f03b293e6a
FEATURE: Header based auth for API requests ( #7129 )
...
Now you can also make authenticated API requests by passing the
`api_key` and `api_username` in the HTTP header instead of query params.
The new header values are: `Api-key` and `Api-Username`.
Here is an example in cURL:
``` text
curl -i -sS -X POST "http://127.0.0.1:3000/categories " \
-H "Content-Type: multipart/form-data;" \
-H "Api-Key: 7aa202bec1ff70563bc0a3d102feac0a7dd2af96b5b772a9feaf27485f9d31a2" \
-H "Api-Username: system" \
-F "name=7c1c0ed93583cba7124b745d1bd56b32" \
-F "color=49d9e9" \
-F "text_color=f0fcfd"
```
There is also support for `Api-User-Id` and `Api-User-External-Id`
instead of specifying the username along with the key.
2019-03-08 09:13:31 -07:00
fc7938f7e0
REFACTOR: Migrate GoogleOAuth2Authenticator to use ManagedAuthenticator ( #7120 )
...
https://meta.discourse.org/t/future-social-authentication-improvements/94691/3
2019-03-07 11:31:04 +00:00
703c724cf3
REFACTOR: Migrate InstagramAuthenticator to use ManagedAuthenticator ( #7081 )
2019-03-04 14:54:28 +01:00
b907924c93
FIX: ManagedAuthenticator should automatically update last_used time
2019-02-27 15:29:26 +00:00
a09b20f934
FIX: Google `HD` and `Prompt` settings should be checked at runtime
...
Previously a server restart was required after settings changes, and it did not work in multisite environments
2019-01-31 10:05:25 +00:00
d32900292d
FIX: Don't update `User#last_seen_at` when PG is in readonly take 3.
2019-01-22 18:07:48 +08:00
3c6a8a2bb1
Partially revert 4466fcf1bc.
2019-01-21 15:41:01 +08:00
4466fcf1bc
FIX: Don't update `User#last_seen_at` when PG is readonly take 2.
2019-01-21 13:49:08 +08:00
c732ae9ca9
FIX: Don't update `User#last_seen_at` when PG is in readonly.
2019-01-21 13:29:29 +08:00
9db829134c
FIX: Use database to persist metadata during social registration ( #6750 )
...
Previously was using the cookie_store, which is limited to 4kb. This caused issues for providers sending large volumes of metadata about a user.
2018-12-10 15:10:06 +00:00
502a0fe778
FIX: support connecting GitHub with existing accounts
2018-12-10 09:27:00 +11:00
160d29b18a
REFACTOR: Migrate TwitterAuthenticator to use ManagedAuthenticator ( #6739 )
...
No changes to functionality. TwitterAuthenticator goes from 136 lines to 24, and all twitter-specific logic elsewhere has been deleted 🎉
2018-12-07 15:39:06 +00:00
86f8734bc0
FIX: Prioritize explicit 'connect' over matching by email
...
This is an edge case that was previously handled by TwitterAuthenticator, but not FacebookAuthenticator.
2018-12-07 15:05:51 +00:00
3cad3f9df1
DEV: Add profile fetching support to `ManagedAuthenticator`
2018-12-07 15:05:51 +00:00
e117deb2ba
FIX: Improve avatar loading, and add tests
...
Follow-up from 4e2cc9c
2018-12-04 15:09:32 +00:00
4e2cc9caf0
FIX: Use safe navigation operator when looking for avatar URL
2018-12-03 17:28:21 +00:00
9125b5fbc4
DEV: Reformat single line method definition
...
Following comments on 71aaed272c
2018-12-03 15:03:00 +00:00
71aaed272c
DEV: Correct auth_provider deprecation warning
2018-11-30 22:22:26 +00:00
4e010382cc
REFACTOR: Initialize auth providers after `plugin.activate!`
...
Also added some helpful functionality for plugin developers:
- Raises RuntimeException if the auth provider has been registered too late
- Logs use of deprecated parameters
2018-11-30 16:58:18 +00:00
208005f9c9
REFACTOR: Migrate FacebookAuthenticator to use ManagedAuthenticator
...
Changes to functionality
- Removed syncing of user metadata including gender, location etc.
These are no longer available to standard Facebook applications.
- Removed the remote 'revoke' functionality. No other providers have
it, and it does not appear to be standard practice in other apps.
- The 'facebook_no_email' event is no longer logged. The system can
cope fine with a missing email address.
Data is migrated to the new user_associated_accounts table.
facebook_user_infos can be dropped once we are confident the data has
been migrated successfully.
2018-11-30 11:18:11 +00:00
534e1b1b18
DEV: Introduce Auth::ManagedAuthenticator
...
