Matt Jankowski
f652c54c33
Update devise to version 5.0 (#37419)
2026-02-05 11:05:32 +00:00
Matt Jankowski
0d5123199f
Fix Style/FormatStringToken cop (#34861)
2025-06-02 07:37:33 +00:00
Matt Jankowski
3c09fd3f89
Fix Style/FetchEnvVar cop in devise config (#34846)
2025-05-30 07:00:37 +00:00
Emelia Smith
b754e28190
Change devise to not use HTTP Basic Authentication (#34501)
2025-04-22 12:11:21 +00:00
Nick Schonning
13fb54920b
Enable Style/IfUnlessModifier RuboCop (#30260)
2024-05-13 09:54:15 +00:00
Matt Jankowski
040aaf3a48
Use default: ... assignment for Devise config, fixes Style/ClassVars cop (#30214)
2024-05-10 09:42:01 +00:00
Matt Jankowski
0ce081fe49
Remove monkey patch in favor of supported Devise config value (#28760)
2024-01-17 09:08:17 +00:00
Matt Jankowski
3107a9410c
Silence deprecation warning about secrets/credentials with Devise patch (#27578)
2023-10-31 11:10:15 +00:00
Renaud Chaput
e0da64bb4e
Fix empty ENV variables not using default nil value (#27400)
2023-10-13 19:00:53 +02:00
Nick Schonning
1d557305d2
Enable Rubocop Style/FrozenStringLiteralComment (#23793)
2023-07-12 09:47:08 +02:00
luzpaz
596923da4a
Fix typos in source documentation (#21046)
Fixed 2 source comment/documentation typos
2022-12-15 15:57:26 +01:00
Eugen Rochko
6e418bf346
Fix cookies secure flag being set when served over Tor (#17992)
2022-04-08 12:47:18 +02:00
Eugen Rochko
8e84ebf0cb
Remove IP tracking columns from users table (#16409)
2022-01-16 13:23:50 +01:00
Claire
6da135a493
Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.
We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.
In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
of them
This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00
Claire
21fb3f3684
Drop dependency on secure_headers, fix response headers (#15712)
* Drop dependency on secure_headers, use always_write_cookie instead
* Fix cookies in Tor Hidden Services by moving configuration to application.rb
* Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
2021-02-11 23:47:05 +01:00
Cecylia Bocovich
e79f8dd85c
Onion service related changes to HTTPS handling (#15560)
* Enable secure cookie flag for https only
* Disable force_ssl for .onion hosts only
Co-authored-by: Aiden McClelland <me@drbonez.dev>
2021-02-11 04:40:13 +01:00
Eugen Rochko
acc1c03861
Fix cookies not having a SameSite attribute (#15098)
2020-11-06 11:57:14 +01:00
Mathieu Brunot
bd8dc9bd0c
✨ Add an LDAP Mail attribute config (#12053)
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2019-12-01 18:52:21 +01:00
Mathieu Brunot
d70268f099
✨ Convert LDAP username (#12461)
* ✨ Convert LDAP username #12021
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* 🐛 Fix conversion var use
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* 🐛 Fix LDAP uid conversion test
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* 👌 Remove comments with ref to PR
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* 👌 Remove unnecessary parentheses
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
* 🔧 Move space in conversion string
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2019-12-01 07:21:28 +01:00
Eugen Rochko
a1f04c1e34
Fix authentication before 2FA challenge (#11943)
Regression from #11831
2019-09-24 04:35:36 +02:00
Eugen Rochko
c707ef49d9
Fix 2FA challenge and password challenge for non-database users (#11831)
* Fix 2FA challenge not appearing for non-database users
Fix #11685
* Fix account deletion not working when using external login
Fix #11691
2019-09-15 21:08:39 +02:00
Moritz Heiber
ecf40d09ed
Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers (#9819)
2019-01-15 23:11:46 +01:00
Sorin Davidoi
6f3d934bc1
feat(cookies): Use the same-site attribute to lax (#8626)
CSRF-prevention is already implemented but adding this doesn't hurt.
A brief introduction to Same-Site cookies (and the difference between strict and
lax) can be found at
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
TLDR: We use lax since we want the cookies to be sent when the user navigates
safely from an external site.
2018-09-08 23:54:28 +02:00
Immae
b0f4fe456b
Add ldap search filter (#8151)
2018-08-15 18:12:44 +02:00
abcang
69bf116345
Add secure option to additional cookie (#8069)
2018-07-25 18:49:47 +02:00
Eugen Rochko
ac49c7932d
Add LDAP_TLS_NO_VERIFY option, don't require LDAP_ENABLED outside .env (#6845)
Fix #6816, fix #6790
2018-03-20 19:41:51 +01:00
Alexander
33ee347c99
rename pam email environment variable to something more understandable and default to LOCAL_DOMAIN (better fallback) (#6833)
2018-03-19 20:09:26 +01:00
Alexander
42fe05dea1
fix logic for pam_controlled_service (#6599)
2018-03-02 19:02:50 +01:00
Eugen Rochko
47bdb9b33b
Fix #942: Seamless LDAP login (#6556)
2018-02-28 19:04:53 +01:00
Eugen Rochko
38e0133e1b
Make PAM gem optional, allow configuration over environment (#6415)
2018-02-04 15:05:53 +01:00
Alexander
04fef7b888
pam authentication (#5303)
* add pam support, without extra column
* bugfixes for pam login
* document options
* fix code style
* fix codestyle
* fix tests
* don't call remember_me without password
* fix codestyle
* improve checks for pam usage (should fix tests)
* fix remember_me part 1
* add remember_token column because :rememberable requires either a password or this column.
