Commit graph

90 commits

Author SHA1 Message Date
Domagoj Kriskovic
868d562d96 Support password-fallbackPassword array in requireBasicAuth (#27237)
GitOrigin-RevId: 33b15a05996bfa0190041f347772867a9667e2ca
2025-07-22 08:05:51 +00:00
Miguel Serrano
3ff142d478 [web] Expose metric for active users in SP (#20130)
* [web] Expose metric for active users in SP

* Removed redundant UserHandler.setupLoginData()

In the past this method was also calling
a now deleted notifyDomainLicence(), but now
this is just an alias for populateTeamInvites()

* Added migration for `lastActive`

* Added secondary read precedence to count active users

GitOrigin-RevId: 86d6db31e1ae74ae40c6599e6acb731d8c4a04bd
2024-10-14 10:57:28 +00:00
andrew rumble
032deaf05c Switch to mongodb-legacy
GitOrigin-RevId: 11e09528c153de6b7766d18c3c90d94962190371
2024-08-21 08:04:24 +00:00
Antoine Clausse
fb114a7c44 Merge pull request #19545 from overleaf/ac-remove-login-route-override
[web] Remove `/login` route override from overleaf-integration

GitOrigin-RevId: a22d0698e5039a8e77fb7ebb620500ad40a9a630
2024-08-14 08:04:26 +00:00
Antoine Clausse
1e36db524f [web] Merge authentication error handling (V1LoginController & AuthenticationController) (#19457)
* Promisify `AuthenticationController.doPassportLogin`

* Update tests `AuthenticationController.doPassportLogin`

* Add test on error handling for `AuthenticationController.doPassportLogin`

* Add test on error handling for `V1LoginController.doLogin`

* Extract error handling to `getErrorObject` function

* Simplify code

* Add `Metrics` calls

* Add `password is too long` in AuthenticationController

* Make `info` object consistent with the rest of the codebase

* Move error handling to `AuthenticationManager.handleAuthenticateErrors`

* Move `handleAuthenticateErrors` to other file

I moved this solely because I didn't manage to test it otherwise

* Update tests

* Remove `preDoPassportLogin` hook call

* Remove test on `preDoPassportLogin`

* Use try/catch block instead of `.catch()`

* Revert "Use try/catch block instead of `.catch()`"

This reverts commit 3475afa93ce4af7ad55c91bfc1d7ad3317600ea5.

* Replace `.catch` by `try/catch`

GitOrigin-RevId: 3fba65c30a2c5fc6e5abcd5b83c52801852ed462
2024-07-31 08:05:07 +00:00
Antoine Clausse
5f2718cf29 [web] Make rate-limit on login consistent, prevent "trim/case bypass" (#19555)
* Replace `LoginRateLimiter.processLoginRequest` call by use of `RateLimiterMiddleware`

* Lowercase the email to avoid rate-limit bypass

* Remove unit test "when the users rate limit"

* Use `EmailHelper.parseEmail` to normalize email in `processLoginRequest`

This should address the `trim()` bypass

* Use `.trim().toLowerCase()` instead of `EmailHelper.parseEmail`

We can't use `EmailHelper.parseEmail`, else it breaks the test (and feature): "with username that does not look like an email"

* Add acceptance test for rate limit

* Add comment on rate limits

* Rename `rateLimiter` to `rateLimiterLoginEmail` for clarity

* Make the login rate limits configurable from the settings

GitOrigin-RevId: cf1c3a416745f2b007c85014a5084570d4a049a7
2024-07-30 08:04:26 +00:00
Antoine Clausse
e452f1df5b [web] Promisify LdapController (#18500)
* Promisify LdapController

* Update tests LdapControllerTests.js

* Promisify `AuthenticationController.finishLogin`

* Simplify null checks in LdapController

* Fix: don't use spread operator in module.exports

* Make `AuthenticationController.promises.finishLogin` a promise that resolves

* Fixup: `finishLogin` does not call `next` then the promise finishes, it calls it only on errors

* Use `Modules.promises.hooks.fire`

* Revert `processPassportLogin` callback style

* Update error handling: Use `OError.tag` instead of `logger.err`

* Fix unit tests: Rely on callbacks rather than promises

* Fix: Actually call `passport.authenticate` (!!)

