Sam Saffron
e073593c86
SECURITY: properly validate return URL for SSO
...
Previously carefully crafted URLs could redirect off site
2019-03-25 09:04:13 +11:00
Arpit Jalan
1ea0cbece8
FIX: skip adding sso diagnostics if sso object is nil
2018-12-19 20:55:35 +05:30
Maja Komel
2fcbbead45
FIX: move sso provider into its own class so it doesn't interfere with sso client ( #6767 )
2018-12-19 10:22:10 +01:00
David Taylor
f7ce607e5d
FIX: Return 422 instead of 500 for invalid SSO signature ( #6738 )
2018-12-07 15:01:44 +00:00
Sam
64d9be726f
the protection I placed was in the wrong path moved to /session/sso
...
correct previous commit
2018-11-09 17:18:01 +11:00
Sam
3ae4fcd1f7
Improve redirect avoidance for /sso paths
...
e6b3310577
was missing an ege case
where return url included current_hostname
2018-11-09 17:03:58 +11:00
Sam
e6b3310577
FIX: never redirect back to /sso
it will cause a loop
...
If for any reason our return url is set to `/sso` bypass using it
for login redirect
2018-11-09 14:27:36 +11:00
Sam
aa044623bd
FIX: do not create superflous sessions when logged on
...
In some SSO implementations we may want to issue SSO pipelines for
already logged on users
In these cases do not re-log-in a user if they are clearly logged on
2018-11-01 12:54:01 +11:00
Maja Komel
27e732a58d
FEATURE: allow multiple secrets for Discourse SSO provider
...
This splits off the logic between SSO keys used incoming vs outgoing, it allows to far better restrict who is allowed to log in using a site.
This allows for better auditing of the SSO provider feature
2018-10-15 16:03:53 +11:00
Vinoth Kannan
39b7e32848
DEV: Require sso and sig query string params for sso_login
2018-10-12 05:03:30 +05:30
Maja Komel
ec3e6a81a4
FEATURE: Second factor backup
2018-06-28 10:12:32 +02:00
Vinoth Kannan
d8e641cd98
FIX: avatar_url includes upload_path twice when local storage used
2018-06-06 18:27:30 +05:30
Régis Hanol
09cf35c760
FIX: redirect users after signing up using SSO provider
2018-05-12 00:41:27 +02:00
Régis Hanol
abda21a41f
Revert "FIX: redirect to sso_destination_url after account activation"
...
This reverts commit 0402e97368
.
2018-05-11 22:55:45 +02:00
Régis Hanol
0402e97368
FIX: redirect to sso_destination_url after account activation
2018-05-11 19:57:04 +02:00
Régis Hanol
2958e17cde
remove duplicate code
2018-05-11 12:16:37 +02:00
Misaka 0x4e21
ff6be3c2e3
FEATURE: add profile_background fields into SSO ( #5701 )
...
Add profile_background and card_background fields into Discourse SSO.
2018-05-07 10:03:26 +02:00
Sam
5925a581db
array is not supported here, use a simple comma delimited list
2018-04-10 14:37:10 +10:00
Guo Xiang Tan
21ae49ab92
Simplify log in for request specs.
2018-03-28 11:32:47 +08:00
Guo Xiang Tan
70be8124a3
SECURITY: Don't expose development route in production.
2018-03-28 11:32:47 +08:00
Guo Xiang Tan
b16471edfb
FIX: Invalid token error incorrectly displayed on email login page.
2018-02-21 15:46:53 +08:00
Guo Xiang Tan
14f3594f9f
Review Changes for f4f8a293e7
.
2018-02-21 14:55:49 +08:00
Jeff Wong
f4f8a293e7
FEATURE: Implement 2factor login TOTP
...
implemented review items.
Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator
add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests
add qunit tests - password reset, preferences
fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.
Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP
add two factor to email signin link
rate limit if second factor token present
add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Guo Xiang Tan
96e5a7da46
Prefer success_Json
over custom success JSON payload.
2018-02-15 07:47:35 +08:00
Erick Guan
03b3e57a44
FEATURE: login by a link from email
...
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Guo Xiang Tan
f7f743970b
Just use space to prettify SSO verbose error logging.
2017-11-30 15:10:00 +08:00
Sam
4b42a0abc9
FIX: add error for suspended users attempting to login via sso
2017-11-14 16:52:00 +11:00
Rafael dos Santos Silva
5d5268a82b
Feature: Group handling
2017-10-25 22:49:17 -02:00
Neil Lalonde
1faae3c765
rename forgot_password_strict to hide_email_address_taken
2017-10-03 15:28:31 -04:00
Guo Xiang Tan
77d4c4d8dc
Fix all the errors to get our tests green on Rails 5.1.
2017-09-25 13:48:58 +08:00
Erick Guan
c7a101476e
Spec for local auth check
2017-08-16 11:01:00 +02:00
Guo Xiang Tan
5012d46cbd
Add rubocop to our build. ( #5004 )
2017-07-28 10:20:09 +09:00
Guo Xiang Tan
ee449b0dd5
Improve SSO verbose log when user record is invalid.
2017-04-13 11:39:26 +08:00
Sam Saffron
0013a23dc1
SECURITY: prefer render plain/html to render text where possible
2017-04-10 08:01:42 -04:00
Guo Xiang Tan
5943543ec3
FIX: Improve checks for non-human users.
2017-04-06 11:29:34 +08:00
Sam
8e5e3b5af8
FIX: sso provider require return_sso_url
2017-03-22 09:08:38 -04:00
Robin Ward
874e8900af
Display email address in SSO error message.
2017-03-21 15:37:46 -04:00
Robin Ward
aeaf5075bf
Custom errors for when Email is invalid via SSO
2017-03-21 15:23:38 -04:00
Robin Ward
52d78294cc
Render a layout when there's an SSO error
2017-03-21 15:23:38 -04:00
Guo Xiang Tan
9364d8ce71
FIX: Store user's id instead for sending activation email.
...
* Email and username are both allowed to be used for logging in.
Therefore, it is easier to just store the user's id rather than
to store the username and email in the session.
2017-03-13 20:24:55 +08:00
Guo Xiang Tan
7ebfa3c901
SECURITY: Only allow users to resend activation email with a valid session.
...
* Improve error when an active user tries to request for an activation email.
2017-03-13 19:35:29 +08:00
Arpit Jalan
cba51e1c38
FEATURE: new site setting for max logins per ip per hour/minute
2017-02-27 16:58:03 +05:30
Sam
dd383300b1
FEATURE: rate limit by login on password reset
2016-12-19 11:03:07 +11:00
Sam
61eb134181
FEATURE: setting to allow arbitrary redirects from sso origin
...
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
2016-12-16 13:37:44 +11:00
Guo Xiang Tan
559918c6c6
PERF: Add endpoint to check if a group can be mentioned by user.
2016-11-26 02:20:46 +08:00
Sam
e6fcaadd45
FIX: redirects back to origin for SSO and omniauth login
2016-09-16 13:48:50 +10:00
Sam
0b334cdf74
FIX: stop removing query params from destination url in sso
2016-08-16 17:06:52 +10:00
Robin Ward
2f8ab8cd30
SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions
2016-07-28 11:38:12 -04:00
Peter Lejeck
e265b7b090
Log RecordInvalid when verbose_sso_logging enabled
2016-06-29 22:12:25 -07:00
Sam
852860de66
FEATURE: simpler and friendlier unsubscribe workflow
...
- All unsubscribes go to the exact same page
- You may unsubscribe from watching a category on that page
- You no longer need to be logged in to unsubscribe from a topic
- Simplified footer on emails
2016-06-17 11:28:49 +10:00