Commit Graph

166 Commits

Author SHA1 Message Date
Robin Ward
569e57f0a9 FIX: Delete the invalid auth cookie even if you hit the rate limit 2018-02-09 19:09:54 -05:00
Robin Ward
8c04893a04 FIX: Don't throttle local lookups 2018-02-07 00:31:05 -05:00
Régis Hanol
e2d82b882e FIX: redirect to original URL after social login 2018-01-26 18:52:27 +01:00
Sam
215c0d5569 FEATURE: allow system api to target users via external id or user id
usage ?api_key=XYZ&api_user_external_id=ABC
usage ?api_key=XYZ&api_user_id=123
2018-01-12 17:40:18 +11:00
Vinoth Kannan
988b13ac77 FIX: GitHub auth always asking to verify email for new users (#5487) 2018-01-12 15:17:29 +11:00
Michael Brown
105cf61ed9 Implements https://meta.discourse.org/t/issue-user-changed-google-account-and-cant-connect-thru-his-profile/35028/18?u=supermathie 2017-12-20 17:59:36 -05:00
Sam
67aecff59c FEATURE: store twitter supplied email for auditing 2017-12-14 15:54:32 +11:00
Guo Xiang Tan
6ade508f39 FIX: Prevent 'rack.input' missing error. 2017-12-12 16:40:35 +08:00
Sam
68d3c2c74f FEATURE: add global rate limiter for admin api 60 per minute
Also move configuration of admin and user api rate limiting into global
settings. This is not intended to be configurable per site
2017-12-11 11:07:22 +11:00
Robin Ward
16407dfc11 Add a failed_code we can check for when using Auth::Result 2017-11-09 10:49:42 -05:00
Arpit Jalan
804b4f32f8 better error message when API authentication fails 2017-10-20 20:05:34 +05:30
Neil Lalonde
2db66072d7 SECURITY: signup without verified email using Google auth 2017-10-16 13:51:41 -04:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Kyle Zhao
5868508e98 GH#retrieve_avatar: simplify conditional and restructured testing 2017-08-22 23:46:50 -04:00
Kyle Zhao
49f0119c12 FEATURE: import Github profile picture 2017-08-22 20:23:47 -04:00
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Blake Erickson
fcfc895167 FIX: new sign-ups via google are added to groups
This fix ensures that users that are signing up via google oauth are
automatically added to any groups.

A similar fix will probably need to be added to other oauth providers.
2017-07-07 14:08:58 -06:00
Neil Lalonde
8fd915a11a Revert "FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out" 2017-06-21 16:18:24 -04:00
Neil Lalonde
1716747810 FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out 2017-06-20 13:30:36 -04:00
Sam
8d80a5d97e add some explicit scoping to help avoid erratic failure in test 2017-03-07 16:00:51 -05:00
Sam
99f4d5082b FIX: Improve token rotation and increase logging
- avoid access denied on bad cookie, instead just nuke it
- avoid marking a token unseen for first minute post rotation
- log path in user auth token logs
2017-03-07 13:27:43 -05:00
Guo Xiang Tan
3d347fb9c4 FIX: Don't mark user as active if verified email is different. 2017-03-02 14:24:30 +08:00
Sam
122fb8025d FIX: last seen date erroneously updated when browser in background
In some cases user may be "last seen" even though browser tab is in
the background or computer is locked
2017-02-28 12:35:10 -05:00
Sam
ea1007e954 FEATURE: add support for same site cookies
Defaults to Lax, can be disabled or set to Strict.

Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00
Sam
ad435da377 fix typo 2017-02-23 10:58:53 -05:00
Sam Saffron
b7d2edc7dc FIX: allow some auth token misses prior to clearing cookie
It appears that in some cases ios queues up requests up front
and "releases" them when tab gets focus, this allows for a certain
number of cookie misses for this case. Otherwise you get logged off.
2017-02-22 12:37:11 -05:00
Sam
7a85469c4c SECURITY: inactive/suspended accounts should be banned from api
Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:03:09 -05:00
Sam
0ab96a7691 FEATURE: add hidden setting for verbose auth token logging
This is only needed to debug auth token issues, will result in lots
of logging
2017-02-13 14:01:09 -05:00
Sam
ff49f72ad9 FEATURE: per client user tokens
Revamped system for managing authentication tokens.

- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes

New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.

Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
Sam
6ff309aa80 SECURITY: don't grant same privileges to user_api and api access
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
2016-12-16 12:05:43 +11:00
Sam
2ddabc3928 FIX: protect against future regressions of google omniauth 2016-11-07 12:48:00 +11:00
Régis Hanol
923db2e559 FIX: download avatar from facebook/twitter in a job in order to prevent hangs when avatars are huge 2016-10-24 17:15:13 +02:00
Régis Hanol
0862ad406d FIX: pull twitter's avatar & profile when signing up 2016-10-17 15:43:40 +02:00
Sam
b246f1a694 FEATURE: set secure flag on _t cookie if https is forced 2016-10-17 12:11:49 +11:00
Sam
f4f5524190 FEATURE: user API now contains scopes so permission is granular
previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.
2016-10-14 16:05:42 +11:00
Régis Hanol
9dd1f7b5b6 pull avatar, bio & location from Twitter 2016-10-13 10:49:51 +02:00
Sam
aaec05e36a FIX: stop asking for bio from facebook, it is deprecated 2016-10-11 10:56:07 +11:00
Rafael dos Santos Silva
5bdaaca848 Make it square! 2016-09-28 12:49:22 -03:00
Rafael dos Santos Silva
f5746f490f Uses higher resolution pictures when importing avatars from Facebook 2016-09-28 01:38:41 -03:00
Jared Reisinger
2ae7c47a3c Add support for email whitelist/blacklist to GitHub auth
If a site is configured for GitHub logins, _**and**_ has an email domain
whitelist, it's possible to get in a state where a new user is locked to
a non-whitelist email (their GitHub primary) even though they have an
alternate email that's on the whitelist.  In all cases, the GitHub
primary email is attempted first so that previously existing behavior
will be the default.

- Add whitelist/blacklist support to GithubAuthenticator (via
  EmailValidator)

- Add multiple email support GithubAuthenticator

- Add test specs for GithubAuthenticator

- Add authenticator-agnostic "none of your email addresses are allowed"
  error message.
2016-09-22 11:31:10 -07:00
Sam
8dc4329094 FEATURE: optionally get extra profile info from facebook
This feature requires the application be approved by facebook, so it is
default off
2016-09-19 16:14:11 +10:00
Sam
5b3cd3fac9 FEATURE: Import facebook avatars when logging in via facebook
FIX: warning about popup dimensions when using facebook login

Rules are:

- On account creation we always import
- If you already have an avatar uploaded, nothing is changed
- If you have no avatar uploaded, we upload from facebook on login
- If you have no avatar uploaded, we select facebook unless gravatar already selected

This also fixes SSO issues where on account creation accounts had missing avatar uploads
2016-09-19 15:10:23 +10:00
Robin Ward
9609a47016 Ability to skip email validation via a plugin 2016-09-07 14:05:46 -04:00
Robin Ward
610dd933a3 FEATURE: Support importing email from Twitter 2016-09-06 12:18:13 -04:00
Sam
be0fd5b4cc FEATURE: allow user api key revocation for read only keys 2016-09-02 17:04:00 +10:00
Sam
c4bf138d2c FIX: incorrect error being raised 2016-08-26 10:39:13 +10:00
Sam
b09922b58a we have to allow message bus for read clients 2016-08-19 15:22:52 +10:00
Sam
3ea68f8f6c tweak headers so they can be consumed 2016-08-18 14:38:33 +10:00
Sam
416e7e0d1e FEATURE: basic UI to view user api keys 2016-08-16 17:06:52 +10:00
Sam
fc095acaaa Feature: User API key support (server side implementation)
- Supports throttled read and write
- No support for push yet, but data is captured about intent
2016-08-15 17:59:36 +10:00
Sam
5cc8bb535b SECURITY: do cookie auth rate limiting earlier 2016-08-09 10:02:18 +10:00
Sam
16a383ea1e SECURITY: limit bad cookie auth attempts
- Also cleans up the _t cookie if it is invalid
2016-07-28 12:58:49 +10:00
Sam
b5fbff947b FIX: don't expire old sessions when logging in 2016-07-26 11:37:41 +10:00
Sam
c1f62d8657 Revert "make upgrade a bit more seamless"
This reverts commit 78b88a1633.
2016-07-25 12:49:33 +10:00
Sam
78b88a1633 make upgrade a bit more seamless 2016-07-25 12:30:52 +10:00
Sam
df535c6346 FEATURE: refresh session cookie at most once an hour
This feature ensures session cookie lifespan is extended
when user is online.

