letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
NaN Commits 2 Branches 1 Tag
cb8c40848955ff748cbd7d24cb3a02d06aa0a36e
Commit Graph

425 Commits

Author SHA1 Message Date
Quentin Gliech
cb8c408489 Admin API filter to search users by username 2025-09-15 14:12:31 +02:00
Quentin Gliech
b7015c0b3d Allow filtering guest/non-guest users 2025-09-15 12:51:06 +02:00
Quentin Gliech
7253ca69b0 Merge remote-tracking branch 'origin/main' into feat/login_hint_with_email 2025-08-18 16:43:00 +02:00
Quentin Gliech
eded025ff4 Fix a few clippy lints, mostly in doc comments 2025-08-18 10:34:28 +02:00
mcalinghee
a45a1d7f73 move Clock/MockClock/SystemClock/BoxClock/BoxRng to mas-data-model : format 2025-07-31 12:35:56 +02:00
mcalinghee
9fa91b9524 move Clock/MockClock/SystemClock/BoxClock/BoxRng to mas-data-model : correct documentation 2025-07-31 12:34:01 +02:00
mcalinghee
062f5aced7 move Clock/MockClock/SystemClock/BoxClock/BoxRng to mas-data-model 2025-07-31 11:17:33 +02:00
Andrew Ferrazzutti
49540693ab Decouple (un)locking from (re/de)activation 
Unify the admin API, CLI, and GraphQL API in not having the unlock
command also reactivate, or the deactivate command also lock.

