Commit Graph

38 Commits

Author SHA1 Message Date
Clement Michaud
a717b965c1 Display only available 2FA methods.
For instance Duo Push Notification method is not displayed if the API
is not configured.
2019-03-24 22:23:25 +01:00
Clement Michaud
d09a307ff8 Fix redirection after 2FA method change.
Authelia was using links with href="#" that changed the URL when clicked
on. Therefore, this commit removes the href property and apply link style
to tags without href property.
2019-03-24 20:02:55 +01:00
Clement Michaud
8ef402511c Add Duo Push Notification option as 2FA. 2019-03-24 15:15:49 +01:00
Clement Michaud
d9e487c99f Display only one 2FA option.
Displaying only one option at 2FA stage will allow to add more options
like DUO push or OAuth.

The user can switch to other option and in this case the option is
remembered so that next time, the user will see the same option. The
latest option is considered as the prefered option by Authelia.
2019-03-23 19:34:00 +01:00
Clement Michaud
76fa325f08 [BREAKING] Create a suite for kubernetes tests.
Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.
2019-03-16 00:13:27 +01:00
Clement Michaud
5614bea827 Fix unit tests. 2019-03-03 11:39:40 +01:00
Clement Michaud
c579355c5b Migrate more Cucumber tests into Mocha. 2019-03-03 11:39:40 +01:00
Clement Michaud
efceb66ffa Migrate some tests to mocha. 2019-03-03 11:39:40 +01:00
Clement Michaud
d3a790627e Fix inactivity Ãe2e tests. 2019-03-03 11:39:40 +01:00
Clement Michaud
61946929d2 Cleanup redirection url in redux state. 2019-03-03 11:39:40 +01:00
Clement Michaud
d2a547eca6 Fix e2e tests for complete configuration. 2019-03-03 11:39:40 +01:00
Clement Michaud
c5eb86e0fd Fix e2e test with minimal configuration. 2019-03-03 11:39:40 +01:00
Clement Michaud
eccf08b6b0 Authelia can be run locally while communicating with docker environment. 2019-03-03 11:39:40 +01:00
Clement Michaud
1bc0029651 Introduce authelia-cli to ease development cycle. 2019-03-03 11:39:40 +01:00
Clement Michaud
317611b099 Replace material-UI by material-components-web. 2019-03-03 11:39:40 +01:00
Clement Michaud
419c883a8c Replace client by client-react. 2019-03-03 11:39:40 +01:00
Clement Michaud
42581dfe93 Fix open redirection vulnerability.
In order to redirect the user after authentication, Authelia uses
rd query parameter provided by the proxy. However an attacker could
use phishing to make the user be redirected to a bad domain. In order
to avoid the user to be redirected to a bad location, Authelia now
verifies the redirection URL is under the protected domain.
2018-11-17 17:48:20 +01:00
Clement Michaud
7c80515b34 Fix U2F authentication by upgrading libraries. 2018-11-06 15:45:01 +01:00
Clement Michaud
e8c3205e0a Make Authelia compatible with Firefox.
Use the polyfill version of u2f API provided by Google.

https://github.com/mastahyeti/u2f-api

This polyfill is at least compatible with Chrome and
Firefox after enabling the U2F support.

[HOWTO] Enable U2F in Firefox >= 57:
Navigate to 'about:config' and search for 'u2f' option.
Double-click on the line to toggle the option.
2018-10-27 18:22:01 +02:00
Clement Michaud
4c3b5cfbb3 Implement Keep me logged in feature. 2018-10-21 16:11:31 +02:00
Clement Michaud
059c5936f5 Add 'keep me logged in' checkbox in first factor page. 2018-10-21 15:25:28 +02:00
Clement Michaud
a1592d9897 Update Authelia icon and add a title image. 2018-08-30 11:26:13 +02:00
Clément Michaud
a70863c48c
Merge branch 'master' into bootstrap_loading_spinner 2018-07-26 22:30:09 +02:00
Callan Bryant
a1233e5437 re-enable element before sending message 2018-07-23 11:06:17 +01:00
Callan Bryant
eea023a200 Make notifications appear on top instead of inline
Currently notifications reflow the document which causes the interface
to jump twice which can be frustrating if you're trying to click
something.

This change makes the notification appear at the top of the form as
such:
2018-07-20 09:34:13 +01:00
Callan Bryant
9cd48c068d Make first factor login page UI indicate loading state
* Submit button changes to "Loading..."
* Form fades and disables
2018-07-19 17:07:58 +01:00
Clement Michaud
a5592252c7 Bump npm dependencies 2018-03-23 10:13:00 +01:00
Clement Michaud
515a82eb8d Add links and tooltips at second factor stage to better guide the user
A link to U2F explains what is a U2F security key and how they are used.

A tooltip on U2F device registration link is telling the user he needs a
security key to register.
2017-11-28 21:56:50 +01:00
Clement Michaud
ca885e4b15 Fix not working u2f when using Firefox
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox.  This change reintroduces the
official u2f script.
2017-11-09 00:21:24 +01:00
Clement Michaud
28f9c52355 Reduce font size and height of the header 2017-11-01 21:42:12 +01:00
Clement Michaud
3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering in the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00
Clement Michaud
42019bf67d Improve UX of the TOTP registration page
Mainly add badges and links to Google Play and Apple Store to get Google
Authenticator.
2017-10-31 07:27:36 +01:00
Clement Michaud
969561f4ad Add Content-Security-Policy in Authelia web pages 2017-10-31 07:27:36 +01:00
Clement Michaud
563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud
56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud
9559bff5de Remove artifacts of only_basic_auth query param 2017-10-09 02:03:05 +02:00
Clement Michaud
ae720c5230 Fix missing images in notification messages 2017-10-07 21:58:41 +02:00
Clement Michaud
d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00