- Feb 21, 2020
-
-
GitLab Bot authored
-
- Jan 06, 2020
-
-
GitLab Bot authored
-
- Nov 01, 2019
-
-
GitLab Bot authored
-
- Oct 23, 2019
-
-
GitLab Bot authored
-
- Oct 10, 2019
-
-
GitLab Bot authored
-
- Sep 13, 2019
-
-
GitLab Bot authored
-
- Aug 31, 2019
-
-
dineshpanda authored
-
- Jul 31, 2019
-
-
mksionek authored
Add method to store session ids by ip
Add new specs for storing session ids
Add cleaning up records after login
Add retrieving anonymous sessions
Add login recaptcha setting
Add new setting to sessions controller
Add conditions for showing captcha
Add sessions controller specs
Add admin settings specs for login protection
Add new settings to api
Add stub to devise spec
Add new translation key
Add cr remarks
Rename class call
Add cr remarks
Change if-clause for consistency
Add cr remarks
Add code review remarks
Refactor AnonymousSession class
Add changelog entry
Move AnonymousSession class to lib
Move store unauthenticated sessions to sessions controller
Move link to recaptcha info
Regenerate text file
Improve copy on the spam page
Change action filter for storing anonymous sessions
Fix rubocop offences
Add code review remarks
-
- Jul 26, 2019
-
-
By not triggering the callback:
  - ActiveSession lookup keys are not cleaned
  - Devise also misses its hook related to session cleanup
-
- Jul 18, 2019
-
-
George Thomas authored
Closes #55564
This is first discovered in #54739 (comment 122609857) that if both if: and only: are used in a before_action or after_action or alike, if: is completely ignored.
-
- May 21, 2019
-
-
James Edwards-Jones authored
-
- Apr 24, 2019
-
-
- Apr 08, 2019
-
-
Martin Wortschack authored
  - Externalize strings in controllers
  - Update PO file
-
- Nov 15, 2018
-
-
Jasper Maes authored
-
- Sep 19, 2018
-
-
gfyoung authored
Enables frozen string for the following:
  * app/controllers/*.rb
  * app/controllers/admin/**/*.rb
  * app/controllers/boards/**/*.rb
  * app/controllers/ci/**/*.rb
  * app/controllers/concerns/**/*.rb
Partially addresses #47424.
-
- Sep 11, 2018
-
-
Yorick Peterse authored
This whitelists all existing offenses for the various CodeReuse cops, of which most are triggered by the CodeReuse/ActiveRecord cop.
-
- Jul 23, 2018
-
-
Grzegorz Bizon authored
-
- Jul 20, 2018
-
-
Lin Jen-Shin authored
We also try to unify the way we set up OmniAuth, and how we check if it's enabled or not.
-
- Jul 09, 2018
-
-
Lin Jen-Shin authored
-
- Jul 03, 2018
-
-
Stan Hu authored
-
- Jun 21, 2018
-
-
Stan Hu authored
This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header.
-
- May 04, 2018
-
-
Bob Van Landuyt authored
`InternalRedirect` prevents Open redirect issues by only allowing redirection to paths on the same host. It cleans up any unwanted strings from the path that could point to another host (fe. //about.gitlab.com/hello). While preserving the querystring and fragment of the uri.
It is already used by:
  - `TermsController`
  - `ContinueParams`
  - `ImportsController`
  - `ForksController`
  - `SessionsController`: Only for verifying the host in CE. EE allows redirecting to a different instance using Geo.
-
- Feb 28, 2018
-
-
Horatiu Eugen Vlad authored
-
- Jan 11, 2018
-
-
- Nov 23, 2017
-
-
- Oct 06, 2017
-
-
Toon Claes authored
In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to fewer errors introduced, doing write operations when they aren't allowed for read-only calls.
Closes gitlab-org/gitlab-ce#37534.
-
- Oct 05, 2017
-
-
Valery Sizov authored
-
- Sep 29, 2017
-
-
Brian Neel authored
-
- Sep 28, 2017
-
-
James Lopez authored
-
James Lopez authored
-
Brian Neel authored
-
Brian Neel authored
# This is the 1st commit message: Add logging for all web authentication events
# This is the commit message #2: Re-add underscore to after_inactive_sign_up_path_for
# This is the commit message #3: Standardize on username=
# This is the commit message #4: after_filter -> after_action, _resource -> resource
# This is the commit message #5: Add two-factor login failures and account lockouts
# This is the commit message #6: Move logging from two-factor concern to user model
# This is the commit message #7: Add spaces around default parameter assignments
# This is the commit message #8: Move logs out of user model
# This is the commit message #9: Replace filtered_params with user_params
# This is the commit message #10: Standardize case
# This is the commit message #1: Fixes for username and AppLogger.info
-
- Aug 24, 2017
-
-
Bob Van Landuyt authored
This avoids loading the `OmniAuthCallbacksController` at boot time so it doesn't mess up the `before_action`-chain
-
- Jul 27, 2017
-
-
Rubén Dávila authored
-
- Jul 24, 2017
-
-
Bob Van Landuyt authored
Otherwise the token might be cleared before authentication is done, causing the authentication itself to fail
-
- Jul 13, 2017
-
-
Robin Bobbitt authored
When sign-in is disabled:
  - skip password expiration checks
  - prevent password reset requests
  - don’t show Password tab in User Settings
  - don’t allow login with username/password for Git over HTTP requests
  - render 404 on requests to Profiles::PasswordsController
-
- Jul 12, 2017
-
-
Ben Kochie authored
-
- Jun 23, 2017
-
-
James Lopez authored
-
James Lopez authored
-
James Lopez authored
-