mastodon

mirror of https://github.com/lunaisnotaboy/mastodon.git synced 2024-11-05 14:36:04 +00:00

History

Claire 6da135a493 Fix reviving revoked sessions and invalidating login (#16943 ) Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from all logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for all browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.		2021-11-06 00:13:58 +01:00
..
0_post_deployment_migrations.rb
1_hosts.rb	Fix host check on healthcheck path not being disabled (#16270 )	2021-05-17 22:36:08 +02:00
2_whitelist_mode.rb
active_model_serializers.rb
application_controller_renderer.rb	Update Mastodon to Rails 6.1 (#15910 )	2021-03-24 10:44:31 +01:00
assets.rb
backtrace_silencers.rb	Update Mastodon to Rails 6.1 (#15910 )	2021-03-24 10:44:31 +01:00
blacklists.rb
cache_buster.rb
chewy.rb	Support authentication for ElasticSearch (#16890 )	2021-10-24 17:20:03 +02:00
content_security_policy.rb	Fix autoloading deprecation warnings from Rails 6 (#16010 )	2021-04-09 02:31:20 +02:00
cookies_serializer.rb
cors.rb
devise.rb	Fix reviving revoked sessions and invalidating login (#16943 )	2021-11-06 00:13:58 +01:00
doorkeeper.rb	Fix app name, website and redirect URIs not having a maximum length (#16042 )	2021-04-15 16:28:43 +02:00
fast_blank.rb	Fixed code quality issues (#15541 )	2021-01-31 21:26:09 +01:00
ffmpeg.rb
filter_parameter_logging.rb
http_client_proxy.rb
httplog.rb
inflections.rb	Prepare Mastodon for zeitwerk autoloader (#15917 )	2021-03-19 02:42:43 +01:00
json_ld.rb
kaminari_config.rb
mail_delivery_job.rb	Fix mailer jobs for deleted notifications erroring out (#16294 )	2021-05-24 03:02:46 +02:00
makara.rb	Drop dependency on secure_headers, fix response headers (#15712 )	2021-02-11 23:47:05 +01:00
mime_types.rb
oj.rb
omniauth.rb	New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655 )	2021-08-25 18:41:24 +02:00
open_uri_redirection.rb	Optimize some regex matching (#15528 )	2021-01-22 10:09:08 +01:00
paperclip.rb	Fix autoloading deprecation warnings from Rails 6 (#16010 )	2021-04-09 02:31:20 +02:00
permissions_policy.rb	Update Mastodon to Rails 6.1 (#15910 )	2021-03-24 10:44:31 +01:00
preload_link_headers.rb	Update Mastodon to Rails 6.1 (#15910 )	2021-03-24 10:44:31 +01:00
premailer_rails.rb
rack_attack.rb	Add `POST /api/v1/emails/confirmations` to REST API (#15816 )	2021-03-01 18:39:47 +01:00
rack_attack_logging.rb
redis.rb
session_activations.rb
session_store.rb	Add Ruby 3.0 support (#16046 )	2021-05-06 14:22:54 +02:00
sidekiq.rb	Add a Redis environment variable for sidekiq (#16188 )	2021-05-09 10:40:17 +02:00
simple_form.rb	Fixed code quality issues (#15541 )	2021-01-31 21:26:09 +01:00
single_user_mode.rb
statsd.rb
stoplight.rb
strong_migrations.rb
suppress_csrf_warnings.rb	Fix autoloading deprecation warnings from Rails 6 (#16010 )	2021-04-09 02:31:20 +02:00
trusted_proxies.rb
twitter_regex.rb	Minor memory optimizations (#16507 )	2021-10-14 21:04:57 +02:00
vapid.rb
webauthn.rb
wrap_parameters.rb