* Added checkbox to disable pass login in settings
* Added user_pass disable option in Login page context
* Hide user-pass fields when option disabled
* Added check for social login key and LDAP
* feat: Disable API based usr-pwd login
* style: format with black
* refactor: simplify auth validation
  No need for else clause
* refactor: fixup sys setting json and move field
* refactor: sys settings validation
* refactor: simpler imports
* chore: undo unintentional changes
* test: add test for disabled user pass
Co-authored-by: Ankush Menat <ankush@frappe.io>
Added slots for these classes:
- Session - Created on EACH request
- LoginManager - Created on each request
- Monitor - Created on each request if monitor is enabled (usually in prod setup)
refactor: clean up code to py39+ supported syntax
- f-strings instead of format
- latest typing support instead of pre 3.9 TitleCase
- remove UTF-8 declarations.
- many more changes
Powered by https://github.com/asottile/pyupgrade/ + manual cleanups
User.language should be given higher priority in terms of
authenticated user since they chose it. Even higher than the
browser they're using...even if the system locales aren't set
properly and browser isn't configured properly
Order of priority for setting language:
1. Form Dict => _lang
2. Cookie => preferred_language
3. Request Header => Accept-Language
4. User document => language
5. System Settings => language
Cookie is placed at #2 since the language picker in the navbar depends
on it. And the Accept-Language header sends values based on the client's locales.
---
Form Dict _lang now accepts language codes too. Previously, language
names were used...for whatever reason.
* Remove six for PY2 compatibility since our dependencies are not, PY2
is legacy.
* Removed usages of utils from future/past libraries since they are
deprecated. This includes 'from __future__ ...' and 'from past...'
statements.
* Removed compatibility imports for PY2, switched from six imports to
standard library imports.
* Removed utils code blocks that handle operations depending on PY2/3
versions.
* Removed 'from __future__ ...' lines from templates/code generators
* Used PY3 syntaxes in place of PY2 compatible blocks, e.g. metaclass
Existing login attempt tracker is a set of functions that are not easy
to understand. Created a tracker class that handles all tracker logic and provides
useful methods to access.
Test cases added for the same.
Reference: https://web.dev/samesite-cookies-explained/
Scenario:
A user is logged in on a frappe instance. (with, say, sid=abcd)
In an OAuth like flow, a third party site, say, GitHub redirects the user to the frappe instance.
Now because SameSite=Strict is set, the browser can't send the cookies it has (sid=abcd) to the frappe server.
Once the frappe server receives this request without cookies, it assumes that this is an unauthenticated user, and sets cookies in response as sid=Guest.
Reference: f3e14b4ac7/frappe/sessions.py (L178)
Once the browser receives these values in response (sid=Guest) it overwrites the existing cookie values (sid=abcd) and sets sid=Guest.
This effectively causes the user session to be terminated.
* add HTTPOnly to sid, so sid will no longer be accessible through
javascript.
* mark all cookies Secure by default over HTTPS.
* set SameSite to Strict for all cookies by default, preventing
cross-origin cookie access.
* remove redundant publish_realtime for setting csrf_token on the
client-side.
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
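The scenario in the message above, modelled as an added Python example (not Frappe's code; the browser cookie jar, the server handler and the session id `abcd` are simplified constructs): with SameSite=Strict the browser withholds sid on the cross-site redirect, so the server's sid=Guest reply overwrites the real session, whereas SameSite=Lax still sends the cookie on a top-level GET.

```python
from http.cookies import SimpleCookie


class BrowserCookieJar:
    """Toy model of a browser cookie store and its SameSite send rules."""

    def __init__(self):
        self.cookies = {}  # name -> (value, SameSite attribute)

    def store(self, set_cookie_header: str) -> None:
        # A later Set-Cookie for the same name overwrites the stored value.
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.cookies[name] = (morsel.value, morsel["samesite"] or "Lax")

    def cookies_for_request(self, cross_site: bool, top_level_get: bool = True) -> dict:
        sent = {}
        for name, (value, samesite) in self.cookies.items():
            mode = samesite.lower()
            # Strict cookies never travel cross-site; Lax ones do on top-level GETs.
            if (not cross_site) or mode == "none" or (mode == "lax" and top_level_get):
                sent[name] = value
        return sent


def frappe_like_server(request_cookies: dict, samesite: str):
    """Simplified model (an assumption, not sessions.py itself) of the behaviour
    described above: a request with no sid is treated as Guest and gets sid=Guest."""
    sid = request_cookies.get("sid", "Guest")
    if sid == "Guest":
        return "Guest", f"sid=Guest; HttpOnly; Secure; SameSite={samesite}"
    return sid, None


def simulate(samesite: str):
    """Return (user the server sees on the redirect, sid left in the browser)."""
    jar = BrowserCookieJar()
    # Step 1: the user logs in on the frappe instance (constructed session id).
    jar.store(f"sid=abcd; HttpOnly; Secure; SameSite={samesite}")
    # Step 2: a third-party site (e.g. GitHub) redirects back: cross-site top-level GET.
    user, set_cookie = frappe_like_server(jar.cookies_for_request(cross_site=True), samesite)
    # Step 3: the browser applies whatever Set-Cookie the server returned.
    if set_cookie:
        jar.store(set_cookie)
    return user, jar.cookies["sid"][0]


if __name__ == "__main__":
    print("Strict:", simulate("Strict"))  # ('Guest', 'Guest'): session wiped
    print("Lax:   ", simulate("Lax"))     # ('abcd', 'abcd'): session survives
```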