Christopher League
fd870c95f9
Provide CSRF token in Dummy login form
2016-04-02 23:04:58 -04:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
ecdee7f51a
Tidy up imports
2016-03-29 19:14:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
5febecf812
Improve Russian translation for ConfirmPass message
2016-03-29 19:14:27 +05:00
Sebastien Canart
36bc175f50
Add French translation for CurrentPassword
2016-03-23 08:26:44 +01:00
Adam Sjøgren
04a7c12b65
Add translation to Danish.
2016-03-20 21:16:14 +01:00
Murray
a15070709d
allow more than one session message and add statuses
2016-03-16 18:14:40 +00:00
Michael Snoyman
27a9faa91f
Merge pull request #1183 from lethjakman/auth_forgot_password_csrf
...
Fixed forgot password CSRF with form helper
2016-03-13 08:11:16 +02:00
Alex Kardos
d76aa1a16e
Converted runFormPosts to generateFormPost
...
This is a cleaner way to generate forms without ignoring one of the
variables.
2016-03-12 18:29:05 -07:00
Alex Kardos
9fb3f61ac8
Moved settings to functions to clean up the form
2016-03-12 18:29:05 -07:00
Alex Kardos
2f0a7fbcc5
Wrapped email login form with an id
2016-03-12 18:29:05 -07:00
Alex Kardos
0c0cb12a10
Used form helper for forgot password form
...
* Removed unused idents
* Isolated form logic
* Added an id around forgot password for styling purposes
2016-03-12 18:28:49 -07:00
Michael Snoyman
8df56ecaa1
Merge pull request #1176 from lethjakman/auth_set_password_csrf
...
Auth password handler CSRF
2016-03-10 10:55:17 +02:00
Alex Kardos
dee130ac9f
Made spacing consistent with the rest of the file
2016-03-09 19:47:52 -07:00
Alex Kardos
7faecc8952
Added translations and dummy data for current password
...
German and Spanish provided by Erin Eichenberger.
2016-03-09 19:22:36 -07:00
Michael Snoyman
936fe84cdd
Deprecate BrowserId #1173
2016-03-08 16:27:21 +02:00
Alex Kardos
e3aa310c84
Used monadic form helper for password handler
...
This needed to happen in order to automatically get CSRF protection
Several changes happened while switching over:
* Relied on built in names for inputs
* Cleaned up naming
* Created password helpers for each field
* Added a translation for current password
2016-03-07 16:44:05 -07:00
Michael Snoyman
4ed1e7e486
Merge pull request #1174 from lethjakman/auth_main_page_csrf
...
Fixed CSRF token for login page
2016-03-07 10:03:30 +02:00
Alex Kardos
4b78c4d60a
Moved emailLoginHandler out of authEmail
...
The authEmail function was getting large so I moved the
emailLoginHandler out into its own function.
2016-03-05 16:59:02 -07:00
Alex Kardos
d42d38990d
Added translated label to default register handler
...
This was removed by accident.
2016-03-05 16:58:34 -07:00
Alex Kardos
4963f562fe
Converted yesod login screen to monadic form
...
The form helpers weren't being used which caused the CSRF tokens to not
be present. This also allows for a bit more flexibility and
cleans up the code as well.
2016-03-03 20:52:08 -07:00
Maximilian Tagher
aae32399f1
Merge pull request #1165 from lethjakman/auth_csrf
...
Fixed registerHandler CSRF issue
2016-02-23 14:54:50 +01:00
Alex Kardos
1cae0e38ab
Moved login logic into a function
...
This is more clear and looks like the other authorization plugins.
2016-02-20 21:28:20 -07:00
Alex Kardos
456e93fb10
Added autofocus attribute to email input
2016-02-20 13:47:42 -07:00
Alex Kardos
27e1ec3be3
Used email field for input
2016-02-20 13:39:18 -07:00
Alex Kardos
c376146231
Removed whitespace
2016-02-20 13:38:48 -07:00
Alex Kardos
ed5037fa74
Used localized email label
2016-02-20 13:38:19 -07:00
Alex Kardos
3e37983f1c
Added encoding type and removed unused variable
2016-02-20 13:37:43 -07:00
Alex Kardos
76fc5887f9
Fixed registerHandler CSRF issue
...
