mastodon/config/initializers
Claire 6da135a493
Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged-in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00
0_post_deployment_migrations.rb
1_hosts.rb Fix host check on healthcheck path not being disabled (#16270) 2021-05-17 22:36:08 +02:00
2_whitelist_mode.rb
active_model_serializers.rb
application_controller_renderer.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
assets.rb
backtrace_silencers.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
blacklists.rb
cache_buster.rb
chewy.rb Support authentication for ElasticSearch (#16890) 2021-10-24 17:20:03 +02:00
content_security_policy.rb Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
cookies_serializer.rb
cors.rb
devise.rb Fix reviving revoked sessions and invalidating login (#16943) 2021-11-06 00:13:58 +01:00
doorkeeper.rb Fix app name, website and redirect URIs not having a maximum length (#16042) 2021-04-15 16:28:43 +02:00
fast_blank.rb
ffmpeg.rb
filter_parameter_logging.rb
http_client_proxy.rb
httplog.rb
inflections.rb Prepare Mastodon for zeitwerk autoloader (#15917) 2021-03-19 02:42:43 +01:00
json_ld.rb
kaminari_config.rb
mail_delivery_job.rb Fix mailer jobs for deleted notifications erroring out (#16294) 2021-05-24 03:02:46 +02:00
makara.rb Drop dependency on secure_headers, fix response headers (#15712) 2021-02-11 23:47:05 +01:00
mime_types.rb
oj.rb
omniauth.rb New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655) 2021-08-25 18:41:24 +02:00
open_uri_redirection.rb
paperclip.rb Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
permissions_policy.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
preload_link_headers.rb Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
premailer_rails.rb
rack_attack.rb Add POST /api/v1/emails/confirmations to REST API (#15816) 2021-03-01 18:39:47 +01:00
rack_attack_logging.rb
redis.rb
session_activations.rb
session_store.rb Add Ruby 3.0 support (#16046) 2021-05-06 14:22:54 +02:00
sidekiq.rb Add a Redis environment variable for sidekiq (#16188) 2021-05-09 10:40:17 +02:00
simple_form.rb
single_user_mode.rb
statsd.rb
stoplight.rb
strong_migrations.rb
suppress_csrf_warnings.rb Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
trusted_proxies.rb
twitter_regex.rb Minor memory optimizations (#16507) 2021-10-14 21:04:57 +02:00
vapid.rb
webauthn.rb
wrap_parameters.rb