authelia/internal/middlewares/const.go

package middlewares

import (
	"errors"

	"github.com/valyala/fasthttp"
)

var (
	headerXAutheliaURL = []byte("X-Authelia-URL")

	headerAccept        = []byte(fasthttp.HeaderAccept)
	headerContentLength = []byte(fasthttp.HeaderContentLength)
	headerLocation      = []byte(fasthttp.HeaderLocation)

	headerXForwardedProto = []byte(fasthttp.HeaderXForwardedProto)
	headerXForwardedHost  = []byte(fasthttp.HeaderXForwardedHost)
	headerXForwardedFor   = []byte(fasthttp.HeaderXForwardedFor)
	headerXRequestedWith  = []byte(fasthttp.HeaderXRequestedWith)

	headerXForwardedURI    = []byte("X-Forwarded-URI")
	headerXOriginalURL     = []byte("X-Original-URL")
	headerXOriginalMethod  = []byte("X-Original-Method")
	headerXForwardedMethod = []byte("X-Forwarded-Method")

	headerVary   = []byte(fasthttp.HeaderVary)
	headerAllow  = []byte(fasthttp.HeaderAllow)
	headerOrigin = []byte(fasthttp.HeaderOrigin)

	headerAccessControlAllowCredentials = []byte(fasthttp.HeaderAccessControlAllowCredentials)
	headerAccessControlAllowHeaders     = []byte(fasthttp.HeaderAccessControlAllowHeaders)
	headerAccessControlAllowMethods     = []byte(fasthttp.HeaderAccessControlAllowMethods)
	headerAccessControlAllowOrigin      = []byte(fasthttp.HeaderAccessControlAllowOrigin)
	headerAccessControlMaxAge           = []byte(fasthttp.HeaderAccessControlMaxAge)
	headerAccessControlRequestHeaders   = []byte(fasthttp.HeaderAccessControlRequestHeaders)
	headerAccessControlRequestMethod    = []byte(fasthttp.HeaderAccessControlRequestMethod)

	headerXContentTypeOptions   = []byte(fasthttp.HeaderXContentTypeOptions)
	headerReferrerPolicy        = []byte(fasthttp.HeaderReferrerPolicy)
	headerXFrameOptions         = []byte(fasthttp.HeaderXFrameOptions)
	headerPragma                = []byte(fasthttp.HeaderPragma)
	headerCacheControl          = []byte(fasthttp.HeaderCacheControl)
	headerXXSSProtection        = []byte(fasthttp.HeaderXXSSProtection)
	headerContentSecurityPolicy = []byte(fasthttp.HeaderContentSecurityPolicy)

	headerPermissionsPolicy = []byte("Permissions-Policy")
)

var (
	headerValueFalse           = []byte("false")
	headerValueTrue            = []byte("true")
	headerValueMaxAge          = []byte("100")
	headerValueVary            = []byte("Accept-Encoding, Origin")
	headerValueVaryWildcard    = []byte("Accept-Encoding")
	headerValueOriginWildcard  = []byte("*")
	headerValueZero            = []byte("0")
	headerValueCSPNone         = []byte("default-src 'none'")
	headerValueCSPNoneFormPost = []byte("default-src 'none'; script-src 'sha256-skflBqA90WuHvoczvimLdj49ExKdizFjX2Itd6xKZdU='")

	headerValueNoSniff                 = []byte("nosniff")
	headerValueStrictOriginCrossOrigin = []byte("strict-origin-when-cross-origin")
	headerValueSameOrigin              = []byte("SAMEORIGIN")
	headerValueNoCache                 = []byte("no-cache")
	headerValueNoStore                 = []byte("no-store")
	headerValueXSSModeBlock            = []byte("1; mode=block")
	headerValueCohort                  = []byte("interest-cohort=()")
)

const (
	strProtoHTTPS = "https"
	strProtoHTTP  = "http"
	strSlash      = "/"

	queryArgRedirect    = "rd"
	queryArgAutheliaURL = "authelia_url"
	queryArgToken       = "token"
)

var (
	protoHTTPS = []byte(strProtoHTTPS)
	protoHTTP  = []byte(strProtoHTTP)

	qryArgRedirect    = []byte(queryArgRedirect)
	qryArgAutheliaURL = []byte(queryArgAutheliaURL)

	keyUserValueBaseURL   = []byte("base_url")
	keyUserValueAuthzPath = []byte("authz_path")

