Sibi Prabakaran
696faa3fd0
req is not needed.
2016-11-20 13:43:01 +05:30
Sibi Prabakaran
10850f5cee
Use checkCsrfHeaderOrParam instead of manual check
2016-11-20 13:32:15 +05:30
Sibi Prabakaran
7f17d829b3
Fix CSRF security vulnerability in registerHelper function
...
Return a 403 status code if the csrf tokens are matched. This currently
affects two endpoints: During registration and during password reset
forms.
This curl request demonstrates how this can be exploited to register new
email:
curl -i --header "Accept: application/json" --request POST -F "email=sibi@psibi.in" http://localhost:3005/auth/page/email/register
With the patch applied, it will respond with this:
{"message":"Permission Denied. A valid CSRF token wasn't present in HTTP headers or POST parameters. Because the request could have been forged, it's been rejected altogether. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection."}
2016-11-20 03:59:32 +05:30
Bryan Richter
add9d4393a
Comment on unsafePerformIO, close #1245
2016-10-03 09:08:22 -07:00
Bryan Richter
5342f891f3
Add key reuse warning (#1222) (#1233)
2016-05-14 15:40:07 -07:00
Murray
a15070709d
allow more than one session message and add statuses
2016-03-16 18:14:40 +00:00
Alex Kardos
d76aa1a16e
Converted runFormPosts to generateFormPost
...
This is a cleaner way to generate forms without ignoring one of the
variables.
2016-03-12 18:29:05 -07:00
Alex Kardos
9fb3f61ac8
Moved settings to functions to clean up the form
2016-03-12 18:29:05 -07:00
Alex Kardos
2f0a7fbcc5
Wrapped email login form with an id
2016-03-12 18:29:05 -07:00
Alex Kardos
0c0cb12a10
Used form helper for forgot password form
...
* Removed unused idents
* Isolated form logic
* Added an id around forgot password for styling purposes
2016-03-12 18:28:49 -07:00
Alex Kardos
e3aa310c84
Used monadic form helper for password handler
...
This needed to happen in order to automatically get CSRF protection.
Several changes happened while switching over:
* Relied on built in names for inputs
* Cleaned up naming
* Created password helpers for each field
* Added a translation for current password
2016-03-07 16:44:05 -07:00
Alex Kardos
4b78c4d60a
Moved emailLoginHandler out of authEmail
...
The authEmail function was getting large so I moved the
emailLoginHandler out into its own function.
2016-03-05 16:59:02 -07:00
Alex Kardos
d42d38990d
Added translated label to default register handler
...
This was removed on accident.
2016-03-05 16:58:34 -07:00
Alex Kardos
4963f562fe
Converted yesod login screen to monadic form
...
The form helpers weren't being used which caused the CSRF tokens to not
be present. This also allows for a bit more flexibility and
cleans up the code as well.
2016-03-03 20:52:08 -07:00
Alex Kardos
1cae0e38ab
Moved login logic into a function
...
This is more clear and looks like the other authorization plugins.
2016-02-20 21:28:20 -07:00
Alex Kardos
456e93fb10
Added autofocus attribute to email input
2016-02-20 13:47:42 -07:00
Alex Kardos
27e1ec3be3
Used email field for input
2016-02-20 13:39:18 -07:00
Alex Kardos
c376146231
Removed whitespace
2016-02-20 13:38:48 -07:00
Alex Kardos
ed5037fa74
Used localized email label
2016-02-20 13:38:19 -07:00
Alex Kardos
3e37983f1c
Added encoding type and removed unused variable
2016-02-20 13:37:43 -07:00
Alex Kardos
76fc5887f9
Fixed registerHandler CSRF issue
...
The default register handler for email authentication didn't provide a
CSRF token. I provided one by using a monadic form helper.
2016-02-17 20:39:09 -07:00
mrkkrp
1976e90be9
Bump password strength to compensate 2 years
...
Computers are now faster than in 2013.
