Commit graph

8 commits

Author SHA1 Message Date
Joseph Schorr
e220b50543 Refactor auth code to be cleaner and more extensible
We move all the auth handling, serialization and deserialization into a new AuthContext interface, and then standardize a registration model for handling of specific auth context types (user, robot, token, etc).
2018-02-14 15:35:27 -05:00
Joseph Schorr
1302fd2fbd Switch csrf token check to use compare_digest to prevent timing attacks
Also adds some additional tests for CSRF tokens
2016-12-08 23:46:31 -05:00
Joseph Schorr
ff52fde8a5 Have Quay always use an OAuth-specific CSRF token
This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token.

Fixes https://www.pivotaltracker.com/story/show/135803615
2016-12-08 16:11:57 -05:00
Joseph Schorr
4ca877c1d4 Add ability to download system logs
2014-12-23 14:01:00 -05:00
Jimmy Zelinskie
716d7a737b Strip whitespace from ALL the things.
2014-11-24 16:07:38 -05:00
jakedt
f1a7f86780 Fix CSRF token generation.
2014-03-25 17:51:22 -04:00
jakedt
219fbd6950 Make the CSRF checks mandatory.
2014-03-25 14:35:19 -04:00
jakedt
f060fd6ae0 Fix and unify CSRF support across web and API endpoints.
2014-03-25 14:32:26 -04:00