* Update test: fixup `passport.authenticate` mocks

This would have caught the bugs that the previous commit is solving

* Remove `.then(() => next())` in `processPassportLogin`

Co-authored-by: Eric Mc Sween <eric.mcsween@overleaf.com>

---------

Co-authored-by: Eric Mc Sween <eric.mcsween@overleaf.com>
GitOrigin-RevId: a7eab5f5289956aeb8f2418408958daef3511ab7
2024-06-06 08:04:23 +00:00
Eric Mc Sween
876ee4d967 Merge pull request #18225 from overleaf/em-typescript-eslint
Add typescript-eslint rule: no-floating-promises

GitOrigin-RevId: 8c3decdff537c885f5bfeb5250b7805480bc6602
2024-05-27 10:22:20 +00:00
Antoine Clausse
25d8e053be [web] Update revokeAllUserSessions and rename it to removeSessionsFromRedis (#18360)
* Fix `revokeAllUserSessions` call in `_cleanupUser`

The user object should be passed, not the _id

* Change `revokeAllUserSessions` signature, take `req` and `stayLoggedIn` arguments

* Update uses of `revokeAllUserSessions`

* Fix promisified `revokeAllUserSessions` args

* Update tests

* Destroy or Regenerate the session in the end of `revokeAllUserSessions`

Per https://github.com/overleaf/internal/issues/17036#issuecomment-1938398570

* Revert "Destroy or Regenerate the session in the end of `revokeAllUserSessions`"

This reverts commit fe30734dbe45b27d2931d2e43a711d591bb85787.

* Rename `revokeAllUserSessions` to `removeSessionsFromRedis`

* Fixup tests

* Fix: add optional chaining in `req.sessionID` (!!)

GitOrigin-RevId: d41676bf00f463230af495e09c65fb9ee521f49f
2024-05-20 08:04:12 +00:00
Jakob Ackermann
dfe587f297 Merge pull request #18294 from overleaf/jpa-td-invite-details
[web] avoid content reflection via query parameter on register page

GitOrigin-RevId: 43e7ba6069e0d9f3f12e5e9e680b5960b0673782
2024-05-16 08:05:09 +00:00
Jakob Ackermann
4c49841637 Merge pull request #18153 from overleaf/jpa-validate-session-in-store
[web] check for redis connection being out of sync in session store

GitOrigin-RevId: c271e88d4e1fbcb0f7a57f4775e8ef88b70b16a8
2024-05-03 08:04:25 +00:00
Brian Gough
29105911c5 Merge pull request #17732 from overleaf/bg-session-mitigation-initial-protoype
anonymous cookie-based sessions module

GitOrigin-RevId: 75fe2d48fa384ba8d07c0b478a9a5a907a2b3b67
2024-04-26 08:04:54 +00:00
David
ce00af7838 Merge pull request #18011 from overleaf/dp-make-_getRedirectFromSession-public
Make _getRedirectFromSession a public method

GitOrigin-RevId: 6538e4ec25e607d32beb944370d151d4f1a3709c
2024-04-24 08:04:13 +00:00
David
0cf17478fe Merge pull request #17810 from overleaf/dp-compormised-password-prompt
Add compromised password prompt

GitOrigin-RevId: 7910a220943fcb3aa191da6d514d5bc3ae20f5a3
2024-04-19 08:03:58 +00:00
roo hutton
754609f379 Merge pull request #17830 from overleaf/rh-reduce-staff-access-session
[web] Reduce size of staffAccess field in session

GitOrigin-RevId: 7745dc595e8096caef04fd140b47532f0775f165
2024-04-12 08:06:35 +00:00
Thomas
811173d32d Merge pull request #17569 from overleaf/tm-account-suspension
Add the ability to suspend user accounts

GitOrigin-RevId: 5e57f29941434c78a47354baca83527213f9b9b5
2024-03-22 09:03:06 +00:00
David
1ba5b27e57 Merge pull request #17408 from overleaf/dp-mongoose-callback-autherntication-manager
Promisify AuthenticationManager and AuthenticationManagerTests

GitOrigin-RevId: 8120bf55d19380a6ecf5241ffab8722eff2d4fe3
2024-03-12 09:03:14 +00:00
Jakob Ackermann
84a2b25a3c Merge pull request #17401 from overleaf/jpa-skip-hibp-known-device
[web] skip HIBP check from known devices

GitOrigin-RevId: 897df02492aafeac010753c7c306e02bde5b1fd8
2024-03-05 09:03:37 +00:00
Miguel Serrano
abe33de010 [web] upgrade @node-oauth/oauth2-server to ^5.1.0, (#16705)
* [web] upgrade @node-oauth/oauth2-server to ^5.1.0,

* Added `expressify` to middleware returned by Authentication.requireOauth()

* Extracted OAuth2 scope transformation to utilities

* Throw an error with undefined SAML scopes

GitOrigin-RevId: 00dfe81c707e9a3fcf9bb10e007c1fc646f7b9dd
2024-02-09 09:05:20 +00:00
Jakob Ackermann
63520c7076 Merge pull request #16859 from overleaf/jpa-sharelatex-cleanup
[misc] ShareLaTeX cleanup - high impact

GitOrigin-RevId: 6dcce9b0f15e30f7afcf6d69c3df36a369f38120
2024-02-09 09:04:11 +00:00
Jakob Ackermann
880087945e Merge pull request #16854 from overleaf/jpa-overleaf-integration-core-tests
[web] enable overleaf-integration module when running SaaS tests

