about summary refs log tree commit diff
path: root/app/views/auth
AgeCommit message (Collapse)Author
2022-01-26Add some explanation text on the CAPTCHA confirmation pageClaire
2022-01-25Change CAPTCHA handling to be only on email verificationClaire
This simplifies the implementation considerably, and while not providing ideal UX, it's the most flexible approach.
2022-01-25Add ability to set hCaptcha either on registration form or on e-mail validationClaire
Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API.
2022-01-24Add optional hCaptcha supportClaire
Fixes #1649 This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then enabling the admin setting at `/admin/settings/edit#form_admin_settings_captcha_enabled` Subsequently, a hCaptcha widget will be displayed on `/about` and `/auth/sign_up` unless: - the user is already signed-up already - the user has used an invite link - the user has already solved the captcha (and registration failed for another reason) The Content-Security-Policy headers are altered automatically to allow the third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same rules as above.
2022-01-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `spec/models/status_spec.rb`: Upstream added tests too close to glitch-soc-specific tests. Kept both tests.
2022-01-23Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)Claire
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being. * Add OMNIAUTH_ONLY environment variable to enforce external log-in only * Disable user registration when OMNIAUTH_ONLY is set to true * Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2021-06-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-06-21Add authentication history (#16408)Eugen Rochko
2020-12-15Merge branch 'master' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/models/form/admin_settings.rb`: New setting added upstream. Ported it. - `app/views/statuses/_simple_status.html.haml`: Upstream removed RTL classes. Did the same. - `config/settings.yml`: New setting added upstream. Ported it.
2020-12-14Add ability to require invite request text (#15326)ThibG
Fixes #15273 Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10Merge branch 'master' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/controllers/about_controller.rb`: Minor conflict caused by glitch-soc's theming system. Ported upstream changes.
2020-12-10Add honeypot fields and minimum fill-out time for sign-up form (#15276)ThibG
* Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-05Merge branch 'master' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/services/remove_status_service.rb`: Conflict caused by us having a distinc Direct timeline. Ported upstream changes. - `app/javascript/mastodon/features/compose/components/compose_form.js`: Conflict between glitch-soc's variable character limit and upstream refactoring that part of the code. Ported upstream changes.
2020-11-28Fix omniauth (SAML/CAS) sign-in routes not having CSRF protection (#15228)Eugen Rochko
2020-11-06Add subresource integrity for JS and CSS assets (#15096)Eugen Rochko
Fix #2744
2020-09-28Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `Gemfile.lock`: Not a real conflict, upstream updated dependencies that were too close to glitch-soc-only ones in the file. - `app/controllers/oauth/authorized_applications_controller.rb`: Upstream changed the logic surrounding suspended accounts. Minor conflict due to glitch-soc's theming system. Ported upstream changes. - `app/controllers/settings/base_controller.rb`: Upstream refactored and changed the logic surrounding suspended accounts. Minor conflict due to glitch-soc's theming system. Ported upstream changes. - `app/controllers/settings/sessions_controller.rb`: Upstream refactored and changed the logic surrounding suspended accounts. Minor conflict due to glitch-soc's theming system. Ported upstream changes. - `app/models/user.rb`: Upstream refactored and changed the logic surrounding suspended accounts. Minor conflict due to glitch-soc not preventing moved accounts from logging in. Ported upstream changes while keeping the ability for moved accounts to log in. - `app/policies/status_policy.rb`: Upstream refactored and changed the logic surrounding suspended accounts. Minor conflict due to glitch-soc's local-only toots. Ported upstream changes. - `app/serializers/rest/account_serializer.rb`: Upstream refactored and changed the logic surrounding suspended accounts. Minor conflict due to glitch-soc's ability to hide followers count. Ported upstream changes. - `app/services/process_mentions_service.rb`: Upstream refactored and changed the logic surrounding suspended accounts. Minor conflict due to glitch-soc's local-only toots. Ported upstream changes. - `package.json`: Not a real conflict, upstream updated dependencies that were too close to glitch-soc-only ones in the file.
2020-09-11Refactor settings controllers (#14767)Eugen Rochko
- Disallow suspended accounts from revoking sessions and apps - Allow suspended accounts to access exports
2020-08-30Adapt 2FA changes to glitch-soc's theming systemThibaut Girka
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-19Fix client-side form validation not accepting handles with uppercase letters ↵ThibG
(#14599)
2020-08-12Add client-side validation in password change forms (#14564)ThibG
* Fix client-side username validation at registration It used the Account::USERNAME_RE regexp which is for *remote* users, local user validation is stricter. Also take into account max username length. * Add client-side form validation for password change * Add client-side form validation to dedicated registration form Previous changes only applied to the /about page, not the dedicated form on /auth
2020-06-09Add e-mail-based sign in challenge for users with disabled 2FA (#14013)Eugen Rochko
2020-04-28Fix end-user-facing uses of inline CSS (#13438)ThibG
* Move some inline styles to CSS files * Move default_account_display_name span to fix useless tags with duplicate id * Change handling of public pages spoiler text from inline CSS to dataset attribute * Use the `dir` HTML attribute instead of inline CSS * Move status action bar inline CSS to CSS file * Hide logo resources from CSS file, not inline CSS Fixes #11601 * Move translation prompt styling from inline CSS to CSS file * Move “invited by” styling on registration form from inline to CSS file * Use the progress tag to display poll results in JS fallback * Fix poll results JS-less fallback when the user has voted for an option * Change account public page “moved” notice to use img tags instead of inline CSS * Move OTP hint inline CSS to SCSS file * Hide JS-less fallback vote progressbars from accessibility tools Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2020-02-16Fix invite request input not being shown on sign-up error if left empty (#13089)ThibG
If the “Why do you want to join?” textarea is left empty and the entered params do not validate, the textarea isn't shown again, unlike other fields. This commit fixes that by populating an empty `UserInviteRequest` when needed.
