github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-29 01:31:35 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
28,108 Commits 294 Branches 514 Tags
725859ba43d69a4e6ded33df947d79f77f09a081
Commit Graph

63 Commits

Author SHA1 Message Date
Guo Xiang Tan
7fc8a36529 DEV: Take 2 Queue jobs in tests by default. 
On my machine this cuts the time taken to run our test suite
from ~11mins to ~9mins.
 2018-05-31 16:23:23 +08:00
Guo Xiang Tan
56e9ff6853 Revert "DEV: Queue jobs in tests by default." 
Too risky for now

This reverts commit be28154d3b9289a249d413d462705cd075375888.
 2018-05-31 15:34:46 +08:00
Guo Xiang Tan
be28154d3b DEV: Queue jobs in tests by default. 2018-05-31 14:45:47 +08:00
Guo Xiang Tan
543b7cddfb FIX: Extra comma resulted in Github auth email result being an array. 
https://meta.discourse.org/t/github-2fa-flow-broken/88674
 2018-05-30 12:15:12 +08:00
Sam
d366f8d888 remove hack that destabliazed tese suite 2018-05-24 10:48:16 +10:00
OsamaSayegh
f6d412465b FIX: apply automatic group rules when using social login providers 2018-05-23 02:26:07 +03:00
Régis Hanol
2cf6fb7359 FIX: always unstage users when they log in 2018-05-13 17:00:02 +02:00
Sam
3a06cb461e FEATURE: remove support for legacy auth tokens 2018-05-04 10:12:10 +10:00
Vinoth Kannan
c5d26992d4 Prefer to use primary email for new user creation over other available emails 2018-03-19 17:10:35 +05:30
Sam
215c0d5569 FEATURE: allow system api to target users via external id or user id 
usage ?api_key=XYZ&api_user_external_id=ABC
usage ?api_key=XYZ&api_user_id=123
 2018-01-12 17:40:18 +11:00
Vinoth Kannan
988b13ac77 FIX: GitHub auth always asking to verify email for new users (#5487) 2018-01-12 15:17:29 +11:00
Sam
81b3a4a3da improve spec 2017-12-15 11:42:51 +11:00
Sam
67aecff59c FEATURE: store twitter supplied email for auditing 2017-12-14 15:54:32 +11:00
Guo Xiang Tan
6ade508f39 FIX: Prevent 'rack.input' missing error. 2017-12-12 16:40:35 +08:00
Sam
68d3c2c74f FEATURE: add global rate limiter for admin api 60 per minute 
Also move configuration of admin and user api rate limiting into global
settings. This is not intended to be configurable per site
 2017-12-11 11:07:22 +11:00
Sam
dd70ef3abf Revert "Revert "PERF: improve speed of rate limiter"" 
This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb.
 2017-12-04 21:23:11 +11:00
Sam
2373d85239 Revert "PERF: improve speed of rate limiter" 
This reverts commit a9bcdd7f279827e86ec474bcf4c9ed96bc1c0060.
 2017-12-04 21:19:28 +11:00
Sam
a9bcdd7f27 PERF: improve speed of rate limiter 
Also

- adds a global rate limiter option
- cleans up usage in tests
- fixes freeze_time so it handles clock_gettime
 2017-12-04 18:17:30 +11:00
Arpit Jalan
804b4f32f8 better error message when API authentication fails 2017-10-20 20:05:34 +05:30
Neil Lalonde
2db66072d7 SECURITY: signup without verified email using Google auth 2017-10-16 13:51:41 -04:00
Guo Xiang Tan
d0f5a3d7a4 Sidekiq::Testing.fake! is the default mode. 2017-08-24 09:40:19 +09:00
Kyle Zhao
5868508e98 GH#retrieve_avatar: simplify conditional and restructured testing 2017-08-22 23:46:50 -04:00
Kyle Zhao
49f0119c12 FEATURE: import Github profile picture 2017-08-22 20:23:47 -04:00
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Blake Erickson
fcfc895167 FIX: new sign-ups via google are added to groups 
This fix ensures that users that are signing up via google oauth are
automatically added to any groups.

A similar fix will probably need to be added to other oauth providers.
 2017-07-07 14:08:58 -06:00
Neil Lalonde
8fd915a11a Revert "FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out" 2017-06-21 16:18:24 -04:00
Neil Lalonde
1716747810 FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out 2017-06-20 13:30:36 -04:00
Sam
99f4d5082b FIX: Improve token rotation and increase logging 
- avoid access denied on bad cookie, instead just nuke it
- avoid marking a token unseen for first minute post rotation
- log path in user auth token logs
 2017-03-07 13:27:43 -05:00
Guo Xiang Tan
76dd6933d2 Revert "Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email.""" 
This reverts commit e6d75f68449ba5cc57e0abcbaa8cc1d505dd4916.