GitOrigin-RevId: 36eda6ef448604a55f8dc8daac5ce29af23b6b0b
2024-02-05 09:04:05 +00:00
Jakob Ackermann
797f2c518d Merge pull request #16514 from overleaf/jpa-enforce-oauth-scope
[web] restrict access to oauth endpoints to their respective clients

GitOrigin-RevId: 6ffa6008130588e44d336e2af32584ee20ad3ffc
2024-01-18 09:04:28 +00:00
Mathias Jakobsen
c371732e6e Merge pull request #16186 from overleaf/mj-mongo-object-id
[web] Use constructor for ObjectId

GitOrigin-RevId: 9eb8b377ea599605b72af237d1ab12f4d8287162
2023-12-19 09:04:02 +00:00
Miguel Serrano
771f07d7ad Merge pull request #16202 from overleaf/msm-passport-upgrade-2
[web] passport + passport-saml updates (post revert)

GitOrigin-RevId: e1fa5757e15b3ac733511570637d39297247e050
2023-12-14 09:03:24 +00:00
Miguel Serrano
369d5cb406 Merge pull request #16190 from overleaf/revert-15519-em-upgrade-passport
Revert "Upgrade passport"

GitOrigin-RevId: 34a5442d6dae9623463908f92ab103bdc16f1b67
2023-12-12 09:04:23 +00:00
Miguel Serrano
d96283e593 Merge pull request #15519 from overleaf/em-upgrade-passport
Upgrade passport

GitOrigin-RevId: b93bfcab39ba3d2ab4efb4814371defec8ca95c4
2023-12-12 09:04:08 +00:00
Jakob Ackermann
a2e231185c Merge pull request #14606 from overleaf/jpa-bcrypt-metrics
[web] add metrics for bcrypt operations

GitOrigin-RevId: 42bf9bedb84295ceea7f660f1daac3adb7b853d9
2023-09-05 08:04:56 +00:00
June Kelly
a140e3dc8c Merge pull request #12269 from overleaf/jk-enable-password-similarity-check
[web] Enforce password similarity check

GitOrigin-RevId: 1bc4efebba401663c1db9d209dc560560f160ce0
2023-03-23 09:04:12 +00:00
Eric Mc Sween
21971956b7 Merge pull request #12219 from overleaf/em-camel-case-web
Camel case variables in web

GitOrigin-RevId: 28e61b759b27f71265f33ab64f588374dba610e0
2023-03-22 09:05:04 +00:00
June Kelly
556a557a04 Merge pull request #12261 from overleaf/jk-alter-password-similarity
[web] Alter password-similarity check/metric

GitOrigin-RevId: e9a55b4a86d2b69d6f34c1e2339d32321e08341d
2023-03-20 09:03:10 +00:00
Eric Mc Sween
65976cb363 Merge pull request #11869 from overleaf/em-upgrade-mongoose-web
Upgrade Mongoose and the Mongo driver in web

GitOrigin-RevId: 2cad1aabe57eae424a9e4c68b2e0062f0e78ffaf
2023-03-01 09:03:27 +00:00
ilkin-overleaf
38cdd77890 Merge pull request #11943 from overleaf/jk-another-password-similarity-metric
[web] Add another metric for password similarity

GitOrigin-RevId: 6d44796a63f3be85bfee86056e03cfd3bb47066c
2023-03-01 09:03:02 +00:00
Jakob Ackermann
b6d5b97326 Merge pull request #11817 from overleaf/jk-password-too-similar-metric-refinement
[web] Refine metrics on password-too-similar validation

GitOrigin-RevId: f644e50e4815b34ad9af5215ebc3c9a082572681
2023-02-17 09:03:52 +00:00
June Kelly
c4ecded316 Merge pull request #11508 from overleaf/jk-password-disallow-substring
[web] Metric for passwords too similar to email

GitOrigin-RevId: cf8320fc3c9561b4dc6d54a3e97db96400ece2a9
2023-02-02 18:22:17 +00:00
June Kelly
be7b424a63 Merge pull request #11436 from overleaf/jk-increase-password-min-length-to-8
[web] Increase the minimum password length to 8 characters

GitOrigin-RevId: 94eb3c5605183b5e189babd3342dc308f403ebbd
2023-02-02 09:02:56 +00:00
ilkin-overleaf
2675cab92e Merge pull request #10394 from overleaf/ii-password-reset-and-strength-checking
[web] Password reset strength checking and UI updates

GitOrigin-RevId: 442a5c9e7e9d0a61d3ae649f3526bc3c02fd5704
2022-12-07 09:03:36 +00:00
June Kelly
9e824ac93c Merge pull request #9951 from overleaf/jk-audit-failed-login-attempts
[web] Audit failed login attempts

