authelia/test/features/redirection.feature

Feature: User is correctly redirected 

  Scenario: User is redirected to authelia when he is not authenticated
    When I visit "https://public.example.com:8080"
    Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2F"

  @need-registered-user-john
  Scenario: User is redirected to home page after several authentication tries
    When I visit "https://public.example.com:8080/secret.html"
    And I login with user "john" and password "badpassword"
    And I wait for notification to disappear
    And I clear field "username"
    And I login with user "john" and password "password" 
    And I use "REGISTERED" as TOTP token handle
    And I click on "Sign in"
    Then I'm redirected to "https://public.example.com:8080/secret.html"

  Scenario: User Harry does not have access to admin domain and thus he must get an error 403
    When I register TOTP and login with user "harry" and password "password"
    And I visit "https://admin.example.com:8080/secret.html"
    Then I get an error 403

  Scenario: Redirection URL is propagated from restricted page to first factor
    When I visit "https://public.example.com:8080/secret.html"
    Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"

  Scenario: Redirection URL is propagated from first factor to second factor
    Given I visit "https://login.example.com:8080/"
    And I login with user "john" and password "password"
    And I register a TOTP secret called "Sec0"
    When I visit "https://public.example.com:8080/secret.html"
    And I login with user "john" and password "password"
    Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"

  Scenario: Redirection URL is used to send user from second factor to target page
    Given I visit "https://login.example.com:8080/"
    And I login with user "john" and password "password"
    And I register a TOTP secret called "Sec0"
    When I visit "https://public.example.com:8080/secret.html"
    And I login with user "john" and password "password"
    And I use "Sec0" as TOTP token handle
    And I click on "Sign in"
    Then I'm redirected to "https://public.example.com:8080/secret.html"

  @need-registered-user-john
  Scenario: User is redirected to default URL defined in configuration when authentication is successful
    When I visit "https://login.example.com:8080"
    And I login with user "john" and password "password" 
    And I use "REGISTERED" as TOTP token handle
    And I click on "Sign in"
    Then I'm redirected to "https://home.example.com:8080/"


  Scenario: User is redirected when hitting an error 401
    When I visit "https://login.example.com:8080/secondfactor/u2f/identity/finish"
    Then I'm redirected to "https://login.example.com:8080/error/401"
    And I sleep for 5 seconds
    And I'm redirected to "https://home.example.com:8080/"

  @need-registered-user-harry
  Scenario: User is redirected when hitting an error 403
    When I visit "https://login.example.com:8080"
    And I login with user "harry" and password "password" 
    And I use "REGISTERED" as TOTP token handle
    And I click on "Sign in"
    And I'm redirected to "https://home.example.com:8080/"
    When I visit "https://admin.example.com:8080/secret.html"
    Then I'm redirected to "https://login.example.com:8080/error/403"
    And I sleep for 5 seconds
    And I'm redirected to "https://home.example.com:8080/"
Wait for notifications to fade out before going forward in integration test steps. 2017-09-03 13:02:38 +00:00			`Feature: User is correctly redirected`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`Scenario: User is redirected to authelia when he is not authenticated`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://public.example.com:8080"`
Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 21:03:05 +00:00			`Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2F"`
Replace mocha integration tests by cucumber tests 2017-07-26 21:45:26 +00:00
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`@need-registered-user-john`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`Scenario: User is redirected to home page after several authentication tries`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://public.example.com:8080/secret.html"`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`And I login with user "john" and password "badpassword"`
Fix randomness with integration tests The notification message pops up and hide after few seconds. Sometimes, chrome drivers tries to click on a button that moves due to the notification message animation and thus miss it. 2017-10-08 14:28:10 +00:00			`And I wait for notification to disappear`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`And I clear field "username"`
			`And I login with user "john" and password "password"`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`And I use "REGISTERED" as TOTP token handle`
Improve UX of the second factor page Start the U2F signing request when entering in the second factor page so that the user only has to touch the token without any other clicks. 2017-10-21 23:23:26 +00:00			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Then I'm redirected to "https://public.example.com:8080/secret.html"`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README. 2017-09-03 13:22:09 +00:00			`Scenario: User Harry does not have access to admin domain and thus he must get an error 403`
Fix redirection after authentication and error page when accessing restricted pages 2017-08-02 22:30:41 +00:00			`When I register TOTP and login with user "harry" and password "password"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`And I visit "https://admin.example.com:8080/secret.html"`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00			`Then I get an error 403`

