authelia/SECURITY.md

# Security Policy

## Prologue

Authelia takes security very seriously. We follow the rule of 
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as
well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.

If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via 
[Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options) 
below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.

For more information about [security](https://www.authelia.com/docs/security/) related matters, please read 
[the documentation](https://www.authelia.com/docs/security/).

## Contact Options

### Matrix

Join the [Matrix Space](https://app.element.io/#/room/!qcxpPdXBiGBSTbFAJE:matrix.org?via=matrix.org) which
includes both the [Support Room](https://riot.im/app/#/room/#authelia:matrix.org) and the
[Contributing Room](https://riot.im/app/#/room/#authelia-contributing:matrix.org). You can check the members list for
one of the core team members who are identified as administrators in the rooms and space, alternatively you can just ask
for one of the core team members in one of the rooms. Once you've made contact with a core team member we ask you
privately message them to divulge the vulnerability.

### Discord

Join the [Discord Server](https://discord.authelia.com) and message the
[#support](https://discord.com/channels/707844280412012608/707844280412012612) or 
[#contributing](https://discord.com/channels/707844280412012608/804943261265297408) channels which link to 
[Matrix](#matrix) and contact a core team member. Once you've made contact with a core team member we ask you privately
message them to divulge the vulnerability.

### Email

You can contact any of the core team members for security vulnerability related issues by emailing
[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability
disclosure related matters. If you need to contact us for any other reason please use 
[team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).

## Credit

Users who report bugs will optionally be creditted for the discovery. Both in the
[security advisory](https://github.com/authelia/authelia/security/advisories) and in our all contributors configuration.

## Process

1. User privately reports a potential vulnerability.
2. The core team reviews the report and ascertain if additional information is required.
3. The core team reproduces the bug.
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
5. The fix is confirmed to resolve the vulnerability.
6. The fix is released.
7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published sometime after users 
   have had a chance to update.

## Help Wanted

We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits 
related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro
bono, or funding towards services like these please feel free to contact us on *any* of the methods above.
docs: add matrix space information and update readme (#2061) * docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme 2021-06-06 05:53:28 +00:00			`# Security Policy`

			`## Prologue`
[DOCS] Add SECURITY.md and update README.md. (#906) * Add SECURITY.md and update README.md. * Align README.md and SECURITY.md with the security documentation. 2020-04-24 00:29:30 +00:00
docs: refactor and update security (#1944) Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it. 2021-06-01 04:11:33 +00:00			`Authelia takes security very seriously. We follow the rule of`
			`[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as`
			`well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.`
[DOCS] Add SECURITY.md and update README.md. (#906) * Add SECURITY.md and update README.md. * Align README.md and SECURITY.md with the security documentation. 2020-04-24 00:29:30 +00:00
docs: refactor and update security (#1944) Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it. 2021-06-01 04:11:33 +00:00			`If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via`
			`[Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options)`
			`below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.`
[DOCS] Add SECURITY.md and update README.md. (#906) * Add SECURITY.md and update README.md. * Align README.md and SECURITY.md with the security documentation. 2020-04-24 00:29:30 +00:00
docs: refactor and update security (#1944) Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it. 2021-06-01 04:11:33 +00:00			`For more information about [security](https://www.authelia.com/docs/security/) related matters, please read`
			`[the documentation](https://www.authelia.com/docs/security/).`
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-04 19:39:25 +00:00
			`## Contact Options`

			`### Matrix`

docs: add matrix space information and update readme (#2061) * docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme 2021-06-06 05:53:28 +00:00			`Join the [Matrix Space](https://app.element.io/#/room/!qcxpPdXBiGBSTbFAJE:matrix.org?via=matrix.org) which`
			`includes both the [Support Room](https://riot.im/app/#/room/#authelia:matrix.org) and the`
			`[Contributing Room](https://riot.im/app/#/room/#authelia-contributing:matrix.org). You can check the members list for`
			`one of the core team members who are identified as administrators in the rooms and space, alternatively you can just ask`
			`for one of the core team members in one of the rooms. Once you've made contact with a core team member we ask you`
			`privately message them to divulge the vulnerability.`
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-04 19:39:25 +00:00
docs: update contribution guidelines (#1666) * docs: update contribution guidelines * add release commit message type * update none/empty scope definition * add go mod tidy post update option 2021-01-30 08:29:07 +00:00			`### Discord`

			`Join the [Discord Server](https://discord.authelia.com) and message the`
docs: add matrix space information and update readme (#2061) * docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme 2021-06-06 05:53:28 +00:00			`[#support](https://discord.com/channels/707844280412012608/707844280412012612) or`
			`[#contributing](https://discord.com/channels/707844280412012608/804943261265297408) channels which link to`
			`[Matrix](#matrix) and contact a core team member. Once you've made contact with a core team member we ask you privately`
			`message them to divulge the vulnerability.`
docs: update contribution guidelines (#1666) * docs: update contribution guidelines * add release commit message type * update none/empty scope definition * add go mod tidy post update option 2021-01-30 08:29:07 +00:00
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-04 19:39:25 +00:00			`### Email`

docs: add matrix space information and update readme (#2061) * docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme 2021-06-06 05:53:28 +00:00			`You can contact any of the core team members for security vulnerability related issues by emailing`
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-04 19:39:25 +00:00			`[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability`
docs: refactor and update security (#1944) Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it. 2021-06-01 04:11:33 +00:00			`disclosure related matters. If you need to contact us for any other reason please use`
			`[team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).`

			`## Credit`

			`Users who report bugs will optionally be creditted for the discovery. Both in the`
			`[security advisory](https://github.com/authelia/authelia/security/advisories) and in our all contributors configuration.`

			`## Process`

			`1. User privately reports a potential vulnerability.`
docs: add matrix space information and update readme (#2061) * docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme 2021-06-06 05:53:28 +00:00			`2. The core team reviews the report and ascertain if additional information is required.`
			`3. The core team reproduces the bug.`
docs: refactor and update security (#1944) Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it. 2021-06-01 04:11:33 +00:00			`4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.`
			`5. The fix is confirmed to resolve the vulnerability.`
			`6. The fix is released.`
			`7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published sometime after users`
docs: add matrix space information and update readme (#2061) * docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme 2021-06-06 05:53:28 +00:00			`have had a chance to update.`

			`## Help Wanted`

			`We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits`
			`related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro`
			`bono, or funding towards services like these please feel free to contact us on any of the methods above.`