porchlight

History

Johan Lundberg faeecaed59 fix(security): invite links must not log in accounts with credentials A registration/re-invite link auto-established a session for any existing active user, so re-inviting a fully set-up user acted as a passwordless login. Invite links are for account setup only. After consuming the token, refuse to establish a session when the target account already has a password or WebAuthn credential. Credential-less accounts (e.g. freshly created by initial-admin) can still complete setup. Account recovery for set-up accounts must use a separate, authenticated flow. Refs: porchlight-a3a Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>		2026-06-04 10:51:01 +02:00
..
__init__.py	feat: add authentication routes with session login, WebAuthn, and credential management	2026-02-16 11:39:50 +01:00
test_last_credential_guard.py	fix: reorder imports and use ty-compatible type suppression	2026-02-19 14:29:01 +01:00
test_manage_credentials_page.py	fix: reorder imports and use ty-compatible type suppression	2026-02-19 14:29:01 +01:00
test_manage_password_credential.py	feat: require current password when changing password, add zxcvbn strength check	2026-03-31 15:34:43 +02:00
test_manage_webauthn_credential.py	fix: reorder imports and use ty-compatible type suppression	2026-02-19 14:29:01 +01:00
test_pages.py	feat: add authentication routes with session login, WebAuthn, and credential management	2026-02-16 11:39:50 +01:00
test_password_login.py	fix: reorder imports and use ty-compatible type suppression	2026-02-19 14:29:01 +01:00
test_register_magic_link.py	fix(security): invite links must not log in accounts with credentials	2026-06-04 10:51:01 +02:00
test_session_deps.py	update all imports in test files: fastapi_oidc_op → porchlight	2026-02-16 15:34:53 +01:00
test_webauthn_login.py	fix: reorder imports and use ty-compatible type suppression	2026-02-19 14:29:01 +01:00