authelia/internal/handlers/handler_firstfactor.go

package handlers

import (
	"fmt"
	"net/url"
	"time"

	"github.com/authelia/authelia/internal/authentication"
	"github.com/authelia/authelia/internal/authorization"
	"github.com/authelia/authelia/internal/middlewares"
	"github.com/authelia/authelia/internal/regulation"
	"github.com/authelia/authelia/internal/session"
	"github.com/authelia/authelia/internal/utils"
)

// FirstFactorPost is the handler performing the first factory.
func FirstFactorPost(ctx *middlewares.AutheliaCtx) {
	bodyJSON := firstFactorRequestBody{}
	err := ctx.ParseBody(&bodyJSON)

	if err != nil {
		ctx.Error(err, authenticationFailedMessage)
		return
	}

	bannedUntil, err := ctx.Providers.Regulator.Regulate(bodyJSON.Username)

	if err != nil {
		if err == regulation.ErrUserIsBanned {
			ctx.Error(fmt.Errorf("User %s is banned until %s", bodyJSON.Username, bannedUntil), userBannedMessage)
			return
		}
		ctx.Error(fmt.Errorf("Unable to regulate authentication: %s", err), authenticationFailedMessage)
		return
	}

	userPasswordOk, err := ctx.Providers.UserProvider.CheckUserPassword(bodyJSON.Username, bodyJSON.Password)

	if err != nil {
		ctx.Logger.Debugf("Mark authentication attempt made by user %s", bodyJSON.Username)
		ctx.Providers.Regulator.Mark(bodyJSON.Username, false)

		ctx.Error(fmt.Errorf("Error while checking password for user %s: %s", bodyJSON.Username, err.Error()), authenticationFailedMessage)
		return
	}

	if !userPasswordOk {
		ctx.Logger.Debugf("Mark authentication attempt made by user %s", bodyJSON.Username)
		ctx.Providers.Regulator.Mark(bodyJSON.Username, false)

		ctx.ReplyError(fmt.Errorf("Credentials are wrong for user %s", bodyJSON.Username), authenticationFailedMessage)
		return
	}

	ctx.Logger.Debugf("Credentials validation of user %s is ok", bodyJSON.Username)

	ctx.Logger.Debugf("Mark authentication attempt made by user %s", bodyJSON.Username)
	err = ctx.Providers.Regulator.Mark(bodyJSON.Username, true)

	if err != nil {
		ctx.Error(fmt.Errorf("Unable to mark authentication: %s", err), authenticationFailedMessage)
		return
	}

	// Reset all values from previous session before regenerating the cookie.
	err = ctx.SaveSession(session.NewDefaultUserSession())

	if err != nil {
		ctx.Error(fmt.Errorf("Unable to reset the session for user %s: %s", bodyJSON.Username, err), authenticationFailedMessage)
		return
	}

	err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx)

	if err != nil {
		ctx.Error(fmt.Errorf("Unable to regenerate session for user %s: %s", bodyJSON.Username, err), authenticationFailedMessage)
		return
	}

	// set the cookie to expire in 1 year if "Remember me" was ticked.
	if *bodyJSON.KeepMeLoggedIn {
		err = ctx.Providers.SessionProvider.UpdateExpiration(ctx.RequestCtx, time.Duration(31556952*time.Second))
		if err != nil {
			ctx.Error(fmt.Errorf("Unable to update expiration timer for user %s: %s", bodyJSON.Username, err), authenticationFailedMessage)
			return
		}
	}

	// Get the details of the given user from the user provider.
	userDetails, err := ctx.Providers.UserProvider.GetDetails(bodyJSON.Username)

	if err != nil {
		ctx.Error(fmt.Errorf("Error while retrieving details from user %s: %s", bodyJSON.Username, err.Error()), authenticationFailedMessage)
		return
	}

	ctx.Logger.Tracef("Details for user %s => groups: %s, emails %s", bodyJSON.Username, userDetails.Groups, userDetails.Emails)

