David Taylor
3b8c468832
SECURITY: Require POST with CSRF token for OmniAuth request phase
2019-08-08 11:58:00 +01:00
David Taylor
0a6cae654b
SECURITY: Add confirmation screen when connecting associated accounts
2019-07-24 10:28:15 +01:00
David Taylor
2063d20e9a
Revert "DEV: Let OmniAuth strategies return auth result. ( #7833 )"
This reverts commit dc5eb76551.
It is better to keep any custom redirect logic within omniauth, without relying on the app
2019-07-04 10:06:18 +01:00
Dan Ungureanu
dc5eb76551
DEV: Let OmniAuth strategies return auth result. ( #7833 )
2019-07-01 13:13:11 -03:00
Dan Ungureanu
ee8669d778
FIX: Ensure :after_auth event is triggered. ( #7791 )
2019-06-21 21:57:49 +03:00
Dan Ungureanu
a046f6ced5
FEATURE: Trigger Discourse events from authenticators. ( #7724 )
2019-06-11 11:28:42 +10:00
David Taylor
1299c94a52
FIX: Make serverside and clientside omniauth origin redirects consistent
Previously external domains were allowed in the client-side redirects, but not the server-side redirects. Now the behavior is to only allow local origins.
2019-05-15 12:40:51 +01:00
Sam Saffron
30990006a9
DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.
Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Leo McArdle
b084750953
FIX: don't redirect incorrectly after full screen login ( #7170 )
Fixes two issues:
1. Redirecting to an external origin's path after login did not work
2. User would be erroneously redirected to the external origin after logout
https://meta.discourse.org/t/109755
2019-03-19 12:39:13 +00:00
David Taylor
0f734e2ae2
FIX: Return authenticated=true when reconnecting
This prevents a registration popup on the client
2018-12-11 17:40:02 +00:00
David Taylor
c7c56af397
FEATURE: Allow connecting associated accounts when two-factor is enabled ( #6754 )
Previously the 'reconnect' process was a bit magic - IF you were already logged into discourse, and followed the auth flow, your account would be reconnected and you would be 'logged in again'.
Now, we explicitly check for a reconnect=true parameter when the flow is started, store it in the session, and then only follow the reconnect logic if that variable is present. Setting this parameter also skips the 'logged in again' step, which means reconnect now works with 2fa enabled.
2018-12-11 13:19:00 +00:00
Vinoth Kannan
92bf3c667e
FIX: Flash authentication data not rendered in latest iOS safari browser
2018-10-30 04:00:36 +05:30
Vinoth Kannan
ca74246651
FIX: redirect users to SSO client URL after social login
2018-10-05 00:01:08 +05:30
Régis Hanol
de92913bf4
FIX: store the topic links using the cooked upload url
2018-08-14 12:23:32 +02:00
David Taylor
812add18bd
REFACTOR: Serve auth provider information in the site serializer.
At the moment core providers are hard-coded in Javascript, and plugin providers get added to the JS payload at compile time. This refactor means that we only ship enabled providers to the client.
2018-08-06 09:25:48 +01:00
David Taylor
eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 ( #6099 )
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
Vinoth Kannan
06deffc9da
FIX: returns provider_not_enabled error even if enabled
2018-07-13 22:49:30 +05:30
David Taylor
9a813210b9
SECURITY: Do not allow authentication with disabled plugin-supplied a… ( #6071 )
Do not allow authentication with disabled plugin-supplied auth providers
2018-07-09 14:25:58 +10:00
Guo Xiang Tan
21e9315416
FIX: Use user account email instead of auth email when totp is enabled.
https://meta.discourse.org/t/github-2fa-flow-broken/88674
2018-05-30 12:15:12 +08:00
Régis Hanol
2cf6fb7359
FIX: always unstage users when they log in
2018-05-13 17:00:02 +02:00
Guo Xiang Tan
142571bba0
Remove use of `rescue nil`.
* `rescue nil` is a really bad pattern to use in our code base.
We should rescue errors that we expect the code to throw and
not rescue everything because we're unsure of what errors the
code would throw. This would reduce the amount of pain we face
when debugging why something isn't working as expected. I've
been bitten countless times by errors being swallowed as a
result during debugging sessions.
2018-04-02 13:52:51 +08:00
Guo Xiang Tan
fb75f188ba
FEATURE: Disallow login via omniauth when user has 2FA enabled.
2018-03-01 15:47:07 +08:00
Guo Xiang Tan
5a462b930d
REFACTOR: Prefer `exists?` over `present`.
2018-03-01 10:22:41 +08:00
Régis Hanol
e2d82b882e
FIX: redirect to original URL after social login
2018-01-26 18:52:27 +01:00
Arpit Jalan
492af81e67
FIX: save registration_ip_address for staged users logging in via social auth
2017-12-12 17:41:16 +05:30
Robin Ward
cef64e8f03
UX: Use `no_ember` styling for omniauth error page
2017-11-15 14:04:26 -05:00
Guo Xiang Tan
77d4c4d8dc
Fix all the errors to get our tests green on Rails 5.1.
