Commit Graph
13 Commits
Author SHA1 Message Date
andrew rumbleandCopybot 032deaf05c Switch to mongodb-legacy
GitOrigin-RevId: 11e09528c153de6b7766d18c3c90d94962190371
2024-08-21 08:04:24 +00:00
Antoine ClausseandCopybot 5f2718cf29 [web] Make rate-limit on login consistent, prevent "trim/case bypass" (#19555)
* Replace `LoginRateLimiter.processLoginRequest` call by use of `RateLimiterMiddleware`

* Lowercase the email to avoid rate-limit bypass

* Remove unit test "when the users rate limit"

* Use `EmailHelper.parseEmail` to normalize email in `processLoginRequest`

This should address the `trim()` bypass

* Use `.trim().toLowerCase()` instead of `EmailHelper.parseEmail`

We can't use `EmailHelper.parseEmail`, else it breaks the test (and feature): "with username that does not look like an email"

* Add acceptance test for rate limit

* Add comment on rate limits

* Rename `rateLimiter` to `rateLimiterLoginEmail` for clarity

* Make the login rate limits configurable from the settings

GitOrigin-RevId: cf1c3a416745f2b007c85014a5084570d4a049a7
2024-07-30 08:04:26 +00:00
Jakob AckermannandCopybot 84a2b25a3c Merge pull request #17401 from overleaf/jpa-skip-hibp-known-device
[web] skip HIBP check from known devices

GitOrigin-RevId: 897df02492aafeac010753c7c306e02bde5b1fd8
2024-03-05 09:03:37 +00:00
Mathias JakobsenandCopybot c371732e6e Merge pull request #16186 from overleaf/mj-mongo-object-id
[web] Use constructor for ObjectId

GitOrigin-RevId: 9eb8b377ea599605b72af237d1ab12f4d8287162
2023-12-19 09:04:02 +00:00
June KellyandCopybot 9e824ac93c Merge pull request #9951 from overleaf/jk-audit-failed-login-attempts
[web] Audit failed login attempts

GitOrigin-RevId: 19325f808f77584891e1e12b5ed7aaa16aa6aec9
2022-10-20 08:03:44 +00:00
Miguel SerranoandCopybot 74f44e655a Merge pull request #9617 from overleaf/msm-audit-log-collections
Move project/user audit logs to their own collections

GitOrigin-RevId: f6f89b3e2815c0fe5691a79eceb35b77b3c370d8
2022-09-30 08:04:17 +00:00
Jakob AckermannandCopybot 8e77ada424 Merge pull request #6417 from overleaf/jpa-device-history
[web] add cookie/JWE based device history for skipping captcha challenge

GitOrigin-RevId: b091564bfd93f7e587d396c860fd864f220f4b63
2022-01-27 09:03:34 +00:00
June KellyandCopybot c72ec548bb Merge pull request #5976 from overleaf/jk-login-audit-log-type
[web] Add 'method' info to login audit log

GitOrigin-RevId: 093fe885bc1b688aebd640d6762f031c752191d4
2022-01-14 09:02:28 +00:00
Jakob AckermannandCopybot 13b8321986 Merge pull request #5375 from overleaf/jpa-401-failed-login
[web] send a non success status code for failed logins in Server CE/Pro

GitOrigin-RevId: 1aace4456c8602af26a362346bfc462e1476b0f7
2021-10-07 08:04:49 +00:00
Alf EatonandCopybot 1be43911b4 Merge pull request #3942 from overleaf/prettier-trailing-comma
Set Prettier's "trailingComma" setting to "es5"

GitOrigin-RevId: 9f14150511929a855b27467ad17be6ab262fe5d5
2021-04-28 02:10:01 +00:00
Alf EatonandCopybot 1ebc8a79cb Merge pull request #3495 from overleaf/ae-prettier-2
Upgrade Prettier to v2

GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33
2021-04-15 02:05:22 +00:00
Shane KilkellyandCopybot 04fa863f9f Merge pull request #3892 from overleaf/sk-reroll-csrf
Regenerate CSRF token on login

GitOrigin-RevId: 501582b34794a822f4c9fe3af2575b5756511e06
2021-04-10 02:05:13 +00:00
Timothée AlbyandCopybot 8ec7ebe645 Merge pull request #3713 from overleaf/jpa-login-event-drop-pii
[AuthenticationController] do not include PII as part of login event

GitOrigin-RevId: 274378b3a21945637dc33d2cfb39a53e9aaad9b7
2021-03-30 02:05:09 +00:00