Daniel Campoverde [alx741]
9014192c66
Update changelog
2017-02-18 18:31:05 -05:00
Daniel Campoverde [alx741]
ea5e1cca26
Update emailLoginHandler 'since' version
2017-02-18 18:28:53 -05:00
Daniel Campoverde [alx741]
c5ddf55937
Update emailLoginHandler 'since' version
2017-02-18 15:14:45 -05:00
Daniel Campoverde [alx741]
c78ae95b3a
Fix email auth module
2017-02-18 15:14:45 -05:00
Daniel Campoverde [alx741]
311f7927bb
Merge branch 'master' of https://github.com/yesodweb/yesod
2017-02-18 15:14:31 -05:00
Michael Snoyman
cdc6c8ae04
Version bumps/changelog updates
2017-02-08 11:20:31 +02:00
Daniel Campoverde [alx741]
276a9f1321
Add and export defaultEmailLoginHandler
2017-02-06 16:15:38 -05:00
Sibi Prabakaran
d1ec382fc6
Better haddock rendering: Since -> @since
2017-02-07 01:01:05 +05:30
Sibi Prabakaran
854e0e45e7
Update relevant changelog
2017-02-07 01:00:19 +05:30
Sibi Prabakaran
dddae24786
Export plugin identifier for GoogleEmail2 module
2017-02-07 01:00:00 +05:30
Sibi Prabakaran
6f1356f2a1
Update changelog
2017-02-05 20:27:00 +05:30
Sibi Prabakaran
0c3e1d2299
Derive Show for Creds type
...
Useful for doing liftIO $ print inside Yesod handlers like
authenticate.
2017-02-05 20:25:23 +05:30
Michael Snoyman
aefd074efa
Cleanup GHC 8 redundant constraints
2017-02-05 13:35:12 +02:00
Michael Snoyman
3dc2d10b30
Compile with -Wall -Werror
2017-02-05 12:09:18 +02:00
Michael Snoyman
64ed0792bc
Check mime-type for JSON bodies #1330
2017-02-02 08:10:19 +02:00
Michael Snoyman
db883f19b8
Fix some whitespace
2017-02-02 07:43:55 +02:00
Sibi Prabakaran
4330461033
Change the type signature from Text to Verkey
...
Since the other type signatures of the typeclass have VerKey instead of
Text, it would be better to use VerKey here also to maintain
consistency. Also, IMO this signature is easier to follow (I had to
look at the source to see how the verification key was generated).
2016-12-30 18:06:40 +05:30
Sibi Prabakaran
08f994103a
Add documentation for JSON endpoints for Yesod.Auth.Email module
2016-12-08 14:25:08 +05:30
Michael Snoyman
98854b4de3
Version bump for #1317
2016-12-07 09:23:53 -05:00
Sibi Prabakaran
60f66b4c3a
Add relevant changelog
2016-12-07 14:09:01 +05:30
Sibi Prabakaran
8f8c99db88
Do parseJsonBody only when form data is not found
2016-12-07 14:08:37 +05:30
Sibi Prabakaran
0255f93c22
Export croatianMessage
2016-12-06 18:44:46 +05:30
Sibi Prabakaran
47b2877c79
More Haddock fixes
2016-12-06 18:44:38 +05:30
Sibi Prabakaran
75df4e0468
Use @since for proper haddock rendering
2016-12-06 18:21:36 +05:30
Sibi Prabakaran
83575e92a0
Fix typo: /s/interoprate/interoperate
2016-12-06 18:20:18 +05:30
Sibi Prabakaran
85bd15d109
Add json support for postPasswordR
2016-12-06 18:17:19 +05:30
Sibi Prabakaran
b6cd72f49f
Implement Login via JSON endpoint
...
Add additional handling of JSON endpoint in addition to the HTML form
method.
2016-12-06 15:20:51 +05:30
Sibi Prabakaran
19840cdc89
Add json support for postRegisterR
2016-12-05 19:32:23 +05:30
Michael Snoyman
2c4e19e0b6
Version bump for #1309
2016-11-29 13:48:42 +02:00
Filip Gralinski
a3929aa9bb
remove invalid Google OpenID link
2016-11-26 19:39:24 +01:00
Sibi Prabakaran
696faa3fd0
req is not needed.
2016-11-20 13:43:01 +05:30
Sibi Prabakaran
10850f5cee
Use checkCsrfHeaderOrParam instead of manual check
2016-11-20 13:32:15 +05:30
Sibi Prabakaran
7f17d829b3
Fix CSRF security vulnerability in registerHelper function
...
Return a 403 status code if the csrf tokens are matched. This currently
affects two endpoints: During registration and during password reset
forms.
