Commit Graph

3999 Commits

Author SHA1 Message Date
Michael Snoyman
64cb8980db Version bump 2016-03-02 11:08:15 +02:00
Michael Snoyman
169b3a6b44 Merge branch 'fix/oauth-twitter-id' of https://github.com/kakkun61/yesod 2016-03-02 11:05:25 +02:00
Michael Snoyman
5709040dcd Add some docs for MassInput 2016-03-02 11:05:19 +02:00
Kazuki Okamoto
e1b70eb0f8 new twitter plugin 2016-03-02 10:59:43 +09:00
Sibi
3d8c91bae6 Merge pull request #1169 from bitemyapp/master
Trivial typo in haddocks bothering me
2016-03-02 03:58:20 +05:30
Chris Allen
7123b02500 typo 2016-03-01 15:13:34 -06:00
Kazuki Okamoto
8a66da1f24 Revert "add twitterId function"
This reverts commit 074b0c68e7.
2016-03-01 23:21:17 +09:00
Kazuki Okamoto
074b0c68e7 add twitterId function 2016-02-29 04:07:42 +09:00
Kazuki Okamoto
d46d754555 Revert "change Twitter ID screen_name → user_id"
This reverts commit 5a25e5e53b.
2016-02-29 00:00:42 +09:00
Kazuki Okamoto
5a25e5e53b change Twitter ID screen_name → user_id 2016-02-28 16:48:56 +09:00
Maximilian Tagher
aae32399f1 Merge pull request #1165 from lethjakman/auth_csrf
Fixed registerHandler CSRF issue
2016-02-23 14:54:50 +01:00
Maximilian Tagher
9dd48ab4b3 Merge pull request #1161 from MaxGabriel/yesodAuthHardodedUseCSRFToken
Have the yesod-auth login form use a CSRF token
2016-02-23 14:54:38 +01:00
Michael Snoyman
b09d029fb7 Merge pull request #1166 from luigy/master
[WIP] improve stack detection for yesod-bin
2016-02-21 15:51:43 +02:00
Alex Kardos
456e93fb10 Added autofocus attribute to email input 2016-02-20 13:47:42 -07:00
Alex Kardos
27e1ec3be3 Used email field for input 2016-02-20 13:39:18 -07:00
Alex Kardos
c376146231 Removed whitespace 2016-02-20 13:38:48 -07:00
Alex Kardos
ed5037fa74 Used localized email label 2016-02-20 13:38:19 -07:00
Alex Kardos
3e37983f1c Added encoding type and removed unused variable 2016-02-20 13:37:43 -07:00
Luigy Leon
f576a8a435 only perform checks when it needs to build 2016-02-19 15:42:42 -05:00
Luigy Leon
d87499deb5 [yesod-bin] improve stack detection for 'stack keter'
The following will now use stack:

* `stack query` succeeds from the current directory instead of searching for an existing `stack.yaml`
* `STACK_YAML` or `STACK_EXE` (set by `stack exec`) environment variables are set
2016-02-19 12:21:02 -05:00
Alex Kardos
76fc5887f9 Fixed registerHandler CSRF issue
The default register handler for email authentication didn't provide a
CSRF token. I provided one by using a monadic form helper.
2016-02-17 20:39:09 -07:00
Maximilian Tagher
d39ce44c21 Use defaultCsrfParamName instead of hard-coding its value
* Up version bounds so that `defaultCsrfParamName` is available.
* I didn't bump the yesod-form version. It seemed unnecessary to do a new release just for this.
2016-02-15 23:59:24 -08:00
Maximilian Tagher
a01051eaf6 Have the yesod-auth login form use a CSRF token
Closes #1159

Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged in as the attacker. This creates vulnerabilities like:

1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. If the user adds sensitive information to the account, like credit card information, the attacker can log in and potentially steal that information or use it on the site.

I don't think this vulnerability applies to the `Yesod.Auth.Hardcoded` plugin because the attacker couldn't create an account of their own.

However:

* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware

Does this sound like the right solution?
2016-02-14 17:32:46 -08:00
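The two CSRF commits above (the login form in a01051eaf6/d39ce44c21 and the email register handler in 76fc5887f9) both come down to the same two halves: the form must emit the session's token under `defaultCsrfParamName`, and something server-side must compare it before the POST is acted on. The following is an added, self-contained illustration of that pairing in a minimal Yesod site; it is not yesod-auth's own code. It hand-writes the form in Hamlet rather than using the monadic form helper the register-handler fix used, it assumes yesod-core >= 1.4.14 (where `defaultCsrfMiddleware`, `checkCsrfParamNamed` and `reqToken` exist), and the route names, the `username` session key and the single hard-coded user `alice`/`secret` are stand-ins for a real credential store.

```haskell
{-# LANGUAGE OverloadedStrings, QuasiQuotes, TemplateHaskell, TypeFamilies,
             ViewPatterns, MultiParamTypeClasses #-}
-- Added example, not code from yesod or yesod-auth.
-- Assumes yesod-core >= 1.4.14; "alice"/"secret" is a hypothetical user.
module Main (main) where

import Yesod.Core
import Data.Text (Text)

data App = App

mkYesod "App" [parseRoutes|
/      HomeR  GET
/login LoginR GET POST
|]

instance Yesod App where
    -- defaultCsrfMiddleware wraps csrfCheckMiddleware, which on every
    -- non-GET/HEAD request compares the _token POST parameter (or the
    -- X-XSRF-TOKEN header) against the token stored in the session and
    -- answers 403 on mismatch or absence. It also sets the XSRF-TOKEN
    -- cookie so JavaScript clients can send the header.
    yesodMiddleware = defaultCsrfMiddleware . defaultYesodMiddleware

-- The login form. Without the hidden _token field, a page on another
-- origin can POST the attacker's own username/password from the
-- victim's browser; the middleware would reject it (no token), but a
-- form without the token also cannot be submitted legitimately, which
-- is the breakage the yesod-auth commits fixed.
getLoginR :: Handler Html
getLoginR = do
    -- reqToken is Nothing only when the session backend is disabled.
    token <- fmap reqToken getRequest
    defaultLayout [whamlet|
<form method=post action=@{LoginR}>
  $maybe t <- token
    <input type=hidden name=#{defaultCsrfParamName} value=#{t}>
  <p>
    <label>Username
      <input type=text name=username autofocus>
  <p>
    <label>Password
      <input type=password name=password>
  <button type=submit>Log in
|]

-- By the time this runs, the middleware has already verified the token.
-- If the site did not enable defaultCsrfMiddleware, the per-handler
-- equivalent is: checkCsrfParamNamed defaultCsrfParamName
postLoginR :: Handler Html
postLoginR = do
    muser <- lookupPostParam "username"
    mpass <- lookupPostParam "password"
    case (muser, mpass) of
        -- Hypothetical credential check; a real site looks this up.
        (Just "alice", Just "secret") -> do
            setSession "username" "alice"
            redirect HomeR
        _ -> permissionDenied "bad credentials"

getHomeR :: Handler Html
getHomeR = do
    muser <- lookupSession "username"
    defaultLayout [whamlet|
$maybe u <- muser
  <p>Logged in as #{u}
$nothing
  <p>Not logged in. <a href=@{LoginR}>Log in
|]

main :: IO ()
main = warp 3000 App
```

To see the login CSRF case the commit message describes, POST `username=alice&password=secret` to `/login` from another origin (for instance a `curl` without the session cookie or the `_token` field): the middleware answers 403 and no session is set, whereas the same request with a token copied out of the rendered form and the matching session cookie logs the browser in. Because the token is bound to the session, an attacker cannot pre-fill a valid one for a victim's browser.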
Michael Snoyman
d8414c3c20 Merge pull request #1155 from chreekat/enclosure-doc
Document feed entry enclosures
2016-02-03 09:27:41 +02:00
Bryan Richter
806dc5c629 Fuller docs + version bump 2016-02-02 08:59:01 -08:00
Bryan Richter
4d48ba71be Document feed entry enclosures 2016-02-01 20:18:58 -08:00
Sibi
7ea1e004c9 Merge pull request #1153 from mrP0tat0Head/fix-auth-message-german-translation
Fix typo in auth German translation
2016-01-26 06:03:27 +05:30
Eugen
69b4751990 Fix typo in auth German translation 2016-01-26 00:12:26 +01:00
Michael Snoyman
cf5a390cad Add _token parameter to redirectToPost #1151 2016-01-24 14:37:44 +02:00
Michael Snoyman
be9d0a281d Better Travis caching 2016-01-21 14:15:24 +02:00
Michael Snoyman
aa36a22834 Version bump for yesod-core 2016-01-21 09:59:45 +02:00
Michael Snoyman
fff6449fa2 Newer wai-app-static to fix build against nightly 2016-01-21 09:09:03 +02:00
Michael Snoyman
df90bd43e2 Deprecate Yesod.Auth.GoogleEmail #1150 2016-01-21 09:00:50 +02:00
Michael Snoyman
607d23151a Merge pull request #1149 from vlatkoB/master
Croatian translation
2016-01-20 14:48:04 +02:00
vlatkoB
a6e11245cf Fix var name to croatianFormMessage 2016-01-20 09:47:28 +01:00
vlatkoB
1fca3ceea3 Croatian translation 2016-01-20 08:48:15 +01:00
Michael Snoyman
d6cd13a423 Changelog for #1144 2016-01-14 09:34:43 +02:00
Michael Snoyman
8f2d92baab Merge pull request #1144 from ajnsit/hierarchical-subsites
Allow subsites within hierarchical routes
2016-01-14 09:34:00 +02:00
Anupam Jain
0d99f94e5a Add a testcase for nested subsites 2016-01-14 11:30:06 +05:30
Anupam Jain
a1df470d01 Allow subsites within hierarchical routes 2016-01-13 10:47:50 +05:30
Michael Snoyman
eae422ea0c Merge pull request #1143 from Dridus/properly-polymorphic-sendStatusJSON
#1142 make sendStatusJSON fully polymorphic in its return type, since it never returns
2016-01-12 19:24:07 +02:00
Ross MacLeod
1fb53dfa9e #1142 make sendStatusJSON fully polymorphic in its return type, since it never returns 2016-01-12 11:32:20 -05:00
Michael Snoyman
d4a907d4e8 tar 0.5 2016-01-10 17:23:06 +02:00
Michael Snoyman
3228b40843 Fully remove the yesod init command (fixes #1132) 2015-12-30 09:04:29 +02:00
Greg Weber
5dff4adf86 Merge pull request #1129 from silky/master
Add error class when help text is an error.
2015-12-28 20:18:43 -08:00
silky
6ec02a917f Add error class when help text is an error. 2015-12-23 16:00:37 +11:00
Michael Snoyman
d346b8361f Version bump (fixes #1128) 2015-12-19 20:08:17 +02:00
Michael Snoyman
bff65b7942 Version bump for #1122 2015-12-14 11:50:25 +02:00
Michael Snoyman
10709c4e26 Merge pull request #1122 from pseudonom/master
Add hook to apply arbitrary function to all handlers
2015-12-14 11:49:30 +02:00
Michael Snoyman
bde5a69914 Merge pull request #1124 from mrkkrp/master
Fix references to ‘Yesod.Core.Handler’
2015-12-12 21:16:00 +02:00