Commit Graph

238 Commits

Author SHA1 Message Date
Awais Jibran
6b1506c3ff Sends Post-password-change acknowledgement email
PROD-421
2020-10-05 17:01:19 +05:00
Syed Muhammad Dawoud Sheraz Ali
6f254aaf84 Merge pull request #205 from edx/dsheraz/PROD-217
fix password reset token leakage in referrer
2020-10-02 22:17:37 +05:00
Waheed Ahmed
af958ada75 Add new endpoint to validate password reset token.
Added a new endpoint to validate password reset token for
logistration MFE.

VAN-61
2020-09-30 16:12:33 +05:00
uzairr
b1d321374f Refactor third party auth msg generation 2020-09-29 06:52:02 +05:00
Tim McCormack
f29e418264 Revert "Revert "ARCHBOM-1494: Refer to custom attributes, not metrics, especially with edx-django-utils (#25010)" (#25025)" (#25055)
This reverts commit 986a448d9e.
2020-09-28 13:53:57 +00:00
DawoudSheraz
6181edfa4c fix password reset token leakage in referrer 2020-09-28 10:20:17 +05:00
Robert Raposa
9c6ee54258 remove flaky test_login_ratelimited 2020-09-25 11:24:47 -04:00
Feanil Patel
ddcf31c5ad Merge pull request #25009 from edx/feanil/fix_flaky_test
Fix a flaky test by freezing time in the right spot.
2020-09-21 12:15:28 -04:00
Ahtisham Shahid
986a448d9e Revert "ARCHBOM-1494: Refer to custom attributes, not metrics, especially with edx-django-utils (#25010)" (#25025)
This reverts commit ba9ee4e151.

Fixed Style lint issue
2020-09-21 13:48:00 +05:00
Tim McCormack
ba9ee4e151 ARCHBOM-1494: Refer to custom attributes, not metrics, especially with edx-django-utils (#25010)
This uses the new names introduced in edx-django-utils
3.8.0 (edx/edx-django-utils#59), which we're already using, as
well as updating a few other locations where we incorrectly refer
to New Relic custom metrics instead of custom attributes.

Includes a couple of unrelated lint fixes in a file I modified.
2020-09-18 13:33:50 +00:00
Feanil Patel
5e56621aeb Fix a flaky test by freezing time in the right spot.
The test was only freezing time for the first two calls to password reset
which meant that sometimes the last call to reset password was far enough
in the future to not be affected by the rate limiting.

We move the freeze_time context manager to outside of all the password
reset calls to make things more reliable.
2020-09-17 13:43:30 -04:00
Régis Behmo
a4ba4ae45e Clarify many feature toggle annotations across all applications 2020-09-16 15:20:43 +02:00
Régis Behmo
7d93715880 Rename toggle_expiration_date to toggle_target_removal_date
This is part of the changes brought by code-annotations==0.7.0
2020-09-16 15:19:16 +02:00
Régis Behmo
98a13d6a7e Remove deprecated toggle_status annotation
This annotation is deprecated since code-annotations==0.7.0
2020-09-16 15:19:15 +02:00
Régis Behmo
d1f9e769d0 Simplify the toggle_use_case annotation
Since code-annotations==0.7.0, incremental_release, launch_date,
monitored_rollout, graceful_degradation, beta_testing are all considered
as "temporary" use cases.
2020-09-16 15:16:13 +02:00
Régis Behmo
ab0e21455a Get rid of the toggle_category annotation, now deprecated
Since code-annotations==0.7.0, this annotation is not used anymore.
2020-09-16 15:16:13 +02:00
Régis Behmo
0c3bc12582 Fix deprecated toggle annoation format 2020-09-16 15:16:13 +02:00
Régis Behmo
7dc460d50a Wrap toggle annotation lines with multiline comments
This takes advantage of the new multiline annotation format with
single-line comment prefix, from code-annotations.
2020-09-16 15:16:12 +02:00
Régis Behmo
c8892d321b Document openedx/core/djangoapps/user_authn feature toggles 2020-09-16 15:14:56 +02:00
Régis Behmo
307457a255 Simplify hack to obtain waffle module names
Instead of going up the stacktrace to find the module names of waffle
flags and switches, we manually pass the module __name__ whenever the
flag is created. This is similar to `logging.getLogger(__name__)`
standard behaviour.

