Add method to store session ids by ip
Add new specs for storing session ids
Add cleaning up records after login
Add retrieving anonymous sessions
Add login recaptcha setting
Add new setting to sessions controller
Add conditions for showing captcha
Add sessions controller specs
Add admin settings specs for login protection
Add new settings to api
Add stub to devise spec
Add new translation key
Add cr remarks
Rename class call
Add cr remarks
Change if-clause for consistency
Add cr remarks
Add code review remarks
Refactor AnonymousSession class
Add changelog entry
Move AnonymousSession class to lib
Move store unauthenticated sessions to sessions controller
Move link to recaptcha info
Regenerate text file
Improve copy on the spam page
Change action filter for storing anonymous sessions
Fix rubocop offences
Add code review remarks
Closes #55564
This was first discovered in #54739 (comment 122609857): if both `if:` and `only:`
are used in a `before_action` or `after_action` or alike, `if:` is completely ignored.
`InternalRedirect` prevents Open redirect issues by only allowing
redirection to paths on the same host.
It cleans up any unwanted strings from the path that could point to
another host (e.g. //about.gitlab.com/hello), while preserving the
querystring and fragment of the URI.
It is already used by:
- `TermsController`
- `ContinueParams`
- `ImportsController`
- `ForksController`
- `SessionsController`: Only for verifying the host in CE. EE allows
redirecting to a different instance using Geo.
In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo
secondary node). But in GitLab CE it also might be useful to have the
"read-only" idea around. So port it back to GitLab CE.
Also, having the principle of read-only in GitLab CE would hopefully
lead to fewer errors being introduced by doing write operations where they
aren't allowed for read-only calls.
Closes gitlab-org/gitlab-ce#37534.
# This is the 1st commit message:
Add logging for all web authentication events
# This is the commit message #2:
Re-add underscore to after_inactive_sign_up_path_for
# This is the commit message #3:
Standardize on username=
# This is the commit message #4:
after_filter -> after_action, _resource -> resource
# This is the commit message #5:
Add two-factor login failures and account lockouts
# This is the commit message #6:
Move logging from two-factor concern to user model
# This is the commit message #7:
Add spaces around default parameter assignments
# This is the commit message #8:
Move logs out of user model
# This is the commit message #9:
Replace filtered_params with user_params
# This is the commit message #10:
Standardize case
# This is the commit message #1:
Fixes for username and AppLogger.info
When sign-in is disabled:
- skip password expiration checks
- prevent password reset requests
- don’t show Password tab in User Settings
- don’t allow login with username/password for Git over HTTP requests
- render 404 on requests to Profiles::PasswordsController
This commit lets a user bypass the automatic sign-in on the login form,
in order to log in with a technical (admin, etc.) account
Closes #3786
Signed-off-by: Rémy Coutable <remy@rymai.me>
+ Use NullMetrics to mock metrics when unused
+ Use method_missing in NullMetrics mocking
+ Update prometheus gem to version that correctly uses transitive dependencies
+ Ensure correct folders are used in Multiprocess prometheus client tests.
+ rename Sessions controller's metric
This is a step for #29118.
Add a single metric to count successful logins.
Summary types are not supported so remove Collector. Either
we need to support the summary type or we need to create a
multiprocess-friendly Collector.
Add config to load prometheus and set up the Collector and the
Exporter.
Fix `Gemfile` as current prometheus-client gemspec is missing the
`mmap2` dependency.
After this change the sign-in-success flash message will not be shown
refactor: set flash message to be nil while signing in
test: changed tests to reflect removal of sign-in message
refactor: adding signed_in message back
See Merge Request !7837
issue #24982
The helper constructs the path for a given oauth provider since Devise 4.0 deprecated passing the provider to the omniauth authentication path.
Fixes #18110.
Check if the Users table has exactly one user limiting the whole set
## What does this MR do?
Limit the query set to avoid a full scan of all the rows on the users table (only scan two records)
#18225
See merge request !4492
Added minimum password length to password field
Add a placeholder to the password field in the register form with the minimum number of characters required. Also added a pattern to the field to stop it submitting if less than that.
Closes #17765
See merge request !4458
Prior, if a user had 2FA enabled and checked the "Remember me" field,
the setting was ignored because the OTP input was on a new form and the
value was never passed.
Closes #18000
This commit attempts to change the default user search scope if the otp_user_id
session variable has been set. If it is present, it means that the user has
2FA enabled and has already been verified with login and password. In
this case we should look for the user with otp_user_id first, before picking
it up by login.