Commit Graph

140 Commits

Author SHA1 Message Date
David Taylor 3b8c468832 SECURITY: Require POST with CSRF token for OmniAuth request phase 2019-08-08 11:58:00 +01:00
David Taylor 0a6cae654b SECURITY: Add confirmation screen when connecting associated accounts 2019-07-24 10:28:15 +01:00
David Taylor 2063d20e9a Revert "DEV: Let OmniAuth strategies return auth result. (#7833)"
This reverts commit dc5eb76551.

It is better to keep any custom redirect logic within omniauth, without relying on the app
2019-07-04 10:06:18 +01:00
Dan Ungureanu dc5eb76551 DEV: Let OmniAuth strategies return auth result. (#7833) 2019-07-01 13:13:11 -03:00
Dan Ungureanu ee8669d778
FIX: Ensure :after_auth event is triggered. (#7791) 2019-06-21 21:57:49 +03:00
Dan Ungureanu a046f6ced5 FEATURE: Trigger Discourse events from authenticators. (#7724) 2019-06-11 11:28:42 +10:00
David Taylor 1299c94a52 FIX: Make serverside and clientside omniauth origin redirects consistent
Previously external domains were allowed in the client-side redirects, but not the server-side redirects. Now the behavior is to only allow local origins.
2019-05-15 12:40:51 +01:00
Sam Saffron 30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Leo McArdle b084750953 FIX: don't redirect incorrectly after full screen login (#7170)
Fixes two issues:
1. Redirecting to an external origin's path after login did not work
2. User would be erroneously redirected to the external origin after logout

https://meta.discourse.org/t/109755
2019-03-19 12:39:13 +00:00
David Taylor 0f734e2ae2 FIX: Return authenticated=true when reconnecting
This prevents a registration popup on the client
2018-12-11 17:40:02 +00:00
David Taylor c7c56af397
FEATURE: Allow connecting associated accounts when two-factor is enabled (#6754)
Previously the 'reconnect' process was a bit magic - IF you were already logged into discourse, and followed the auth flow, your account would be reconnected and you would be 'logged in again'.

