mirror of https://github.com/volatiletech/authboss.git synced 2024-11-24 08:42:17 +02:00
Commit Graph

454 Commits

Author SHA1 Message Date
frederikhors
e4d1e16935 Variable 'delete' collides with builtin function 2020-01-29 14:59:47 +01:00
Aaron L
4d85b23e8a Fix missing lastaction on login
- Add Setup() function for expire to install a hook to set last action
  on successful login. If Setup() is not called, expiration starts from
  the first request made by the logged in user after the login request
  itself.
2019-03-30 15:56:13 -07:00
Aaron L
834bb1ba43 Fix bug in expire
Users were able to persist one request past expiration because the
session state was not actually hidden for downstream http handlers as it
was in Authboss 1.0 because of the abstraction of ClientState where an
http handler cannot alter the session for subsequent handlers.

There are a number of positive reasons for the design as is, but it did
end up creating this bug when this code was ported from v1 to v2.
2019-03-30 15:32:39 -07:00
Aaron L
81ffd176ac Add VerifyPassword method 2019-03-15 13:43:57 -07:00
Aaron L
12fcb0d914 Fix readme typos 2019-03-06 19:50:25 -08:00
Aaron L
4b00b4dd33 Add validation to recover start 2019-03-06 08:25:30 -08:00
Aaron L
5c92c016e0 Merge branch 'dannashirn/master' into dev 2019-02-06 20:10:50 -08:00
Franco Albornoz
727723f88a Delete duplicate phrase in README.md 2019-01-29 16:27:02 -03:00
Aaron L
a7b9d57691 Move mocks so external packages can use them 2019-01-20 09:45:26 -08:00
Aaron L
4a8ff134bb Update changelog 2019-01-12 11:42:38 -08:00
Aaron L
470b7c0488 Fix bug in remember 2019-01-12 11:30:39 -08:00
Aaron L
6402c5da57 Merge branch 'frederikhors/patch-3' into dev 2019-01-12 10:43:01 -08:00
Aaron L
194ed7d048 Merge branch 'frederikhors/patch-4' into dev 2019-01-12 10:39:59 -08:00
frederikhors
7e3ad2a691 Update client_state.go 2019-01-08 13:47:18 +01:00
frederikhors
b69996a743 Update README.md 2019-01-07 02:04:17 +01:00
Aaron L
ee6a9ab99a Update changelog 2018-12-31 09:54:10 -08:00
Aaron L
ca3933ab81 Merge remote-tracking branch 'offline-gmbh/master' into dev 2018-12-31 09:53:08 -08:00
Tobias Kündig
74d60ddf98 Forward call to Hijack()
This change makes sure that the `http.Hijacker` interface remains implemented
when using the `LoadClientStateMiddleware`.
2018-12-31 17:01:12 +01:00
Aaron L
ca066a55b5 Add DelAllSession method
In order to prevent leaking of session values (and to avoid the mess of
deleting the entire session cookie which could still have values we want
in it) this nuclear method is now called by expire/logout with a
whitelist of keys to keep (passed in from
Config.Storage.SessionWhitelistKeys).
2018-12-17 23:03:55 -08:00
Aaron L
db25c5e30b Merge branch 'dev' 2018-12-16 22:54:11 -08:00
Aaron L
e38d4652d5 Bump version 2018-12-16 22:52:27 -08:00
Aaron L
f70bdd5eeb Add EventAuthHijack to work around ordering issue
Lock/Confirm and possibly other authentication preemption mechanisms
hook into 'Before(EventAuth)', but the ordering of these rejection
mechanisms mixed with the 2fa acceptance response could result in a
dual response.
2018-12-16 22:50:26 -08:00
Aaron L
019073081f Fix same hook-like bug but for failures 2018-12-13 23:10:16 -08:00
Aaron L
0e85072885 Fix bug where After Auth hooks could fail
- User was not being set in the Context for 2fa success paths meaning
  things like lock and remember event handlers would fail.
