hangarmc / hangarauth
Hangar's Authentication Portal
License: MIT License
As a new member of Hangar, I registered a new account recently.
Unfortunately, while reporting some issues I shared a screenshot of my QR code in the chat, which is very bad from a security point of view. It was deleted quickly, but it raised the question of whether it should be possible to change the QR code in cases similar to mine.
need to find good texts for the emails:
https://github.com/HangarMC/HangarAuth/tree/master/docker/deployment/kratos/templates
The password can not be used because password length must be at least 8 characters but only got 2.
sounds wrong. Suggestion: Your password does not meet the minimum required length. It has to be at least 8 characters long, but is only 4
or something like that.
As described in the title, the button does not seem to be clickable.
ability to click save in change avatar page
Similar to #289, a lack of 2FA entry to disable 2FA is a security risk.
I usually use my Enter key instead of clicking on Sign in, but currently when hitting Enter nothing seems to happen.
If you hit Enter in the "Security key" tab, you get thrown back into the Password tab and your input gets cleared
It would be nicer (and more secure) to have an option to allow only signing in with an email, or allowing username and email. I don't want people guessing away at my password assuming they don't have my email and only username.
Likely some carry-over. Also has no logo, might be related.
If I manage to take the session client from a browser and I live across the world from where the session was originally created - it should require me to reauthorize
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.
@nuxt-alt/proxy
@pinia/nuxt
@unocss/nuxt
@vuelidate/core
@vuelidate/validators
eslint
eslint-import-resolver-typescript
filesize
lint-staged
pinia
pnpm
sass
typescript
unplugin-icons
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
io.awspring.cloud:spring-cloud-aws-starter-s3
org.springdoc:springdoc-openapi-ui
org.testcontainers:postgresql
org.springframework.boot:spring-boot-starter-parent
docker/docker-compose.yml
chart/dockerfiles/backend/Dockerfile
  eclipse-temurin 17.0.6_10-jre-alpine
chart/dockerfiles/frontend/Dockerfile
  node 19-alpine
docker/hydra/Dockerfile
  oryd/hydra v1.11.10
docker/kratos/Dockerfile
  oryd/kratos v0.11.1
docker/postgres/Dockerfile
  postgres 14-alpine
.github/workflows/backend_build.yml
  actions/checkout v3
  actions/setup-java v3
  actions/cache v3
.github/workflows/deploy.yml
  actions/checkout v3
  docker/setup-buildx-action v2
  actions/setup-java v3
  actions/setup-node v3
  pnpm/action-setup v2.2.4
  actions/cache v3
  actions/cache v3
  docker/login-action v2
  docker/metadata-action v4
  docker/build-push-action v3
  docker/metadata-action v4
  docker/build-push-action v3
.github/workflows/frontend_build.yml
  actions/checkout v3
  actions/setup-node v3
  pnpm/action-setup v2.2.4
  actions/cache v3
.github/workflows/issues_to_project.yml
  actions/add-to-project v0.4.0
chart/values.yaml
  oryd/hydra v1.11.10
  oryd/kratos v0.11.1
  oryd/kratos v0.11.1
chart/Chart.yaml
  postgresql 12.1.11
backend/pom.xml
  org.springframework.boot:spring-boot-starter-parent 3.0.4
  org.jdbi:jdbi3-bom 3.37.1
  com.squareup.okhttp3:okhttp 4.10.0
  sh.ory.hydra:hydra-client 1.11.8
  org.sejda.imageio:webp-imageio 0.1.6
  org.springdoc:springdoc-openapi-ui 1.6.15
  org.jetbrains:annotations 24.0.1
  io.awspring.cloud:spring-cloud-aws-starter-s3 3.0.0-RC1
  com.h2database:h2 2.1.214
  org.testcontainers:postgresql 1.17.6
  org.graalvm.buildtools:native-maven-plugin 0.9.20
frontend/package.json
  @headlessui/vue 1.7.12
  @intlify/unplugin-vue-i18n ^0.10.0
  @ory/hydra-client 1.11.8
  @ory/kratos-client 0.11.1
  @pinia/nuxt 0.4.7
  @vuelidate/core 2.0.0
  @vuelidate/validators 2.0.0
  @vueuse/components 9.13.0
  @vueuse/core 9.13.0
  @vueuse/head 1.1.23
  @vueuse/integrations 9.13.0
  accept-language-parser 1.5.0
  axios 0.27.2
  debug 4.3.4
  filesize 10.0.6
  lodash-es ^4.17.21
