Commit graph

99 commits

Author SHA1 Message Date
Ivan Tashkinov 2a4a4f3342 [#468] Defined OAuth restrictions for all applicable routes.
Improved missing "scopes" param handling.
Allowed "any of" / "all of" mode specification in OAuthScopesPlug.
Fixed auth UI / behavior when user selects no permissions at /oauth/authorize.
2019-02-15 19:54:37 +03:00
Ivan Tashkinov 027adbc9e5 [#468] Refactored OAuth scopes parsing / defaults handling. 2019-02-14 17:03:19 +03:00
William Pitcock e9ef4b8da6 oauth: never use base64 padding when returning tokens to applications
The normal Base64 alphabet uses the equals sign (=) as a padding character.  Since
Base64 strings are self-synchronizing, padding characters are unnecessary, so don't
generate them in the first place.
2019-02-14 01:10:04 +00:00
Ivan Tashkinov 063baca5e4 [#468] User UI for OAuth permissions restriction. Standardized storage format for scopes fields, updated usages. 2019-02-14 00:29:29 +03:00
Maxim Filippov 760fec4cb8 Update token.ex 2019-02-13 12:59:56 +03:00
Maxim Filippov 62a45bdc11 Add revoke token 2019-02-13 12:59:56 +03:00
Maxim Filippov 61a4bc5095 Add OAuth tokens endpoint 2019-02-13 12:59:56 +03:00
Haelwenn (lanodan) Monnier d924dc73ba
de-group import/s 2019-02-09 16:31:17 +01:00
Haelwenn (lanodan) Monnier 6a6a5b3251
de-group alias/es 2019-02-09 16:31:17 +01:00
Ivan Tashkinov 4ad843fb9d [#468] Prototype of OAuth2 scopes support. TwitterAPI scope restrictions. 2019-02-09 17:09:08 +03:00
Ivan Tashkinov 2c68cf7e9e OAuth2 security fixes: redirect URI validation, "Mastodon-Local" security breach fix.
(`POST /api/v1/apps` could create "Mastodon-Local" app wth any redirect_uris,
and if that happened before /web/login is accessed for the first time
then Pleroma used this externally created record with arbitrary
redirect_uris and client_secret known by creator).
2019-02-07 22:14:06 +03:00
lain 1825118fd4 Correctly handle invalid credentials on auth login.
Closes #407
2019-01-28 11:41:47 +01:00
href 28d77e373c
Flake Ids for Users and Activities 2019-01-23 11:26:27 +01:00
William Pitcock 980b5288ed update copyright years to 2019 2018-12-31 15:41:47 +00:00
William Pitcock 2791ce9a1f add license boilerplate to pleroma core 2018-12-23 20:56:42 +00:00
Ivan Tashkinov b096e30cff [#114] Added email confirmation resend action. Added tests
for registration, authentication, email confirmation, confirmation resending.
Made admin methods create confirmed users.
2018-12-18 17:22:46 +03:00
Ivan Tashkinov 1de0aa2f10 [#114] Account confirmation email, registration as unconfirmed (config-based), auth prevention for unconfirmed. 2018-12-18 17:21:05 +03:00
Maksim Pechnikov 074fa790ba fix compile warnings 2018-12-09 20:50:08 +03:00
William Pitcock 419ed3a0ca oauth: fix token decode regression 2018-11-11 05:26:39 +00:00
lain 4f640c43ed Unify Mastodon Login with OAuth login.
This removes duplication in the login code.
2018-11-06 15:19:11 +01:00
Haelwenn (lanodan) Monnier eacab0fb05
Delete Tokens and Authorizations on password change
Closes: https://git.pleroma.social/pleroma/pleroma/issues/320
2018-10-14 02:14:54 +02:00
Dominique Feyer 801d645c6b TASK: Fix formatting 2018-09-09 23:42:28 +02:00
Dominique Feyer b79c126ee0 Add missing URL encoding in create authorization redirect 2018-09-09 23:31:47 +02:00
Martin Kühl 84d84e4ca4 OAuth: Support /revoke endpoint for revoking tokens
(for compatibility with Mastodon)
2018-09-01 23:10:48 +02:00
Martin Kühl ad2a7972e7 OAuth: Set created_at in token exchange response
(for compatibility with Mastodon)
2018-09-01 23:10:48 +02:00
lambda 2c303b3302 Merge branch 'bugfix/oauth2-param-name' into 'develop'
oauth: support either name or username parameter with grant_type=password

Closes #180

See merge request pleroma/pleroma!219
2018-06-14 07:14:18 +00:00
William Pitcock 5442466569 oauth: fix password-based login when username is email address
closes #199
2018-06-14 02:32:30 +00:00
William Pitcock 4894b88b1b oauth: support either name or username parameter with grant_type=password
closes #180
2018-06-14 02:07:43 +00:00
D Anzorge 3607dc4558 Make token exchange return errors with 400 as status code 2018-06-06 03:14:50 +02:00
D Anzorge 73904e8f78 Make OAuth token endpoint work with HTTP Basic auth
client_id/client_secret can now be supplied in an Authorization header
2018-06-04 00:59:00 +02:00
lain ffe028cd73 More warning fixes. 2018-05-07 18:11:37 +02:00
lain 9e6ae44729 Formatting fixes. 2018-04-21 09:43:53 +02:00
eal 947431e9aa MastoAPI and OAuth: allow login with either email or username. 2018-04-18 13:13:57 +03:00
lain 4afbef39f4 Format the code. 2018-03-30 15:01:53 +02:00
William Pitcock dd21137f38 oauth: implement grant_type=password for single-page apps 2018-03-23 15:53:58 -05:00
lain f9ab38a443 Fix test. 2018-03-22 12:37:24 +01:00
Mark Felder 2702df489f cap again 2018-03-19 18:00:02 +00:00
Mark Felder 2549a73d6d start with a capital 2018-03-19 17:58:45 +00:00
Calv Collins 73249fa5ff Changed fallback controller to handle all cases from OAuthController 2018-02-08 18:15:59 +00:00
Calv Collins bdb5dd2194 Create action_fallback for username/password incorrect input 2018-02-08 16:57:30 +00:00
Roger Braun fd12e585c9 Handle existing redirect params. 2017-11-10 18:24:50 +01:00
eal b0e27b21dd Fix tootdon logins. 2017-11-06 21:51:31 +02:00
Roger Braun 5602293690 Fix callback state. 2017-09-16 11:37:55 +02:00
Roger Braun ac3f32da7e Preserve state in oauth 2017-09-14 09:29:51 +02:00
Roger Braun 5fe9e4dd3f Do oauth redirect. 2017-09-09 19:03:57 +02:00
Roger Braun 59dd240c08 Use token exchange method. 2017-09-09 12:10:46 +02:00
Roger Braun 95cedd6000 Make auth tokens usable once and expire them. 2017-09-09 12:02:59 +02:00
Roger Braun 2652d9e4ed Slight cleanup. 2017-09-07 08:58:10 +02:00
Roger Braun 2a298d70f9 Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00