A generic implementation of Auth::Authenticator which stores data in the
new UserAssociatedAccount model. This should help significantly reduce the duplicated
logic across different auth providers.
2018-11-30 11:18:11 +00:00
f645cb9c14
FEATURE: Use translated name for 'your email has been authenticated by' ( #6649 )
2018-11-22 19:12:04 +00:00
182b34243d
FIX: opts is a hash in 'log_on_user'
...
cc @nbianca
2018-11-12 16:00:12 +01:00
5af9a69a3b
FIX: Do not check for suspicious login when impersonating. ( #6534 )
...
* FIX: Do not check for suspicious login when impersonating.
* DEV: Add 'impersonate' parameter to log_on_user.
2018-11-12 15:34:12 +01:00
5fc09a6467
DEV: Fix build.
2018-11-05 14:16:03 +02:00
a84b6b6b0c
SECURITY: Add CSRF protections to OpenID callback
2018-11-05 11:16:57 +00:00
d17c8df926
Only check for suspicious login for staff members
2018-10-26 00:29:28 +02:00
56e0f47bcd
FIX: Do not update `last_seen` for API access
...
This regressed in 2dc3a50
2018-10-25 13:38:57 +01:00
45f01e637b
FIX: when associating Github account disassociate others
...
There are some cases where an email floats from one GitHub account to another
if this happens just take over the Github mapping record
2018-10-10 15:46:50 +11:00
d8b543bb67
FIX: redirect to original URL after social signup
2018-09-05 01:44:23 +05:30
d1af89e3b3
DEV: Extract global admin api rate limiting into a dedicated method.
...
* We have a use case for overriding the rate limiting logic in a
plugin.
2018-09-04 16:37:54 +08:00
3b337bfc6b
Revert "FIX: Don't rate limit admin and staff constraints when matching routes."
...
This reverts commit 651b50b1a1
2018-09-04 14:27:21 +08:00
651b50b1a1
FIX: Don't rate limit admin and staff constraints when matching routes.
...
* When an error is raised when checking route constraints, we
can only return true/false which either lets the request
through or return a 404 error. Therefore, we just skip
rate limiting here and let the controller handle the
rate limiting.
2018-09-04 13:52:58 +08:00
272de95175
FIX: client duplicate registration should be cleaned up
...
If for any reason we are unable to correct client id on a user api key
invalidate old keys for client/user
2018-08-22 12:56:49 +10:00
860c1c3dcd
FEATURE: Automatically expire keys if not used for a configurable amount of time. ( #6264 )
2018-08-20 17:36:14 +02:00
6ddf7fcd1f
Fix warnings about already initialized constants
2018-08-09 17:29:02 +02:00
812add18bd
REFACTOR: Serve auth provider information in the site serializer.
...
At the moment core providers are hard-coded in Javascript, and plugin providers get added to the JS payload at compile time. This refactor means that we only ship enabled providers to the client.
2018-08-06 09:25:48 +01:00
6566b2f11a
FEATURE: Allow revoke and connect for Instagram logins
2018-07-30 14:38:53 +01:00
5f1fd0019b
FEATURE: Allow revoke and connect for GitHub logins
2018-07-27 17:18:53 +01:00
6296f63804
FEATURE: Revoke and connect for Yahoo logins
2018-07-27 16:20:47 +01:00
9c72c00206
FEATURE: Revoke and reconnect for Twitter logins
2018-07-27 12:28:51 +01:00
fa399ce1c5
FEATURE: Add revoke and reconnect functionality for google logins
2018-07-25 16:03:14 +01:00
776fd0de66
FIX: Filter open-id logins by identifier
2018-07-25 11:47:09 +01:00
eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 ( #6099 )
...
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
2dc3a50dac
FIX: Do not update `last seen` time for suspended users
2018-07-18 16:04:57 +01:00
ad5082d969
Make rubocop happy again.
2018-06-07 13:28:18 +08:00
543b7cddfb
FIX: Extra comma resulted in Github auth email result being an array.
...
https://meta.discourse.org/t/github-2fa-flow-broken/88674
2018-05-30 12:15:12 +08:00
f6d412465b
FIX: apply automatic group rules when using social login providers
2018-05-23 02:26:07 +03:00
2cf6fb7359
FIX: always unstage users when they log in
2018-05-13 17:00:02 +02:00
3d6dc764be
needed to remove legacy from a few more spots
2018-05-04 11:12:01 +10:00
Blake Erickson
David Taylor
Joffrey JAFFEUX
Guo Xiang Tan
Sam
Régis Hanol
Bianca Nenciu
Bianca Nenciu
Vinoth Kannan
Gerhard Schlager
OsamaSayegh