frederikhors
9c764f69fe
Redundant type conversion
2020-01-29 14:04:44 +01:00
Aaron L
4d85b23e8a
Fix missing lastaction on login
...
- Add Setup() function for expire to install a hook to set last action
on successful login. If Setup() is not called, expiration starts from
the first request made by the logged in user after the login request
itself.
2019-03-30 15:56:13 -07:00
Aaron L
834bb1ba43
Fix bug in expire
...
Users were able to persist one request past expiration because the
session state was not actually hidden for downstream http handlers as it
was in Authboss 1.0 because of the abstraction of ClientState where an
http handler cannot alter the session subsequent handlers.
There's a number of positive reasons for the design as is, but it did
end up creating this bug when this code was ported from v1 to v2.
2019-03-30 15:32:39 -07:00
Aaron L
81ffd176ac
Add VerifyPassword method
2019-03-15 13:43:57 -07:00
Aaron L
12fcb0d914
Fix readme typos
2019-03-06 19:50:25 -08:00
Aaron L
4b00b4dd33
Add validation to recover start
2019-03-06 08:25:30 -08:00
Aaron L
5c92c016e0
Merge branch 'dannashirn/master' into dev
2019-02-06 20:10:50 -08:00
Franco Albornoz
727723f88a
Delete duplicate phrase in README.md
2019-01-29 16:27:02 -03:00
Aaron L
a7b9d57691
Move mocks so external packages can use them
2019-01-20 09:45:26 -08:00
Aaron L
4a8ff134bb
Update changelog
2019-01-12 11:42:38 -08:00
Aaron L
470b7c0488
Fix bug in remember
2019-01-12 11:30:39 -08:00
Aaron L
6402c5da57
Merge branch 'frederikhors/patch-3' into dev
2019-01-12 10:43:01 -08:00
Aaron L
194ed7d048
Merge branch 'frederikhors/patch-4' into dev
2019-01-12 10:39:59 -08:00
frederikhors
7e3ad2a691
Update client_state.go
2019-01-08 13:47:18 +01:00
frederikhors
b69996a743
Update README.md
2019-01-07 02:04:17 +01:00
Aaron L
ee6a9ab99a
Update changelog
2018-12-31 09:54:10 -08:00
Aaron L
ca3933ab81
Merge remote-tracking branch 'offline-gmbh/master' into dev
2018-12-31 09:53:08 -08:00
Tobias Kündig
74d60ddf98
Forward call to Hijack()
...
This change makes sure that the `http.Hijacker` interface remains implemented
when using the `LoadClientStateMiddleware`.
2018-12-31 17:01:12 +01:00
Aaron L
ca066a55b5
Add DelAllSession method
...
In order to prevent leaking of session values (and to avoid the mess of
deleting the entire session cookie which could still have values we want
in it) this nuclear method is now called by expire/logout with a
whitelist of keys to keep (passed in from
Config.Storage.SessionWhitelistKeys).
2018-12-17 23:03:55 -08:00
Aaron L
db25c5e30b
Merge branch 'dev'
2018-12-16 22:54:11 -08:00
Aaron L
e38d4652d5
Bump version
2018-12-16 22:52:27 -08:00
Aaron L
f70bdd5eeb
Add EventAuthHijack to work around ordering issue
...
Lock/Confirm and possibly other authentication preemption mechanisms
hook into 'Before(EventAuth)', but the ordering of these rejection
mechanisms mixed with the 2fa acceptance response could result in a
dual response.
2018-12-16 22:50:26 -08:00
Aaron L
019073081f
Fix same hook like bug but for failures
2018-12-13 23:10:16 -08:00
Aaron L
0e85072885
Fix bug where After Auth hooks could fail
...
- User was not being set in the Context for 2fa success paths meaning
things like lock and remember event handlers would fail.
2018-12-13 23:04:28 -08:00
Aaron L
6f3e7ca54a
Add more flexibility to authboss.Middleware
...
- Add requirements and responses for the authboss middleware. This lets
us later add new types that don't break the API instead of a list of
bools.