2017-09-25 13:48:58 +08:00
Arpit Jalan
4e49b3b140
FIX: do not create new email token if there already exists a confirmed one
2017-09-14 10:52:29 +05:30
Leo McArdle
104d97695d
FIX: don't activate un-confirmed email on omniauth authentication ( #5176 )
2017-09-12 17:36:17 +02:00
Guo Xiang Tan
5012d46cbd
Add rubocop to our build. ( #5004 )
2017-07-28 10:20:09 +09:00
Régis Hanol
038454bde2
FIX: always confirm emails when SSO says so
2017-06-08 01:05:33 +02:00
Robin Ward
ca965f83c3
Revert "FIX: If login is required, redirect to the `/login` route instead of root"
This reverts commit 8a8dec550b.
2017-05-25 14:04:28 -04:00
Robin Ward
8a8dec550b
FIX: If login is required, redirect to the `/login` route instead of root
2017-05-25 13:35:15 -04:00
Robin Ward
777f1f0f47
FIX: Return a 404 if the auth session is not present
2017-05-04 15:35:24 -04:00
Arpit Jalan
7fb17b83c4
FIX: confirm email token for user created via social login
2017-04-13 14:15:32 +05:30
Guo Xiang Tan
3d347fb9c4
FIX: Don't mark user as `active` if verified email is different.
2017-03-02 14:24:30 +08:00
Sam
e6fcaadd45
FIX: redirects back to origin for SSO and omniauth login
2016-09-16 13:48:50 +10:00
Sam
0303080586
we do not define auth providers for builtins
2016-08-29 11:12:24 +10:00
Sam
22b8c0d44e
FIX: fullscreen login set from client needs to be respected
2016-08-29 10:13:51 +10:00
Régis Hanol
841f36b058
FIX: automatically unstage user when signing in using OAuth
2016-04-04 19:04:10 +02:00
Ubuntu
5c603bf8ec
Added Instagram login method
2016-02-25 12:13:59 +10:00
Robin Ward
a9823ab59a
FIX: Use a cookie to bypass the anon cache
2015-10-28 17:16:56 -04:00
Sam
b6c2aa13e6
clean up implementation of non frame login / registration
2015-10-13 14:49:09 +11:00
Sam
b3aebca406
FEATURE: allow auto provider to specify "full screen login"
this feature means we attempt to log in without opening a frame.
2015-10-13 12:23:34 +11:00
Robin Ward
b4960d48b4
Better support for passing up errors when OmniAuth fails after auth
2015-06-24 12:12:43 -04:00
Neil Lalonde
eaa1afeaf5
remove Google OpenID auth, since Google doesn't support it anymore
2015-05-25 15:13:44 -04:00
Neil Lalonde
7c14db44cc
UX: improve message when admin login is blocked because of admin ip address whitelisting
2015-03-02 12:13:22 -05:00
Robin Ward
987504c6ab
Rename `no_js` layout to `no_ember`
While *sometimes* `no_js` was used for visitors without js (for example
disabling it on your browser) it was also used for some pages that were
disabled to JS capable browsers, including the 404 page.
Even worse, sometimes it was used on pages that *had* Javascript, such
as our `/activate-account` route. It has been renamed to `no_ember` to
indicate what it really is, a layout for the site that doesn't load our
Ember.js application.
2015-01-15 15:56:53 -05:00
Sam
e6dba8adc2
SECURITY: don't echo the "strategy" param returned by auto provider
2015-01-06 16:28:45 +11:00
Neil Lalonde
90771937f0
FIX: broken external auth
2014-10-03 16:15:00 -04:00
Neil Lalonde
ebf46450bc
Refactor omniauth_callbacks_controller for extensibility
2014-10-03 11:02:04 -04:00
Neil Lalonde
ca5f361d0a
FEATURE: restrict admin access based on IP address
2014-09-05 12:06:01 -04:00
Neil Lalonde
742841ddce
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites.
2014-05-21 18:35:10 -04:00
Erik Ordway
1167b5c4b5
I can see this on GitHub but it is being missed by the test
2014-02-11 17:25:54 -08:00
Sam
7ad00f426c
FEATURE REMOVAL: persona login
see: https://meta.discourse.org/t/pulling-persona-out-of-discourse-core/12613
2014-02-11 16:56:48 +11:00
Neil Lalonde
da825451d0
Invite link can't be used to log in after you set a password or sign in with 3rd party
2014-01-21 16:56:41 -05:00
Shiv Kumar
2f0e20bc11
add session to auth hash in oauth complete method
2013-11-19 09:58:12 -08:00
Régis Hanol
b56b11d96a
add qunit to autospec
2013-11-01 23:57:50 +01:00
Neil Lalonde
b06f928568
Fix missing provider param message when using Persona
2013-09-23 09:46:25 -07:00
Emili Parreno
ee96fabcba
Allow CAS authentication
2013-08-28 14:34:51 +02:00
Sam
61281a3c81
invite only forums had very wonky logic, invited users were not being activated, invite_only forums were still registering users
2013-08-28 17:18:31 +10:00
Sam
c4a0152dc6
recover from bad CSRF tokens without requiring a hard refresh of the browser
2013-08-27 15:56:12 +10:00
Sam
213ce33af2
Fixed all broken specs
Moved middleware config into authenticators
2013-08-26 12:59:17 +10:00
Sam
b52aba15e0
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibility
2013-08-26 12:59:17 +10:00
Michael Kirk
9e8d8870f5
fixed: record Oauth2 user email
2013-08-19 11:21:27 -07:00
Michael Kirk
4af8a9102e
Authenticate with Discourse via OAuth2
See https://github.com/michaelkirk/discourse_oauth2_example for an
example of how you might integrate your existing oauth2 provider's
authentication via a Discourse plugin.
