mastodon/config/initializers
Claire b6b19419e2 Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged-in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2022-01-28 22:53:15 +01:00
0_post_deployment_migrations.rb
1_hosts.rb
2_whitelist_mode.rb
active_model_serializers.rb
application_controller_renderer.rb
assets.rb
backtrace_silencers.rb
blacklists.rb
cache_buster.rb Add cache buster feature for media files (#15155) 2020-11-19 17:38:06 +01:00
chewy.rb Fix unnecessary queries when batch-removing statuses, 100x faster (#15387) 2020-12-22 17:13:55 +01:00
content_security_policy.rb
cookies_serializer.rb
cors.rb
delivery_job.rb
devise.rb Fix reviving revoked sessions and invalidating login (#16943) 2022-01-28 22:53:15 +01:00
doorkeeper.rb Fix app name, website and redirect URIs not having a maximum length (#16042) 2022-01-28 22:39:48 +01:00
fast_blank.rb
ffmpeg.rb
filter_parameter_logging.rb
health_check.rb
http_client_proxy.rb
httplog.rb
inflections.rb
json_ld.rb
kaminari_config.rb
makara.rb Fix cookies not having a SameSite attribute (#15098) 2020-11-06 11:57:14 +01:00
mime_types.rb
oj.rb
omniauth.rb Support clock drift in Omniauth SAML provider (#15511) 2022-01-28 22:39:48 +01:00
open_uri_redirection.rb
pagination.rb
paperclip.rb Add stoplight for object storage failures, return HTTP 503 (#13043) 2020-12-15 12:55:29 +01:00
premailer_rails.rb
rack_attack.rb Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
rack_attack_logging.rb Change rate limits for various paths (#14253) 2020-07-07 15:26:39 +02:00
redis.rb
session_activations.rb
session_store.rb Fix cookies not having a SameSite attribute (#15098) 2020-11-06 11:57:14 +01:00
sidekiq.rb
simple_form.rb
single_user_mode.rb
statsd.rb
stoplight.rb
strong_migrations.rb
suppress_csrf_warnings.rb
trusted_proxies.rb
twitter_regex.rb Add support for Gemini urls (#15013) 2020-10-19 17:02:13 +02:00
vapid.rb
webauthn.rb Add WebAuthn as an alternative 2FA method (#14466) 2020-08-24 16:46:27 +02:00
wrap_parameters.rb