Alexandre Aubin
a52ed73a11
Typo
2019-01-17 23:21:30 +01:00
Josué Tille
437f3c238a
Fix when the user stay connected
2019-01-17 22:54:25 +01:00
Josué Tille
32d04dbac9
Fix SSOwat crash after password change
2019-01-07 11:45:29 +01:00
Laurent Peuch
253cde4b9a
[fix] CVE-2018-11347 http header injection
2018-12-06 23:50:21 +01:00
Alexandre Aubin
7be6e76cb8
SameSite=Strict breaks multisite
2018-11-19 16:06:12 +00:00
Alexandre Aubin
2699aa8db7
Clarify Set-Cookie syntax
2018-11-19 16:03:35 +00:00
Alexandre Aubin
2ff41d9920
Merge remote-tracking branch 'tYYGH/PR_choiceRewritePW+fixes' into stretch-unstable
2018-11-05 03:15:43 +01:00
Alexandre Aubin
b68ebc04c7
Merge pull request #103 from frju365/patch-1
...
[fix] Secure cookie setting
2018-11-04 16:20:59 +01:00
Alexandre Aubin
99c108f362
Merge pull request #104 from YunoHost/enh-pwd-validate
...
[enh] Validate password strength
2018-11-04 15:59:39 +01:00
Alexandre Aubin
cb96f848d3
This got removed
2018-10-31 18:55:07 +00:00
tituspijean
11d0e0689a
[mod] Redirect after logout if r URI argument exists
2018-09-15 09:25:48 +02:00
ljf
e4ee83cc8e
[fix] Add a small comment
2018-08-29 03:00:13 +02:00
ljf
deeb30637e
[fix] Remove nginx log
2018-08-29 02:58:17 +02:00
ljf
410ba2e4a7
[fix] Remove extra end line of the cmd run with popen
2018-08-29 02:55:02 +02:00
ljf
7627101eb5
[enh] Simplify code thanks to change on password.py
2018-08-29 01:26:19 +02:00
ljf
349d486cec
[fix] Remove some nginx debug log
2018-08-29 01:08:36 +02:00
ljf
d83b522d50
[fix] Remove some nginx debug log
2018-08-29 00:56:24 +02:00
ljf
945b04cc67
[fix] Regex todo
2018-08-29 00:47:59 +02:00
ljf
95e1c1cd2f
[fix] Secure password transmission
2018-08-29 00:07:48 +02:00
ljf
ab8b040174
[enh] Validate password as configured
2018-08-28 21:33:19 +02:00
frju365
07c3db2c46
[fix] CVE CSRF with cookie setting
2018-08-25 02:29:26 +02:00
Eynix
23eb2fc3e4
replace hige by lustache
2018-06-07 11:56:34 +02:00
Y
db9059a55c
let the admin decide how passwords are handled
2017-09-16 19:22:47 +02:00
Laurent Peuch
9b7fee7a1b
[fix] attempt to fix https://github.com/YunoHost/SSOwat/pull/86#issuecomment-323417926
2017-08-19 04:39:51 +02:00
Laurent Peuch
98b1b53fbf
Merge pull request #87 from YunoHost/hash_algo
...
[fix] Auto-update user password hashes with new algo
2017-08-18 02:42:00 +02:00
Laurent Peuch
d440d06ae7
[fix] be paranoid and prevent shell injections here also while input is supposed to be safe
2017-08-18 02:35:08 +02:00
Laurent Peuch
c8c7fe7fc7
[fix] prevent shell injections
2017-08-18 02:34:46 +02:00
Laurent Peuch
d16f3f81d0
[enh] auto rehash in sha-512 users passwords on login
2017-08-15 11:41:24 +02:00
Laurent Peuch
2ff2fb92f3
[enh] encode password using sha512 on user modification of password
2017-08-15 11:11:35 +02:00
Côme Chilliet
47f01b3f6f
Fixed support for incomplete translations (fallback to default language for missing strings)
2017-08-10 16:31:00 +02:00
Laurent Peuch
50fcc831bf
[mod] comment didn't match reality
2017-05-27 19:19:48 +02:00
Laurent Peuch
c1a388ccf0
Merge pull request #84 from YunoHost/caching_for_hash
...
[enh] uses caching for hash to avoid heavy recalculation and process spawning
2017-05-23 21:40:30 +02:00
Laurent Peuch
5157415ce3
[fix] remove tabs
2017-05-23 07:26:41 +02:00
Laurent Peuch
76677fab0d
[enh] uses caching for hash to avoid heavy recalculation and process spawning
2017-05-22 23:01:18 +02:00
sidddy
fc52f05459
Quick fix for CDA security issue
2017-05-18 08:45:20 +02:00
Laurent Peuch
98a6879ab4
[fix] don't include ip in token, this is useless and makes infinite redirection

It has been confirmed by a security friend that this was nearly useless here since the token is marked as Secure and can only be exchanged on https, so if someone managed to steal it the user has way more important problems.
