chinwagsocial/config
Claire 3251b8eead Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:17:05 +01:00
..
environments Add Message-ID header to outgoing emails (#16076) 2021-04-19 18:41:29 +02:00
initializers Fix reviving revoked sessions and invalidating login (#16943) 2021-11-06 00:17:05 +01:00
locales Fix suspicious sign-in mail text being out of date (#16690) 2021-11-05 23:46:24 +01:00
webpack Bump js-yaml from 3.14.1 to 4.0.0 (#15484) 2021-01-05 02:08:59 +09:00
application.rb Fix some Rails frameworks being unnecessarily loaded (#16725) 2021-11-05 23:46:23 +01:00
boot.rb Add clean error message when RAILS_ENV is unset (#15381) 2020-12-20 18:05:03 +01:00
brakeman.ignore Ignore brakeman false positive warning (#16213) 2021-05-11 14:18:33 +02:00
database.yml config: add DB_SSLMODE for managed/remote PG (#10210) 2019-03-08 14:36:28 +01:00
deploy.rb Change references to tootsuite/mastodon to mastodon/mastodon (#16491) 2021-11-05 23:46:24 +01:00
environment.rb Make PreviewCard records reuseable between statuses (#4642) 2017-09-01 16:20:16 +02:00
i18n-tasks.yml Change move handler to carry blocks over (#14144) 2020-07-01 13:51:15 +02:00
navigation.rb Add cold-start follow recommendations (#15945) 2021-04-12 12:37:14 +02:00
pghero.yml Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
puma.rb Add PERSISTENT_TIMEOUT option (#11756) 2019-09-04 20:44:08 +02:00
routes.rb Change trending hashtags to be affected be reblogs (#16164) 2021-05-07 14:33:43 +02:00
secrets.yml Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
settings.yml Change auto-following admin-selected accounts, show in recommendations (#16078) 2021-04-24 17:01:43 +02:00
sidekiq.yml Add cold-start follow recommendations (#15945) 2021-04-12 12:37:14 +02:00
storage.yml Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
themes.yml More polished light theme (#7620) 2018-05-25 18:36:26 +02:00
webpacker.yml Bump webpacker from 3.5.5 to 4.0.2 (#10277) 2019-03-15 15:05:31 +01:00