2015-12-03 00:08:51 +06:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
2074915962
Apply stylish-haskell, organize imports
2015-06-24 20:54:27 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
dfd14ea16d
Remove redundant imports
2015-06-24 20:54:27 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
4b05cd83f6
Use nonce package in Auth.Email
...
Generate verification keys using `nonce` package.
2015-06-24 20:54:11 +05:00
Jude Taylor
886e6bdd2c
add ConstrainedClassMethods
2015-06-08 00:30:16 -07:00
Michael Snoyman
fa0fbb4569
Version bump
2015-04-26 18:37:33 +03:00
Richard Zetterberg
9e1516594e
Fixes faulty type annotations
2015-04-26 15:28:45 +02:00
Richard Zetterberg
770a7a29d2
Adds export of verify route
...
This allows users of the library to easily render VerUrl to use in
verification emails to new users, if the user was created outside
of the regular register functionality.
2015-04-26 14:55:12 +02:00
Greg Weber
510f70d5b3
fix typos
2014-09-24 08:07:15 -07:00
Greg Weber
01339ad528
add some documentation for Yesod.Auth.Email
2014-09-24 07:47:13 -07:00
Greg Weber
629df4a291
add required attribute
2014-09-17 12:31:42 -07:00
Greg Weber
2a30519169
fix some import warnings
2014-09-16 18:13:28 -07:00
Greg Weber
1067816b5d
fix confirmation email status
...
I screwed this up in a big re-factoring in 153654ad
2014-09-16 18:10:40 -07:00
Michael Snoyman
e35836bbc1
Include patched pwstore-fast implementation.
...
See: https://github.com/PeterScott/pwstore/pull/10
2014-05-11 15:43:06 +03:00
Axel Angel
bd1b5b1ef1
Auth.Email: modern buttons, use translation RegisterLong
2014-05-09 00:29:50 +02:00
Michael Snoyman
bdcb174830
Remove pureMD5 and SHA deps
2014-03-26 15:21:37 +02:00
Greg Weber
b1cdf072ad
Merge branch 'master' into auth-json-2
...
Conflicts:
yesod-auth/Yesod/Auth.hs
yesod-auth/Yesod/Auth/Email.hs
yesod-auth/yesod-auth.cabal
2014-03-20 14:38:14 -07:00
Felipe Lessa
6f7e8c8e04
Allow Yesod.Auth.Email handlers to be overridden.
...
The main purpose is to allow more customization of the Yesod.Auth.Email
handlers by not only changing the CSS but also the DOM.
2014-02-25 19:28:09 -03:00
Felipe Lessa
9e6db27be2
Sync normalizeEmailAddress' doc to current code.
2014-02-25 19:11:44 -03:00
Felipe Lessa
9f7031d9dd
Whitespace.
2014-02-25 19:10:02 -03:00
Felipe Lessa
71558d3342
Increase Yesod.Auth.Email pwstore strength to the recommended minimum of 14.
2014-02-25 19:08:50 -03:00
Greg Weber
d817d37c9c
yesod-auth: user defined layout
2014-01-08 14:35:13 -08:00
Greg Weber
153654adb9
yesod-auth: send json responses
2014-01-08 12:19:45 -08:00
Greg Weber
507d6faed8
Merge pull request #638 from jprider63/master
...
Add the function onHtmlError to the auth typeclass so users can customize behavior on authentication errors.
2013-12-23 07:16:31 -08:00
jp.rider63
b57ac44d9c
Added type constraint to onHtmlError. Modified plugins to support this
...
changed type
2013-12-22 01:02:30 -05:00
Greg Weber
366e63fb36
use loginErrorMessageI to send a json response
2013-12-20 18:32:20 -08:00
Michael Snoyman
7274341322
normalizeEmailAddress
2013-09-09 15:01:20 +02:00
Michael Snoyman
e420705b07
Allow modification of confirmation email page
2013-08-20 13:38:11 +03:00
Michael Snoyman
e99302e93d
needOldPassword and checkPasswordSecurity
2013-08-07 09:21:29 +03:00