Quentin Gliech
cb8c408489
Admin API filter to search users by username
2025-09-15 14:12:31 +02:00
Quentin Gliech
b7015c0b3d
Allow filtering guest/non-guest users
2025-09-15 12:51:06 +02:00
Quentin Gliech
a2172a02ba
Surface the user guest flag in the admin API
2025-09-15 12:51:00 +02:00
Quentin Gliech
7253ca69b0
Merge remote-tracking branch 'origin/main' into feat/login_hint_with_email
2025-08-18 16:43:00 +02:00
Quentin Gliech
8dd096ce60
Fix a few more clippy lints
2025-08-18 10:45:20 +02:00
Quentin Gliech
eded025ff4
Fix a few clippy lints, mostly in doc comments
2025-08-18 10:34:28 +02:00
mcalinghee
8bad68cc34
Merge branch 'main' into feat/login_hint_with_email
2025-08-05 17:02:14 +02:00
Quentin Gliech
4d83fcb25e
Merge remote-tracking branch 'origin/main' into quenting/stable-api
2025-08-04 16:38:49 +02:00
mcalinghee
062f5aced7
move Clock/MockClock/SystemClock/BoxClock/BoxRng to mas-data-model
2025-07-31 11:17:33 +02:00
Quentin Gliech
b8d23be313
Fix many clippy warnings
...
This is because the tracing-attributes update made clippy look at those
again. I've removed the `too_many_lines` lint, as it's not really useful
and we ignore it most of the time anyway.
2025-07-30 14:49:38 +02:00
Andrew Ferrazzutti
49540693ab
Decouple (un)locking from (re/de)activation
...
Unify the admin API, CLI, and GraphQL API in not having the unlock
command also reactivate, or the deactivate command also lock.
Still let the unlock command of the CLI and GraphQL API also
reactivate the target user, albeit as a non-default option.
2025-07-16 14:17:01 -04:00
Andrew Ferrazzutti
415e3a2555
Separate active state from lock state in admin API
...
- Allow the admin API to deactivate a user without locking it, and to
unlock a user without reactivating it.
- Make unlock-and-reactivate flows unset the "deactivated_at" timestamp.
- Revert adding an "unlock" parameter on `ReactivateUserJob`, as the
option is used only by the admin API which doesn't use a job.
2025-07-16 14:17:01 -04:00
Andrew Ferrazzutti
44ffec5111
Add admin API endpoint to reactivate user
2025-07-16 14:17:01 -04:00
Quentin Gliech
39b3dbe5db
Make email address lookups case-insensitive
2025-07-08 18:01:20 +02:00
Quentin Gliech
e8627166a9
Log out oauth & compat sessions when receiving a backchannel logout request
2025-07-04 16:27:10 +02:00
Quentin Gliech
84d9e47e23
Compose filters for batch logging out of browser sessions
...
Instead of having to load all authentication sessions in memory, we
allow composing browser session filters with an upstream auth sessions
filter
2025-07-04 16:27:10 +02:00
Quentin Gliech
500e25a069
storage: allow filtering browser sessions by which upstream session
...
authd them
2025-07-04 16:27:10 +02:00
Quentin Gliech
db8c557f81
Backchannel logout behavior settings on upstream providers
2025-07-04 16:27:10 +02:00
Quentin Gliech
aaf4bf588f
Allow filtering upstream sessions by sub and sid claims
2025-07-04 16:27:09 +02:00
Quentin Gliech
a3acec4973
storage: list and count methods for upstream oauth sessions
2025-07-04 16:27:09 +02:00
Quentin Gliech
5b7bf232d6
Record the decoded ID token claims on upstream auth sessions
2025-07-04 16:27:09 +02:00
Quentin Gliech
7605f4ac6f
storage: get both the stable & unstable scopes when looking for devices
2025-06-13 15:54:51 +02:00
Quentin Gliech
52b0a9b2ba
Update license headers to match the actual license
2025-06-12 10:32:16 +02:00
Quentin Gliech
5a4bc59bd3
Admin API to edit registration tokens
2025-06-05 18:22:16 +02:00
Quentin Gliech
5a34e28f4c
Admin API to un-revoke a user registration token.
