mastodon/config/initializers
Claire 6da135a493
Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00
..
0_post_deployment_migrations.rb Add post-deployment migration system (#8182) 2018-08-13 13:40:01 +02:00
1_hosts.rb Fix host check on healthcheck path not being disabled (#16270) 2021-05-17 22:36:08 +02:00
2_whitelist_mode.rb Remove the terms blacklist and whitelist from UX (#14149) 2020-06-27 20:20:11 +02:00
active_model_serializers.rb Fix ActivityPub context not being dynamically computed (#11746) 2019-09-03 22:52:32 +02:00
application_controller_renderer.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
assets.rb HTML e-mails for UserMailer (#6256) 2018-01-16 03:29:11 +01:00
backtrace_silencers.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
blacklists.rb Remove the terms blacklist and whitelist from UX (#14149) 2020-06-27 20:20:11 +02:00
cache_buster.rb Add cache buster feature for media files (#15155) 2020-11-19 17:38:06 +01:00
chewy.rb Support authentication for ElasticSearch (#16890) 2021-10-24 17:20:03 +02:00
content_security_policy.rb Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
cookies_serializer.rb
cors.rb Use same CORS policy for /@:username and /users/:username (#9485) 2018-12-10 21:39:47 +01:00
devise.rb Fix reviving revoked sessions and invalidating login (#16943) 2021-11-06 00:13:58 +01:00
doorkeeper.rb Fix app name, website and redirect URIs not having a maximum length (#16042) 2021-04-15 16:28:43 +02:00
fast_blank.rb Fixed code quality issues (#15541) 2021-01-31 21:26:09 +01:00
ffmpeg.rb add ffmpeg initializer (#8855) 2018-10-09 03:02:52 +02:00
filter_parameter_logging.rb
http_client_proxy.rb Refactor monkey-patching of Goldfinger (#12561) 2020-05-10 11:41:43 +02:00
httplog.rb
inflections.rb Prepare Mastodon for zeitwerk autoloader (#15917) 2021-03-19 02:42:43 +01:00
json_ld.rb Fix preloaded JSON-LD context for identity not being used (#12138) 2019-10-10 06:48:53 +02:00
kaminari_config.rb Add ability to filter audit log in admin UI (#13381) 2020-04-03 13:06:34 +02:00
mail_delivery_job.rb Fix mailer jobs for deleted notifications erroring out (#16294) 2021-05-24 03:02:46 +02:00
makara.rb Drop dependency on secure_headers, fix response headers (#15712) 2021-02-11 23:47:05 +01:00
mime_types.rb
oj.rb Remove rabl dependency (#5894) 2017-12-06 15:04:49 +09:00
omniauth.rb New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655) 2021-08-25 18:41:24 +02:00
open_uri_redirection.rb Optimize some regex matching (#15528) 2021-01-22 10:09:08 +01:00
paperclip.rb Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
permissions_policy.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
preload_link_headers.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
premailer_rails.rb HTML e-mails for UserMailer (#6256) 2018-01-16 03:29:11 +01:00
rack_attack.rb Add POST /api/v1/emails/confirmations to REST API (#15816) 2021-03-01 18:39:47 +01:00
rack_attack_logging.rb Change rate limits for various paths (#14253) 2020-07-07 15:26:39 +02:00
redis.rb Change Redis#exists calls to Redis#exists? to avoid deprecation warning (#14191) 2020-07-01 19:05:21 +02:00
session_activations.rb
session_store.rb Add Ruby 3.0 support (#16046) 2021-05-06 14:22:54 +02:00
sidekiq.rb Add a Redis environment variable for sidekiq (#16188) 2021-05-09 10:40:17 +02:00
simple_form.rb Fixed code quality issues (#15541) 2021-01-31 21:26:09 +01:00
single_user_mode.rb
statsd.rb Remove unused StatsD code and expose StatsD as a global variable (#11232) 2019-07-02 11:34:39 +02:00
stoplight.rb Fix stoplight logging to stderr separate from Rails logger (#10624) 2019-04-23 04:39:48 +02:00
strong_migrations.rb Fix migration failure due to StrongMigrations on production env (#5283) 2017-10-09 10:05:35 +02:00
suppress_csrf_warnings.rb Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
trusted_proxies.rb
twitter_regex.rb Minor memory optimizations (#16507) 2021-10-14 21:04:57 +02:00
vapid.rb Lint pass (#8876) 2018-10-04 12:36:53 +02:00
webauthn.rb Add WebAuthn as an alternative 2FA method (#14466) 2020-08-24 16:46:27 +02:00
wrap_parameters.rb