Occasionally a page was deleted, i.e. saved with no text, upon relogin
forced by oauth. It is unclear how this was caused, but this fix should
prevent the deletion and show the page before editing to the user.

If the session is lost, possibly due to bad server configuration, try a
silent relogin if a cookie is present that indicates an oauth-session.
If auth_security_timeout is triggered try to re-login based on the
existing session data.
In both cases: Mostly correctly re-set the previous state after re-login.
Some actions do not work as expected, e.g. pagination in old revisions.

It was decided not to use refresh-tokens. The desired functionality can
be achieved by an online-relogin just as well. Hence this should be
preferred to the more user-security invasive refresh-token mechanism.

As requested in issue 10, add an option to only allow a single external
service for login, while also deactivating authentication against local
database.

Some providers need an exact matching redirect URL configured (Google),
so we cannot keep any dynamic info in the URL. Instead we store it in
the user's session.

To prevent people from logging into an existing account with a newly
created social account with a forged email address, we only allow logins
with previously approved service providers.
When a user logs in for the first time, e.g. the email does not exist,
then the user is created and the social account is approved
automatically.
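
The approval rule from the last commit message, sketched as an added Python example (not code from the project). The names `Account`, `resolve_social_login`, `approve_service`, the in-memory `accounts` dict and the lowercase email normalization are hypothetical stand-ins for the real user store.

```python
from dataclasses import dataclass, field


class LoginRejected(Exception):
    """Raised when a provider is not approved for an existing account."""


@dataclass
class Account:
    email: str
    approved_services: set = field(default_factory=set)


def resolve_social_login(accounts, service, email):
    """Return (account, created) for a completed OAuth login, or raise.

    accounts: dict mapping normalized email -> Account (stand-in user DB).
    service:  name of the provider that just authenticated the user.
    email:    address reported by that provider; not proof of ownership
              of an account that already exists.
    """
    key = email.strip().lower()  # normalization is an assumption
    account = accounts.get(key)

    if account is None:
        # First login: the email is unknown, so the user is created and
        # the service that was used is approved automatically.
        account = Account(email=key, approved_services={service})
        accounts[key] = account
        return account, True

    if service not in account.approved_services:
        # Existing account, unapproved provider: a matching email alone
        # must not grant access, otherwise a forged address at a new
        # provider would take over the account.
        raise LoginRejected(f"{service} is not approved for {key}")

    return account, False


def approve_service(account, service):
    """Assumed to be reachable only from the owner's authenticated session."""
    account.approved_services.add(service)
```
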