Commit graph

81 commits

Author SHA1 Message Date
Matt Jankowski
ae676edc2b Expand coverage for User#token_for_app (#32434) 2024-10-16 12:40:58 +02:00
Matt Jankowski
cd7b670cd8
Reduce factory creation in User#reset_password! spec (#32021) 2024-09-23 09:18:04 +00:00
renovate[bot]
6801afa12f
Update dependency devise-two-factor to v6 [SECURITY] (#31957)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: David Roetzel <david@roetzel.de>
2024-09-19 10:56:09 +00:00
Matt Jankowski
5acec087ca
Simplify basic presence validations (#29664) 2024-09-05 15:36:05 +00:00
Matt Jankowski
14af5b47ac
Add coverage for model normalizations (#31734) 2024-09-04 05:12:40 +00:00
Matt Jankowski
02df1b4e4a
Finish email allow/deny list naming migration (#30530) 2024-08-13 07:37:32 +00:00
Matt Jankowski
f1300ad284
Rename jobs/attachments rspec tag names (#29762) 2024-07-08 16:01:08 +00:00
Matt Jankowski
1e7d5d2957
Update devise-two-factor to version 5.0.0 (#28325)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2024-05-02 09:31:41 +00:00
Matt Jankowski
285f63c02e
Use composable query in User.active scope (#29775) 2024-04-08 13:53:49 +00:00
Claire
38b9d31f63
Improve email address validation (#29838) 2024-04-05 07:48:45 +00:00
Matt Jankowski
64f9939e39
Use capture_emails helper to improve email assertions in specs (#29245) 2024-02-19 15:57:47 +00:00
Matt Jankowski
117b507df5
Extract subject from User#mark_email_as_confirmed! spec (#29231) 2024-02-16 13:01:04 +00:00
Emelia Smith
68eaa804c9
Merge pull request from GHSA-7w3c-p9j8-mq3x
* Ensure destruction of OAuth Applications notifies streaming

Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens.

* Ensure password resets revoke access to Streaming API

* Improve performance of deleting OAuth tokens

---------

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2024-02-14 15:15:34 +01:00
Matt Jankowski
6d35a77c92
Combine repeated subjects in models/user spec (#28937) 2024-01-26 16:22:44 +00:00
Claire
98b5f85f10
Rename and refactor User#confirm! to User#mark_email_as_confirmed! (#28735) 2024-01-15 18:04:58 +00:00
Matt Jankowski
543d7890fd
Use normalizes to prepare User values (#28650)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2024-01-10 13:36:06 +00:00
Matt Jankowski
00341c70ff
Use Sidekiq fake! instead of inline! in specs (#25369) 2024-01-10 11:06:58 +00:00
Matt Jankowski
c753b1ad35
Clean up of RSpec/LetSetup within spec/models (#28444) 2023-12-21 09:18:38 +00:00
Claire
6fed0fcbaa
Remove unneeded settings cleanup from specs (#28425) 2023-12-19 15:17:22 +00:00
Eugen Rochko
cdc57c74b7
Fix unsupported time zone or locale preventing sign-up (#28035)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-11-22 11:38:07 +00:00
Matt Jankowski
b06284c572
Fix RSpec/HookArgument cop (#27747) 2023-11-07 09:10:36 +00:00
Matt Jankowski
bcd0171e5e
Fix Lint/UselessAssignment cop (#27472) 2023-10-19 16:55:06 +02:00
Matt Jankowski
a1b27d8b61
Fix Naming/VariableNumber cop (#27447) 2023-10-18 14:26:22 +02:00
Matt Jankowski
6c0e3f490a
Fix RSpec/MissingExampleGroupArgument cop (#25310) 2023-06-06 15:51:42 +02:00
Matt Jankowski
c42591356d
Fix RSpec/DescribedClass cop (#25104) 2023-06-06 13:58:33 +02:00
Matt Jankowski
b896b16cb3
Fix RSpec/PredicateMatcher cop (#25102) 2023-05-23 16:49:11 +02:00
Matt Jankowski
c97b611b6b
Fix RSpec/InferredSpecType cop (#24736) 2023-05-04 05:49:53 +02:00
Matt Jankowski
4cfe52635c
Add pending spec for User.those_who_can (#24724) 2023-04-29 22:03:36 +02:00
Nick Schonning
a3393d0d07
Autofix Rubocop RSpec/MatchArray (#24050) 2023-04-26 20:21:54 +02:00
Eugen Rochko
a9b5598c97
Change user settings to be stored in a more optimal way (#23630)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-03-30 14:44:00 +02:00
Nick Schonning
84cc805cae
Enable Style/FrozenStringLiteralComment for specs (#23790) 2023-02-22 09:55:31 +09:00
Nick Schonning
5116347eb7
Autofix Rubocop RSpec/BeEq (#23740) 2023-02-20 06:14:50 +01:00
Nick Schonning
4552685f6b
Autofix Rubocop RSpec/LeadingSubject (#23670) 2023-02-20 13:24:14 +09:00
Nick Schonning
bd1d57c230
Autofix Rubocop RSpec/EmptyLineAfterSubject (#23719) 2023-02-20 02:46:00 +01:00
Nick Schonning
65ba0d92ef
Enable Rubocop RSpec/NotToNot (#23723) 2023-02-20 02:33:27 +01:00
Nick Schonning
ac3561098e
Autofix Rubocop RSpec/LetBeforeExamples (#23671) 2023-02-19 07:17:59 +09:00
Nick Schonning
c0a645f647
Autofix Rubocop RSpec/ExampleWording (#23667) 2023-02-18 03:26:20 +01:00
Nick Schonning
54318dcd6d
Autofix Rubocop RSpec/ClassCheck (#23685) 2023-02-18 03:24:16 +01:00
Nick Schonning
68b1071f86
Autofix Rubocop RSpec/BeNil (#23653) 2023-02-17 21:45:27 +09:00
Claire
6883fddb19
Fix account activation being triggered before email confirmation (#23245)
* Add tests

