Commit Graph

210 Commits

Author SHA1 Message Date
David Taylor
821bb1e8cb
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978)
The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense.

This commit aims to:
- Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_`
- Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices
- Copy `site_settings` database records to the new names
- Rename relevant translation keys
- Update relevant translations

This commit does **not** aim to:
- Rename any Ruby classes or methods. This might be done in a future commit
- Change any URLs. This would break existing integrations
- Make any changes to the protocol. This would break existing integrations
- Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately

The risks are:
- There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical.
- If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working.

A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 10:04:33 +00:00
Martin Brennan
e58f9f7a55
DEV: Move logic for rate limiting user second factor to one place (#11941)
This moves all the rate limiting for user second factor (based on `params[:second_factor_token]` existing) to the one place, which rate limits by IP and also by username if a user is found.
2021-02-04 09:03:30 +10:00
Robin Ward
f39ae8a903
SECURITY: Rate limit MFA by login if possible (#11938)
This ensures we rate limit on logins where possible, we also normalize logins for the rate limiters centrally.
2021-02-03 10:26:28 +11:00
David Taylor
36b4712349
FIX: Logout redirect should only be /login for login_required sites (#11466)
25563357 moved the logout redirect logic from the client-side to the server-side. Unfortunately the login_required check was lost during the refactoring which meant that non-login-required sites would redirect to `/login` after redirect, and immediately restart the login process. Depending on the SSO implementation, that can make it impossible for users to log out cleanly.

This commit restores the login_required check, and prevents the potential redirect loop.
2020-12-11 09:44:16 +00:00
David Taylor
20c0da8516
FIX: Improve email validation error handling for external logins (#11307)
- Display reason for validation error when logging in via an authenticator
- Fix email validation handling for 'Discourse SSO', and add a spec

Previously, validation errors (e.g. blocked or already-taken emails) would raise a generic error with no useful information.
2020-11-23 11:06:08 +00:00
David Taylor
255633578c
DEV: Move logout redirect logic to server and add plugin hook (#11199)
This will allow authentication plugins to provide single-logout functionality by redirect users to the identity provider after logout.
2020-11-11 15:47:42 +00:00
Krzysztof Kotlarek
5cf411c3ae
FIX: move hp request from /users to /token (#10795)
`hp` is a valid username and we should not prevent users from registering it.
2020-10-02 09:01:40 +10:00
Sam Saffron
d8d54a92f1
FEATURE: tighten rate limiting rules for forgot password
1. Total 6 attempts per day per user
2. Total of 5 per unique email/login that is not found per hour
3. If an admin blocks an IP that IP can not request a reset
2020-05-08 13:30:51 +10:00
Justin DiRose
5471c065cd
FIX: Missing timezone guess on email session login (#9404)
Timezone is guessed by moment.js if unset upon a normal login, but was not when
logging in via an email link. This adds logic to update a guessed
timezone upon email login so timezones don't end up blank.
2020-04-10 13:19:39 -05:00
Sam Saffron
0375a5ac0b
DEV: reduce logging when no external id is specified
Previously we were returning an unknown sso error and logging a message
when external id was blank. This noise is not needed.
2020-04-08 12:42:28 +10:00
Blake Erickson
965ac3567b FIX: Handle SSO Provider Parse exception
Prevent unnecessary 500 errors from appearing in the logs and return a
422 response instead.
2020-02-12 16:08:04 -07:00
Matt Marjanović
ad2aa7b52c
FEATURE: Add logout functionality to SSO Provider protocol (#8816)
This commit adds support for an optional "logout" parameter in the
payload of the /session/sso_provider endpoint.  If an SSO Consumer
adds a "logout=true" parameter to the encoded/signed "sso" payload,
then Discourse will treat the request as a logout request instead
of an authentication request.  The logout flow works something like
this:

