Commit Graph

54 Commits

Author SHA1 Message Date
Neil Lalonde 8fd915a11a Revert "FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out" 2017-06-21 16:18:24 -04:00
Neil Lalonde 1716747810 FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out 2017-06-20 13:30:36 -04:00
Sam 99f4d5082b FIX: Improve token rotation and increase logging
- avoid access denied on bad cookie, instead just nuke it
- avoid marking a token unseen for first minute post rotation
- log path in user auth token logs
2017-03-07 13:27:43 -05:00
Sam 122fb8025d FIX: last seen date erroneously updated when browser in background
In some cases user may be "last seen" even though browser tab is in
the background or computer is locked
2017-02-28 12:35:10 -05:00
Sam ea1007e954 FEATURE: add support for same site cookies
Defaults to Lax, can be disabled or set to Strict.

Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00
Sam ad435da377 fix typo 2017-02-23 10:58:53 -05:00
Sam Saffron b7d2edc7dc FIX: allow some auth token misses prior to clearing cookie
It appears that in some cases ios queues up requests up front
and "releases" them when tab gets focus, this allows for a certain
number of cookie misses for this case. Otherwise you get logged off.
2017-02-22 12:37:11 -05:00
Sam 7a85469c4c SECURITY: inactive/suspended accounts should be banned from api
Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:03:09 -05:00
Sam 0ab96a7691 FEATURE: add hidden setting for verbose auth token logging
This is only needed to debug auth token issues, will result in lots
of logging
2017-02-13 14:01:09 -05:00
Sam ff49f72ad9 FEATURE: per client user tokens
Revamped system for managing authentication tokens.

- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes

New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.

Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
Sam 6ff309aa80 SECURITY: don't grant same privileges to user_api and api access
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
2016-12-16 12:05:43 +11:00
Sam b246f1a694 FEATURE: set secure flag on _t cookie if https is forced 2016-10-17 12:11:49 +11:00
Sam f4f5524190 FEATURE: user API now contains scopes so permission is granular
previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.
2016-10-14 16:05:42 +11:00
Sam be0fd5b4cc FEATURE: allow user api key revocation for read only keys 2016-09-02 17:04:00 +10:00
Sam c4bf138d2c FIX: incorrect error being raised 2016-08-26 10:39:13 +10:00
Sam b09922b58a we have to allow message bus for read clients 2016-08-19 15:22:52 +10:00
Sam 3ea68f8f6c tweak headers so they can be consumed 2016-08-18 14:38:33 +10:00
Sam 416e7e0d1e FEATURE: basic UI to view user api keys 2016-08-16 17:06:52 +10:00
Sam fc095acaaa Feature: User API key support (server side implementation)
- Supports throttled read and write
- No support for push yet, but data is captured about intent
2016-08-15 17:59:36 +10:00
Sam 5cc8bb535b SECURITY: do cookie auth rate limiting earlier 2016-08-09 10:02:18 +10:00
Sam 16a383ea1e SECURITY: limit bad cookie auth attempts
- Also cleans up the _t cookie if it is invalid
2016-07-28 12:58:49 +10:00
Sam b5fbff947b FIX: don't expire old sessions when logging in 2016-07-26 11:37:41 +10:00
Sam c1f62d8657 Revert "make upgrade a bit more seamless"
This reverts commit 78b88a1633.
2016-07-25 12:49:33 +10:00
Sam 78b88a1633 make upgrade a bit more seamless 2016-07-25 12:30:52 +10:00
Sam df535c6346 FEATURE: refresh session cookie at most once an hour
This feature ensures session cookie lifespan is extended
when user is online.

Also decreases session timeout from 90 to 60 days.
Ensures all users (including logged on ones) get expiring sessions.
2016-07-25 12:07:31 +10:00
Arpit Jalan a9207dafa7 FEATURE: configure session time via site setting for all the users (#4343) 2016-07-23 02:57:30 +05:30
Guo Xiang Tan 22ade1f811
FEATURE: Add event trigger when a user is logged out. 2016-07-04 17:20:30 +08:00
Sam f88cf4e2f0 Merge pull request #4226 from xfalcox/non-persistent-session
FEATURE: add setting permanent_session_cookie to configure session st…
2016-06-29 16:47:31 +10:00
Régis Hanol 9704603fab FEATURE: sendgrid webhooks 2016-06-01 21:48:06 +02:00
Sam 52c3b0b0ce clear mini profiler cookie when admin logs off 2016-05-18 17:27:54 +10:00
Rafael dos Santos Silva 09ef5f613e FEATURE: add setting permanent_session_cookie to configure session stickiness
Now admins can turn make the login cookie die after the browser is closed, so the user needs to log in everytime.
2016-05-17 01:12:09 -03:00
Arpit Jalan 74b3807f60 FEATURE: new bootstrap mode settings for brand new Discourse community (#4193)
* FEATURE: new bootstrap mode settings for brand new Discourse community

* new SiteSetting.set_and_log method
2016-04-26 13:08:19 -04:00
Sam 803feefd54 MessageBus handles readonly redis now, no need to wrap it 2015-05-04 12:21:00 +10:00
Robin Ward 5b3f99aa50 Don't blow up if Redis switches to READONLY 2015-04-24 14:37:16 -04:00
Sam 3483c8318f FEATURE: logging out logs you out everywhere
can be disabled by changing the setting "log_out_strict" to false
2015-01-28 12:56:41 +11:00
Sam a9cda0f947 FEATURE: allow restricting API keys to a particular range 2014-11-20 15:21:49 +11:00
Sam aa9b3bb35a FEATURE: allow long polling to go to a different url
Added the site setting long_polling_base_url , this allows you
to farm long polling to a different server.

This setting is very important if a CDN is serving dynamic content.
2014-10-24 13:38:38 +11:00
riking 12cb682548 Start passing more context to Discourse.handle_exception 2014-07-17 14:11:56 -07:00
Sam 67db561429 BUGFIX: missed a key rename
BUGFIX: API spec not enabling CSRF
2014-05-23 08:43:19 +10:00
Sam cf254000cf Revert "Revert "BUGFIX: improve error messages for invalid API keys""
This reverts commit e9afe28586.
2014-05-23 08:43:19 +10:00
Neil Lalonde e9afe28586 Revert "BUGFIX: improve error messages for invalid API keys" 2014-05-22 14:55:36 -04:00
Sam eeef775f21 BUGFIX: improve error messages for invalid API keys
BUGFIX: don't track last seen for message bus
2014-05-22 09:01:29 +10:00
Louis Rose 1574485443 Perform the where(...).first to find_by(...) refactoring.
This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb"
2014-05-06 14:41:59 +01:00
Neil Lalonde 1da59e7e2e FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00
Sam 7e7c4efcc0 FEATURE: on initial boot hint users on how to get admin 2014-03-24 18:03:39 +11:00
Sam 2c8ae22b87 FEATURE: add a simple queue Scheduler::Defer.later {}
For quick jobs that do not need to be sent to sidekiq,
runs inline in a single thread but does not block
2014-03-17 12:16:19 +11:00
Sam ceb80611d6 PERF: defer last_ip_address and last_seen updates 2014-03-03 15:16:38 +11:00
Neil Lalonde 0c6f794eb0 Used the term suspended instead of banned. 2013-11-07 13:53:49 -05:00
Sam 8ff35d4b10 automatically make developers admins on account creation, this solves the user #1 problem
you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined
2013-11-02 10:26:02 +11:00
Régis Hanol b56b11d96a add qunit to autospec 2013-11-01 23:57:50 +01:00