closes#5880
We track failed attempts for both (pseudonym) and (pseudonym, ip) in
Redis, the latter with a lower threshold. If either threshold is
exceeded, the user can't attempt to login for a given time period
(default 5 minutes). This protects against brute force auth attacks.
We've hooked into Authlogic for this, so it should apply to everywhere a
user is logged in -- login screen, API basic auth, Respondus API, etc.
It doesn't apply to SSO auth, where the SSO authority is assumed to have
existing protection of its own.
I refactored the Respondus SOAP API to use Authlogic in a more standard
manner, to make this work.
Change-Id: I569823f83c5c2855526464da270426275eb857cd
Reviewed-on: https://gerrit.instructure.com/6428
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Zach Wily <zach@instructure.com>
store a hash of the key in the database when it's first set up, and
check it every subsequent time we load the environment, aborting if it
doesn't match. also provide a way to overwrite the hash in the db (via
env var and/or rake task)
Change-Id: I2a9f75cc850698ca247f39702a703c486fb7413d
Reviewed-on: https://gerrit.instructure.com/2972
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Whitmer <brian@instructure.com>
- external tools can be added on the course/account
settings page
- external tools can be linked to from within modules
- clicking a tool in a module will load a new page
with the tool embedded in an iframe
- see context_external_tools for standard procedures
on retrieving settings for a specific link
fixes#4013
Change-Id: I8aa1934f8deac9af26d74036162b34fd1c4242e1
Reviewed-on: https://gerrit.instructure.com/2601
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>