Commit Graph

142 Commits

Author SHA1 Message Date
Sam 272de95175 FIX: client duplicate registration should be cleaned up
If for any reason we are unable to correct client id on a user api key
invalidate old keys for client/user
2018-08-22 12:56:49 +10:00
Bianca Nenciu 860c1c3dcd FEATURE: Automatically expire keys if not used for a configurable amount of time. (#6264) 2018-08-20 17:36:14 +02:00
Gerhard Schlager 6ddf7fcd1f Fix warnings about already initialized constants 2018-08-09 17:29:02 +02:00
David Taylor 812add18bd REFACTOR: Serve auth provider information in the site serializer.
At the moment core providers are hard-coded in Javascript, and plugin providers get added to the JS payload at compile time. This refactor means that we only ship enabled providers to the client.
2018-08-06 09:25:48 +01:00
David Taylor 6566b2f11a FEATURE: Allow revoke and connect for Instagram logins 2018-07-30 14:38:53 +01:00
David Taylor 5f1fd0019b FEATURE: Allow revoke and connect for GitHub logins 2018-07-27 17:18:53 +01:00
David Taylor 6296f63804 FEATURE: Revoke and connect for Yahoo logins 2018-07-27 16:20:47 +01:00
David Taylor 9c72c00206 FEATURE: Revoke and reconnect for Twitter logins 2018-07-27 12:28:51 +01:00
David Taylor fa399ce1c5 FEATURE: Add revoke and reconnect functionality for google logins 2018-07-25 16:03:14 +01:00
David Taylor 776fd0de66 FIX: Filter open-id logins by identifier 2018-07-25 11:47:09 +01:00
David Taylor eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099)
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
David Taylor 2dc3a50dac FIX: Do not update `last seen` time for suspended users 2018-07-18 16:04:57 +01:00
Guo Xiang Tan ad5082d969 Make rubocop happy again. 2018-06-07 13:28:18 +08:00
Guo Xiang Tan 543b7cddfb FIX: Extra comma resulted in Github auth email result being an array.
https://meta.discourse.org/t/github-2fa-flow-broken/88674
2018-05-30 12:15:12 +08:00
OsamaSayegh f6d412465b FIX: apply automatic group rules when using social login providers 2018-05-23 02:26:07 +03:00
Régis Hanol 2cf6fb7359 FIX: always unstage users when they log in 2018-05-13 17:00:02 +02:00
Sam 3d6dc764be needed to remove legacy from a few more spots 2018-05-04 11:12:01 +10:00
Sam c7a0ced656 FIX: remove facebook_request_extra_profile_details
Since this no longer works
2018-04-26 14:14:35 +10:00
Vinoth Kannan c5d26992d4 Prefer to use primary email for new user creation over other available emails 2018-03-19 17:10:35 +05:30
Robin Ward c75fd34328 Allow Discourse installs to name the token cookie 2018-03-13 16:48:40 -04:00
Sam 0134e41286 FEATURE: detect when client thinks user is logged on but is not
This cleans up an error condition where UI thinks a user is logged on
but the user is not. If this happens user will be prompted to refresh.
2018-03-06 16:49:31 +11:00
Guo Xiang Tan fb75f188ba FEATURE: Disallow login via omniauth when user has 2FA enabled. 2018-03-01 15:47:07 +08:00
Guo Xiang Tan 24d0a7a4c7 Take 2 on f74d6bb605.
New options are left out by default when not configured so that an
incorrect default configuration doesn't blow up google oauth for
everyone.
2018-02-23 07:53:01 +08:00
Joffrey JAFFEUX 1c790ae6bc Revert "Add prompt and HD settings to the Google OAuth2 plugin."
This reverts commit f74d6bb605.
2018-02-22 19:17:02 +01:00
Geoffrey Challen f74d6bb605 Add prompt and HD settings to the Google OAuth2 plugin. 2018-02-22 12:29:19 +08:00
Sam a3c7ee09b6 FIX: ruby bench not working properly
- Remove thin which is no longer supported
- Bypass admin api rate limiting in profile environment
- Admin password was too short
- Run by default in concurrency 1 mode
- A skip bundle assets flag to speed up local testing
2018-02-19 11:37:16 +11:00
Robin Ward 569e57f0a9 FIX: Delete the invalid auth cookie even if you hit the rate limit 2018-02-09 19:09:54 -05:00
Robin Ward 8c04893a04 FIX: Don't throttle local lookups 2018-02-07 00:31:05 -05:00
Régis Hanol e2d82b882e FIX: redirect to original URL after social login 2018-01-26 18:52:27 +01:00
Sam 215c0d5569 FEATURE: allow system api to target users via external id or user id
usage ?api_key=XYZ&api_user_external_id=ABC
usage ?api_key=XYZ&api_user_id=123
2018-01-12 17:40:18 +11:00
Vinoth Kannan 988b13ac77 FIX: GitHub auth always asking to verify email for new users (#5487) 2018-01-12 15:17:29 +11:00
Michael Brown 105cf61ed9 Implements https://meta.discourse.org/t/issue-user-changed-google-account-and-cant-connect-thru-his-profile/35028/18?u=supermathie 2017-12-20 17:59:36 -05:00
Sam 67aecff59c FEATURE: store twitter supplied email for auditing 2017-12-14 15:54:32 +11:00
Guo Xiang Tan 6ade508f39 FIX: Prevent 'rack.input' missing error. 2017-12-12 16:40:35 +08:00
Sam 68d3c2c74f FEATURE: add global rate limiter for admin api 60 per minute
Also move configuration of admin and user api rate limiting into global
settings. This is not intended to be configurable per site
2017-12-11 11:07:22 +11:00
Robin Ward 16407dfc11 Add a `failed_code` we can check for when using Auth::Result 2017-11-09 10:49:42 -05:00
Arpit Jalan 804b4f32f8 better error message when API authentication fails 2017-10-20 20:05:34 +05:30
Neil Lalonde 2db66072d7 SECURITY: signup without verified email using Google auth 2017-10-16 13:51:41 -04:00
Guo Xiang Tan 77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Kyle Zhao 5868508e98 GH#retrieve_avatar: simplify conditional and restructured testing 2017-08-22 23:46:50 -04:00
Kyle Zhao 49f0119c12 FEATURE: import Github profile picture 2017-08-22 20:23:47 -04:00
Guo Xiang Tan 5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Blake Erickson fcfc895167 FIX: new sign-ups via google are added to groups
This fix ensures that users that are signing up via google oauth are
automatically added to any groups.

A similar fix will probably need to be added to other oauth providers.
2017-07-07 14:08:58 -06:00
Neil Lalonde 8fd915a11a Revert "FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out" 2017-06-21 16:18:24 -04:00
Neil Lalonde 1716747810 FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out 2017-06-20 13:30:36 -04:00
Sam 8d80a5d97e add some explicit scoping to help avoid erratic failure in test 2017-03-07 16:00:51 -05:00
Sam 99f4d5082b FIX: Improve token rotation and increase logging
- avoid access denied on bad cookie, instead just nuke it
- avoid marking a token unseen for first minute post rotation
- log path in user auth token logs
2017-03-07 13:27:43 -05:00
Guo Xiang Tan 3d347fb9c4 FIX: Don't mark user as `active` if verified email is different. 2017-03-02 14:24:30 +08:00
Sam 122fb8025d FIX: last seen date erroneously updated when browser in background
In some cases user may be "last seen" even though browser tab is in
the background or computer is locked
2017-02-28 12:35:10 -05:00
Sam ea1007e954 FEATURE: add support for same site cookies
Defaults to Lax, can be disabled or set to Strict.

Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00