mastodon/config
Claire 6da135a493
Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00
..
environments Default to system ca-certificates.crt if none is specified (#10857) 2021-10-14 21:05:50 +02:00
initializers Fix reviving revoked sessions and invalidating login (#16943) 2021-11-06 00:13:58 +01:00
locales New Crowdin updates (#16354) 2021-10-17 10:28:51 +09:00
webpack Bump jest from 26.6.3 to 27.1.0 (#16376) 2021-08-28 09:58:04 +09:00
application.rb Add S3_FORCE_SINGLE_REQUEST env var to work around S3 compatibility issues (#16866) 2021-10-18 18:29:04 +02:00
boot.rb Bump bootsnap from 1.6.0 to 1.8.1 (#16677) 2021-09-19 14:42:32 +09:00
brakeman.ignore Ignore brakeman false positive warning (#16213) 2021-05-11 14:18:33 +02:00
database.yml config: add DB_SSLMODE for managed/remote PG (#10210) 2019-03-08 14:36:28 +01:00
deploy.rb Change references to tootsuite/mastodon to mastodon/mastodon (#16491) 2021-07-13 15:46:20 +02:00
environment.rb Make PreviewCard records reuseable between statuses (#4642) 2017-09-01 16:20:16 +02:00
i18n-tasks.yml Change move handler to carry blocks over (#14144) 2020-07-01 13:51:15 +02:00
navigation.rb Add feature to automatically delete old toots (#16529) 2021-08-09 23:11:50 +02:00
pghero.yml Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
puma.rb Add PERSISTENT_TIMEOUT option (#11756) 2019-09-04 20:44:08 +02:00
routes.rb Add remove from followers api (#16864) 2021-10-18 12:02:35 +02:00
secrets.yml Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
settings.yml Change auto-following admin-selected accounts, show in recommendations (#16078) 2021-04-24 17:01:43 +02:00
sidekiq.yml Add feature to automatically delete old toots (#16529) 2021-08-09 23:11:50 +02:00
storage.yml Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
themes.yml More polished light theme (#7620) 2018-05-25 18:36:26 +02:00
webpacker.yml Bump webpacker from 3.5.5 to 4.0.2 (#10277) 2019-03-15 15:05:31 +01:00