This is why we should not be pushing directly to master.
 2017-03-01 10:16:59 +08:00
Sam
122fb8025d FIX: last seen date erroneously updated when browser in background 
In some cases user may be "last seen" even though browser tab is in
the background or computer is locked
 2017-02-28 12:35:10 -05:00
Guo Xiang Tan
e6d75f6844 Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."" 
This reverts commit 0e3def7d2b78053bb84cc432afc65228e66143aa.
 2017-02-28 11:27:14 +08:00
Robin Ward
0e3def7d2b Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email." 
This reverts commit 1060239e2df6ab400f3d988dae3447d099ae8942.
 2017-02-27 13:19:26 -05:00
Guo Xiang Tan
1060239e2d SECURITY: Ensure oAuth authenticated email is the same as created user's email. 2017-02-24 13:13:10 +08:00
Guo Xiang Tan
0847b4258a Revert "SECURITY: Ensure that user has been authenticated." 
This reverts commit fbe51d68a7e4c89183415e24e8163dd3f70085df.

Changing the commit message to correctly reflect what we're actually
fixing.
 2017-02-24 13:12:29 +08:00
Guo Xiang Tan
fbe51d68a7 SECURITY: Ensure that user has been authenticated. 2017-02-24 10:47:48 +08:00
Sam
ea1007e954 FEATURE: add support for same site cookies 
Defaults to Lax, can be disabled or set to Strict.

Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
 2017-02-23 12:01:28 -05:00
Sam Saffron
b7d2edc7dc FIX: allow some auth token misses prior to clearing cookie 
It appears that in some cases ios queues up requests up front
and "releases" them when tab gets focus, this allows for a certain
number of cookie misses for this case. Otherwise you get logged off.
 2017-02-22 12:37:11 -05:00
Sam
7a85469c4c SECURITY: inactive/suspended accounts should be banned from api 
Also fixes edge cases around users presenting multiple credentials
 2017-02-17 11:03:09 -05:00
Sam
ff49f72ad9 FEATURE: per client user tokens 
Revamped system for managing authentication tokens.

- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes

New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.

Also introduces weekly job to expire old auth tokens.
 2017-02-07 09:22:16 -05:00
Sam
6ff309aa80 SECURITY: don't grant same privileges to user_api and api access 
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
 2016-12-16 12:05:43 +11:00
Sam
2ddabc3928 FIX: protect against future regressions of google omniauth 2016-11-07 12:48:00 +11:00
Sam
f4f5524190 FEATURE: user API now contains scopes so permission is granular 
previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.
 2016-10-14 16:05:42 +11:00
Jared Reisinger
2ae7c47a3c Add support for email whitelist/blacklist to GitHub auth 
If a site is configured for GitHub logins, _**and**_ has an email domain
whitelist, it's possible to get in a state where a new user is locked to
a non-whitelist email (their GitHub primary) even though they have an
alternate email that's on the whitelist.  In all cases, the GitHub
primary email is attempted first so that previously existing behavior
will be the default.

- Add whitelist/blacklist support to GithubAuthenticator (via
  EmailValidator)

- Add multiple email support GithubAuthenticator

- Add test specs for GithubAuthenticator

- Add authenticator-agnostic "none of your email addresses are allowed"
  error message.
 2016-09-22 11:31:10 -07:00
Sam
8dc4329094 FEATURE: optionally get extra profile info from facebook 
This feature requires the application be approved by facebook, so it is
default off
 2016-09-19 16:14:11 +10:00
Sam
3ea68f8f6c tweak headers so they can be consumed 2016-08-18 14:38:33 +10:00
Sam
fc095acaaa Feature: User API key support (server side implementation) 
- Supports throttled read and write
- No support for push yet, but data is captured about intent
 2016-08-15 17:59:36 +10:00
Sam
5cc8bb535b SECURITY: do cookie auth rate limiting earlier 2016-08-09 10:02:18 +10:00
Sam
16a383ea1e SECURITY: limit bad cookie auth attempts 
- Also cleans up the _t cookie if it is invalid
 2016-07-28 12:58:49 +10:00
Sam
b5fbff947b FIX: don't expire old sessions when logging in 2016-07-26 11:37:41 +10:00
Sam
df535c6346 FEATURE: refresh session cookie at most once an hour 
This feature ensures session cookie lifespan is extended
when user is online.

Also decreases session timeout from 90 to 60 days.
Ensures all users (including logged on ones) get expiring sessions.
 2016-07-25 12:07:31 +10:00