closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7824 Commits
4 Branches
567 MiB
Tree: c707ef49d9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c707ef49d9'
${ noResults }
mastodon/app/controllers/auth/sessions_controller.rb

125 lines
2.8 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Customizing devise views and controllers
8 years ago
Remember me enabled by default
8 years ago
Customizing devise views and controllers
8 years ago
Remember me enabled by default
8 years ago
Split 2FA login into two prompts
7 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
sign_in and sign_up views present og meta infos (#5308)
6 years ago
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
5 years ago
Added optional two-factor authentication
7 years ago
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540)
6 years ago
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670
6 years ago
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540)
6 years ago
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670
6 years ago
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540)
6 years ago
Remember me enabled by default
8 years ago
Fix 2FA challenge and password challenge for non-database users (#11831) * Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
4 years ago
Remember me enabled by default
8 years ago
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API
7 years ago
Split 2FA login into two prompts
7 years ago
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
5 years ago
Split 2FA login into two prompts
7 years ago
Fix empty flash message on the settings page (#3345)
7 years ago
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
5 years ago
Split 2FA login into two prompts
7 years ago
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API
7 years ago
Split 2FA login into two prompts
7 years ago
Added optional two-factor authentication
7 years ago
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
7 years ago
Adding e-mail confirmations
7 years ago
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
7 years ago
Adding e-mail confirmations
7 years ago
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API
7 years ago
Split 2FA login into two prompts
7 years ago
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670
6 years ago
Split 2FA login into two prompts
7 years ago
Add recovery code support for two-factor auth (#1773) * Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names
7 years ago
Fix 2FA challenge and password challenge for non-database users (#11831) * Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
4 years ago
Catch error when server decryption fails on 2FA (#2512)
7 years ago
Split 2FA login into two prompts
7 years ago
Fix 2FA challenge and password challenge for non-database users (#11831) * Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
4 years ago
Split 2FA login into two prompts
7 years ago
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
7 years ago
Fix 2FA challenge and password challenge for non-database users (#11831) * Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
4 years ago
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
7 years ago
sign_in and sign_up views present og meta infos (#5308)
6 years ago
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
5 years ago
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
7 years ago
Fix 2FA challenge and password challenge for non-database users (#11831) * Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
4 years ago
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
7 years ago
Fix 2FA challenge and password challenge for non-database users (#11831) * Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
4 years ago
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page.
7 years ago
feat(auth/session_controller): Send Clear-Site-Data when logging out (#8627) Will clear the browser's cache, cookies and storage. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data https://w3c.github.io/webappsec-clear-site-data/
5 years ago
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
5 years ago
Customizing devise views and controllers
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Auth::SessionsController < Devise::SessionsController
  4.   include Devise::Controllers::Rememberable
  5. 

  6.   layout 'auth'
  7. 

  8.   skip_before_action :require_no_authentication, only: [:create]
  9.   skip_before_action :require_functional!
  10. 

  11.   before_action :set_instance_presenter, only: [:new]
  12.   before_action :set_body_classes
  13. 

  14.   def new
  15.     Devise.omniauth_configs.each do |provider, config|
  16.       return redirect_to(omniauth_authorize_path(resource_name, provider)) if config.strategy.redirect_at_sign_in
  17.     end
  18. 

  19.     super
  20.   end
  21. 

  22.   def create
  23.     self.resource = begin
  24.       if user_params[:email].blank? && session[:otp_user_id].present?
  25.         User.find(session[:otp_user_id])
  26.       else
  27.         warden.authenticate!(auth_options)
  28.       end
  29.     end
  30. 

  31.     if resource.otp_required_for_login?
  32.       if user_params[:otp_attempt].present? && session[:otp_user_id].present?
  33.         authenticate_with_two_factor_via_otp(resource)
  34.       else
  35.         prompt_for_two_factor(resource)
  36.       end
  37.     else
  38.       authenticate_and_respond(resource)
  39.     end
  40.   end
  41. 

  42.   def destroy
  43.     tmp_stored_location = stored_location_for(:user)
  44.     super
  45.     flash.delete(:notice)
  46.     store_location_for(:user, tmp_stored_location) if continue_after?
  47.   end
  48. 

  49.   protected
  50. 

  51.   def user_params
  52.     params.require(:user).permit(:email, :password, :otp_attempt)
  53.   end
  54. 

  55.   def after_sign_in_path_for(resource)
  56.     last_url = stored_location_for(:user)
  57. 

  58.     if home_paths(resource).include?(last_url)
  59.       root_path
  60.     else
  61.       last_url || root_path
  62.     end
  63.   end
  64. 

  65.   def after_sign_out_path_for(_resource_or_scope)
  66.     Devise.omniauth_configs.each_value do |config|
  67.       return root_path if config.strategy.redirect_at_sign_in
  68.     end
  69. 

  70.     super
  71.   end
  72. 

  73.   def valid_otp_attempt?(user)
  74.     user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
  75.       user.invalidate_otp_backup_code!(user_params[:otp_attempt])
  76.   rescue OpenSSL::Cipher::CipherError
  77.     false
  78.   end
  79. 

  80.   def authenticate_with_two_factor_via_otp(user)
  81.     if valid_otp_attempt?(user)
  82.       session.delete(:otp_user_id)
  83.       authenticate_and_respond(user)
  84.     else
  85.       flash.now[:alert] = I18n.t('users.invalid_otp_token')
  86.       prompt_for_two_factor(user)
  87.     end
  88.   end
  89. 

  90.   def prompt_for_two_factor(user)
  91.     session[:otp_user_id] = user.id
  92.     render :two_factor
  93.   end
  94. 

  95.   def authenticate_and_respond(user)
  96.     sign_in(user)
  97.     remember_me(user)
  98. 

  99.     respond_with user, location: after_sign_in_path_for(user)
  100.   end
  101. 

  102.   private
  103. 

  104.   def set_instance_presenter
  105.     @instance_presenter = InstancePresenter.new
  106.   end
  107. 

  108.   def set_body_classes
  109.     @body_classes = 'lighter'
  110.   end
  111. 

  112.   def home_paths(resource)
  113.     paths = [about_path]
  114. 

  115.     if single_user_mode? && resource.is_a?(User)
  116.       paths << short_account_path(username: resource.account)
  117.     end
  118. 

  119.     paths
  120.   end
  121. 

  122.   def continue_after?
  123.     truthy_param?(:continue)
  124.   end
  125. end