Alex Kardos
ed5037fa74
Used localized email label
2016-02-20 13:38:19 -07:00
Alex Kardos
3e37983f1c
Added encoding type and removed unused variable
2016-02-20 13:37:43 -07:00
Luigy Leon
f576a8a435
only perform checks when it needs to build
2016-02-19 15:42:42 -05:00
Luigy Leon
d87499deb5
[yesod-bin] improve stack detection for 'stack keter'
...
The following will now use stack:
* `stack query` succeeds from the current directory instead of checking that a `stack.yaml` exists
* `STACK_YAML` or `STACK_EXE` (set by `stack exec`) environment variables are set
2016-02-19 12:21:02 -05:00
Alex Kardos
76fc5887f9
Fixed registerHandler CSRF issue
...
The default register handler for email authentication didn't provide a
CSRF token. I provided one by using a monadic form helper.
2016-02-17 20:39:09 -07:00
Maximilian Tagher
d39ce44c21
Use defaultCsrfParamName instead of hard-coding its value
...
* Up version bounds so that `defaultCsrfParamName` is available.
* I didn't bump the yesod-form version. It seemed unnecessary to do a new release just for this.
2016-02-15 23:59:24 -08:00
Maximilian Tagher
a01051eaf6
Have the yesod-auth login form use a CSRF token
...
Closes #1159
Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged in as the attacker. This creates vulnerabilities like:
1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. If the user adds sensitive information to the account, like credit card information, the attacker can log in and potentially steal that information or use it on the site.
I don't think this vulnerability applies to the `Yesod.Auth.Hardcoded` plugin because the attacker couldn't create an account of their own.
However:
* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware
Does this sound like the right solution?
2016-02-14 17:32:46 -08:00
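The login-CSRF scenario described in the commit above, as an added, constructed simulation that is not code from Yesod or from the commit author. It models a site whose login endpoint either ignores or checks a per-session token submitted under the `_token` parameter name (the same name Yesod's `defaultCsrfParamName` uses); the `Site`, `Session`, `simulate_login_csrf` names, the account list and the search history are all assumptions made for the example. The forged request carries no token because an attacker page on another origin cannot read the victim's session token, yet the browser still attaches the victim's session cookie.

```python
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed accounts for the simulation: "alice" is the victim, "mallory" the attacker.
USERS = {"alice": "alice-pw", "mallory": "mallory-pw"}
TOKEN_PARAM = "_token"  # same parameter name as Yesod's defaultCsrfParamName


class Session:
    """One browser's cookie-backed session (hypothetical, not Yesod's session type)."""

    def __init__(self) -> None:
        self.sid = secrets.token_hex(8)
        self.user: Optional[str] = None
        # Per-session secret that the real login page embeds as a hidden _token field.
        self.csrf_token = secrets.token_hex(16)


class Site:
    """Stand-in for a site with username/password login and per-account history."""

    def __init__(self, require_csrf: bool) -> None:
        self.require_csrf = require_csrf
        self.sessions: Dict[str, Session] = {}
        self.history: Dict[str, List[str]] = defaultdict(list)

    def new_session(self) -> Session:
        s = Session()
        self.sessions[s.sid] = s
        return s

    def render_login_form(self, sid: str) -> Dict[str, str]:
        """Hidden fields the legitimate login page includes in its form."""
        return {TOKEN_PARAM: self.sessions[sid].csrf_token}

    def post_login(self, sid: str, form: Dict[str, str]) -> int:
        s = self.sessions[sid]
        if self.require_csrf:
            # Same idea as checkCsrfParamNamed: the submitted _token must equal
            # the token stored in the session, compared in constant time.
            submitted = form.get(TOKEN_PARAM, "")
            if not secrets.compare_digest(submitted, s.csrf_token):
                return 403
        if USERS.get(form.get("username", "")) != form.get("password"):
            return 401
        s.user = form["username"]
        return 200

    def post_search(self, sid: str, query: str) -> int:
        s = self.sessions[sid]
        if s.user is None:
            return 401
        # Activity is recorded against the *account*, not the browser session,
        # which is what lets the attacker read it later.
        self.history[s.user].append(query)
        return 200


def simulate_login_csrf(require_csrf: bool) -> Dict[str, object]:
    """Run the attack against a site with or without the login-form token check."""
    site = Site(require_csrf)
    victim = site.new_session()  # alice's browser has a session cookie, not logged in

    # An attacker-controlled page auto-submits a login form to the site. The
    # browser attaches alice's cookie, but the foreign page cannot read her
    # session's _token, so the forged request carries none.
    forged = {"username": "mallory", "password": "mallory-pw"}
    forged_status = site.post_login(victim.sid, forged)

    if victim.user is None:
        # Forged login rejected: alice later logs in herself via the real form.
        form = dict(site.render_login_form(victim.sid),
                    username="alice", password="alice-pw")
        assert site.post_login(victim.sid, form) == 200
    # alice uses the site, believing the session is her own.
    site.post_search(victim.sid, "my private search")

    # Later, mallory logs in from her own browser and reads her account history.
    attacker = site.new_session()
    form = dict(site.render_login_form(attacker.sid),
                username="mallory", password="mallory-pw")
    site.post_login(attacker.sid, form)
    return {
        "forged_login_status": forged_status,
        "victim_logged_in_as": victim.user,
        "attacker_sees": list(site.history["mallory"]),
    }


if __name__ == "__main__":
    print("no token check:", simulate_login_csrf(require_csrf=False))
    print("with _token:   ", simulate_login_csrf(require_csrf=True))
```

Without the check, the victim's session silently becomes the attacker's account and the victim's search lands in the attacker's history; with the check, the forged POST is refused with 403 because it cannot supply the session-bound `_token`, and the attacker's history stays empty.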
Eric Easley
dbffca825c
Update stack.yaml to point at modified persistent
2016-02-11 13:14:27 -08:00
Eric Easley
4bc4fc3b36
Adjust yesod-auth for split DB
2016-02-07 19:17:50 -08:00
Eric Easley
1dea0ef5b1
Adjust yesod-form for split DB
2016-02-07 19:15:57 -08:00
Eric Easley
7b35665d73
Adjust yesod-persistent for split DB
2016-02-07 19:11:41 -08:00
Michael Snoyman
d8414c3c20
Merge pull request #1155 from chreekat/enclosure-doc
...
Document feed entry enclosures
2016-02-03 09:27:41 +02:00
Bryan Richter
806dc5c629
Fuller docs + version bump
2016-02-02 08:59:01 -08:00
Bryan Richter
4d48ba71be
Document feed entry enclosures
2016-02-01 20:18:58 -08:00
Sibi
7ea1e004c9
Merge pull request #1153 from mrP0tat0Head/fix-auth-message-german-translation
...
Fix typo in auth german translation
2016-01-26 06:03:27 +05:30
Eugen
69b4751990
Fix typo in auth german translation
2016-01-26 00:12:26 +01:00
Michael Snoyman
cf5a390cad
Add _token parameter to redirectToPost #1151
2016-01-24 14:37:44 +02:00
Michael Snoyman
be9d0a281d
Better Travis caching
2016-01-21 14:15:24 +02:00
Michael Snoyman
aa36a22834
Version bump for yesod-core
2016-01-21 09:59:45 +02:00
Michael Snoyman
fff6449fa2
Newer wai-app-static to fix build against nightly
2016-01-21 09:09:03 +02:00
Michael Snoyman
df90bd43e2
Deprecate Yesod.Auth.GoogleEmail #1150
2016-01-21 09:00:50 +02:00
Michael Snoyman
607d23151a
Merge pull request #1149 from vlatkoB/master
...
Croatian translation
2016-01-20 14:48:04 +02:00
vlatkoB
a6e11245cf
Fix var name to croatianFormMessage
2016-01-20 09:47:28 +01:00
vlatkoB
1fca3ceea3
Croatian translation
2016-01-20 08:48:15 +01:00
Anupam Jain
38680c6568
Add test for hierarchical subsite with arguments
...
Note: Needed to enable ViewPatterns for this
2016-01-19 17:06:40 +05:30
Anupam Jain
9859fe1ddb
Pass hierarchical route arguments to subsites
2016-01-19 15:21:15 +05:30
Michael Snoyman
d6cd13a423
Changelog for #1144
2016-01-14 09:34:43 +02:00
Michael Snoyman
8f2d92baab
Merge pull request #1144 from ajnsit/hierarchical-subsites
...
Allow subsites within hierarchical routes
2016-01-14 09:34:00 +02:00
Anupam Jain
0d99f94e5a
Add a testcase for nested subsites
2016-01-14 11:30:06 +05:30
Anupam Jain
a1df470d01
Allow subsites within hierarchical routes
2016-01-13 10:47:50 +05:30
Michael Snoyman
eae422ea0c
Merge pull request #1143 from Dridus/properly-polymorphic-sendStatusJSON
...
#1142 make sendStatusJSON fully polymorphic in its return type, since it never returns
2016-01-12 19:24:07 +02:00
Ross MacLeod
1fb53dfa9e
#1142 make sendStatusJSON fully polymorphic in its return type, since it never returns
2016-01-12 11:32:20 -05:00
Michael Snoyman
d4a907d4e8
tar 0.5
2016-01-10 17:23:06 +02:00
Michael Snoyman
3228b40843
Fully remove the yesod init command (fixes #1132)
2015-12-30 09:04:29 +02:00
Greg Weber
5dff4adf86
Merge pull request #1129 from silky/master
...
Add error class when help text is an error.
2015-12-28 20:18:43 -08:00
silky
6ec02a917f
Add error class when help text is an error.
2015-12-23 16:00:37 +11:00
Michael Snoyman
d346b8361f
Version bump (fixes #1128)
2015-12-19 20:08:17 +02:00
Michael Snoyman
bff65b7942
Version bump for #1122
2015-12-14 11:50:25 +02:00
Michael Snoyman
10709c4e26
Merge pull request #1122 from pseudonom/master
...
Add hook to apply arbitrary function to all handlers
2015-12-14 11:49:30 +02:00
Michael Snoyman
bde5a69914
Merge pull request #1124 from mrkkrp/master
...
Fix references to ‘Yesod.Core.Handler’
2015-12-12 21:16:00 +02:00
mrkkrp
15c1573538
‘checkCsrfHeaderNamed’ → ‘checkCsrfParamNamed’
...
Also removed trailing whitespace. Actual typo fix is on line 1318.
2015-12-11 23:00:01 +06:00
mrkkrp
bb02d2b911
fix references to ‘Yesod.Core.Handler’
2015-12-11 22:40:06 +06:00
Eric Easley
21e49c7710
Fix tests for unwrapping hook
2015-12-10 09:53:55 -08:00
Eric Easley
56c19a2cd3
Add hook to apply arbitrary function to all handlers
2015-12-09 11:29:13 -08:00
Greg Weber
b271978ccf
Merge pull request #1105 from bitemyapp/master
...
JSON-specific sendResponseStatus
2015-12-07 16:04:07 -08:00
Greg Weber
2ecfec1b9a
Merge pull request #1116 from lethjakman/auth_demo
...
Added an example with email auth and an SES mailer
2015-12-07 15:13:36 -08:00
Michael Snoyman
5c6a20d6c0
Merge pull request #1119 from mrkkrp/master
...
Fix a typo in Russian translation of form messages
2015-12-07 12:26:40 +02:00
mrkkrp
b8949f4970
Fix a typo in Russian translation of form messages
2015-12-07 15:54:40 +06:00
Michael Snoyman
1fb697ff0d
Add a workaround for yesodweb/wai#478
2015-12-06 13:29:17 +02:00
Michael Snoyman
288c457cfa
Version bump for yesodweb/yesod-scaffold#114
2015-12-06 12:55:59 +02:00