272de95175
FIX: client duplicate registration should be cleaned up
...
If for any reason we are unable to correct client id on a user api key
invalidate old keys for client/user
2018-08-22 12:56:49 +10:00
5f1fd0019b
FEATURE: Allow revoke and connect for GitHub logins
2018-07-27 17:18:53 +01:00
6296f63804
FEATURE: Revoke and connect for Yahoo logins
2018-07-27 16:20:47 +01:00
9c72c00206
FEATURE: Revoke and reconnect for Twitter logins
2018-07-27 12:28:51 +01:00
fa399ce1c5
FEATURE: Add revoke and reconnect functionality for google logins
2018-07-25 16:03:14 +01:00
eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 ( #6099 )
...
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
2dc3a50dac
FIX: Do not update `last seen` time for suspended users
2018-07-18 16:04:57 +01:00
7fc8a36529
DEV: Take 2 Queue jobs in tests by default.
...
On my machine this cuts the time taken to run our test suite
from ~11mins to ~9mins.
2018-05-31 16:23:23 +08:00
56e9ff6853
Revert "DEV: Queue jobs in tests by default."
...
Too risky for now
This reverts commit be28154d3b
2018-05-31 15:34:46 +08:00
be28154d3b
DEV: Queue jobs in tests by default.
2018-05-31 14:45:47 +08:00
543b7cddfb
FIX: Extra comma resulted in Github auth email result being an array.
...
https://meta.discourse.org/t/github-2fa-flow-broken/88674
2018-05-30 12:15:12 +08:00
d366f8d888
remove hack that destabliazed tese suite
2018-05-24 10:48:16 +10:00
f6d412465b
FIX: apply automatic group rules when using social login providers
2018-05-23 02:26:07 +03:00
2cf6fb7359
FIX: always unstage users when they log in
2018-05-13 17:00:02 +02:00
3a06cb461e
FEATURE: remove support for legacy auth tokens
2018-05-04 10:12:10 +10:00
c5d26992d4
Prefer to use primary email for new user creation over other available emails
2018-03-19 17:10:35 +05:30
215c0d5569
FEATURE: allow system api to target users via external id or user id
...
usage ?api_key=XYZ&api_user_external_id=ABC
usage ?api_key=XYZ&api_user_id=123
2018-01-12 17:40:18 +11:00
988b13ac77
FIX: GitHub auth always asking to verify email for new users ( #5487 )
2018-01-12 15:17:29 +11:00
81b3a4a3da
improve spec
2017-12-15 11:42:51 +11:00
67aecff59c
FEATURE: store twitter supplied email for auditing
2017-12-14 15:54:32 +11:00
6ade508f39
FIX: Prevent 'rack.input' missing error.
2017-12-12 16:40:35 +08:00
68d3c2c74f
FEATURE: add global rate limiter for admin api 60 per minute
...
Also move configuration of admin and user api rate limiting into global
settings. This is not intended to be configurable per site
2017-12-11 11:07:22 +11:00
dd70ef3abf
Revert "Revert "PERF: improve speed of rate limiter""
...
This reverts commit 2373d85239
2017-12-04 21:23:11 +11:00
2373d85239
Revert "PERF: improve speed of rate limiter"
...
This reverts commit a9bcdd7f27
2017-12-04 21:19:28 +11:00
a9bcdd7f27
PERF: improve speed of rate limiter
...
Also
- adds a global rate limiter option
- cleans up usage in tests
- fixes freeze_time so it handles clock_gettime
2017-12-04 18:17:30 +11:00
804b4f32f8
better error message when API authentication fails
2017-10-20 20:05:34 +05:30
2db66072d7
SECURITY: signup without verified email using Google auth
2017-10-16 13:51:41 -04:00
d0f5a3d7a4
`Sidekiq::Testing.fake!` is the default mode.
2017-08-24 09:40:19 +09:00
5868508e98
GH#retrieve_avatar: simplify conditional and restructured testing
2017-08-22 23:46:50 -04:00
49f0119c12
FEATURE: import Github profile picture
2017-08-22 20:23:47 -04:00
5012d46cbd
Add rubocop to our build. ( #5004 )
2017-07-28 10:20:09 +09:00
fcfc895167
FIX: new sign-ups via google are added to groups
...
This fix ensures that users that are signing up via google oauth are
automatically added to any groups.
A similar fix will probably need to be added to other oauth providers.
2017-07-07 14:08:58 -06:00
8fd915a11a
Revert "FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out"
2017-06-21 16:18:24 -04:00
1716747810
FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out
2017-06-20 13:30:36 -04:00
99f4d5082b
FIX: Improve token rotation and increase logging
...
- avoid access denied on bad cookie, instead just nuke it
- avoid marking a token unseen for first minute post rotation
- log path in user auth token logs
2017-03-07 13:27:43 -05:00
76dd6933d2
Revert "Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."""
...
This reverts commit e6d75f6844
2017-03-01 10:16:59 +08:00
122fb8025d
FIX: last seen date erroneously updated when browser in background
...
In some cases user may be "last seen" even though browser tab is in
the background or computer is locked
2017-02-28 12:35:10 -05:00
e6d75f6844
Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email.""
...
This reverts commit 0e3def7d2b
2017-02-28 11:27:14 +08:00
0e3def7d2b
Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."
...
This reverts commit 1060239e2d
2017-02-27 13:19:26 -05:00
1060239e2d
SECURITY: Ensure oAuth authenticated email is the same as created user's email.
2017-02-24 13:13:10 +08:00
0847b4258a
Revert "SECURITY: Ensure that user has been authenticated."
...
This reverts commit fbe51d68a7
2017-02-24 13:12:29 +08:00
fbe51d68a7
SECURITY: Ensure that user has been authenticated.
