Commit Graph

122 Commits

Author SHA1 Message Date
Sam Saffron
e073593c86 SECURITY: properly validate return URL for SSO
Previously carefully crafted URLs could redirect off site
2019-03-25 09:04:13 +11:00
Arpit Jalan
1ea0cbece8 FIX: skip adding sso diagnostics if sso object is nil 2018-12-19 20:55:35 +05:30
Maja Komel
2fcbbead45 FIX: move sso provider into its own class so it doesn't interfere with sso client (#6767) 2018-12-19 10:22:10 +01:00
David Taylor
f7ce607e5d FIX: Return 422 instead of 500 for invalid SSO signature (#6738) 2018-12-07 15:01:44 +00:00
Sam
64d9be726f the protection I placed was in the wrong path, moved to /session/sso
correct previous commit
2018-11-09 17:18:01 +11:00
Sam
3ae4fcd1f7 Improve redirect avoidance for /sso paths
e6b3310577 was missing an edge case
where return url included current_hostname
2018-11-09 17:03:58 +11:00
Sam
e6b3310577 FIX: never redirect back to /sso, it will cause a loop
If for any reason our return url is set to `/sso` bypass using it
for login redirect
2018-11-09 14:27:36 +11:00
Sam
aa044623bd FIX: do not create superfluous sessions when logged on
In some SSO implementations we may want to issue SSO pipelines for
already logged on users

In these cases do not re-log-in a user if they are clearly logged on
2018-11-01 12:54:01 +11:00
Maja Komel
27e732a58d FEATURE: allow multiple secrets for Discourse SSO provider
This splits off the logic between SSO keys used incoming vs outgoing; it allows far better restriction of who is allowed to log in using a site.

This allows for better auditing of the SSO provider feature
2018-10-15 16:03:53 +11:00
Vinoth Kannan
39b7e32848 DEV: Require sso and sig query string params for sso_login 2018-10-12 05:03:30 +05:30
Maja Komel
ec3e6a81a4 FEATURE: Second factor backup 2018-06-28 10:12:32 +02:00
Vinoth Kannan
d8e641cd98 FIX: avatar_url includes upload_path twice when local storage used 2018-06-06 18:27:30 +05:30
Régis Hanol
09cf35c760 FIX: redirect users after signing up using SSO provider 2018-05-12 00:41:27 +02:00
Régis Hanol
abda21a41f Revert "FIX: redirect to sso_destination_url after account activation"
This reverts commit 0402e97368.
2018-05-11 22:55:45 +02:00
Régis Hanol
0402e97368 FIX: redirect to sso_destination_url after account activation 2018-05-11 19:57:04 +02:00
Régis Hanol
2958e17cde remove duplicate code 2018-05-11 12:16:37 +02:00
Misaka 0x4e21
ff6be3c2e3 FEATURE: add profile_background fields into SSO (#5701)
Add profile_background and card_background fields into Discourse SSO.
2018-05-07 10:03:26 +02:00
Sam
5925a581db array is not supported here, use a simple comma delimited list 2018-04-10 14:37:10 +10:00
Guo Xiang Tan
21ae49ab92 Simplify log in for request specs. 2018-03-28 11:32:47 +08:00
Guo Xiang Tan
70be8124a3 SECURITY: Don't expose development route in production. 2018-03-28 11:32:47 +08:00
Guo Xiang Tan
b16471edfb FIX: Invalid token error incorrectly displayed on email login page. 2018-02-21 15:46:53 +08:00
Guo Xiang Tan
14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong
f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal explaining what 2fa is, with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
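The "blocking previous codes" behaviour described in the f4f8a293e7 message above, as an added Ruby example that is not Discourse's own code (Discourse relies on the rotp gem; this builds TOTP from OpenSSL directly so it runs stand-alone). It assumes the secret is handed over as raw key bytes, a 30-second step with 6 digits and one step of clock drift, and an in-memory `last_used_step` standing in for whatever a real deployment would persist next to the user's secret:

```ruby
require 'openssl'

# Added example, not Discourse's code. RFC 6238 TOTP verification plus the
# replay guard from the commit message: once a time step has produced an
# accepted code, that step and every earlier one are refused, so a captured
# code cannot be used a second time inside its 30-second window.
class SecondFactorVerifier
  STEP = 30    # seconds per TOTP step
  DIGITS = 6
  DRIFT = 1    # accept one step either side of the server clock

  # secret: raw key bytes (an enrollment flow would base32-decode the string
  # shown in the QR code). @last_used_step is assumed in-memory state here.
  def initialize(secret)
    @secret = secret
    @last_used_step = nil
  end

  # RFC 4226 HOTP for a single counter value (HMAC-SHA1 + dynamic truncation).
  def self.hotp(secret, counter, digits = DIGITS)
    msg = [counter].pack('Q>')                       # 8-byte big-endian counter
    hmac = OpenSSL::HMAC.digest('sha1', secret, msg) # 20 bytes
    offset = hmac.getbyte(19) & 0x0f
    code = ((hmac.getbyte(offset) & 0x7f) << 24) |
           (hmac.getbyte(offset + 1) << 16) |
           (hmac.getbyte(offset + 2) << 8) |
           hmac.getbyte(offset + 3)
    format("%0#{digits}d", code % (10**digits))
  end

  # TOTP is HOTP over the floor(unix_time / STEP) counter.
  def self.totp(secret, unix_time, digits = DIGITS)
    hotp(secret, unix_time.to_i / STEP, digits)
  end

  # Returns true and records the step on success. Steps at or before the last
  # accepted one are skipped even when the clock would still match them.
  def verify(token, now: Time.now.to_i)
    token = token.to_s.strip
    return false unless token.match?(/\A\d{#{DIGITS}}\z/)

    current = now.to_i / STEP
    (-DRIFT..DRIFT).each do |delta|
      step = current + delta
      next if @last_used_step && step <= @last_used_step
      if secure_compare(self.class.hotp(@secret, step), token)
        @last_used_step = step
        return true
      end
    end
    false
  end

  private

  # Constant-time comparison so a wrong code does not leak how many leading
  # digits were right through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With the RFC 6238 test secret `12345678901234567890`, `totp(secret, 59)` yields `287082`; submitting that code a second time a few seconds later is refused, while the code for the next step is still accepted. Persisting `last_used_step` per user (rather than per process) is what makes the guard hold across app servers.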
Guo Xiang Tan
96e5a7da46 Prefer success_Json over custom success JSON payload. 2018-02-15 07:47:35 +08:00
Erick Guan
03b3e57a44 FEATURE: login by a link from email
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Guo Xiang Tan
f7f743970b Just use space to prettify SSO verbose error logging. 2017-11-30 15:10:00 +08:00
Sam
4b42a0abc9 FIX: add error for suspended users attempting to login via sso 2017-11-14 16:52:00 +11:00
Rafael dos Santos Silva
5d5268a82b Feature: Group handling 2017-10-25 22:49:17 -02:00
Neil Lalonde
1faae3c765 rename forgot_password_strict to hide_email_address_taken 2017-10-03 15:28:31 -04:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Erick Guan
c7a101476e Spec for local auth check 2017-08-16 11:01:00 +02:00
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Guo Xiang Tan
ee449b0dd5 Improve SSO verbose log when user record is invalid. 2017-04-13 11:39:26 +08:00
Sam Saffron
0013a23dc1 SECURITY: prefer render plain/html to render text where possible 2017-04-10 08:01:42 -04:00
Guo Xiang Tan
5943543ec3 FIX: Improve checks for non-human users. 2017-04-06 11:29:34 +08:00
Sam
8e5e3b5af8 FIX: sso provider require return_sso_url 2017-03-22 09:08:38 -04:00
Robin Ward
874e8900af Display email address in SSO error message. 2017-03-21 15:37:46 -04:00
Robin Ward
aeaf5075bf Custom errors for when Email is invalid via SSO 2017-03-21 15:23:38 -04:00
Robin Ward
52d78294cc Render a layout when there's an SSO error 2017-03-21 15:23:38 -04:00
Guo Xiang Tan
9364d8ce71 FIX: Store user's id instead for sending activation email.
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
2017-03-13 20:24:55 +08:00
Guo Xiang Tan
7ebfa3c901 SECURITY: Only allow users to resend activation email with a valid session.
* Improve error when an active user tries to request for an activation email.
2017-03-13 19:35:29 +08:00
Arpit Jalan
cba51e1c38 FEATURE: new site setting for max logins per ip per hour/minute 2017-02-27 16:58:03 +05:30
Sam
dd383300b1 FEATURE: rate limit by login on password reset 2016-12-19 11:03:07 +11:00
Sam
61eb134181 FEATURE: setting to allow arbitrary redirects from sso origin
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
2016-12-16 13:37:44 +11:00
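The return-URL check that commits e073593c86, 3ae4fcd1f7, e6b3310577 and 61eb134181 above revolve around, as an added Ruby example that is not Discourse's own code. It assumes a `current_host` argument standing in for the forum's hostname, an `allow_all` flag standing in for the `sso_allows_all_return_paths` site setting, and the `/sso` and `/session/sso` paths named in the commit messages as the endpoints that must never become a login destination:

```ruby
require 'uri'

# Added example, not Discourse's code. Reduces an untrusted SSO return URL to
# a redirect target, covering the cases the commits fix: a crafted URL that
# leaves the site, a foreign host that merely contains our hostname, and the
# loop caused by sending a freshly logged-in user back into /sso.
module SsoReturnPath
  # Assumed loop endpoints, modelled on the routes named in the commits.
  LOOP_PATHS = ['/sso', '/session/sso'].freeze
  FALLBACK = '/'

  # return_url:   value taken from the SSO payload (untrusted)
  # current_host: this forum's hostname, e.g. "forum.example.com"
  # allow_all:    stands in for sso_allows_all_return_paths
  def self.safe_return_path(return_url, current_host, allow_all: false)
    return FALLBACK if return_url.nil? || return_url.strip.empty?
    raw = return_url.strip

    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      return FALLBACK # backslashes, spaces and similar tricks end up here
    end

    if uri.scheme.nil? && uri.host.nil?
      # Bare path: keep it (with its query string, per 0b334cdf74).
      path = uri.path.to_s
    elsif %w[http https].include?(uri.scheme.to_s.downcase) &&
          uri.host.to_s.downcase == current_host.downcase
      # Absolute URL to this host over http(s): keep only path and query.
      # Exact host equality (not include?) is what rejects
      # "forum.example.com.evil.com"; a nil scheme with a host rejects
      # protocol-relative "//evil.com".
      path = uri.path.to_s
    elsif allow_all
      return raw # operator explicitly opted in to off-site redirects
    else
      return FALLBACK
    end

    path = FALLBACK if path.empty?
    # "latest" or "../x" would resolve against the current page; only
    # absolute paths are accepted.
    return FALLBACK unless path.start_with?('/')
    # Never hand the user back to the SSO endpoint after login.
    return FALLBACK if LOOP_PATHS.any? { |p| path == p || path.start_with?("#{p}/") }

    uri.query ? "#{path}?#{uri.query}" : path
  end
end
```

The loop check runs even when `allow_all` is set, matching e6b3310577's "if for any reason our return url is set to /sso bypass using it"; the opt-in only relaxes the same-host rule. Note that `javascript:` and `data:` URLs carry a scheme but no http(s) host, so they fall through to the fallback rather than being treated as relative paths.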
Guo Xiang Tan
559918c6c6 PERF: Add endpoint to check if a group can be mentioned by user. 2016-11-26 02:20:46 +08:00
Sam
e6fcaadd45 FIX: redirects back to origin for SSO and omniauth login 2016-09-16 13:48:50 +10:00
Sam
0b334cdf74 FIX: stop removing query params from destination url in sso 2016-08-16 17:06:52 +10:00
Robin Ward
2f8ab8cd30 SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions 2016-07-28 11:38:12 -04:00
Peter Lejeck
e265b7b090 Log RecordInvalid when verbose_sso_logging enabled 2016-06-29 22:12:25 -07:00
Sam
852860de66 FEATURE: simpler and friendlier unsubscribe workflow
- All unsubscribes go to the exact same page
- You may unsubscribe from watching a category on that page
- You no longer need to be logged in to unsubscribe from a topic
- Simplified footer on emails
2016-06-17 11:28:49 +10:00