David Taylor
2dc3a50dac
FIX: Do not update last seen
time for suspended users
2018-07-18 16:04:57 +01:00
Régis Hanol
2cf6fb7359
FIX: always unstage users when they log in
2018-05-13 17:00:02 +02:00
Sam
3d6dc764be
needed to remove legacy from a few more spots
2018-05-04 11:12:01 +10:00
Robin Ward
c75fd34328
Allow Discourse installs to name the token cookie
2018-03-13 16:48:40 -04:00
Sam
0134e41286
FEATURE: detect when client thinks user is logged on but is not
...
This cleans up an error condition where UI thinks a user is logged on
but the user is not. If this happens user will be prompted to refresh.
2018-03-06 16:49:31 +11:00
Sam
a3c7ee09b6
FIX: ruby bench not working properly
...
- Remove thin which is no longer supported
- Bypass admin api rate limiting in profile environment
- Admin password was too short
- Run by default in concurrency 1 mode
- A skip bundle assets flag to speed up local testing
2018-02-19 11:37:16 +11:00
Robin Ward
569e57f0a9
FIX: Delete the invalid auth cookie even if you hit the rate limit
2018-02-09 19:09:54 -05:00
Robin Ward
8c04893a04
FIX: Don't throttle local lookups
2018-02-07 00:31:05 -05:00
Sam
215c0d5569
FEATURE: allow system api to target users via external id or user id
...
usage ?api_key=XYZ&api_user_external_id=ABC
usage ?api_key=XYZ&api_user_id=123
2018-01-12 17:40:18 +11:00
Guo Xiang Tan
6ade508f39
FIX: Prevent 'rack.input' missing error.
2017-12-12 16:40:35 +08:00
Sam
68d3c2c74f
FEATURE: add global rate limiter for admin api 60 per minute
...
Also move configuration of admin and user api rate limiting into global
settings. This is not intended to be configurable per site
2017-12-11 11:07:22 +11:00
Arpit Jalan
804b4f32f8
better error message when API authentication fails
2017-10-20 20:05:34 +05:30
Guo Xiang Tan
77d4c4d8dc
Fix all the errors to get our tests green on Rails 5.1.
2017-09-25 13:48:58 +08:00
Guo Xiang Tan
5012d46cbd
Add rubocop to our build. ( #5004 )
2017-07-28 10:20:09 +09:00
Neil Lalonde
8fd915a11a
Revert "FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out"
2017-06-21 16:18:24 -04:00
Neil Lalonde
1716747810
FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out
2017-06-20 13:30:36 -04:00
Sam
99f4d5082b
FIX: Improve token rotation and increase logging
...
- avoid access denied on bad cookie, instead just nuke it
- avoid marking a token unseen for first minute post rotation
- log path in user auth token logs
2017-03-07 13:27:43 -05:00
Sam
122fb8025d
FIX: last seen date erroneously updated when browser in background
...
In some cases user may be "last seen" even though browser tab is in
the background or computer is locked
2017-02-28 12:35:10 -05:00
Sam
ea1007e954
FEATURE: add support for same site cookies
...
Defaults to Lax, can be disabled or set to Strict.
Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00
Sam
ad435da377
fix typo
2017-02-23 10:58:53 -05:00
Sam Saffron
b7d2edc7dc
FIX: allow some auth token misses prior to clearing cookie
...
It appears that in some cases ios queues up requests up front
and "releases" them when tab gets focus, this allows for a certain
number of cookie misses for this case. Otherwise you get logged off.
2017-02-22 12:37:11 -05:00
Sam
7a85469c4c
SECURITY: inactive/suspended accounts should be banned from api
...
Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:03:09 -05:00
Sam
0ab96a7691
FEATURE: add hidden setting for verbose auth token logging
...
This is only needed to debug auth token issues, will result in lots
of logging
2017-02-13 14:01:09 -05:00
Sam
ff49f72ad9
FEATURE: per client user tokens
...
Revamped system for managing authentication tokens.
- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes
New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.
Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
Sam
6ff309aa80
SECURITY: don't grant same privileges to user_api and api access
...
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
2016-12-16 12:05:43 +11:00
Sam
b246f1a694
FEATURE: set secure flag on _t cookie if https is forced
2016-10-17 12:11:49 +11:00
Sam
f4f5524190
FEATURE: user API now contains scopes so permission is granular
...
previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.
2016-10-14 16:05:42 +11:00
Sam
be0fd5b4cc
FEATURE: allow user api key revocation for read only keys
2016-09-02 17:04:00 +10:00
Sam
c4bf138d2c
FIX: incorrect error being raised
2016-08-26 10:39:13 +10:00
Sam
b09922b58a
we have to allow message bus for read clients
2016-08-19 15:22:52 +10:00
Sam
3ea68f8f6c
tweak headers so they can be consumed
2016-08-18 14:38:33 +10:00
Sam
416e7e0d1e
FEATURE: basic UI to view user api keys
2016-08-16 17:06:52 +10:00
Sam
fc095acaaa
Feature: User API key support (server side implementation)
...
- Supports throttled read and write
- No support for push yet, but data is captured about intent
2016-08-15 17:59:36 +10:00
Sam
5cc8bb535b
SECURITY: do cookie auth rate limiting earlier
2016-08-09 10:02:18 +10:00
Sam
16a383ea1e
SECURITY: limit bad cookie auth attempts
...
- Also cleans up the _t cookie if it is invalid
2016-07-28 12:58:49 +10:00
Sam
b5fbff947b
FIX: don't expire old sessions when logging in
2016-07-26 11:37:41 +10:00
Sam
c1f62d8657
Revert "make upgrade a bit more seamless"
...
This reverts commit 78b88a1633
.
2016-07-25 12:49:33 +10:00
Sam
78b88a1633
make upgrade a bit more seamless
2016-07-25 12:30:52 +10:00
Sam
df535c6346
FEATURE: refresh session cookie at most once an hour
...
This feature ensures session cookie lifespan is extended
when user is online.
Also decreases session timeout from 90 to 60 days.
Ensures all users (including logged on ones) get expiring sessions.
2016-07-25 12:07:31 +10:00
Arpit Jalan
a9207dafa7
FEATURE: configure session time via site setting for all the users ( #4343 )
2016-07-23 02:57:30 +05:30
Guo Xiang Tan
22ade1f811
FEATURE: Add event trigger when a user is logged out.
2016-07-04 17:20:30 +08:00
Sam
f88cf4e2f0
Merge pull request #4226 from xfalcox/non-persistent-session
...
FEATURE: add setting permanent_session_cookie to configure session st…
2016-06-29 16:47:31 +10:00
Régis Hanol
9704603fab
FEATURE: sendgrid webhooks
2016-06-01 21:48:06 +02:00
Sam
52c3b0b0ce
clear mini profiler cookie when admin logs off
2016-05-18 17:27:54 +10:00
Rafael dos Santos Silva
09ef5f613e
FEATURE: add setting permanent_session_cookie to configure session stickiness
...
Now admins can turn make the login cookie die after the browser is closed, so the user needs to log in everytime.
2016-05-17 01:12:09 -03:00
Arpit Jalan
74b3807f60
FEATURE: new bootstrap mode settings for brand new Discourse community ( #4193 )
...
* FEATURE: new bootstrap mode settings for brand new Discourse community
* new SiteSetting.set_and_log method
2016-04-26 13:08:19 -04:00
Sam
803feefd54
MessageBus handles readonly redis now, no need to wrap it
2015-05-04 12:21:00 +10:00
Robin Ward
5b3f99aa50
Don't blow up if Redis switches to READONLY
2015-04-24 14:37:16 -04:00
Sam
3483c8318f
FEATURE: logging out logs you out everywhere
...
can be disabled by changing the setting "log_out_strict" to false
2015-01-28 12:56:41 +11:00
Sam
a9cda0f947
FEATURE: allow restricting API keys to a particular range
2014-11-20 15:21:49 +11:00