2018-12-10 23:00:27 -08:00
Aaron L
71f88be037
Fix session persistence security hole in totp/sms
...
- Reorder the lookups to ensure CurrentUser is always looked up before
any temporary pending PIDs.
- See changelog for more details
2018-12-10 22:26:47 -08:00
Aaron L
adaf5a9192
Fix session persistence security hole in totp/sms
...
- Reorder the lookups to ensure CurrentUser is always looked up before
any temporary pending PIDs.
- See changelog for more details
2018-12-10 22:23:37 -08:00
Aaron L
7518918b47
Fix test regex to accept all base64 characters
2018-12-10 20:13:44 -08:00
Aaron L
003476b6d5
Revert "Make removal of 2fa require e-mail verification"
...
This reverts commit 5b876d21c3
.
2018-12-10 20:12:34 -08:00
Aaron L
d08fd7a196
Merge branch 'jmhodges/patch-2' into dev
2018-12-09 23:56:59 -08:00
Aaron L
aa6187d73b
Merge branch 'jmhodges/patch-1' into dev
2018-12-09 23:55:43 -08:00
Aaron L
9254c094cf
Remove L from two factor recovery codes
...
- This is a difficult letter to tell apart from the number 1 depending
on the font. 0 and o should be okay since all letters are lowercase.
2018-12-09 20:27:59 -08:00
Jeff Hodges
028e8bd137
link to godoc in relevant places in the README.md
2018-12-08 19:55:34 -08:00
Jeff Hodges
ddab48d8da
correct defaults package link in README.md
2018-12-08 19:49:22 -08:00
Aaron L
90eb33a4b1
Fix panic in JSON renderer on empty body
2018-12-07 09:32:45 -08:00
Aaron L
5b876d21c3
Make removal of 2fa require e-mail verification
...
- Fix a bug in a test regex that would fail occaisonally
2018-12-04 23:41:45 -08:00
Aaron L
1c254ce6ce
Update changelog
2018-11-14 18:31:17 -08:00
Aaron L
4eafb62a8f
Merge branch 'rarguelloF/fix-rules-lowercase' into dev
2018-11-14 18:30:27 -08:00
Rodrigo Argüello Flores
63e9512667
Fix default.Rules lowercase condition
2018-11-10 19:36:44 +09:00
Aaron L
87b06f40ed
Document 2fa e-mail verification
...
- Move TOC underneath important info in readme
2018-11-04 23:23:00 -08:00
Aaron L
b5103a916f
Update changelog
2018-11-04 23:00:14 -08:00
Aaron L
cf24e257d8
Merge branch 'rarguelloF/fix-login-get' into dev
2018-11-04 22:59:03 -08:00
Aaron L
6c663762e4
Fix couple bugs with remember and 2fa
...
- Fix bug where setup paths were not mountpathed so twofactor_verify
would redirect to a 404.
- Fix bug in remember where a user would be remembered even if logged in
depending on the middleware order (if something had previously called
LoadCurrentUser/LoadCurrentUserID it was fine, if not, the user was
half-authed even if he was cleared of half-auth previously).
2018-11-04 22:49:43 -08:00
Aaron L
9f965c8531
Fix bug in sms email validation
2018-11-04 21:17:54 -08:00
Aaron L
931ccfba1f
Add twofactor setup e-mail validation options
2018-11-01 22:49:25 -07:00
Rodrigo Argüello Flores
af3f34f140
Fix login get endpoint when no FormValueRedirect is given
2018-11-01 14:44:54 +09:00
Aaron L
97b72a4816
Bump version
2018-10-28 23:29:25 -07:00
Aaron L
5a62b6c20c
Fix some broken tests
2018-10-28 23:28:04 -07:00
Aaron L
25eda89076
Ensure important events are firing for 2fa modules
2018-10-28 23:17:10 -07:00
Aaron L
3944d57c9d
Make the default json renderer write a status
2018-10-28 22:58:00 -07:00