1. 04 Apr, 2016 6 commits
    • Implement "auth.logout" Conduit API method · e55522ca
      epriestley authored
      Summary:
      Ref T7303. Ref T7673. This implements an "auth.logout" which:
      
        - terminates all web sessions;
        - terminates the current OAuth token if called via OAuth; and
        - may always be called via OAuth.
      
      (Since it consumes an OAuth token, even a "malicious" OAuth application can't really be that much of a jerk with this: it can't continuously log you out, since calling the method once kills the token. The application would need to ask your permission again to get a fresh token.)
      
      The primary goal here is to let Phacility instances call this against the Phacility upstream, so that when you log out of an instance it also logs you out of your Phacility account (possibly with a checkbox or something).
      
      This also smooths over the session token code. Before this change, your sessions would get logged out but when you reloaded we'd tell you your session was invalid.
      
      Instead, try to clear the invalid session before telling the user there's an issue. I think that essentially 100% of invalid sessions are a result of something in this vein (e.g., forced logout via Settings) nowadays, since the session code is generally stable and sane and has been for a long time.
      
      Test Plan:
        - Called `auth.logout` via console, got a reasonable logout experience.
        - Called `auth.logout` via OAuth.
          - Tried to make another call, verified OAuth token had been invalidated.
          - Verified web session had been invalidated.
      
      Reviewers: chad
      
      Reviewed By: chad
      
      Maniphest Tasks: T7303, T7673
      
      Differential Revision: https://secure.phabricator.com/D15594
    • Begin cleaning up OAuth scope handling · 60133b6f
      epriestley authored
      Summary:
      Ref T7303. OAuth scope handling never got fully modernized and is a bit of a mess.
      
      Also introduce implicit "ALWAYS" and "NEVER" scopes.
      
      Always give tokens access to meta-methods like `conduit.getcapabilities` and `conduit.query`. These do not expose user information.
      
      Test Plan:
        - Used a token to call `user.whoami`.
        - Used a token to call `conduit.query`.
        - Used a token to try to call `user.query`, got rebuffed.
      
      Reviewers: chad
      
      Reviewed By: chad
      
      Maniphest Tasks: T7303
      
      Differential Revision: https://secure.phabricator.com/D15593
    • Modernize some OAuth Server code · 694a8543
      epriestley authored
      Summary:
      Ref T7303. This inches toward properly-behaved cluster logout.
      
        - Use IDs instead of PHIDs in URIs.
        - Slightly more modern code.
        - Fix some crumb stuff.
      
      Test Plan: Created, edited, viewed, deleted, showed secret for, authorized, test-auth'd an application.
      
      Reviewers: chad
      
      Reviewed By: chad
      
      Maniphest Tasks: T7303
      
      Differential Revision: https://secure.phabricator.com/D15592
    • Update XHProf for newPage · f54a2007
      Chad Little authored
      Summary: Simple Conversion
      
      Test Plan: Pull up /xhprof/
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      Subscribers: Korvin
      
      Differential Revision: https://secure.phabricator.com/D15603
    • Update Phlux to new UI · 12dca281
      Chad Little authored
      Summary: Updates view, list, edit pages on Phlux.
      
      Test Plan: Create a variable, see variable, edit variable, view lists.
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      Subscribers: Korvin
      
      Differential Revision: https://secure.phabricator.com/D15602
    • Modernize People UI · f90cd8a1
      Chad Little authored
      Summary: Updates various /people/ pages for new UI and newPage
      
      Test Plan: Review creating people, new people, sending invites, editing a profile, setting a new picture, something with LDAP
      
      Reviewers: epriestley
      
      Reviewed By: epriestley
      
      Subscribers: Korvin
      
      Differential Revision: https://secure.phabricator.com/D15604
  2. 03 Apr, 2016 16 commits
  3. 02 Apr, 2016 11 commits
  4. 01 Apr, 2016 7 commits