mastodon/app/models
Claire 6da135a493
Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00
..
account_suggestions Change auto-following admin-selected accounts, show in recommendations (#16078) 2021-04-24 17:01:43 +02:00
admin Fix 404 error when filtering admin action logs by non-existent target account (#16643) 2021-10-14 20:53:11 +02:00
concerns Add remove from followers api (#16864) 2021-10-18 12:02:35 +02:00
form Add remove from followers api (#16864) 2021-10-18 12:02:35 +02:00
web Add `policy` param to `POST /api/v1/push/subscriptions` (#16040) 2021-04-15 05:00:25 +02:00
account.rb Switch from unmaintained paperclip to kt-paperclip (#16724) 2021-09-29 23:52:36 +02:00
account_alias.rb Remove dependency on goldfinger gem (#14919) 2020-10-08 00:34:57 +02:00
account_conversation.rb allow pagination by min_id and max_id (#14776) 2020-09-12 17:09:49 +02:00
account_deletion_request.rb Change account suspensions to be reversible by default (#14726) 2020-09-15 14:37:58 +02:00
account_domain_block.rb
account_filter.rb Fix admins being able to suspend their instance actor (#14567) 2020-12-15 17:23:58 +01:00
account_identity_proof.rb
account_migration.rb Fix race conditions on account migration creation (#15597) 2021-02-02 14:49:57 +01:00
account_moderation_note.rb
account_note.rb Fix AccountNote not having a maximum length (#16942) 2021-11-06 00:12:25 +01:00
account_pin.rb
account_stat.rb Fix upgrade path from 3.4.0 (#16465) 2021-07-07 21:13:30 +02:00
account_statuses_cleanup_policy.rb Allow keeping only 1 boosts/favs on auto deleting posts (#16653) 2021-10-14 21:11:14 +02:00
account_suggestions.rb Change auto-following admin-selected accounts, show in recommendations (#16078) 2021-04-24 17:01:43 +02:00
account_summary.rb Fix FollowRecommendationsScheduler failing because of unpopulated views (#16189) 2021-05-09 10:39:29 +02:00
account_warning.rb Add account sensitized (#14361) 2020-11-04 20:45:01 +01:00
account_warning_preset.rb Add titles to warning presets in admin UI (#13252) 2020-03-12 17:57:59 +01:00
admin.rb
announcement.rb Change order of announcements in admin page to sort them newest-first (#15091) 2020-11-04 21:15:22 +01:00
announcement_filter.rb Add announcements (#12662) 2020-01-23 22:00:13 +01:00
announcement_mute.rb Add announcements (#12662) 2020-01-23 22:00:13 +01:00
announcement_reaction.rb Add announcements (#12662) 2020-01-23 22:00:13 +01:00
application_record.rb
backup.rb Add announcements (#12662) 2020-01-23 22:00:13 +01:00
block.rb
bookmark.rb Add feature to automatically delete old toots (#16529) 2021-08-09 23:11:50 +02:00
canonical_email_block.rb Add canonical e-mail blocks for suspended accounts (#16049) 2021-04-17 03:14:25 +02:00
context.rb
conversation.rb
conversation_mute.rb
custom_emoji.rb Switch from unmaintained paperclip to kt-paperclip (#16724) 2021-09-29 23:52:36 +02:00
custom_emoji_category.rb
custom_emoji_filter.rb Various fixes and improvements (#12878) 2020-01-20 15:55:03 +01:00
custom_filter.rb Optimize map { ... }.compact calls (#15513) 2021-01-10 00:32:01 +01:00
device.rb Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
domain_allow.rb Fix performance on instances list in admin UI (#15282) 2020-12-14 09:06:34 +01:00
domain_block.rb Add option to obfuscate domain name in public list of domain blocks (#15355) 2020-12-18 08:30:41 +01:00
email_domain_block.rb Add option to include resolved DNS records when blacklisting e-mail domains in admin UI (#13254) 2020-03-12 22:35:20 +01:00
encrypted_message.rb Change Redis#exists calls to Redis#exists? to avoid deprecation warning (#14191) 2020-07-01 19:05:21 +02:00
export.rb Add import/export feature for bookmarks (#14956) 2020-11-19 17:48:13 +01:00
favourite.rb Add feature to automatically delete old toots (#16529) 2021-08-09 23:11:50 +02:00
featured_tag.rb
feed.rb allow pagination by min_id and max_id (#14776) 2020-09-12 17:09:49 +02:00