* Fix account activation being triggered before email confirmation

Fixes #23098
2023-01-24 19:40:21 +01:00
Eugen Rochko
44b2ee3485
Add customizable user roles (#18641)
* Add customizable user roles

* Various fixes and improvements

* Add migration for old settings and fix tootctl role management
2022-07-05 02:41:40 +02:00
Jeong Arm
2fd2666eea
Add test for user matching ip (#17572) 2022-02-16 13:14:53 +01:00
Claire
e38fc319dc
Refactor and improve tests (#17386)
* Change account and user fabricators to simplify and improve tests

- `Fabricate(:account)` implicitly fabricates an associated `user` if
  no `domain` attribute is given (an account with `domain: nil` is
  considered a local account, but no user record was created), unless
  `user: nil` is passed
- `Fabricate(:account, user: Fabricate(:user))` should still be possible
  but is discouraged.

* Fix and refactor tests

- avoid passing unneeded attributes to `Fabricate(:user)` or
  `Fabricate(:account)`
- avoid embedding `Fabricate(:user)` into a `Fabricate(:account)` or the other
  way around
- prefer `Fabricate(:user, account_attributes: …)` to
  `Fabricate(:user, account: Fabricate(:account, …)`
- also, some tests were using remote accounts with local user records, which is
  not representative of production code.
2022-01-28 00:46:42 +01:00
Eugen Rochko
771c9d4ba8
Add ability to skip sign-in token authentication for specific users (#16427)
Remove "active within last two weeks" exception for sign in token requirement

Change admin reset password to lock access until the password is reset
2021-07-08 05:31:28 +02:00
Claire
cbd0ee1d07
Update Mastodon to Rails 6.1 (#15910)
* Update devise-two-factor to unreleased fork for Rails 6 support

Update tests to match new `rotp` version.

* Update nsa gem to unreleased fork for Rails 6 support

* Update rails to 6.1.3 and rails-i18n to 6.0

* Update to unreleased fork of pluck_each for Ruby 6 support

* Run "rails app:update"

* Add missing ActiveStorage config file

* Use config.ssl_options instead of removed ApplicationController#force_ssl

Disabled force_ssl-related tests as they do not seem to be easily testable
anymore.

* Fix nonce directives by removing Rails 5 specific monkey-patching

* Fix fixture_file_upload deprecation warning

* Fix yield-based test failing with Rails 6

* Use Rails 6's index_with when possible

* Use ActiveRecord::Cache::Store#delete_multi from Rails 6

This will yield better performances when deleting an account

* Disable Rails 6.1's automatic preload link headers

Since Rails 6.1, ActionView adds preload links for javascript files
in the Links header per default.