This curl request demonstrates how this can be exploited to register new
email:
curl -i --header "Accept: application/json" --request POST -F "email=sibi@psibi.in" http://localhost:3005/auth/page/email/register
With the patch applied, it will respond with this:
{"message":"Permission Denied. A valid CSRF token wasn't present in HTTP
headers or POST parameters. Because the request could have been forged,
it's been rejected altogether. Check the Yesod.Core.Handler docs of the
yesod-core package for details on CSRF protection."}
2016-11-20 03:59:32 +05:30
Bryan Richter
add9d4393a
Comment on unsafePerformIO, close #1245
2016-10-03 09:08:22 -07:00
Michael Snoyman
a04d2b25ba
Version bump
2016-09-02 12:39:01 +03:00
kevin147147
e27cebb8a5
Translation bug in German message
...
missing space
2016-09-01 11:55:44 +02:00
Michael Snoyman
d2482bf178
Version bump
2016-08-14 15:44:53 +03:00
Michael Snoyman
25cb163e11
Relax upper bounds for persistent 2.6
2016-08-14 15:41:17 +03:00
Felix Paulusma
76726063e4
Updated some Dutch translations.
2016-07-12 17:19:09 +02:00
Michael Snoyman
6595a707d0
Version bump
2016-06-27 10:46:19 +03:00
Bryan Richter
5342f891f3
Add key reuse warning (#1222) (#1233)
2016-05-14 15:40:07 -07:00
Michael Snoyman
bd1ea59cbd
Version bump
2016-04-25 18:17:13 +03:00
Erik de Castro Lopo
34e0c8b638
yesod-auth: Fixes for persistent 2.5
2016-04-19 15:18:46 +10:00
Eric Easley
d99de61554
Use CPP to maintain backward compat
2016-04-18 10:03:39 -07:00
Eric Easley
8e71f766b5
Use PersistRecordBackend constraint synonym
2016-04-15 21:25:40 -07:00
Eric Easley
bf3a9c9dd4
Switch to released persistent-2.5
2016-04-14 15:14:56 -07:00
Eric Easley
f7494260b0
Merge remote-tracking branch 'upstream/master'
2016-04-11 09:16:06 -07:00
Christopher League
85a62ab074
Bump yesod-auth version for CSRF support (#1205)
2016-04-03 12:43:15 -04:00
Christopher League
fd870c95f9
Provide CSRF token in Dummy login form
2016-04-02 23:04:58 -04:00
Eric Easley
02dcb99cad
Merge remote-tracking branch 'upstream/master'
2016-03-31 13:03:47 -07:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
ecdee7f51a
Tidy up imports
2016-03-29 19:14:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
5febecf812
Improve Russian translation for ConfirmPass message
2016-03-29 19:14:27 +05:00
Michael Snoyman
aa6714e4b0
Undo minor bump that was not needed
2016-03-29 09:16:33 +03:00
Michael Snoyman
31d07481f1
Version bump
2016-03-29 09:15:57 +03:00
Sebastien Canart
36bc175f50
Add French translation for CurrentPassword
2016-03-23 08:26:44 +01:00
Adam Sjøgren
04a7c12b65
Add translation to Danish.
2016-03-20 21:16:14 +01:00
Murray
a15070709d
allow more than one session message and add statuses
2016-03-16 18:14:40 +00:00
Michael Snoyman
27a9faa91f
Merge pull request #1183 from lethjakman/auth_forgot_password_csrf
...
Fixed forgot password CSRF with form helper
2016-03-13 08:11:16 +02:00
Alex Kardos
d76aa1a16e
Converted runFormPosts to generateFormPost
...
This is a cleaner way to generate forms without ignoring one of the
variables.
2016-03-12 18:29:05 -07:00
Alex Kardos
9fb3f61ac8
Moved settings to functions to clean up the form
2016-03-12 18:29:05 -07:00
Alex Kardos
2f0a7fbcc5
Wrapped email login form with an id
2016-03-12 18:29:05 -07:00
Alex Kardos
0c0cb12a10
Used form helper for forgot password form
...
* Removed unused idents
* Isolated form logic
* Added an id around forgot password for styling purposes
2016-03-12 18:28:49 -07:00
Michael Snoyman
8df56ecaa1
Merge pull request #1176 from lethjakman/auth_set_password_csrf
...
Auth password handler CSRF
2016-03-10 10:55:17 +02:00
Alex Kardos
dee130ac9f
Made spacing consistent with the rest of the file
2016-03-09 19:47:52 -07:00
Alex Kardos
7faecc8952
Added translations and dummy data for current password
...
German and Spanish provided by Erin Eichenberger.
2016-03-09 19:22:36 -07:00
Michael Snoyman
936fe84cdd
Deprecate BrowserId #1173
2016-03-08 16:27:21 +02:00
Alex Kardos
e3aa310c84
Used monadic form helper for password handler
...
This needed to happen in order to automatically get CSRF protection
Several changes happened while switching over:
* Relied on built in names for inputs
* Cleaned up naming
* Created password helpers for each field
* Added a translation for current password
2016-03-07 16:44:05 -07:00
Michael Snoyman
4ed1e7e486
Merge pull request #1174 from lethjakman/auth_main_page_csrf
...
Fixed CSRF token for login page
2016-03-07 10:03:30 +02:00
Alex Kardos
4b78c4d60a
Moved emailLoginHandler out of authEmail
...
