about summary refs log tree commit diff
path: root/app/controllers/auth
AgeCommit message (Collapse)Author
2018-12-24Add REST API for creating an account (#9572)Eugen Rochko
* Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
2018-10-30Revert "feat(auth/session_controller): Send Clear-Site-Data when logging out ↵Eugen Rochko
(8627)" (#9161) This reverts commit 10680f93e7d6333d43aabc4c6f251a076120231c.
2018-10-26Fix styling in /auth/edit (#9117)ThibG
2018-09-14Misc. typos (#8694)luzpaz
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-09Add force_login option to OAuth authorize page (#8655)Eugen Rochko
* Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
2018-09-07feat(auth/session_controller): Send Clear-Site-Data when logging out (#8627)Sorin Davidoi
Will clear the browser's cache, cookies and storage. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data https://w3c.github.io/webappsec-clear-site-data/
2018-08-23Allow mods to disable login, improve message when login disabled (#8329)Eugen Rochko
* Allow moderators to disable/enable login * Instead of rejecting login, show forbidden error when login disabled Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong. * Fix tests
2018-07-31Compensate for scrollbar disappearing when media modal visible (#8100)Eugen Rochko
* Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
2018-07-05If signed in, redirect autofollow invite to profile page (#7956)Eugen Rochko
Fix #7944
2018-06-21Replace bypass option with bypass_sign_in (#7867)Shuhei Kitagawa
2018-06-15Add autofollow option to invites (#7805)Eugen Rochko
* Add autofollow option to invites * Trigger CodeClimate rebuild
2018-03-08If login redirects to omniauth, redirect logout to root_path (#6694)Eugen Rochko
Fix #6670
2018-02-28Fix #942: Seamless LDAP login (#6556)Eugen Rochko
2018-02-23New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML ↵Ghislain Loaec
strategies) (#6540)
2018-02-04CAS + SAML authentication feature (#6425)Eugen Rochko
* Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add locales
2018-02-02pam authentication (#5303)Alexander
* add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
2018-01-02Add confirmation step for email changes (#6071)Patrick Figel
* Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
2017-12-29Add more instance stats APIs (#6125)Eugen Rochko
* Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
2017-11-27Add consumable invites (#5814)Eugen Rochko
* Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
2017-11-17Fix some rubocop style issues (#5730)Eugen Rochko
2017-10-13Set InstancePresenter to `Auth::RegistrationsController#create` (#5366)Yamagishi Kazutoshi
2017-10-11sign_in and sign_up views present og meta infos (#5308)takayamaki
2017-09-10Default follows for new users (#4871)Eugen Rochko
When a new user confirms their e-mail, bootstrap their home timeline by automatically following a set of accounts. By default, all local admin accounts (that are unlocked). Can be customized by new admin setting (comma-separated usernames, local and unlocked only)
2017-08-03Redirect to PasswordController#new when reset_password_token is invalid (#4506)nullkal
2017-06-25Add overview of active sessions (#3929)Eugen Rochko
* Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
2017-06-11Make sure email is case insensitive on all places (#3688)René Klačan
When case insensitivity is enabled via devise's `config.case_insensitive_keys` then `.find_for_authentication` method needs to be used instead of `.find_by` because second mentioned returns `nil` when valid email with different cases is passed. More info https://github.com/plataformatec/devise/wiki/How-To:-Use-case-insensitive-emails
2017-05-27Fix empty flash message on the settings page (#3345)unarist
2017-05-26Go to root after login in single user mode (#3289)Akinori MUSHA
In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
2017-05-23Fix Devise destroy method being available to delete user record (#3266)Eugen Rochko
(You may think that we need account deletions, but this way would've just orphaned the db records)
2017-05-02Auth sign out (#2511)Matt Jankowski
* Add a spec for signing out * Add spec showing that suspended user gets a 403 forbidden on sign out * Allow suspended account users to sign out
2017-05-01Fix Rubocop offences (#2630)yhirano
* disable Bundler/OrderedGems * fix rubocop Lint/UselessAssignment * fix rubocop Style/BlockDelimiters * fix rubocop Style/AlignHash * fix rubocop Style/AlignParameters, Style/EachWithObject * fix rubocop Style/SpaceInLambdaLiteral
2017-04-27Catch error when server decryption fails on 2FA (#2512)Matt Jankowski
2017-04-17Assign user locale on signup (#1982)saturday06
2017-04-15Give SINGLE_USER a chance to register (#1820)Marcin Cieślak
An attempt to open a brand new Mastodon instance configured as SINGLE_USER_MODE=true will cause an exception. Enable temporary registration if we have no users in the database Fixes #1817
2017-04-15Add recovery code support for two-factor auth (#1773)Patrick Figel
* Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names
2017-04-04New admin setting: open/close registrations, with custom message, from the ↵Eugen Rochko
admin UI
2017-02-08Fix #611 - Layout setting in registrations controllerEugen
2017-01-28Split 2FA login into two promptsEugen Rochko
2017-01-28Update settings to re-use admin layout, one big navigation tree, improve ↵Eugen Rochko
settings forms
2017-01-27Added optional two-factor authenticationEugen Rochko
2017-01-04Fix #390 - fix redirect after sign-up (to login page instead of homepage)Eugen Rochko
2016-12-06Add single user modeEugen Rochko
2016-11-15Fix rubocop issues, introduce usage of frozen literal to improve performanceEugen Rochko
2016-10-13Shorten rendered links (strip protocol and www, truncate to 30 chars), redirectEugen Rochko
to sign in page after sign up instead of root path which redirects to /about
2016-10-03Adding e-mail confirmationsEugen Rochko
2016-10-02Redirect after sign in to previous page (unless it's a sign in/up/etc page)Eugen Rochko
2016-09-29Improve code styleEugen Rochko
2016-09-26Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - appEugen Rochko
registration API
2016-08-17Upgrade to Rails 5.0.0.1Eugen Rochko
2016-03-28Remember me enabled by defaultEugen Rochko