about summary refs log tree commit diff
path: root/config/initializers/devise.rb
AgeCommit message (Collapse)Author
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-02-11Drop dependency on secure_headers, fix response headers (#15712)Claire
* Drop dependency on secure_headers, use always_write_cookie instead * Fix cookies in Tor Hidden Services by moving configuration to application.rb * Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
2021-02-11Onion service related changes to HTTPS handling (#15560)Cecylia Bocovich
* Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland <me@drbonez.dev>
2020-11-06Fix cookies not having a SameSite attribute (#15098)Eugen Rochko
2019-12-01:sparkles: Add an LDAP Mail attribute config (#12053)Mathieu Brunot
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2019-12-01:sparkles: Convert LDAP username (#12461)Mathieu Brunot
* :sparkles: Convert LDAP username #12021 Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io> * :bug: Fix conversion var use Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io> * :bug: Fix LDAP uid conversion test Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io> * :ok_hand: Remove comments with ref to PR Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io> * :ok_hand: Remove unnecessary paranthesis Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io> * :wrench: Move space in conversion string Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2019-09-24Fix authentication before 2FA challenge (#11943)Eugen Rochko
Regression from #11831
2019-09-15Fix 2FA challenge and password challenge for non-database users (#11831)Eugen Rochko
* Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
2019-01-15Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers ↵Moritz Heiber
(#9819)
2018-09-08feat(cookies): Use the same-site attribute to lax (#8626)Sorin Davidoi
CSFR-prevention is already implemented but adding this doesn't hurt. A brief introduction to Same-Site cookies (and the difference between strict and lax) can be found at https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ TLDR: We use lax since we want the cookies to be sent when the user navigates safely from an external site.
2018-08-15Add ldap search filter (#8151)Immae
2018-07-25Add secure option to additional cookie (#8069)abcang
2018-03-20Add LDAP_TLS_NO_VERIFY option, don't require LDAP_ENABLED outside .env (#6845)Eugen Rochko
Fix #6816, fix #6790
2018-03-19rename pam email environment variable to something more understandable and ↵Alexander
default to LOCAL_DOMAIN (better fallback) (#6833)
2018-03-02fix logic for pam_controlled_service (#6599)Alexander
2018-02-28Fix #942: Seamless LDAP login (#6556)Eugen Rochko
2018-02-04Make PAM gem optional, allow configuration over environment (#6415)Eugen Rochko
2018-02-02pam authentication (#5303)Alexander
* add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
2018-01-02Add confirmation step for email changes (#6071)Patrick Figel
* Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
2017-08-12Extend Devise remember_me longevity to 1 year instead of 2 weeks (#4587)Eugen Rochko
Force SSL only cookies for remember_me, adjust confirmation expiration time to fit with the user cleanup scheduler
2017-07-22Fix sessions being replaced needlessly (#4292)Eugen Rochko
2017-07-07Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091)Eugen Rochko
* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions * Fix tests, smooth migrate from previous session-based identifier
2017-06-25Add overview of active sessions (#3929)Eugen Rochko
* Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
2017-06-23Revocable sessions (#3616)Sorin Davidoi
* feat: Revocable sessions * fix: Tests using sign_in * feat: Configuration entry for the maximum number of session activations
2017-04-15Add recovery code support for two-factor auth (#1773)Patrick Figel
* Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names
2017-04-11Avoid user enumeration with devise paranoid mode (#1527)Yann GUERN
2017-01-27Do not automatically login after password reset, as it would circumvent ↵Eugen Rochko
two-factor auth (if enabled) Do not require e-mail address changes to be re-confirmed, it's only trouble for no real benefit
2017-01-27Added optional two-factor authenticationEugen Rochko
2016-11-16i18n for devise mailer tooEugen Rochko
2016-03-16Adding e-mail configurationEugen Rochko
2016-03-07Adding doorkeeper, adding a REST APIEugen Rochko
POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
2016-03-05Removing grape and adding deviseEugen Rochko