Commit graph

114 commits

Author SHA1 Message Date
Abhishek Balam
9028964494 fix: whitelist login method to fetch session remotely 2021-04-27 14:54:35 +05:30
leela
8fcb97ae31 test: OTP attempt tracker tests 2021-03-31 13:38:46 +05:30
leela
1f6f02fd5a fix: Track 2FA OTP attempts using login tracker 2021-03-31 12:49:31 +05:30
leela
2227b910d3 fix: Make authentication check mandatory even in case of 2FA 2021-03-30 20:58:52 +05:30
leela
6e5e0890f3 refactor: Cleaned authentication logic
Auth flow is changed to use login attempt tracker.
2021-02-22 21:11:18 +05:30
leela
49317ce045 refactor: Track login attempts of a user
Existing login attempt tracker is a set of functions that are not easy
to understand. Created a tracker class that handles all tracker logic and provides
useful methods to access.

Testcases added for the same.
2021-02-22 21:08:33 +05:30
Rushabh Mehta
37c633eaf6 fix(auth): revert home page for users 2020-11-11 17:07:46 +05:30
Rushabh Mehta
75fe8a615a feat(app): move /desk to /app 2020-11-11 16:31:47 +05:30
Suraj Shetty
f608fc9516 feat: Enable desk for Website User 2020-11-11 08:50:54 +05:30
Rushabh Mehta
77018fc9d6 fix(cleanup): cleanup layout of doctype, user, role, add home_page to Portal Settings, Role 2020-08-17 09:41:54 +05:30
Shivam Mishra
2ba30a91ce feat: set samesite none for mobile 2020-08-13 12:12:08 +05:30
Suraj Shetty
4a33101631 fix: Check if frappe.local has "request" to avoid attribute error 2020-08-08 19:47:39 +05:30
Aditya Hase
654950fef3 fix: Use SameSite=Lax instead of SameSite=Strict
Reference: https://web.dev/samesite-cookies-explained/

Scenario:
A user is logged in on a frappe instance. (with, say, sid=abcd)

In an OAuth like flow, a third party site, say, GitHub redirects the user to the frappe instance.

Now because SameSite=Strict is set, the browser can't send the cookies it has (sid=abcd) to the frappe server.

Once the frappe server receives this request without cookies, it assumes that this is an unauthenticated user, and sets cookies in response as sid=Guest.
Reference: f3e14b4ac7/frappe/sessions.py (L178)

Once the browser receives these values in response (sid=Guest) it overwrites the existing cookie values (sid=abcd) and sets sid=Guest.

This effectively causes the user session to be terminated.
2020-07-17 13:14:44 +05:30
Chinmay D. Pai
a72f808897 fix: make cookies more secure
* add HTTPOnly to sid, so sid will no longer be accessible through
  javascript.
* mark all cookies Secure by default over HTTPS.
* set SameSite to Strict for all cookies by default, preventing
  cross-origin cookie access.
* remove redundant publish_realtime for setting csrf_token on the
  client-side.

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
2020-06-18 18:09:27 +05:30
RJPvT
be14e59d4a fix: no need for password check 2020-04-19 15:58:29 +02:00
Shivam Mishra
c9c4cbd6d1 perf: Speed improvements for moduleview get (#9079)
* feat: api to setup boot cache on login