 * User requests logout at SSO-Consumer site (e.g., clicks "Log me out!"
   on web browser).
 * SSO-Consumer site does whatever it does to destroy User's session on
   the SSO-Consumer site.
 * SSO-Consumer then redirects browser to the Discourse sso_provider
   endpoint, with a signed request bearing "logout=true" in addition
   to the usual nonce and the "return_sso_url".
 * Discourse destroys User's discourse session and redirects browser back
   to the "return_sso_url".
 * SSO-Consumer site does whatever it does --- notably, it cannot request
   SSO credentials from Discourse without the User being prompted to login
   again.
2020-02-03 12:53:14 -05:00
Martin Brennan
1014e56e80
DEV: Respond with 403 instead of 500 for disabled local login via email
Previously if local login via email was disabled because of the site setting or because SSO was enabled, we were raising a 500 error. We now raise a 403 error instead; we shouldn't raise 500 errors on purpose, instead keeping that code for unhandled errors. It doesn't make sense in the context of what we are validating either to raise a 500.
2020-01-20 16:11:58 +10:00
Martin Brennan
9c04aa593c
Fix broken admin login fro SSO enabled sites (#8737)
* When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this.
* Allow admin to get around this check.
2020-01-17 11:25:31 +10:00
Martin Brennan
66f2db4ea4 SECURITY: 2FA with U2F / TOTP 2020-01-15 11:27:12 +01:00
Martin Brennan
9e399b42b9 DEV: Remove redundant admin_login route, share with email_login 2020-01-13 12:10:07 +10:00
Martin Brennan
cb660ef952 SECURITY: Improve second factor auth logic 2020-01-10 10:45:56 +10:00
Joffrey JAFFEUX
aa73df768a
DEV: improves error message when sso param is not passed (#8549)
SingleSignOnProvider is expecting a sso param later in the chain. If sso param is not found it will cause a 500 with the following exception: `NoMethodError (undefined method `unpack1' for nil:NilClass)` as `set_return_sso_url` is attempting to decode it: https://github.com/discourse/discourse/blob/master/lib/single_sign_on_provider.rb#L19
2019-12-16 12:33:24 +01:00
Sam Saffron
0c52537f10 DEV: update rubocop to version 0.77
We like to stay as close as possible to latest with rubocop cause the cops
get better.

This update required some code changes, specifically the default is to avoid
explicit returns where implicit is done

Also this renames a few rules
2019-12-10 11:48:39 +11:00
Joffrey JAFFEUX
0d3d2c43a0
DEV: s/\$redis/Discourse\.redis (#8431)
This commit also adds a rubocop rule to prevent global variables.
2019-12-03 10:05:53 +01:00
Martin Brennan
afb5533581
FEATURE: Add timezone to core user_options (#8380)
* Add timezone to user_options table

* Also migrate existing timezone values from UserCustomField,
  which is where the discourse-calendar plugin is storing them

* Allow user to change their core timezone from Profile

* Auto guess & set timezone on login & invite accept & signup

* Serialize user_options.timezone for group members. this is so discourse-group-timezones can access the core user timezone, as it is being removed in discourse-calendar.

* Annotate user_option with timezone

* Validate timezone values
2019-11-25 10:49:27 +10:00
Penar Musaraj
067696df8f DEV: Apply Rubocop redundant return style 2019-11-14 15:10:51 -05:00
Krzysztof Kotlarek
427d54b2b0 DEV: Upgrading Discourse to Zeitwerk (#8098)
Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains. 

We no longer need to use Rails "require_dependency" anywhere and instead can just use standard 
Ruby patterns to require files.

This is a far reaching change and we expect some followups here.
2019-10-02 14:01:53 +10:00
Martin Brennan
68d35b14f4 FEATURE: Webauthn authenticator management with 2FA login (Security Keys) (#8099)
Adds 2 factor authentication method via second factor security keys over [web authn](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).