Still let the unlock command of the CLI and GraphQL API to also
reactivate the target user, albeit as a non-default option.
 2025-07-16 14:17:01 -04:00
Andrew Ferrazzutti
415e3a2555 Separate active state from lock state in admin API 
- Allow the admin API to deactivate a user without locking it, and to
  unlock a user without reactivating it.
- Make unlock-and-reactivate flows unset the "deactivated_at" timestamp.
- Revert adding an "unlock" parameter on `ReactivateUserJob`, as the
  option is used only by the admin API which doesn't use a job.
 2025-07-16 14:17:01 -04:00
Andrew Ferrazzutti
44ffec5111 Add admin API endpoint to reactivate user 2025-07-16 14:17:01 -04:00
Quentin Gliech
a51a697013 Miscellaneous housekeeping (#4735) 2025-07-16 18:53:59 +02:00
Quentin Gliech
0f45344937 Allow running jobs from the job queue in tests (#4775) 2025-07-11 14:47:23 +02:00
Quentin Gliech
716640486e Make the task State::clock() return a &dyn Clock instead of a BoxClock 2025-07-09 17:20:03 +02:00
Quentin Gliech
39b3dbe5db Make email address lookups case-insensitive 2025-07-08 18:01:20 +02:00
Quentin Gliech
e8627166a9 Log out oauth & compat sessions when receiving a backchannel logout request 2025-07-04 16:27:10 +02:00
Quentin Gliech
84d9e47e23 Compose filters for batch logging out of browser sessions 
Instead of having to load all authentication sessions in memory, we
allow composing browser session filters with a upstream auth sessions
filter
 2025-07-04 16:27:10 +02:00
Quentin Gliech
500e25a069 storage: allow filtering browser sessions by which upstream session 
authd them
 2025-07-04 16:27:10 +02:00
Quentin Gliech
db8c557f81 Backchannel logout behavior settings on upstream providers 2025-07-04 16:27:10 +02:00
Quentin Gliech
aaf4bf588f Allow filtering upstream sessions by sub and sid claims 2025-07-04 16:27:09 +02:00
Quentin Gliech
a3acec4973 storage: list and count methods for upstream oauth sessions 2025-07-04 16:27:09 +02:00
Quentin Gliech
5b7bf232d6 Record the decoded ID token claims on upstream auth sessions 2025-07-04 16:27:09 +02:00
Jason Volk
f5f66c0a42 Fix rogue invalid characters inside doc comments. 
Signed-off-by: Jason Volk <jason@zemos.net>
 2025-06-30 17:06:58 +00:00
Quentin Gliech
6421d9d1f5 Add license headers in most files that missed them 2025-06-12 11:01:07 +02:00
Quentin Gliech
52b0a9b2ba Update license headers to match the actual license 2025-06-12 10:32:16 +02:00
Quentin Gliech
69e3001966 Define all the dependencies at the workspace level 2025-06-10 14:25:38 +02:00
Quentin Gliech
5a4bc59bd3 Admin API to edit registration tokens 2025-06-05 18:22:16 +02:00
Quentin Gliech
5a34e28f4c Admin API to un-revoke a user registration token. 2025-06-05 16:56:42 +02:00
Quentin Gliech
8a6fd1d6b2 List and count methods on the UserRegistrationTokenRepository 2025-06-03 17:42:53 +02:00
Quentin Gliech
e28221ac49 Data model and repository for user registration tokens 2025-06-03 17:42:52 +02:00
Quentin Gliech
bdd56faa02 Don't hold database connections open when talking to the homeserver (#4527) 2025-05-09 09:13:42 +02:00
Quentin Gliech
481b2d4cf9 Move the pool acquisition metric logic to the PgRepositoryFactory 2025-05-07 17:09:20 +02:00
Quentin Gliech
90faa72633 Introduce a RepositoryFactory 2025-05-07 17:00:49 +02:00
Quentin Gliech
955bd28590 Don't generate and send a nonce for non-OIDC-compliant auth requests 2025-05-07 15:34:27 +02:00
Doug
7f91c8948b Add a configuration for forwarding the login hint to the upstream provider. 2025-05-06 17:50:33 +01:00
Quentin Gliech
7b9b44c644 Allow setting custom names on sessions (#4459) 2025-04-30 15:32:25 +02:00
Quentin Gliech
aba9ca38e6 Insert client_name when upserting statically registered clients (#4417) 2025-04-30 11:50:49 +02:00
Quentin Gliech
3b9d580b17 storage: methods to set the sessions human name 2025-04-25 16:55:30 +02:00
Quentin Gliech
234de8b737 Save the locale detected when starting an authorization grant 2025-04-25 12:55:22 +02:00
Quentin Gliech
bcd83ef649 storage: allow setting the human_name when creating compat sessions 2025-04-25 12:55:10 +02:00
Quentin Gliech
f457bd8d35 Don't parse the user agent unless we need to 2025-04-24 13:13:26 +02:00
Adis Veletanlic
7890862500 Add client_name to static registrations function and generate new query data 2025-04-16 11:44:58 +02:00
Quentin Gliech
c4f4f09336 Lookup usernames case insensitively (#4378) 2025-04-14 15:51:59 +02:00
Quentin Gliech
a47dba1b1d Always ask for consent, never for reauth (#4386) 2025-04-14 15:51:48 +02:00
Quentin Gliech
73a4007c18 Always ask for consent, never for reauth 
Now that we have deduplicated clients, we're in this weird situation
where authorization grants just… go through.

This is because 4 years ago, I designed it to support prompt=consent and
prompt=none, but that never ended up being used/mentioned in the MSCs.

We also had support for max_age, but that required reauthing, which
doesn't work well with upstream providers.

So this removes support for prompt=consent|none and max_age, and makes
sure we always go through the consent page.

Lots of code deleted, yay!
 2025-04-10 19:57:45 +02:00
Quentin Gliech
7f0dcaa73f Lookup usernames case insensitively 2025-04-10 18:36:43 +02:00
mcalinghee
4269bc3ce3 correct format and translation 2025-04-10 17:57:58 +02:00
mcalinghee
2fe4752aa4 add login by email + feature flag 2025-04-10 17:57:58 +02:00
Quentin Gliech
e064c381b6 Admin API for adding and removing upstream oauth links (#4255) 2025-04-09 13:33:16 +02:00
Quentin Gliech
2c6e2b42a1 compat login: support using client-provided device ID (#4342) 2025-04-07 08:52:29 +02:00
Olivier 'reivilibre
74276140c6 UNFINISHED: finish active sessions when replacing a device 2025-04-04 17:52:08 +01:00