* feat (perf): use cache data instead of query

* feat: added doc hooks for rebuilding cache

* feat: improved can import query

* fix: ignore cache rebuild for import or install

* fix: fix postgres syntax error

Co-authored-by: Suraj Shetty <13928957+surajshetty3416@users.noreply.github.com>
2019-12-24 13:12:57 +05:30
Sahil Khan
12ffba815a fix(auth): do not force standard users to reset password 2019-11-06 16:39:33 +05:30
Himanshu Warekar
0cf2489032 Merge ip-rest into ip-rest 2019-09-25 23:59:48 +05:30
Himanshu Warekar
552b1e6a63 fix: bypass authentication 2019-09-25 23:58:44 +05:30
Aditya Hase
46eac3071f Update auth.py 2019-09-23 13:05:19 +05:30
Aditya Hase
756d1faabb Update auth.py 2019-09-23 13:05:01 +05:30
Himanshu Warekar
2da2026a9e test: use get_doc when in_test 2019-09-20 11:59:38 +05:30
Himanshu Warekar
b684ade868 fix: restore debugging code 2019-09-20 11:20:53 +05:30
Himanshu Warekar
200767e0a3 fix: get_doc while in test 2019-09-19 19:55:39 +05:30
Himanshu Warekar
4da29d099b perf: reduce validate ip addr execution time 2019-09-19 19:10:28 +05:30
Himanshu Warekar
6c9f56a226 fix: get value from doc 2019-09-19 14:03:22 +05:30
Himanshu Warekar
4a70dc99fa fix: check ip restriction before resume 2019-09-19 11:08:07 +05:30
Rohit Waghchaure
408b46acb4 Updated expired message 2019-05-11 16:31:10 +05:30
Rohit Waghchaure
cf932a834a feat: force user to reset password after x days 2019-05-11 15:25:32 +05:30
Himanshu Mishra
28b9094353 fix: check CSRF Token for PUT and DELETE methods as well (#6092) 2018-09-24 12:49:14 +05:30
Rushabh Mehta
2e6a202652 Postgres support for Frappe (#5919)
* [start] postgres

* [wip] started refactoring db_schema

* Add psycopg2 to requirements.txt

* Add support for Postgres SQL

- Separate frameworkSQL, database, schema, setup_db file for
mariaDB and postgres
- WIP

* Remove quotes from sql to make it compatible with postgres as well

* Moved some code from db_schema to database.py

* Move code from db_schema to schema.py

Add other required refactoring

* Add schema changes

* Remove redundant code in file

* Add invalid column name exception class to exceptions.py

* Add back tick in query wherever needed and replace ifnull with coalesce

* Update get_column_description code in database.py file

* Remove a print statement

* Add keys to get on_duplicate query

* Add backtick wherever necessary

- Remove db_schema.py file

* Remove DATE_SUB as it is incompatible with postgres

- Fix prepare_filter_condition

* Add backtick and quotes wherever necessary
- Move get_database_size to frappe.db namespace
- fix some left out bugs and errors

* Add code to create key and unique index
- added mysql and postgres in their respective database.py

* Add more backticks in queries and fix some errors
- Pass keys to on_duplicate_update method
- Replace MONTH with EXTRACT function
- Remove DATEDIFF and CURDATE usage

* Cast state value to int in toggle_two_factor_auth
- since two_factor_auth has the datatype of Int

* Refactor
- Replace Timediff with normal arithmetic operator
- Add MAX_COLUMN_LENGTH
- Remove Redundant code
- Add regexp character constant
- Move create_help_table to database.py
- Add get_full_text_search_condition method
- Inherit MariaDBTable from DBTable

* Replace Database instance with get_db method

* Move db_manager to separate file

* Refactor
- Remove some unwanted code
- Separate alter table code for postgres and mysql
- Replace data_type with column_type in database.py

* Make fulltext search changes in global_search.py

* Add empty string check

* Add root_password to site config

* Create cli command for postgres console

* Move setup of help database to setup_db.py

* Add get_database_list method

* Fix exception handling
- Replace bad_field handler with missing_column handler

* Fix tests and sql queries

* Fix import error

* Fix typo db -> database

* Fix error with make_table in help.py

* Try test for postgres

* Remove python 2.7 version to try postgres travis test

* Add test fixes

* Add db_type to the config of test_site_postgres

* Enable query debug to check the reason for travis fail

* Add backticks to check if the test passes

* Update travis.yml
- Add postgres addon

* Try appending 'd_' to hash for db_name
- since postgres does not support dbname starting with a number

* Try adding db_type for global help to make travis work

* Add print statements to debug travis failure

* Enable transaction and remove debug flag

* Fix help table creation query (postgres)

* Fix import issue

* Add some checks to prevent errors
- Some doctypes used to get called even before they are created

