Commit graph

16 commits

Author SHA1 Message Date
gfyoung
73322a0e55 Enable frozen string in app/controllers/**/*.rb
Enables frozen string for the following:

* app/controllers/*.rb
* app/controllers/admin/**/*.rb
* app/controllers/boards/**/*.rb
* app/controllers/ci/**/*.rb
* app/controllers/concerns/**/*.rb

Partially addresses #47424.
2018-09-18 21:22:45 -07:00
Yorick Peterse
2039c8280d
Disable existing offenses for the CodeReuse cops
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
2018-09-11 17:32:00 +02:00
Grzegorz Bizon
68547bc0e0 Track blocked users and two factor authentications 2018-07-23 15:13:11 +02:00
James Edwards-Jones
f10c999bca Refactor OmniauthCallbacksController to remove duplication
Moves LDAP to its own controller with tests
Provides path forward for implementing GroupSaml
2018-04-22 23:50:55 +01:00
blackst0ne
ec144bddb9 [Rails5] Add raise: false to skip_before_action in authenticates_with_two_factor.rb
Rails 5.0 raises `ArgumentError` if an unrecognised callback is skipped.
8b88df94eb
This commit adds `raise: false` to the filter.
2018-04-06 22:37:59 +11:00
Douwe Maan
6deed66eda
Merge branch 'sh-fix-otp-backup-invalidation-10-5' into 'security-10-5'
Ensure that OTP backup codes are always invalidated - 10.5 port

See merge request gitlab/gitlabhq!2324
2018-03-07 13:36:43 +01:00
Brian Neel
66d9d258ad Standardize capitalization and status 2017-09-27 23:54:52 -04:00
Brian Neel
8fa87ea3fb # This is a combination of 1 commit.
# This is the 1st commit message:
Add logging for all web authentication events

# This is the commit message #2:

Re-add underscore to after_inactive_sign_up_path_for

# This is the commit message #3:

Standardize on username=

# This is the commit message #4:

after_filter -> after_action, _resource -> resource

# This is the commit message #5:

Add two-factor login failures and account lockouts

# This is the commit message #6:

Move logging from two-factor concern to user model

# This is the commit message #7:

Add spaces around default parameter assignments

# This is the commit message #8:

Move logs out of user model

# This is the commit message #9:

Replace filtered_params with user_params

# This is the commit message #10:

Standardize case

# This is the commit message #1:

Fixes for username and AppLogger.info
2017-09-27 21:52:12 -04:00
Douwe Maan
8bfae74e9c Delete correct key from session after authenticating using U2F 2017-08-11 10:54:03 +00:00
http://jneen.net/
0ea04cc5bf use the policy stack to protect logins 2017-03-09 11:49:52 -08:00
Sean McGivern
194fbc3c3d Restrict failed login attempts for users with 2FA
Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
our custom login flow with two pages doesn't call this method. This will
increment the failed login counter, and lock the user's account once
they exceed the number of failed attempts.

Also ensure that users who are locked can't continue to submit 2FA
codes.
2016-10-04 15:01:38 +01:00
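The lockout rule this commit describes, as an added example that is neither GitLab's nor Devise's code: a two-page login flow never passes its OTP form through Devise's password path, so the OTP step has to count failed attempts itself, lock the account once the maximum is exceeded, and refuse further code submissions while locked. The method shape mirrors `Devise::Models::Lockable#valid_for_authentication?`; `MAXIMUM_ATTEMPTS`, `UNLOCK_IN`, the injected clock and the in-memory `User` are assumptions made for the example.

```ruby
# Added example, not GitLab's or Devise's code. Models the per-user lockout
# counter that the OTP page of a two-step login has to maintain on its own.
# MAXIMUM_ATTEMPTS, UNLOCK_IN and the in-memory User are assumptions.
class User
  MAXIMUM_ATTEMPTS = 3        # assumed policy value
  UNLOCK_IN        = 60 * 60  # assumed: a lock expires after one hour

  attr_reader :failed_attempts, :locked_at

  # valid_codes stands in for a real TOTP check (constructed test data);
  # the clock is injectable so lock expiry can be exercised without sleeping.
  def initialize(valid_codes, clock: -> { Time.now })
    @valid_codes = valid_codes
    @clock = clock
    @failed_attempts = 0
    @locked_at = nil
  end

  def access_locked?
    !@locked_at.nil? && !lock_expired?
  end

  def lock_expired?
    !@locked_at.nil? && (@clock.call - @locked_at) > UNLOCK_IN
  end

  def unlock_access!
    @locked_at = nil
    @failed_attempts = 0
  end

  def lock_access!
    @locked_at = @clock.call
  end

  def increment_failed_attempts
    @failed_attempts += 1
  end

  def attempts_exceeded?
    @failed_attempts >= MAXIMUM_ATTEMPTS
  end

  # Called by the second (OTP) page, which Devise's own counter never sees.
  # Mirrors the control flow of Lockable#valid_for_authentication?.
  def valid_for_otp_authentication?(code)
    unlock_access! if lock_expired?
    return false if access_locked?  # locked users cannot keep guessing codes

    if @valid_codes.include?(code)
      unlock_access!                 # success resets the counter
      true
    else
      increment_failed_attempts
      lock_access! if attempts_exceeded?
      false
    end
  end
end
```

The early `return false if access_locked?` is the second half of the commit: once locked, even the correct code is rejected until the lock expires, so the OTP page cannot be used as an unlimited oracle while the password page is already blocked.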
DJ Mountney
9224f031cf Pass the remember_me option into the u2f form and support it while authenticating
Matches the changes done for non-u2f two-factor auth
2016-09-01 17:11:42 -07:00
Timothy Andrew
3572582dd2 Use a single challenge for U2F authentication.
1. According to the spec, either we have a single challenge with
   a number of `signRequests`, or a number of `signRequests`, each with
   its own challenge.

2. Previously, we had both these - per-request challenges, as well as a
   single extra challenge.

3. This commit changes this so that the per-request challenges are
   removed, leaving only a single challenge, as per the v1.1 U2F API.

4. The existing implementation didn't work in Firefox, because the
   Firefox (extension) implementation is less flexible with regard to
   the inputs.

5. Fix teaspoon specs.

6. References: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#h2_background
2016-07-14 08:19:09 +05:30
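The single-challenge layout this commit adopts, as an added example that is not GitLab's code: one challenge shared by every `registeredKeys` entry (the v1.1 U2F JS API shape), plus the server-side check that the `clientData` echoed back by the device carries that same, still-unused challenge and the expected origin. `APP_ID`, the session hash and the constructed device reply are assumptions; the device signature itself is not verified here, since that needs the registered public key (for instance via the `u2f` gem).

```ruby
# Added example, not GitLab's code. Builds a v1.1-style U2F sign request with a
# single challenge and checks the challenge the device echoes back. APP_ID and
# the session hash are assumptions; signatureData is not verified here.
require 'securerandom'
require 'base64'
require 'json'

APP_ID = 'https://gitlab.example.com' # assumed facet / origin

def build_sign_request(session, key_handles)
  challenge = Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
  session[:u2f_challenge] = challenge        # one challenge, stored once
  {
    'appId'          => APP_ID,
    'challenge'      => challenge,
    'registeredKeys' => key_handles.map { |kh| { 'version' => 'U2F_V2', 'keyHandle' => kh } }
  }
end

# Constant-time comparison so the challenge check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def challenge_matches?(session, sign_response)
  expected = session.delete(:u2f_challenge)  # consumed on first use; a replay finds nil
  return false if expected.nil?
  client_data = JSON.parse(Base64.urlsafe_decode64(sign_response['clientData']))
  return false unless client_data['typ'] == 'navigator.id.getAssertion'
  return false unless client_data['origin'] == APP_ID
  secure_equal?(client_data['challenge'].to_s, expected)
rescue JSON::ParserError, ArgumentError
  false
end

# Constructed stand-in for what the browser's u2f.sign callback hands back.
def fake_device_response(sign_request, key_handle)
  client_data = JSON.generate('typ'       => 'navigator.id.getAssertion',
                              'challenge' => sign_request['challenge'],
                              'origin'    => APP_ID)
  { 'keyHandle'     => key_handle,
    'clientData'    => Base64.urlsafe_encode64(client_data, padding: false),
    'signatureData' => 'AQ' }  # placeholder; not checked in this example
end
```

Deleting the challenge from the session before comparing is what makes it single-use: a second submission of the same response, or a response built against an older request, fails before any signature work happens.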
Timothy Andrew
4b33c4c6d1 Load JavaScript U2F library selectively.
1. Only on supported Chrome versions

2. Mainly, this lets us simplify the javascript-based U2F check to
   `window.u2f`, where `window.u2f` can either be loaded from the GitLab
   server (for Chrome) or from the Firefox extension.

3. This is a better way to provide browser detection for U2F.
2016-07-14 08:19:09 +05:30
Timothy Andrew
86b07caa59 Implement authentication (login) using a U2F device.
- Move the `authenticate_with_two_factor` method from
  `ApplicationController` to the `AuthenticatesWithTwoFactor` module,
  where it should be.
2016-06-06 12:50:31 +05:30
Robert Speicher
c802d8eee1 Refactor SessionsController to use a controller concern 2015-05-14 14:24:05 -04:00