ash-project/ash_authentication
1
0
Fork 0
mirror of https://github.com/team-alembic/ash_authentication.git synced 2024-09-20 13:24:20 +12:00
Code Issues Projects Releases Packages Wiki Activity
603 commits 25 branches 98 tags 6.6 MiB
Commit graph

2 commits

Author SHA1 Message Date
James Harton
ca3dac3878
fix: don't allow special purpose tokens to be used for sign in. (#191) 
This fixes a security issue where someone in possession of a special purpose token (reset, confirmation, magic link, etc) would be able to access an API using this token.  We strongly encourage you to upgrade.

Closes #190.
 2023-02-12 21:14:16 +13:00
James Harton
d5c5d6b6c5
feat: Add token-required-for-authentication feature. (#116) 
* Adds the `require_token_presence_for_authentication?` DSL option to the Authentication extension which when enabled changes the following behaviour:
  1. The `store_in_session` plug will store the user's token rather than their subject in the session.
  2. The `retrieve_from_session` plug will look for a stored token in the session rather than a subject and ensure that it's present in the `TokenResource`.
  3. The `retrieve_from_bearer` plug will ensure that the token is present in the `TokenResource`.
* Adds the `get_token` action to the `TokenResource`.
 2023-01-11 15:12:53 +13:00