Commit graph

19 commits

Author SHA1 Message Date
June Kelly
3288f87dbe [web] Password set/reset: reject current password (redux) (#8956)
* [web] set-password: reject same as current password

* [web] Add 'peek' operation on tokens

This allows us to improve the UX of the reset-password form,
by not invalidating the token in the case where the new
password will be rejected by validation logic.

We give up to three attempts before invalidating the token.

* [web] Add hide-on-error feature to async forms

This allows us to hide the form elements when certain
named error conditions occur.

* [web] reset-password: handle same-password rejection

We also change the implementation to use the new
peekValueFromToken API, and to expire the token explicitly
after it has been used to set the new password.

* [web] Validate OneTimeToken when loading password reset form

* [web] Rate limit GET: /user/password/set

Now that we are peeking at OneTimeToken when accessing this page,
we add rate limiting to the GET request, matching that of the POST request.

* [web] Tidy up pug layout and mongo query for token peeking

Co-authored-by: Mathias Jakobsen <mathias.jakobsen@overleaf.com>
GitOrigin-RevId: 835205cc7c7ebe1209ee8e5b693efeb939a3056a
2022-09-28 08:06:54 +00:00
Henry Oswald
5f1abee345 Merge pull request #8939 from overleaf/revert-8882-jk-web-reject-same-password
Revert "[web] Password set/reset: reject current password"

GitOrigin-RevId: f14f970fe93064658a8659537c5cb417e34e2751
2022-07-20 08:04:00 +00:00
June Kelly
d04ea76081 Merge pull request #8882 from overleaf/jk-web-reject-same-password
[web] Password set/reset: reject current password

GitOrigin-RevId: 2c40dda4926d9c68564ae5126b3393b9286bb661
2022-07-20 08:03:36 +00:00
June Kelly
000f849381 Merge pull request #6143 from overleaf/jk-register-password-validation
[web] Password length validation on register

GitOrigin-RevId: 8d97d92f3176f25c5af29479ba85789eac28540a
2022-01-13 09:03:16 +00:00
Hugh O'Brien
3b95ac6d88 Merge pull request #5688 from overleaf/jpa-invalid-password-message
[web] password reset: validate user password ahead of invalidating token

GitOrigin-RevId: ba3e6549f53675a2216e2fc24293276c1968d416
2021-11-10 09:02:38 +00:00
June Kelly
5141f7b452 Merge pull request #5199 from overleaf/jk-de-ng-form-messages-role
[web] Improve a11y of form-messages

GitOrigin-RevId: 36360bc188f9a582e891d50328a6f27b414dce2a
2021-09-27 08:03:10 +00:00
Jakob Ackermann
891947770c Merge pull request #5124 from overleaf/jk-de-ng-set-password-page
[web] de-ng set password form

GitOrigin-RevId: d8ebf9f794454d5772e13ab783892d2bba6eed87
2021-09-24 08:03:23 +00:00
Jessica Lawshe
bb882c697c Merge pull request #4288 from overleaf/jel-skip-to-content
Add "Skip to content" to improve accessibility

GitOrigin-RevId: 43368a65057656bdea10b6be3c598d68bd8e2d40
2021-07-28 02:06:54 +00:00
Jakob Ackermann
9d00c351a8 Merge pull request #4327 from overleaf/jpa-pw-reset-captcha
[misc] add captcha on password reset requests

GitOrigin-RevId: 9a23b9c9dee2c56345e9c1846861c05c25126802
2021-07-28 02:06:02 +00:00
Alf Eaton
8227e68aca Improve form "for" and "autocomplete" attributes (#3822)
GitOrigin-RevId: 2ce35d57526fc36b5a974d0f940ef6ba08806864
2021-04-01 02:05:32 +00:00
Miguel Serrano
d65db1acf0 Merge pull request #3824 from overleaf/jpa-password-reset-email-forwarding
[misc] fix passing around of user's email as part of password reset

GitOrigin-RevId: 54e8cde9867a2ce735bc7ebe281ead19ef49e6cd
2021-04-01 02:05:04 +00:00
Alf Eaton
a5637651b5 Add Content-Security-Policy header (#3783)
* Add Content-Security-Policy header
* Add nonce attribute to script tags
* Use source-map for webpack devtool
* Add ng-csp attribute when CSP is enabled
* Allow overriding CSP settings with environment variables
* Hook into render and allow routes to disable the CSP header

GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30
2021-03-26 03:04:55 +00:00
Jakob Ackermann
7609b741fa Merge pull request #3768 from overleaf/jpa-xss-10
[views] mitigate Angular XSS on password reset page

GitOrigin-RevId: 65f423fcb1a3afff0f396bb8e173d1e1bcff056a
2021-03-18 03:04:45 +00:00
Thomas
2d8167fa0a Merge pull request #3675 from overleaf/tm-main-landmarks-a11y
Add main landmark roles to multiple templates

GitOrigin-RevId: 80ae851fae015b21a3210d71d04287c0c9a3024d
2021-03-05 03:05:00 +00:00
Jessica Lawshe
552fb56b74 Merge pull request #3078 from overleaf/jel-log-password-reset-by-token
Update audit log when password reset by token

GitOrigin-RevId: 2ae7f59c5cdf2723e541a99c58c36564cc82adbf
2020-08-13 15:46:10 +00:00
Ersun Warncke
d624c29b6f remove v1 deps for password change/reset
GitOrigin-RevId: be25f19ae589c50bfde0b170860127fa8d6f63b7
2019-07-17 15:09:24 +00:00
Simon Detheridge
82672269c4 Merge pull request #1862 from overleaf/em-json-stringify
Globally apply StringHelper.stringifyJsonForScript()

GitOrigin-RevId: 82dc812a43a1e6f389471380a6a430c0a18dcec2
2019-06-17 15:14:25 +00:00
Jessica Lawshe
7666c8a481 Merge pull request #1236 from sharelatex/jel-password-reset
Reset password via API request to v1

GitOrigin-RevId: 00b0306ca77df650595a762382a8a63b05a945f6
2018-12-14 16:02:14 +00:00
Shane Kilkelly
57cd54bf55 WIP: migrate from jade to pug
2017-01-20 12:03:02 +00:00
Renamed from services/web/app/views/user/setPassword.jade