# This is the 1st commit message:
Add logging for all web authentication events
# This is the commit message #2:
Re-add underscore to after_inactive_sign_up_path_for
# This is the commit message #3:
Standardize on username=
# This is the commit message #4:
after_filter -> after_action, _resource -> resource
# This is the commit message #5:
Add two-factor login failures and account lockouts
# This is the commit message #6:
Move logging from two-factor concern to user model
# This is the commit message #7:
Add spaces around default parameter assignments
# This is the commit message #8:
Move logs out of user model
# This is the commit message #9:
Replace filtered_params with user_params
# This is the commit message #10:
Standardize case
# This is the commit message #1:
Fixes for username and AppLogger.info
Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
our custom login flow with two pages doesn't call this method. This will
increment the failed login counter, and lock the user's account once
they exceed the number of failed attempts.
Also ensure that users who are locked can't continue to submit 2FA
codes.
1. According to the spec, either we have a single challenge with
a number of `signRequests`, or a number of `signRequests`, each with
it's own challenge.
2. Previously, we had both these - per-request challenges, as well as a
single extra challenge.
3. This commit changes this so that the per-request challenges are
removed, leaving only a single challenge, as per the v1.1 U2F API.
4. The existing implementation didn't work in Firefox, because the
Firefox (extension) implementation is less flexible with regard to
the inputs.
5. Fix teaspoon specs.
6. References: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#h2_background
1. Only on supported Chrome versions
2. Mainly, this lets us simplify the javascript-based U2F check to
`window.u2f`, where `window.u2f` can either be loaded from the GitLab
server (for Chrome) or from the Firefox extension.
3. This is a better way to provide browser detection for U2F.
Brian Neel