Allows a user to authenticate a second factor on login, login-via-email, admin-login, and change password routes. Adds registration area within existing user second factor preferences to register multiple security keys. Supports both external (yubikey) and built-in (macOS/android fingerprint readers).
2019-10-01 19:08:41 -07:00
David Taylor
6d3d08daad UX: Hide login/signup header buttons during authentication flows 2019-08-08 13:57:18 +01:00
Osama Sayegh
525920a979
FIX: Better error when SSO fails due to blank secret (#7946)
* FIX: Better error when SSO fails due to blank secret

* Update spec/requests/session_controller_spec.rb

Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-26 17:37:23 +03:00
Osama Sayegh
997add3af9
DEV: Add extension point to allow modifying SSO URL (#7937)
This allows plugins to, for example, add extra query params to the SSO URL when discourse redirects to to the SSO website.
2019-07-25 00:18:27 +03:00
David Taylor
e6e47f2fb2 SECURITY: Add confirmation screen when logging in via user-api OTP 2019-06-17 16:18:44 +01:00
David Taylor
52387be4a4 SECURITY: Add confirmation screen when logging in via email link 2019-06-17 16:18:37 +01:00
David Taylor
5f6f707080 Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9"
This reverts commit b8340c6c8e.
2019-06-17 16:17:10 +01:00
David Taylor
b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9
* SECURITY: Add confirmation screen when logging in via email link

* SECURITY: Add confirmation screen when logging in via user-api OTP

* FIX: Correct translation key in session controller specs

* FIX: Use .email-login class for page
2019-06-17 15:59:41 +01:00
Sam Saffron
e302c0af8b DEV: by default disable anon impersonation in dev environments
The impersonate any user by anonymous feature in dev should require a
deliberate opt-in. This way developers are better aware of the security
implications of this development only feature.
2019-06-03 10:02:27 +10:00
Guo Xiang Tan
64c117519e Fix modifying frozen strings errors take 3. 2019-05-13 16:45:23 +08:00
Sam Saffron
30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Guo Xiang Tan
24347ace10 FIX: Properly associate user_profiles background urls via upload id.
`Upload#url` is more likely and can change from time to time. When it
does changes, we don't want to have to look through multiple tables to
ensure that the URLs are all up to date. Instead, we simply associate
uploads properly to `UserProfile` so that it does not have to replicate
the URLs in the table.
2019-05-02 14:58:24 +08:00
Chris Butler
8673bd832a FEATURE: use failed_to_login for SSO error (#7394)
The error displayed when logging into suspended accounts via SSO never includes
the suspension reason, unlike non-SSO logins. By re-using the failed_to_login
method when generating the error message for SSO we can ensure the message is
consistent between the SSO and non-SSO paths.
2019-04-24 16:38:56 +10:00
Penar Musaraj
fdf4145d4b
FEATURE: Delegated authentication via user api keys (#7272) 2019-04-01 13:18:53 -04:00
Sam Saffron
40ac895ef7 SECURITY: properly validate return URL for SSO
Previously carefully crafted URLs could redirect off site
2019-03-25 09:02:42 +11:00
Robin Ward
c719658f9f human? helper method on a user
This is cleaner than hard coding `id > 0` in ruby code.
2019-02-08 13:34:54 -05:00
Arpit Jalan
1ea0cbece8 FIX: skip adding sso diagnostics if sso object is nil 2018-12-19 20:55:35 +05:30
Maja Komel
2fcbbead45 FIX: move sso provider into its own class so it doesn't interfere with sso client (#6767) 2018-12-19 10:22:10 +01:00
David Taylor
f7ce607e5d
FIX: Return 422 instead of 500 for invalid SSO signature (#6738) 2018-12-07 15:01:44 +00:00
Sam
64d9be726f the protection I placed was in the wrong path moved to /session/sso
correct previous commit
2018-11-09 17:18:01 +11:00
Sam
3ae4fcd1f7 Improve redirect avoidance for /sso paths
e6b3310577 was missing an ege case
where return url included current_hostname
2018-11-09 17:03:58 +11:00
Sam
e6b3310577 FIX: never redirect back to /sso it will cause a loop
If for any reason our return url is set to `/sso` bypass using it
for login redirect
2018-11-09 14:27:36 +11:00
Sam
aa044623bd FIX: do not create superflous sessions when logged on
In some SSO implementations we may want to issue SSO pipelines for
already logged on users

In these cases do not re-log-in a user if they are clearly logged on
2018-11-01 12:54:01 +11:00
Maja Komel
27e732a58d FEATURE: allow multiple secrets for Discourse SSO provider
This splits off the logic between SSO keys used incoming vs outgoing, it allows to far better restrict who is allowed to log in using a site.