* migrate db for remember_token
* move pam_authentication to the right place, fix logic bug in edit.html.haml
* fix tests
* fix pam authentication, improve username lookup, add comment
* valid? is sometimes not honored, return nil instead of trying to authenticate with pam
* update devise_pam_authenticatable2 and adjust code. Fixes side effects observed in tests
* update devise_pam_authenticatable gem, fixes for code conventions, fix finding user
* code convention fixes
* code convention fixes
* fix indentation
* update dependency, explicit conflict check
* fix disabled password updates if in pam mode
* fix check password if password is present, fix templates
* block registration if account is maintained by pam
* Revert "block registration if account is maintained by pam"
This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20.
* fix indentation error introduced by rebase
* block usernames maintained by pam
* document pam settings better
* fix code style
2018-02-02 10:18:55 +01:00
Patrick Figel
04ecf44c2f
Add confirmation step for email changes (#6071)
* Add confirmation step for email changes
This adds a confirmation step for email changes of existing users.
Like the initial account confirmation, a confirmation link is sent
to the new address.
Additionally, a notification is sent to the existing address when
the change is initiated. This message includes instructions to reset
the password immediately or to contact the instance admin if the
change was not initiated by the account owner.
Fixes #3871
* Add review fixes
2018-01-02 16:55:00 +01:00
Eugen Rochko
40be4ea239
Extend Devise remember_me longevity to 1 year instead of 2 weeks (#4587)
Force SSL only cookies for remember_me, adjust confirmation
expiration time to fit with the user cleanup scheduler
2017-08-12 16:30:59 +02:00
Eugen Rochko
8d6c3cd48a
Fix sessions being replaced needlessly (#4292)
2017-07-22 01:09:10 +02:00
Eugen Rochko
00df69bc89
Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091)
* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions
* Fix tests, smooth migrate from previous session-based identifier
2017-07-07 23:25:15 +02:00
Eugen Rochko
f7301bd5b9
Add overview of active sessions (#3929)
* Add overview of active sessions
* Better display of browser/platform name
* Improve how browser information is stored and displayed for sessions overview
* Fix test
2017-06-25 16:54:30 +02:00
Sorin Davidoi
2211e8d1cd
Revocable sessions (#3616)
* feat: Revocable sessions
* fix: Tests using sign_in
* feat: Configuration entry for the maximum number of session activations
2017-06-23 18:50:53 +02:00
Patrick Figel
df4ff9a8e1
Add recovery code support for two-factor auth (#1773)
* Add recovery code support for two-factor auth
When users enable two-factor auth, the app now generates ten
single-use recovery codes. Users are encouraged to print the codes
and store them in a safe place.
The two-factor prompt during login now accepts both OTP codes and
recovery codes.
The two-factor settings UI allows users to regenerate lost
recovery codes. Users who have set up two-factor auth prior to
this feature being added can use it to generate recovery codes
for the first time.
Fixes #563 and fixes #987
* Set OTP_SECRET in test environment
* add missing .html to view file names
2017-04-15 13:26:03 +02:00
Yann GUERN
a85d4473aa
Avoid user enumeration with devise paranoid mode (#1527)
2017-04-11 14:21:15 +02:00
Eugen Rochko
76e970c856
Do not automatically login after password reset, as it would circumvent two-factor auth (if enabled)
Do not require e-mail address changes to be re-confirmed, it's only trouble for no real benefit
2017-01-27 20:35:16 +01:00
Eugen Rochko
ba192f12e3
Added optional two-factor authentication
2017-01-27 20:35:16 +01:00
Eugen Rochko
116ab27e08
i18n for devise mailer too
2016-11-16 18:25:21 +01:00
Eugen Rochko
2c374cd97c
Adding e-mail configuration
2016-03-16 12:13:40 +01:00
Eugen Rochko
ab6696e855
Adding doorkeeper, adding a REST API
POST /api/statuses Params: status (text contents), in_reply_to_id (optional)
GET /api/statuses/:id
POST /api/statuses/:id/reblog
GET /api/accounts/:id
GET /api/accounts/:id/following
GET /api/accounts/:id/followers
POST /api/accounts/:id/follow
POST /api/accounts/:id/unfollow
POST /api/follows Params: uri (e.g. user@domain)
OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
2016-03-07 12:42:33 +01:00
Eugen Rochko
7e93da3f8d
Removing grape and adding devise
2016-03-05 13:12:24 +01:00