Commit Graph

24 Commits

Author SHA1 Message Date
Clement Michaud
3a88ca95b8 Check TOTP token with window of 1
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00
Clement Michaud
c02d9b4a6e Display current URL when redirection step fails in integration tests 2017-10-14 22:12:00 +02:00
Clement Michaud
8cf58d7b31 Add tests on headers forwarded to backend
Ensure Remote-User and Remote-Groups can be forwarded to the backend app.
2017-10-14 22:11:56 +02:00
Clement Michaud
56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud
9559bff5de Remove artifacts of only_basic_auth query param 2017-10-09 02:03:05 +02:00
Clement Michaud
1cf4e57bb1 Redirect user when he has already validated some factors
Example 1: The user has validated first factor when accessing a service
protected by basic auth. When he tries to access another service protected
by second factor, he is redirected to second factor step to complete
authentication.

Example 2: The user has already validated second factor. When he access auth
service, he is redirected either to /loggedin page that displays an "already
logged in" page or to the URL provided in the "redirect" query parameter.
2017-10-09 01:07:32 +02:00
Clement Michaud
b7a180af9b Fix randomness in integration tests 2017-10-08 17:13:29 +02:00
Clement Michaud
54c93fc945 Fix randomness with integration tests
The notification message pops up and hide after few seconds.
Sometimes, chrome drivers tries to click on a button that moves due
to the notification message animation and thus miss it.
2017-10-08 16:28:12 +02:00
Clement Michaud
66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud
d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00
Clement Michaud
4cbf6efa42 Disable second factor for certain subdomain 2017-09-26 23:09:33 +02:00
Clement Michaud
4cd78f3f83 Add SMTP notifier as an available option in configuration
One can now plug its own SMTP server to send notifications
for identity validation and password reset requests.

Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clement Michaud
cf16272a73 Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
2017-09-24 21:39:47 +02:00
Clement Michaud
0a33b2d5ee Add logs to detect redis connection issues earlier
Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem
2017-09-22 20:52:05 +02:00
Clement Michaud
7128970a53 Add redirection URL as a query parameter during authentication
Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since user could open several pages in
browser and thus override the redirection URL leading the user to
be incorrectly redirected.
2017-09-22 17:53:18 +02:00
FrozenDragoon
489dbf9e30 Merge branch 'master' into feature-dockercompose 2017-09-11 13:28:39 -05:00
Clement Michaud
a39605f9d7 Stabilize integration tests by increasing timeouts 2017-09-09 00:43:18 +02:00
FrozenDragoon
e644fe7b7b Split example scripts, allow running example using pre-built docker container (example-dockerhub) or build build from source, as it is now (example-commit). 2017-09-05 06:32:50 -05:00
Clement Michaud
85462be268 Wait for notifications to fade out before going forward in integration test steps. 2017-09-03 15:02:38 +02:00
Clement Michaud
64c06fd6b8 Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-03 12:48:35 +02:00
Clement Michaud
20536abf8b Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 22:38:26 +02:00
Clement Michaud
50636587a8 Notifications to users do not use notifyjs anymore. They are more common and located in the form areas to improve visibility on mobile devices. 2017-09-02 16:33:57 +02:00
Clement Michaud
928209dc98 Fix redirection after authentication and error page when accessing restricted pages 2017-08-03 00:41:13 +02:00
Clement Michaud
c12a085f8e Replace mocha integration tests by cucumber tests 2017-07-31 22:20:33 +02:00