phorge-phorge

revi-archive/phorge-phorge

Fork 0

mirror of https://we.phorge.it/source/phorge.git synced 2024-12-28 08:20:57 +01:00

Commit graph

Author	SHA1	Message	Date
epriestley	d75007cf42	Validate logins, and simplify email password resets Summary: - There are some recent reports of login issues, see T755 and T754. I'm not really sure what's going on, but this is an attempt at getting some more information. - When we login a user by setting 'phusr' and 'phsid', send them to /login/validate/ to validate that the cookies actually got set. - Do email password resets in two steps: first, log the user in. Redirect them through validate, then give them the option to reset their password. - Don't CSRF logged-out users. It technically sort of works most of the time right now, but is silly. If we need logged-out CSRF we should generate it in some more reliable way. Test Plan: - Logged in with username/password. - Logged in with OAuth. - Logged in with email password reset. - Sent bad values to /login/validate/, got appropriate errors. - Reset password. - Verified next_uri still works. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: aran, btrahan, j3kuntz Maniphest Tasks: T754, T755 Differential Revision: https://secure.phabricator.com/D1353	2012-01-11 08:25:55 -08:00
epriestley	d3efdcff03	Modularize oauth.	2011-02-27 20:38:11 -08:00
epriestley	03fec6e911	PhabricatorEnv 'infratructure' -> 'infrastructure' (rofl) Recaptcha Email Login / Forgot Password Password Reset	2011-01-31 11:55:26 -08:00

Author

SHA1

Message

Date

epriestley

d75007cf42

Validate logins, and simplify email password resets

Summary:
  - There are some recent reports of login issues, see T755 and T754. I'm not
really sure what's going on, but this is an attempt at getting some more
information.
  - When we login a user by setting 'phusr' and 'phsid', send them to
/login/validate/ to validate that the cookies actually got set.
  - Do email password resets in two steps: first, log the user in. Redirect them
through validate, then give them the option to reset their password.
  - Don't CSRF logged-out users. It technically sort of works most of the time
right now, but is silly. If we need logged-out CSRF we should generate it in
some more reliable way.

Test Plan:
  - Logged in with username/password.
  - Logged in with OAuth.
  - Logged in with email password reset.
  - Sent bad values to /login/validate/, got appropriate errors.
  - Reset password.
  - Verified next_uri still works.

Reviewers: btrahan, jungejason

Reviewed By: btrahan

CC: aran, btrahan, j3kuntz

Maniphest Tasks: T754, T755

Differential Revision: https://secure.phabricator.com/D1353

2012-01-11 08:25:55 -08:00

epriestley

d3efdcff03

Modularize oauth.

2011-02-27 20:38:11 -08:00

epriestley

03fec6e911

PhabricatorEnv

'infratructure' -> 'infrastructure' (rofl)
Recaptcha
Email Login / Forgot Password
Password Reset

2011-01-31 11:55:26 -08:00

3 commits