	// UserValueKeyFormPost is the User Value key where we indicate the form_post response mode.
	UserValueKeyFormPost = []byte("form_post")

	headerSeparator = []byte(", ")

	contentTypeTextPlain       = []byte("text/plain; charset=utf-8")
	contentTypeTextHTML        = []byte("text/html; charset=utf-8")
	contentTypeApplicationJSON = []byte("application/json; charset=utf-8")
	contentTypeApplicationYAML = []byte("application/yaml; charset=utf-8")
)

const (
	headerValueXRequestedWithXHR = "XMLHttpRequest"
)

var okMessageBytes = []byte("{\"status\":\"OK\"}")

const (
	messageOperationFailed                      = "Operation failed"
	messageIdentityVerificationTokenAlreadyUsed = "The identity verification token has already been used"
	messageIdentityVerificationTokenHasExpired  = "The identity verification token has expired"
)

var protoHostSeparator = []byte("://")

var errPasswordPolicyNoMet = errors.New("the supplied password does not met the security policy")
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package middlewares`

refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`import (`
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`"errors"`

refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`"github.com/valyala/fasthttp"`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`var (`
feat: envoy support (#3793) Adds support for Envoy and Istio using the X-Authelia-URL header. The documentation will be published just before the release. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-10-01 11:47:09 +00:00			`headerXAutheliaURL = []byte("X-Authelia-URL")`

feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00			`headerAccept = []byte(fasthttp.HeaderAccept)`
			`headerContentLength = []byte(fasthttp.HeaderContentLength)`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00			`headerLocation = []byte(fasthttp.HeaderLocation)`
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00
refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`headerXForwardedProto = []byte(fasthttp.HeaderXForwardedProto)`
			`headerXForwardedHost = []byte(fasthttp.HeaderXForwardedHost)`
			`headerXForwardedFor = []byte(fasthttp.HeaderXForwardedFor)`
			`headerXRequestedWith = []byte(fasthttp.HeaderXRequestedWith)`

			`headerXForwardedURI = []byte("X-Forwarded-URI")`
			`headerXOriginalURL = []byte("X-Original-URL")`
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions. 2022-12-17 00:49:05 +00:00			`headerXOriginalMethod = []byte("X-Original-Method")`
refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`headerXForwardedMethod = []byte("X-Forwarded-Method")`
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765 2022-02-06 13:37:28 +00:00
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00			`headerVary = []byte(fasthttp.HeaderVary)`
			`headerAllow = []byte(fasthttp.HeaderAllow)`
			`headerOrigin = []byte(fasthttp.HeaderOrigin)`

feat(oidc): add automatic allow all cors to discovery (#2953) This adds a Cross Origin Resource Sharing policy that automatically allows any cross-origin request to the OpenID Connect discovery documents. 2022-03-04 04:46:12 +00:00			`headerAccessControlAllowCredentials = []byte(fasthttp.HeaderAccessControlAllowCredentials)`
			`headerAccessControlAllowHeaders = []byte(fasthttp.HeaderAccessControlAllowHeaders)`
			`headerAccessControlAllowMethods = []byte(fasthttp.HeaderAccessControlAllowMethods)`
			`headerAccessControlAllowOrigin = []byte(fasthttp.HeaderAccessControlAllowOrigin)`
			`headerAccessControlMaxAge = []byte(fasthttp.HeaderAccessControlMaxAge)`
			`headerAccessControlRequestHeaders = []byte(fasthttp.HeaderAccessControlRequestHeaders)`
			`headerAccessControlRequestMethod = []byte(fasthttp.HeaderAccessControlRequestMethod)`
fix(server): missing modern security headers (#3288) This fixes an issue with missing modern security headers such as the X-Content-Type-Options, Referer-Policy, etc. 2022-05-03 02:19:30 +00:00
fix(server): missing cache and xss headers (#3289) Addresses documentation and a couple of headers which were missed. 2022-05-04 04:47:23 +00:00			`headerXContentTypeOptions = []byte(fasthttp.HeaderXContentTypeOptions)`
			`headerReferrerPolicy = []byte(fasthttp.HeaderReferrerPolicy)`
			`headerXFrameOptions = []byte(fasthttp.HeaderXFrameOptions)`
			`headerPragma = []byte(fasthttp.HeaderPragma)`
			`headerCacheControl = []byte(fasthttp.HeaderCacheControl)`
			`headerXXSSProtection = []byte(fasthttp.HeaderXXSSProtection)`
			`headerContentSecurityPolicy = []byte(fasthttp.HeaderContentSecurityPolicy)`

			`headerPermissionsPolicy = []byte("Permissions-Policy")`
feat(oidc): add automatic allow all cors to discovery (#2953) This adds a Cross Origin Resource Sharing policy that automatically allows any cross-origin request to the OpenID Connect discovery documents. 2022-03-04 04:46:12 +00:00			`)`