			`Scenario: Redirection URL is propagated from restricted page to first factor`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://public.example.com:8080/secret.html"`
Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 21:03:05 +00:00			`Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00
			`Scenario: Redirection URL is propagated from first factor to second factor`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Given I visit "https://login.example.com:8080/"`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00			`And I login with user "john" and password "password"`
			`And I register a TOTP secret called "Sec0"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://public.example.com:8080/secret.html"`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00			`And I login with user "john" and password "password"`
Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 21:03:05 +00:00			`Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00
			`Scenario: Redirection URL is used to send user from second factor to target page`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Given I visit "https://login.example.com:8080/"`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00			`And I login with user "john" and password "password"`
			`And I register a TOTP secret called "Sec0"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://public.example.com:8080/secret.html"`
Add redirection URL as a query parameter during authentication Before this fix, the redirection URL was stored in the user session, but this has a big drawback since user could open several pages in browser and thus override the redirection URL leading the user to be incorrectly redirected. 2017-09-22 15:53:18 +00:00			`And I login with user "john" and password "password"`
			`And I use "Sec0" as TOTP token handle`
Improve UX of the second factor page Start the U2F signing request when entering in the second factor page so that the user only has to touch the token without any other clicks. 2017-10-21 23:23:26 +00:00			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Then I'm redirected to "https://public.example.com:8080/secret.html"`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-17 21:24:02 +00:00
			`@need-registered-user-john`
			`Scenario: User is redirected to default URL defined in configuration when authentication is successful`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://login.example.com:8080"`
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated. 2017-10-17 21:24:02 +00:00			`And I login with user "john" and password "password"`
			`And I use "REGISTERED" as TOTP token handle`
Improve UX of the second factor page Start the U2F signing request when entering in the second factor page so that the user only has to touch the token without any other clicks. 2017-10-21 23:23:26 +00:00			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Then I'm redirected to "https://home.example.com:8080/"`
Fix endpoints redirection on errors From this commit on, api endpoints reply with a 401 error code and non api endpoints redirect to /error/40X. This commit also fixes missing restrictions on /loggedin (the "already logged in page). This was not a security issue, though. The change also makes error pages automatically redirect the user after few seconds based on the referrer or the default_redirection_url if provided in the configuration. Warning: The old /verify endpoint of the REST API has moved to /api/verify. You will need to update your nginx configuration to take this change into account. 2017-11-01 13:24:18 +00:00

			`Scenario: User is redirected when hitting an error 401`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://login.example.com:8080/secondfactor/u2f/identity/finish"`
			`Then I'm redirected to "https://login.example.com:8080/error/401"`
Fix endpoints redirection on errors From this commit on, api endpoints reply with a 401 error code and non api endpoints redirect to /error/40X. This commit also fixes missing restrictions on /loggedin (the "already logged in page). This was not a security issue, though. The change also makes error pages automatically redirect the user after few seconds based on the referrer or the default_redirection_url if provided in the configuration. Warning: The old /verify endpoint of the REST API has moved to /api/verify. You will need to update your nginx configuration to take this change into account. 2017-11-01 13:24:18 +00:00			`And I sleep for 5 seconds`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`And I'm redirected to "https://home.example.com:8080/"`
Fix endpoints redirection on errors From this commit on, api endpoints reply with a 401 error code and non api endpoints redirect to /error/40X. This commit also fixes missing restrictions on /loggedin (the "already logged in page). This was not a security issue, though. The change also makes error pages automatically redirect the user after few seconds based on the referrer or the default_redirection_url if provided in the configuration. Warning: The old /verify endpoint of the REST API has moved to /api/verify. You will need to update your nginx configuration to take this change into account. 2017-11-01 13:24:18 +00:00
			`@need-registered-user-harry`
			`Scenario: User is redirected when hitting an error 403`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`When I visit "https://login.example.com:8080"`
Fix endpoints redirection on errors From this commit on, api endpoints reply with a 401 error code and non api endpoints redirect to /error/40X. This commit also fixes missing restrictions on /loggedin (the "already logged in page). This was not a security issue, though. The change also makes error pages automatically redirect the user after few seconds based on the referrer or the default_redirection_url if provided in the configuration. Warning: The old /verify endpoint of the REST API has moved to /api/verify. You will need to update your nginx configuration to take this change into account. 2017-11-01 13:24:18 +00:00			`And I login with user "harry" and password "password"`
			`And I use "REGISTERED" as TOTP token handle`
			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`And I'm redirected to "https://home.example.com:8080/"`
			`When I visit "https://admin.example.com:8080/secret.html"`
			`Then I'm redirected to "https://login.example.com:8080/error/403"`
Fix endpoints redirection on errors From this commit on, api endpoints reply with a 401 error code and non api endpoints redirect to /error/40X. This commit also fixes missing restrictions on /loggedin (the "already logged in page). This was not a security issue, though. The change also makes error pages automatically redirect the user after few seconds based on the referrer or the default_redirection_url if provided in the configuration. Warning: The old /verify endpoint of the REST API has moved to /api/verify. You will need to update your nginx configuration to take this change into account. 2017-11-01 13:24:18 +00:00			`And I sleep for 5 seconds`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`And I'm redirected to "https://home.example.com:8080/"`