2025-06-05 16:56:42 +02:00
Quentin Gliech
8a6fd1d6b2
List and count methods on the UserRegistrationTokenRepository
2025-06-03 17:42:53 +02:00
Quentin Gliech
e28221ac49
Data model and repository for user registration tokens
2025-06-03 17:42:52 +02:00
Quentin Gliech
bdd56faa02
Don't hold database connections open when talking to the homeserver (#4527)
2025-05-09 09:13:42 +02:00
Quentin Gliech
481b2d4cf9
Move the pool acquisition metric logic to the PgRepositoryFactory
2025-05-07 17:09:20 +02:00
Quentin Gliech
90faa72633
Introduce a RepositoryFactory
2025-05-07 17:00:49 +02:00
Quentin Gliech
955bd28590
Don't generate and send a nonce for non-OIDC-compliant auth requests
2025-05-07 15:34:27 +02:00
Doug
7f91c8948b
Add a configuration for forwarding the login hint to the upstream provider.
2025-05-06 17:50:33 +01:00
Quentin Gliech
7b9b44c644
Allow setting custom names on sessions (#4459)
2025-04-30 15:32:25 +02:00
Quentin Gliech
aba9ca38e6
Insert client_name when upserting statically registered clients (#4417)
2025-04-30 11:50:49 +02:00
Quentin Gliech
0396de202a
Avoid deadlocks when updating the last activity of sessions
2025-04-28 09:56:30 +02:00
Quentin Gliech
3b9d580b17
storage: methods to set the sessions human name
2025-04-25 16:55:30 +02:00
Quentin Gliech
7ec87b1855
storage: add a user-provided human name to OAuth 2.0 sessions
2025-04-25 16:55:29 +02:00
Quentin Gliech
234de8b737
Save the locale detected when starting an authorization grant
2025-04-25 12:55:22 +02:00
Quentin Gliech
bcd83ef649
storage: allow setting the human_name when creating compat sessions
2025-04-25 12:55:10 +02:00
Quentin Gliech
f457bd8d35
Don't parse the user agent unless we need to
2025-04-24 13:13:26 +02:00
Adis Veletanlic
7890862500
Add client_name to static registrations function and generate new query data
2025-04-16 11:44:58 +02:00
Quentin Gliech
c4f4f09336
Lookup usernames case insensitively (#4378)
2025-04-14 15:51:59 +02:00
Quentin Gliech
a47dba1b1d
Always ask for consent, never for reauth (#4386)
2025-04-14 15:51:48 +02:00
Quentin Gliech
3eb9822791
Handle the case where there are multiple users with the same username, but with a different casing.
2025-04-11 15:38:28 +02:00
Quentin Gliech
73a4007c18
Always ask for consent, never for reauth
...
Now that we have deduplicated clients, we're in this weird situation
where authorization grants just… go through.
This is because 4 years ago, I designed it to support prompt=consent and
prompt=none, but that never ended up being used/mentioned in the MSCs.
We also had support for max_age, but that required reauthing, which
doesn't work well with upstream providers.
So this removes support for prompt=consent|none and max_age, and makes
sure we always go through the consent page.
Lots of code deleted, yay!
2025-04-10 19:57:45 +02:00
Quentin Gliech
b80a52e390
Also lowercase the username when checking if it exists.
2025-04-10 18:45:13 +02:00
Quentin Gliech
7f0dcaa73f
Lookup usernames case insensitively
2025-04-10 18:36:43 +02:00
mcalinghee
2fe4752aa4
add login by email + feature flag
2025-04-10 17:57:58 +02:00
Quentin Gliech
e064c381b6
Admin API for adding and removing upstream oauth links (#4255)
2025-04-09 13:33:16 +02:00
Tonkku
8f19164e09
Separate spans
2025-04-08 16:54:35 +00:00