fef
/
nyastodon
forked from mirrors/catstodon
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
develop
main
nya-1.2.2
nya-1.2.1
nya-1.2.0
v0.1.2
v0.1.1
v0.1.0
4.0.1+1.0.0
4.0.1+1.0.1
4.0.1+1.0.2
4.0.1+1.0.3
4.0.1+1.0.4
v0.6
v0.7
v0.8
v0.9
v0.9.9
v1.0
v1.1
v1.1.1
v1.1.2
v1.2
v1.2.1
v1.2.2
v1.3
v1.3.1
v1.3.2
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4rc1
v1.4rc2
v1.4rc3
v1.4rc4
v1.4rc5
v1.4rc6
v1.5.0
v1.5.0rc1
v1.5.0rc2
v1.5.0rc3
v1.5.1
v1.6.0
v1.6.0rc1
v1.6.0rc2
v1.6.0rc3
v1.6.0rc4
v1.6.0rc5
v1.6.1
v2.0.0
v2.0.0rc1
v2.0.0rc2
v2.0.0rc3
v2.0.0rc4
v2.1.0
v2.1.0rc1
v2.1.0rc2
v2.1.0rc3
v2.1.0rc4
v2.1.0rc5
v2.1.0rc6
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v2.2.0rc1
v2.2.0rc2
v2.3.0
v2.3.0rc1
v2.3.0rc2
v2.3.0rc3
v2.3.1
v2.3.1rc1
v2.3.1rc2
v2.3.1rc3
v2.3.2
v2.3.2rc1
v2.3.2rc2
v2.3.2rc3
v2.3.2rc4
v2.3.2rc5
v2.4.0
v2.4.0rc1
v2.4.0rc2
v2.4.0rc3
v2.4.0rc4
v2.4.0rc5
v2.4.1
v2.4.1rc1
v2.4.1rc2
v2.4.1rc3
v2.4.1rc4
v2.4.2
v2.4.2rc1
v2.4.2rc2
v2.4.2rc3
v2.4.3
v2.4.3rc1
v2.4.3rc2
v2.4.3rc3
v2.4.4
v2.4.5
v2.5.0
v2.5.0rc1
v2.5.0rc2
v2.5.1
v2.5.2
v2.6.0
v2.6.0rc1
v2.6.0rc2
v2.6.0rc3
v2.6.0rc4
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.7.0
v2.7.0rc1
v2.7.0rc2
v2.7.0rc3
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.0rc1
v2.8.0rc2
v2.8.0rc3
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.0rc1
v2.9.0rc2
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v3.0.0
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.1
v3.0.2
v3.1.0
v3.1.0rc1
v3.1.0rc2
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.2.0
v3.2.0rc1
v3.2.0rc2
v3.2.1
v3.2.2
v3.3.0
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.5.0
v3.5.0rc1
v3.5.0rc2
v3.5.0rc3
v3.5.1
v3.5.2
v3.5.3
v3.5.3+1.0.0
v3.5.3+1.0.1
v3.5.3+1.0.3
v3.5.3+1.0.4
v3.5.3+1.0.5
v3.5.3+1.0.6
v3.5.3+1.0.7
v3.5.3+1.0.8
v3.5.3+1.0.9
v3.5.3+1.1.0
v3.5.3+1.1.1
v3.5.3+1.1.2
v3.5.3+1.1.3
v3.5.3+1.1.4
v3.5.3+1.1.5
v3.5.3+1.1.6
v3.5.3+1.2.1
v3.5.3+1.2.2
v3.5.3+1.2.3
v4.0.0
v4.0.0+1.0.0
v4.0.0rc1
v4.0.0rc2
v4.0.0rc3
v4.0.0rc4
v4.0.1
v4.0.2
v4.0.2+1.0.0
v4.0.2+1.0.1
v4.0.2+1.0.10
v4.0.2+1.0.11
v4.0.2+1.0.12
v4.0.2+1.0.13
v4.0.2+1.0.2
v4.0.2+1.0.3
v4.0.2+1.0.4
v4.0.2+1.0.5
v4.0.2+1.0.6
v4.0.2+1.0.7
v4.0.2+1.0.8
v4.0.2+1.0.9
v4.0.2+1.1.0
v4.0.2+1.1.1
v4.0.2+1.1.2
v4.0.2+1.1.3
v4.0.2+1.1.4
v4.0.2+1.1.5
v4.0.2+1.1.6
v4.0.2+1.1.7
v4.0.2+1.1.8
v4.0.2+1.1.9
v4.1.0
v4.1.0+1.0.0
v4.1.0+1.0.1
v4.1.0+2.0.0
v4.1.0+2.0.1
v4.1.0+2.0.2
v4.1.0+2.0.4
v4.1.0+2.0.5
v4.1.0+2.1.0
v4.1.0+2.1.1
v4.1.0rc1
v4.1.0rc2
v4.1.0rc3
v4.1.1+1.0.0
v4.1.1+1.0.1
v4.1.1+1.0.2
v4.1.1+1.0.3
v4.1.1+1.0.4
v4.1.1+1.0.5
v4.1.1+1.0.6
v4.1.1+1.0.7
v4.1.2+1.0.0
v4.1.2+1.0.1
v4.1.2+1.0.2
v4.1.2+1.0.3
v4.1.2+1.0.4
v4.1.2+1.1.0
v4.1.2+1.1.1
v4.1.2+1.1.2
v4.1.2+1.1.3
v4.1.2+1.1.4
v4.1.3+1.0.0
v4.1.4+1.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'v3.4.4'
${ noResults }
nyastodon/config/initializers
History
Claire 3251b8eead Fix reviving revoked sessions and invalidating login (#16943) 
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
 		3 years ago
..
0_post_deployment_migrations.rb
1_hosts.rb
2_whitelist_mode.rb
active_model_serializers.rb
application_controller_renderer.rb
assets.rb
backtrace_silencers.rb
blacklists.rb
cache_buster.rb
chewy.rb
content_security_policy.rb
cookies_serializer.rb
cors.rb
devise.rb
doorkeeper.rb
fast_blank.rb
ffmpeg.rb
filter_parameter_logging.rb
http_client_proxy.rb
httplog.rb
inflections.rb
json_ld.rb
kaminari_config.rb
mail_delivery_job.rb
makara.rb
mime_types.rb
oj.rb
omniauth.rb
open_uri_redirection.rb
paperclip.rb
permissions_policy.rb
preload_link_headers.rb
premailer_rails.rb
rack_attack.rb
rack_attack_logging.rb
redis.rb
session_activations.rb
session_store.rb
sidekiq.rb
simple_form.rb
single_user_mode.rb
statsd.rb
stoplight.rb
strong_migrations.rb
suppress_csrf_warnings.rb
trusted_proxies.rb
twitter_regex.rb
vapid.rb
webauthn.rb
wrap_parameters.rb