1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 09:22:40 +01:00
phorge-phorge/src/applications/people/storage
epriestley d75007cf42 Validate logins, and simplify email password resets
Summary:
  - There are some recent reports of login issues, see T755 and T754. I'm not
really sure what's going on, but this is an attempt at getting some more
information.
  - When we login a user by setting 'phusr' and 'phsid', send them to
/login/validate/ to validate that the cookies actually got set.
  - Do email password resets in two steps: first, log the user in. Redirect them
through validate, then give them the option to reset their password.
  - Don't CSRF logged-out users. It technically sort of works most of the time
right now, but is silly. If we need logged-out CSRF we should generate it in
some more reliable way.

Test Plan:
  - Logged in with username/password.
  - Logged in with OAuth.
  - Logged in with email password reset.
  - Sent bad values to /login/validate/, got appropriate errors.
  - Reset password.
  - Verified next_uri still works.

Reviewers: btrahan, jungejason

Reviewed By: btrahan

CC: aran, btrahan, j3kuntz

Maniphest Tasks: T754, T755

Differential Revision: https://secure.phabricator.com/D1353
2012-01-11 08:25:55 -08:00
..
base Basic user/account tool. 2011-01-23 18:09:16 -08:00
log Move most remaining sha1() calls to HMAC 2011-12-19 08:56:53 -08:00
preferences Minor tweaks to Preferences 2011-03-31 16:07:14 -07:00
profile Slightly more sophisticated profiles. 2011-02-19 18:28:41 -08:00
user Validate logins, and simplify email password resets 2012-01-11 08:25:55 -08:00
useroauthinfo Store OAuth tokens and more OAuth account info. 2011-02-22 10:27:27 -08:00
usersshkey Allow users to associate SSH Public Keys with their accounts 2011-07-23 09:15:20 -07:00