about summary refs log tree commit diff
path: root/app/controllers/auth/sessions_controller.rb
AgeCommit message (Collapse)Author
2022-06-28Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `.github/workflows/build-image.yml`: Fix erroneous deletion in a previous merge. - `Gemfile`: Conflict caused by glitch-soc-only hCaptcha dependency - `app/controllers/auth/sessions_controller.rb`: Minor conflict due to glitch-soc's theming system. - `app/controllers/filters_controller.rb`: Minor conflict due to glitch-soc's theming system. - `app/serializers/rest/status_serializer.rb`: Minor conflict due to glitch-soc having an extra `local_only` property
2022-06-21Fix suspicious sign-in mails never being sent (#18599)Claire
* Add tests * Fix suspicious sign-in mails never being sent
2022-04-06Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/controllers/concerns/sign_in_token_authentication_concern.rb`: Upstream removed this file, while glitch-soc had changes to deal with its theming system. Removed the file like upstream did.
2022-04-06Remove sign-in token authentication, instead send e-mail about new sign-in ↵Eugen Rochko
(#17970)
2022-01-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `spec/models/status_spec.rb`: Upstream added tests too close to glitch-soc-specific tests. Kept both tests.
2022-01-23Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)Claire
Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-16Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: Upstream added some text, but our README is completely different. Kept our README unchanged.
2022-01-16Remove IP tracking columns from users table (#16409)Eugen Rochko
2021-11-06Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-09-30Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-09-30Fix webauthn secure key authentication (#16792)Claire
* Add tests * Fix webauthn secure key authentication Fixes #16769
2021-08-27Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-08-26Explicitly set userVerification to discoraged (#16545)Truong Nguyen
2021-08-25Fix authentication failures after going halfway through a sign-in attempt ↵Claire
(#16607) * Add tests * Add security-related tests My first (unpublished) attempt at fixing the issues introduced (extremely hard-to-exploit) security vulnerabilities, addressing them in a test. * Fix authentication failures after going halfway through a sign-in attempt * Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
2021-06-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-06-21Add authentication history (#16408)Eugen Rochko
2020-11-14Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/concerns/sign_in_token_authentication_concern.rb`: Conflict caused because of glitch-soc's theming system. Took upstream's new code and applied the theming system changes on top of it. - `app/controllers/concerns/two_factor_authentication_concern.rb`: Conflict caused because of glitch-soc's theming system. Took upstream's new code and applied the theming system changes on top of it.
2020-11-12Fix 2FA/sign-in token sessions being valid after password change (#14802)Eugen Rochko
If someone tries logging in to an account and is prompted for a 2FA code or sign-in token, even if the account's password or e-mail is updated in the meantime, the session will show the prompt and allow the login process to complete with a valid 2FA code or sign-in token
2020-08-30Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/accounts_controller.rb`: Upstream change too close to a glitch-soc change related to instance-local toots. Merged upstream changes. - `app/services/fan_out_on_write_service.rb`: Minor conflict due to glitch-soc's handling of Direct Messages, merged upstream changes. - `yarn.lock`: Not really a conflict, caused by glitch-soc-only dependencies being textually too close to updated upstream dependencies. Merged upstream changes.
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-07-15Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `config/routes.rb`: Upstream disabled E2EE routes, which we did earlier, but slightly differently. Took upstream's version.
2020-07-14Fix rubocop warning (#14288)abcang
* Fix rubocop warning * use limit variable * use ContextCreatingMethods option
2020-06-09Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/activitypub/collections_controller.rb`: Conflict due to glitch-soc having to take care of local-only pinned toots in that controller. Took upstream's changes and restored the local-only special handling. - `app/controllers/auth/sessions_controller.rb`: Minor conflicts due to the theming system, applied upstream changes, adapted the following two files for glitch-soc's theming system: - `app/controllers/concerns/sign_in_token_authentication_concern.rb` - `app/controllers/concerns/two_factor_authentication_concern.rb` - `app/services/backup_service.rb`: Minor conflict due to glitch-soc having to handle local-only toots specially. Applied upstream changes and restored the local-only special handling. - `app/views/admin/custom_emojis/index.html.haml`: Minor conflict due to the theming system. - `package.json`: Upstream dependency updated, too close to a glitch-soc-only dependency in the file. - `yarn.lock`: Upstream dependency updated, too close to a glitch-soc-only dependency in the file.