2017-02-24 10:47:48 +08:00
ea1007e954
FEATURE: add support for same site cookies
...
Defaults to Lax, can be disabled or set to Strict.
Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00
b7d2edc7dc
FIX: allow some auth token misses prior to clearing cookie
...
It appears that in some cases ios queues up requests up front
and "releases" them when tab gets focus, this allows for a certain
number of cookie misses for this case. Otherwise you get logged off.
2017-02-22 12:37:11 -05:00
7a85469c4c
SECURITY: inactive/suspended accounts should be banned from api
...
Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:03:09 -05:00
ff49f72ad9
FEATURE: per client user tokens
...
Revamped system for managing authentication tokens.
- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes
New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.
Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
6ff309aa80
SECURITY: don't grant same privileges to user_api and api access
...
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
2016-12-16 12:05:43 +11:00
2ddabc3928
FIX: protect against future regressions of google omniauth
2016-11-07 12:48:00 +11:00
f4f5524190
FEATURE: user API now contains scopes so permission is granular
...
previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.
2016-10-14 16:05:42 +11:00
2ae7c47a3c
Add support for email whitelist/blacklist to GitHub auth
...
If a site is configured for GitHub logins, _**and**_ has an email domain
whitelist, it's possible to get in a state where a new user is locked to
a non-whitelist email (their GitHub primary) even though they have an
alternate email that's on the whitelist. In all cases, the GitHub
primary email is attempted first so that previously existing behavior
will be the default.
- Add whitelist/blacklist support to GithubAuthenticator (via
EmailValidator)
- Add multiple email support GithubAuthenticator
- Add test specs for GithubAuthenticator
- Add authenticator-agnostic "none of your email addresses are allowed"
error message.
2016-09-22 11:31:10 -07:00
8dc4329094
FEATURE: optionally get extra profile info from facebook
...
This feature requires the application be approved by facebook, so it is
default off
2016-09-19 16:14:11 +10:00
3ea68f8f6c
tweak headers so they can be consumed
2016-08-18 14:38:33 +10:00
fc095acaaa
Feature: User API key support (server side implementation)
...
- Supports throttled read and write
- No support for push yet, but data is captured about intent
2016-08-15 17:59:36 +10:00
5cc8bb535b
SECURITY: do cookie auth rate limiting earlier
2016-08-09 10:02:18 +10:00
16a383ea1e
SECURITY: limit bad cookie auth attempts
...
- Also cleans up the _t cookie if it is invalid
2016-07-28 12:58:49 +10:00
b5fbff947b
FIX: don't expire old sessions when logging in
2016-07-26 11:37:41 +10:00
df535c6346
FEATURE: refresh session cookie at most once an hour
...
This feature ensures session cookie lifespan is extended
when user is online.
Also decreases session timeout from 90 to 60 days.
Ensures all users (including logged on ones) get expiring sessions.
2016-07-25 12:07:31 +10:00
3e50313fdc
Prepare for separation of RSpec helper files
...
Since rspec-rails 3, the default installation creates two helper files:
* `spec_helper.rb`
* `rails_helper.rb`
`spec_helper.rb` is intended as a way of running specs that do not
require Rails, whereas `rails_helper.rb` loads Rails (as Discourse's
current `spec_helper.rb` does).
For more information:
https://www.relishapp.com/rspec/rspec-rails/docs/upgrade#default-helper-files
In this commit, I've simply replaced all instances of `spec_helper` with
`rails_helper`, and renamed the original `spec_helper.rb`.
This brings the Discourse project closer to the standard usage of RSpec
in a Rails app.
At present, every spec relies on loading Rails, but there are likely
many that don't need to. In a future pull request, I hope to introduce a
separate, minimal `spec_helper.rb` which can be used in tests which
don't rely on Rails.
2015-12-01 20:39:42 +00:00
0fd98b56d8
few components with rspec3 syntax
2015-01-09 13:34:37 -03:00
4d936325e7
test forwarding works as expected
2014-11-24 17:16:11 +11:00
a9cda0f947
FEATURE: allow restricting API keys to a particular range
2014-11-20 15:21:49 +11:00
de76b512c1
fix most deprecations in the specs (still some left)
2014-09-25 17:44:48 +02:00
7c65adfd6f
FEATURE: raise an exception when the email is missing in the OpenId callback
2014-08-07 19:28:50 +02:00
cf254000cf
Revert "Revert "BUGFIX: improve error messages for invalid API keys""
...
This reverts commit e9afe28586
2014-05-23 08:43:19 +10:00
e9afe28586
Revert "BUGFIX: improve error messages for invalid API keys"
2014-05-22 14:55:36 -04:00
eeef775f21
BUGFIX: improve error messages for invalid API keys
...
BUGFIX: don't track last seen for message bus
2014-05-22 09:01:29 +10:00
742841ddce
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites.
2014-05-21 18:35:10 -04:00
5897d3419c
BUGFIX: identity_url was not fished out correctly
...
If I user logged in with Google and then changed email,
they would no longer be able to log in with google
2014-03-26 14:52:50 +11:00
95e936c299
cleanup API for looking up a user by email or username, add specs, fix invalid auto association in open id provider
2013-10-28 16:29:07 +11:00
d0b4c751b7
fix facebook authenticator
2013-08-26 17:36:20 +10:00
Sam
David Taylor
Guo Xiang Tan
OsamaSayegh
Régis Hanol
Vinoth Kannan
Arpit Jalan
Neil Lalonde
Kyle Zhao
Guo Xiang Tan
Blake Erickson
Robin Ward
Jared Reisinger
Andy Waite
Luciano Sousa