* Try fixes

* Update travis config

* Fix create index for help table

* Remove unused code

* Fix queries and update travis config

* Fix ifnull replace logic (regex)

* Add query fixes and code cleanup

* Fix typo
- get_column_description -> get_table_columns_description

* Fix tests
- Replace double quotes in query with single quote

* Replace psycopg2 with psycopg2-binary to avoid warnings
- http://initd.org/psycopg/docs/install.html#binary-install-from-pypi

* Add multisql api

* Add few multisql queries

* Remove print statements

* Remove get_fulltext_search_condition method and replace with multi query

* Remove text slicing in create user

* Set default for 'values' argument in multisql

* Fix incorrect queries and remove few debug flags
- Fix multisql bug

* Force delete user to fix test
- Fix Import error
- Fix incorrect query

* Fix query builder bug

* Fix bad query

* Fix query (minor)

* Convert boolean text to int since is_private has datatype of int
- Some query changes like removed double quotes
and replace with interpolated string to pass multiple
value pass in one of the query

* Extend database class from an object to support python 2

* Fix query
- Add quotes around value passed to the query for variable comparison

* Try setting host_name for each test site
- To avoid "RemoteDisconnected" error while testing data migration test
- Update travis.yml to add hosts
- Remove unwanted commit in setup_help_database

* Set site hostname to data migration connector (in test file)
- To connect the same site host

* Fix duplicate entry issue
- the problem is in naming series file.
In previous commits I unknowingly changed a part of a series query
due to which series were not getting reset

* Replace few sql queries with orm methods

* Fix codacy

* Fix 'Doctype Sessions not found' issue

* Fix bugs induced during codacy fixes

* Fix Notification Test

- Use ORM instead of raw sql

* Set Date fallback value to 0001-01-01

- 0000-00-00 is invalid date in Postgres
- 0001-01-01 works in both

* Fix date filter method

* Replace double quotes with single quote for literal value

* Remove print statement

* Replace double quotes with single

* Fix tests

- Replace few raw sql with ORM

* Separate query for postgres

- update_fields_to_fetch_query

* Fix tests

- replace locate with strpos for postgres

* Fix tests

- Skip test for datediff
- convert bytes to str in escape method

* Remove TestBot

* Skip fieldname extraction

* Replace docshare raw sql with ORM

* Fix typo

* Fix ancestor query test

* Fix test data migration

* Remove hardcoded hostname

* Add default option and option list for db_type

* Remove frappe.async module

* Remove a debug flag from test

* Fix codacy

* fix import issue

* Convert classmethod to static method

* Convert few instance methods to static methods

* Remove some unused imports

* Fix codacy

- Add exception type
- Replace few instance methods with static methods
- Remove unused import

* Fix codacy

* Remove unused code

* Remove some unused codes

- Convert some instance methods to static function

* Fix an issue with query modification

* Fix add_index query

* Fix query

* Fix update_auth patch

* Fix an issue with exception handling

* Add try catch to a reload_doc

* Add try-catch to file_manager_hook patch

* import update_gravatar to set_user_gravatar patch

* Undo all the wrong patch fixes

* Fix db_setup code 😪
- previously it was not restoring db from source SQL
which is why a few old patches were breaking
(because they were getting a different schema structure)

* Fix typo !

* Fix exception(is_missing_column) handling

* Add deleted code
- This code is only used in a erpnext patch.
Can be moved to that patch file

* Fix codacy

* Replace a mariadb specific function in a query used in validate_series

* Remove a debug flag

* Revert changes (rename_parent_and_child)

* Fix validate_one_root method

* Fix date format issue

* Fix codacy
- Disable a pylint for variable argument warning
- Convert an instance method to static method

* Add bandit.yml

Codacy seems to use Bandit, which generates a
warning for every subprocess import and its usage during pytest.
Since we have carefully used subprocess (avoided user input),
the warnings need to be avoided.
This can be removed if we have any alternative for subprocess usage.