Also decreases session timeout from 90 to 60 days.
Ensures all users (including logged on ones) get expiring sessions.
2016-07-25 12:07:31 +10:00
Arpit Jalan
a9207dafa7 FEATURE: configure session time via site setting for all the users (#4343) 2016-07-23 02:57:30 +05:30
Guo Xiang Tan
22ade1f811
FEATURE: Add event trigger when a user is logged out. 2016-07-04 17:20:30 +08:00
Sam
f88cf4e2f0 Merge pull request #4226 from xfalcox/non-persistent-session
FEATURE: add setting permanent_session_cookie to configure session st…
2016-06-29 16:47:31 +10:00
Régis Hanol
9704603fab FEATURE: sendgrid webhooks 2016-06-01 21:48:06 +02:00
Sam
52c3b0b0ce clear mini profiler cookie when admin logs off 2016-05-18 17:27:54 +10:00
Rafael dos Santos Silva
09ef5f613e FEATURE: add setting permanent_session_cookie to configure session stickiness
Now admins can turn make the login cookie die after the browser is closed, so the user needs to log in everytime.
2016-05-17 01:12:09 -03:00
Arpit Jalan
74b3807f60 FEATURE: new bootstrap mode settings for brand new Discourse community (#4193)
* FEATURE: new bootstrap mode settings for brand new Discourse community

* new SiteSetting.set_and_log method
2016-04-26 13:08:19 -04:00
Mark Biegel
70b287a053 Update instagram_authenticator.rb 2016-02-26 11:37:48 +10:00
Ubuntu
5c603bf8ec Added Instagram login method 2016-02-25 12:13:59 +10:00
Sam
0ef141b2c3 FIX: skip jwt encoding for auth 2016-02-05 08:48:16 +11:00
Robin Ward
0b4c9005f9 FIX: Don't include name in hash when names are disabled.
This could break some SSO implementations due to honeypot
not being triggered.
2015-10-29 12:19:45 -04:00
Robin Ward
7dbc2590a5 Support for auth plugins to freeze the username 2015-06-26 15:55:33 -04:00
Robin Ward
b4960d48b4 Better support for passing up errors when OmniAuth fails after auth 2015-06-24 12:12:43 -04:00
Sam
803feefd54 MessageBus handles readonly redis now, no need to wrap it 2015-05-04 12:21:00 +10:00
Robin Ward
5b3f99aa50 Don't blow up if Redis switches to READONLY 2015-04-24 14:37:16 -04:00
Neil Lalonde
7c14db44cc UX: improve message when admin login is blocked because of admin ip address whitelisting 2015-03-02 12:13:22 -05:00
Sam
3483c8318f FEATURE: logging out logs you out everywhere
can be disabled by changing the setting "log_out_strict" to false
2015-01-28 12:56:41 +11:00
Neil Lalonde
7412ff4da7 FIX: suspended users are logged out when they are suspended. Show a reason for suspension when they try to log in. 2015-01-19 12:37:02 -05:00
Greg Kempe
e979382ab4 Facebook auth without an email should allow user to enter email
In some cases Facebook doesn't send back a user's email. In this
case, allow the user to enter their email address.

