chinwagsocial/config/initializers
Claire b6b19419e2 Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged-in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2022-01-28 22:53:15 +01:00
0_post_deployment_migrations.rb Add post-deployment migration system (#8182) 2018-08-13 13:40:01 +02:00
1_hosts.rb Set Content-Security-Policy rules through RoR's config (#8957) 2018-10-11 20:35:46 +02:00
2_whitelist_mode.rb Remove the terms blacklist and whitelist from UX (#14149) 2020-06-27 20:20:11 +02:00
active_model_serializers.rb Fix ActivityPub context not being dynamically computed (#11746) 2019-09-03 22:52:32 +02:00
application_controller_renderer.rb
assets.rb HTML e-mails for UserMailer (#6256) 2018-01-16 03:29:11 +01:00
backtrace_silencers.rb
blacklists.rb Remove the terms blacklist and whitelist from UX (#14149) 2020-06-27 20:20:11 +02:00
cache_buster.rb Add cache buster feature for media files (#15155) 2020-11-19 17:38:06 +01:00
chewy.rb Fix unnecessary queries when batch-removing statuses, 100x faster (#15387) 2020-12-22 17:13:55 +01:00
content_security_policy.rb Fix hashtag column options styling (#14247) 2020-07-07 01:33:38 +02:00
cookies_serializer.rb
cors.rb Use same CORS policy for /@:username and /users/:username (#9485) 2018-12-10 21:39:47 +01:00
delivery_job.rb Skip mailer job retries when a record no longer exists (#9590) 2018-12-21 06:16:17 +01:00
devise.rb Fix reviving revoked sessions and invalidating login (#16943) 2022-01-28 22:53:15 +01:00
doorkeeper.rb Fix app name, website and redirect URIs not having a maximum length (#16042) 2022-01-28 22:39:48 +01:00
fast_blank.rb
ffmpeg.rb add ffmpeg initializer (#8855) 2018-10-09 03:02:52 +02:00
filter_parameter_logging.rb
health_check.rb Hide error message on /heath (#11947) 2019-09-24 20:28:25 +02:00
http_client_proxy.rb Refactor monkey-patching of Goldfinger (#12561) 2020-05-10 11:41:43 +02:00
httplog.rb
inflections.rb Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
json_ld.rb Fix preloaded JSON-LD context for identity not being used (#12138) 2019-10-10 06:48:53 +02:00
kaminari_config.rb Add ability to filter audit log in admin UI (#13381) 2020-04-03 13:06:34 +02:00
makara.rb Fix cookies not having a SameSite attribute (#15098) 2020-11-06 11:57:14 +01:00
mime_types.rb
oj.rb
omniauth.rb Support clock drift in Omniauth SAML provider (#15511) 2022-01-28 22:39:48 +01:00
open_uri_redirection.rb rubocop issues - Cleaning up (#8912) 2018-10-08 04:50:11 +02:00
pagination.rb
paperclip.rb Add stoplight for object storage failures, return HTTP 503 (#13043) 2020-12-15 12:55:29 +01:00
premailer_rails.rb HTML e-mails for UserMailer (#6256) 2018-01-16 03:29:11 +01:00
rack_attack.rb Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
rack_attack_logging.rb Change rate limits for various paths (#14253) 2020-07-07 15:26:39 +02:00
redis.rb Change Redis#exists calls to Redis#exists? to avoid deprecation warning (#14191) 2020-07-01 19:05:21 +02:00
session_activations.rb
session_store.rb Fix cookies not having a SameSite attribute (#15098) 2020-11-06 11:57:14 +01:00
sidekiq.rb Fix background jobs not using locks like they are supposed to (#13361) 2020-03-31 21:59:03 +02:00
simple_form.rb Add announcements (#12662) 2020-01-23 22:00:13 +01:00
single_user_mode.rb
statsd.rb Remove unused StatsD code and expose StatsD as a global variable (#11232) 2019-07-02 11:34:39 +02:00
stoplight.rb Fix stoplight logging to stderr separate from Rails logger (#10624) 2019-04-23 04:39:48 +02:00
strong_migrations.rb
suppress_csrf_warnings.rb
trusted_proxies.rb
twitter_regex.rb Add support for Gemini urls (#15013) 2020-10-19 17:02:13 +02:00
vapid.rb Lint pass (#8876) 2018-10-04 12:36:53 +02:00
webauthn.rb Add WebAuthn as an alternative 2FA method (#14466) 2020-08-24 16:46:27 +02:00
wrap_parameters.rb