As the waffle classes are used outside of edx-platform, we make the new
module_name argument an optional keyword argument. This will change once
we pull waffle_utils outside of edx-platform.

Note that the module name is normally only required to view the list of
existing waffle flags and switches. The module name should not be
necessary to verify if a flag is enabled. Thus, maybe it would make
sense to create a `add` class methor similar to:

    class WaffleFlag:
        @classmethod
        def add(cls, namespace, flag, module):
            instance = cls(namespace, flag)
            cls._class_instances.add((instance, module))
2020-09-14 09:30:24 +02:00
uzairr
c68155f76f Modify the api response
Update the api response so that it cannot contain the response
in the form of HTML which may prove vulnerable for MFE in future.

VAN-14
2020-09-10 12:39:09 +05:00
Zainab Amir
8f83d10528 Add Mechanism to enable logistration MFE (#24908)
Add a toggle that in conjuction with REDIRECT_TO_ACCOUNT_MICROFRONTEND
enables or disables logistration MFE.

VAN-3
2020-09-08 17:46:50 +05:00
Pierre Mailhot
36db87e734 fixing language issue for original activation email on sites using more than one language
https://openedx.atlassian.net/browse/CRI-217
https://discuss.openedx.org/t/activation-email-in-multiple-languages/2808
2020-08-27 03:37:05 -04:00
uzairr
7bc17c7dd9 Ratelimit the registration endpoint
PROD-880
2020-08-20 18:38:26 +05:00
Manjinder Singh
c76ed6ae45 Extracting plugin app from edx-platform (#24678)
* Moving plugins infrastructure to edx-django-utils
This PR extracts the code that enables plugins in edx-platform and puts it in edx-django-utils. This is done to allow other IDAS to add plugin functionality.
2020-08-12 07:48:53 -04:00
Jeff Chaves
e1bd970b46 ENT-2894: Use new welcome template when redirected from enterprise proxy login view (#24587)
* using new welcome template when redirected from enterprise proxy login view

* enabling safe redirects to enterprise learner portal from login in devstack

* ading admin portal to login redirect whitelist

* running make upgrade to version bump edx-enterprise
2020-07-24 17:40:42 -04:00
Talia
6d365ca1da fixes for front end saml work and to align with data requirements. 2020-07-24 14:45:34 -04:00
Robert Raposa
77e490f057 ARCHBOM-1305: remove deprecated flag_undefined_default (#24426)
This is the final step in removing the deprecated
flag_undefined_default as explained by the following ADR:
https://github.com/edx/edx-platform/blob/master/openedx/core/djangoapps/waffle_utils/docs/decisions/0001-refactor-waffle-flag-default.rst

Notes:

* All uses of flag_undefined_default=False were always
  supposed to have been no-ops.
* All uses of flag_undefined_default=True that are removed
  in this PR have been replaced by migrations in past PRs.
* The temporary metric temp_flag_default_used id no longer
  reporting any data.

ARCHBOM-1305
2020-07-09 09:31:31 -04:00
Feanil Patel
f2ac18049b Validate before accessing email parts.
For somereason earlier validation is not ensuring that we have a valid e-email.
In this case, break out of the flow since we don't have a domain that's in our
list and log the user's id so that we can learn more about when this happens.

By a reading of the code flow, it doesn't seem like it should be possible except
with a handful of users that have invalid e-mail addresses in the database but it
seems to be happening pretty regularly.
2020-07-08 13:35:55 -04:00
Waheed Ahmed
4f80fd6540 Improve password reset rate limit.
Used django-ratelimit instead of django-ratelimit-backend
to configure two different rate limit configurations for same
endpoint.

