Sam
0ab96a7691
FEATURE: add hidden setting for verbose auth token logging
...
This is only needed to debug auth token issues, will result in lots
of logging
2017-02-13 14:01:09 -05:00
Sam
ff49f72ad9
FEATURE: per client user tokens
...
Revamped system for managing authentication tokens.
- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes
New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.
Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
Sam
6ff309aa80
SECURITY: don't grant same privileges to user_api and api access
...
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
2016-12-16 12:05:43 +11:00
Sam
2ddabc3928
FIX: protect against future regressions of google omniauth
2016-11-07 12:48:00 +11:00
Régis Hanol
923db2e559
FIX: download avatar from facebook/twitter in a job in order to prevent hangs when avatars are huge
2016-10-24 17:15:13 +02:00
Régis Hanol
0862ad406d
FIX: pull twitter's avatar & profile when signing up
2016-10-17 15:43:40 +02:00
Sam
b246f1a694
FEATURE: set secure flag on _t cookie if https is forced
2016-10-17 12:11:49 +11:00
Sam
f4f5524190
FEATURE: user API now contains scopes so permission is granular
...
previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.
2016-10-14 16:05:42 +11:00
Régis Hanol
9dd1f7b5b6
pull avatar, bio & location from Twitter
2016-10-13 10:49:51 +02:00
Sam
aaec05e36a
FIX: stop asking for bio from facebook, it is deprecated
2016-10-11 10:56:07 +11:00
Rafael dos Santos Silva
5bdaaca848
Make it square!
2016-09-28 12:49:22 -03:00
Rafael dos Santos Silva
f5746f490f
Uses higher resolution pictures when importing avatars from Facebook
2016-09-28 01:38:41 -03:00
Jared Reisinger
2ae7c47a3c
Add support for email whitelist/blacklist to GitHub auth
...
If a site is configured for GitHub logins, _**and**_ has an email domain
whitelist, it's possible to get in a state where a new user is locked to
a non-whitelist email (their GitHub primary) even though they have an
alternate email that's on the whitelist. In all cases, the GitHub
primary email is attempted first so that previously existing behavior
will be the default.
- Add whitelist/blacklist support to GithubAuthenticator (via
EmailValidator)
- Add multiple email support GithubAuthenticator
- Add test specs for GithubAuthenticator
- Add authenticator-agnostic "none of your email addresses are allowed"
error message.
2016-09-22 11:31:10 -07:00
Sam
8dc4329094
FEATURE: optionally get extra profile info from facebook
...
This feature requires the application be approved by facebook, so it is
default off
2016-09-19 16:14:11 +10:00
Sam
5b3cd3fac9
FEATURE: Import facebook avatars when logging in via facebook
...
FIX: warning about popup dimensions when using facebook login
Rules are:
- On account creation we always import
- If you already have an avatar uploaded, nothing is changed
- If you have no avatar uploaded, we upload from facebook on login
- If you have no avatar uploaded, we select facebook unless gravatar already selected
This also fixes SSO issues where on account creation accounts had missing avatar uploads
2016-09-19 15:10:23 +10:00
Robin Ward
9609a47016
Ability to skip email validation via a plugin
2016-09-07 14:05:46 -04:00
Robin Ward
610dd933a3
FEATURE: Support importing email from Twitter
2016-09-06 12:18:13 -04:00
Sam
be0fd5b4cc
FEATURE: allow user api key revocation for read only keys
2016-09-02 17:04:00 +10:00
Sam
c4bf138d2c
FIX: incorrect error being raised
2016-08-26 10:39:13 +10:00
Sam
b09922b58a
we have to allow message bus for read clients
2016-08-19 15:22:52 +10:00
Sam
3ea68f8f6c
tweak headers so they can be consumed
2016-08-18 14:38:33 +10:00
Sam
416e7e0d1e
FEATURE: basic UI to view user api keys
2016-08-16 17:06:52 +10:00
Sam
fc095acaaa
Feature: User API key support (server side implementation)
...
- Supports throttled read and write
- No support for push yet, but data is captured about intent
2016-08-15 17:59:36 +10:00
Sam
5cc8bb535b
SECURITY: do cookie auth rate limiting earlier
2016-08-09 10:02:18 +10:00
Sam
16a383ea1e
SECURITY: limit bad cookie auth attempts
...
