path: root/spec/controllers/auth
Age | Commit message | Author
2019-09-18 | Add password challenge to 2FA settings, e-mail notifications (#11878) | Eugen Rochko
Fix #3961
2019-09-15 | Fix 2FA challenge and password challenge for non-database users (#11831) | Eugen Rochko
* Fix 2FA challenge not appearing for non-database users
  Fix #11685
* Fix account deletion not working when using external login
  Fix #11691
2019-07-22 | Change unconfirmed user login behaviour (#11375) | Eugen Rochko
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account.
Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review.
After sign up, log in users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses.
Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-05-02 | Check that an invite link is valid before bypassing approval mode (#10657) | ThibG
* Check that an invite link is valid before bypassing approval mode
  Fixes #10656
* Add tests
* Only consider valid invite links in registration controller
* fixup
2019-03-14 | Admission-based registrations mode (#10250) | Eugen Rochko
Fix #6856
Fix #6951
2018-10-20 | fix: Execute PAM authentication tests on CircleCI (#9029) | takayamaki
and use 'if' option of context block
2018-10-20 | Do not test PAM authentication by default (#9027) | Eugen Rochko
* Do not test PAM authentication by default
* Disable PAM tests if PAM is not enabled
2018-10-04 | Lint pass (#8876) | aus-social
2018-09-09 | Add force_login option to OAuth authorize page (#8655) | Eugen Rochko
* Add force_login option to OAuth authorize page
  For when a user needs to sign into an app from multiple accounts on the same server
* When logging out from modal header, redirect back after re-login
2018-06-21 | Add missing tests for confirmations controller (#7866) | Shuhei Kitagawa
2018-04-21 | Reset locale on registration tests (#7219) | Yamagishi Kazutoshi
2018-04-21 | Use raw status code on have_http_status (#7214) | Yamagishi Kazutoshi
2018-04-11 | update gem, test pam authentication (#7028) | Alexander
* update gem, test pam authentication
* add description for test parameters
* fix inclusion of optional group
2018-01-05 | Fix email confirmation link not updating email (#6187) | Patrick Figel
A change introduced in #6125 prevents `Devise::Models::Confirmable#confirm` from being called for existing users, which in turn leads to `email` not being set to `unconfirmed_email`, breaking email updates. This also adds a test that would've caught this issue.
2017-09-10 | Default follows for new users (#4871) | Eugen Rochko
When a new user confirms their e-mail, bootstrap their home timeline by automatically following a set of accounts. By default, all local admin accounts (that are unlocked). Can be customized by new admin setting (comma-separated usernames, local and unlocked only)
2017-08-05 | Add "signed in as" header to some pages (#4523) | Eugen Rochko
2017-08-03 | Redirect to PasswordController#new when reset_password_token is invalid (#4506) | nullkal
2017-06-25 | Cover Auth::RegistrationsController more (#3353) | Akihiko Odaki (@fn_aki@pawoo.net)
2017-06-11 | Make sure email is case insensitive on all places (#3688) | René Klačan
When case insensitivity is enabled via devise's `config.case_insensitive_keys`, then the `.find_for_authentication` method needs to be used instead of `.find_by` because the second mentioned returns `nil` when a valid email with different cases is passed.
More info: https://github.com/plataformatec/devise/wiki/How-To:-Use-case-insensitive-emails
2017-05-29 | Spec Auth::ConfirmationsController (#3348) | Akihiko Odaki
2017-05-29 | Spec Auth::PasswordsController (#3352) | Akihiko Odaki
2017-05-26 | Go to root after login in single user mode (#3289) | Akinori MUSHA
In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
2017-05-23 | Fix Devise destroy method being available to delete user record (#3266) | Eugen Rochko
(You may think that we need account deletions, but this way would've just orphaned the db records)
2017-05-02 | Auth sign out (#2511) | Matt Jankowski
* Add a spec for signing out
* Add spec showing that suspended user gets a 403 forbidden on sign out
* Allow suspended account users to sign out
2017-04-27 | Catch error when server decryption fails on 2FA (#2512) | Matt Jankowski
2017-04-25 | Localize with i18n for Devise::FailureApp (#2309) | alpaca-tc
This PR fixes I18n.locale for rake middlewares. Mastodon uses Devise that depends on Warden. Warden::Manager can be found in rake middleware. It is outside of the controller. In the case of authentication failed, warden calls throw(:warden). At the time Warden::Manager delegates request to failure_app to generate response and flash[:alert] after catching it. Unfortunately, I18n.locale is already reset then because I18n.with_locale is enabled only inside the controller. If we used I18n.locale=, Devise::FailureApp could get the current locale.
2017-04-17 | Assign user locale on signup (#1982) | saturday06
2017-04-15 | Add recovery code support for two-factor auth (#1773) | Patrick Figel
* Add recovery code support for two-factor auth
  When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerate lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time.
  Fixes #563 and fixes #987
* Set OTP_SECRET in test environment
* add missing .html to view file names
2017-04-09 | Fix /api/v1/accounts/update_credentials tests (#1357) | Eugen
2017-01-04 | Fix #390 - fix redirect after sign-up (to login page instead of homepage) | Eugen Rochko
2016-11-17 | Fix #148 - Devise mailer fixed, test spec added so it won't slip past again | Eugen Rochko
2016-09-26 | Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app | Eugen Rochko
registration API
2016-08-17 | Upgrade to Rails 5.0.0.1 | Eugen Rochko
2016-03-28 | Remember me enabled by default | Eugen Rochko