mastodon/config
Claire b6b19419e2 Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2022-01-28 22:53:15 +01:00
..
environments add ssl option in smtp setting (#14309) 2020-07-15 14:43:49 +02:00
initializers Fix reviving revoked sessions and invalidating login (#16943) 2022-01-28 22:53:15 +01:00
locales Normalize locale files (#15434) 2020-12-27 05:30:56 +01:00
webpack Add subresource integrity for JS and CSS assets (#15096) 2020-11-06 11:56:31 +01:00
application.rb Fix media processing getting stuck on too much stdin/stderr (#16136) 2022-01-28 22:39:48 +01:00
boot.rb Add clean error message when RAILS_ENV is unset (#15381) 2020-12-20 18:05:03 +01:00
brakeman.ignore Fix performance on instances list in admin UI (#15282) 2020-12-14 09:06:34 +01:00
database.yml config: add DB_SSLMODE for managed/remote PG (#10210) 2019-03-08 14:36:28 +01:00
deploy.rb Bump capistrano from 3.14.0 to 3.14.1 (#14037) 2020-06-17 06:31:30 +02:00
environment.rb Make PreviewCard records reuseable between statuses (#4642) 2017-09-01 16:20:16 +02:00
i18n-tasks.yml Change move handler to carry blocks over (#14144) 2020-07-01 13:51:15 +02:00
navigation.rb Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
pghero.yml Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
puma.rb Add PERSISTENT_TIMEOUT option (#11756) 2019-09-04 20:44:08 +02:00
routes.rb Add import/export feature for bookmarks (#14956) 2020-11-19 17:48:13 +01:00
secrets.yml Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
settings.yml Add ability to require invite request text (#15326) 2020-12-14 10:03:09 +01:00
sidekiq.yml Fix to isolate the sidekiq process that runs the scheduler job (#15314) 2020-12-15 03:04:03 +01:00
themes.yml More polished light theme (#7620) 2018-05-25 18:36:26 +02:00
webpacker.yml Bump webpacker from 3.5.5 to 4.0.2 (#10277) 2019-03-15 15:05:31 +01:00