* Skip start_process_with_partial_path check

* Fix typo

* Add python 2.7 test

* Move python versions in travis.yml

* Add python versions to jobs

* Overwrite python version inheritance for postgres in travis.yml

* Add quotes around python version in .travis.yml

* Add quotes around the name of the job

* Try a travis fix

* Try .travis.yml fix

* Import missing subprocess

* Refactor travis.yml

* Refactor travis.yml
- move install and tests commands to separate files
- Use matrix to build combination of python version and db type

* Make install.sh and run-tests.sh executable

* Add sudo required to travis.yml to allow sudo commands in shell files

* Load nvm

* Remove verbose flag from scripts

* Remove command-trace-print flag

* Change to build dir in before script

* Add absolute path for scripts

* Fix tests

* Fix typo

* Fix codacy
- fixes - "echo won't expand escape sequences." warning

* Append (_) underscore instead of 'd' for db_name

* Remove printf and use mysql execute flag
2018-09-21 10:20:48 +05:30
Rushabh Mehta
9439b21cce [enhance] optional home page for website user 2018-07-31 11:40:50 +05:30
Nabin Hait
5b6786f372 Merge branch 'master' into develop 2018-07-19 11:14:21 +05:30
Rohit Waghchaure
53154c3971 [Fix] Not able to login 2018-07-19 09:44:24 +05:30
Saurabh
176f3b6a15 Resolved merge conflicts 2018-07-18 16:20:06 +05:30
rohitwaghchaure
6f84e922f8 [Fix] Brute force security (#5785)
* [Fix] Brute force security

* Added patch and change the error message

* Added test case
2018-07-11 11:14:05 +05:30
schilgod
bcaabe5163 Enhancement to allow User to login from any IP if two factor auth is enabled (#5209)
* Enhancement to allow login from any IP if two factor auth is enabled

* Resolve Conflicts

* optimize code
2018-05-25 10:50:24 +05:30
Shridhar Patil
abaa7d4e18 If user has active session, redirect to desk (#4661)
* Redirect to desk if user has active session

* Removed unused imports

* if website user redirect to /me

* Update login.py
2018-02-13 11:19:43 +05:30
Shreya Shah
acdbb97ba5 Moved feed from Communication to Activity Log (#4435)
* Removed comment_type 'updated'

* New doctype activity log

* Moved feed.py to activity_log

* Updated feed gets stored in activity_log

* Activity page fetches feed from activity_log

* feed match condition change

* modified

* modified hooks.py

* modified sessions.py

* patch added

* naming in patch

* moved login, logout feed to activity_log

* changes in auth.py, hooks.py

* deleted doctype authentication_log and added test cases

* added utils.py in core

* moved some methods from communication.py to utils.py
2017-11-21 15:46:51 +05:30
shridhar
c436f965d3 Login with username
https://github.com/frappe/frappe/issues/4106
2017-09-13 14:18:31 +05:30
Aditya Hase
2403a800c0 Use absolute import for frappe.twofactor (#3915) 2017-08-11 12:56:59 +05:30
Rushabh Mehta
bc4d46a362 [fix] style and move setup to system settings 2017-08-08 14:29:22 +05:30
Rushabh Mehta
4e42ed65e1 Merge branch 'twofactor' of https://github.com/manqala/frappe into manqala-twofactor 2017-08-08 11:58:22 +05:30
Aditya Hase
9d7d384a63 Replaced urllib.quote imports with six.moves.urllib.parse.quote (#3837) 2017-08-02 17:09:16 +05:30
B H Boma
68251a6112 [WIP][Refactor] Redo twofactor code 2017-07-27 01:12:22 +01:00
B H Boma
a8b526bfd1 [WIP][Refactor] Redo twofactor code 2017-07-26 17:34:36 +01:00
ckosiegbu
97c6d74789 Updates to System Settings and login.js to allow for specification of the name of the token issuer. 2017-07-23 02:16:12 +01:00
ckosiegbu
9b4f10c204 Fixed issue with SMS sending 2017-07-23 00:27:01 +01:00
ckosiegbu
3329618a14 Merge branch 'develop' into twofactor 2017-07-22 19:05:18 +01:00
crossxcell99
6f4e39fd46 fix Email otp method queue email sending 2017-07-21 17:50:31 +01:00