follow.rb Fix being able to import more than allowed number of follows (#15384) 2020-12-26 23:52:46 +01:00
follow_recommendation.rb Fix FollowRecommendationsScheduler failing because of unpopulated views (#16189) 2021-05-09 10:39:29 +02:00
follow_recommendation_filter.rb Add cold-start follow recommendations (#15945) 2021-04-12 12:37:14 +02:00
follow_recommendation_suppression.rb Add cold-start follow recommendations (#15945) 2021-04-12 12:37:14 +02:00
follow_request.rb Fix edge case where accepted follow cannot be processed because of follow limit (#16098) 2021-04-23 22:51:21 +02:00
home_feed.rb Fix rubocop config and warnings (#15503) 2021-01-07 09:40:55 +01:00
identity.rb
import.rb Fix follow limit preventing re-following of a moved account (#14207) 2020-12-18 09:18:31 +01:00
instance.rb Add management of delivery availability in Federation settings (#15771) 2021-05-05 23:39:02 +02:00
instance_filter.rb Add management of delivery availability in Federation settings (#15771) 2021-05-05 23:39:02 +02:00
invite.rb Change account suspensions to be reversible by default (#14726) 2020-09-15 14:37:58 +02:00
invite_filter.rb Various fixes and improvements (#12878) 2020-01-20 15:55:03 +01:00
ip_block.rb Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
list.rb Improve account deletion performances further (#15407) 2020-12-22 23:57:46 +01:00
list_account.rb
list_feed.rb Fix rubocop config and warnings (#15503) 2021-01-07 09:40:55 +01:00
login_activity.rb Add authentication history (#16408) 2021-06-21 17:07:30 +02:00
marker.rb
media_attachment.rb Fix error when rendering public pages with media attachments (#16763) 2021-10-13 15:27:19 +02:00
mention.rb
message_franking.rb Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
mute.rb Add duration parameter to muting. (#13831) 2020-10-13 01:01:14 +02:00
notification.rb Prepare Mastodon for Rails 6 (#15911) 2021-03-17 10:09:55 +01:00
one_time_key.rb Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
poll.rb Fix rubocop config and warnings (#15503) 2021-01-07 09:40:55 +01:00
poll_vote.rb
preview_card.rb Switch from unmaintained paperclip to kt-paperclip (#16724) 2021-09-29 23:52:36 +02:00
public_feed.rb Fix rubocop config and warnings (#15503) 2021-01-07 09:40:55 +01:00
relationship_filter.rb Fix followings list order | Issue #13538 (#13676) 2020-05-08 20:17:16 +02:00
relay.rb Fix enable/disable relay failures (#13535) 2020-04-23 22:04:18 +02:00
remote_follow.rb Remove dependency on goldfinger gem (#14919) 2020-10-08 00:34:57 +02:00
report.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
report_filter.rb Add ability to filter reports by origin of target account (#16487) 2021-07-11 11:01:38 +02:00
report_note.rb
rule.rb Add server rules (#15769) 2021-02-21 19:50:12 +01:00
scheduled_status.rb
search.rb
session_activation.rb Add Ruby 3.0 support (#16046) 2021-05-06 14:22:54 +02:00
setting.rb Use Rails' index_by where it makes sense (#15542) 2021-01-12 09:27:38 +01:00
site_upload.rb
status.rb Fix handling announcements with links (#16941) 2021-11-05 21:14:35 +01:00
status_pin.rb Add feature to automatically delete old toots (#16529) 2021-08-09 23:11:50 +02:00
status_stat.rb
system_key.rb Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
tag.rb Change trending hashtags to be affected be reblogs (#16164) 2021-05-07 14:33:43 +02:00
tag_feed.rb Fix rubocop config and warnings (#15503) 2021-01-07 09:40:55 +01:00
tag_filter.rb Change trending hashtags to be affected be reblogs (#16164) 2021-05-07 14:33:43 +02:00
tombstone.rb
trending_tags.rb Change trending hashtags to be affected be reblogs (#16164) 2021-05-07 14:33:43 +02:00
unavailable_domain.rb Fix performance on instances list in admin UI (#15282) 2020-12-14 09:06:34 +01:00
user.rb Fix reviving revoked sessions and invalidating login (#16943) 2021-11-06 00:13:58 +01:00
user_invite_request.rb
web.rb
webauthn_credential.rb Fix validates :sign_count of WebauthnCredential (#14806) 2020-09-16 20:16:46 +02:00