| Age | Commit message | Author |
|---|---|---|
| 2021-04-21 | Add latest changes from gitlab-org/gitlab@13-11-stable-eev13.11.0-rc43 | GitLab Bot |
| 2020-10-21 | Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42 | GitLab Bot |
| 2020-09-19 | Add latest changes from gitlab-org/gitlab@13-4-stable-ee | GitLab Bot |
| 2020-09-01 | Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee | GitLab Bot |
| 2020-08-20 | Add latest changes from gitlab-org/gitlab@13-3-stable-ee | GitLab Bot |
| 2020-07-20 | Add latest changes from gitlab-org/gitlab@13-2-stable-ee | GitLab Bot |
| 2020-05-20 | Add latest changes from gitlab-org/gitlab@13-0-stable-ee | GitLab Bot |
| 2020-03-13 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot |
| 2020-01-08 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot |
| 2019-12-20 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot |
| 2019-12-11 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot |
| 2019-11-17 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot |
| 2019-10-10 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot |
| 2019-09-30 | Validate that SAML requests are originated from gitlab | Sebastian Arcila Valenzuela |
| | If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509 | |
| 2019-09-30 | Add checking for email_verified key | Małgorzata Ksionek |
| | Fix rubocop offences and add changelog. Add email_verified key for feature specs. Add code review remarks. Add code review remarks. Fix specs. | |
| 2019-09-13 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot |
| 2019-07-26 | Ensure Warden triggers after_authentication callback | Imre Farkas |
| | By not triggering the callback: - ActiveSession lookup keys are not cleaned - Devise also misses its hook related to session cleanup | |
| 2019-05-06 | CE changes for SSO web enforcement | James Edwards-Jones |
| | Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level! | |
| 2019-04-08 | Externalize strings in flash messages | Martin Wortschack |
| | - Externalize strings in controllers - Update PO file | |
| 2019-03-19 | Move out link/unlink ability checks to a policy | Pavel Shutsin |
| | We can extend the policy in EE for additional behavior | |
| 2019-02-06 | Backport build_auth_user for GroupSAML callback | James Edwards-Jones |
| 2019-02-04 | Avoid CSRF check on SAML failure endpoint | James Edwards-Jones |
| | SAML and OAuth failures should cause a message to be presented, as well as logging that an attempt was made. These were incorrectly prevented by the CSRF check on POST endpoints such as SAML. In addition we were using a NullSession forgery protection, which made testing more difficult and could have allowed account linking to take place if a CSRF was ever needed but not present. | |
| 2019-01-10 | Addressing peer review feedback. | Scott Escue |
| | Replacing inline JS with ES 2015 functions included in pages/sessions/new. Also applying suggested server-side syntax improvements to OmniAuthCallbacksController. | |
| 2019-01-10 | Preserve URL fragment across sign-in and sign-up redirects | Scott Escue |
| | If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers. | |
| 2018-09-19 | Enable frozen string in app/controllers/**/*.rb | gfyoung |
| | Enables frozen string for the following: * app/controllers/*.rb * app/controllers/admin/**/*.rb * app/controllers/boards/**/*.rb * app/controllers/ci/**/*.rb * app/controllers/concerns/**/*.rb Partially addresses #47424. | |
| 2018-06-25 | Honor saml assurance level to allow 2FA bypassing | Roger Rüttimann |
| 2018-06-21 | [Rails5] Force the `protect_from_forgery` callback run first | blackst0ne |
| | Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by default anymore. [1] Instead it gets inserted into callbacks chain where callbacks get called in order. This commit forces the callback to run first. [1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191 | |
| 2018-05-21 | Backport helpers from GroupSAML failure messages | James Edwards-Jones |
| 2018-05-04 | Backport IdentityLinker#failed? from GroupSaml callback flow | James Edwards-Jones |
| 2018-04-30 | Exclude LDAP from OmniauthCallbackController base methods | James Edwards-Jones |
| 2018-04-23 | Replace define_method with alias_method in Omniauth Controllers | James Edwards-Jones |
| 2018-04-23 | Unify Saml::IdentityLinker and OAuth::IdentityLinker | James Edwards-Jones |
| 2018-04-23 | Show error on failed OAuth account link | James Edwards-Jones |
| 2018-04-23 | Refactor OmniauthCallbacksController to remove duplication | James Edwards-Jones |
| | Moves LDAP to its own controller with tests. Provides path forward for implementing GroupSaml. | |
| 2018-03-22 | Writes specs | Tiago Botelho |
| 2018-03-22 | Tracks the number of failed attempts made by a user trying to authenticate with any external authentication method | Tiago Botelho |
| 2018-03-21 | Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6' | James Lopez |
| | [10.6] Fix GitLab Auth0 integration signs in the wrong user. See merge request gitlab/gitlabhq!2354 | |
| 2018-02-28 | Moved o_auth/saml/ldap modules under gitlab/auth | Horatiu Eugen Vlad |
| 2018-02-02 | use Gitlab::UserSettings directly as a singleton instead of including/extending it | Mario de la Ossa |
| 2018-01-17 | Merge branch 'jej/fix-disabled-oauth-access-10-3' into 'security-10-3' | Robert Speicher |
| | [10.3] Prevent login with disabled OAuth providers. See merge request gitlab/gitlabhq!2296 (cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c) a0f9d222 Prevents login with disabled OAuth providers | |
| 2018-01-11 | Adds Rubocop rule for line break around conditionals | 🙈 jacopo beschi 🙉 |
| 2017-11-23 | Allow password authentication to be disabled entirely | Markus Koller |
| 2017-11-17 | Changing OAuth lookup to be case insensitive | Francisco Javier López |
| 2017-08-24 | Define ldap methods at runtime | Bob Van Landuyt |
| | This avoids loading the `OmniAuthCallbacksController` at boot time so it doesn't mess up the `before_action`-chain | |
| 2017-08-15 | Enable Layout/TrailingWhitespace cop and auto-correct offenses | Robert Speicher |
| 2017-08-07 | [EE Backport] Update log audit event in omniauth_callbacks_controller.rb | James Lopez |
| 2017-07-06 | Fix build for !11963. | Timothy Andrew |
| | - Don't use `request.env['omniauth.params']` if it isn't present. - Remove the `saml` section from the `gitlab.yml` test section. Some tests depend on this section not being initially present, so it can be overridden in the test. This MR doesn't add any tests for SAML, so we didn't really need this in the first place anyway. - Clean up the test -> omniauth section of `gitlab.yml` | |
| 2017-07-06 | Implement "remember me" for OAuth-based login. | Timothy Andrew |
| | - Pass a `remember_me` query parameter along with the initial OAuth request, and pick this parameter up during the omniauth callback from `request.env['omniauth.params']`. - For 2FA-based login, copy the `remember_me` param from `omniauth.params` to `params`, which the 2FA process will pick up. - For non-2FA-based login, simply call the `remember_me` devise method to set the session cookie. | |
| 2017-06-21 | Enable Style/DotPosition Rubocop :cop: | Grzegorz Bizon |
| 2017-05-05 | Update design of auth error page | Annabel Dunstone Gray |