diff options
| author | lain <lain@soykaf.club> | 2020-12-09 15:55:45 +0000 |
|---|---|---|
| committer | lain <lain@soykaf.club> | 2020-12-09 15:55:45 +0000 |
| commit | 477c6c8e558c1b1f193caadb6172db840c1910a4 (patch) | |
| tree | 6d7f533436d9de01b4190db1318da98ea719cd49 /docs | |
| parent | 1436a2fa2dfd5fef6d61d1bba9ba074b359b40a3 (diff) | |
| parent | 055a306380cdfc7b34faeaa90c09e408569f3b92 (diff) | |
Merge branch 'auth-improvements' into 'develop'
Cookie auth rework / Auth subsystem refactoring and tweaks
Closes pleroma/secteam/pleroma#3
See merge request pleroma/pleroma!3112
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/configuration/static_dir.md | 5 | ||||
| -rw-r--r-- | docs/dev.md | 4 |
2 files changed, 7 insertions, 2 deletions
diff --git a/docs/configuration/static_dir.md b/docs/configuration/static_dir.md index 8ac07b725..a294bb604 100644 --- a/docs/configuration/static_dir.md +++ b/docs/configuration/static_dir.md @@ -88,3 +88,8 @@ config :pleroma, :frontend_configurations, Note the extra `static` folder for the terms-of-service.html Terms of Service will be shown to all users on the registration page. It's the best place where to write down the rules for your instance. You can modify the rules by adding and changing `$static_dir/static/terms-of-service.html`. + + +## Styling rendered pages + +To overwrite the CSS stylesheet of the OAuth form and other static pages, you can upload your own CSS file to `instance/static/static.css`. This will completely replace the CSS used by those pages, so it might be a good idea to copy the one from `priv/static/instance/static.css` and make your changes. diff --git a/docs/dev.md b/docs/dev.md index aa89a941f..765380a58 100644 --- a/docs/dev.md +++ b/docs/dev.md @@ -14,9 +14,9 @@ This document contains notes and guidelines for Pleroma developers. For `:api` pipeline routes, it'll be verified whether `OAuthScopesPlug` was called or explicitly skipped, and if it was not then auth information will be dropped for request. Then `EnsurePublicOrAuthenticatedPlug` will be called to ensure that either the instance is not private or user is authenticated (unless explicitly skipped). Such automated checks help to prevent human errors and result in higher security / privacy for users. -## [HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) +## Non-OAuth authentication -* With HTTP Basic Auth, OAuth scopes check is _not_ performed for any action (since password is provided during the auth, requester is able to obtain a token with full permissions anyways). `Pleroma.Web.Plugs.AuthenticationPlug` and `Pleroma.Web.Plugs.LegacyAuthenticationPlug` both call `Pleroma.Web.Plugs.OAuthScopesPlug.skip_plug(conn)` when password is provided. +* With non-OAuth authentication ([HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) or HTTP header- or params-provided auth), OAuth scopes check is _not_ performed for any action (since password is provided during the auth, requester is able to obtain a token with full permissions anyways); auth plugs invoke `Pleroma.Helpers.AuthHelper.skip_oauth(conn)` in this case. ## Auth-related configuration, OAuth consumer mode etc. |