			`var (`
fix(oidc): csp blocks form_post response form submit (#4719) This fixes an issue where the form_post response never gets submitted. Fixes #4669 2023-01-07 20:04:06 +00:00			`headerValueFalse = []byte("false")`
			`headerValueTrue = []byte("true")`
			`headerValueMaxAge = []byte("100")`
			`headerValueVary = []byte("Accept-Encoding, Origin")`
			`headerValueVaryWildcard = []byte("Accept-Encoding")`
			`headerValueOriginWildcard = []byte("*")`
			`headerValueZero = []byte("0")`
			`headerValueCSPNone = []byte("default-src 'none'")`
			`headerValueCSPNoneFormPost = []byte("default-src 'none'; script-src 'sha256-skflBqA90WuHvoczvimLdj49ExKdizFjX2Itd6xKZdU='")`
fix(server): missing modern security headers (#3288) This fixes an issue with missing modern security headers such as the X-Content-Type-Options, Referer-Policy, etc. 2022-05-03 02:19:30 +00:00
			`headerValueNoSniff = []byte("nosniff")`
			`headerValueStrictOriginCrossOrigin = []byte("strict-origin-when-cross-origin")`
fix(server): missing cache and xss headers (#3289) Addresses documentation and a couple of headers which were missed. 2022-05-04 04:47:23 +00:00			`headerValueSameOrigin = []byte("SAMEORIGIN")`
			`headerValueNoCache = []byte("no-cache")`
			`headerValueNoStore = []byte("no-store")`
			`headerValueXSSModeBlock = []byte("1; mode=block")`
fix(server): missing modern security headers (#3288) This fixes an issue with missing modern security headers such as the X-Content-Type-Options, Referer-Policy, etc. 2022-05-03 02:19:30 +00:00			`headerValueCohort = []byte("interest-cohort=()")`
feat(oidc): add automatic allow all cors to discovery (#2953) This adds a Cross Origin Resource Sharing policy that automatically allows any cross-origin request to the OpenID Connect discovery documents. 2022-03-04 04:46:12 +00:00			`)`

refactor: clean up uri checking functions (#3943) 2022-09-03 01:51:02 +00:00			`const (`
			`strProtoHTTPS = "https"`
			`strProtoHTTP = "http"`
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions. 2022-12-17 00:49:05 +00:00			`strSlash = "/"`

feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`queryArgRedirect = "rd"`
			`queryArgAutheliaURL = "authelia_url"`
			`queryArgToken = "token"`
refactor: clean up uri checking functions (#3943) 2022-09-03 01:51:02 +00:00			`)`

feat(oidc): add automatic allow all cors to discovery (#2953) This adds a Cross Origin Resource Sharing policy that automatically allows any cross-origin request to the OpenID Connect discovery documents. 2022-03-04 04:46:12 +00:00			`var (`
refactor: clean up uri checking functions (#3943) 2022-09-03 01:51:02 +00:00			`protoHTTPS = []byte(strProtoHTTPS)`
			`protoHTTP = []byte(strProtoHTTP)`
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765 2022-02-06 13:37:28 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`qryArgRedirect = []byte(queryArgRedirect)`
			`qryArgAutheliaURL = []byte(queryArgAutheliaURL)`
feat: envoy support (#3793) Adds support for Envoy and Istio using the X-Authelia-URL header. The documentation will be published just before the release. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-10-01 11:47:09 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`keyUserValueBaseURL = []byte("base_url")`
			`keyUserValueAuthzPath = []byte("authz_path")`
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00
fix(oidc): csp blocks form_post response form submit (#4719) This fixes an issue where the form_post response never gets submitted. Fixes #4669 2023-01-07 20:04:06 +00:00			`// UserValueKeyFormPost is the User Value key where we indicate the form_post response mode.`
			`UserValueKeyFormPost = []byte("form_post")`

feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00			`headerSeparator = []byte(", ")`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00
			`contentTypeTextPlain = []byte("text/plain; charset=utf-8")`
			`contentTypeTextHTML = []byte("text/html; charset=utf-8")`
			`contentTypeApplicationJSON = []byte("application/json; charset=utf-8")`
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required. 2023-01-03 03:49:02 +00:00			`contentTypeApplicationYAML = []byte("application/yaml; charset=utf-8")`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`const (`
refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`headerValueXRequestedWithXHR = "XMLHttpRequest"`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
			`var okMessageBytes = []byte("{\"status\":\"OK\"}")`

fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`const (`
			`messageOperationFailed = "Operation failed"`
			`messageIdentityVerificationTokenAlreadyUsed = "The identity verification token has already been used"`
			`messageIdentityVerificationTokenHasExpired = "The identity verification token has expired"`
			`)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`var protoHostSeparator = []byte("://")`
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00
			`var errPasswordPolicyNoMet = errors.New("the supplied password does not met the security policy")`