RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/middlewares/authelia_context.go

612 lines
18 KiB
Go
Raw Normal View History

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
package middlewares
import (
"encoding/json"
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
"errors"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"fmt"
"net"
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
"net/url"
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
"path"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"strings"
"github.com/asaskevich/govalidator"
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
"github.com/sirupsen/logrus"
"github.com/valyala/fasthttp"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
fix(middlewares): smart delay on reset password (#2767) This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
2022-01-20 23:46:13 +00:00
"github.com/authelia/authelia/v4/internal/logging"
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
"github.com/authelia/authelia/v4/internal/model"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/session"
"github.com/authelia/authelia/v4/internal/utils"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
)
Display correct RemoteIP in logs.
2019-12-11 07:52:02 +00:00
// NewRequestLogger create a new request logger for the given request.
func NewRequestLogger(ctx *AutheliaCtx) *logrus.Entry {
fix(middlewares): smart delay on reset password (#2767) This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
2022-01-20 23:46:13 +00:00
return logging.Logger().WithFields(logrus.Fields{
Display correct RemoteIP in logs.
2019-12-11 07:52:02 +00:00
"method": string(ctx.Method()),
"path": string(ctx.Path()),
"remote_ip": ctx.RemoteIP().String(),
})
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
// NewAutheliaCtx instantiate an AutheliaCtx out of a RequestCtx.
refactor(middlewares): convert the bridge to a builder (#3338) This adjusts the bridge to be utilized as a builder in order to make it more reusable.
2022-06-10 01:34:43 +00:00
func NewAutheliaCtx(requestCTX *fasthttp.RequestCtx, configuration schema.Configuration, providers Providers) (ctx *AutheliaCtx) {
ctx = new(AutheliaCtx)
ctx.RequestCtx = requestCTX
ctx.Providers = providers
ctx.Configuration = configuration
ctx.Logger = NewRequestLogger(ctx)
ctx.Clock = utils.RealClock{}
return ctx
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
// AvailableSecondFactorMethods returns the available 2FA methods.
func (ctx *AutheliaCtx) AvailableSecondFactorMethods() (methods []string) {
methods = make([]string, 0, 3)
if !ctx.Configuration.TOTP.Disable {
methods = append(methods, model.SecondFactorMethodTOTP)
}
refactor: webauthn naming (#5243) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-14 16:04:42 +00:00
if !ctx.Configuration.WebAuthn.Disable {
docs: adjust references of webauthn (#5203) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-10 07:01:23 +00:00
methods = append(methods, model.SecondFactorMethodWebAuthn)
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
}
refactor(configuration): remove ptr for duoapi and notifier (#3200) This adds to the ongoing effort to remove all pointers to structs in the configuration without breaking backwards compatibility.
2022-04-15 23:34:26 +00:00
if !ctx.Configuration.DuoAPI.Disable {
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
methods = append(methods, model.SecondFactorMethodDuo)
}
return methods
}
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
// Error reply with an error and display the stack trace in the logs.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) Error(err error, message string) {
ctx.SetJSONError(message)
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Error(err)
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
}
// SetJSONError sets the body of the response to an JSON error KO message.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) SetJSONError(message string) {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
if replyErr := ctx.ReplyJSON(ErrorResponse{Status: "KO", Message: message}, 0); replyErr != nil {
ctx.Logger.Error(replyErr)
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyError reply with an error but does not display any stack trace in the logs.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyError(err error, message string) {
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
b, marshalErr := json.Marshal(ErrorResponse{Status: "KO", Message: message})
if marshalErr != nil {
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Error(marshalErr)
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
}
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
ctx.SetContentTypeApplicationJSON()
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.SetBody(b)
ctx.Logger.Debug(err)
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
}
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
// ReplyStatusCode resets a response and replies with the given status code and relevant message.
func (ctx *AutheliaCtx) ReplyStatusCode(statusCode int) {
ctx.Response.Reset()
ctx.SetStatusCode(statusCode)
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
ctx.SetContentTypeTextPlain()
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.SetBodyString(fmt.Sprintf("%d %s", statusCode, fasthttp.StatusMessage(statusCode)))
}
// ReplyJSON writes a JSON response.
refactor: any (#4133) * refactor: any * refactor: fix test
2022-10-05 05:05:23 +00:00
func (ctx *AutheliaCtx) ReplyJSON(data any, statusCode int) (err error) {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
var (
body []byte
)
if body, err = json.Marshal(data); err != nil {
return fmt.Errorf("unable to marshal JSON body: %w", err)
}
if statusCode > 0 {
ctx.SetStatusCode(statusCode)
}
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
ctx.SetContentTypeApplicationJSON()
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.SetBody(body)
return nil
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyUnauthorized response sent when user is unauthorized.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyUnauthorized() {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.ReplyStatusCode(fasthttp.StatusUnauthorized)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyForbidden response sent when access is forbidden to user.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyForbidden() {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.ReplyStatusCode(fasthttp.StatusForbidden)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
// ReplyBadRequest response sent when bad request has been sent.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyBadRequest() {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.ReplyStatusCode(fasthttp.StatusBadRequest)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// XForwardedMethod returns the content of the X-Forwarded-Method header.
