extremely
hard-to-exploit) security vulnerabilities, addressing them in a test.

* Fix authentication failures after going halfway through a sign-in attempt

* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
2021-08-25 22:52:41 +02:00
Daniel 5c21021176
Fix undefined variable for Auth::OmniauthCallbacksController ()
The addition of authentication history broke the omniauth login with
the following error:

  method=GET path=/auth/auth/cas/callback format=html
  controller=Auth::OmniauthCallbacksController action=cas status=500
  error='NameError: undefined local variable or method `user' for
  #<Auth::OmniauthCallbacksController:0x00000000036290>
  Did you mean?  @user' duration=435.93 view=0.00 db=36.19

* app/controllers/auth/omniauth_callbacks_controller.rb: fix variable
  name to `@user`
2021-08-25 17:40:56 +02:00