- Add Setup() function for expire to install a hook to set last action
on successful login. If Setup() is not called, expiration starts from
the first request made by the logged in user after the login request
itself.
Users were able to persist one request past expiration because the
session state was not actually hidden for downstream http handlers as it
was in Authboss 1.0 because of the abstraction of ClientState where an
http handler cannot alter the session subsequent handlers.
There's a number of positive reasons for the design as is, but it did
end up creating this bug when this code was ported from v1 to v2.
In order to prevent leaking of session values (and to avoid the mess of
deleting the entire session cookie which could still have values we want
in it) this nuclear method is now called by expire/logout with a
whitelist of keys to keep (passed in from
Config.Storage.SessionWhitelistKeys).
Lock/Confirm and possibly other authentication preemption mechanisms
hook into 'Before(EventAuth)', but the ordering of these rejection
mechanisms mixed with the 2fa acceptance response could result in a
dual response.
- Fix bug where setup paths were not mountpathed so twofactor_verify
would redirect to a 404.
- Fix bug in remember where a user would be remembered even if logged in
depending on the middleware order (if something had previously called
LoadCurrentUser/LoadCurrentUserID it was fine, if not, the user was
half-authed even if he was cleared of half-auth previously).
- Change changelog format to use keepachangelog standard
- Refactor the config to be made of substructs to help organize all the
pieces
- Add the new interfaces to the configuration
- Clean up module loading (no unnecessary reflection to create new value)
- Change User interface to have a Get/SetPID not E-mail/Username, this
way we don't ever have to refer to one or the other, we just always
assume pid. In the case of Confirm/Recover we'll have to make a GetEmail
or there won't be a way for us to get the e-mail to send to.
- Delete the xsrf nonsense in the core