The authEmail function was getting large so I moved the
emailLoginHandler out into its own function.
2016-03-05 16:59:02 -07:00
Alex Kardos
d42d38990d
Added translated label to default register handler
...
This was removed by accident.
2016-03-05 16:58:34 -07:00
Alex Kardos
4963f562fe
Converted yesod login screen to monadic form
...
The form helpers weren't being used, which caused the CSRF tokens to not
be present. This also allows for a bit more flexibility and
cleans up the code as well.
2016-03-03 20:52:08 -07:00
Maximilian Tagher
aae32399f1
Merge pull request #1165 from lethjakman/auth_csrf
...
Fixed registerHandler CSRF issue
2016-02-23 14:54:50 +01:00
Alex Kardos
1cae0e38ab
Moved login logic into a function
...
This is more clear and looks like the other authorization plugins.
2016-02-20 21:28:20 -07:00
Alex Kardos
456e93fb10
Added autofocus attribute to email input
2016-02-20 13:47:42 -07:00
Alex Kardos
27e1ec3be3
Used email field for input
2016-02-20 13:39:18 -07:00
Alex Kardos
c376146231
Removed whitespace
2016-02-20 13:38:48 -07:00
Alex Kardos
ed5037fa74
Used localized email label
2016-02-20 13:38:19 -07:00
Alex Kardos
3e37983f1c
Added encoding type and removed unused variable
2016-02-20 13:37:43 -07:00
Alex Kardos
76fc5887f9
Fixed registerHandler CSRF issue
...
The default register handler for email authentication didn't provide a
CSRF token. I provided one by using a monadic form helper.
2016-02-17 20:39:09 -07:00
Maximilian Tagher
d39ce44c21
Use defaultCsrfParamName instead of hard-coding its value
...
* Up version bounds so that `defaultCsrfParamName` is available.
* I didn't bump the yesod-form version. It seemed unnecessary to do a new release just for this.
2016-02-15 23:59:24 -08:00
Maximilian Tagher
a01051eaf6
Have the yesod-auth login form use a CSRF token
...
Closes #1159
Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged in as the attacker. This creates vulnerabilities like:
1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. If the user adds sensitive information to the account, like credit card information, the attacker can log in and potentially steal that information or use it on the site.
I don't think this vulnerability applies to the `Yesod.Auth.Hardcoded` plugin because the attacker couldn't create an account of their own.
However:
* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware
Does this sound like the right solution?
2016-02-14 17:32:46 -08:00
Eric Easley
4bc4fc3b36
Adjust yesod-auth for split DB
2016-02-07 19:17:50 -08:00
Eugen
69b4751990
Fix typo in auth German translation
2016-01-26 00:12:26 +01:00
Michael Snoyman
df90bd43e2
Deprecate Yesod.Auth.GoogleEmail #1150
2016-01-21 09:00:50 +02:00
vlatkoB
1fca3ceea3
Croatian translation
2016-01-20 08:48:15 +01:00
mrkkrp
1976e90be9
Bump password strength to compensate for 2 years
...
Computers are now faster than in 2013.
2015-12-03 00:08:51 +06:00
mrkkrp
2431100c8b
Fix a typo
2015-12-03 00:08:40 +06:00
Greg Weber
dae434aa64
release Yesod.Auth.HardCoded
2015-11-29 17:27:41 -08:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
4f2f49b5ee
Update documentation
...
More concrete module documentation. Now it shows a way to combine
'AuthHardcoded' plugin with other plugins.
Fixed some typos.
2015-11-29 22:12:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
f524ce55ea
Bump minor version of yesod-auth
2015-11-29 22:12:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
b024a7a540
Add module documentation
2015-11-29 22:12:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
9fbc3bc082
Initial module implementation
2015-11-29 22:12:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
ec3ec15a80
Fix Czech UserName message
...
Convert word "jméno" to lowercase.
See comment from
[`lubomir`](https://github.com/yesodweb/yesod/pull/1100#commitcomment-14580304)
2015-11-24 13:34:13 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
a6494bf788
Bump minor version
2015-11-24 02:19:04 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
97d8bbba06
Introduce LogoutTitle message constructor
...
`LogoutTitle` is a replacement for `Logout` constructor, the latter is
inconsistent with `LoginTitle` constructor name.
Added `DEPRECATED` pragma to warn users about this change.
2015-11-24 02:15:03 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
11bedecdc0
Prettify imports (via Stylish Haskell)
2015-11-23 16:41:09 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
d1e92af79e
Add UserName message constructor
2015-11-23 16:40:47 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
311f949f0e
Extract "in"/"out" suffixes in Login/Logout words
...
Split "Login" and "Logout" words into two parts, e.g. "Log In" and "Log
Out".
2015-11-23 16:14:40 +05:00
Paul Rouse
276e687ac5
Example loginHandler override in haddock
2015-10-27 11:50:27 +00:00
Paul Rouse
a25153d86e
Provide default loginHandler as separate function
2015-10-21 12:27:59 +01:00