about summary refs log tree commit diff
path: root/app/controllers/oauth
AgeCommit message (Collapse)Author
2022-11-17Fix OAuth flow being broken by recent CSP change (#20958)Claire
2022-11-16Add 'private' to Cache-Control, match Rails expectations (#20608)Daniel Axtens
Several controlers set quite intricate Cache-Control headers in order to hopefully not be cached by any intermediate proxies or local caches. Unfortunately, these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes and discards any values set alongside no-store other than private: https://github.com/rails/rails/blob/8015c2c2cf5c8718449677570f372ceb01318a32/actionpack/lib/action_dispatch/http/cache.rb#L207-L209 We want to preserve no-store on these responses, but we might as well remove parts that are going to be dropped anyway. As many of the endpoints in these controllers are private to a particular user, we should also add "private", which will be preserved alongside no-store.
2022-05-01Fix error when trying to revoke OAuth token without supplying a token (#18205)Eugen Rochko
2020-09-11Refactor settings controllers (#14767)Eugen Rochko
- Disallow suspended accounts from revoking sessions and apps - Allow suspended accounts to access exports
2019-12-30Fix settings pages being cacheable by the browser (#12714)Eugen Rochko
Fix #12255
2019-07-22Change unconfirmed user login behaviour (#11375)Eugen Rochko
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-02-04Fix authorized applications list page design (#9969)rinsuki
2018-09-09Add force_login option to OAuth authorize page (#8655)Eugen Rochko
* Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
2018-05-19Ensure push subscription is immediately removed when application is revoked ↵Eugen Rochko
(#7548) * Ensure push subscription is immediately removed when application is revoked * When token is revoked from app, unsubscribe too
2017-04-08Fix #1165 - before_action was called before protect_from_forgeryEugen Rochko
2017-04-07Allow setting of default language through configEugen Rochko
Setting of locale in controller extracted to Localized concern, the doorkeeper authorized applications controller moved under custom namespace with inclusion of Localized, which resolves the "it sometimes appears in a different random language" bug
2017-04-04Only call regeneration worker after first login after a 14 day breakEugen Rochko
2016-11-15Fix rubocop issues, introduce usage of frozen literal to improve performanceEugen Rochko
2016-10-23Fix OAuth authorization redirectEugen Rochko
2016-10-22Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limitingEugen Rochko
to the API
2016-09-26Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - appEugen Rochko
registration API
2016-08-17Upgrade to Rails 5.0.0.1Eugen Rochko
2016-03-14Bind oauth applications to usersEugen Rochko