This allows for better auditing of the SSO provider feature
2018-10-15 16:03:53 +11:00
Vinoth Kannan
39b7e32848 DEV: Require sso and sig query string params for sso_login 2018-10-12 05:03:30 +05:30
Maja Komel
ec3e6a81a4 FEATURE: Second factor backup 2018-06-28 10:12:32 +02:00
Vinoth Kannan
d8e641cd98 FIX: avatar_url includes upload_path twice when local storage used 2018-06-06 18:27:30 +05:30
Régis Hanol
09cf35c760 FIX: redirect users after signing up using SSO provider 2018-05-12 00:41:27 +02:00
Régis Hanol
abda21a41f Revert "FIX: redirect to sso_destination_url after account activation"
This reverts commit 0402e97368.
2018-05-11 22:55:45 +02:00
Régis Hanol
0402e97368 FIX: redirect to sso_destination_url after account activation 2018-05-11 19:57:04 +02:00
Régis Hanol
2958e17cde remove duplicate code 2018-05-11 12:16:37 +02:00
Misaka 0x4e21
ff6be3c2e3 FEATURE: add profile_background fields into SSO (#5701)
Add profile_background and card_background fields into Discourse SSO.
2018-05-07 10:03:26 +02:00
Sam
5925a581db array is not supported here, use a simple comma delimited list 2018-04-10 14:37:10 +10:00
Guo Xiang Tan
21ae49ab92 Simplify log in for request specs. 2018-03-28 11:32:47 +08:00
Guo Xiang Tan
70be8124a3 SECURITY: Don't expose development route in production. 2018-03-28 11:32:47 +08:00
Guo Xiang Tan
b16471edfb FIX: Invalid token error incorrectly displayed on email login page. 2018-02-21 15:46:53 +08:00
Guo Xiang Tan
14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong
f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Guo Xiang Tan
96e5a7da46 Prefer success_Json over custom success JSON payload. 2018-02-15 07:47:35 +08:00
Erick Guan
03b3e57a44 FEATURE: login by a link from email
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Guo Xiang Tan
f7f743970b Just use space to prettify SSO verbose error logging. 2017-11-30 15:10:00 +08:00
Sam
4b42a0abc9 FIX: add error for suspended users attempting to login via sso 2017-11-14 16:52:00 +11:00
Rafael dos Santos Silva
5d5268a82b Feature: Group handling 2017-10-25 22:49:17 -02:00
Neil Lalonde
1faae3c765 rename forgot_password_strict to hide_email_address_taken 2017-10-03 15:28:31 -04:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Erick Guan
c7a101476e Spec for local auth check 2017-08-16 11:01:00 +02:00
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Guo Xiang Tan
ee449b0dd5 Improve SSO verbose log when user record is invalid. 2017-04-13 11:39:26 +08:00
Sam Saffron
0013a23dc1 SECURITY: prefer render plain/html to render text where possible 2017-04-10 08:01:42 -04:00
Guo Xiang Tan
5943543ec3 FIX: Improve checks for non-human users. 2017-04-06 11:29:34 +08:00
Sam
8e5e3b5af8 FIX: sso provider require return_sso_url 2017-03-22 09:08:38 -04:00
Robin Ward
874e8900af Display email address in SSO error message. 2017-03-21 15:37:46 -04:00
Robin Ward
aeaf5075bf Custom errors for when Email is invalid via SSO 2017-03-21 15:23:38 -04:00
Robin Ward
52d78294cc Render a layout when there's an SSO error 2017-03-21 15:23:38 -04:00
Guo Xiang Tan
9364d8ce71 FIX: Store user's id instead for sending activation email.
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
2017-03-13 20:24:55 +08:00
Guo Xiang Tan
7ebfa3c901 SECURITY: Only allow users to resend activation email with a valid session.
* Improve error when an active user tries to request for an activation email.
2017-03-13 19:35:29 +08:00
Arpit Jalan
cba51e1c38 FEATURE: new site setting for max logins per ip per hour/minute 2017-02-27 16:58:03 +05:30
Sam
dd383300b1 FEATURE: rate limit by login on password reset 2016-12-19 11:03:07 +11:00
Sam
61eb134181 FEATURE: setting to allow arbitrary redirects from sso origin
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
2016-12-16 13:37:44 +11:00
Guo Xiang Tan
559918c6c6 PERF: Add endpoint to check if a group can be mentioned by user. 2016-11-26 02:20:46 +08:00
Sam
e6fcaadd45 FIX: redirects back to origin for SSO and omniauth login 2016-09-16 13:48:50 +10:00
Sam
0b334cdf74 FIX: stop removing query params from destination url in sso 2016-08-16 17:06:52 +10:00
Robin Ward
2f8ab8cd30 SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions 2016-07-28 11:38:12 -04:00
Peter Lejeck
e265b7b090 Log RecordInvalid when verbose_sso_logging enabled 2016-06-29 22:12:25 -07:00
Sam
852860de66 FEATURE: simpler and friendlier unsubscribe workflow
- All unsubscribes go to the exact same page
- You may unsubscribe from watching a category on that page
- You no longer need to be logged in to unsubscribe from a topic
- Simplified footer on emails
2016-06-17 11:28:49 +10:00
Sam
19ca08857f FEATURE: verbose SSO logging
By enabling the site setting verbose_sso_logging
you can log information every time a user tries initiates SSO
and during SSO failures
2016-04-08 11:20:01 +10:00
Sam
a130cb8305 FEATURE: move more urgent emails notifications to critical queue
Move signup, admin login and password change email notifications
to critical queue
2016-04-07 14:39:01 +10:00
Sam
8ec7fd84fd FEATURE: prioritize sidekiq jobs
This commit introduces 3 queues for sidekiq

