delta/gitlab/gitlab-ce.git/spec/controllers/sessions_controller_spec.rb, branch api-shared-groups gitlab.com: gitlab-org/gitlab-ce.git Add a U2F-specific audit log entry after logging in. 2016-06-06T07:20:31+00:00 Timothy Andrew mail@timothyandrew.net 2016-06-06T04:52:06+00:00 4db19bb4455cd21e80097a3e547d8b266a884aea - "two-factor" for OTP-based 2FA - "two-factor-via-u2f-device" for U2F-based 2FA - "standard" for non-2FA login 
- "two-factor" for OTP-based 2FA
- "two-factor-via-u2f-device" for U2F-based 2FA
- "standard" for non-2FA login
Merge branch 'upgrade-devise-two-factor' into 'master' 2016-06-02T00:44:41+00:00 Robert Speicher robert@gitlab.com 2016-06-02T00:44:41+00:00 7d33fba7af94667311ab9a7d7d7041ed72ba3937 Upgrade devise, devise-two-factor, and attr_encrypted Devise 4 includes support for Rails 5, working towards #14286. devise-async doesn't support Devise 4.0 and in 4.1 the bug that was blocking using Devise's built-in ActiveJob integration was fixed. So devise-async is removed. devise-two-factor 3.0.0 is required for Devise 4 support. attr_encrypted and encryptor are optional but recommended upgrades for devise-two-factor 3.0.0. The mode and algorithm will need to be changed in order to update to attr_encrypted 4.x in the future. See merge request !4216 

Upgrade devise, devise-two-factor, and attr_encrypted

Devise 4 includes support for Rails 5, working towards #14286. devise-async doesn't support Devise 4.0 and in 4.1 the bug that was blocking using Devise's built-in ActiveJob integration was fixed. So devise-async is removed. devise-two-factor 3.0.0 is required for Devise 4 support.

attr_encrypted and encryptor are optional but recommended upgrades for devise-two-factor 3.0.0. The mode and algorithm will need to be changed in order to update to attr_encrypted 4.x in the future.

See merge request !4216
 Pass the "Remember me" value to the 2FA token form 2016-05-31T02:25:35+00:00 Robert Speicher rspeicher@gmail.com 2016-05-31T02:17:26+00:00 a602df303175aaaf1d5b60a2c009f5e259d187db Prior, if a user had 2FA enabled and checked the "Remember me" field, the setting was ignored because the OTP input was on a new form and the value was never passed. Closes #18000 
Prior, if a user had 2FA enabled and checked the "Remember me" field,
the setting was ignored because the OTP input was on a new form and the
value was never passed.

Closes #18000
Fix a broken spec 2016-05-30T19:51:21+00:00 Connor Shea connor.james.shea@gmail.com 2016-05-19T22:36:50+00:00 5647fb14b6d638bb168014e997ecd2d29175249f Temporary fix until Devise 4 fixes this grammar issue: https://github.com/plataformatec/devise/issues/4095 
Temporary fix until Devise 4 fixes this grammar issue:
https://github.com/plataformatec/devise/issues/4095
Enable RSpec/NotToNot cop and auto-correct offenses 2016-05-24T19:40:29+00:00 Robert Speicher rspeicher@gmail.com 2016-05-23T23:37:59+00:00 75739e54be0fca389c05d3d9d3de69737c0ff3ab Also removes the note from the development/testing.md guide 
Also removes the note from the development/testing.md guide
Make sessions controller specs more explicit 2016-04-07T11:16:48+00:00 Grzegorz Bizon grzesiek.bizon@gmail.com 2016-04-07T09:45:04+00:00 33a8dfd04fbd1c0858ead20c020ede07e7b0962a 






Fix 2FA authentication spoofing vulnerability
2016-04-07T09:19:29+00:00

Grzegorz Bizon
grzesiek.bizon@gmail.com

2016-04-07T09:19:29+00:00

00da609cfd8bf1105fe433dfc92ab263d6205eaf

This commit attempts to change default user search scope if otp_user_id
session variable has been set. If it is present, it means that user has
2FA enabled, and has already been verified with login and password. In
this case we should look for user with otp_user_id first, before picking
it up by login.





This commit attempts to change default user search scope if otp_user_id
session variable has been set. If it is present, it means that user has
2FA enabled, and has already been verified with login and password. In
this case we should look for user with otp_user_id first, before picking
it up by login.







Add specs for sessions controller  including 2FA
2016-04-06T10:26:10+00:00

Grzegorz Bizon
grzesiek.bizon@gmail.com

2016-04-06T10:26:10+00:00

301f4074aa05f25757396182490c3ebfffe1e81c

This also contains specs for a bug described in #14900





This also contains specs for a bug described in #14900