mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-23 08:36:29 +00:00
Merge branch 'fix/remote-follow-auth' into 'develop'
Fix: remote follows should not ask user to log-in again for authorization See merge request pleroma/pleroma!1060
This commit is contained in:
commit
02a53d00c9
4 changed files with 13 additions and 10 deletions
|
@ -32,6 +32,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Federation: Expand the audience of delete activities to all recipients of the deleted object
|
- Federation: Expand the audience of delete activities to all recipients of the deleted object
|
||||||
- Federation: Removed `inReplyToStatusId` from objects
|
- Federation: Removed `inReplyToStatusId` from objects
|
||||||
- Configuration: Dedupe enabled by default
|
- Configuration: Dedupe enabled by default
|
||||||
|
- Configuration: Added `extra_cookie_attrs` for setting non-standard cookie attributes. Defaults to ["SameSite=Lax"] so that remote follows work.
|
||||||
- Pleroma API: Support for emoji tags in `/api/pleroma/emoji` resulting in a breaking API change
|
- Pleroma API: Support for emoji tags in `/api/pleroma/emoji` resulting in a breaking API change
|
||||||
- Mastodon API: Support for `exclude_types`, `limit` and `min_id` in `/api/v1/notifications`
|
- Mastodon API: Support for `exclude_types`, `limit` and `min_id` in `/api/v1/notifications`
|
||||||
- Mastodon API: Add `languages` and `registrations` to `/api/v1/instance`
|
- Mastodon API: Add `languages` and `registrations` to `/api/v1/instance`
|
||||||
|
|
|
@ -154,7 +154,10 @@ config :pleroma, Pleroma.Web.Endpoint,
|
||||||
signing_salt: "CqaoopA2",
|
signing_salt: "CqaoopA2",
|
||||||
render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)],
|
render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)],
|
||||||
pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2],
|
pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2],
|
||||||
secure_cookie_flag: true
|
secure_cookie_flag: true,
|
||||||
|
extra_cookie_attrs: [
|
||||||
|
"SameSite=Lax"
|
||||||
|
]
|
||||||
|
|
||||||
# Configures Elixir's Logger
|
# Configures Elixir's Logger
|
||||||
config :logger, :console,
|
config :logger, :console,
|
||||||
|
|
|
@ -221,6 +221,8 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i
|
||||||
- `scheme` - e.g `http`, `https`
|
- `scheme` - e.g `http`, `https`
|
||||||
- `port`
|
- `port`
|
||||||
- `path`
|
- `path`
|
||||||
|
* `extra_cookie_attrs` - a list of `Key=Value` strings to be added as non-standard cookie attributes. Defaults to `["SameSite=Lax"]`. See the [SameSite article](https://www.owasp.org/index.php/SameSite) on OWASP for more info.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Important note**: if you modify anything inside these lists, default `config.exs` values will be overwritten, which may result in breakage, to make sure this does not happen please copy the default value for the list from `config.exs` and modify/add only what you need
|
**Important note**: if you modify anything inside these lists, default `config.exs` values will be overwritten, which may result in breakage, to make sure this does not happen please copy the default value for the list from `config.exs` and modify/add only what you need
|
||||||
|
@ -442,6 +444,8 @@ The server should also be started with `OAUTH_CONSUMER_STRATEGIES="..." mix phx.
|
||||||
|
|
||||||
Note: each strategy requires separate setup (on external provider side and Pleroma side). Below are the guidelines on setting up most popular strategies.
|
Note: each strategy requires separate setup (on external provider side and Pleroma side). Below are the guidelines on setting up most popular strategies.
|
||||||
|
|
||||||
|
Note: make sure that `"SameSite=Lax"` is set in `extra_cookie_attrs` when you have this feature enabled. OAuth consumer mode will not work with `"SameSite=Strict"`
|
||||||
|
|
||||||
* For Twitter, [register an app](https://developer.twitter.com/en/apps), configure callback URL to https://<your_host>/oauth/twitter/callback
|
* For Twitter, [register an app](https://developer.twitter.com/en/apps), configure callback URL to https://<your_host>/oauth/twitter/callback
|
||||||
|
|
||||||
* For Facebook, [register an app](https://developers.facebook.com/apps), configure callback URL to https://<your_host>/oauth/facebook/callback, enable Facebook Login service at https://developers.facebook.com/apps/<app_id>/fb-login/settings/
|
* For Facebook, [register an app](https://developers.facebook.com/apps), configure callback URL to https://<your_host>/oauth/facebook/callback, enable Facebook Login service at https://developers.facebook.com/apps/<app_id>/fb-login/settings/
|
||||||
|
|
|
@ -58,14 +58,9 @@ defmodule Pleroma.Web.Endpoint do
|
||||||
do: "__Host-pleroma_key",
|
do: "__Host-pleroma_key",
|
||||||
else: "pleroma_key"
|
else: "pleroma_key"
|
||||||
|
|
||||||
same_site =
|
extra =
|
||||||
if Pleroma.Config.oauth_consumer_enabled?() do
|
Pleroma.Config.get([__MODULE__, :extra_cookie_attrs])
|
||||||
# Note: "SameSite=Strict" prevents sign in with external OAuth provider
|
|> Enum.join(";")
|
||||||
# (there would be no cookies during callback request from OAuth provider)
|
|
||||||
"SameSite=Lax"
|
|
||||||
else
|
|
||||||
"SameSite=Strict"
|
|
||||||
end
|
|
||||||
|
|
||||||
# The session will be stored in the cookie and signed,
|
# The session will be stored in the cookie and signed,
|
||||||
# this means its contents can be read but not tampered with.
|
# this means its contents can be read but not tampered with.
|
||||||
|
@ -77,7 +72,7 @@ defmodule Pleroma.Web.Endpoint do
|
||||||
signing_salt: {Pleroma.Config, :get, [[__MODULE__, :signing_salt], "CqaoopA2"]},
|
signing_salt: {Pleroma.Config, :get, [[__MODULE__, :signing_salt], "CqaoopA2"]},
|
||||||
http_only: true,
|
http_only: true,
|
||||||
secure: secure_cookies,
|
secure: secure_cookies,
|
||||||
extra: same_site
|
extra: extra
|
||||||
)
|
)
|
||||||
|
|
||||||
# Note: the plug and its configuration is compile-time this can't be upstreamed yet
|
# Note: the plug and its configuration is compile-time this can't be upstreamed yet
|
||||||
|
|
Loading…
Reference in a new issue