268 Commits

Author SHA1 Message Date
Pēteris Caune
8fe8e0f605
Update alert email template: more information, less styling
Fixes: #348
2020-12-26 18:11:36 +02:00
Pēteris Caune
dfd159ab18
Add a "Lost password?" link with instructions in the Sign In page 2020-12-09 15:38:19 +02:00
Shea Polansky
54a95a0ee2
Add http header auth (#457)
* Add HTTP header authentiation backend/middleware

* Add docs for remote header auth

* Improve docs on external auth

* Add warning for unknown  REMOTE_USER_HEADER_TYPE

* Move active check for header auth to middleware
Add extra header type sanity check to the backend

* Add test cases for remote header login

* Improve header-based authentication

- remove the 'ID' mode
- add CustomHeaderBackend to AUTHENTICATION_BACKENDS conditionally
- rewrite CustomHeaderBackend and CustomHeaderMiddleware to
use less inherited code
- add more test cases

Co-authored-by: Pēteris Caune <cuu508@gmail.com>
2020-12-09 11:25:56 +02:00
Pēteris Caune
0b4251bdee
Add logic to handle exceptions thrown by the fido2 library 2020-11-19 16:53:58 +02:00
Pēteris Caune
3cfc31610a
Add extra security checks in the login_webauthn view 2020-11-19 16:21:31 +02:00
Pēteris Caune
8448f882cf
Add notes about adding a second key, and removing the last key 2020-11-19 15:05:08 +02:00
Pēteris Caune
568a287850
Fix WebAuthn registration to use random bytes for user handle
User handle is used in a username-less authentication, to map a
credential received from browser with an user account in the
database. Since we only use security keys as a second factor,
the user handle is not of much use to us.

The user handle:
 - must not be blank,
 - must not be a constant value,
 - must not contain personally identifiable information.

So we use random bytes, and don't store them on our end.
2020-11-19 13:59:23 +02:00
Pēteris Caune
8dbf9e02af
Fix capitalization, Webauthn -> WebAuthn 2020-11-19 13:01:26 +02:00
Pēteris Caune
7124383a53
Add checks for RP_ID, add a 2FA section in README 2020-11-19 12:54:00 +02:00
Pēteris Caune
9401bc3987
Update the "Close Account" function to use confirmation codes 2020-11-16 16:22:25 +02:00
Pēteris Caune
48750ee668
Update "Change Password" to show messages in panel's footer 2020-11-16 15:45:25 +02:00
Pēteris Caune
fb79948759
Update the "Change Email" function to use confirmation codes 2020-11-16 15:33:29 +02:00
Pēteris Caune
ed6b15bfa9
Update the "Set Password" function to use confirmation codes 2020-11-16 14:53:50 +02:00
Pēteris Caune
1ca4caa3a8
Update the set_password view to use update_session_auth_hash
Changing user's password logs themselves out. To avoid that,
we were logging the user back in right after changing the password.

I recently discovered update_session_auth_hash, which seems to
be the proper way to do this.

Docs: https://docs.djangoproject.com/en/3.1/topics/auth/default/#session-invalidation-on-password-change
2020-11-16 14:29:52 +02:00
Pēteris Caune
adb7702f39
Rename login_tfa to login_webauthn 2020-11-16 14:16:06 +02:00
Pēteris Caune
7639f0dd69
Add test cases for the login_tfa view 2020-11-16 14:01:04 +02:00
Pēteris Caune
d0f327b213
Add Base64Field field (base64-encoded binary data) 2020-11-16 13:10:38 +02:00
Pēteris Caune
839c309cf7
Refactor for testability, add more test cases 2020-11-16 12:52:26 +02:00
Pēteris Caune
155a1f132b
Simplify super() calls in tests 2020-11-16 11:20:01 +02:00
Pēteris Caune
155226d82a
Add tests for sudo mode 2020-11-16 10:58:38 +02:00
Pēteris Caune
ecf964ea3b
Remove a verify_origin workaround 2020-11-15 21:49:25 +02:00
Pēteris Caune
9f58ebfd3e
Hook up a 2FA check after a password or email link authentication 2020-11-15 21:39:49 +02:00
Pēteris Caune
64be87137b
Add a two-factor authentication form (WIP) 2020-11-14 12:54:26 +02:00
Pēteris Caune
2ac0f87560
Implement a "Remove Security Key" feature 2020-11-14 11:45:09 +02:00
Pēteris Caune
42497fe91a
Add rate limiting to the sudo code form 2020-11-13 22:04:19 +02:00
Pēteris Caune
2c3286c280
Improve the "add security key" UX, require sudo mode 2020-11-13 16:23:28 +02:00
Pēteris Caune
e3aedd3b03
Add require_sudo_mode decorator
Planning to use it for sensitive operations (add/remove security keys),
change email, change password, close account.