The default register handler for email authentication didn't provide a
CSRF token. I provided one by using a monadic form helper.
2016-02-17 20:39:09 -07:00
Maximilian Tagher
d39ce44c21
Use defaultCsrfParamName instead of hard-coding its value
...
* Up version bounds so that `defaultCsrfParamName` is available.
* I didn't bump the yesod-form version. It seemed unnecessary to do a new release just for this.
2016-02-15 23:59:24 -08:00
Maximilian Tagher
a01051eaf6
Have the yesod-auth login form use a CSRF token
...
Closes #1159
Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged in as the attacker. This creates vulnerabilities like:
1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. If the user adds sensitive information to the account, like credit card information, the attacker can log in and potentially steal that information or use it on the site.
I don't think this vulnerability applies to the `Yesod.Auth.Hardcoded` plugin because the attacker couldn't create an account of their own.
However:
* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware
Does this sound like the right solution?
2016-02-14 17:32:46 -08:00
Eugen
69b4751990
Fix typo in auth german translation
2016-01-26 00:12:26 +01:00
Michael Snoyman
df90bd43e2
Deprecate Yesod.Auth.GoogleEmail #1150
2016-01-21 09:00:50 +02:00
vlatkoB
1fca3ceea3
Croatian translation
2016-01-20 08:48:15 +01:00
mrkkrp
1976e90be9
Bump password strength to compensate 2 years
...
Computers are now faster than in 2013.
2015-12-03 00:08:51 +06:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
4f2f49b5ee
Update documentation
...
More concrete module documentation. Now it shows a way to combine
'AuthHardcoded' plugin with other plugins.
Fixed some typos.
2015-11-29 22:12:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
b024a7a540
Add module documentation
2015-11-29 22:12:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
9fbc3bc082
Initial module implementation
2015-11-29 22:12:40 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
ec3ec15a80
Fix Czech UserName message
...
Convert word "jméno" to lowercase.
See comment from
[`lubomir`](https://github.com/yesodweb/yesod/pull/1100#commitcomment-14580304)
2015-11-24 13:34:13 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
97d8bbba06
Introduce LogoutTitle message constructor
...
`LogoutTitle` is a replacement for `Logout` constructor, the latter is
inconsistent with `LoginTitle` constructor name.
Added `DEPRECATED` pragma to warn users about this change.
2015-11-24 02:15:03 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
11bedecdc0
Prettify imports (via Stylish Haskell)
2015-11-23 16:41:09 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
d1e92af79e
Add UserName message constructor
2015-11-23 16:40:47 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
311f949f0e
Extract "in"/"out" suffixes in Login/Logout words
...
Split "Login" and "Logout" words into two parts, e.g. "Log In" and "Log
Out".
2015-11-23 16:14:40 +05:00
Michael Snoyman
2179a8e30d
GoogleEmail2: proper error message when permission denied
2015-10-13 08:02:19 +00:00
Greg Weber
3f96cae289
yesod-auth: add a runHttpRequest typeclass method
2015-10-07 07:06:21 -07:00
Greg Weber
6a567f0ccd
ask for profile permission
...
somehow we are able to read the profile
of most users without this
2015-09-10 15:57:01 -07:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
2074915962
Apply stylish-haskell, organize imports
2015-06-24 20:54:27 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
dfd14ea16d
Remove redundant imports
2015-06-24 20:54:27 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
1891e573fc
Use nonce package in Auth.GoogleEmail2
...
Generate CSRF tokens using `nonce` package
2015-06-24 20:54:20 +05:00
Arthur Fayzrakhmanov (Артур Файзрахманов)
4b05cd83f6
Use nonce package in Auth.Email
...
Generate verification keys using `nonce` package.
2015-06-24 20:54:11 +05:00
Jude Taylor
886e6bdd2c
add ConstrainedClassMethods
2015-06-08 00:30:16 -07:00
Michael Snoyman
fa0fbb4569
Version bump
2015-04-26 18:37:33 +03:00
Richard Zetterberg
9e1516594e
Fixes faulty type annotations
2015-04-26 15:28:45 +02:00
Richard Zetterberg
770a7a29d2
Adds export of verify route
...
