Thomas Lynch
9d695b902c
eslint fix
2 years ago
Thomas Lynch
3f53c60a73
Handle form submissions to login with no twofactor body field because otp module wants at least a string
2 years ago
Thomas Lynch
79c45eda4d
Change login flow to always check both 2FA, update CHANGELOG
2 years ago
Thomas Lynch
f4328812f2
Add e2e tests for twofactor
Remove some cruft from package-lock from speakeasy
Add guard in dotwofactor for no/null (not blank) twofactor
2 years ago
Thomas Lynch
29bb4856ab
2fa improvements
- Don't allow code re-use, successfully used codes will be invalid on repeated use for the window time
- Don't attach the full twofactor secret to user object in session for security. Only store a boolean if it's enabled for rendering, checks, etc. The full account should be fetched first before doTwoFactor()
- Better names for some keys of twofactor redis stuff
2 years ago
Thomas Lynch
d9288a137a
Refactor new OTPAuth...validate pattern, remove await -- it isn't and shouldn't be async
2 years ago
Thomas Lynch
b93bab7faf
Switch speakeasy -> otpauth (maintained, more modern, actively developed)
Remove dev debug skip of 2fa generation ratelimit
Shorten totp validity window
Remove ugly stuff from login/changepassword forms, change wording
2 years ago
Thomas Lynch
4d86406483
Initial commit of 2FA for accounts, TOTP-based
2 years ago
Thomas Lynch
e047782249
eslint lib, migrations, db, models, test, schedules and root dir
2 years ago
Thomas Lynch
bb582c2de8
"helpers" -> "lib"
god help anybody who gets serious merge conflicts from this
close #434
2 years ago
Thomas Lynch
18b58202e7
show last active date for accounts in globalmanage accounts page close #236
NOTE: based on last time session was refreshed and updated from db ~1h, or when a user logs in
4 years ago
some random guy
cd789dba0c
remove unnecessary user object from session
It only had a single property, username.
4 years ago
some random guy
0190ae5a0b
less garbage in session store
authenticated: same as `user != null`
user.authLevel, user.ownedBoards, user.modBoards: refreshed by sessionrefresh on
each request anyways, so it doesn't make much sense to store them in the session
store too.
4 years ago
some random guy
6f1ab5292f
safer redirects with login/logout
* properly escape goto parameter
* do not redirect to anywhere, only to the same server, no query parameters
This should still allow valid targets, like `/account.html`,
`/boardname/manage/whatever` while disallowing things like `https://othersite.com`.
4 years ago
fatchan
a0d0394e62
dynamicresponse everything
5 years ago
fatchan
2b4e631756
accounts page, list owned and mod boards in accounts, show on global manage and accounts page
5 years ago
fatchan
8c09b8bd58
add db index file and destructure to reduce repetitive imports
5 years ago
fatchan
12f1df0e9c
refactor, all orm controllers now separate ^-^
5 years ago
fatchan
f5d859c71e
redirect to correct page on login or manage
5 years ago
fatchan
a818a25e91
generate and save html to disk. actions that would cause a page to change delete the html. on the next visit, nginx will try_files, else pass to the backend which will generate the page again. CURRENTLY DOES NOT SUPPORT POST ACTIONS e.g. deletes, spoiler, sticky, etc will not cause pages to be deleted for future rebuilding. that's coming in next commits. consider this the start of actual smart building strategy to prevent templating and db hits unnecessarily. where it's possible to serve a plain html page, we will do so.
5 years ago
fatchan
ff4f6c4758
stop calling that a model
5 years ago
fatchan
c4243d1f81
markdown fix and simpler login check/redirect
5 years ago
fatchan
3c327862d9
some pages redirect after logging in
5 years ago
fatchan
db963d4607
global and board IP bans, improved error handling, improved permissions checks
5 years ago
fatchan
b42a7eafdf
rename, restructure api vs forms naming + correct delete permissions
6 years ago
fatchan
e00c6d2fff
Basic registration and login with model and controllers
6 years ago