authelia/internal/handlers/types.go

package handlers

import (
	"net/http"
	"net/url"

	"github.com/google/uuid"
	"github.com/ory/fosite"

	"github.com/authelia/authelia/v4/internal/authentication"
	"github.com/authelia/authelia/v4/internal/middlewares"
	"github.com/authelia/authelia/v4/internal/model"
	"github.com/authelia/authelia/v4/internal/oidc"
	"github.com/authelia/authelia/v4/internal/session"
)

// MethodList is the list of available methods.
type MethodList = []string

// configurationBody the content returned by the configuration endpoint.
type configurationBody struct {
	AvailableMethods MethodList `json:"available_methods"`
}

// bodySignTOTPRequest is the  model of the request body of TOTP 2FA authentication endpoint.
type bodySignTOTPRequest struct {
	Token      string `json:"token" valid:"required"`
	TargetURL  string `json:"targetURL"`
	Workflow   string `json:"workflow"`
	WorkflowID string `json:"workflowID"`
}

// bodySignWebAuthnRequest is the  model of the request body of WebAuthn 2FA authentication endpoint.
type bodySignWebAuthnRequest struct {
	TargetURL  string `json:"targetURL"`
	Workflow   string `json:"workflow"`
	WorkflowID string `json:"workflowID"`
}

// bodySignDuoRequest is the  model of the request body of Duo 2FA authentication endpoint.
type bodySignDuoRequest struct {
	TargetURL  string `json:"targetURL"`
	Passcode   string `json:"passcode"`
	Workflow   string `json:"workflow"`
	WorkflowID string `json:"workflowID"`
}

// bodyPreferred2FAMethod the selected 2FA method.
type bodyPreferred2FAMethod struct {
	Method string `json:"method" valid:"required"`
}

// bodyFirstFactorRequest represents the JSON body received by the endpoint.
type bodyFirstFactorRequest struct {
	Username       string `json:"username" valid:"required"`
	Password       string `json:"password" valid:"required"`
	TargetURL      string `json:"targetURL"`
	Workflow       string `json:"workflow"`
	WorkflowID     string `json:"workflowID"`
	RequestMethod  string `json:"requestMethod"`
	KeepMeLoggedIn *bool  `json:"keepMeLoggedIn"`
	// KeepMeLoggedIn: Cannot require this field because of https://github.com/asaskevich/govalidator/pull/329
	// TODO(c.michaud): add required validation once the above PR is merged.
}

// checkURIWithinDomainRequestBody represents the JSON body received by the endpoint checking if an URI is within
// the configured domain.
type checkURIWithinDomainRequestBody struct {
	URI string `json:"uri"`
}

type checkURIWithinDomainResponseBody struct {
	OK bool `json:"ok"`
}

// redirectResponse represent the response sent by the first factor endpoint
// when a redirection URL has been provided.
type redirectResponse struct {
	Redirect string `json:"redirect"`
}

// TOTPKeyResponse is the model of response that is sent to the client up successful identity verification.
type TOTPKeyResponse struct {
	Base32Secret string `json:"base32_secret"`
	OTPAuthURL   string `json:"otpauth_url"`
}

// DuoDeviceBody the selected Duo device and method.
type DuoDeviceBody struct {
	Device string `json:"device" valid:"required"`
	Method string `json:"method" valid:"required"`
}

// DuoDevice represents Duo devices and methods.
type DuoDevice struct {
	Device       string   `json:"device"`
	DisplayName  string   `json:"display_name"`
	Capabilities []string `json:"capabilities"`
}

// DuoDevicesResponse represents all available user devices and methods as well as an optional enrollment url.
type DuoDevicesResponse struct {
	Result    string      `json:"result" valid:"required"`
	Devices   []DuoDevice `json:"devices,omitempty"`
	EnrollURL string      `json:"enroll_url,omitempty"`
}

// DuoSignResponse represents a result of the preauth and or auth call with further optional info.
type DuoSignResponse struct {
	Result    string      `json:"result" valid:"required"`
	Devices   []DuoDevice `json:"devices,omitempty"`
	Redirect  string      `json:"redirect,omitempty"`
	EnrollURL string      `json:"enroll_url,omitempty"`
}

