/**
 * @apiDefine UserSession
 * @apiHeader {String} Cookie Cookie containing "connect.sid", the user
 * session token.
 */
/**
 * @apiDefine InternalError
 * @apiError (Error 500) {String} error Internal error message.
 */
/**
 * @apiDefine IdentityValidationStart
 *
 * @apiSuccess (Success 204) status Identity validation has been initiated.
 * @apiError (Error 403) AccessDenied Access is denied.
 * @apiError (Error 400) InvalidIdentity User identity is invalid.
 * @apiError (Error 500) {String} error Internal error message.
 *
 * @apiDescription This request issues an identity validation token for the user
 * bound to the session. It sends a challenge to the email address set in the user's
 * LDAP entry. The user must visit the sent URL to complete the validation and
 * continue the registration process.
 */
/**
 * @apiDefine IdentityValidationFinish
 * @apiParam {String} identity_token The one-time identity validation token provided in the email.
 * @apiSuccess (Success 200) {String} content The content of the page.
 * @apiError (Error 403) AccessDenied Access is denied.
 * @apiError (Error 500) {String} error Internal error message.
 */
/**
 * @api {post} /api/secondfactor/u2f/register Complete U2F registration
 * @apiName FinishU2FRegistration
 * @apiGroup U2F
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse InternalError
 *
 * @apiSuccess (Success 302) Redirect to the URL that has been stored during the last call to /api/verify.
 *
 * @apiDescription Complete U2F registration request.
 */
// Path of the "Complete U2F registration" endpoint.
// NOTE(review): the apidoc block above documents /api/secondfactor/u2f/register,
// but this value is /api/u2f/register; confirm which path is served so proxy or
// access rules written from the docs cover the real route.
export const SECOND_FACTOR_U2F_REGISTER_POST = '/api/u2f/register';
/**
 * @api {get} /api/u2f/register_request Start U2F registration
 * @apiName StartU2FRegistration
 * @apiGroup U2F
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse InternalError
 *
 * @apiSuccess (Success 200) authentication_request The U2F registration request.
 * @apiError (Error 403) {none} error Unexpected identity validation challenge.
 *
 * @apiDescription Initiate a U2F device registration request.
 */
// Path of the "Start U2F registration" endpoint. The apidoc above lists a 403
// for an unexpected identity validation challenge.
export const SECOND_FACTOR_U2F_REGISTER_REQUEST_GET = '/api/u2f/register_request';
/**
 * @api {post} /api/u2f/sign Complete U2F authentication
 * @apiName CompleteU2FAuthentication
 * @apiGroup U2F
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse InternalError
 *
 * @apiSuccess (Success 302) Redirect to the URL that has been stored during the last call to /api/verify.
 * @apiError (Error 403) {none} error No authentication request has been provided.
 *
 * @apiDescription Complete authentication request of the U2F device.
 */
// Path of the "Complete U2F authentication" endpoint.
// NOTE(review): success is documented as a 302 to the URL stored during the
// last /api/verify call; confirm that stored URL is checked against the
// protected domain before it is used.
export const SECOND_FACTOR_U2F_SIGN_POST = '/api/u2f/sign';
/**
 * @api {get} /api/u2f/sign_request Start U2F authentication
 * @apiName StartU2FAuthentication
 * @apiGroup U2F
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse InternalError
 *
 * @apiSuccess (Success 200) authentication_request The U2F authentication request.
 * @apiError (Error 401) {none} error There is no key registered for the user in session.
 *
 * @apiDescription Initiate an authentication request using a U2F device.
 */
// Path of the "Start U2F authentication" endpoint; documented to answer 401
// when the session user has no registered key.
export const SECOND_FACTOR_U2F_SIGN_REQUEST_GET = '/api/u2f/sign_request';
/**
 * @api {post} /api/totp Complete TOTP authentication
 * @apiName ValidateTOTPSecondFactor
 * @apiGroup TOTP
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse InternalError
 *
 * @apiParam {String} token TOTP token.
 *
 * @apiSuccess (Success 302) Redirect to the URL that has been stored during the last call to /api/verify.
 * @apiError (Error 401) {none} error TOTP token is invalid.
 *
 * @apiDescription Verify TOTP token. The user is authenticated upon success.
