path: root/lib/VNWeb/
AgeCommit message (Collapse)AuthorFilesLines
2019-11-19Increase CSRF token validity window to 12 hoursYorhel1-4/+2
People leave their window open for a while, and that's fine.
2019-10-12Add Patreon link to main menu + minor fixesYorhel1-1/+2
2019-10-10rewards: Apply supporters badge and unicode name (almost) everywhereYorhel1-14/+11
Only place where this isn't applied (yet?): Sorting user lists still goes by the old username and board names don't use the new unicode names. I have to say, I quite like the sql_user() and user_() pattern. It's not without problems when applied to everything, but it's good enough for several use cases.
2019-10-03Require email confirmation when changing email addressYorhel1-7/+11
This ensures that the email address linked to a user is always valid and actually belong(s|ed) to that user.
2019-10-03SQL: Add session types + use sessions for password reset tokensYorhel1-5/+4
This improves the password reset workflow a bit. The users.passwd field is now no longer used for reset tokens, meaning that the current password isn't affected until the user actually clicks the link and changes it. It is now also possible to have multiple active password reset tokens, in case one of the emails got lost. All existing tokens are invalidated when the user finally changes their password. Tokens are now valid for at most 1 week instead of indefinitely.
2019-10-03SQL: Change sessions.lastused into sessions.expiresYorhel1-12/+5
This will be helpful when adding other types of sessions with different expiration.
2019-10-03SQL: Get rid of the users_prefs table, store preferences in users tableYorhel1-15/+12
This bloats the users table a little bit, but that's fine. The main advantage of this change is that we now have a proper schema for user preferences, rather than the schemaless key-value mess we had before. This commit also splits the 'tags_cat' preference up into tags_cont, tags_ero and tags_tech bools, as that's more compact to store and easier to work with. This commit also changes the 'notify_nodbedit' preference to 'notify_dbedit' with inverted meaning. The reason the value was negated in the first place was because the old schemaless approach did not support positive defaults.
2019-09-30v2rw: Convert login, logout & insecure-password-change formsYorhel1-5/+11
The insecure-password-change flow is now slightly more friendly. The logout functionality has been hardened to use POST and require CSRF.
2019-09-23Minor administrative fixesYorhel1-1/+1
The FCGI module is only required when running in FastCGI mode, which isn't how the container is configured. The AnyEvent::HTTP module, on the other hand, is required for many of the new Multi::* modules. They're not enabled by default but are still a significant part of Multi, so it's good to have the dependencies available.
2019-09-23v2rw: Convert doc pages + add framework for item fetching & display & revisionsYorhel1-1/+0
This bumps the minimum Perl version to 5.26 in order to make use of lexical subroutines - a feature I've been wanting for a while. This should be the last version bump, 5.26 is the highest version in Ubuntu LTS at the moment. Not that I use Ubuntu, but it's used by the Docker container and it's a sensible reference. I merged the 'maintabs' and 'hiddenmsg' features into the primary framework_ function; It fits quite well there, removes a little bit of boilerplate from the DB entry page code and reduces the reliance on common "dbSomethingGet()" methods. I was hoping I'd be able to reduce the boilerplate required for defining revisions, but I don't think that's going to happen. What I did do was reimplement the diffing to handle item and text diffs separately, with sensible defaults for the old split/join/diff options. Diffing is now performed on the raw structured data rather than on formatted HTML, which, combined with the db_entry() functions, ought to be less brittle.
2019-09-18v2rw: Convert authentication code to VNWeb::AuthYorhel1-0/+307
More churn! Also converted v3 to use VNWeb::Auth, considering the API is pretty much the same. Converted VNWeb::* to use VNDB::Config directly rather than read from tuwf->{}, converted VNWeb::HTML to use VNWeb::Auth, and updated util/ with the new code style. I tested as much as I could, but I'm sure I broke something.