// StateResponse represents the response sent by the state endpoint.
type StateResponse struct {
	Username              string               `json:"username"`
	AuthenticationLevel   authentication.Level `json:"authentication_level"`
	DefaultRedirectionURL string               `json:"default_redirection_url"`
}

// resetPasswordStep1RequestBody model of the reset password (step1) request body.
type resetPasswordStep1RequestBody struct {
	Username string `json:"username"`
}

// resetPasswordStep2RequestBody model of the reset password (step2) request body.
type resetPasswordStep2RequestBody struct {
	Password string `json:"password"`
}

// PasswordPolicyBody represents the response sent by the password reset step 2.
type PasswordPolicyBody struct {
	Mode             string `json:"mode"`
	MinLength        int    `json:"min_length"`
	MaxLength        int    `json:"max_length"`
	MinScore         int    `json:"min_score"`
	RequireUppercase bool   `json:"require_uppercase"`
	RequireLowercase bool   `json:"require_lowercase"`
	RequireNumber    bool   `json:"require_number"`
	RequireSpecial   bool   `json:"require_special"`
}

type handlerAuthorizationConsent func(
	ctx *middlewares.AutheliaCtx, issuer *url.URL, client oidc.Client,
	userSession session.UserSession, subject uuid.UUID,
	rw http.ResponseWriter, r *http.Request,
	requester fosite.AuthorizeRequester) (consent *model.OAuth2ConsentSession, handled bool)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package handlers`

			`import (`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`"net/http"`
			`"net/url"`

			`"github.com/google/uuid"`
			`"github.com/ory/fosite"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/authentication"`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`"github.com/authelia/authelia/v4/internal/middlewares"`
			`"github.com/authelia/authelia/v4/internal/model"`
			`"github.com/authelia/authelia/v4/internal/oidc"`
			`"github.com/authelia/authelia/v4/internal/session"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

			`// MethodList is the list of available methods.`
			`type MethodList = []string`

feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`// configurationBody the content returned by the configuration endpoint.`
			`type configurationBody struct {`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			AvailableMethods MethodList `json:"available_methods"`
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039. 2021-12-01 03:32:58 +00:00			`}`

feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`// bodySignTOTPRequest is the model of the request body of TOTP 2FA authentication endpoint.`
			`type bodySignTOTPRequest struct {`
			Token string `json:"token" valid:"required"`
			TargetURL string `json:"targetURL"`
			Workflow string `json:"workflow"`
			WorkflowID string `json:"workflowID"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

refactor: webauthn naming (#5243) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 16:04:42 +00:00			`// bodySignWebAuthnRequest is the model of the request body of WebAuthn 2FA authentication endpoint.`
			`type bodySignWebAuthnRequest struct {`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			TargetURL string `json:"targetURL"`
			Workflow string `json:"workflow"`
			WorkflowID string `json:"workflowID"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`// bodySignDuoRequest is the model of the request body of Duo 2FA authentication endpoint.`
			`type bodySignDuoRequest struct {`
			TargetURL string `json:"targetURL"`
			Passcode string `json:"passcode"`
			Workflow string `json:"workflow"`
			WorkflowID string `json:"workflowID"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`// bodyPreferred2FAMethod the selected 2FA method.`
			`type bodyPreferred2FAMethod struct {`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			Method string `json:"method" valid:"required"`
			`}`

feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`// bodyFirstFactorRequest represents the JSON body received by the endpoint.`
			`type bodyFirstFactorRequest struct {`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			Username string `json:"username" valid:"required"`
			Password string `json:"password" valid:"required"`
			TargetURL string `json:"targetURL"`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			Workflow string `json:"workflow"`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			WorkflowID string `json:"workflowID"`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			RequestMethod string `json:"requestMethod"`
			KeepMeLoggedIn *bool `json:"keepMeLoggedIn"`
			`// KeepMeLoggedIn: Cannot require this field because of https://github.com/asaskevich/govalidator/pull/329`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// TODO(c.michaud): add required validation once the above PR is merged.`
			`}`

