Régis Hanol
182b34243d
FIX: opts is a hash in 'log_on_user'
...
cc @nbianca
2018-11-12 16:00:12 +01:00
Bianca Nenciu
5af9a69a3b
FIX: Do not check for suspicious login when impersonating. ( #6534 )
...
* FIX: Do not check for suspicious login when impersonating.
* DEV: Add 'impersonate' parameter to log_on_user.
2018-11-12 15:34:12 +01:00
Bianca Nenciu
5fc09a6467
DEV: Fix build.
2018-11-05 14:16:03 +02:00
David Taylor
a84b6b6b0c
SECURITY: Add CSRF protections to OpenID callback
2018-11-05 11:16:57 +00:00
Régis Hanol
d17c8df926
Only check for suspicious login for staff members
2018-10-26 00:29:28 +02:00
David Taylor
56e0f47bcd
FIX: Do not update last_seen
for API access
...
This regressed in 2dc3a50
. I have now added tests for the behavior.
2018-10-25 13:38:57 +01:00
Sam
45f01e637b
FIX: when associating Github account disassociate others
...
There are some cases where an email floats from one GitHub account to another
if this happens just take over the Github mapping record
2018-10-10 15:46:50 +11:00
Vinoth Kannan
d8b543bb67
FIX: redirect to original URL after social signup
2018-09-05 01:44:23 +05:30
Guo Xiang Tan
d1af89e3b3
DEV: Extract global admin api rate limiting into a dedicated method.
...
* We have a use case for overriding the rate limiting logic in a
plugin.
2018-09-04 16:37:54 +08:00
Guo Xiang Tan
3b337bfc6b
Revert "FIX: Don't rate limit admin and staff constraints when matching routes."
...
This reverts commit 651b50b1a1
.
2018-09-04 14:27:21 +08:00
Guo Xiang Tan
651b50b1a1
FIX: Don't rate limit admin and staff constraints when matching routes.
...
* When an error is raised when checking route constraints, we
can only return true/false which either lets the request
through or return a 404 error. Therefore, we just skip
rate limiting here and let the controller handle the
rate limiting.
2018-09-04 13:52:58 +08:00
Sam
272de95175
FIX: client duplicate registration should be cleaned up
...
If for any reason we are unable to correct client id on a user api key
invalidate old keys for client/user
2018-08-22 12:56:49 +10:00
Bianca Nenciu
860c1c3dcd
FEATURE: Automatically expire keys if not used for a configurable amount of time. ( #6264 )
2018-08-20 17:36:14 +02:00
Gerhard Schlager
6ddf7fcd1f
Fix warnings about already initialized constants
2018-08-09 17:29:02 +02:00
David Taylor
812add18bd
REFACTOR: Serve auth provider information in the site serializer.
...
At the moment core providers are hard-coded in Javascript, and plugin providers get added to the JS payload at compile time. This refactor means that we only ship enabled providers to the client.
2018-08-06 09:25:48 +01:00
David Taylor
6566b2f11a
FEATURE: Allow revoke and connect for Instagram logins
2018-07-30 14:38:53 +01:00
David Taylor
5f1fd0019b
FEATURE: Allow revoke and connect for GitHub logins
2018-07-27 17:18:53 +01:00
David Taylor
6296f63804
FEATURE: Revoke and connect for Yahoo logins
2018-07-27 16:20:47 +01:00
David Taylor
9c72c00206
FEATURE: Revoke and reconnect for Twitter logins
2018-07-27 12:28:51 +01:00
David Taylor
fa399ce1c5
FEATURE: Add revoke and reconnect functionality for google logins
2018-07-25 16:03:14 +01:00
David Taylor
776fd0de66
FIX: Filter open-id logins by identifier
2018-07-25 11:47:09 +01:00
David Taylor
eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 ( #6099 )
...
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
David Taylor
2dc3a50dac
FIX: Do not update last seen
time for suspended users
2018-07-18 16:04:57 +01:00
Guo Xiang Tan
ad5082d969
Make rubocop happy again.
2018-06-07 13:28:18 +08:00
Guo Xiang Tan
543b7cddfb
FIX: Extra comma resulted in Github auth email result being an array.
