openproject

Commit Graph

Author	SHA1	Message	Date
Oliver Günther	5920ace376	[37024] Make system user permanent admin (#9192 ) * [37024] Make system user permanent admin https://community.openproject.org/wp/37024 * Yield self from run_given * Fix count for admin in bim seeder	4 years ago
ulferts	1bdd2ab9ae	safe automatic fixes by rubocop (#8994 )	4 years ago
Oliver Günther	38ecb6b28c	[32486] Use error response for unauthenticated instead of warden Instead of warden responding with 401 "unauthorized", use our own error response that correctly sets the `WWWW-Authenticat` header. We tripped into the default 401 error that does not output any headers if we're not returning any users. This was caused by another issue: The `session` object may be present, even though no session id exists. Checking `session&.id` instead always yields the anonymous user. This will ensure consumers of APIV3 to always get a JSON / HAL response as well. https://community.openproject.com/wp/32486	5 years ago
Oliver Günther	56a75602a6	[31609] Make system user active	5 years ago
Oliver Günther	19e06b3fc1	Don't break session auth if fallback session provided When no session is provided (e.g., just curl an attachment URL), Rack will still give you a session that is empty, which of course has TTL attribute outdated if being checked for it. Thus we accept an empty placeholder session as valid as long there are no attributes. The only user authenticatable through it is `User.anonymous`.	5 years ago
Oliver Günther	0311ec1934	Disable BasicAuthFailure when basic auth config not enabled	5 years ago
Jens Ulferts	90cade534c	ensure redirecting to oauth2 consent after login Placing the back_url in the session does not suffice as session initialization in most cases will reset the back_url stored in the session. But even in those cases is the session value then set to the value in params	6 years ago
Oliver Günther	95352a423c	Add client credentials spec	6 years ago
Oliver Günther	9e72c05ed3	Implement client credentials flow with a custom user_id	6 years ago
Oliver Günther	e41d85e9c7	Implement OAuth applications CRUD	6 years ago
Oliver Günther	38c8ca1ac1	Add OAuth with warden	6 years ago
Oliver Günther	7d8526d77f	Allow Session requests on GET without frontend header This is required since now attachments are displayed through apiv3 URLs. GET requests are safe to request without the header present.	6 years ago
ulferts	c88b0b85c4	return proper WWW Authenticate header on missing credentials (#6150 ) An anonymous_fallback is introduced and registered to be the last strategy for warden. That strategy will always apply and it will always return the anonymous user. The better way would be to only apply the strategy if login is not required. That way we would still be able to return a 403 when credentials are missing but would no longer need to have 401 handlers outside of warden. That duplicity caused the missing header in the first place. It would however require us to handle the realm in the strategy and by that increase the coupling between the strategy and the application. [ci skip]	7 years ago
Oliver Günther	988d96c241	Restrict session API authentication to X-Requested-With	7 years ago
Oliver Günther	5d84add246	Expire sessions in warden auth scope	7 years ago
Oliver Günther	0fbb9c6168	Provide configuration option for basic auth API access This adds: 1. A configuration option `apiv3_enable_basic_auth` to determine whether v3 may use the basic auth strategies 2. Extensions to the warden strategies to disable them unless configured	8 years ago
Markus Kahl	a770bf762c	follow warden default, which is true for store	9 years ago
Markus Kahl	c33c9b60e3	looks like the store default is true	9 years ago
Markus Kahl	3865ce4f1f	polish	9 years ago
Markus Kahl	bcd981df5c	consider X-Authentication-Scheme; opt scoped realm	9 years ago
Alex Coles	a6212fb304	Fix syntax (w/Rubocop) in lib code Signed-off-by: Alex Coles <alex@alexbcoles.com>	9 years ago
Markus Kahl	1d0146dfda	amended comment	10 years ago
Markus Kahl	be08d64991	do nothing when configuration is missing altogether	10 years ago
Markus Kahl	2a465785d1	allow digit-only but not empty passwords	10 years ago
Markus Kahl	27868f5c75	allow custom responses for authentication failures	10 years ago
Markus Kahl	1814455eb7	failure_app has to be instance	10 years ago
Markus Kahl	28c81dfad0	use existing method to find user via api key	10 years ago
Markus Kahl	4957750270	wrapped comment	10 years ago
Markus Kahl	7e40c11ca4	moved strategies; refactoring	10 years ago
Markus Kahl	e4dbfeef3a	hound	10 years ago
Markus Kahl	c01902c45e	clean up	10 years ago
Markus Kahl	d4dfdb9dcc	use API keys for user basic auth; refactoring	10 years ago
Markus Kahl	6cb6953a07	basic auth for api v3 (WIP)	10 years ago

34 Commits (ff0acd980de60519c3dd02ac486be186d7849b39)