Commit Graph

104 Commits

Author SHA1 Message Date
Martin Brennan 66f2db4ea4 SECURITY: 2FA with U2F / TOTP 2020-01-15 11:27:12 +01:00
David Taylor 5eda44f8f2 FIX: Do not redirect to `/auth/*` urls after authentication
When using the login confirmation screen, the referrer URL is `/auth/{provider}`. That means that the user is redirected back to the confirmation screen after logging in, even though login was successful. This is very confusing. Instead, they should be redirected to the homepage.
2020-01-08 17:06:03 +00:00
Sam Saffron 0c52537f10 DEV: update rubocop to version 0.77
We like to stay as close as possible to latest with rubocop cause the cops
get better.

This update required some code changes, specifically the default is to avoid
explicit returns where implicit is done

Also this renames a few rules
2019-12-10 11:48:39 +11:00
Joffrey JAFFEUX 0d3d2c43a0
DEV: s/\$redis/Discourse\.redis (#8431)
This commit also adds a rubocop rule to prevent global variables.
2019-12-03 10:05:53 +01:00
David Taylor d2bceff133
FEATURE: Use full page redirection for all external auth methods (#8092)
Using popups is becoming increasingly rare. Full page redirects are already used on mobile, and for some providers. This commit removes all logic related to popup authentication, leaving only the full page redirect method.

For more info, see https://meta.discourse.org/t/do-we-need-popups-for-login/127988
2019-10-08 12:10:43 +01:00
Krzysztof Kotlarek 427d54b2b0 DEV: Upgrading Discourse to Zeitwerk (#8098)
Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains. 

We no longer need to use Rails "require_dependency" anywhere and instead can just use standard 
Ruby patterns to require files.

This is a far reaching change and we expect some followups here.
2019-10-02 14:01:53 +10:00
David Taylor de4bf6ee9f FIX: When activating via omniauth, create tokens after password reset
Resetting a password invalidates all email tokens, so we need to create the tokens after the password reset.
2019-08-28 14:43:25 +01:00
David Taylor a5e198fa30 SECURITY: Reset password when activating an account via auth provider
Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
2019-08-28 14:07:07 +01:00
David Taylor 9878bc62b3 Revert "Merge pull request from GHSA-7cmh-wm9h-j63f"
This reverts commit 8e5a8d1d54. The change will be re-applied with improvements.
2019-08-28 14:07:03 +01:00
David Taylor 8e5a8d1d54 Merge pull request from GHSA-7cmh-wm9h-j63f 2019-08-27 09:11:19 -07:00
Blake Erickson 893d30fb92 REVERT: External auth when redeeming invites
Reverting this commit:

87a0a6664e

because I'm extracting all of this logic into a plugin instead.
2019-08-16 12:44:14 -06:00
David Taylor 750802bf56
UX: Improve error handling for common OmniAuth exceptions (#7991)
This displays more useful messages for the most common issues we see:
- CSRF (when the user switches browser)
- Invalid IAT (when the server clock is wrong)
- OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect

This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase.
2019-08-12 10:55:02 +01:00
Blake Erickson 87a0a6664e FEATURE: External auth when redeeming invites
This feature (when enabled) will allow for invite_only sites to require
external authentication before they can redeem an invite.

- Created hidden site setting to toggle this
- Enables sending invites with local logins disabled
- OAuth button added to invite form
- Requires OAuth email address to match invite email address
- Prevents redeeming invite if OAuth authentication fails
2019-08-11 12:20:02 -06:00
David Taylor 6d3d08daad UX: Hide login/signup header buttons during authentication flows 2019-08-08 13:57:18 +01:00
David Taylor 3b8c468832 SECURITY: Require POST with CSRF token for OmniAuth request phase 2019-08-08 11:58:00 +01:00
David Taylor 0a6cae654b SECURITY: Add confirmation screen when connecting associated accounts 2019-07-24 10:28:15 +01:00
David Taylor 2063d20e9a Revert "DEV: Let OmniAuth strategies return auth result. (#7833)"
This reverts commit dc5eb76551.

It is better to keep any custom redirect logic within omniauth, without relying on the app
2019-07-04 10:06:18 +01:00
Dan Ungureanu dc5eb76551 DEV: Let OmniAuth strategies return auth result. (#7833) 2019-07-01 13:13:11 -03:00
Dan Ungureanu ee8669d778
FIX: Ensure :after_auth event is triggered. (#7791) 2019-06-21 21:57:49 +03:00
Dan Ungureanu a046f6ced5 FEATURE: Trigger Discourse events from authenticators. (#7724) 2019-06-11 11:28:42 +10:00
David Taylor 1299c94a52 FIX: Make serverside and clientside omniauth origin redirects consistent
Previously external domains were allowed in the client-side redirects, but not the server-side redirects. Now the behavior is to only allow local origins.
2019-05-15 12:40:51 +01:00
Sam Saffron 30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Leo McArdle b084750953 FIX: don't redirect incorrectly after full screen login (#7170)
Fixes two issues:
1. Redirecting to an external origin's path after login did not work
2. User would be erroneously redirected to the external origin after logout