PROD-1708
2020-07-08 16:19:07 +05:00
Waheed Ahmed
a6a69224d1 Ratelimit login_user endpoint.
Ratelimited `login_user` endpoint using `django-ratelimit`, also
decreased default value of logistration rate limit to 100 requests
per five minutes per IP.

PROD-1877
2020-07-08 15:36:11 +05:00
Ahtisham Shahid
5707bbdc90 updated confirm_email field type (#24205)
* updated confirm_email field type and removed confirm email form v1
2020-06-22 17:10:41 +05:00
Ahtisham Shahid
340e00988f Removed confirm email after SSO 2020-06-16 14:06:52 +05:00
adeel khan
76419f9d01 Merge pull request #23913 from edx/adeel/prod_1505_improve_security_lockouts_logic
Improving user locked out logic.
2020-06-10 14:21:16 +05:00
Waheed Ahmed
6b268c37b4 Rate limit logistration endpoints.
PROD-1506
2020-06-10 13:33:26 +05:00
Adeel Khan
2383fb3fa6 Improving user locked out logic.
This patch improves on the user locked
out logic by providing a helping message
near locked out. This would help reduce
retries by giving user the option to use
password reset flow to fix the issue.

PROD-1505
2020-06-09 09:36:42 +05:00
Ahtisham Shahid
b69163fae7 Merge pull request #24079 from edx/ahtisham/PROD-1412-2
Added v2 for confirm email backward compatibility
2020-06-03 17:13:49 +05:00
Ahtisham Shahid
af033d25cc Added v2 for confrim email backward compatiblity
updated tests

fixed style issue

Fixed tests for v2 api
2020-06-02 13:01:58 +05:00
hasnain.naveed
c51dc9db20 ENT-2818 | Added enterprise slug login's url on edx login page. 2020-05-28 19:58:46 +05:00
Feanil Patel
c06f7b2fd7 Revert "Rate limit logistration endpoints."
This reverts commit 74bc970edc.
2020-05-21 11:41:09 -04:00
Feanil Patel
72ea1b7d4f Revert "Increase requests limit for logistration rate limit."
This reverts commit a1c018823d.
2020-05-21 11:40:47 -04:00
Waheed Ahmed
a1c018823d Increase requests limit for logistration rate limit. 2020-05-21 17:05:19 +05:00
Waheed Ahmed
74bc970edc Rate limit logistration endpoints.
PROD-1506
2020-05-21 13:45:48 +05:00
Ned Batchelder
cca33732ba Correct markup mistakes in api docs 2020-05-12 13:36:14 -04:00
mariajgrimaldi
8063adf5eb changed cookie_date for http_date (#23929)
I wanted to make a byte-sized contribution but there were no Jira tickets so we decided, thanks to a conversation with @jmbowman through the Open Edx Community #incr (Slack) channel, to collaborate in the elimination of warnings listed in the Warnings Report at https://build.testeng.edx.org/job/edx-platform-python-pipeline-master/warning_5freport_5fall_2ehtml/

This PR contributes to the elimination of RemovedInDjango30Warnings, specifically the one mentioned above and reported in the Warnings Report

Changed cookie_date to http_date in the following file:

    openedx/core/djangoapps/user_authn/cookies.py

This warning occurs due to deprecation since Django 2.1: https://docs.djangoproject.com/en/2.2/ref/utils/#django.utils.http.cookie_date
2020-05-08 15:55:23 -04:00
Ali Akbar
0955865fa9 Merge pull request #23885 from edx/aakbar/PROD-1478
Unauthenticated Contact Us improvements
2020-05-08 19:49:06 +05:00
Ali-D-Akbar
94907cc4a9 Unauthenticated Contact Us improvements
fix password reset page, add another test and remove typo

improve js test

add quality changes

add quality changes
2020-05-08 14:14:35 +05:00
Waheed Ahmed
c603111895 added another test case. 2020-05-07 15:14:31 +05:00
Waheed Ahmed
05d18effde Implement both IP and email based rate limiting. 2020-05-07 15:14:31 +05:00
Waheed Ahmed
f3db71171e Fix password reset rate limiting for existing users.
PROD-1427
2020-05-07 15:14:31 +05:00