"critical" for urgent jobs (weighted at 4x weight)
"default" for standard jobs(weighted at 2x weight)
"low" for less important jobs


"critical jobs"

Reset Password emails has been seperated to its own job
Heartbeat which is required to keep sidekiq running
Test email which needs to return real quick


"low priority jobs"

Notify mailing list
Pull hotlinked images
Update gravatar

"default"

All the rest

Note: for people running sidekiq from command line use

bin/sidekiq -q critical,4 -q default,2 -q low
2016-04-07 12:56:43 +10:00
Robin Ward
f0552af5f1 FIX: Don't log validation errors for sso 2016-03-23 14:44:34 -04:00
Régis Hanol
0a84275800 missed a couple of newlines in the logs 2016-02-24 23:35:45 +01:00
Régis Hanol
97c7b894ce better logs when an error happens in SSO 2016-02-24 21:57:01 +01:00
Neil Lalonde
97130463d6 FEATURE: show a new modal when suspended users try to log in 2016-02-19 12:19:20 -05:00
Régis Hanol
7d3be0f8f1 forgot password on a staged account does nothing 2015-11-09 17:37:33 +01:00
Arpit Jalan
c28843e87b FIX: redirect to return_url when working as SSO provider 2015-10-25 11:30:38 +05:30
Dan Singerman
8055d065f2 Refactor ApplicationController#redirect_to_login_if_required to use session for SSO 2015-08-11 16:48:55 +01:00
Dan Singerman
7056db26e6 Respect cookie[:destination_url] in Single Sign On
When the login_required setting is true, the destination URL is dropped. This change means it will be
respected at login time
2015-08-11 16:31:28 +01:00
Sam
fc2a08731a FIX: sso_not_approved_url not working correctly 2015-05-30 13:19:07 +10:00