Commit Graph

2770 Commits

Author SHA1 Message Date
Clement Michaud
3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering in the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00
Clement Michaud
1e05c41a0c Remove useless comment from first factor page 2017-10-31 07:27:36 +01:00
Clement Michaud
42019bf67d Improve UX of the TOTP registration page
Mainly add badges and links to Google Play and Apple Store to get Google
Authenticator.
2017-10-31 07:27:36 +01:00
Clement Michaud
7b68a543bf Strengthen password in LDAP using SHA512 crypt algorithm
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt

The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the c function,
that's why python, make and C++ compiler are installed temporarily in the
Docker image.
2017-10-31 07:27:36 +01:00
Clement Michaud
22d56b1faa Change basicauth.test.local into single_factor.test.local 2017-10-31 07:27:36 +01:00
Clement Michaud
969561f4ad Add Content-Security-Policy in Authelia web pages 2017-10-31 07:27:36 +01:00
Clement Michaud
a3560ef8d3 Add possible security measures in README 2017-10-31 07:27:36 +01:00
Clement Michaud
869d55dfd1 Add a meta tag to avoid search engine indexing 2017-10-31 07:27:36 +01:00
Clement Michaud
cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud
563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud
99b04809a5 Provide information about fake webmail in home page of example 2017-10-31 07:27:23 +01:00
Clement Michaud
2b65680774 Remove TOTP secret from endpoint logs 2017-10-31 07:27:23 +01:00
Clement Michaud
dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud
b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
Clément Michaud
34a595863a
Merge pull request #181 from Chemsmith/add-email-handeler-2
Less restrictive email handler - replace gmail with generic
2017-10-31 07:01:30 +01:00
Dylan Smith
c62b85e37d Less restrictive email handler - replace gmail with generic 2017-10-25 19:28:56 +11:00
Clement Michaud
5570ac3d84 3.6.0 2017-10-16 22:32:55 +02:00
Clément Michaud
19c846a366 Merge pull request #160 from clems4ever/develop
Release 3.6.0
2017-10-16 22:32:18 +02:00
Clément Michaud
39b3898908 Merge pull request #152 from clems4ever/cookie-theft
Prevention agains cookie theft
2017-10-16 21:11:58 +02:00
Clement Michaud
056565a968 Add X-Frame-Options header to avoid ability to embed websites in iframes 2017-10-16 20:56:26 +02:00
Clement Michaud
0b33982701 Add notes on security measures deployed in Authelia in README 2017-10-16 20:56:26 +02:00
Clement Michaud
f523e5335f Use HSTS in example 2017-10-16 20:56:26 +02:00
Clement Michaud
92b78f7c15 Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
Clément Michaud
6e3a9494ce Merge pull request #158 from clems4ever/anonymous-smtp
Allow anonymous user in SMTP notifier
2017-10-16 00:09:55 +02:00
Clément Michaud
35b934ecea Merge branch 'develop' into anonymous-smtp 2017-10-15 23:25:47 +02:00
Clément Michaud
5bac2b75b0 Merge pull request #159 from clems4ever/publish-develop-to-docker
Publish 'develop' tag to dockerhub
2017-10-15 23:24:28 +02:00
Clément Michaud
565fc35f07 Merge branch 'develop' into anonymous-smtp 2017-10-15 22:50:05 +02:00
Clément Michaud
15615b2741 Merge branch 'develop' into publish-develop-to-docker 2017-10-15 22:49:58 +02:00
Clément Michaud
3236b97ffd Merge pull request #156 from clems4ever/remove-schema-from-source
Remove configuration schema from source since it is generated
2017-10-15 22:49:23 +02:00
Clement Michaud
e8e8c8f7da Publish 'develop' tag to dockerhub 2017-10-15 22:48:56 +02:00
Clement Michaud
d3a2251d4a Allow anonymous user in SMTP notifier
SMTP notifier should be able to send emails with anonymous user, i.e. without
providing username and password in configuration file.
2017-10-15 22:41:22 +02:00
Clément Michaud
b6aca2619b Merge branch 'develop' into remove-schema-from-source 2017-10-15 22:31:06 +02:00
Clément Michaud
329927b865 Merge pull request #157 from clems4ever/already-logged-username
Add username to the 'already logged in' page
2017-10-15 22:30:55 +02:00
Clement Michaud
e8a1e7c52c Remove configuration schema from source since it is generated 2017-10-15 22:17:36 +02:00
Clement Michaud
daee042368 Add username to the 'already logged in' page 2017-10-15 22:15:54 +02:00
Clément Michaud
35b66ba630 Merge pull request #155 from clems4ever/block-logged-in-page
Block 'already logged in' page to unauthenticated user
2017-10-15 22:03:11 +02:00
Clement Michaud
f2ae1cd044 Block 'already logged in' page to unauthenticated user 2017-10-15 21:52:12 +02:00
Clément Michaud
8fa50482df Merge pull request #153 from clems4ever/opt-subdomain-methods
Make per_subdomain_methods optional in configuration file
2017-10-15 21:39:24 +02:00
Clement Michaud
12a8626ef7 Make per_subdomain_methods optional in configuration file 2017-10-15 20:01:16 +02:00
Clément Michaud
b3479c19da Merge pull request #149 from clems4ever/npm-package-fix
Do not include client/ and server/ in npm package
2017-10-15 16:09:50 +02:00
Clement Michaud
e599ac78ae Do not include client/ and server/ in npm package 2017-10-15 15:52:34 +02:00
Clément Michaud
4b51ae30cc Merge pull request #147 from clems4ever/userdn-ldap-filter
Add {dn} as an available matcher in LDAP groups filter
2017-10-15 15:02:46 +02:00
Clement Michaud
ce264ff4d3 Add {dn} as an available matcher in LDAP groups filter
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.

e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.

Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
Clément Michaud
15fa6286ad Merge pull request #143 from clems4ever/protect-ldap-injection
Add input sanitizer to LDAP client to protect against LDAP injections
2017-10-15 13:36:38 +02:00
Clement Michaud
2e087f12f4 Fix out of bound access in LDAP results array 2017-10-15 02:07:04 +02:00
Clément Michaud
9fe202f227 Merge pull request #144 from clems4ever/test-forward-headers
Fix unhandled rejections in unit tests
2017-10-15 01:55:31 +02:00
Clement Michaud
1dd0343860 Add input sanitizer to LDAP client to protect against LDAP injections 2017-10-15 01:35:33 +02:00
Clement Michaud
bf3e71d732 Fix unhandled rejections in unit tests 2017-10-15 01:34:37 +02:00
Clément Michaud
cb139997d2 Merge pull request #142 from clems4ever/test-forward-headers
Add test for headers forwarding feature
2017-10-15 01:13:57 +02:00
Clement Michaud
3a88ca95b8 Check TOTP token with window of 1
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00