...
https://meta.discourse.org/t/github-2fa-flow-broken/88674
2018-05-30 12:15:12 +08:00
OsamaSayegh
f6d412465b
FIX: apply automatic group rules when using social login providers
2018-05-23 02:26:07 +03:00
Régis Hanol
2cf6fb7359
FIX: always unstage users when they log in
2018-05-13 17:00:02 +02:00
Sam
3d6dc764be
needed to remove legacy from a few more spots
2018-05-04 11:12:01 +10:00
Sam
c7a0ced656
FIX: remove facebook_request_extra_profile_details
...
Since this no longer works
2018-04-26 14:14:35 +10:00
Vinoth Kannan
c5d26992d4
Prefer to use primary email for new user creation over other available emails
2018-03-19 17:10:35 +05:30
Robin Ward
c75fd34328
Allow Discourse installs to name the token cookie
2018-03-13 16:48:40 -04:00
Sam
0134e41286
FEATURE: detect when client thinks user is logged on but is not
...
This cleans up an error condition where UI thinks a user is logged on
but the user is not. If this happens user will be prompted to refresh.
2018-03-06 16:49:31 +11:00
Guo Xiang Tan
fb75f188ba
FEATURE: Disallow login via omniauth when user has 2FA enabled.
2018-03-01 15:47:07 +08:00
Guo Xiang Tan
24d0a7a4c7
Take 2 on f74d6bb605
.
...
New options are left out by default when not configured so that an
incorrect default configuration doesn't blow up google oauth for
everyone.
2018-02-23 07:53:01 +08:00
Joffrey JAFFEUX
1c790ae6bc
Revert "Add prompt and HD settings to the Google OAuth2 plugin."
...
This reverts commit f74d6bb605
.
2018-02-22 19:17:02 +01:00
Geoffrey Challen
f74d6bb605
Add prompt and HD settings to the Google OAuth2 plugin.
2018-02-22 12:29:19 +08:00
Sam
a3c7ee09b6
FIX: ruby bench not working properly
...
- Remove thin which is no longer supported
- Bypass admin api rate limiting in profile environment
- Admin password was too short
- Run by default in concurrency 1 mode
- A skip bundle assets flag to speed up local testing
2018-02-19 11:37:16 +11:00
Robin Ward
569e57f0a9
FIX: Delete the invalid auth cookie even if you hit the rate limit
2018-02-09 19:09:54 -05:00
Robin Ward
8c04893a04
FIX: Don't throttle local lookups
2018-02-07 00:31:05 -05:00
Régis Hanol
e2d82b882e
FIX: redirect to original URL after social login
2018-01-26 18:52:27 +01:00
Sam
215c0d5569
FEATURE: allow system api to target users via external id or user id
...
usage ?api_key=XYZ&api_user_external_id=ABC
usage ?api_key=XYZ&api_user_id=123
2018-01-12 17:40:18 +11:00
Vinoth Kannan
988b13ac77
FIX: GitHub auth always asking to verify email for new users ( #5487 )
2018-01-12 15:17:29 +11:00
Michael Brown
105cf61ed9
Implements https://meta.discourse.org/t/issue-user-changed-google-account-and-cant-connect-thru-his-profile/35028/18?u=supermathie
2017-12-20 17:59:36 -05:00
Sam
67aecff59c
FEATURE: store twitter supplied email for auditing
2017-12-14 15:54:32 +11:00
Guo Xiang Tan
6ade508f39
FIX: Prevent 'rack.input' missing error.
2017-12-12 16:40:35 +08:00
Sam
68d3c2c74f
FEATURE: add global rate limiter for admin api 60 per minute
...
Also move configuration of admin and user api rate limiting into global
settings. This is not intended to be configurable per site
2017-12-11 11:07:22 +11:00
Robin Ward
16407dfc11
Add a failed_code
we can check for when using Auth::Result
2017-11-09 10:49:42 -05:00
Arpit Jalan
804b4f32f8
better error message when API authentication fails
2017-10-20 20:05:34 +05:30
Neil Lalonde
2db66072d7
SECURITY: signup without verified email using Google auth
2017-10-16 13:51:41 -04:00
Guo Xiang Tan
77d4c4d8dc
Fix all the errors to get our tests green on Rails 5.1.
2017-09-25 13:48:58 +08:00