This allows users of the library to easily render VerUrl to use in
verification emails to new users, if the user was created outside
of the regular register functionality.
2015-04-26 14:55:12 +02:00
patrick brisbin
3564e1f746
Add AuthenticationResult and authenticate function
...
- getAuthId returns Maybe AuthId with no useful information in the
Nothing case.
- AuthenticationResult includes whether it was a User or Server error
(with an accompanying message) in the failure case.
- User errors are displayed back to the user and have a 401 status in
JSON responses. Server errors are logged and a generic error message
is presented to the user, with a 500 status in JSON responses.
Resolves #956
2015-03-23 18:01:26 -04:00
Joel Taylor
dbd5fbfea2
add pragmas
2015-02-22 17:18:13 -08:00
Michael Snoyman
d82d3843b4
Version bump
2015-02-19 08:33:41 +02:00
Konstantin Zudov
18a8513e38
Save the access_token only from special handler
2015-02-16 14:16:26 +02:00
Konstantin Zudov
7ed5d4ad39
Added means to fetch user's Google profile
...
The existing GoogleEmail2 auth did that:
- Acquire user access token with offline access
- Use token to acquire user's profile
- Build `Creds` with user's email as `ident` and the other profile
details as stringy key-value pairs in `credsExtra`
This wasn't enough for me, for several reasons:
- Access token was not saved after authentication. If we request an 'offline'
token, why not have a way of using it later.
- Stringy key-value profile is not nice and `credsExtra` can be accessed
only from `getAuthId`
- I might want to request the profile after authentication process
So I've added the needed features.
- The access token is saved in a session
- There is a `Person` type with `FromJSON` instance and `getPerson`
can be used to acquire it from `HandlerT`
2015-02-16 09:44:13 +02:00
Félix Sipma
9c1a970305
Updated French translation of Yesod.Auth.Message.
2015-01-07 19:40:37 +01:00
gxtaillon
c9dff10bd1
Updated French translation of Yesod.Auth.Message.
2014-12-28 00:51:43 -05:00
Артур Файзрахманов
7875b6aa87
Support "Logout" message
...
Added support for `Logout` message, all translations made with Google
Translate, except: Russian translation (by hand) and Dutch translation
(not translated)
2014-12-22 01:19:47 +05:00
Mats Rietdijk
0678281352
Adds missing Dutch translation and improves another translation
2014-11-19 23:02:35 +01:00
Mats Rietdijk
31fb28850c
Adds Dutch translations to yesod-auth
2014-11-19 22:47:32 +01:00
Paul Rouse
fbb0313589
Redirect dynamically in GoogleEmail2 login page
2014-10-21 09:09:34 +01:00
Greg Weber
510f70d5b3
fix typos
2014-09-24 08:07:15 -07:00
Greg Weber
01339ad528
add some documentation for Yesod.Auth.Email
2014-09-24 07:47:13 -07:00
Michael Snoyman
f86d181377
Merge branch 'master' into yesod-1.4
2014-09-21 00:07:11 +03:00
Greg Weber
629df4a291
add required attribute
2014-09-17 12:31:42 -07:00
Greg Weber
8c2542eb8c
add required attribute
2014-09-17 09:28:26 -07:00
Greg Weber
448b33d1cc
fix confirmation email status
...
I screwed this up in a big re-factoring in 153654ad
2014-09-16 18:49:45 -07:00
Greg Weber
4f95cb9f64
Merge pull request #825 from yesodweb/confirm-email-status
...
Confirm email status
2014-09-16 20:49:05 -05:00
Greg Weber
2a30519169
fix some import warnings
2014-09-16 18:13:28 -07:00
Greg Weber
1067816b5d
fix confirmation email status
...
I screwed this up in a big re-factoring in 153654ad
2014-09-16 18:10:40 -07:00
Greg Weber
ec6fd486b6
remove the id_token parameter
...