See
https://meta.discourse.org/t/facebook-initial-login-create-account-dialog-leaves-email-field-blank/13815/15
2014-12-08 12:43:06 +02:00
Sam
a9cda0f947 FEATURE: allow restricting API keys to a particular range 2014-11-20 15:21:49 +11:00
Sam
aa9b3bb35a FEATURE: allow long polling to go to a different url
Added the site setting long_polling_base_url , this allows you
to farm long polling to a different server.

This setting is very important if a CDN is serving dynamic content.
2014-10-24 13:38:38 +11:00
Neil Lalonde
ca5f361d0a FEATURE: restrict admin access based on IP address 2014-09-05 12:06:01 -04:00
Sam
fdc89b1735 SECURITY: GitHub authenticator returning unverified emails 2014-09-03 12:53:22 +10:00
Régis Hanol
7c65adfd6f FEATURE: raise an exception when the email is missing in the OpenId callback 2014-08-07 19:28:50 +02:00
Neil Lalonde
030c748adb Revert "FIX: google oauth2 for sites using https. Need to specify the redirect_uri during setup in this case."
This reverts commit fe6235b40e.
2014-07-31 16:56:08 -04:00
Neil Lalonde
fe6235b40e FIX: google oauth2 for sites using https. Need to specify the redirect_uri during setup in this case. 2014-07-31 14:50:46 -04:00
riking
12cb682548 Start passing more context to Discourse.handle_exception 2014-07-17 14:11:56 -07:00
Neil Lalonde
01a68f8cc7 Emails are case insensitive 2014-07-16 10:22:01 -04:00
Sam
67db561429 BUGFIX: missed a key rename
BUGFIX: API spec not enabling CSRF
2014-05-23 08:43:19 +10:00
Sam
cf254000cf Revert "Revert "BUGFIX: improve error messages for invalid API keys""
This reverts commit e9afe28586.
2014-05-23 08:43:19 +10:00
Neil Lalonde
e9afe28586 Revert "BUGFIX: improve error messages for invalid API keys" 2014-05-22 14:55:36 -04:00
Sam
eeef775f21 BUGFIX: improve error messages for invalid API keys
BUGFIX: don't track last seen for message bus
2014-05-22 09:01:29 +10:00
Neil Lalonde
742841ddce Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:35:10 -04:00
Louis Rose
1574485443 Perform the where(...).first to find_by(...) refactoring.
This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb"
2014-05-06 14:41:59 +01:00
Neil Lalonde
1da59e7e2e FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00
Sam
5897d3419c BUGFIX: identity_url was not fished out correctly
If I user logged in with Google and then changed email,
they would no longer be able to log in with google
2014-03-26 14:52:50 +11:00
Sam
35ee341122 SECURITY: GitHub returns unvalidated emails 2014-03-26 10:55:36 +11:00
Sam
7e7c4efcc0 FEATURE: on initial boot hint users on how to get admin 2014-03-24 18:03:39 +11:00
Neil Lalonde
a74764c833 Log when facebook doesn't provide an email address 2014-03-19 13:31:17 -04:00
Sam
2c8ae22b87 FEATURE: add a simple queue Scheduler::Defer.later {}
For quick jobs that do not need to be sent to sidekiq,
runs inline in a single thread but does not block
2014-03-17 12:16:19 +11:00
Sam
ceb80611d6 PERF: defer last_ip_address and last_seen updates 2014-03-03 15:16:38 +11:00
Sam
70c50d321a BUGFIX: allow facebook auth for people refusing email 2014-02-17 14:45:17 +11:00
Erik Ordway
f1e8bdaee5 Remove cas auth from core and convert the settings over so they can be used by the plugin 2014-02-11 15:57:08 -08:00
Sam
7ad00f426c FEATURE REMOVAL: persona login
see: https://meta.discourse.org/t/pulling-persona-out-of-discourse-core/12613
2014-02-11 16:56:48 +11:00