about summary refs log tree commit diff
path: root/app/controllers/auth
AgeCommit message (Collapse)Author
2022-12-15Fix single name variables on controller folder (#20092)David Vega
Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15Revoke all authorized applications on password reset (#21325)Francis Murillo
* Clear sessions on password change * Rename User::clear_sessions to revoke_access for a clearer meaning * Add reset paassword controller test * Use User.find instead of User.find_for_authentication for reset password test * Use redirect and render for better test meaning in reset password Co-authored-by: Effy Elden <effy@effy.space>
2022-11-17Fix form-action CSP directive for external login (#20962)Claire
2022-11-16Add 'private' to Cache-Control, match Rails expectations (#20608)Daniel Axtens
Several controlers set quite intricate Cache-Control headers in order to hopefully not be cached by any intermediate proxies or local caches. Unfortunately, these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes and discards any values set alongside no-store other than private: https://github.com/rails/rails/blob/8015c2c2cf5c8718449677570f372ceb01318a32/actionpack/lib/action_dispatch/http/cache.rb#L207-L209 We want to preserve no-store on these responses, but we might as well remove parts that are going to be dropped anyway. As many of the endpoints in these controllers are private to a particular user, we should also add "private", which will be preserved alongside no-store.
2022-11-07Fix crash when external auth provider has no display_name set (#19962)Claire
Fixes #19913
2022-10-30Fix invites (#19560)Claire
Fixes #19507 Fix regression from #19296
2022-10-05Add server rules to sign-up flow (#19296)Eugen Rochko
2022-08-24Add ability to block sign-ups from IP (#19037)Eugen Rochko
2022-06-21Fix suspicious sign-in mails never being sent (#18599)Claire
* Add tests * Fix suspicious sign-in mails never being sent
2022-05-26Fix confirmation redirect to app without `Location` header (#18523)Eugen Rochko
2022-04-06Remove sign-in token authentication, instead send e-mail about new sign-in ↵Eugen Rochko
(#17970)
2022-03-09Allow login through OpenID Connect (#16221)chandrn7
* added OpenID Connect as an SSO option * minor fixes * added comments, removed an option that shouldn't be set * fixed Gemfile.lock * added newline to end of Gemfile.lock * removed tab from Gemfile.lock * remove chomp * codeclimate changes and small name change to make function's purpose clearer * codeclimate fix * added SSO buttons to /about page * minor refactor * minor style change * removed spurious change * removed unecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth * minor changes
2022-03-01Change old moderation strikes to be displayed in a separate page (#17566)Claire
* Change old moderation strikes to be displayed in a separate page Fixes #17552 This changes the moderation strikes displayed on `/auth/edit` to be those from the past 3 months, and make all moderation strikes targeting the current user available in `/disputes`. * Add short description of what the strikes page is for * Move link to list of strikes to “Account status” instead of navigation item * Normalize i18n file * Fix layout and styling of strikes link * Revert highlights_on regexp * Reintroduce account status summary - this way, “Account status” is never empty - account status is not necessarily bound to strikes, or recent strikes
2022-02-14Add appeals (#17364)Eugen Rochko
* Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2022-01-23Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)Claire
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being. * Add OMNIAUTH_ONLY environment variable to enforce external log-in only * Disable user registration when OMNIAUTH_ONLY is set to true * Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)Claire
Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-16Remove IP tracking columns from users table (#16409)Eugen Rochko
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-09-30Fix webauthn secure key authentication (#16792)Claire
* Add tests * Fix webauthn secure key authentication Fixes #16769
2021-08-26Explicitly set userVerification to discoraged (#16545)Truong Nguyen
2021-08-25Fix authentication failures after going halfway through a sign-in attempt ↵Claire
(#16607) * Add tests * Add security-related tests My first (unpublished) attempt at fixing the issues introduced (extremely hard-to-exploit) security vulnerabilities, addressing them in a test. * Fix authentication failures after going halfway through a sign-in attempt * Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
2021-08-25Fix undefined variable for Auth::OmniauthCallbacksController (#16654)Daniel
The addition of authentication history broke the omniauth login with the following error: method=GET path=/auth/auth/cas/callback format=html controller=Auth::OmniauthCallbacksController action=cas status=500 error='NameError: undefined local variable or method `user' for #<Auth::OmniauthCallbacksController:0x00000000036290> Did you mean? @user' duration=435.93 view=0.00 db=36.19 * app/controllers/auth/omniauth_callbacks_controller.rb: fix variable name to `@user`
2021-06-21Add authentication history (#16408)Eugen Rochko
2021-05-03Change confirmations controller to redirect to / for approved users (#16151)Claire
Clicking the confirmation link multiple times currently leads to entering account settings, which can be confusing. This commit changes that so that it redirects to the root path, so it behaves the same way as clicking only once in most cases.