Now, we explicitly check for a reconnect=true parameter when the flow is started, store it in the session, and then only follow the reconnect logic if that variable is present. Setting this parameter also skips the 'logged in again' step, which means reconnect now works with 2fa enabled.
2018-12-11 13:19:00 +00:00
Vinoth Kannan 92bf3c667e FIX: Flash authentication data not rendered in latest iOS safari browser 2018-10-30 04:00:36 +05:30
Vinoth Kannan ca74246651 FIX: redirect users to SSO client URL after social login 2018-10-05 00:01:08 +05:30
Régis Hanol de92913bf4 FIX: store the topic links using the cooked upload url 2018-08-14 12:23:32 +02:00
David Taylor 812add18bd REFACTOR: Serve auth provider information in the site serializer.
At the moment core providers are hard-coded in Javascript, and plugin providers get added to the JS payload at compile time. This refactor means that we only ship enabled providers to the client.
2018-08-06 09:25:48 +01:00
David Taylor eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099)
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
Vinoth Kannan 06deffc9da FIX: returns provider_not_enabled error even if enabled 2018-07-13 22:49:30 +05:30
David Taylor 9a813210b9 SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)
Do not allow authentication with disabled plugin-supplied auth providers
2018-07-09 14:25:58 +10:00
Guo Xiang Tan 21e9315416 FIX: Use user account email instead of auth email when totp is enabled.
https://meta.discourse.org/t/github-2fa-flow-broken/88674
2018-05-30 12:15:12 +08:00
Régis Hanol 2cf6fb7359 FIX: always unstage users when they log in 2018-05-13 17:00:02 +02:00
Guo Xiang Tan 142571bba0 Remove use of `rescue nil`.
* `rescue nil` is a really bad pattern to use in our code base.
  We should rescue errors that we expect the code to throw and
  not rescue everything because we're unsure of what errors the
  code would throw. This would reduce the amount of pain we face
  when debugging why something isn't working as expexted. I've
  been bitten countless of times by errors being swallowed as a
  result during debugging sessions.
2018-04-02 13:52:51 +08:00
Guo Xiang Tan fb75f188ba FEATURE: Disallow login via omniauth when user has 2FA enabled. 2018-03-01 15:47:07 +08:00
Guo Xiang Tan 5a462b930d REFACTOR: Prefer `exists?` over `present`. 2018-03-01 10:22:41 +08:00
Régis Hanol e2d82b882e FIX: redirect to original URL after social login 2018-01-26 18:52:27 +01:00
Arpit Jalan 492af81e67 FIX: save registration_ip_address for staged users logging in via social auth 2017-12-12 17:41:16 +05:30
Robin Ward cef64e8f03 UX: Use `no_ember` styling for omniauth error page 2017-11-15 14:04:26 -05:00
Guo Xiang Tan 77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Arpit Jalan 4e49b3b140 FIX: do not create new email token if there already exists a confirmed one 2017-09-14 10:52:29 +05:30
Leo McArdle 104d97695d FIX: don't activate un-confirmed email on omniauth authentication (#5176) 2017-09-12 17:36:17 +02:00
Guo Xiang Tan 5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Régis Hanol 038454bde2 FIX: always confirm emails when SSO says so 2017-06-08 01:05:33 +02:00
Robin Ward ca965f83c3 Revert "FIX: If login is required, redirect to the `/login` route instead of root"
This reverts commit 8a8dec550b.
2017-05-25 14:04:28 -04:00
Robin Ward 8a8dec550b FIX: If login is required, redirect to the `/login` route instead of root 2017-05-25 13:35:15 -04:00
Robin Ward 777f1f0f47 FIX: Return a 404 if the auth session is not present 2017-05-04 15:35:24 -04:00
Arpit Jalan 7fb17b83c4 FIX: confirm email token for user created via social login 2017-04-13 14:15:32 +05:30
Guo Xiang Tan 3d347fb9c4 FIX: Don't mark user as `active` if verified email is different. 2017-03-02 14:24:30 +08:00
Sam e6fcaadd45 FIX: redirects back to origin for SSO and omniauth login 2016-09-16 13:48:50 +10:00
Sam 0303080586 we do not define auth providers for builtins 2016-08-29 11:12:24 +10:00
Sam 22b8c0d44e FIX: fullscreen login set from client needs to be respected 2016-08-29 10:13:51 +10:00
Régis Hanol 841f36b058 FIX: automatically unstage user when signing in using OAuth 2016-04-04 19:04:10 +02:00
Ubuntu 5c603bf8ec Added Instagram login method 2016-02-25 12:13:59 +10:00
Robin Ward a9823ab59a FIX: Use a cookie to bypass the anon cache 2015-10-28 17:16:56 -04:00
Sam b6c2aa13e6 clean up implementation of non frame login / registration 2015-10-13 14:49:09 +11:00
Sam b3aebca406 FEATURE: allow auto provider to specify "full screen login"
this feature means we attempt to log in without opening a frame.
2015-10-13 12:23:34 +11:00
Robin Ward b4960d48b4 Better support for passing up errors when OmniAuth fails after auth 2015-06-24 12:12:43 -04:00
Neil Lalonde eaa1afeaf5 remove Google OpenID auth, since Google doesn't support it anymore 2015-05-25 15:13:44 -04:00
Neil Lalonde 7c14db44cc UX: improve message when admin login is blocked because of admin ip address whitelisting 2015-03-02 12:13:22 -05:00
Robin Ward 987504c6ab Rename `no_js` layout to `no_ember`
While *sometimes* `no_js` was used for visitors without js (for example
disabling it on your browser) it was also used for some pages that were
disabled to JS capable browsers, including the 404 page.

Even worse, sometimes it was used on pages that *had* Javascript, such
as our `/activate-account` route. It has been renamed to `no_ember` to
indicate what it really is, a layout for the site that doesn't load our
Ember.js application.
2015-01-15 15:56:53 -05:00
Sam e6dba8adc2 SECURITY: don't echo the "strategy" param returned by auto provider 2015-01-06 16:28:45 +11:00
Neil Lalonde 90771937f0 FIX: broken external auth 2014-10-03 16:15:00 -04:00
Neil Lalonde ebf46450bc Refactor omniauth_callbacks_controller for extensibility 2014-10-03 11:02:04 -04:00
Neil Lalonde ca5f361d0a FEATURE: restrict admin access based on IP address 2014-09-05 12:06:01 -04:00
Neil Lalonde 742841ddce Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:35:10 -04:00
Erik Ordway 1167b5c4b5 I can see this on git hub but it is being missing by the test 2014-02-11 17:25:54 -08:00
Sam 7ad00f426c FEATURE REMOVAL: persona login
see: https://meta.discourse.org/t/pulling-persona-out-of-discourse-core/12613
2014-02-11 16:56:48 +11:00
Neil Lalonde da825451d0 Invite link can't be used to log in after you set a password or sign in with 3rd party 2014-01-21 16:56:41 -05:00
Shiv Kumar 2f0e20bc11 add session to auth hash in oauth complete method 2013-11-19 09:58:12 -08:00
Régis Hanol b56b11d96a add qunit to autospec 2013-11-01 23:57:50 +01:00
Neil Lalonde b06f928568 Fix missing provider param message when using Persona 2013-09-23 09:46:25 -07:00
Emili Parreno ee96fabcba Allow CAS authentication 2013-08-28 14:34:51 +02:00
Sam 61281a3c81 invite only forums had very wonky logic, invited users were not being activated, invite_only forums were still registering users 2013-08-28 17:18:31 +10:00
Sam c4a0152dc6 recover from bad CSRF tokens without requiring a hard refresh of the browser 2013-08-27 15:56:12 +10:00
Sam 213ce33af2 Fixed all broken specs
Moved middleware config into authenticators
2013-08-26 12:59:17 +10:00
Sam b52aba15e0 major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-26 12:59:17 +10:00
Michael Kirk 9e8d8870f5 fixed: record Oauth2 user email 2013-08-19 11:21:27 -07:00
Michael Kirk 4af8a9102e Authenticate with Discourse via OAuth2
See https://github.com/michaelkirk/discourse_oauth2_example for an
example of how you might integrate your existing oauth2 provider's
authentication via a Discourse plugin.
2013-08-17 21:45:20 -07:00
Sam 803d023e23 Fixed GitHub auth, GitHub can provide us with a valid email - so automatically log in for those cases 2013-08-02 12:16:44 +10:00
Sam 160107a712 working plugin interface for custom openid auth, custom css and custom js 2013-08-01 16:02:43 +10:00
Sam aa6c92922d SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 15:13:13 +10:00
Sam c7697bbae2 remove duplicate code 2013-07-16 15:44:38 +10:00
Andreas Haller 661f2057f7 Improve the omniauth controller specs. Fix the email provided by CAS. Get name from CAS attributes.
* Make omniauth controller specs more robust by using shared examples for all authentication providers in controller spec. – Still passing. Yay!

