RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/handlers/handler_firstfactor.go

145 lines
4.6 KiB
Go
Raw Normal View History

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
package handlers
import (
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
"errors"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"time"
fix(configuration): remember me duration disabled impossible (#2997) This fixes an issue not properly resolved by db6dd32151a8161e8348f32d19a687f0faa16ddf.
2022-03-13 02:51:23 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/middlewares"
"github.com/authelia/authelia/v4/internal/regulation"
"github.com/authelia/authelia/v4/internal/session"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
)
fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important.
2022-04-08 04:13:47 +00:00
// FirstFactorPOST is the handler performing the first factory.
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 19:39:25 +00:00
//nolint:gocyclo // TODO: Consider refactoring time permitting.
fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important.
2022-04-08 04:13:47 +00:00
func FirstFactorPOST(delayFunc middlewares.TimingAttackDelayFunc) middlewares.RequestHandler {
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return func(ctx *middlewares.AutheliaCtx) {
var successful bool
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
requestTime := time.Now()
fix(middlewares): smart delay on reset password (#2767) This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
2022-01-20 23:46:13 +00:00
if delayFunc != nil {
defer delayFunc(ctx.Logger, requestTime, &successful)
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
}
bodyJSON := firstFactorRequestBody{}
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
if err := ctx.ParseBody(&bodyJSON); err != nil {
ctx.Logger.Errorf(logFmtErrParseRequestBody, regulation.AuthType1FA, err)
respondUnauthorized(ctx, messageAuthenticationFailed)
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
return
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
if bannedUntil, err := ctx.Providers.Regulator.Regulate(ctx, bodyJSON.Username); err != nil {
if errors.Is(err, regulation.ErrUserIsBanned) {
_ = markAuthenticationAttempt(ctx, false, &bannedUntil, bodyJSON.Username, regulation.AuthType1FA, nil)
respondUnauthorized(ctx, messageAuthenticationFailed)
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
ctx.Logger.Errorf(logFmtErrRegulationFail, regulation.AuthType1FA, bodyJSON.Username, err)
respondUnauthorized(ctx, messageAuthenticationFailed)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
Rewrite and fix remaining suites in Go.
2019-11-24 20:27:59 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
userPasswordOk, err := ctx.Providers.UserProvider.CheckUserPassword(bodyJSON.Username, bodyJSON.Password)
if err != nil {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
_ = markAuthenticationAttempt(ctx, false, nil, bodyJSON.Username, regulation.AuthType1FA, err)
[MISC] Refactor and address most errcheck linter ignores (#1511) * [MISC] Refactor and address most errcheck linter ignores This is mostly a quality of life change. When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track. * Handle errors for regulation marks and remove unnecessary logging
2020-12-16 01:47:31 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
respondUnauthorized(ctx, messageAuthenticationFailed)
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile
2020-05-05 21:27:38 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
if !userPasswordOk {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
_ = markAuthenticationAttempt(ctx, false, nil, bodyJSON.Username, regulation.AuthType1FA, nil)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
respondUnauthorized(ctx, messageAuthenticationFailed)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
Fix unit tests.
2019-11-30 14:33:45 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
if err = markAuthenticationAttempt(ctx, true, nil, bodyJSON.Username, regulation.AuthType1FA, nil); err != nil {
respondUnauthorized(ctx, messageAuthenticationFailed)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
userSession := ctx.GetSession()
newSession := session.NewDefaultUserSession()
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
newSession.ConsentChallengeID = userSession.ConsentChallengeID
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
// Reset all values from previous session except OIDC workflow before regenerating the cookie.
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
if err = ctx.SaveSession(newSession); err != nil {
ctx.Logger.Errorf(logFmtErrSessionReset, regulation.AuthType1FA, bodyJSON.Username, err)
respondUnauthorized(ctx, messageAuthenticationFailed)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
if err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx); err != nil {
ctx.Logger.Errorf(logFmtErrSessionRegenerate, regulation.AuthType1FA, bodyJSON.Username, err)
respondUnauthorized(ctx, messageAuthenticationFailed)
[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording
2020-04-03 23:11:33 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return
}
refactor: apply godot recommendations (#2839)
2022-01-31 05:25:15 +00:00
// Check if bodyJSON.KeepMeLoggedIn can be deref'd and derive the value based on the configuration and JSON data.
fix(configuration): remember me duration disabled impossible (#2997) This fixes an issue not properly resolved by db6dd32151a8161e8348f32d19a687f0faa16ddf.
2022-03-13 02:51:23 +00:00
keepMeLoggedIn := ctx.Providers.SessionProvider.RememberMe != schema.RememberMeDisabled && bodyJSON.KeepMeLoggedIn != nil && *bodyJSON.KeepMeLoggedIn
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
refactor: apply godot recommendations (#2839)
2022-01-31 05:25:15 +00:00
// Set the cookie to expire if remember me is enabled and the user has asked us to.
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
if keepMeLoggedIn {
err = ctx.Providers.SessionProvider.UpdateExpiration(ctx.RequestCtx, ctx.Providers.SessionProvider.RememberMe)
if err != nil {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
ctx.Logger.Errorf(logFmtErrSessionSave, "updated expiration", regulation.AuthType1FA, bodyJSON.Username, err)
respondUnauthorized(ctx, messageAuthenticationFailed)
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
// Get the details of the given user from the user provider.
userDetails, err := ctx.Providers.UserProvider.GetDetails(bodyJSON.Username)
if err != nil {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
ctx.Logger.Errorf(logFmtErrObtainProfileDetails, regulation.AuthType1FA, bodyJSON.Username, err)
respondUnauthorized(ctx, messageAuthenticationFailed)
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
ctx.Logger.Tracef(logFmtTraceProfileDetails, bodyJSON.Username, userDetails.Groups, userDetails.Emails)
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
userSession.SetOneFactor(ctx.Clock.Now(), userDetails, keepMeLoggedIn)
if refresh, refreshInterval := getProfileRefreshSettings(ctx.Configuration.AuthenticationBackend); refresh {
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
userSession.RefreshTTL = ctx.Clock.Now().Add(refreshInterval)
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
if err = ctx.SaveSession(userSession); err != nil {
ctx.Logger.Errorf(logFmtErrSessionSave, "updated profile", regulation.AuthType1FA, bodyJSON.Username, err)
respondUnauthorized(ctx, messageAuthenticationFailed)
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
return
}
successful = true
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
if userSession.ConsentChallengeID != nil {
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
handleOIDCWorkflowResponse(ctx)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
} else {
Handle1FAResponse(ctx, bodyJSON.TargetURL, bodyJSON.RequestMethod, userSession.Username, userSession.Groups)
}
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-20 22:03:15 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}