2020-12-10Add honeypot fields and minimum fill-out time for sign-up form (#15276)ThibG
* Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-11-12Fix 2FA/sign-in token sessions being valid after password change (#14802)Eugen Rochko
If someone tries logging in to an account and is prompted for a 2FA code or sign-in token, even if the account's password or e-mail is updated in the meantime, the session will show the prompt and allow the login process to complete with a valid 2FA code or sign-in token
2020-10-12Add IP-based rules (#14963)Eugen Rochko
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-07-14Fix rubocop warning (#14288)abcang
* Fix rubocop warning * use limit variable * use ContextCreatingMethods option
2020-07-07Fix other sessions not being logged out on password change (#14252)Eugen Rochko
While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
2020-06-09Add e-mail-based sign in challenge for users with disabled 2FA (#14013)Eugen Rochko
2020-05-10Remove confusing “You are already signed in.” flash message (#13547)ThibG
When attempting to access the log-in page while already logged in, Devise's `require_no_authentication` kicks in and sets a flash message “You are already signed in.” In almost all cases, this also causes a redirect to /web, which does not display or clear flash messages, thus leaving the message to a potentially much later date, like for instance, accessing /preferences several minutes after being redirected to /web.
2020-02-16Fix sign-ups without checked user agreement being accepted through the web ↵ThibG
form (#13088) * Fix user agreement not being verified * Fix tests * Fix up agreement field being dismissed
2020-01-24Fix password change/reset not immediately invalidating other sessions (#12928)Eugen Rochko
While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
2019-12-30Fix settings pages being cacheable by the browser (#12714)Eugen Rochko
Fix #12255
2019-09-24Fix authentication before 2FA challenge (#11943)Eugen Rochko
Regression from #11831
2019-09-18Add password challenge to 2FA settings, e-mail notifications (#11878)Eugen Rochko
Fix #3961
2019-09-15Fix 2FA challenge and password challenge for non-database users (#11831)Eugen Rochko
* Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
2019-09-05Fix wrong variable regression from #11753 (#11763)Eugen Rochko
2019-09-04Change account deletion page to have better explanations (#11753)Eugen Rochko
Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form
2019-07-22Change unconfirmed user login behaviour (#11375)Eugen Rochko
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-05-02Check that an invite link is valid before bypassing approval mode (#10657)ThibG
* Check that an invite link is valid before bypassing approval mode Fixes #10656 * Add tests * Only consider valid invite links in registration controller * fixup
2019-04-09Add "why do you want to join" field to invite requests (#10524)Eugen Rochko
* Add "why do you want to join" field to invite requests Fix #10512 * Remove unused translations * Fix broken registrations when no invite request text is submitted
2019-03-14Admission-based registrations mode (#10250)Eugen Rochko
Fix #6856 Fix #6951
2019-02-12Save IP address used for sign-up, not only sign-in (#10026)ThibG
Fixes #9995
2018-12-24Add REST API for creating an account (#9572)Eugen Rochko
* Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
2018-10-30Revert "feat(auth/session_controller): Send Clear-Site-Data when logging out ↵Eugen Rochko
(8627)" (#9161) This reverts commit 10680f93e7d6333d43aabc4c6f251a076120231c.
2018-10-26Fix styling in /auth/edit (#9117)ThibG
2018-09-14Misc. typos (#8694)luzpaz
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-09Add force_login option to OAuth authorize page (#8655)Eugen Rochko
* Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login