Commit Graph

79 Commits

Author SHA1 Message Date
Maja Komel ec3e6a81a4 FEATURE: Second factor backup 2018-06-28 10:12:32 +02:00
Régis Hanol 0402e97368 FIX: redirect to sso_destination_url after account activation 2018-05-11 19:57:04 +02:00
Guo Xiang Tan 70f14da732 UX: Use 'tel' input type for 2FA token inputs. 2018-02-27 09:30:44 +08:00
Guo Xiang Tan a9699da672 UX: Specify pattern and maxlength for 2FA input fields. 2018-02-26 18:29:46 +08:00
Guo Xiang Tan 1f74509a75 FIX: 2FA prompt incorrectly displayed on admin login page. 2018-02-23 11:05:39 +08:00
Guo Xiang Tan 964624f3ab FIX: No error displayed when 2FA token is invalid on admin login page. 2018-02-22 09:45:57 +08:00
Guo Xiang Tan edf326a9a5 Fix incorrect translation. 2018-02-22 08:06:37 +08:00
Jeff Wong f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Vinoth Kannan f08995c390 Remove unused code lines 2017-12-29 12:32:18 +05:30
Neil Lalonde 66e53f449a UX: Auth complete page/modal has a link to continue to the site to accomodate auth methods that can't automatically redirect to Discourse 2017-11-21 13:56:19 -05:00
Robin Ward cef64e8f03 UX: Use `no_ember` styling for omniauth error page 2017-11-15 14:04:26 -05:00
Neil Lalonde 7dc3671490 FEATURE: remove obsolete settings ga_tracking_code and ga_domain_name. Use ga_universal_tracking_code and ga_universal_domain_name instead. 2017-11-01 11:41:51 -04:00
Neil Lalonde bf00ab5d4a FIX: grant admin on subfolder 2017-10-27 16:46:02 -04:00
Neil Lalonde 0b41046238 don't force SiteSetting.title into meta title tag 2017-06-12 13:50:50 -04:00
Robin Ward b381372184 Use Ember.js for the `/u/account-created` path so we can add controls 2017-05-03 11:18:01 -04:00
Sam b43d2e42f4 missing spots 2017-04-17 12:30:20 -04:00
Robin Ward 17f2974d0a SECURITY: Confirm new administrator accounts via email 2017-04-04 15:59:01 -04:00
Robin Ward 45a257815a Convert front end paths from `/users/` to `/u/` 2017-03-30 10:23:24 -04:00
Neil Lalonde c4e10f2a9d FEATURE: redesign the change password page to use javascript and validations 2017-02-03 16:09:24 -05:00
Sam 0599bd0154 FEATURE: add referrer never tag to password reset page 2016-12-19 11:01:58 +11:00
Jeff Atwood 1386f9c8c9 make the activate account button a btn-primary 2016-07-14 03:40:55 -07:00
Robin Ward f7c303c82e FIX: If there's no `window.opener` use the localStorage method for login 2016-07-08 14:45:34 -04:00
Robin Ward eff2865278 FIX: Support create account on facebook browser 2016-06-10 11:12:46 -04:00
Robin Ward 171dbd4b09 Allow redirects on Facebook Browser 2016-06-09 15:51:46 -04:00
Robin Ward f6eb5e823b Temporarily remove FB browser redirect 2016-06-09 15:35:17 -04:00
Robin Ward ba5993ae79 FIX: Invalid escaping of URL 2016-06-09 15:10:21 -04:00
Robin Ward 4730c82b3a FIX: Detect `window.opener` 2016-06-09 14:51:38 -04:00
Robin Ward eee15dfe7f FIX: On facebook browser, don't close the window but redirect instead 2016-06-09 14:20:44 -04:00
Arpit Jalan cf97efb643 make the text field autofocus on admin-login page 2016-05-25 23:41:07 +05:30
Arpit Jalan 05164d4cae FEATURE: add Google Analytics code to more user pages 2016-04-02 01:29:08 +05:30
Robin Ward 5771d2aee2 SECURITY: Support for confirm old as well as new email accounts 2016-03-08 14:52:22 -05:00
Arpit Jalan 50e65634d7 FEATURE: new setting min_admin_password_length and better default 2016-03-02 14:43:26 +05:30
Neil Lalonde c7df6783a9 FIX: only invalidate password reset links using javascript 2016-01-04 11:48:54 -05:00
Neil Lalonde 2d7c3067ba FIX: automatic redirect after activating account on subfolder installs 2015-12-15 14:46:35 -05:00
Sam d6932e4ac4 add missing include 2015-11-25 22:47:50 +11:00
Régis Hanol 37c5909a31 FIX: use the first image in the first post in the topic as opengraph image
FEATURE: new 'default_opengraph_image_url' setting
2015-10-15 11:00:47 +02:00
Sam b6c2aa13e6 clean up implementation of non frame login / registration 2015-10-13 14:49:09 +11:00
Sam fab51496cb correct full screen login feature 2015-10-13 13:11:49 +11:00
Sam b3aebca406 FEATURE: allow auto provider to specify "full screen login"
this feature means we attempt to log in without opening a frame.
2015-10-13 12:23:34 +11:00
Sam 57e3323663 redirect back to base uri if there is no window opener. 2015-10-13 12:03:43 +11:00
Robin Ward b4960d48b4 Better support for passing up errors when OmniAuth fails after auth 2015-06-24 12:12:43 -04:00
Arpit Jalan f3687b6e56 UX: show caps lock warning on password reset page 2015-05-04 13:01:35 +05:30
Arpit Jalan 2932284293 FEATURE: magic login route for admin when SSO is enabled 2015-04-27 22:54:48 +05:30
Sam f5af4768eb FEATURE: add clean support for running Discourse in a subfolder
To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-09 13:14:29 +11:00
Sam 17927b2e8b FIX: don't use flash cause we are not redirecting
(we should probably change that though)
2015-02-20 10:28:58 +11:00
Robin Ward 987504c6ab Rename `no_js` layout to `no_ember`
While *sometimes* `no_js` was used for visitors without js (for example
disabling it on your browser) it was also used for some pages that were
disabled to JS capable browsers, including the 404 page.

Even worse, sometimes it was used on pages that *had* Javascript, such
as our `/activate-account` route. It has been renamed to `no_ember` to
indicate what it really is, a layout for the site that doesn't load our
Ember.js application.
2015-01-15 15:56:53 -05:00
Régis Hanol 07211489f0 FIX: hide restricted profile info from TL0 users to anonymous in 'JS-off' page 2014-11-27 19:51:13 +01:00
Jeff Atwood 8e38c129c5 minor login copy tweaks 2014-11-06 02:27:27 -08:00
Robin Ward c9eb809dad FIX: The text to users who signed up when approval was required was
misleading.
2014-11-04 15:48:03 -05:00
Neil Lalonde 4762b4ac24 FIX: on completion of external auth, window.close may fail because of iOS Safari bug. Prompt user to manually close the window. 2014-10-15 11:00:34 -04:00