- Don't allow code re-use, successfully used codes will be invalid on repeated use for the window time
- Don't attach the full twofactor secret to user object in session for security. Only store a boolean if it's enabled for rendering, checks, etc. The full account should be fetched first before doTwoFactor()
- Better names for some keys of twofactor redis stuff
Add warning to twofactor.html that other sessions will be logged out and they have to log in again
Change cache-control header to no-cache, even though private is secure (prevent showing cached page without outdated secret)
Close#479 add endpoints for board and global settings.json to api with options that would be useful for a 3rd party app. Add the associated tasks, calls to them in settings.
Small change and add comments in lib/build/render.
Generators changes:
- take captchaoptions as argument, so no longer require config.get or captchas db imports
- return the captcha object (gm instance) and solution (whatever).
The model itself inserts the solution to db, gets captchaid for filename and cookie, and writes the image to disk.
Slightly cleaner imo, and makes the captcha generators more testable without requiring any mocking for DB/config.
re: the captcha one, roundrobin = too fast expiring, sampling expireAfter $gte some time = possible to not get returned a captcha. so sticking with random. been working fine.
still todo migration
"ips" will make more sense for staff now
qrange/hrange no longer need to be stored
bypass still work like before. will have .BP suffix, normal ips are .IP
filtering and stuff still works
bans page will now show .*'s in the cloaked view for range bans
in future version, this allows (even for those who can't see raw ips):
- modlog, bans, post history filters including per-range
- directly input ips/range cloak to ban, without selecting a post
- upgrading existing bans from single to ranges
because rewriting the whole page can be annoying and you couldn't access the text without styling
also can change .html name, maybe that will get removed but it works atm.
still needs more tweaks and proper testing
models and controllers aren't done, things won't work yet.
added a migration and updated the template.js with some new needed values,
changed "banners" in manage to "assets" since it will hold both now
refactor the banners file form into a mixin since it's basically repeated for flags,
and make it a tad more customisable
i *think* the migration from previous version will work.
made the version to 0.1.0 because i'm sick of 0.0.10000 and this is kinda a big change.
close#334
add a few missing fields to paramconverter
make dnsbl cache time divided since it takes the time format
make redis print when it gets a message if debuglogs are on