Commit Graph

32 Commits (5119a0608d80c5b7b0bab5feac1a08322f760866)

Author SHA1 Message Date
Eugen Rochko 6be7b414e2 Change unconfirmed user login behaviour (#11375)
Allow access to account settings, 2FA, authorized applications, and
account deletions to unconfirmed and pending users, as well as
users who had their accounts disabled. Suspended users cannot update
their e-mail or password or delete their account.

Display account status on account settings page, for example, when
an account is frozen, limited, unconfirmed or pending review.

After sign up, login users straight away and show a simple page that
tells them the status of their account with links to account settings
and logout, to reduce onboarding friction and allow users to correct
wrongly typed e-mail addresses.

Move the final sign-up step of SSO integrations to be the same
as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
ThibG af3971a0e6 Check that an invite link is valid before bypassing approval mode (#10657)
* Check that an invite link is valid before bypassing approval mode

Fixes #10656

* Add tests

* Only consider valid invite links in registration controller

* fixup
2019-05-02 04:30:12 +02:00
Eugen Rochko 73fb7bfa0f Admission-based registrations mode (#10250)
Fix #6856
Fix #6951
2019-03-14 05:28:30 +01:00
takayamaki 17229858c8 fix: Execute PAM authentication tests on CircleCI (#9029)
and use 'if' option of context block
2018-10-20 17:28:04 +02:00
Eugen Rochko 7e8733a518 Do not test PAM authentication by default (#9027)
* Do not test PAM authentication by default

* Disable PAM tests if PAM is not enabled
2018-10-20 07:32:26 +02:00
aus-social a53bcb6213 Lint pass (#8876) 2018-10-04 12:36:53 +02:00
Eugen Rochko 72a8ca84e0 Add force_login option to OAuth authorize page (#8655)
* Add force_login option to OAuth authorize page

For when a user needs to sign into an app from multiple accounts
on the same server

* When logging out from modal header, redirect back after re-login
2018-09-09 04:10:44 +02:00
Shuhei Kitagawa 2828f36415 Add missing tests for confirmations controller (#7866) 2018-06-21 10:40:23 +09:00
Yamagishi Kazutoshi 3637c4983b Reset locale on registration tests (#7219) 2018-04-21 23:37:07 +02:00
Yamagishi Kazutoshi 7da649efb4 Use raw status code on have_http_status (#7214) 2018-04-21 21:35:07 +02:00
Alexander 8a9da4c414 update gem, test pam authentication (#7028)
* update gem, test pam authentication

* add description for test parameters

* fix inclusion of optional group
2018-04-11 21:40:38 +02:00
Patrick Figel bc5487a1c2 Fix email confirmation link not updating email (#6187)
A change introduced in #6125 prevents
`Devise::Models::Confirmable#confirm` from being called for existing
users, which in turn leads to `email` not being set to
`unconfirmed_email`, breaking email updates. This also adds a test
that would've caught this issue.
2018-01-05 00:15:35 +01:00
Eugen Rochko 6628ea4a82 Default follows for new users (#4871)
When a new user confirms their e-mail, bootstrap their home timeline
by automatically following a set of accounts. By default, all local
admin accounts (that are unlocked). Can be customized by new admin
setting (comma-separated usernames, local and unlocked only)
2017-09-10 09:58:38 +02:00
Eugen Rochko fd69694749 Add "signed in as" header to some pages (#4523) 2017-08-05 04:24:58 +02:00
nullkal 62b92a4c0a Redirect to PasswordController#new when reset_password_token is invalid (#4506) 2017-08-03 17:45:45 +02:00
Akihiko Odaki (@fn_aki@pawoo.net) 4ca14209d1 Cover Auth::RegistrationsController more (#3353) 2017-06-25 21:42:55 +02:00
René Klačan ecdf17a2d7 Make sure email is case insensitive on all places (#3688)
When case insensitivity is enabled via devise's `config.case_insensitive_keys` then `.find_for_authentication` method needs to be used instead of `.find_by` because second mentioned returns `nil` when valid email with different cases is passed.

More info https://github.com/plataformatec/devise/wiki/How-To:-Use-case-insensitive-emails
2017-06-11 02:29:08 +02:00
Akihiko Odaki 587f2d0b1f Spec Auth::ConfirmationsController (#3348) 2017-05-29 18:13:11 +02:00
Akihiko Odaki 503298d89b Spec Auth::PasswordsController (#3352) 2017-05-29 18:10:50 +02:00
Akinori MUSHA 8a5d3b2e5d Go to root after login in single user mode (#3289)
In single user mode, visitors are redirected to the single user's
profile page.  So, if you are the owner without a session, you start
from that page, click the login button and authenticate yourself
expecting you'll soon get started with the home page, but in reality
you'll get redirected back to where you started from -- your own
profile page.

This fixes the behavior by redirecting you home after login if you
have started from your own profile page.
2017-05-26 14:14:03 +02:00
Eugen Rochko b886ecea5c Fix Devise destroy method being available to delete user record (#3266)
(You may think that we need account deletions, but this way would've just orphaned the db records)
2017-05-23 21:32:42 +02:00
Matt Jankowski 129e06f0b3 Auth sign out (#2511)
* Add a spec for signing out

* Add spec showing that suspended user gets a 403 forbidden on sign out

* Allow suspended account users to sign out
2017-05-02 23:37:58 +02:00
Matt Jankowski b17d7a1f85 Catch error when server decryption fails on 2FA (#2512) 2017-04-27 15:18:21 +02:00
alpaca-tc 31d49716c6 Localize with i18n for Devise::FailureApp (#2309)
This PR fixes I18n.locale for rake middlewares. Mastodon uses Devise that depends on Warden.
Warden::Manager can be found in rake middleware. It is outside of the controller.

In the case of authentication failed, warden calls throw(:warden). At the time Warden::Manager
delegates request to failure_app to generate response and flash[:alert] after catching it.
Unfortunately, I18n.locale is already reset then because I18n.with_locale is enabled only
inside the controller. If we used I18n.locale=, Devise::FailureApp could get the current locale.
2017-04-25 15:06:41 +02:00
saturday06 abf70be71e Assign user locale on signup (#1982) 2017-04-17 10:29:08 +02:00
Patrick Figel 15b393201e Add recovery code support for two-factor auth (#1773)
* Add recovery code support for two-factor auth

When users enable two-factor auth, the app now generates ten
single-use recovery codes. Users are encouraged to print the codes
and store them in a safe place.

The two-factor prompt during login now accepts both OTP codes and
recovery codes.

The two-factor settings UI allows users to regenerated lost
recovery codes. Users who have set up two-factor auth prior to
this feature being added can use it to generate recovery codes
for the first time.

Fixes #563 and fixes #987

* Set OTP_SECRET in test enviroment

* add missing .html to view file names
2017-04-15 13:26:03 +02:00
Eugen 47a3702db4 Fix /api/v1/accounts/update_credentials tests (#1357) 2017-04-09 20:23:14 +02:00
Eugen Rochko 800f6cf6a3 Fix #390 - fix redirect after sign-up (to login page instead of homepage) 2017-01-04 15:31:25 +01:00
Eugen Rochko 08ed85b3cf Fix #148 - Devise mailer fixed, test spec added so it won't slip past again 2016-11-17 12:29:11 +01:00
Eugen Rochko 7e14eefc81 Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app
registration API
2016-09-26 23:56:53 +02:00
Eugen Rochko 10ba09f546 Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
Eugen Rochko ff2cbc0753 Remember me enabled by default 2016-03-28 00:06:52 +02:00