	// And set those information in the new session.
	userSession := ctx.GetSession()
	userSession.Username = bodyJSON.Username
	userSession.Groups = userDetails.Groups
	userSession.Emails = userDetails.Emails
	userSession.AuthenticationLevel = authentication.OneFactor
	userSession.LastActivity = time.Now().Unix()
	userSession.KeepMeLoggedIn = *bodyJSON.KeepMeLoggedIn
	err = ctx.SaveSession(userSession)

	if err != nil {
		ctx.Error(fmt.Errorf("Unable to save session of user %s", bodyJSON.Username), authenticationFailedMessage)
		return
	}

	if bodyJSON.TargetURL != "" {
		targetURL, err := url.ParseRequestURI(bodyJSON.TargetURL)
		if err != nil {
			ctx.Error(fmt.Errorf("Unable to parse target URL %s: %s", bodyJSON.TargetURL, err), authenticationFailedMessage)
			return
		}
		requiredLevel := ctx.Providers.Authorizer.GetRequiredLevel(authorization.Subject{
			Username: userSession.Username,
			Groups:   userSession.Groups,
			IP:       ctx.RemoteIP(),
		}, *targetURL)

		ctx.Logger.Debugf("Required level for the URL %s is %d", targetURL.String(), requiredLevel)

		safeRedirection := utils.IsRedirectionSafe(*targetURL, ctx.Configuration.Session.Domain)

		if safeRedirection && requiredLevel <= authorization.OneFactor {
			ctx.Logger.Debugf("Redirection is safe, redirecting...")
			response := redirectResponse{bodyJSON.TargetURL}
			ctx.SetJSONBody(response)
		} else {
			ctx.ReplyOK()
		}
	} else {
		ctx.ReplyOK()
	}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package handlers`

			`import (`
			`"fmt"`
			`"net/url"`
			`"time"`

Rename org from clems4ever to authelia Also fix references from config.yml to configuration.yml 2019-12-24 02:14:52 +00:00			`"github.com/authelia/authelia/internal/authentication"`
			`"github.com/authelia/authelia/internal/authorization"`
			`"github.com/authelia/authelia/internal/middlewares"`
			`"github.com/authelia/authelia/internal/regulation"`
			`"github.com/authelia/authelia/internal/session"`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`"github.com/authelia/authelia/internal/utils"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

			`// FirstFactorPost is the handler performing the first factory.`
			`func FirstFactorPost(ctx *middlewares.AutheliaCtx) {`
			`bodyJSON := firstFactorRequestBody{}`
			`err := ctx.ParseBody(&bodyJSON)`

			`if err != nil {`
			`ctx.Error(err, authenticationFailedMessage)`
			`return`
			`}`

			`bannedUntil, err := ctx.Providers.Regulator.Regulate(bodyJSON.Username)`

Fix and parallelize integration tests. 2019-11-30 16:49:52 +00:00			`if err != nil {`
			`if err == regulation.ErrUserIsBanned {`
			`ctx.Error(fmt.Errorf("User %s is banned until %s", bodyJSON.Username, bannedUntil), userBannedMessage)`
			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`ctx.Error(fmt.Errorf("Unable to regulate authentication: %s", err), authenticationFailedMessage)`
			`return`
			`}`

			`userPasswordOk, err := ctx.Providers.UserProvider.CheckUserPassword(bodyJSON.Username, bodyJSON.Password)`

			`if err != nil {`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`ctx.Logger.Debugf("Mark authentication attempt made by user %s", bodyJSON.Username)`
			`ctx.Providers.Regulator.Mark(bodyJSON.Username, false)`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`ctx.Error(fmt.Errorf("Error while checking password for user %s: %s", bodyJSON.Username, err.Error()), authenticationFailedMessage)`
			`return`
			`}`

			`if !userPasswordOk {`
Fix and parallelize integration tests. 2019-11-30 16:49:52 +00:00			`ctx.Logger.Debugf("Mark authentication attempt made by user %s", bodyJSON.Username)`
			`ctx.Providers.Regulator.Mark(bodyJSON.Username, false)`

Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`ctx.ReplyError(fmt.Errorf("Credentials are wrong for user %s", bodyJSON.Username), authenticationFailedMessage)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`return`
			`}`

			`ctx.Logger.Debugf("Credentials validation of user %s is ok", bodyJSON.Username)`

Fix unit tests. 2019-11-30 14:33:45 +00:00			`ctx.Logger.Debugf("Mark authentication attempt made by user %s", bodyJSON.Username)`
			`err = ctx.Providers.Regulator.Mark(bodyJSON.Username, true)`