2017-05-18 08:40:33 +02:00
Laurent Peuch
2456eda200
[fix] Use hmac_sha512 instead of md5 for cookie hashing. Don't store the key in token anymore ( #80 )
...
* [fix] uses hmac_sha512 for hashing the token and don't store the key in it anymore
* [mod] remove python script and talk directly to openssl
2017-05-18 08:34:36 +02:00
Laurent Peuch
054b7d1752
[mod] remove things not related to logging
2017-05-13 15:08:56 +02:00
sidddy
ad39e3ded5
Added access log, ignore IP, check acl for basic auth
2017-05-13 15:06:18 +02:00
opi
fff95314ce
[fix] Use local variables for cookie's expired_time.
2017-02-28 15:38:46 +01:00
opi
6bd8eb1a90
[fix] Delete cookies on logout.
2017-02-28 15:36:45 +01:00
opi
2eb38d3eaa
[enh] Add 'Secure' flag in cookies.
2017-02-28 15:36:04 +01:00
opi
a2af42144b
[fix] Use 'Expires' instead of 'Max-Age' for every cookie for consistency.
2017-02-28 15:23:40 +01:00
JimboJoe
fb99ee2177
Fix HTTP cookie caching
...
- Use "Expires" instead of "Max-Age" when using a cookie date (Max-Age is used with an interval of seconds in the future: https://en.wikipedia.org/wiki/HTTP_cookie#Expires_and_Max-Age )
- Fix cookie dates to be compliant with specifications
Fixes errors with various "picky" clients (for example, Lightroom/Piwigo plugin).
2017-02-28 15:19:28 +01:00
Julien Malik
fd3338de99
[fix] Refresh ldap info before loading page that requires it, fixes #633
2017-02-28 11:14:22 +01:00
opi
e7b39d4d29
[fix] Always redirect to portal when calling logout page.
2017-02-23 17:53:17 +01:00
opi
bf24cf5e50
[enh] Use consistent coding convention for function prototype.
2016-04-30 12:40:59 +02:00
root
648b552297
adding credentials for non-anonymous bind
2016-04-29 14:31:37 +02:00
Jérôme Lebleu
a46be28b53
[fix] Construct a proper emails array ( fix #39 )
2015-06-30 21:03:20 +02:00
kload
cd85f6b740
[enh] Sort apps alphabetically + set app color regarding its name
2015-06-14 13:23:21 +02:00
kload
404fe510d2
[fix] Ensure that configuration is loaded properly when we need it
...
+ lowercase the username
+ do not fail when only one email alias is set
2015-06-02 17:05:06 +02:00
kload
8ee3d6b93d
[fix] Get rid of Cookie cache
2015-05-21 16:11:33 +02:00
kload
e15c15812c
[fix] Finally caught this little nasty Cookie setter
2015-05-21 15:29:36 +02:00
kload
f895e02986
[fix] Do not declare cookies as global variables
2015-05-16 21:03:06 +02:00
kload
0ebddc079a
[fix] Load libraries locally to avoid caching
2015-05-16 09:42:26 +02:00
kload
8953860017
[fix] Efficiently generate random strings
2015-04-30 15:16:51 +02:00
julienmalik
f5bd2dcc2b
[fix] escape minus character to avoid interpretation as range
...
Fixes #36
2015-03-31 11:29:45 +02:00
opi
b9b6d09769
[fix] Prevent adding the same cookie again and again.
2015-02-18 14:35:13 +01:00
Jérôme Lebleu
1d44e53f7b
[fix] Allow special characters in email addresses ( fix #33 )
2015-02-16 16:42:06 +01:00
Jérôme Lebleu
cf78b8929d
[enh] Consider new gTLDs in email regex using Lrexlib
2015-02-15 22:31:20 +01:00
kload
2a9769f7d9
[fix] Load modules as proper modules + typo
2015-02-15 13:03:01 +01:00
kload
35e69a1bf2
[fix] Separate files properly
2015-02-12 12:08:52 +01:00
kload
84015149b9
[enh] Separate configuration file loading to a new file and document it
2015-02-02 00:05:09 +01:00
kload
3fbb7d6d0e
[enh] Separate helpers to helpers.coffee
2015-02-01 15:04:36 +01:00