Commit Graph

96 Commits

Author SHA1 Message Date
Sam
4b42a0abc9 FIX: add error for suspended users attempting to login via sso 2017-11-14 16:52:00 +11:00
Rafael dos Santos Silva
5d5268a82b Feature: Group handling 2017-10-25 22:49:17 -02:00
Neil Lalonde
1faae3c765 rename forgot_password_strict to hide_email_address_taken 2017-10-03 15:28:31 -04:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Erick Guan
c7a101476e Spec for local auth check 2017-08-16 11:01:00 +02:00
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Guo Xiang Tan
ee449b0dd5 Improve SSO verbose log when user record is invalid. 2017-04-13 11:39:26 +08:00
Sam Saffron
0013a23dc1 SECURITY: prefer render plain/html to render text where possible 2017-04-10 08:01:42 -04:00
Guo Xiang Tan
5943543ec3 FIX: Improve checks for non-human users. 2017-04-06 11:29:34 +08:00
Sam
8e5e3b5af8 FIX: sso provider require return_sso_url 2017-03-22 09:08:38 -04:00
Robin Ward
874e8900af Display email address in SSO error message. 2017-03-21 15:37:46 -04:00
Robin Ward
aeaf5075bf Custom errors for when Email is invalid via SSO 2017-03-21 15:23:38 -04:00
Robin Ward
52d78294cc Render a layout when there's an SSO error 2017-03-21 15:23:38 -04:00
Guo Xiang Tan
9364d8ce71 FIX: Store user's id instead for sending activation email.
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
2017-03-13 20:24:55 +08:00
Guo Xiang Tan
7ebfa3c901 SECURITY: Only allow users to resend activation email with a valid session.
* Improve error when an active user tries to request for an activation email.
2017-03-13 19:35:29 +08:00
Arpit Jalan
cba51e1c38 FEATURE: new site setting for max logins per ip per hour/minute 2017-02-27 16:58:03 +05:30
Sam
dd383300b1 FEATURE: rate limit by login on password reset 2016-12-19 11:03:07 +11:00
Sam
61eb134181 FEATURE: setting to allow arbitrary redirects from sso origin
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
2016-12-16 13:37:44 +11:00
Guo Xiang Tan
559918c6c6 PERF: Add endpoint to check if a group can be mentioned by user. 2016-11-26 02:20:46 +08:00
Sam
e6fcaadd45 FIX: redirects back to origin for SSO and omniauth login 2016-09-16 13:48:50 +10:00
Sam
0b334cdf74 FIX: stop removing query params from destination url in sso 2016-08-16 17:06:52 +10:00
Robin Ward
2f8ab8cd30 SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions 2016-07-28 11:38:12 -04:00
Peter Lejeck
e265b7b090 Log RecordInvalid when verbose_sso_logging enabled 2016-06-29 22:12:25 -07:00
Sam
852860de66 FEATURE: simpler and friendlier unsubscribe workflow
- All unsubscribes go to the exact same page
- You may unsubscribe from watching a category on that page
- You no longer need to be logged in to unsubscribe from a topic
- Simplified footer on emails
2016-06-17 11:28:49 +10:00
Sam
19ca08857f FEATURE: verbose SSO logging
By enabling the site setting verbose_sso_logging
you can log information every time a user tries initiates SSO
and during SSO failures
2016-04-08 11:20:01 +10:00
Sam
a130cb8305 FEATURE: move more urgent emails notifications to critical queue
Move signup, admin login and password change email notifications
to critical queue
2016-04-07 14:39:01 +10:00
Sam
8ec7fd84fd FEATURE: prioritize sidekiq jobs
This commit introduces 3 queues for sidekiq

"critical" for urgent jobs (weighted at 4x weight)
"default" for standard jobs(weighted at 2x weight)
"low" for less important jobs


"critical jobs"

Reset Password emails has been seperated to its own job
Heartbeat which is required to keep sidekiq running
Test email which needs to return real quick


"low priority jobs"

Notify mailing list
Pull hotlinked images
Update gravatar

"default"