 */
// Path of the "Complete TOTP authentication" endpoint.
// NOTE(review): unlike the first-factor block, the apidoc above lists no
// response for too many attempts; confirm invalid TOTP tokens are rate limited.
export const SECOND_FACTOR_TOTP_POST = '/api/totp';
/**
 * @api {get} /api/secondfactor/u2f/identity/start Start U2F registration identity validation
 * @apiName RequestU2FRegistration
 * @apiGroup U2F
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse IdentityValidationStart
 */
// Path that starts identity validation for U2F registration.
// NOTE(review): the constant name says POST while the apidoc above says {get}.
// The request sends an email challenge, so confirm which method is registered.
export const SECOND_FACTOR_U2F_IDENTITY_START_POST = '/api/secondfactor/u2f/identity/start';
/**
 * @api {get} /api/secondfactor/u2f/identity/finish Finish U2F registration identity validation
 * @apiName ServeU2FRegistrationPage
 * @apiGroup U2F
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse IdentityValidationFinish
 *
 * @apiDescription Serves the U2F registration page that asks the user to
 * touch the token of the U2F device.
 */
// Path that finishes identity validation for U2F registration.
// NOTE(review): the constant name says POST while the apidoc above says {get};
// confirm the method, since identity_token is documented as a request parameter.
export const SECOND_FACTOR_U2F_IDENTITY_FINISH_POST = '/api/secondfactor/u2f/identity/finish';
/**
 * @api {get} /api/secondfactor/totp/identity/start Start TOTP registration identity validation
 * @apiName StartTOTPRegistration
 * @apiGroup TOTP
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse IdentityValidationStart
 *
 * @apiDescription Initiates the identity validation.
 */
// Path that starts identity validation for TOTP registration; per the shared
// IdentityValidationStart block it sends an email challenge to the session user.
export const SECOND_FACTOR_TOTP_IDENTITY_START_GET = '/api/secondfactor/totp/identity/start';
/**
 * @api {get} /api/secondfactor/totp/identity/finish Finish TOTP registration identity validation
 * @apiName FinishTOTPRegistration
 * @apiGroup TOTP
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse IdentityValidationFinish
 *
 * @apiDescription Serves the TOTP registration page that displays the secret.
 * The secret is shown as a QR code and as a base32 string.
 */
// Path that finishes identity validation for TOTP registration.
// NOTE(review): the documented response page displays the TOTP secret (QR code
// and base32); confirm the response is not cached or logged.
export const SECOND_FACTOR_TOTP_IDENTITY_FINISH_GET = '/api/secondfactor/totp/identity/finish';
/**
 * @api {post} /api/password-reset Set new password
 * @apiName SetNewLDAPPassword
 * @apiGroup PasswordReset
 * @apiVersion 1.0.0
 * @apiUse UserSession
 *
 * @apiParam {String} password New password.
 *
 * @apiDescription Set a new password for the user.
 */
// Path of the "Set new password" endpoint.
// NOTE(review): the apidoc above lists no error responses; confirm the handler
// rejects sessions that have not finished the password-reset identity validation.
export const RESET_PASSWORD_FORM_POST = '/api/password-reset';
/**
 * @api {get} /password-reset/request Request username
 * @apiName ServePasswordResetPage
 * @apiGroup PasswordReset
 * @apiVersion 1.0.0
 * @apiUse UserSession
 *
 * @apiDescription Serve a page that asks for the username.
 */
// Path of the page that asks for the username whose password is to be reset.
// NOTE(review): the apidoc above documents /password-reset/request without the
// /api prefix used here; confirm which path is current.
export const RESET_PASSWORD_REQUEST_GET = '/api/password-reset/request';
/**
 * @api {get} /password-reset/identity/start Start password reset request
 * @apiName StartPasswordResetRequest
 * @apiGroup PasswordReset
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse IdentityValidationStart
 *
 * @apiDescription Start password reset request.
 */
// Path that starts identity validation for a password reset.