2020-06-09Add e-mail-based sign in challenge for users with disabled 2FA (#14013)Eugen Rochko
2020-05-10Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `Gemfile.lock`: Not a real conflict, just a glitch-soc-only dependency too close to a dependency that got updated upstream. Updated as well. - `app/models/status.rb`: Not a real conflict, just a change too close to glitch-soc-changed code for optionally showing boosts in public timelines. Applied upstream changes. - `app/views/layouts/application.html.haml`: Upstream a new, static CSS file, conflict due to glitch-soc's theming system, include the file regardless of the theme. - `config/initializers/content_security_policy.rb`: Upstream dropped 'unsafe-inline' from the 'style-src' directive, but both files are very different. Removed 'unsafe-inline' as well.
2020-05-10Remove confusing “You are already signed in.” flash message (#13547)ThibG
When attempting to access the log-in page while already logged in, Devise's `require_no_authentication` kicks in and sets a flash message “You are already signed in.” In almost all cases, this also causes a redirect to /web, which does not display or clear flash messages, thus leaving the message to a potentially much later date, like for instance, accessing /preferences several minutes after being redirected to /web.
2019-10-10Ensure pack is set when rendering OTP promptThibaut Girka
Fixes #1230
2019-09-30Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - Gemfile - Gemfile.lock - app/controllers/about_controller.rb - app/controllers/auth/sessions_controller.rb
2019-09-24Fix authentication before 2FA challenge (#11943)Eugen Rochko
Regression from #11831
2019-09-18Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/auth/sessions_controller.rb Minor conflict due to glitch-soc's theming code
2019-09-18Add password challenge to 2FA settings, e-mail notifications (#11878)Eugen Rochko
Fix #3961
2019-09-15Fix 2FA challenge and password challenge for non-database users (#11831)Eugen Rochko
* Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
2019-07-23Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/application_controller.rb - app/controllers/auth/confirmations_controller.rb - app/controllers/auth/sessions_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
2019-07-22Change unconfirmed user login behaviour (#11375)Eugen Rochko
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2018-10-30Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/auth/sessions_controller.rb Upstream reverted something we partially reverted already. Reverted the rest to match upstream.
2018-10-30Revert "feat(auth/session_controller): Send Clear-Site-Data when logging out ↵Eugen Rochko
(8627)" (#9161) This reverts commit 10680f93e7d6333d43aabc4c6f251a076120231c.
2018-09-19Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: Vagrantfile app/javascript/packs/public.js app/views/admin/settings/edit.html.haml app/views/settings/preferences/show.html.haml app/views/settings/profiles/show.html.haml config/locales/es.yml config/locales/simple_form.en.yml config/webpack/configuration.js config/webpack/loaders/babel.js package.json yarn.lock Split new additions to app/javascript/packs/public.js to app/javascript/core/settings.js
2018-09-14Misc. typos (#8694)luzpaz
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-11Do not clear local storage on log outThibaut Girka
2018-09-11Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/oauth/authorizations_controller.rb Just two changes being too close to one another. Took both.
2018-09-09Add force_login option to OAuth authorize page (#8655)Eugen Rochko
* Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
2018-09-07feat(auth/session_controller): Send Clear-Site-Data when logging out (#8627)Sorin Davidoi
Will clear the browser's cache, cookies and storage. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data https://w3c.github.io/webappsec-clear-site-data/
2018-08-24Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/application_controller.rb Changed instance theme selection by instance flavour selection.
2018-08-23Allow mods to disable login, improve message when login disabled (#8329)Eugen Rochko
* Allow moderators to disable/enable login * Instead of rejecting login, show forbidden error when login disabled Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong. * Fix tests
2018-08-01Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Manually-resolved conflicts: .circleci/config.yml app/controllers/accounts_controller.rb app/controllers/auth/passwords_controller.rb app/controllers/statuses_controller.rb app/javascript/packs/public.js app/models/media_attachment.rb app/views/stream_entries/_content_spoiler.html.haml app/views/stream_entries/_media.html.haml config/locales/en.yml config/locales/ja.yml config/locales/pl.yml lib/mastodon/version.rb Some content from app/javascript/packs/public.js has been split to app/javascript/core/settings.js. Translation strings for glitch-soc's keyword mutes were dropped. Everything else was mostly “take both”.
2018-07-31Compensate for scrollbar disappearing when media modal visible (#8100)Eugen Rochko
* Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
2018-03-09Merge remote-tracking branch 'tootsuite/master' into glitchsoc/masterJenkins
2018-03-08If login redirects to omniauth, redirect logout to root_path (#6694)Eugen Rochko
Fix #6670
2018-03-02Merge remote-tracking branch 'origin/master' into merge-upstreamDavid Yip
Conflicts: README.md app/controllers/follower_accounts_controller.rb app/controllers/following_accounts_controller.rb app/serializers/rest/instance_serializer.rb app/views/stream_entries/_simple_status.html.haml config/locales/simple_form.ja.yml