Commit Graph

83 Commits

Author SHA1 Message Date
Clément Michaud
6438a5e48f
Fix ECONNRESET when LDAP queries fail. (#261)
This commit should fix #225.

In order to avoid stalling LDAP connections, Authelia creates new
sessions for each set of queries bound to one authentication, i.e.,
one session for authentication, emails retrieval and groups
retrieval.
Before this commit, a failing query was preventing the session to
be closed (unbind was not called). Now, unbind is always called
whatever the outcome of the query.

I took the opportunity of this commit to refactor LDAP client in
order to prepare the work on users database stored in a file.
(#233)
2018-08-25 19:22:48 +02:00
Clément Michaud
c503765dd6
Implement retry mechanism for broken connections to mongo (#258)
Before this patch, when Authelia started, if Mongo was not
up and running, Authelia failed to connect and never retried.
Now, everytime Authelia faces a broken connection, it tries
to reconnect during the next operation.
2018-08-19 16:51:36 +02:00
Clément Michaud
0dd9a5f815
Make session cookie name customizable. (#256)
This option is optional and set to authelia_session
by default.
2018-08-19 13:07:00 +02:00
Clement Michaud
6d6162f26c Add tests for minimal configuration 2018-08-10 00:12:04 +02:00
Clement Michaud
35fbea355f Fix logging after configuration refactoring 2018-08-09 23:52:53 +02:00
Clement Michaud
73be5bfc68 Fix missing default value in configuration 2018-08-09 23:52:53 +02:00
Clement Michaud
c82f910da3 Refactor configuration to remove optional sections from minimal template
Also move tests from dedicated directory to source dir with .spec.ts extension
2018-08-09 23:52:53 +02:00
Clément Michaud
a70863c48c
Merge branch 'master' into bootstrap_loading_spinner 2018-07-26 22:30:09 +02:00
Callan Bryant
dc0d0d046c restore important whitespace 2018-07-26 08:21:12 +01:00
Clément Michaud
fbe613d5ba
Merge branch 'master' into overlay_notifications 2018-07-25 21:31:23 +02:00
Clément Michaud
a8dbf27faf
Merge branch 'master' into bootstrap_loading_spinner 2018-07-25 21:31:11 +02:00
Clement Michaud
1e0a279179 Fix issues with integration tests in master 2018-07-25 20:52:26 +02:00
Callan Bryant
eea023a200 Make notifications appear on top instead of inline
Currently notifications reflow the document which causes the interface
to jump twice which can be frustrating if you're trying to click
something.

This change makes the notification appear at the top of the form as
such:
2018-07-20 09:34:13 +01:00
Callan Bryant
9cd48c068d Make first factor login page UI indicate loading state
* Submit button changes to "Loading..."
* Form fades and disables
2018-07-19 17:07:58 +01:00
Clement Michaud
df9cb51a89 Make sure session.domain is provided in config.yml 2018-05-17 01:12:14 +02:00
Clement Michaud
acd5a7a26d Fix compilation and unit tests 2018-05-17 00:06:07 +02:00
Clement Michaud
39555179e4 Bump all dependencies 2018-05-07 23:23:29 +02:00
Clement Michaud
4da5402cdf Add helmet dependency and add it as express middleware 2018-04-26 09:07:06 +02:00
Clement Michaud
7a13523004 Fix basic authentication and tests 2018-04-25 23:22:41 +02:00
Clement Michaud
bc72f5c508 Use x-original-url instead of host to deduce domain to check permissions for 2018-04-25 00:41:41 +02:00
Clement Michaud
4be299d6eb Adapt kube example to work without custom nginx template 2018-04-24 23:59:15 +02:00
Clement Michaud
48d6107b0b Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 23:03:09 +02:00
Clement Michaud
bf3705b3e9 Attribute mail_attribute is not correcty taken into account 2018-04-24 21:33:31 +02:00
Clement Michaud
0b2f6ace83 Fix unit and integration tests 2018-03-29 23:09:29 +02:00
Clement Michaud
6586402114 Support 'redirect' in /api/verify endpoint to support Traefik
Traefik handles auth forwarding but does not manage redirections like Nginx.
Therefore, Authelia must redirect the user and Traefik will forward this
request.

To support both Nginx and Traefik, /api/verify is now configurable with the
'redirect' get parameter. If the verification fails and 'redirect' is not
provided the response will be a 401 error as before.
If the parameter is provided and set to any URL, the response will be a
redirection (302) to this URL.
2017-12-04 22:52:33 +01:00
Clement Michaud
515a82eb8d Add links and tooltips at second factor stage to better guide the user
A link to U2F explains what is a U2F security key and how they are used.

A tooltip on U2F device registration link is telling the user he needs a
security key to register.
2017-11-28 21:56:50 +01:00
Clement Michaud
f47d3c2b0b Reset password form sends 200 status when user does not exist
Reset password sends 200 status codes to avoid user enumeration.
2017-11-18 21:27:07 +01:00
Clement Michaud
ca885e4b15 Fix not working u2f when using Firefox
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox.  This change reintroduces the
official u2f script.
2017-11-09 00:21:24 +01:00
Clement Michaud
a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud
d1f0543ac6 Fix bad redirection when no default_redirection_url is provided 2017-11-01 21:17:43 +01:00
Clement Michaud
009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud
e3e1235755 Fix unhandled error exception thrown by Bluebirds in tests 2017-11-01 16:30:51 +01:00
Clement Michaud
e93b98c1ec Remove unused AuthenticationValidator 2017-11-01 15:35:55 +01:00
Clement Michaud
6b78240d39 Fix endpoints redirection on errors
From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clement Michaud
54854bacb1 Use issuer and label when generating otpauthURL for TOTP
Issuer is customizable in configuration so that a company can set its own name
or website. If not provided, default value is 'authelia.com'.

The username is used as label.
2017-10-31 21:36:47 +01:00
Clement Michaud
73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud
3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering in the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00
Clement Michaud
1e05c41a0c Remove useless comment from first factor page 2017-10-31 07:27:36 +01:00
Clement Michaud
42019bf67d Improve UX of the TOTP registration page
Mainly add badges and links to Google Play and Apple Store to get Google
Authenticator.
2017-10-31 07:27:36 +01:00
Clement Michaud
7b68a543bf Strengthen password in LDAP using SHA512 crypt algorithm
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt

The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the c function,
that's why python, make and C++ compiler are installed temporarily in the
Docker image.
2017-10-31 07:27:36 +01:00
Clement Michaud
969561f4ad Add Content-Security-Policy in Authelia web pages 2017-10-31 07:27:36 +01:00
Clement Michaud
869d55dfd1 Add a meta tag to avoid search engine indexing 2017-10-31 07:27:36 +01:00
Clement Michaud
cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud
563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud
2b65680774 Remove TOTP secret from endpoint logs 2017-10-31 07:27:23 +01:00
Clement Michaud
dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud
b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
Dylan Smith
c62b85e37d Less restrictive email handler - replace gmail with generic 2017-10-25 19:28:56 +11:00
Clement Michaud
92b78f7c15 Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
Clément Michaud
565fc35f07 Merge branch 'develop' into anonymous-smtp 2017-10-15 22:50:05 +02:00