744bb2c372
Lookup usernames case insensitively ( #4378 )
2025-04-14 15:51:59 +02:00
bd737342b9
Always ask for consent, never for reauth ( #4386 )
2025-04-14 15:51:48 +02:00
cf732ac8f0
Always ask for consent, never for reauth
...
Now that we have deduplicated clients, we're in this weird situation
where authorization grants just… go through.
This is because 4 years ago, I designed it to support prompt=consent and
prompt=none, but that never ended up being used/mentioned in the MSCs.
We also had support for max_age, but that required reauthing, which
doesn't work well with upstream providers.
So this removes support for prompt=consent|none and max_age, and makes
sure we always go through the consent page.
Lots of code deleted, yay!
2025-04-10 19:57:45 +02:00
b5ed17dbff
Lookup usernames case insensitively
2025-04-10 18:36:43 +02:00
77e954e475
correct format and translation
2025-04-10 17:57:58 +02:00
f2a47f9a88
add login by email + feature flag
2025-04-10 17:57:58 +02:00
2b81c8a42e
Admin API for adding and removing upstream oauth links ( #4255 )
2025-04-09 13:33:16 +02:00
d310f48a7e
compat login: support using client-provided device ID ( #4342 )
2025-04-07 08:52:29 +02:00
a73cb1c2fb
UNFINISHED: finish active sessions when replacing a device
2025-04-04 17:52:08 +01:00
1f2eccc645
compat login (sso): support using client-provided device_id
2025-04-04 16:25:01 +01:00
5c13757e1d
Deduplicate client registrations by hashing the metadata
2025-03-25 15:00:23 +01:00
850a9ed81b
Link removal storage API
...
From #3245 with changes from review
2025-03-17 18:31:11 +02:00
6a37fdfe30
Merge branch 'main' into quenting/dynamic-policy-data
2025-03-14 10:16:16 +01:00
8581ca19ef
Prune stale policy data once a day
2025-03-13 13:40:59 +01:00
69bfdb2d5d
Order the OAuth providers in the UI by their order in the config file
2025-03-12 11:12:55 +01:00
b72b83665e
Repository method to deactivate a user.
2025-03-11 17:35:13 +01:00
6519d6c9ea
Add a deactivated_at flag on users
2025-03-11 17:35:13 +01:00
10276b05fc
Allow removing email addresses in bulk
2025-03-11 17:35:12 +01:00
aa3af157a3
storage: store dynamic policy data in the database
2025-02-25 12:26:22 +01:00
a538b50233
Bump most Rust dependencies
2025-02-24 12:12:07 +01:00
3d2b67a0b2
Upgrade to Rust 1.85 and edition 2024
2025-02-21 16:15:02 +01:00
dab640aa51
Allow filtering sessions by client kind (dynamic or static)
2025-02-12 17:31:21 +01:00
935400d87b
Experimental feature to timeout inactive sessions
2025-02-12 17:31:21 +01:00
2ae36b4a84
Setup job to expire inactive browser sessions
2025-02-12 14:03:41 +01:00
4353185802
Setup a job to expire compatibility sessions
2025-02-12 13:57:36 +01:00
34f7e49a54
Setup a job to expire OAuth 2.0 sessions
2025-02-12 13:47:48 +01:00
917f4d1817
Allow filtering OAuth sessions with any/no user
2025-02-12 13:00:22 +01:00
0e3d10ee45
storage: allow filtering upstream OAuth links by subject
2025-02-12 11:01:53 +01:00
0f3b2d2d89
When consuming a compat refresh token, consume others in the session
2025-02-05 11:36:27 +01:00
a83cdfb517
Clarify that VerifyEmailJob is kept for flushing old jobs
2025-01-23 18:31:27 +01:00
6092efe949
Merge branch 'main' into quenting/optional-email
2025-01-20 11:31:48 +01:00
9247885518
Remove unused dependencies
2025-01-16 17:59:03 +01:00
dbb53160b6
Data model and storage layer for storing user registrations
2025-01-14 16:30:43 +01:00
5f5fc44fbd
Job to send the new email authentication codes
2025-01-14 15:47:17 +01:00
0513f198d8
Rip out the email verification codes
...
This considers all user_emails as confirmed, and removes the verification code.
It will be replaced by a new email authentication code flow
2025-01-14 15:46:45 +01:00
75526ff0c4
storage: new email authentication codes
2025-01-13 17:00:30 +01:00
ee33e9c0fb
Remove the primary email address concept
2025-01-13 17:00:30 +01:00
af1282b510
Allow response_mode to be null and if so do not add the query param ( #3700 )
2024-12-18 18:18:39 +01:00
a97d2daa3d
Make the issue optional on upstream OAuth 2.0 providers
2024-12-17 13:40:34 +01:00
80903ed629
Add id_token_signed_response_alg and userinfo_signed_response_alg ( #3664 )
2024-12-17 11:54:16 +01:00
177a0f42bd
Allow revoking refresh tokens
...
This lets us track 'revoked' tokens separately from 'consumed' tokens.
2024-12-11 14:15:01 +01:00
0360427adf
Cleanup revoked tokens instead of expired ones
...
If we continue deleting expired tokens, we might not record whether the
token was used or not, and not know what to do in case of
a double-refresh.
Revoked tokens are safe to delete.
This also reduces the frequency of the cleanup job to once an hour.
2024-12-11 14:15:01 +01:00
23c73cf191
Record when access tokens are first used
2024-12-11 14:15:01 +01:00
56cb293fbb
Record the next refresh token ID when refreshing
...
This will help us determine whether we had a double-refresh happening
2024-12-11 14:15:01 +01:00
2345685b92
Remove the schedule_expression from the database & other fixes
2024-12-06 16:24:26 +01:00
186860b10f
Cron-like recurring jobs
2024-12-06 16:24:26 +01:00
cb07af5008
Allow scheduling jobs in the future
...
Also retries jobs with an exponential backoff.
2024-12-06 16:24:26 +01:00
358186187d
Retry failed jobs
2024-12-06 16:24:26 +01:00
89856576cb
Actually consume jobs
2024-12-06 16:24:26 +01:00
b689554909
Schedule jobs through the new queue
2024-12-06 16:24:26 +01:00
Quentin Gliech