Commit Graph

1101 Commits

Author SHA1 Message Date
Clement Michaud
056565a968 Add X-Frame-Options header to avoid ability to embed websites in iframes 2017-10-16 20:56:26 +02:00
Clement Michaud
0b33982701 Add notes on security measures deployed in Authelia in README 2017-10-16 20:56:26 +02:00
Clement Michaud
f523e5335f Use HSTS in example 2017-10-16 20:56:26 +02:00
Clement Michaud
92b78f7c15 Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
Clément Michaud
6e3a9494ce Merge pull request #158 from clems4ever/anonymous-smtp
Allow anonymous user in SMTP notifier
2017-10-16 00:09:55 +02:00
Clément Michaud
35b934ecea Merge branch 'develop' into anonymous-smtp 2017-10-15 23:25:47 +02:00
Clément Michaud
5bac2b75b0 Merge pull request #159 from clems4ever/publish-develop-to-docker
Publish 'develop' tag to dockerhub
2017-10-15 23:24:28 +02:00
Clément Michaud
565fc35f07 Merge branch 'develop' into anonymous-smtp 2017-10-15 22:50:05 +02:00
Clément Michaud
15615b2741 Merge branch 'develop' into publish-develop-to-docker 2017-10-15 22:49:58 +02:00
Clément Michaud
3236b97ffd Merge pull request #156 from clems4ever/remove-schema-from-source
Remove configuration schema from source since it is generated
2017-10-15 22:49:23 +02:00
Clement Michaud
e8e8c8f7da Publish 'develop' tag to dockerhub 2017-10-15 22:48:56 +02:00
Clement Michaud
d3a2251d4a Allow anonymous user in SMTP notifier
SMTP notifier should be able to send emails with anonymous user, i.e. without
providing username and password in configuration file.
2017-10-15 22:41:22 +02:00
Clément Michaud
b6aca2619b Merge branch 'develop' into remove-schema-from-source 2017-10-15 22:31:06 +02:00
Clément Michaud
329927b865 Merge pull request #157 from clems4ever/already-logged-username
Add username to the 'already logged in' page
2017-10-15 22:30:55 +02:00
Clement Michaud
e8a1e7c52c Remove configuration schema from source since it is generated 2017-10-15 22:17:36 +02:00
Clement Michaud
daee042368 Add username to the 'already logged in' page 2017-10-15 22:15:54 +02:00
Clément Michaud
35b66ba630 Merge pull request #155 from clems4ever/block-logged-in-page
Block 'already logged in' page to unauthenticated user
2017-10-15 22:03:11 +02:00
Clement Michaud
f2ae1cd044 Block 'already logged in' page to unauthenticated user 2017-10-15 21:52:12 +02:00
Clément Michaud
8fa50482df Merge pull request #153 from clems4ever/opt-subdomain-methods
Make per_subdomain_methods optional in configuration file
2017-10-15 21:39:24 +02:00
Clement Michaud
12a8626ef7 Make per_subdomain_methods optional in configuration file 2017-10-15 20:01:16 +02:00
Clément Michaud
b3479c19da Merge pull request #149 from clems4ever/npm-package-fix
Do not include client/ and server/ in npm package
2017-10-15 16:09:50 +02:00
Clement Michaud
e599ac78ae Do not include client/ and server/ in npm package 2017-10-15 15:52:34 +02:00
Clément Michaud
4b51ae30cc Merge pull request #147 from clems4ever/userdn-ldap-filter
Add {dn} as an available matcher in LDAP groups filter
2017-10-15 15:02:46 +02:00
Clement Michaud
ce264ff4d3 Add {dn} as an available matcher in LDAP groups filter
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.

e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.

Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
Clément Michaud
15fa6286ad Merge pull request #143 from clems4ever/protect-ldap-injection
Add input sanitizer to LDAP client to protect against LDAP injections
2017-10-15 13:36:38 +02:00
Clement Michaud
2e087f12f4 Fix out of bound access in LDAP results array 2017-10-15 02:07:04 +02:00
Clément Michaud
9fe202f227 Merge pull request #144 from clems4ever/test-forward-headers
Fix unhandled rejections in unit tests
2017-10-15 01:55:31 +02:00
Clement Michaud
1dd0343860 Add input sanitizer to LDAP client to protect against LDAP injections 2017-10-15 01:35:33 +02:00
Clement Michaud
bf3e71d732 Fix unhandled rejections in unit tests 2017-10-15 01:34:37 +02:00
Clément Michaud
cb139997d2 Merge pull request #142 from clems4ever/test-forward-headers
Add test for headers forwarding feature
2017-10-15 01:13:57 +02:00
Clement Michaud
3a88ca95b8 Check TOTP token with window of 1
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00
Clement Michaud
c02d9b4a6e Display current URL when redirection step fails in integration tests 2017-10-14 22:12:00 +02:00
Clement Michaud
8cf58d7b31 Add tests on headers forwarded to backend
Ensure Remote-User and Remote-Groups can be forwarded to the backend app.
2017-10-14 22:11:56 +02:00
Clément Michaud
f041b946d9 Merge pull request #140 from clems4ever/improve-endpoint-errors
Every public endpoints return 200 with harmonized error messages or 401
2017-10-14 12:22:24 +02:00
Clement Michaud
56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clément Michaud
3bea8a290a Merge pull request #137 from clems4ever/mail-sender
Specify mail sender for SMTP and Gmail notifiers
2017-10-10 23:08:55 +02:00
Clement Michaud
ab8aaeda25 Add configuration schema validation before starting Authelia 2017-10-10 21:59:20 +02:00
Clement Michaud
2a3fde5ee7 Add a schema validator to check user configuration 2017-10-10 01:14:36 +02:00
Clement Michaud
1ab09b71d4 Specify the sender email in Gmail and Smtp notifier configuration
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
Clément Michaud
d5035b8704 Merge pull request #131 from clems4ever/disable-second-factor
Allow basic authentication in configuration
2017-10-09 23:27:36 +02:00
Clement Michaud
9624aa6311 Adapt authentication methods configuration to be backward compatible
Prior version of configuration file can be used, the authentication methods
will be set to default values (two_factor as default method).
2017-10-09 23:14:05 +02:00
Clement Michaud
bc8fe623df Use minified version of Authelia in npm package 2017-10-09 02:03:11 +02:00
Clement Michaud
9559bff5de Remove artifacts of only_basic_auth query param 2017-10-09 02:03:05 +02:00
Clément Michaud
2641fb1620 Merge pull request #130 from clems4ever/revert-filesystem-notifier
Revert filesystem notifier
2017-10-09 01:58:06 +02:00
Clement Michaud
46deb765bb 3.5.0 2017-10-09 01:15:40 +02:00
Clement Michaud
a0aab77449 Add a section dealing with basic auth in README 2017-10-09 01:14:19 +02:00
Clement Michaud
9ddc0949b6 Add a way to logout at second factor stage 2017-10-09 01:07:43 +02:00
Clement Michaud
1cf4e57bb1 Redirect user when he has already validated some factors
Example 1: The user has validated first factor when accessing a service
protected by basic auth. When he tries to access another service protected
by second factor, he is redirected to second factor step to complete
authentication.

Example 2: The user has already validated second factor. When he access auth
service, he is redirected either to /loggedin page that displays an "already
logged in" page or to the URL provided in the "redirect" query parameter.
2017-10-09 01:07:32 +02:00
Clement Michaud
c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud
e4274fbe1b Add a note about filesystem notifier option
This note tells the users testing with npm that they can enable the
filesystem notifier feature to test identity validation without access
to mailcatcher webmail.
2017-10-08 22:58:56 +02:00