In our case, that will bloat headers too much and potentially cause
issues with reverse proxies. Furhermore, we don't need those links,
as we already output them as HTML link tags.

* Switch to Rails 6.0 default config

* Switch to Rails 6.1 default config

* Do not include autoload paths in the load path
2021-03-24 10:44:31 +01:00
Claire
051efed5ed
Bypass MX validation for explicitly allowed domains (#15930)
* Bypass MX validation for explicitly allowed domains

This spares some lookups and prevent issues in some edge cases with
local domains.

* Add tests

* Fix test
2021-03-19 23:48:47 +01:00
santiagorodriguez96
e8d41bc2fe
Add WebAuthn as an alternative 2FA method (#14466)
* feat: add possibility of adding WebAuthn security keys to use as 2FA

This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor
to the Settings page for editing the 2FA methods – now it will list the
methods that are available to the user (TOTP and WebAuthn) and from
there they'll be able to add or remove any of them.
Also, it's worth mentioning that for enabling WebAuthn it's required to
have TOTP enabled, so the first time that you go to the 2FA Settings
page, you'll be asked to set it up.
This work was inspired by the one donde by Github in their platform, and
despite it could be approached in different ways, we decided to go with
this one given that we feel that this gives a great UX.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add request for WebAuthn as second factor at login if enabled

This commits adds the feature for using WebAuthn as a second factor for
login when enabled.
If users have WebAuthn enabled, now a page requesting for the use of a
WebAuthn credential for log in will appear, although a link redirecting
to the old page for logging in using a two-factor code will also be
present.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add possibility of deleting WebAuthn Credentials

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: disable WebAuthn when an Admin disables 2FA for a user

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: remove ability to disable TOTP leaving only WebAuthn as 2FA

Following examples form other platforms like Github, we decided to make
Webauthn 2FA secondary to 2FA with TOTP, so that we removed the
possibility of removing TOTP authentication only, leaving users with
just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA'
in order to remove second factor auth.
The reason for WebAuthn being secondary to TOPT is that in that way,
users will still be able to log in using their code from their phone's
application if they don't have their security keys with them – or maybe
even lost them.

* We had to change a little the flow for setting up TOTP, given that now
  it's possible to setting up again if you already had TOTP, in order to
  let users modify their authenticator app – given that now it's not
  possible for them to disable TOTP and set it up again with another
  authenticator app.
  So, basically, now instead of storing the new `otp_secret` in the
  user, we store it in the session until the process of set up is
  finished.
  This was because, as it was before, when users clicked on 'Edit' in
  the new two-factor methods lists page, but then went back without
  finishing the flow, their `otp_secret` had been changed therefore
  invalidating their previous authenticator app, making them unable to
  log in again using TOTP.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* refactor: fix eslint errors

The PR build was failing given that linting returning some errors.
This commit attempts to fix them.

* refactor: normalize i18n translations

The build was failing given that i18n translations files were not
normalized.
This commits fixes that.

* refactor: avoid having the webauthn gem locked to a specific version

* refactor: use symbols for routes without '/'

* refactor: avoid sending webauthn disabled email when 2FA is disabled

When an admins disable 2FA for users, we were sending two mails
to them, one notifying that 2FA was disabled and the other to notify
that WebAuthn was disabled.
As the second one is redundant since the first email includes it, we can
remove it and send just one email to users.

* refactor: avoid creating new env variable for webauthn_origin config

* refactor: improve flash error messages for webauthn pages

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-24 16:46:27 +02:00
Eugen Rochko
71921f6bc3
Fix user disabling changing activity timestamps, fix nil error (#12943) 2020-01-25 05:22:35 +01:00
Eugen Rochko
964ae8eee5
Change unconfirmed user login behaviour (#11375)
Allow access to account settings, 2FA, authorized applications, and
account deletions to unconfirmed and pending users, as well as
users who had their accounts disabled. Suspended users cannot update
their e-mail or password or delete their account.

Display account status on account settings page, for example, when
an account is frozen, limited, unconfirmed or pending review.

After sign up, login users straight away and show a simple page that
tells them the status of their account with links to account settings
and logout, to reduce onboarding friction and allow users to correct
wrongly typed e-mail addresses.

Move the final sign-up step of SSO integrations to be the same
as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
Eugen Rochko
5d2fc6de32
Add REST API for creating an account (#9572)
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
2018-12-24 19:12:38 +01:00