2018-12-13 23:04:28 -08:00
Aaron L
6f3e7ca54a Add more flexibility to authboss.Middleware
- Add requirements and responses for the authboss middleware. This lets
  us later add new types that don't break the API instead of a list of
  bools.
2018-12-10 23:00:27 -08:00
Aaron L
71f88be037 Fix session persistence security hole in totp/sms
- Reorder the lookups to ensure CurrentUser is always looked up before
  any temporary pending PIDs.
- See changelog for more details
2018-12-10 22:26:47 -08:00
Aaron L
adaf5a9192 Fix session persistence security hole in totp/sms
- Reorder the lookups to ensure CurrentUser is always looked up before
  any temporary pending PIDs.
- See changelog for more details
2018-12-10 22:23:37 -08:00
Aaron L
7518918b47 Fix test regex to accept all base64 characters 2018-12-10 20:13:44 -08:00
Aaron L
003476b6d5 Revert "Make removal of 2fa require e-mail verification"
This reverts commit 5b876d21c3.
2018-12-10 20:12:34 -08:00
Aaron L
d08fd7a196 Merge branch 'jmhodges/patch-2' into dev 2018-12-09 23:56:59 -08:00
Aaron L
aa6187d73b Merge branch 'jmhodges/patch-1' into dev 2018-12-09 23:55:43 -08:00
Aaron L
9254c094cf Remove L from two factor recovery codes
- This is a difficult letter to tell apart from the number 1 depending
  on the font. 0 and o should be okay since all letters are lowercase.
2018-12-09 20:27:59 -08:00
Jeff Hodges
028e8bd137 link to godoc in relevant places in the README.md 2018-12-08 19:55:34 -08:00
Jeff Hodges
ddab48d8da correct defaults package link in README.md 2018-12-08 19:49:22 -08:00
Aaron L
90eb33a4b1 Fix panic in JSON renderer on empty body 2018-12-07 09:32:45 -08:00
Aaron L
5b876d21c3 Make removal of 2fa require e-mail verification
- Fix a bug in a test regex that would fail occasionally
2018-12-04 23:41:45 -08:00
Aaron L
1c254ce6ce Update changelog 2018-11-14 18:31:17 -08:00
Aaron L
4eafb62a8f Merge branch 'rarguelloF/fix-rules-lowercase' into dev 2018-11-14 18:30:27 -08:00
Rodrigo Argüello Flores
63e9512667 Fix default.Rules lowercase condition 2018-11-10 19:36:44 +09:00
Aaron L
87b06f40ed Document 2fa e-mail verification
- Move TOC underneath important info in readme
2018-11-04 23:23:00 -08:00
Aaron L
b5103a916f Update changelog 2018-11-04 23:00:14 -08:00
Aaron L
cf24e257d8 Merge branch 'rarguelloF/fix-login-get' into dev 2018-11-04 22:59:03 -08:00
Aaron L
6c663762e4 Fix a couple of bugs with remember and 2fa
- Fix bug where setup paths were not mountpathed so twofactor_verify
  would redirect to a 404.
- Fix bug in remember where a user would be remembered even if logged in
  depending on the middleware order (if something had previously called
  LoadCurrentUser/LoadCurrentUserID it was fine, if not, the user was
  half-authed even if he was cleared of half-auth previously).
2018-11-04 22:49:43 -08:00
Aaron L
9f965c8531 Fix bug in sms email validation 2018-11-04 21:17:54 -08:00
Aaron L
931ccfba1f Add twofactor setup e-mail validation options 2018-11-01 22:49:25 -07:00
Rodrigo Argüello Flores
af3f34f140 Fix login get endpoint when no FormValueRedirect is given 2018-11-01 14:44:54 +09:00
Aaron L
97b72a4816 Bump version 2018-10-28 23:29:25 -07:00
Aaron L
5a62b6c20c Fix some broken tests 2018-10-28 23:28:04 -07:00
Aaron L
25eda89076 Ensure important events are firing for 2fa modules 2018-10-28 23:17:10 -07:00
Aaron L
3944d57c9d Make the default json renderer write a status 2018-10-28 22:58:00 -07:00