* [web] Expose metric for active users in SP
* Removed redundant UserHandler.setupLoginData()
In the past this method was also calling
a now deleted notifyDomainLicence(), but now
this is just an alias for populateTeamInvites()
* Added migration for `lastActive`
* Added secondary read precedence to count active users
GitOrigin-RevId: 86d6db31e1ae74ae40c6599e6acb731d8c4a04bd
* Promisify `AuthenticationController.doPassportLogin`
* Update tests `AuthenticationController.doPassportLogin`
* Add test on error handling for `AuthenticationController.doPassportLogin`
* Add test on error handling for `V1LoginController.doLogin`
* Extract error handling to `getErrorObject` function
* Simplify code
* Add `Metrics` calls
* Add `password is too long` in AuthenticationController
* Make `info` object consistent with the rest of the codebase
* Move error handling to `AuthenticationManager.handleAuthenticateErrors`
* Move `handleAuthenticateErrors` to other file
I moved this solely because I didn't manage to test it otherwise
* Update tests
* Remove `preDoPassportLogin` hook call
* Remove test on `preDoPassportLogin`
* Use try/catch block instead of `.catch()`
* Revert "Use try/catch block instead of `.catch()`"
This reverts commit 3475afa93ce4af7ad55c91bfc1d7ad3317600ea5.
* Replace `.catch` by `try/catch`
GitOrigin-RevId: 3fba65c30a2c5fc6e5abcd5b83c52801852ed462
* Replace `LoginRateLimiter.processLoginRequest` call by use of `RateLimiterMiddleware`
* Lowercase the email to avoid rate-limit bypass
* Remove unit test "when the users rate limit"
* Use `EmailHelper.parseEmail` to normalize email in `processLoginRequest`
This should address the `trim()` bypass
* Use `.trim().toLowerCase()` instead of `EmailHelper.parseEmail`
We can't use `EmailHelper.parseEmail`, else it breaks the test (and feature): "with username that does not look like an email"
* Add acceptance test for rate limit
* Add comment on rate limits
* Rename `rateLimiter` to `rateLimiterLoginEmail` for clarity
* Make the login rate limits configurable from the settings
GitOrigin-RevId: cf1c3a416745f2b007c85014a5084570d4a049a7
* Promisify LdapController
* Update tests LdapControllerTests.js
* Promisify `AuthenticationController.finishLogin`
* Simplify null checks in LdapController
* Fix: don't use spread operator in module.exports
* Make `AuthenticationController.promises.finishLogin` a promise that resolves
* Fixup: `finishLogin` does not call `next` then the promise finishes, it calls it only on errors
* Use `Modules.promises.hooks.fire`
* Revert `processPassportLogin` callback style
* Update error handling: Use `OError.tag` instead of `logger.err`
* Fix unit tests: Rely on callbacks rather than promises
* Fix: Actually call `passport.authenticate` (!!)
* Update test: fixup `passport.authenticate` mocks
This would have caught the bugs that the previous commit is solving
* Remove `.then(() => next())` in `processPassportLogin`
Co-authored-by: Eric Mc Sween <eric.mcsween@overleaf.com>
---------
Co-authored-by: Eric Mc Sween <eric.mcsween@overleaf.com>
GitOrigin-RevId: a7eab5f5289956aeb8f2418408958daef3511ab7
* Fix `revokeAllUserSessions` call in `_cleanupUser`
The user object should be passed, not the _id
* Change `revokeAllUserSessions` signature, take `req` and `stayLoggedIn` arguments
* Update uses of `revokeAllUserSessions`
* Fix promisified `revokeAllUserSessions` args
* Update tests
* Destroy or Regenerate the session in the end of `revokeAllUserSessions`
Per https://github.com/overleaf/internal/issues/17036#issuecomment-1938398570
* Revert "Destroy or Regenerate the session in the end of `revokeAllUserSessions`"
This reverts commit fe30734dbe45b27d2931d2e43a711d591bb85787.
* Rename `revokeAllUserSessions` to `removeSessionsFromRedis`
* Fixup tests
* Fix: add optional chaining in `req.sessionID` (!!)
GitOrigin-RevId: d41676bf00f463230af495e09c65fb9ee521f49f
* [web] upgrade @node-oauth/oauth2-server to ^5.1.0,
* Added `expressify` to middleware returned by Authentication.requireOauth()
* Extracted OAuth2 scope transformation to utilities
* Throw an error with undefined SAML scopes
GitOrigin-RevId: 00dfe81c707e9a3fcf9bb10e007c1fc646f7b9dd
* [web] set-password: reject same as current password
* [web] Add 'peek' operation on tokens
This allows us to improve the UX of the reset-password form,
by not invalidating the token in the case where the new
password will be rejected by validation logic.
We give up to three attempts before invalidating the token.
* [web] Add hide-on-error feature to async forms
This allows us to hide the form elements when certain
named error conditions occur.
* [web] reset-password: handle same-password rejection
We also change the implementation to use the new
peekValueFromToken API, and to expire the token explicitely
after it has been used to set the new password.
* [web] Validate OneTimeToken when loading password reset form
* [web] Rate limit GET: /user/password/set
Now that we are peeking at OneTimeToken when accessing this page,
we add rate to the GET request, matching that of the POST request.
* [web] Tidy up pug layout and mongo query for token peeking
Co-authored-by: Mathias Jakobsen <mathias.jakobsen@overleaf.com>
GitOrigin-RevId: 835205cc7c7ebe1209ee8e5b693efeb939a3056a