leap_web.git/users/lib, branch 0.2.5 [leap_web] security fix: clear srp data from db asap (#3686) 2013-09-23T09:38:20+00:00 Azul azul@leap.se 2013-09-23T08:20:02+00:00 80bcb7d273395af614730024e21a92a1c568228d This is a quick fix for iSEC issue #13. 
This is a quick fix for iSEC issue #13.
close srp vulnerability and report error in webapp 2013-08-08T08:44:33+00:00 Azul azul@leap.se 2013-08-07T16:09:20+00:00 a0b276e4b8ae86dec7deee898e85b65784d89933 






use ruby-srp 0.2.0 which has a hex based api
2013-07-16T10:32:43+00:00

Azul
azul@leap.se

2013-07-16T10:32:43+00:00

6e47ea438cf35c6cad00e65e2817cb57d07db111












print debug info on failed login attempts
2013-07-12T07:34:37+00:00

Azul
azul@leap.se

2013-06-24T10:16:04+00:00

76e36080ed56c33f220509bd67a3693bf9d7567b












Want to tweak some, but start to displaying base generic message via javascript.
2013-06-27T19:31:39+00:00

jessib
jessib@leap.se

2013-06-27T19:31:39+00:00

a01e7686ea7c046a9cd544b618b30727f2a41b3b












Merge branch 'master' into feature/limit_user_leak
2013-03-05T12:35:05+00:00

Azul
azul@leap.se

2013-03-05T12:35:05+00:00

27c16ccceffa1d8eaaf02612cf29a60bfe6ced01

Conflicts:
	users/lib/warden/strategies/secure_remote_password.rb





Conflicts:
	users/lib/warden/strategies/secure_remote_password.rb







When attempting to login, the error messages should not leak information about whether a username is valid.
2013-02-28T19:54:24+00:00

jessib
jessib@leap.se

2013-02-28T19:54:24+00:00

a1279ecca51fbe7014d841ed6bca8842d3441814

This also means the error message is more appropriate if somebody tries to login with somebody else's username and their password.





This also means the error message is more appropriate if somebody tries to login with somebody else's username and their password.







api for sessions fixed
2013-02-26T10:45:56+00:00

Azul
azul@leap.se

2013-02-26T10:42:19+00:00

4a92bab4d8c231a17a14afc81c391f9a1f91c063

* now we return the user id on login
* allow a destroy request for logging out
* added test for api sessions controller





* now we return the user id on login
* allow a destroy request for logging out
* added test for api sessions controller







using ruby-srp 0.1.5 SRP::Client to wrap user in session
2013-02-06T15:16:34+00:00

Azul
azul@leap.se

2013-02-06T15:16:34+00:00

1bf82535b25cb17c58a196fdaab639040f48e769












Removing aliases from webfinger as the link wouldn't work anyway, and don't want to leak ID information.
2013-01-24T19:38:11+00:00

jessib
jessib@leap.se

2013-01-24T19:38:11+00:00

9d053b6c9b61c68bf11f95bcb37631a518f1fba4