We saw this error:
Internal Server Error
key "id_token" not present
2014-09-11 13:19:20 -07:00
Michael Snoyman
2b01c38d60
Added missing pragma
2014-09-08 07:11:38 +03:00
Michael Snoyman
587080dbff
Merge pull request #797 from wuzzeb/master
...
Include google person information in the credsExtra field for GoogleEmail2 auth
2014-08-17 11:20:29 +03:00
John Lenz
2a6956a85c
Small fixes to adding person info to creds extra for google auth
2014-08-15 21:17:52 -05:00
Kadzuya OKAMOTO
1fe72e8351
fixed Japanese message
2014-08-15 12:57:39 +09:00
John Lenz
8cc1accc11
Include google person information in the credsExtra field for GoogleEmail2 auth
2014-08-05 22:46:55 -05:00
Michael Snoyman
4fd1f76b17
Merge pull request #792 from geraldus/auth-minor-improvements
...
pre-baked Route Auth value
2014-08-03 13:09:35 +03:00
Артур Файзрахманов
ed53d46adc
Type signature fix
2014-08-03 16:07:16 +06:00
Артур Файзрахманов
13f0eb3895
pre-baked Route Auth value
...
Added forwardUrl alias for `PluginR "browserid" []` as in other plugins
(e.g. GoogleEmail2 and OpenID).
2014-08-03 16:02:52 +06:00
Артур Файзрахманов
30be70918f
added messages for Russian language
...
`.cabal` unchanged, need version bump
2014-07-28 23:13:31 +06:00
Michael Snoyman
28c366a3b3
Add back conduit 1.0 support #757
2014-06-16 09:07:04 +03:00
Michael Snoyman
96caaf31d8
GoogleEmail2
2014-06-01 16:10:47 +03:00
Michael Snoyman
e35836bbc1
Include patched pwstore-fast implementation.
...
See: https://github.com/PeterScott/pwstore/pull/10
2014-05-11 15:43:06 +03:00
Michael Snoyman
ddc622485a
Merge pull request #735 from axel-angel/master
...
Auth.Email: modern buttons, use translation RegisterLong
2014-05-09 07:31:04 +03:00
Axel Angel
da034e7beb
Translate missing French messages
2014-05-09 00:50:13 +02:00
Axel Angel
bd1b5b1ef1
Auth.Email: modern buttons, use translation RegisterLong
2014-05-09 00:29:50 +02:00
Michael Snoyman
bdcb174830
Remove pureMD5 and SHA deps
2014-03-26 15:21:37 +02:00
Michael Snoyman
57442abaae
Remove HashDB
2014-03-21 08:48:15 +02:00
Greg Weber
b1cdf072ad
Merge branch 'master' into auth-json-2
...
Conflicts:
yesod-auth/Yesod/Auth.hs
yesod-auth/Yesod/Auth/Email.hs
yesod-auth/yesod-auth.cabal
2014-03-20 14:38:14 -07:00
Max Cantor (MBPr)
6182ecb256
Correct Cabal Version and Added createOnClickOverride to BrowserId
2014-03-04 15:24:08 -08:00
Felipe Lessa
6f7e8c8e04
Allow Yesod.Auth.Email handlers to be overridden.
...
The main purpose is to allow more customization of the Yesod.Auth.Email
handlers by not only changing the CSS but also the DOM.
2014-02-25 19:28:09 -03:00
Felipe Lessa
9e6db27be2
Sync normalizeEmailAddress' doc to current code.
2014-02-25 19:11:44 -03:00
Felipe Lessa
9f7031d9dd
Whitespace.
2014-02-25 19:10:02 -03:00
Felipe Lessa
71558d3342
Increase Yesod.Auth.Email pwstore strength to the recommended minimum of 14.
2014-02-25 19:08:50 -03:00
Michael Snoyman
98b64cd17c
Security warnings for Yesod.Auth.HashDB #668
2014-02-22 19:22:47 +02:00
Greg Weber
d817d37c9c
yesod-auth: user defined layout
2014-01-08 14:35:13 -08:00
Greg Weber
153654adb9
yesod-auth: send json responses
2014-01-08 12:19:45 -08:00