All the rest

Note: for people running sidekiq from command line use

bin/sidekiq -q critical,4 -q default,2 -q low
2016-04-07 12:56:43 +10:00
Robin Ward
f0552af5f1 FIX: Don't log validation errors for sso 2016-03-23 14:44:34 -04:00
Régis Hanol
0a84275800 missed a couple of newlines in the logs 2016-02-24 23:35:45 +01:00
Régis Hanol
97c7b894ce better logs when an error happens in SSO 2016-02-24 21:57:01 +01:00
Neil Lalonde
97130463d6 FEATURE: show a new modal when suspended users try to log in 2016-02-19 12:19:20 -05:00
Régis Hanol
7d3be0f8f1 forgot password on a staged account does nothing 2015-11-09 17:37:33 +01:00
Arpit Jalan
c28843e87b FIX: redirect to return_url when working as SSO provider 2015-10-25 11:30:38 +05:30
Dan Singerman
8055d065f2 Refactor ApplicationController#redirect_to_login_if_required to use session for SSO 2015-08-11 16:48:55 +01:00
Dan Singerman
7056db26e6 Respect cookie[:destination_url] in Single Sign On
When the login_required setting is true, the destination URL is dropped. This change means it will be
respected at login time
2015-08-11 16:31:28 +01:00
Sam
fc2a08731a FIX: sso_not_approved_url not working correctly 2015-05-30 13:19:07 +10:00
Sam
02fa7448ca FEATURE: custom url to redirect to on account pending approval for sso 2015-05-27 14:06:45 +10:00
Sam
918034aa7b remove less useful error reporting 2015-05-27 11:17:28 +10:00
Sam
e5888cf090 PERF: avoid preloading json in cases where it is not needed
(uploads / avatars / non GET requests)
2015-05-20 17:12:16 +10:00
Sam
14ab9c45b6 Merge pull request #3470 from ahuling13/expired-nonce-return-status
In the case of an expired nonce, return a 400 status code instead of 500
2015-05-20 12:08:17 +10:00
Andrew Huling
e44ddff9bb Change the expired nonce return status code from 400 to 419. 2015-05-19 13:13:14 -04:00
Paul Kaplan
b8a43e153c Use session controller to prevent inactive SSO users 2015-05-15 12:15:06 -05:00
Andrew Huling
e1d2ecef10 In the case of an expired nonce, return a 400 status code instead of a 500.
500 status codes are for unexpected server-side error scenarios. When an expired nonce is used by the client, a 4XX-level error is more appropriate because the client has submitted a bad request (by using an expired nonce). A 500 also causes Internet Explorer to show its default 500 page which does not show the error message and leads to a bad end user experience. I am choosing 400 for the new status rather than 401 or 403 because 401 requires a WWW-Authenticate header which would be difficult to generate in an SSO scenario and a 403 implies that no re-authentication will address the failure.
2015-05-14 16:03:02 -04:00
Harm Geerts
d9a3e82516 Stop sso login processing after rendering error
This prevents a DoubleRenderError triggered on the redirect_to.
2015-05-11 14:17:32 +02:00
Sam
f5af4768eb FEATURE: add clean support for running Discourse in a subfolder
To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-09 13:14:29 +11:00
Neil Lalonde
7c14db44cc UX: improve message when admin login is blocked because of admin ip address whitelisting 2015-03-02 12:13:22 -05:00
Robin Ward
3e2ba5b30b FIX: If an IP is blocked, don't allow people to login using it 2015-02-25 16:02:40 -05:00
Robin Ward
ca5730018a FIX: SSO code should respect IP address filters 2015-02-23 16:01:46 -05:00
riking
5657006aca Rename handle_exception to handle_job_exception 2015-02-09 12:47:46 -08:00
Robin Ward
b3a2c0c45b SECURITY: The SSO return_path was an open redirect
This security fix needs SSO to be configured, and the user has to go
through the entire auth process before being redirected to the wrong host so
it is probably lower priority for most installs.
2015-01-22 12:20:17 -05:00