* Return "casuser", instead of "casuser@" when no cas_domainname is configured.

* If no cas_domainname is configured, the CAS authentication would return "casuser@" for the users email field, because it tried to assume the email adress of the CAS user by it's username + cas_domainname.
  Now it just returns the username instead of adding an "@" if cas_domainname is not configured.
  This especially makes sense on CAS setups where the username equals the users email adress.
  The old behaviour, if cas_domainname is configured, was not changed.

* Fetch the email from CAS attributes if provided
  If the cas:authenticationSuccess (handled via omniauth-cas) response gives us an email use that.
  If not, behave as before (username or username@cas_domainname).

* Fetch the (full) name from CAS attributes if provided
  If the CAS response by omniauth provides a [:info][:name] field, prefer this over the uid, because we want the name to be a "Full Name", instead of just a "shortname"
2013-07-04 12:01:39 +02:00
Dmitriy Budnik 2722029d38 stylistic refactorings
w/ less syntactic sugar
2013-06-25 18:23:23 +03:00
Juan de Dios Herrero 96d23ddd8d Refactored user_name suggestion methods into a module to reduce the complexity of User model 2013-06-06 16:40:10 +02:00
Chris Hunt acf147ef88 Disable OmniAuth account creation if 'invite only' 2013-06-05 11:11:02 -07:00
Sam 5e305eaf0a missing skip filter for omniauth 2013-06-05 10:30:51 +10:00
Erik Ordway 364a59d344 remove hardcoded value and replace with SiteSetting.cas_domainname 2013-05-29 15:47:49 -07:00
Erik Ordway 1575ce7b10 add cas support with a few tests 2013-05-23 13:40:50 -07:00
Mark Rushakoff 56acb5fcce Don't call to_sym on param 2013-04-08 22:55:39 -07:00
Robin Ward 738789f336 Admins can't lock themselves out of a site by setting approval. 2013-04-03 12:23:28 -04:00
Karan Misra 5dfb04e4b3 Convert a lot of :a => b to a: b and bring peace to the world 2013-03-25 05:07:36 +05:30
Sarah Vessels 54c7b1ab63 Use consistent new-style hashes in render calls *twitch* 2013-03-22 14:08:11 -04:00
Régis Hanol 239cbd2d58 enforce coding convention
replaced every `and` by `&&` and every `or` by `||`
2013-03-05 01:42:44 +01:00
Robin Ward 51f6ae69c9 Check when logging in whether a auth provider is enabled, including specs 2013-03-04 13:44:41 -05:00
Dan Callahan 23d812a4ab Use AJAX for submitting Persona credentials.
Fixes issue with needing to unblock popups.
2013-03-01 14:00:56 -06:00
Dan Callahan ef8cf2f734 Add basic Persona functionality
1. No session integration yet, so automatic login/logout events are suppressed.

2. Popup blockers must be disabled: submits form to target="_blank"
2013-03-01 14:00:56 -06:00
nverba b45f872c04 Added Github authentication option, disabled by default with enable options in settings. 2013-02-26 05:00:21 +00:00
Neil Lalonde 3ca2d92b2f Fix the missing {{provider}} value message 2013-02-19 16:28:12 -05:00
Jesse Pollak ad5a5b4866 This commit adds a callback route to handle omniauth failure and removes a few unneccessary entries in en.yml 2013-02-14 18:08:40 -08:00
Robin Ward f00006ee7d Fix broken Yahoo! signup. 2013-02-13 12:37:48 -05:00
xdite 9189d937f7 move all logic to omniauth
implement omniauth-facebook / omniauth-twitter
2013-02-13 15:08:38 +08:00