  nprogress 0.2.0
  ofetch ^1.0.1
  pinia 2.0.33
  universal-cookie 4.0.4
  vue 3.2.47
  vue-advanced-cropper 2.8.8
  vue-i18n 9.2.2
  vue3-popper 1.5.0
  @iconify-json/mdi 1.1.50
  @nuxt-alt/proxy 2.2.0
  @nuxtjs/eslint-config-typescript 12.0.0
  @types/accept-language-parser 1.5.3
  @types/debug 4.1.7
  @types/lodash-es ^4.17.7
  @types/node ^18.15.9
  @types/nprogress 0.2.0
  @types/prettier 2.7.2
  @types/qs 6.9.7
  @unocss/nuxt ^0.50.6
  @vue/eslint-config-typescript 11.0.2
  eslint 8.36.0
  eslint-config-prettier 8.8.0
  eslint-import-resolver-alias 1.1.2
  eslint-import-resolver-typescript 3.5.3
  eslint-plugin-eslint-comments 3.2.0
  eslint-plugin-import 2.27.5
  eslint-plugin-unicorn 46.0.0
  eslint-plugin-vue 9.10.0
  husky 8.0.3
  lint-staged 13.2.0
  nuxt ^3.3.2
  pnpm 7.30.3
  prettier 2.8.7
  qs 6.11.1
  regenerator-runtime 0.13.11
  sass 1.60.0
  typescript 5.0.2
  unplugin-auto-import 0.15.2
  unplugin-icons 0.15.3
  unplugin-vue-components 0.24.1
  vite 4.2.1
  vite-plugin-eslint 1.8.1
  vue-tsc 1.2.0
  node >=16
It's easy to accidentally share your 2FA QR code by taking a screenshot of your member settings page. Perhaps any sensitive information should be hidden by default so that it won't be accidentally shared.
I think the 2FA QR code on members' member settings should be blurred out by default, which can be toggled via a button, switch, or some other input.
When loading the main account settings page (default page for logged in users), there is a POST request to save settings. This is due to the watched dark mode boolean being triggered, which tries to save the settings. The csrf_token parameter is missing from that POST request. This request is handled by the SettingsController.
When trying to set the GitHub name/Discord ID in the user information section in the settings, it will claim that the username is missing. It was in the field before but not after clicking save.
I assume that's because the username isn't sent with the request as you shouldn't be able to change that? So the solution should definitely not be to send the field value (as a malicious actor could just send whatever) but add the property or ignore that it's missing on the backend.
When entering the verification process through the profile, you eventually reach a "dead end" where you have no direct way back to your profile and are forced to fumble your way back to hangar. Having a "back to profile" button, auto redirect, or even the normal hangar navbar at the top would be an easy solution for this.
The login flow in hangar-auth feels really weird. So I click on Security Key, enter my username, and then "Sign in with security key". Then I get the "Prepare your WebAuthn device" thingy, but below that the "Password" tab is selected and I have to click on "Security Key" again, before I then get a Continue button that feels completely out of place and has the same color as Register/Forgot.
we need to cut images to size (only allow 1:1)
maybe we can have a fancy tool on frontend for selecting a region and zooming?
also need to downscale images to reasonable file sizes, plus allow different formats (webp anyone?!)
Without this, a session hijack, or even just someone passing by an unlocked PC can gain access to the codes, effectively bypassing 2FA.
if we disable debug, it doesn't work
Changing the username should be restricted to once per month (or even longer), or require mod approval - although I'd prefer the time option. Also see https://discord.com/channels/855123416889163777/859527399901626398/1056615488844738620
Showing a name history on the Hangar profile would also be good.
if you upload a gif, you get a 500 on a url like this https://hangar-auth.minidigger.me/avatar/Peaches_MLG?size=120x120
WEBP version of avatar has extraneous borders, compared with the uploaded PNG. This is evident in dark mode.
Incorrect:
https://hangar.papermc.dev/SlimeDog or https://hangarauth.papermc.dev/account/settings?flow=447cbcd6-0af4-4c2f-9c6f-ed0c4ea2c1e8
Avatar should be converted/presented per the original.