From 04f6b48ac1a76fe9c6c3fd573427d418bc152adf Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Sat, 31 Oct 2020 13:38:35 +0300 Subject: Auth subsystem refactoring and tweaks. Added proper OAuth skipping for SessionAuthenticationPlug. Integrated LegacyAuthenticationPlug into AuthenticationPlug. Adjusted tests & docs. --- docs/dev.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/dev.md') diff --git a/docs/dev.md b/docs/dev.md index 22e0691f1..ba2718673 100644 --- a/docs/dev.md +++ b/docs/dev.md 
@@ -14,9 +14,9 @@ This document contains notes and guidelines for Pleroma developers. For `:api` pipeline routes, it'll be verified whether `OAuthScopesPlug` was called or explicitly skipped, and if it was not then auth information will be dropped for request. Then `EnsurePublicOrAuthenticatedPlug` will be called to ensure that either the instance is not private or user is authenticated (unless explicitly skipped). Such automated checks help to prevent human errors and result in higher security / privacy for users. -## [HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) +## Non-OAuth authentication -* With HTTP Basic Auth, OAuth scopes check is _not_ performed for any action (since password is provided during the auth, requester is able to obtain a token with full permissions anyways). `Pleroma.Web.Plugs.AuthenticationPlug` and `Pleroma.Web.Plugs.LegacyAuthenticationPlug` both call `Pleroma.Web.Plugs.OAuthScopesPlug.skip_plug(conn)` when password is provided. +* With non-OAuth authentication ([HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) or HTTP header- or params-provided auth), OAuth scopes check is _not_ performed for any action (since password is provided during the auth, requester is able to obtain a token with full permissions anyways); auth plugs invoke `Pleroma.Helpers.AuthHelper.skip_oauth(conn)` in this case. ## Auth-related configuration, OAuth consumer mode etc. -- cgit v1.2.3 From 8da9f919f82ac45c4519910a7e24cac2b797061f Mon Sep 17 00:00:00 2001 From: Alexander Strizhakov Date: Wed, 11 Nov 2020 18:49:15 +0300 Subject: little changes for MRF config descriptions - log level reduction, if policy doesn't implement config_description method - docs in dev.md --- docs/dev.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'docs/dev.md') diff --git a/docs/dev.md b/docs/dev.md index 22e0691f1..aa89a941f 100644 --- a/docs/dev.md 
+++ b/docs/dev.md @@ -21,3 +21,26 @@ This document contains notes and guidelines for Pleroma developers. ## Auth-related configuration, OAuth consumer mode etc. See `Authentication` section of [the configuration cheatsheet](configuration/cheatsheet.md#authentication). + +## MRF policies descriptions + +If MRF policy depends on config, it can be added into MRF tab to adminFE by adding `config_description/0` method, which returns map with special structure. + +Example: + +```elixir +%{ + key: :mrf_activity_expiration, + related_policy: "Pleroma.Web.ActivityPub.MRF.ActivityExpirationPolicy", + label: "MRF Activity Expiration Policy", + description: "Adds automatic expiration to all local activities", + children: [ + %{ + key: :days, + type: :integer, + description: "Default global expiration time for all local activities (in days)", + suggestions: [90, 365] + } + ] + } +``` -- cgit v1.2.3
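Review bot: In the first commit's hunk (`@@ -14,9 +14,9 @@`), the new bullet under "Non-OAuth authentication" still justifies skipping the scopes check with "since password is provided during the auth", but it now also covers "HTTP header- or params-provided auth" without naming the headers or params involved. Suggest listing which credentials cause the auth plugs to invoke `Pleroma.Helpers.AuthHelper.skip_oauth(conn)` and stating that each one is password-equivalent, so a reader can confirm the skip never applies to a weaker credential. The commit subject also mentions OAuth skipping for SessionAuthenticationPlug, while the bullet does not say whether session-based auth falls under this rule; it should say so either way.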
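Review bot: In the second commit's hunk (`@@ -21,3 +21,26 @@`), the new "MRF policies descriptions" section describes the return value of `config_description/0` only as a "map with special structure" and leaves the single example to carry the rest. Suggest documenting each key the example uses (`key`, `related_policy`, `label`, `description`, `children`, and for each child `type` and `suggestions`), stating which are required, and noting that `related_policy` is the policy module name given as a string. Since the commit message says the log level is reduced when a policy does not implement the method, the section could also state that implementing it is optional. As a style point, "function" is the usual Elixir term rather than "method", and the opening sentence would read better as "it can be added to the MRF tab of adminFE".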