https://meta.discourse.org/t/109755
2019-03-19 12:39:13 +00:00
David Taylor 0f734e2ae2 FIX: Return authenticated=true when reconnecting
This prevents a registration popup on the client
2018-12-11 17:40:02 +00:00
David Taylor c7c56af397
FEATURE: Allow connecting associated accounts when two-factor is enabled (#6754)
Previously the 'reconnect' process was a bit magic - IF you were already logged into discourse, and followed the auth flow, your account would be reconnected and you would be 'logged in again'.

Now, we explicitly check for a reconnect=true parameter when the flow is started, store it in the session, and then only follow the reconnect logic if that variable is present. Setting this parameter also skips the 'logged in again' step, which means reconnect now works with 2fa enabled.
2018-12-11 13:19:00 +00:00
Vinoth Kannan 92bf3c667e FIX: Flash authentication data not rendered in latest iOS safari browser 2018-10-30 04:00:36 +05:30
Vinoth Kannan ca74246651 FIX: redirect users to SSO client URL after social login 2018-10-05 00:01:08 +05:30
Régis Hanol de92913bf4 FIX: store the topic links using the cooked upload url 2018-08-14 12:23:32 +02:00
David Taylor 812add18bd REFACTOR: Serve auth provider information in the site serializer.
At the moment core providers are hard-coded in Javascript, and plugin providers get added to the JS payload at compile time. This refactor means that we only ship enabled providers to the client.
2018-08-06 09:25:48 +01:00
David Taylor eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099)
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
Vinoth Kannan 06deffc9da FIX: returns provider_not_enabled error even if enabled 2018-07-13 22:49:30 +05:30
David Taylor 9a813210b9 SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)
Do not allow authentication with disabled plugin-supplied auth providers
2018-07-09 14:25:58 +10:00
Guo Xiang Tan 21e9315416 FIX: Use user account email instead of auth email when totp is enabled.
https://meta.discourse.org/t/github-2fa-flow-broken/88674
2018-05-30 12:15:12 +08:00
Régis Hanol 2cf6fb7359 FIX: always unstage users when they log in 2018-05-13 17:00:02 +02:00
Guo Xiang Tan 142571bba0 Remove use of `rescue nil`.
* `rescue nil` is a really bad pattern to use in our code base.
  We should rescue errors that we expect the code to throw and
  not rescue everything because we're unsure of what errors the
  code would throw. This would reduce the amount of pain we face
  when debugging why something isn't working as expexted. I've
  been bitten countless of times by errors being swallowed as a
  result during debugging sessions.
2018-04-02 13:52:51 +08:00
Guo Xiang Tan fb75f188ba FEATURE: Disallow login via omniauth when user has 2FA enabled. 2018-03-01 15:47:07 +08:00
Guo Xiang Tan 5a462b930d REFACTOR: Prefer `exists?` over `present`. 2018-03-01 10:22:41 +08:00
Régis Hanol e2d82b882e FIX: redirect to original URL after social login 2018-01-26 18:52:27 +01:00
Arpit Jalan 492af81e67 FIX: save registration_ip_address for staged users logging in via social auth 2017-12-12 17:41:16 +05:30
Robin Ward cef64e8f03 UX: Use `no_ember` styling for omniauth error page 2017-11-15 14:04:26 -05:00
Guo Xiang Tan 77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Arpit Jalan 4e49b3b140 FIX: do not create new email token if there already exists a confirmed one 2017-09-14 10:52:29 +05:30
Leo McArdle 104d97695d FIX: don't activate un-confirmed email on omniauth authentication (#5176) 2017-09-12 17:36:17 +02:00
Guo Xiang Tan 5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Régis Hanol 038454bde2 FIX: always confirm emails when SSO says so 2017-06-08 01:05:33 +02:00
Robin Ward ca965f83c3 Revert "FIX: If login is required, redirect to the `/login` route instead of root"
This reverts commit 8a8dec550b.
2017-05-25 14:04:28 -04:00
Robin Ward 8a8dec550b FIX: If login is required, redirect to the `/login` route instead of root 2017-05-25 13:35:15 -04:00
Robin Ward 777f1f0f47 FIX: Return a 404 if the auth session is not present 2017-05-04 15:35:24 -04:00
Arpit Jalan 7fb17b83c4 FIX: confirm email token for user created via social login 2017-04-13 14:15:32 +05:30
Guo Xiang Tan 3d347fb9c4 FIX: Don't mark user as `active` if verified email is different. 2017-03-02 14:24:30 +08:00