about summary refs log tree commit diff
path: root/app/controllers/auth/registrations_controller.rb
AgeCommit message (Collapse)Author
2022-01-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `spec/models/status_spec.rb`: Upstream added tests too close to glitch-soc-specific tests. Kept both tests.
2022-01-23Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)Claire
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being. * Add OMNIAUTH_ONLY environment variable to enforce external log-in only * Disable user registration when OMNIAUTH_ONLY is set to true * Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2021-11-06Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2020-12-10Merge branch 'master' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/controllers/about_controller.rb`: Minor conflict caused by glitch-soc's theming system. Ported upstream changes.
2020-12-10Add honeypot fields and minimum fill-out time for sign-up form (#15276)ThibG
* Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-10-21Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `.github/dependabot.yml`: Updated upstream, we deleted it to not be flooded by Depandabot. Kept deleted. - `Gemfile.lock`: Puma updated on both sides, went for the most recent version. - `app/controllers/api/v1/mutes_controller.rb`: Upstream updated the serializer to support timed mutes, while glitch-soc added a custom API ages ago to get information that is already available elsewhere. Dropped the glitch-soc-specific API, went with upstream changes. - `app/javascript/core/admin.js`: Conflict due to changing how assets are loaded. Went with upstream. - `app/javascript/packs/public.js`: Conflict due to changing how assets are loaded. Went with upstream. - `app/models/mute.rb`: 🤷 - `app/models/user.rb`: New user setting added upstream while we have glitch-soc-specific user settings. Added upstream's user setting. - `config/settings.yml`: Upstream added a new user setting close to a user setting we had changed the defaults for. Added the new upstream setting. - `package.json`: Upstream dependency updated “too close” to a glitch-soc-specific dependency. No real conflict. Updated the dependency.
2020-10-12Add IP-based rules (#14963)Eugen Rochko
2020-07-07Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `package.json`: Not really a conflict, just some glitch-soc-specific dependency too close to an upstream-updated one.
2020-07-07Fix other sessions not being logged out on password change (#14252)Eugen Rochko
While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
2020-02-19Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2020-02-16Fix sign-ups without checked user agreement being accepted through the web ↵ThibG
form (#13088) * Fix user agreement not being verified * Fix tests * Fix up agreement field being dismissed
2020-01-24Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/statuses_controller.rb`: Minor conflict due to theming system
2020-01-24Fix password change/reset not immediately invalidating other sessions (#12928)Eugen Rochko
While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
2020-01-04Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/application_controller.rb`: Conflict due to theming system. - `app/controllers/oauth/authorizations_controller.rb`: Conflict due to theming system.
2019-12-30Fix settings pages being cacheable by the browser (#12714)Eugen Rochko
Fix #12255
2019-07-23Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/application_controller.rb - app/controllers/auth/confirmations_controller.rb - app/controllers/auth/sessions_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
2019-07-22Change unconfirmed user login behaviour (#11375)Eugen Rochko
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-05-04Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/models/media_attachment.rb
2019-05-02Check that an invite link is valid before bypassing approval mode (#10657)ThibG
* Check that an invite link is valid before bypassing approval mode Fixes #10656 * Add tests * Only consider valid invite links in registration controller * fixup
2019-04-10Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/views/admin/pending_accounts/index.html.haml No real conflict, upstream changes too close to glitch-specific theming system changes. - config/navigation.rb Upstream redesigned the settings navigation, took those changes and re-inserted the flavours menu.
2019-04-09Add "why do you want to join" field to invite requests (#10524)Eugen Rochko
* Add "why do you want to join" field to invite requests Fix #10512 * Remove unused translations * Fix broken registrations when no invite request text is submitted
2019-03-14Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/views/admin/settings/edit.html.haml: Conflict due to how the theming settings change.
2019-03-14Admission-based registrations mode (#10250)Eugen Rochko
Fix #6856 Fix #6951
2019-02-15Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2019-02-12Save IP address used for sign-up, not only sign-in (#10026)ThibG
Fixes #9995
2019-01-02Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts manually resolved: - app/services/post_status_service.rb - config/locales/simple_form.pl.yml - config/routes.rb - config/webpack/loaders/sass.js - config/webpack/shared.js - package.json - yarn.lock
2018-12-24Add REST API for creating an account (#9572)Eugen Rochko
* Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
2018-10-27Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-26Fix styling in /auth/edit (#9117)ThibG
2018-08-01Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Manually-resolved conflicts: .circleci/config.yml app/controllers/accounts_controller.rb app/controllers/auth/passwords_controller.rb app/controllers/statuses_controller.rb app/javascript/packs/public.js app/models/media_attachment.rb app/views/stream_entries/_content_spoiler.html.haml app/views/stream_entries/_media.html.haml config/locales/en.yml config/locales/ja.yml config/locales/pl.yml lib/mastodon/version.rb Some content from app/javascript/packs/public.js has been split to app/javascript/core/settings.js. Translation strings for glitch-soc's keyword mutes were dropped. Everything else was mostly “take both”.
2018-07-31Compensate for scrollbar disappearing when media modal visible (#8100)Eugen Rochko
* Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
2018-07-09Merge branch 'master' into glitch-soc/tentative-mergeThibaut Girka
Conflicts: README.md app/controllers/statuses_controller.rb app/lib/feed_manager.rb config/navigation.rb spec/lib/feed_manager_spec.rb Conflicts were resolved by taking both versions for each change. This means the two filter systems (glitch-soc's keyword mutes and tootsuite's custom filters) are in place, which will be changed in a follow-up commit.
2018-07-05If signed in, redirect autofollow invite to profile page (#7956)Eugen Rochko
Fix #7944
2018-06-15Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/javascript/mastodon/initial_state.js db/schema.rb Upstream added a new field to initial_state. Not too sure about what happened with db/schema.rb though…
2018-06-15Add autofollow option to invites (#7805)Eugen Rochko
* Add autofollow option to invites * Trigger CodeClimate rebuild
2018-02-02Merge remote-tracking branch 'tootsuite/master' into merge-upstreamDavid Yip
Conflicts: app/javascript/styles/mastodon/components.scss
2018-02-02pam authentication (#5303)Alexander
* add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
2018-01-03Merge remote-tracking branch 'tootsuite/master' into glitchsoc/masterJenkins
2018-01-02Add confirmation step for email changes (#6071)Patrick Figel
* Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
2017-12-04Merge branch 'gs-master' into glitch-themeDavid Yip
2017-12-03Fixed typoskibigo!
2017-11-27Add consumable invites (#5814)Eugen Rochko
* Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
2017-11-20Finalized theme loading and stuffkibigo!
2017-10-13Set InstancePresenter to `Auth::RegistrationsController#create` (#5366)Yamagishi Kazutoshi
2017-10-11sign_in and sign_up views present og meta infos (#5308)takayamaki
2017-06-25Add overview of active sessions (#3929)Eugen Rochko
* Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
2017-05-23Fix Devise destroy method being available to delete user record (#3266)Eugen Rochko
(You may think that we need account deletions, but this way would've just orphaned the db records)
2017-04-17Assign user locale on signup (#1982)saturday06
2017-04-15Give SINGLE_USER a chance to register (#1820)Marcin Cieślak
An attempt to open a brand new Mastodon instance configured as SINGLE_USER_MODE=true will cause an exception. Enable temporary registration if we have no users in the database Fixes #1817