GitOrigin-RevId: 19325f808f77584891e1e12b5ed7aaa16aa6aec9
2022-10-20 08:03:44 +00:00
Timothée Alby
adeaf4de79 Merge pull request #9983 from overleaf/jpa-web-fix-password-upgrade
[web] fix process for upgrading of password hashes

GitOrigin-RevId: 3bc99dbd8601c190d758080d70ea1a465bd9e542
2022-10-18 08:03:11 +00:00
June Kelly
3288f87dbe [web] Password set/reset: reject current password (redux) (#8956)
* [web] set-password: reject same as current password

* [web] Add 'peek' operation on tokens

This allows us to improve the UX of the reset-password form,
by not invalidating the token in the case where the new
password will be rejected by validation logic.

We give up to three attempts before invalidating the token.

* [web] Add hide-on-error feature to async forms

This allows us to hide the form elements when certain
named error conditions occur.

* [web] reset-password: handle same-password rejection

We also change the implementation to use the new
peekValueFromToken API, and to expire the token explicitely
after it has been used to set the new password.

* [web] Validate OneTimeToken when loading password reset form

* [web] Rate limit GET: /user/password/set

Now that we are peeking at OneTimeToken when accessing this page,
we add rate to the GET request, matching that of the POST request.

* [web] Tidy up pug layout and mongo query for token peeking

Co-authored-by: Mathias Jakobsen <mathias.jakobsen@overleaf.com>
GitOrigin-RevId: 835205cc7c7ebe1209ee8e5b693efeb939a3056a
2022-09-28 08:06:54 +00:00
Henry Oswald
5f1abee345 Merge pull request #8939 from overleaf/revert-8882-jk-web-reject-same-password
Revert "[web] Password set/reset: reject current password"

GitOrigin-RevId: f14f970fe93064658a8659537c5cb417e34e2751
2022-07-20 08:04:00 +00:00
June Kelly
d04ea76081 Merge pull request #8882 from overleaf/jk-web-reject-same-password
[web] Password set/reset: reject current password

GitOrigin-RevId: 2c40dda4926d9c68564ae5126b3393b9286bb661
2022-07-20 08:03:36 +00:00
Eric Mc Sween
e0d91eaa26 Merge pull request #7906 from overleaf/em-downgrade-logs
Downgrade all INFO logs to DEBUG

GitOrigin-RevId: 05ed582ef0721fcada059f0ad158565f50feca27
2022-05-17 08:05:26 +00:00
Jakob Ackermann
e82a053c85 Merge pull request #6614 from overleaf/jpa-msm-separate-admin-app
[misc] move admin capability from www. to admin. subdomain

GitOrigin-RevId: e0daeacf3c06b856ffb9fd35dce76e71f14e8459
2022-04-05 12:18:24 +00:00
Jakob Ackermann
d812b88e76 Merge pull request #6457 from overleaf/jpa-harden-login
[web] harden login process

GitOrigin-RevId: 5c0b7cc725efd5e3e879067ad8a42fe46a47b60d
2022-01-27 09:03:38 +00:00
Jakob Ackermann
1fc0b3e4aa Merge pull request #6349 from overleaf/jpa-password-strength-checking
[web] data collection for password strength using HaveIBeenPwned api

GitOrigin-RevId: 7e4d57a979c29027fb7ca5294f3935500a0b4cf3
2022-01-20 09:03:07 +00:00
Jakob Ackermann
d720d6affa Merge pull request #6317 from overleaf/jpa-send-explicit-content-type
[web] send explicit content type in responses

GitOrigin-RevId: d5aeaba57a7d2fc053fbf5adc2299fb46e435341
2022-01-18 09:03:18 +00:00
June Kelly
c72ec548bb Merge pull request #5976 from overleaf/jk-login-audit-log-type
[web] Add 'method' info to login audit log

GitOrigin-RevId: 093fe885bc1b688aebd640d6762f031c752191d4
2022-01-14 09:02:28 +00:00
Alf Eaton
50df230846 [web] Upgrade Prettier to match version in monorepo root (#6231)
GitOrigin-RevId: 02f97af1b9704782eee77a0b7dfc477ada23e34d
2022-01-11 09:03:23 +00:00
Brian Gough
108c99cf53 Merge pull request #6141 from overleaf/bg-update-basic-auth
[web] remove deprecated basic-auth-connect module

GitOrigin-RevId: b18435c98696858da70f3a715258c3c7a86c3b54
2021-12-20 09:03:06 +00:00
Alexandre Bourdin
3577f25ba2 Merge pull request #5051 from overleaf/ab-web-mono-analytics-id
Analytics ID Support (v2)

GitOrigin-RevId: 707f62697f6566d8aad22e424684d97f7bc147df
2021-09-13 08:03:14 +00:00