mastodon/app
Claire b6b19419e2 Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2022-01-28 22:53:15 +01:00
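To make the two failure modes in the commit message concrete, here is an added, self-contained Ruby sketch (not Mastodon's or Devise's code) that models both designs: a Rememberable-style token stored once per user and shared by every browser, beside the fixed design where the per-browser `_session_id` token is the only auto-login credential. The cookie signing is a bare HMAC stand-in for Rails signed cookies, and the secret, user names and helper names are constructed for the illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed example secret; stands in for Rails' secret_key_base.
COOKIE_SECRET = 'constructed-example-secret'.freeze

def hmac(value)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), COOKIE_SECRET, value)
end

def sign(value)
  "#{value}--#{hmac(value)}"
end

# Constant-time comparison so a forged MAC can't be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the signed value, or nil for a missing, malformed or tampered cookie.
def verify(cookie)
  return nil unless cookie
  value, mac = cookie.split('--', 2)
  return nil unless value && mac
  secure_compare(mac, hmac(value)) ? value : nil
end

# Before the fix: one remember token per user, plus per-browser session rows
# that can be revoked (the /auth/edit sessions list) or simply expire.
class SharedRememberAuth
  def initialize
    @remember_tokens = {} # user => token shared by all of that user's browsers
    @sessions = {}        # session_id => { user:, revoked: }
  end

  def login(user)
    @remember_tokens[user] ||= SecureRandom.hex(16)
    { '_session_id' => sign(new_session(user)),
      'remember_user_token' => sign(@remember_tokens[user]) }
  end

  def revoke_session(sid)
    @sessions[sid][:revoked] = true
  end

  # Session row gone (store expired, browser closed): only the cookies remain.
  def expire_session(sid)
    @sessions.delete(sid)
  end

  # Logging out "forgets" the user, so every other browser loses auto-login too.
  def logout(cookies)
    sid = verify(cookies['_session_id'])
    session = sid && @sessions.delete(sid)
    @remember_tokens.delete(session[:user]) if session
  end

  def current_user(cookies)
    sid = verify(cookies['_session_id'])
    session = sid && @sessions[sid]
    return session[:user] if session && !session[:revoked]
    # Falling back to the remember cookie spawns a fresh session even though
    # this browser's session was just revoked: the revival bug.
    token = verify(cookies['remember_user_token'])
    user = token && @remember_tokens.key(token)
    return nil unless user
    cookies['_session_id'] = sign(new_session(user))
    user
  end

  private

  def new_session(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, revoked: false }
    sid
  end
end

# After the fix: the long-lived _session_id cookie is the remember token and
# belongs to one browser, so revocation and logout are per browser.
class SessionTokenAuth
  def initialize
    @sessions = {}
  end

  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, revoked: false }
    { '_session_id' => sign(sid) }
  end

  def revoke_session(sid)
    @sessions[sid][:revoked] = true
  end

  def logout(cookies)
    sid = verify(cookies['_session_id'])
    @sessions.delete(sid) if sid
  end

  def current_user(cookies)
    sid = verify(cookies['_session_id'])
    session = sid && @sessions[sid]
    session && !session[:revoked] ? session[:user] : nil
  end
end

# Walk both designs through the two scenarios from the commit message.
def demonstrate
  r = {}
  old = SharedRememberAuth.new
  alice = old.login('alice')
  old.revoke_session(verify(alice['_session_id']))
  r[:shared_revived_after_revoke] = old.current_user(alice)    # "alice"
  a = old.login('bob'); b = old.login('bob')
  old.logout(a)
  old.expire_session(verify(b['_session_id']))
  r[:shared_other_browser_autologin] = old.current_user(b)     # nil

  fixed = SessionTokenAuth.new
  alice = fixed.login('alice')
  fixed.revoke_session(verify(alice['_session_id']))
  r[:fixed_revived_after_revoke] = fixed.current_user(alice)   # nil
  a = fixed.login('bob'); b = fixed.login('bob')
  fixed.logout(a)
  r[:fixed_other_browser_autologin] = fixed.current_user(b)    # "bob"
  r[:forged_cookie] = fixed.current_user('_session_id' => 'deadbeef--0000') # nil
  r
end

puts demonstrate.inspect if $PROGRAM_NAME == __FILE__
```

The part the sketch does not model is cookie lifetime: for `_session_id` to take over the remember role, the session cookie itself has to outlive the browser session, and the server-side session row (not the cookie) is what `revoke_session` and `logout` act on, so a revoked row can never be brought back by presenting an old cookie.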
chewy Change tootctl search deploy algorithm (#14300) 2020-07-14 18:10:35 +02:00
controllers Fix reviving revoked sessions and invalidating login (#16943) 2022-01-28 22:53:15 +01:00
helpers Change RTL detection to rely on unicode-bidi paragraph by paragraph (#14573) 2020-12-15 12:56:43 +01:00
javascript New Crowdin updates (#15413) 2020-12-26 23:51:46 +01:00
lib Fix invalid blurhash handling in Create activity (#16583) 2022-01-28 22:53:15 +01:00
mailers Change account suspensions to be reversible by default (#14726) 2020-09-15 14:37:58 +02:00
models Fix reviving revoked sessions and invalidating login (#16943) 2022-01-28 22:53:15 +01:00
policies Fix admins being able to suspend their instance actor (#14567) 2020-12-15 17:23:58 +01:00
presenters Fix performance on instances list in admin UI (#15282) 2020-12-14 09:06:34 +01:00
serializers use relative path for scope (#16714) 2022-01-28 22:39:48 +01:00
services Fix remotely-suspended accounts' toots being merged back into timelines (#16628) 2022-01-28 22:53:15 +01:00
validators Fix follow limit preventing re-following of a moved account (#14207) 2020-12-18 09:18:31 +01:00
views Fix custom CSS when CDN_HOST is set (#15927) 2022-01-28 22:39:48 +01:00
workers Fix newlines in account notes added by the Move handler (#16415) 2022-01-28 22:53:15 +01:00