- Also cleans up the _t cookie if it is invalid
2016-07-28 12:58:49 +10:00
Sam
b5fbff947b
FIX: don't expire old sessions when logging in
2016-07-26 11:37:41 +10:00
Sam
c1f62d8657
Revert "make upgrade a bit more seamless"
...
This reverts commit 78b88a1633
.
2016-07-25 12:49:33 +10:00
Sam
78b88a1633
make upgrade a bit more seamless
2016-07-25 12:30:52 +10:00
Sam
df535c6346
FEATURE: refresh session cookie at most once an hour
...
This feature ensures session cookie lifespan is extended
when user is online.
Also decreases session timeout from 90 to 60 days.
Ensures all users (including logged on ones) get expiring sessions.
2016-07-25 12:07:31 +10:00
Arpit Jalan
a9207dafa7
FEATURE: configure session time via site setting for all the users ( #4343 )
2016-07-23 02:57:30 +05:30
Guo Xiang Tan
22ade1f811
FEATURE: Add event trigger when a user is logged out.
2016-07-04 17:20:30 +08:00
Sam
f88cf4e2f0
Merge pull request #4226 from xfalcox/non-persistent-session
...
FEATURE: add setting permanent_session_cookie to configure session st…
2016-06-29 16:47:31 +10:00
Régis Hanol
9704603fab
FEATURE: sendgrid webhooks
2016-06-01 21:48:06 +02:00
Sam
52c3b0b0ce
clear mini profiler cookie when admin logs off
2016-05-18 17:27:54 +10:00
Rafael dos Santos Silva
09ef5f613e
FEATURE: add setting permanent_session_cookie to configure session stickiness
...
Now admins can turn make the login cookie die after the browser is closed, so the user needs to log in everytime.
2016-05-17 01:12:09 -03:00
Arpit Jalan
74b3807f60
FEATURE: new bootstrap mode settings for brand new Discourse community ( #4193 )
...
* FEATURE: new bootstrap mode settings for brand new Discourse community
* new SiteSetting.set_and_log method
2016-04-26 13:08:19 -04:00
Mark Biegel
70b287a053
Update instagram_authenticator.rb
2016-02-26 11:37:48 +10:00
Ubuntu
5c603bf8ec
Added Instagram login method
2016-02-25 12:13:59 +10:00
Sam
0ef141b2c3
FIX: skip jwt encoding for auth
2016-02-05 08:48:16 +11:00
Robin Ward
0b4c9005f9
FIX: Don't include `name` in hash when names are disabled.
...
This could break some SSO implementations due to honeypot
not being triggered.
2015-10-29 12:19:45 -04:00
Robin Ward
7dbc2590a5
Support for auth plugins to freeze the username
2015-06-26 15:55:33 -04:00
Robin Ward
b4960d48b4
Better support for passing up errors when OmniAuth fails after auth
2015-06-24 12:12:43 -04:00
Sam
803feefd54
MessageBus handles readonly redis now, no need to wrap it
2015-05-04 12:21:00 +10:00
Robin Ward
5b3f99aa50
Don't blow up if Redis switches to READONLY
2015-04-24 14:37:16 -04:00
Neil Lalonde
7c14db44cc
UX: improve message when admin login is blocked because of admin ip address whitelisting
2015-03-02 12:13:22 -05:00
Sam
3483c8318f
FEATURE: logging out logs you out everywhere
...
can be disabled by changing the setting "log_out_strict" to false
2015-01-28 12:56:41 +11:00
Neil Lalonde
7412ff4da7
FIX: suspended users are logged out when they are suspended. Show a reason for suspension when they try to log in.
2015-01-19 12:37:02 -05:00
Greg Kempe
e979382ab4
Facebook auth without an email should allow user to enter email
...
In some cases Facebook doesn't send back a user's email. In this
case, allow the user to enter their email address.
See
https://meta.discourse.org/t/facebook-initial-login-create-account-dialog-leaves-email-field-blank/13815/15
2014-12-08 12:43:06 +02:00
Sam
a9cda0f947
FEATURE: allow restricting API keys to a particular range
2014-11-20 15:21:49 +11:00
Sam
aa9b3bb35a
FEATURE: allow long polling to go to a different url
...
Added the site setting long_polling_base_url , this allows you
to farm long polling to a different server.
This setting is very important if a CDN is serving dynamic content.
2014-10-24 13:38:38 +11:00