Pēteris Caune
7252f2f101
Fix _allow_redirect function to reject absolute URLs
This fixes a security issue:
- attacker crafts a redirect URL to an external site
- attacker gets victim to click on it
- victim logs in
- after login, Healthchecks redirects victim to the external site
The _allow_redirect function now additionally
requires the redirect URL is relative (has no scheme or domain).
3 years ago
Pēteris Caune
f85aec225d
Fix redirect-after-login when using TOTP
If user has both WebAuthn and TOTP configured,
when logging in, they will be asked to choose between
"Use security keys" and "Use authenticator app".
The "Use authenticator app" is a link to a different
page (/accounts/login/two_factor/totp/). This commit makes
sure the ?next= query parameter is preserved when navigating
to that page.
For reference, the ?next= query parameter is the URL we should
redirect to after a successful login. Use case:
User is logged out. They click on a bookmarked "Check Details"
link. They get redirected to the login form. After
entering username & password and completing 2FA,
they get redirected to the "Check Details" page they
originally wanted to visit.
3 years ago
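The two commits above describe the same `?next=` parameter from both sides: it must be carried through every step of the login flow (including the "Use authenticator app" link to /accounts/login/two_factor/totp/), and it must be validated before the post-login redirect so that an attacker-supplied absolute URL cannot send the victim off-site. The block below is an added example of such a check, not the project's `_allow_redirect` function; the names `allow_redirect`, `totp_login_url`, `post_login_redirect`, the 2048-character cap and the "/" fallback are assumptions for illustration. It goes slightly beyond the commit text by also rejecting the protocol-relative and backslash forms (`//host`, `///host`, `/\host`) that browsers resolve to another origin even though they contain no scheme.

```python
"""Validate post-login redirect targets and carry ?next= across the
2FA method-selection step.

Added example, not Healthchecks code. Function names, the length cap
and the fallback path are assumptions for illustration; the TOTP path
is the one named in the commit message."""
from urllib.parse import urlencode, urlsplit

TOTP_LOGIN_PATH = "/accounts/login/two_factor/totp/"
DEFAULT_AFTER_LOGIN = "/"  # assumed fallback when ?next= is missing or unsafe


def allow_redirect(url: str) -> bool:
    """Return True only for a relative, same-site path such as /checks/.../details/.

    Rejects anything a browser would resolve to another origin:
    absolute URLs (scheme present), protocol-relative URLs (//host, ///host),
    backslash variants (/\\host, which browsers treat as //host) and
    strings containing control characters."""
    if not url or len(url) > 2048:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat backslashes as forward slashes, so normalise before
    # parsing: "/\\evil.example" must be seen as "//evil.example".
    normalised = url.replace("\\", "/")
    # Two or more leading slashes become an authority in browsers.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    return parts.path.startswith("/")


def totp_login_url(next_url: str) -> str:
    """Build the 'Use authenticator app' link, preserving ?next= when it is safe.

    An unsafe value is dropped rather than forwarded, so the TOTP page
    never receives a redirect target that the final check would reject."""
    if allow_redirect(next_url):
        return f"{TOTP_LOGIN_PATH}?{urlencode({'next': next_url})}"
    return TOTP_LOGIN_PATH


def post_login_redirect(next_url: str) -> str:
    """Pick the destination after a successful login (password + 2FA)."""
    return next_url if allow_redirect(next_url) else DEFAULT_AFTER_LOGIN


if __name__ == "__main__":
    # Constructed inputs: one legitimate bookmarked path, then attacker forms.
    for candidate in (
        "/checks/abc/details/",
        "https://evil.example/",
        "//evil.example/",
        "///evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "checks/",
    ):
        print(f"{candidate!r:32} allowed={allow_redirect(candidate)}")
    print(totp_login_url("/checks/abc/details/"))
    print(post_login_redirect("https://evil.example/"))
```

Django's `url_has_allowed_host_and_scheme` performs the same kind of normalisation when a project needs to allow a list of trusted hosts as well; the stricter relative-only rule above matches what the commit message describes.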
Pēteris Caune
e6427995b7
Add Whitenoise and improve README
Fixes: #548
3 years ago
Pēteris Caune
ca3afa33f9
Add auth method selection step
This has dual purpose:
* if user has both WebAuthn and TOTP set up, they can choose
between the two as equal options.
* we initiate WebAuthn flow only after an explicit user action
(button press). This may help with authentication failures
on recent MacOS, iOS and iPadOS versions [1]
[1] https://support.yubico.com/hc/en-us/articles/360022004600-No-reaction-when-using-WebAuthn-on-macOS-iOS-and-iPadOS
3 years ago
Pēteris Caune
f3af13654e
Refactor email sending functions to allow customization
For example, if we need to use a custom From: address,
we can now do:
m = make_message("template-name", recipient, ctx)
m.from_email = "...." # customize here
send(m)
3 years ago
Pēteris Caune
fca600659d
Improve hc.lib.emails.send()
- add optional `from_email` argument
- add test cases that exercise the retry loop
3 years ago
Pēteris Caune
c3d458f6f0
Fix the unsubscribe_reports view to handle already deleted users
3 years ago
Pēteris Caune
d60d8a43b6
Add protection against TOTP code reuse
3 years ago
Pēteris Caune
8ed5e93cd2
Add rate limiting for TOTP auth attempts
3 years ago
Pēteris Caune
222722569e
Add support for 2FA using TOTP
Fixes: #354
3 years ago
Pēteris Caune
bbd2786e0f
Optimize queries and fix team member sorting
3 years ago
Pēteris Caune
e1c3beb4e9
Add test cases for manager operations
3 years ago
Pēteris Caune
4f83f8c06b
Fix a 403 when transferring a project to a read-only team member
3 years ago
swoga
9640d2242f
feat: add manager role
3 years ago
Pēteris Caune
ce9ff3ac42
Add a migration to remove Member.rw
3 years ago
Pēteris Caune
cb799dbd29
Remove the Member.rw field (superseded by Member.role)
3 years ago
Pēteris Caune
936a5213f8
Switch from Member.rw to Member.role as the source of truth
3 years ago
Pēteris Caune
d19cb8c681
Add a data migration to populate Member.role
3 years ago
Pēteris Caune
5230dbb425
Add Member.role field
3 years ago
Pēteris Caune
e46000ecdf
Add admin action to log in as any user
3 years ago
Pēteris Caune
2382bf6722
Add SITE_LOGO_URL setting
Fixes: #323
3 years ago
Pēteris Caune
b75b062559
Remove unsigned token support in hc.front.views.unsubscribe_email
3 years ago
Pēteris Caune
d243f502d3
Fix off-by-one-month error in monthly reports, downtime columns
Fixes: #539
3 years ago
Pēteris Caune
61a8a8de26
Remove Profile.reports_allowed (obsolete)
It is obsoleted by Profile.reports
3 years ago
swoga
b70e2c9a25
feat: treat failure before success
3 years ago
Pēteris Caune
8a154cbaf5
Expose Credentials model in Django admin
This is to help troubleshoot 2FA issues without
running manual SQL queries.
3 years ago
Pēteris Caune
2d20f439dd
Remove PagerDuty Connect
PagerDuty Connect is deprecated and will be discontinued.
It is replaced by PagerDuty Simple Install Flow (see
README for setup instructions).
3 years ago
Pēteris Caune
6c10980889
Add Account Settings > Appearance page
3 years ago
Pēteris Caune
fd7ab5e767
Implement PagerDuty Simple Install Flow
3 years ago
Pēteris Caune
a0cd2c63e9
Update report templates for weekly reports
4 years ago
Pēteris Caune
8ce09ab9e5
Widen report time window to 9AM - 11AM
4 years ago
Pēteris Caune
548b2ac33c
Update the signup form to collect browser's timezone
4 years ago
Pēteris Caune
6094bca241
Improve wording
4 years ago
Pēteris Caune
fa5dd8b45a
Add mitigation for bad tz values
4 years ago
Pēteris Caune
df44ee58c0
Add an option for weekly reports (in addition to monthly)
4 years ago
Pēteris Caune
03a538c5e2
Add Profile.reports field
This is in preparation of adding an option for weekly
reports (#407)
4 years ago
Pēteris Caune
e91441d814
Add fallback for legacy sms values
4 years ago
Pēteris Caune
855d188981
Add support for "... is UP" SMS notifications
Fixes: #512
4 years ago
Pēteris Caune
e090aa5403
Improve the handling of unknown email addresses in the Sign In form
4 years ago
Pēteris Caune
64f2e86051
Increase "Success / Failure Keywords" field lengths to 200
4 years ago
Pēteris Caune
6ed983cdd5
Improve copy in "Profile" > "Email and Password" section
When an account has a password, replace "Set Password"
button's label with "Change Password"
4 years ago
Pēteris Caune
6c8b6a2a19
Remove functools.cached_property usage
Cannot use functools.cached_property, as it was added in Py 3.8,
but we support 3.6+
4 years ago
Pēteris Caune
738a648407
Improve project sorting in the "My Projects" page
Primary sort key: projects with overall_status=down go first
Secondary sort key: project's name
4 years ago
Pēteris Caune
4587b45cab
Add more tests for hc.api.views.create_check
4 years ago
Pēteris Caune
2831e5d7c1
Add a test case for filtering flips by timestamp
4 years ago
Pēteris Caune
742af7bfd8
Remove unused return statement
4 years ago
Pēteris Caune
78652b5659
Upgrade Django version to 3.2
4 years ago
Pēteris Caune
67d11e8d40
Fix the month boundary calculation in monthly reports
Fixes: #497
4 years ago
Pēteris Caune
68b1d5bb8b
Fix the "Email Reports" screen to clear Profile.next_nag_date
4 years ago
Pēteris Caune
1d6b75d5dc
Move Profile *model* tests to test_profile_model
4 years ago