fix: user is now redirected when authenticated (#2082) * fix(handlers,web): user is now redirected when authenticated Fix: #1788 * remove dead code and fix ci issues * fix infinite loop in frontend * fix issue with integration tests * handle bot recommendation * fix integration test & add dot to comment * fix last integration test * Update api/openapi.yml Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> * Update web/src/services/SafeRedirection.ts Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * Update web/src/services/SafeRedirection.ts Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * Update api/openapi.yml * Update openapi.yml * refactor: valid -> safe * refactor: adjust merge conflicts * Apply suggestions from code review Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> * fix: adjust test return messaging Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2021-08-02 06:15:38 +00:00			`// checkURIWithinDomainRequestBody represents the JSON body received by the endpoint checking if an URI is within`
			`// the configured domain.`
			`type checkURIWithinDomainRequestBody struct {`
			URI string `json:"uri"`
			`}`

			`type checkURIWithinDomainResponseBody struct {`
			OK bool `json:"ok"`
			`}`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// redirectResponse represent the response sent by the first factor endpoint`
			`// when a redirection URL has been provided.`
			`type redirectResponse struct {`
			Redirect string `json:"redirect"`
			`}`

			`// TOTPKeyResponse is the model of response that is sent to the client up successful identity verification.`
			`type TOTPKeyResponse struct {`
			Base32Secret string `json:"base32_secret"`
			OTPAuthURL string `json:"otpauth_url"`
			`}`

feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039. 2021-12-01 03:32:58 +00:00			`// DuoDeviceBody the selected Duo device and method.`
			`type DuoDeviceBody struct {`
			Device string `json:"device" valid:"required"`
			Method string `json:"method" valid:"required"`
			`}`

			`// DuoDevice represents Duo devices and methods.`
			`type DuoDevice struct {`
			Device string `json:"device"`
			DisplayName string `json:"display_name"`
			Capabilities []string `json:"capabilities"`
			`}`

			`// DuoDevicesResponse represents all available user devices and methods as well as an optional enrollment url.`
			`type DuoDevicesResponse struct {`
			Result string `json:"result" valid:"required"`
			Devices []DuoDevice `json:"devices,omitempty"`
			EnrollURL string `json:"enroll_url,omitempty"`
			`}`

			`// DuoSignResponse represents a result of the preauth and or auth call with further optional info.`
			`type DuoSignResponse struct {`
			Result string `json:"result" valid:"required"`
			Devices []DuoDevice `json:"devices,omitempty"`
			Redirect string `json:"redirect,omitempty"`
			EnrollURL string `json:"enroll_url,omitempty"`
			`}`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// StateResponse represents the response sent by the state endpoint.`
			`type StateResponse struct {`
			Username string `json:"username"`
			AuthenticationLevel authentication.Level `json:"authentication_level"`
			DefaultRedirectionURL string `json:"default_redirection_url"`
			`}`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// resetPasswordStep1RequestBody model of the reset password (step1) request body.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`type resetPasswordStep1RequestBody struct {`
			Username string `json:"username"`
			`}`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// resetPasswordStep2RequestBody model of the reset password (step2) request body.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`type resetPasswordStep2RequestBody struct {`
			Password string `json:"password"`
			`}`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`// PasswordPolicyBody represents the response sent by the password reset step 2.`
			`type PasswordPolicyBody struct {`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			Mode string `json:"mode"`
			MinLength int `json:"min_length"`
			MaxLength int `json:"max_length"`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			MinScore int `json:"min_score"`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			RequireUppercase bool `json:"require_uppercase"`
			RequireLowercase bool `json:"require_lowercase"`
			RequireNumber bool `json:"require_number"`
			RequireSpecial bool `json:"require_special"`
			`}`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00
			`type handlerAuthorizationConsent func(`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`ctx middlewares.AutheliaCtx, issuer url.URL, client oidc.Client,`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`userSession session.UserSession, subject uuid.UUID,`
			`rw http.ResponseWriter, r *http.Request,`
			`requester fosite.AuthorizeRequester) (consent *model.OAuth2ConsentSession, handled bool)`