2019-09-29Add (back) option to set redirect notice on account without moving followers ↵Eugen Rochko
(#11994) Fix #11913
2019-09-19Add account migration UI (#11846)Eugen Rochko
Fix #10736 - Change data export to be available for non-functional accounts - Change non-functional accounts to include redirecting accounts
2019-09-18Add password challenge to 2FA settings, e-mail notifications (#11878)Eugen Rochko
Fix #3961
2019-09-04Change account deletion page to have better explanations (#11753)Eugen Rochko
Fix deletion of unconfirmed account not freeing up the username Add prefill of logged-in user's email in the reconfirmation form
2019-09-03Change OpenGraph description on sign-up page to reflect invite (#11744)Eugen Rochko
2019-07-30Add whitelist mode (#11291)Eugen Rochko
2019-07-22Change unconfirmed user login behaviour (#11375)Eugen Rochko
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-04-23Fix sign up button not saying sign up when invite is used (#10623)Eugen Rochko
Fix #10616
2019-04-09Add "why do you want to join" field to invite requests (#10524)Eugen Rochko
* Add "why do you want to join" field to invite requests Fix #10512 * Remove unused translations * Fix broken registrations when no invite request text is submitted
2019-03-14Admission-based registrations mode (#10250)Eugen Rochko
Fix #6856 Fix #6951
2018-11-16Change the password form order (#9267)mayaeh
* Change order of password. * Update Japanese translation for "Show thread". * Separate the translation PR.
2018-10-30Fix td instead of th in sessions table header (#9162)Eugen Rochko
Fix #9130
2018-09-18Redesign forms, verify link ownership with rel="me" (#8703)Eugen Rochko
* Verify link ownership with rel="me" * Add explanation about verification to UI * Perform link verifications * Add click-to-copy widget for verification HTML * Redesign edit profile page * Redesign forms * Improve responsive design of settings pages * Restore landing page sign-up form * Fix typo * Support <link> tags, add spec * Fix links not being verified on first discovery and passive updates
2018-08-23When registrations closed, link "Sign up" to joinmastodon.org (#8395)Eugen Rochko
Fix #8393
2018-07-28Redesign public profiles and toots (#8068)Eugen Rochko
2018-06-15Add autofollow option to invites (#7805)Eugen Rochko
* Add autofollow option to invites * Trigger CodeClimate rebuild
2018-05-06Add contact e-mail hint to 2FA login form (#7376)Eugen Rochko
2018-03-07Add headings to the security settings page (#6661)Sylvhem
* Changes the headings' rank of the security settings section This commit changes the existing headings' rank of the security settings section from level 6 to level 4. * Renames the auth.change_password string into auth.security The "Security" preferences' section used to be called "Change password". When it was renamed, the string name wasn't changed. This commits changes auth.change_password to auth.security. * Adds a heading to the password change form There was previously no heading for the part of the "Security" page that contain the password change form. This commit adds a rank 4 heading to this section and reintroduces an "auth.change_password" string to be used inside it. * Removes useless HR elements The various sections of the "Security" settings page were previously separated by HR elements. Now that there is proper headings, they're not required anymore. * Updates CSS This commit updates CSS in such a way that the same style is applied to all the H4 elements of the settings. * Correct a mistake A character went missing on one of the previous commits, broking the CSS. This new commit fixes it.
2018-03-04Fix #6611: Typo in change password template (#6616)Eugen Rochko
2018-02-28Fix #942: Seamless LDAP login (#6556)Eugen Rochko
2018-02-10Fix password recovery (#6459)ThibG
* Fix password recovery * Use “resource” instead of “current_user”
2018-02-04CAS + SAML authentication feature (#6425)Eugen Rochko
* Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add locales
2018-02-02pam authentication (#5303)Alexander
* add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
2018-01-12Handle sessions that can't be translated (#6245)Jeong Arm
* Handle sessions that can't be translated This commit fixes #6165. * Fix typo
2017-11-27Add consumable invites (#5814)Eugen Rochko
* Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
2017-10-11sign_in and sign_up views present og meta infos (#5308)takayamaki