// NOTE(review): the apidoc above documents /password-reset/identity/start
// without the /api prefix used here; confirm which path is current.
export const RESET_PASSWORD_IDENTITY_START_GET = '/api/password-reset/identity/start';
/**
 * @api {post} /reset-password/request Finish password reset request
 * @apiName FinishPasswordResetRequest
 * @apiGroup PasswordReset
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse IdentityValidationFinish
 *
 * @apiDescription Start password reset request.
 */
// Path that finishes identity validation for a password reset.
// NOTE(review): the apidoc above reads "{post} /reset-password/request" and
// "Start password reset request"; neither matches this GET-named
// /api/password-reset/identity/finish constant, so the block should be reconciled.
export const RESET_PASSWORD_IDENTITY_FINISH_GET = '/api/password-reset/identity/finish';
/**
 * @api {post} /1stfactor Bind user against LDAP
 * @apiName ValidateFirstFactor
 * @apiGroup Authentication
 * @apiVersion 1.0.0
 * @apiUse UserSession
 * @apiUse InternalError
 *
 * @apiParam {String} username User username.
 * @apiParam {String} password User password.
 *
 * @apiSuccess (Success 204) status 1st factor is validated.
 * @apiError (Error 401) {none} error 1st factor is not validated.
 * @apiError (Error 401) {none} error Access has been restricted after too
 * many authentication attempts.
 *
 * @apiDescription Verify credentials against the LDAP.
 */
// Path of the first-factor (username and password) endpoint.
// NOTE(review): the apidoc above documents /1stfactor, not /api/firstfactor;
// confirm the docs match the route that enforces the attempt limit.
export const FIRST_FACTOR_POST = '/api/firstfactor';
/**
 * @api {get} /state Authentication state
 * @apiName State
 * @apiGroup Authentication
 * @apiVersion 1.0.0
 *
 * @apiSuccess (Success 200) A dict containing the username and the authentication
 * level.
 *
 * @apiDescription Get the authentication state of the user based on the cookie.
 */
// Path of the endpoint that reports the session's username and authentication level.
// NOTE(review): the apidoc above documents /state without the /api prefix used here.
export const STATE_GET = '/api/state';
/**
 * @api {get} /api/verify Verify user authentication
 * @apiName VerifyAuthentication
 * @apiGroup Verification
 * @apiVersion 1.0.0
 * @apiUse UserSession
 *
 * @apiParam {String} redirect Optional parameter set to the URL where the user
 * is redirected if access is refused. It is mainly used by Traefik, which does
 * not control the redirection itself.
 *
 * @apiSuccess (Success 204) status The user is authenticated.
 * @apiError (Error 302) redirect The user is redirected if the redirect parameter is provided.
 * @apiError (Error 401) status The user gets an error if access failed.
 *
 * @apiDescription Verify that the user is authenticated, i.e., the two
 * factors have been validated.
 * If the user is authenticated, the response headers Remote-User and Remote-Groups
 * are set. Remote-User contains the user id of the currently logged-in user and Remote-Groups
 * a comma-separated list of assigned groups.
 */
// Path of the "Verify user authentication" endpoint.
// NOTE(review): `redirect` is a caller-supplied URL and Remote-User/Remote-Groups
// are identity headers; confirm the redirect target is validated and that the
// proxy drops client-sent copies of those headers.
export const VERIFY_GET = '/api/verify';
/**
 * @api {post} /api/logout Logout procedure
 * @apiName Logout
 * @apiGroup Authentication
 * @apiVersion 1.0.0
 *
 * @apiSuccess (Success 200)
 *
 * @apiDescription Resets the session to log out the user.
 */
// Path of the logout endpoint, documented above as resetting the session.
export const LOGOUT_POST = '/api/logout';
/**
 * @api {post} /api/redirect URL redirection checking endpoint
 * @apiName Redirect
 * @apiGroup Authentication
 * @apiVersion 1.0.0
 * @apiDescription Check if the user can be redirected to the URL provided.
 * The level of permissions for this user is checked and the URL must be
 * in the domain protected by Authelia.
 *
 * @apiSuccess (Success 200)
 *
 * @apiDescription Resets the session to log out the user.
 */
// Path of the endpoint that checks whether a redirect URL is allowed.
// NOTE(review): the apidoc above carries two @apiDescription lines; the second
// ("Resets the session...") looks left over from the logout block.
export const REDIRECT_POST = '/api/redirect';