2013-08-17 21:45:20 -07:00
Sam
803d023e23
Fixed GitHub auth, GitHub can provide us with a valid email - so automatically log in for those cases
2013-08-02 12:16:44 +10:00
Sam
160107a712
working plugin interface for custom openid auth, custom css and custom js
2013-08-01 16:02:43 +10:00
Sam
aa6c92922d
SECURITY: correct our CSRF implementation to be much more aggressive
2013-07-29 15:13:13 +10:00
Sam
c7697bbae2
remove duplicate code
2013-07-16 15:44:38 +10:00
Andreas Haller
661f2057f7
Improve the omniauth controller specs. Fix the email provided by CAS. Get name from CAS attributes.
* Make omniauth controller specs more robust by using shared examples for all authentication providers in controller spec. – Still passing. Yay!
* Return "casuser", instead of "casuser@" when no cas_domainname is configured.
* If no cas_domainname is configured, the CAS authentication would return "casuser@" for the user's email field, because it tried to assume the email address of the CAS user by its username + cas_domainname.
Now it just returns the username instead of adding an "@" if cas_domainname is not configured.
This especially makes sense on CAS setups where the username equals the user's email address.
The old behaviour, if cas_domainname is configured, was not changed.
* Fetch the email from CAS attributes if provided
If the cas:authenticationSuccess (handled via omniauth-cas) response gives us an email, use that.
If not, behave as before (username or username@cas_domainname).
* Fetch the (full) name from CAS attributes if provided
If the CAS response by omniauth provides a [:info][:name] field, prefer this over the uid, because we want the name to be a "Full Name", instead of just a "shortname"
2013-07-04 12:01:39 +02:00
Dmitriy Budnik
2722029d38
stylistic refactorings
w/ less syntactic sugar
2013-06-25 18:23:23 +03:00
Juan de Dios Herrero
96d23ddd8d
Refactored user_name suggestion methods into a module to reduce the complexity of User model
2013-06-06 16:40:10 +02:00
Chris Hunt
acf147ef88
Disable OmniAuth account creation if 'invite only'
2013-06-05 11:11:02 -07:00
Sam
5e305eaf0a
missing skip filter for omniauth
2013-06-05 10:30:51 +10:00
Erik Ordway
364a59d344
remove hardcoded value and replace with SiteSetting.cas_domainname
2013-05-29 15:47:49 -07:00
Erik Ordway
1575ce7b10
add cas support with a few tests
2013-05-23 13:40:50 -07:00
Mark Rushakoff
56acb5fcce
Don't call to_sym on param
2013-04-08 22:55:39 -07:00
Robin Ward
738789f336
Admins can't lock themselves out of a site by setting approval.
2013-04-03 12:23:28 -04:00
Karan Misra
5dfb04e4b3
Convert a lot of :a => b to a: b and bring peace to the world
2013-03-25 05:07:36 +05:30
Sarah Vessels
54c7b1ab63
Use consistent new-style hashes in render calls *twitch*
2013-03-22 14:08:11 -04:00
Régis Hanol
239cbd2d58
enforce coding convention
replaced every `and` by `&&` and every `or` by `||`
2013-03-05 01:42:44 +01:00
Robin Ward
51f6ae69c9
Check when logging in whether a auth provider is enabled, including specs
2013-03-04 13:44:41 -05:00
Dan Callahan
23d812a4ab
Use AJAX for submitting Persona credentials.
Fixes issue with needing to unblock popups.
2013-03-01 14:00:56 -06:00
Dan Callahan
ef8cf2f734
Add basic Persona functionality
1. No session integration yet, so automatic login/logout events are suppressed.
2. Popup blockers must be disabled: submits form to target="_blank"
2013-03-01 14:00:56 -06:00
nverba
b45f872c04
Added Github authentication option, disabled by default with enable options in settings.
2013-02-26 05:00:21 +00:00
Neil Lalonde
3ca2d92b2f
Fix the missing {{provider}} value message
2013-02-19 16:28:12 -05:00
Jesse Pollak
ad5a5b4866
This commit adds a callback route to handle omniauth failure and removes a few unnecessary entries in en.yml
2013-02-14 18:08:40 -08:00
Robin Ward
f00006ee7d
Fix broken Yahoo! signup.
2013-02-13 12:37:48 -05:00
xdite
9189d937f7
move all logic to omniauth
implement omniauth-facebook / omniauth-twitter
2013-02-13 15:08:38 +08:00