The decorator sends a six-digit confirmation code to user's email
and renders a form for entering it back. If the user enters the
correct code, the decorators sets a sudo=active marker in
user's session, valid for 30 minutes.
2020-11-13 11:08:06 +02:00
Pēteris Caune
03ea725612
Add Credential.created field 2020-11-12 18:03:12 +02:00
Pēteris Caune
53688f1d87
Add error handling on the client side, use Django form API 2020-11-12 17:08:23 +02:00
Pēteris Caune
1eaa216d3a
Add experimental code for registering Webauthn credentials 2020-11-12 16:15:07 +02:00
Pēteris Caune
ad720af242
Rename "hc-p-channels" to "hc-channels" 2020-09-01 12:56:35 +03:00
Pēteris Caune
0a85c5ed12
In Account Settings > My Projects, indicate read-only memberships as read-only 2020-08-31 11:07:39 +03:00
Pēteris Caune
e424176a1f
Remove mentions of "whitelist" 2020-08-26 16:38:29 +03:00
Pēteris Caune
d73de68f70
Specify the read-write/read-only flag when inviting a team member. 2020-08-26 16:09:17 +03:00
Pēteris Caune
adb004b333
Read-only users cannot change project settings. 2020-08-26 15:04:12 +03:00
Pēteris Caune
00790dc33c
Member.rw flag. Read-only users cannot edit check's name/desc/tags or schedule 2020-08-26 12:16:43 +03:00
Pēteris Caune
2346ac3e80
Bugfix: don't allow duplicate team memberships 2020-08-19 12:07:48 +03:00
Pēteris Caune
b7e2404f98
Host a read-only dashboard (from github.com/healthchecks/dashboard/), link to it from "Project Settings" > "Show API keys" 2020-08-18 14:07:55 +03:00
Pēteris Caune
c75a37570e
In channels admin, don't show the notification counts, querying it is too expensive. 2020-08-18 13:30:24 +03:00
Pēteris Caune
c7af52637a
Less verbose output in the senddeletionnotices command 2020-08-18 11:05:04 +03:00
Pēteris Caune
697cb19bde
Handle excessively long email addresses in the team member invite form. 2020-08-17 12:05:19 +03:00
Pēteris Caune
ffafc16fe5
Handle excessively long email addresses in the signup form. 2020-08-17 11:31:24 +03:00
Pēteris Caune
b63f3bed8e
Limit project name to 60 characters to prevent abuse 2020-08-10 11:23:59 +03:00
Pēteris Caune
f131123e0e
In the test_it_sends_link testcase, explicitly set the USE_PAYMENTS setting. This way tests work regardless of what's in the environment variable or local_settings.py file. 2020-08-05 17:35:37 +03:00
Ronald Ip
c476f042ba
Fix logic bug in test_signup (#408)
Resolves #408 by fixing the test_signup logic bug introduced in 8c13457.
2020-08-05 22:27:44 +08:00
Pēteris Caune
d05691f86f
SMS and phone calls now have separate "limit reached" email templates. 2020-08-03 18:00:48 +03:00
Pēteris Caune
8c13457037
Use separate counters for SMS and phone calls. 2020-08-03 17:52:09 +03:00
Pēteris Caune
f814035f03
Declutter /admin/accounts/profile/ 2020-07-16 16:31:57 +03:00
Pēteris Caune
e89229a2ca
In admin, visualize account's number of checks 2020-07-06 18:39:27 +03:00
Pēteris Caune
a18eb134f5
Refactor: change Check.get_status(with_started=...) default value from True to False (with_started=False is or will be useful in more places) 2020-06-25 15:23:59 +03:00