Commit graph

19 commits

Author SHA1 Message Date
Rémy Coutable
cfe19b795e Add a new Gitlab::UserActivities class to track user activities
This new class uses a Redis Hash instead of a Sorted Set.

Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-04-14 15:20:55 +02:00
James Lopez
3cb84e06b7 Remove user activities table and use redis instead of PG for recording activities
Refactored specs and added a post deployment migration to remove the activity users table.
2017-04-14 15:20:55 +02:00
James Lopez
2951a8543e Add user activity service and spec. Also added relevant - NOT offline - migration
It uses a user activity table instead of a column in users.
Tested with mySQL and postgreSQL
2017-04-14 15:20:55 +02:00
mhasbini
af0c08b6f9 Fix redirection after login when the referer have params 2017-04-02 18:54:19 +03:00
Pawel Chojnacki
2ff139ddee Make Warden set_user hook validate user ip uniquness
+ rename shared context
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
0ef8a64348 Remove unecessary calls to limit_user!, UniqueIps Middleware, and address MR review
- cleanup formating in haml
 - clarify time window is in seconds
 - cleanup straneous chunks in db/schema
 - rename count_uniqe_ips to update_and_return_ips_count
 - other
2017-03-06 15:41:25 +01:00
Pawel Chojnacki
b1da4f7de3 Cleanup RSpec tests 2017-03-06 15:41:25 +01:00
Pawel Chojnacki
8993801f0c Test various login scenarios if the limit gets enforced 2017-03-06 15:41:25 +01:00
jnoortheen
6ab74b1cb3 fix: 24982- Remove'Signed in successfully' message
After this change the sign-in-success flash message will not be shown

refactor: set flash message to be nil while signing in

test: changed tests to reflect removal of sign-in message

refactor: adding signed_in message back

See Merge Request !7837

issue#24982
2016-12-07 20:30:28 +05:30
Sean McGivern
194fbc3c3d Restrict failed login attempts for users with 2FA
Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
our custom login flow with two pages doesn't call this method. This will
increment the failed login counter, and lock the user's account once
they exceed the number of failed attempts.

Also ensure that users who are locked can't continue to submit 2FA
codes.
2016-10-04 15:01:38 +01:00
DJ Mountney
9224f031cf Pass the remember_me option into the u2f form and support it while authenticating
Matches the changes done for non-u2f two-factor auth
2016-09-01 17:11:42 -07:00
Timothy Andrew
4db19bb445 Add a U2F-specific audit log entry after logging in.
- "two-factor" for OTP-based 2FA
- "two-factor-via-u2f-device" for U2F-based 2FA
- "standard" for non-2FA login
2016-06-06 12:50:31 +05:30
Robert Speicher
7d33fba7af Merge branch 'upgrade-devise-two-factor' into 'master'
Upgrade devise, devise-two-factor, and attr_encrypted

Devise 4 includes support for Rails 5, working towards #14286. devise-async doesn't support Devise 4.0 and in 4.1 the bug that was blocking using Devise's built-in ActiveJob integration was fixed. So devise-async is removed. devise-two-factor 3.0.0 is required for Devise 4 support.

attr_encrypted and encryptor are optional but recommended upgrades for devise-two-factor 3.0.0. The mode and algorithm will need to be changed in order to update to attr_encrypted 4.x in the future.

See merge request !4216
2016-06-02 00:44:41 +00:00
Robert Speicher
a602df3031 Pass the "Remember me" value to the 2FA token form
Prior, if a user had 2FA enabled and checked the "Remember me" field,
the setting was ignored because the OTP input was on a new form and the
value was never passed.

Closes #18000
2016-05-30 22:25:35 -04:00
Connor Shea
5647fb14b6
Fix a broken spec
Temporary fix until Devise 4 fixes this grammar issue:
https://github.com/plataformatec/devise/issues/4095
2016-05-30 13:51:21 -06:00
Robert Speicher
75739e54be Enable RSpec/NotToNot cop and auto-correct offenses
Also removes the note from the development/testing.md guide
2016-05-24 15:40:29 -04:00
Grzegorz Bizon
33a8dfd04f Make sessions controller specs more explicit 2016-04-07 13:16:48 +02:00
Grzegorz Bizon
00da609cfd Fix 2FA authentication spoofing vulnerability
This commit attempts to change default user search scope if otp_user_id
session variable has been set. If it is present, it means that user has
2FA enabled, and has already been verified with login and password. In
this case we should look for user with otp_user_id first, before picking
it up by login.
2016-04-07 11:19:29 +02:00
Grzegorz Bizon
301f4074aa Add specs for sessions controller including 2FA
This also contains specs for a bug described in #14900
2016-04-06 12:26:10 +02:00