2019-04-24 21:52:08 +00:00
|
|
|
package handlers
|
|
|
|
|
|
|
|
// TOTPRegistrationAction is the string representation of the action for which the token has been produced.
|
|
|
|
const TOTPRegistrationAction = "RegisterTOTPDevice"
|
|
|
|
|
|
|
|
// U2FRegistrationAction is the string representation of the action for which the token has been produced.
|
|
|
|
const U2FRegistrationAction = "RegisterU2FDevice"
|
|
|
|
|
|
|
|
// ResetPasswordAction is the string representation of the action for which the token has been produced.
|
|
|
|
const ResetPasswordAction = "ResetPassword"
|
|
|
|
|
|
|
|
const authPrefix = "Basic "
|
|
|
|
|
2021-02-23 23:35:04 +00:00
|
|
|
// ProxyAuthorizationHeader is the basic-auth HTTP header Authelia utilises.
|
|
|
|
const ProxyAuthorizationHeader = "Proxy-Authorization"
|
|
|
|
|
|
|
|
// AuthorizationHeader is the basic-auth HTTP header Authelia utilises with "auth=basic" query param.
|
|
|
|
const AuthorizationHeader = "Authorization"
|
2020-12-01 23:03:44 +00:00
|
|
|
|
|
|
|
// SessionUsernameHeader is used as additional protection to validate a user for things like pam_exec.
|
|
|
|
const SessionUsernameHeader = "Session-Username"
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
const remoteUserHeader = "Remote-User"
|
2020-10-26 11:38:08 +00:00
|
|
|
const remoteNameHeader = "Remote-Name"
|
|
|
|
const remoteEmailHeader = "Remote-Email"
|
2019-04-24 21:52:08 +00:00
|
|
|
const remoteGroupsHeader = "Remote-Groups"
|
|
|
|
|
|
|
|
const (
|
2020-04-20 21:03:38 +00:00
|
|
|
// Forbidden means the user is forbidden the access to a resource.
|
2019-04-24 21:52:08 +00:00
|
|
|
Forbidden authorizationMatching = iota
|
|
|
|
// NotAuthorized means the user can access the resource with more permissions.
|
|
|
|
NotAuthorized authorizationMatching = iota
|
|
|
|
// Authorized means the user is authorized given her current permissions.
|
|
|
|
Authorized authorizationMatching = iota
|
|
|
|
)
|
|
|
|
|
|
|
|
const operationFailedMessage = "Operation failed."
|
|
|
|
const authenticationFailedMessage = "Authentication failed. Check your credentials."
|
|
|
|
const userBannedMessage = "Please retry in a few minutes."
|
2020-04-11 03:54:18 +00:00
|
|
|
const unableToRegisterOneTimePasswordMessage = "Unable to set up one-time passwords." //nolint:gosec
|
2019-04-24 21:52:08 +00:00
|
|
|
const unableToRegisterSecurityKeyMessage = "Unable to register your security key."
|
|
|
|
const unableToResetPasswordMessage = "Unable to reset your password."
|
|
|
|
const mfaValidationFailedMessage = "Authentication failed, please retry later."
|
2020-05-02 16:20:40 +00:00
|
|
|
|
2020-12-16 01:30:03 +00:00
|
|
|
const ldapPasswordComplexityCode = "0000052D."
|
|
|
|
|
2021-06-16 02:50:14 +00:00
|
|
|
var ldapPasswordComplexityCodes = []string{
|
|
|
|
"0000052D", "SynoNumber", "SynoMixedCase", "SynoExcludeNameDesc", "SynoSpecialChar",
|
|
|
|
}
|
|
|
|
var ldapPasswordComplexityErrors = []string{
|
|
|
|
"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy",
|
|
|
|
"LDAP Result Code 19 \"Constraint Violation\": Password is too young to change",
|
|
|
|
}
|
2020-11-27 09:59:22 +00:00
|
|
|
|
2020-05-02 16:20:40 +00:00
|
|
|
const testInactivity = "10"
|
|
|
|
const testRedirectionURL = "http://redirection.local"
|
|
|
|
const testResultAllow = "allow"
|
|
|
|
const testUsername = "john"
|
2020-05-20 22:03:15 +00:00
|
|
|
|
|
|
|
const movingAverageWindow = 10
|
|
|
|
const msMinimumDelay1FA = float64(250)
|
|
|
|
const msMaximumRandomDelay = int64(85)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
// OIDC constants.
|
|
|
|
const (
|
|
|
|
oidcJWKsPath = "/api/oidc/jwks"
|
|
|
|
oidcAuthorizePath = "/api/oidc/authorize"
|
|
|
|
oidcTokenPath = "/api/oidc/token" //nolint:gosec // This is not a hard coded credential, it's a path.
|
|
|
|
oidcIntrospectPath = "/api/oidc/introspect"
|
|
|
|
oidcRevokePath = "/api/oidc/revoke"
|
2021-07-10 04:56:33 +00:00
|
|
|
oidcUserinfoPath = "/api/oidc/userinfo"
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
// Note: If you change this const you must also do so in the frontend at web/src/services/Api.ts.
|
|
|
|
oidcConsentPath = "/api/oidc/consent"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
accept = "accept"
|
|
|
|
reject = "reject"
|
|
|
|
)
|