			`if err != nil {`
			`ctx.Error(fmt.Errorf("Unable to mark authentication: %s", err), authenticationFailedMessage)`
			`return`
			`}`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// Reset all values from previous session before regenerating the cookie.`
			`err = ctx.SaveSession(session.NewDefaultUserSession())`

			`if err != nil {`
			`ctx.Error(fmt.Errorf("Unable to reset the session for user %s: %s", bodyJSON.Username, err), authenticationFailedMessage)`
			`return`
			`}`

			`err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx)`

			`if err != nil {`
			`ctx.Error(fmt.Errorf("Unable to regenerate session for user %s: %s", bodyJSON.Username, err), authenticationFailedMessage)`
			`return`
			`}`

Fixes Remember Me functionality - Adjust the remember me duration to 1 year - Fixes #552 2020-01-17 02:36:18 +00:00			`// set the cookie to expire in 1 year if "Remember me" was ticked.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`if *bodyJSON.KeepMeLoggedIn {`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`err = ctx.Providers.SessionProvider.UpdateExpiration(ctx.RequestCtx, time.Duration(31556952*time.Second))`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`if err != nil {`
			`ctx.Error(fmt.Errorf("Unable to update expiration timer for user %s: %s", bodyJSON.Username, err), authenticationFailedMessage)`
			`return`
			`}`
			`}`

			`// Get the details of the given user from the user provider.`
			`userDetails, err := ctx.Providers.UserProvider.GetDetails(bodyJSON.Username)`

			`if err != nil {`
			`ctx.Error(fmt.Errorf("Error while retrieving details from user %s: %s", bodyJSON.Username, err.Error()), authenticationFailedMessage)`
			`return`
			`}`

Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`ctx.Logger.Tracef("Details for user %s => groups: %s, emails %s", bodyJSON.Username, userDetails.Groups, userDetails.Emails)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
			`// And set those information in the new session.`
			`userSession := ctx.GetSession()`
			`userSession.Username = bodyJSON.Username`
			`userSession.Groups = userDetails.Groups`
			`userSession.Emails = userDetails.Emails`
			`userSession.AuthenticationLevel = authentication.OneFactor`
			`userSession.LastActivity = time.Now().Unix()`
Disable inactivity timeout when user checked remember me. Instead of checking the value of the cookie expiration we rely on the boolean stored in the user session to check whether inactivity timeout should be disabled. 2020-01-17 22:48:48 +00:00			`userSession.KeepMeLoggedIn = *bodyJSON.KeepMeLoggedIn`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`err = ctx.SaveSession(userSession)`

			`if err != nil {`
			`ctx.Error(fmt.Errorf("Unable to save session of user %s", bodyJSON.Username), authenticationFailedMessage)`
			`return`
			`}`

			`if bodyJSON.TargetURL != "" {`
			`targetURL, err := url.ParseRequestURI(bodyJSON.TargetURL)`
			`if err != nil {`
			`ctx.Error(fmt.Errorf("Unable to parse target URL %s: %s", bodyJSON.TargetURL, err), authenticationFailedMessage)`
			`return`
			`}`
			`requiredLevel := ctx.Providers.Authorizer.GetRequiredLevel(authorization.Subject{`
			`Username: userSession.Username,`
			`Groups: userSession.Groups,`
			`IP: ctx.RemoteIP(),`
			`}, *targetURL)`

			`ctx.Logger.Debugf("Required level for the URL %s is %d", targetURL.String(), requiredLevel)`

[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`safeRedirection := utils.IsRedirectionSafe(*targetURL, ctx.Configuration.Session.Domain)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
			`if safeRedirection && requiredLevel <= authorization.OneFactor {`
Rewrite authelia frontend to improve user experience. This refactoring simplify the code of the frontend and prepare the portal for receiving a user settings page and an admin page. 2019-11-18 23:37:36 +00:00			`ctx.Logger.Debugf("Redirection is safe, redirecting...")`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`response := redirectResponse{bodyJSON.TargetURL}`
			`ctx.SetJSONBody(response)`
			`} else {`
			`ctx.ReplyOK()`
			`}`
			`} else {`
			`ctx.ReplyOK()`
			`}`
			`}`