path: root/perllib/FixMyStreet/App/Controller/Auth.pm
Commit message [Author, Age, Lines]

* Allow cobrands to skip 2FA requirement. [Matthew Somerville, 2019-12-09, -4/+7]
* Include areas in query param for inspector post-login redirect to all reports [Dave Arter, 2019-12-09, -18/+5]
  Performs a proper redirect instead of detaching to /my/inspector_redirect so any request params from sign-in (e.g. password!) aren't carried through.
* Switch to internal QR code generator. [Matthew Somerville, 2019-11-23, -2/+2]
* Fix password reset on 2FA accounts again. [Matthew Somerville, 2019-11-05, -2/+5]
  Just after fixing it, 3d593bc68 broke it again, because it took anyone who must have 2FA switched on to the must-have-2FA sign up flow, even if they already had 2FA set up.
* Add optional enforced password expiry. [Matthew Somerville, 2019-11-04, -2/+21]
* If 2FA enforced, do it for an email login as well. [Matthew Somerville, 2019-10-30, -0/+31]
* Fix password reset on 2FA accounts. [Matthew Somerville, 2019-10-30, -4/+21]
* Allow enforcement of 2FA for staff users. [Matthew Somerville, 2019-10-30, -0/+5]
* Allow non-superusers to store 2FA secrets. [Matthew Somerville, 2019-10-28, -1/+1]
* Always return a name string if login successful. [Matthew Somerville, 2019-08-22, -1/+2]
  The app checks if name is set as a test for successful login.
* Allow OIDC auth to provide its own ‘change password’ URI [Dave Arter, 2019-08-16, -4/+6]
* Add test for OIDC logout redirection [Dave Arter, 2019-08-16, -1/+7]
* Add support for OIDC logout [Dave Arter, 2019-08-16, -0/+6]
* Allow cobrand to store extra fields on user when logging in via oauth [Dave Arter, 2019-08-16, -1/+6]
* Add OpenID Connect login functionality [Dave Arter, 2019-08-16, -11/+19]
* Set user’s name when creating user via OAuth [Dave Arter, 2019-08-16, -0/+3]
* Simplify /auth sign in page. [Matthew Somerville, 2018-11-09, -6/+14]
* Move all test endpoints under /_dev. [Zarino Zappia, 2018-08-29, -5/+0]
* add a send login email button to user edit page [Struan Donald, 2018-06-25, -1/+2]
  Add a button to the user edit page that sends a login token email to the user. Helpful for user support situations where someone is having trouble logging in. Also for situations where you have added a user and want to get them logged in. Fixes #2041
* Use CSV escaping for categories in URLs. [Matthew Somerville, 2018-06-21, -1/+1]
  Categories could contain commas, so splitting on comma is not good enough. Let’s escape the fields as if it’s a line in CSV. Fixes #2166.
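The encoding described in the commit above, as an added Python illustration that is not FixMyStreet's own (Perl) code: a category list is written as one CSV record, percent-encoded into the redirect URL, and parsed back, with the naive comma join beside it to show why a category containing a comma breaks it. The sample category names, the /reports path and the filter_category parameter name are assumptions made for this example.

```python
import csv
import io
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample input: the second name contains a comma, which is exactly
# the case that defeats joining on "," and splitting on "," again.
SAMPLE_CATEGORIES = ["Potholes", "Flytipping, dumped rubbish", "Street lighting"]


def join_naive(categories):
    """The fragile encoding: a bare comma-separated string."""
    return ",".join(categories)


def split_naive(value):
    """Splitting the fragile encoding cannot tell a separator from a literal comma."""
    return value.split(",")


def encode_categories(categories):
    """Encode the list as one CSV record without a line terminator.

    csv.writer quotes any field containing a comma, a quote or a newline and
    doubles embedded quotes, so the record can be parsed back unambiguously.
    """
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(categories)
    return buf.getvalue()


def decode_categories(value):
    """Parse one CSV record back into the list of category names."""
    if value == "":
        return []
    return next(csv.reader([value]))


def build_reports_url(categories, base="/reports"):
    """Build the post-login redirect. urlencode percent-encodes the CSV record,
    so commas and quotes also survive the URL layer. The filter_category
    parameter name is an assumption made for this example."""
    return base + "?" + urlencode({"filter_category": encode_categories(categories)})


def categories_from_url(url):
    """Recover the category list from a redirect URL built above."""
    params = parse_qs(urlsplit(url).query)
    return decode_categories(params.get("filter_category", [""])[0])
```

Two layers of escaping are involved and they must be undone in the reverse order: the URL layer (percent-encoding) first, then the CSV quoting. Whoever consumes the redirect must use a CSV parser rather than `split(",")`, otherwise the original bug simply moves to the other end.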
* Merge branch '2fa-superuser' [Matthew Somerville, 2018-02-07, -0/+8]
  * Allow two-factor to work during creation flow. [Matthew Somerville, 2018-02-07, -0/+5]
  * Add two-factor authentication for superusers. [Matthew Somerville, 2018-02-07, -0/+3]
* Merge branch 'password-tests' [Matthew Somerville, 2018-02-06, -2/+56]
  * Add length/common password checking. [Matthew Somerville, 2018-02-06, -2/+56]
* Increase bcrypt cost. [Matthew Somerville, 2018-02-01, -0/+6]
  Though when running tests, decrease it for speed.
* Add an access token authentication credential. [Matthew Somerville, 2017-11-29, -0/+2]
  This allows access if you have a token associated with your user.
* Accept +1 geographic numbers as possibly mobile. [Matthew Somerville, 2017-10-05, -1/+1]
  We have no way of knowing whether a +1 geographic number is fixed line or mobile, so accept them all as potentially mobile.
* Allow verify/change/add email/phone in profile. [Matthew Somerville, 2017-09-30, -13/+15]
  This expands the 'change email' functionality to work with phone numbers also, allowing addition of missing details and verification of unverified details.
* Adapt things that assume email will be present. [Matthew Somerville, 2017-09-30, -1/+2]
  This includes stopping some emails being sent (moderation, alert, questionnaire), dealing with Open311/email report sending, and tokenised_url.
* Add ability to log in on /auth via text. [Matthew Somerville, 2017-09-30, -47/+66]
  A confirmation code is sent via Twilio to be entered on the site.
* Add 'verified' database columns for email/phone. [Matthew Somerville, 2017-09-30, -2/+2]
  These are so we can state whether a user's email address or phone number has been verified by confirmation email/text.
* Move some auth functions to their own controllers. [Matthew Somerville, 2017-09-30, -249/+2]
  Move the social auth functions to Auth::Social, and the change email/password functions to Auth::Profile. There are no actual code changes.
* Add SIGNUPS_DISABLED config flag [Dave Arter, 2017-08-31, -0/+20]
* Don't redirect if logged in & auth form submitted. [Matthew Somerville, 2017-08-08, -1/+1]
  If you submit the auth form (as opposed to clicking a link to something that redirects to the auth form), we should assume you want to treat that as a login.
* Make sure all MapIt tests can run offline. [Matthew Somerville, 2017-03-23, -1/+1]
* Use Token params for redirect on login [pezholio, 2017-02-15, -3/+7]
  Tokens can include a 'p' field in their data to set query params for the post-login redirect URL.
* Redirect to category-filtered /reports on login [Dave Arter, 2017-02-14, -1/+20]
  If the user has a from_body and at least one category set.
* Follow redirect to /admin after login if allowed [Dave Arter, 2017-02-14, -1/+1]
* Lowercase email when signing in. [Matthew Somerville, 2017-01-26, -0/+1]
* Make sure csrf_time is deleted after use. [Matthew Somerville, 2017-01-12, -2/+3]
  If an out-of-date token was passed to check_csrf_token, then no new token would be output on the error page because csrf_time was still present.
* Return 400/500 for some client/server errors. [Matthew Somerville, 2016-12-16, -8/+5]
* Use normal user authentication to control access to /admin [Matthew Somerville, 2016-07-19, -1/+1]
  - Adds is_superuser flag to User
  - Logged-in user must be a superuser or have from_body set in order to access anything within /admin
  - has_permission_to on a superuser will always return true
  - Only superusers can create/grant superusers
  - New `createsuperuser` command for creating superusers
* Fix CSRF issue with new login during process. [Matthew Somerville, 2016-07-05, -0/+3]
  If you had no session cookie, started reporting a problem, logged in through that process, you would then get a CSRF error as the token had been created before the session was.
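An added Python sketch, not the project's Perl code, of a timestamped, session-bound CSRF token that illustrates both this commit and the earlier "Make sure csrf_time is deleted after use" entry. The token layout "<issued>-<mac>", the Request and ensure_session helpers, the server secret and TOKEN_MAX_AGE are assumptions made for the illustration; the delete_stash and create_session switches exist only to reproduce the before/after behaviour the two commit messages describe.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment loads it from configuration.
SECRET = b"constructed-example-secret"
# Assumed token lifetime in seconds; the page does not state the project's value.
TOKEN_MAX_AGE = 3600


def _sign(session_id, issued):
    """HMAC-SHA256 over (session id, issue time). The secret never leaves the server."""
    msg = f"{session_id}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class Request:
    """Stand-in for one request context: the session id (None until a session
    cookie exists) and a per-request stash that holds csrf_time."""

    def __init__(self, session_id=None):
        self.session_id = session_id
        self.csrf_time = None

    def ensure_session(self):
        """Create a session, as issuing a session cookie would, if none exists."""
        if self.session_id is None:
            self.session_id = secrets.token_hex(8)
        return self.session_id

    def get_csrf_token(self, now, create_session=True):
        """Mint "<issued>-<mac>". A stashed csrf_time is reused so that
        check_csrf_token can regenerate the exact token it is verifying."""
        if create_session:
            self.ensure_session()
        issued = self.csrf_time if self.csrf_time is not None else now
        return f"{issued}-{_sign(self.session_id, issued)}"

    def check_csrf_token(self, token, now, delete_stash=True):
        """True if token was minted for this session and is at most
        TOKEN_MAX_AGE old. delete_stash=False reproduces the bug fixed by
        'Make sure csrf_time is deleted after use'."""
        issued_str, _, _ = token.partition("-")
        if not issued_str.isdigit():
            return False
        issued = int(issued_str)
        self.csrf_time = issued
        expected = self.get_csrf_token(now, create_session=False)
        if delete_stash:
            self.csrf_time = None
        fresh = 0 <= now - issued <= TOKEN_MAX_AGE
        # Constant-time comparison on bytes so a non-ASCII token cannot raise.
        return hmac.compare_digest(token.encode(), expected.encode()) and fresh


def retry_after_failure(req, token, now, delete_stash):
    """Run a failing check, then render the error page's retry form, which
    asks for a new token. Returns (check_result, token_on_error_page)."""
    ok = req.check_csrf_token(token, now, delete_stash=delete_stash)
    return ok, req.get_csrf_token(now)


def report_flow(now, create_session_first):
    """Form rendered with no session cookie, user logs in during the flow
    (which creates the session), then the form's token is checked."""
    req = Request(session_id=None)
    token = req.get_csrf_token(now, create_session=create_session_first)
    req.ensure_session()  # login creates the session cookie
    return req.check_csrf_token(token, now + 60)
```

With delete_stash=False the error page re-issues the very token that just expired, because get_csrf_token reuses the stashed csrf_time; with create_session=False the token is signed before any session exists, so the login that creates the session invalidates it. Both failures are invisible to a unit test that only checks a fresh token against its own session, which is why the two flows above are exercised end to end.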
* Allow users to update their email address. [Matthew Somerville, 2016-06-20, -6/+56]
* Improve CSRF tokens and add to more forms. [Matthew Somerville, 2016-06-20, -3/+37]
* Improve auth flow taken when return key used. [Matthew Somerville, 2016-06-20, -5/+6]
* Add Twitter social login. [Matthew Somerville, 2016-04-08, -16/+93]
* Add login by Facebook on generic auth screen. [Matthew Somerville, 2016-01-22, -12/+16]
* Add login by Facebook when reporting. [Matthew Somerville, 2016-01-22, -0/+108]