func (ctx *AutheliaCtx) XForwardedMethod() (method []byte) {
return ctx.Request.Header.PeekBytes(headerXForwardedMethod)
}
// XForwardedProto returns the content of the X-Forwarded-Proto header.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) XForwardedProto() (proto []byte) {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
proto = ctx.Request.Header.PeekBytes(headerXForwardedProto)
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
if proto == nil {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if ctx.IsTLS() {
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
return protoHTTPS
}
return protoHTTP
}
return proto
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// XForwardedHost returns the content of the X-Forwarded-Host header.
func (ctx *AutheliaCtx) XForwardedHost() (host []byte) {
return ctx.Request.Header.PeekBytes(headerXForwardedHost)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// GetXForwardedHost returns the content of the X-Forwarded-Host header falling back to the Host header.
func (ctx *AutheliaCtx) GetXForwardedHost() (host []byte) {
host = ctx.XForwardedHost()
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
if host == nil {
return ctx.RequestCtx.Host()
}
return host
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
docs: header consistency (#5266)
2023-04-17 23:53:26 +00:00
// XForwardedURI returns the content of the X-Forwarded-URI header.
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
func (ctx *AutheliaCtx) XForwardedURI() (host []byte) {
return ctx.Request.Header.PeekBytes(headerXForwardedURI)
}
// GetXForwardedURI returns the content of the X-Forwarded-URI header, falling back to the start-line request path.
func (ctx *AutheliaCtx) GetXForwardedURI() (uri []byte) {
uri = ctx.XForwardedURI()
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
if len(uri) == 0 {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return ctx.RequestURI()
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
}
return uri
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// XOriginalMethod returns the content of the X-Original-Method header.
func (ctx *AutheliaCtx) XOriginalMethod() []byte {
return ctx.Request.Header.PeekBytes(headerXOriginalMethod)
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// XOriginalURL returns the content of the X-Original-URL header.
func (ctx *AutheliaCtx) XOriginalURL() []byte {
return ctx.Request.Header.PeekBytes(headerXOriginalURL)
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// XAutheliaURL returns the content of the X-Authelia-URL header which is used to communicate the location of the
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
// portal when using proxies like Envoy.
func (ctx *AutheliaCtx) XAutheliaURL() []byte {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return ctx.Request.Header.PeekBytes(headerXAutheliaURL)
feat: envoy support (#3793) Adds support for Envoy and Istio using the X-Authelia-URL header. The documentation will be published just before the release. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-10-01 11:47:09 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// QueryArgRedirect returns the content of the 'rd' query argument.
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
func (ctx *AutheliaCtx) QueryArgRedirect() []byte {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return ctx.QueryArgs().PeekBytes(qryArgRedirect)
}
// QueryArgAutheliaURL returns the content of the 'authelia_url' query argument.
func (ctx *AutheliaCtx) QueryArgAutheliaURL() []byte {
return ctx.QueryArgs().PeekBytes(qryArgAutheliaURL)
}
// AuthzPath returns the 'authz_path' value.
func (ctx *AutheliaCtx) AuthzPath() (uri []byte) {
if uv := ctx.UserValueBytes(keyUserValueAuthzPath); uv != nil {
return []byte(uv.(string))
}
return nil
feat: envoy support (#3793) Adds support for Envoy and Istio using the X-Authelia-URL header. The documentation will be published just before the release. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-10-01 11:47:09 +00:00
}
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
// BasePath returns the base_url as per the path visited by the client.
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
func (ctx *AutheliaCtx) BasePath() string {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if baseURL := ctx.UserValueBytes(keyUserValueBaseURL); baseURL != nil {
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
return baseURL.(string)
}
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
return ""
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
// BasePathSlash is the same as BasePath but returns a final slash as well.
func (ctx *AutheliaCtx) BasePathSlash() string {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if baseURL := ctx.UserValueBytes(keyUserValueBaseURL); baseURL != nil {
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
return baseURL.(string) + strSlash
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
}
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
return strSlash
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
// RootURL returns the Root URL.
func (ctx *AutheliaCtx) RootURL() (issuerURL *url.URL) {
return &url.URL{
Scheme: string(ctx.XForwardedProto()),
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
Host: string(ctx.GetXForwardedHost()),
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
Path: ctx.BasePath(),
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
}
}
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
// RootURLSlash is the same as RootURL but includes a final slash as well.
func (ctx *AutheliaCtx) RootURLSlash() (issuerURL *url.URL) {
return &url.URL{
Scheme: string(ctx.XForwardedProto()),
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
Host: string(ctx.GetXForwardedHost()),
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
Path: ctx.BasePathSlash(),
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
// GetTargetURICookieDomain returns the session provider for the targetURI domain.
func (ctx *AutheliaCtx) GetTargetURICookieDomain(targetURI *url.URL) string {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if targetURI == nil {
return ""
}
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
hostname := targetURI.Hostname()
for _, domain := range ctx.Configuration.Session.Cookies {
if utils.HasDomainSuffix(hostname, domain.Domain) {
return domain.Domain
}
}
return ""
}
// IsSafeRedirectionTargetURI returns true if the targetURI is within the scope of a cookie domain and secure.
func (ctx *AutheliaCtx) IsSafeRedirectionTargetURI(targetURI *url.URL) bool {
if !utils.IsURISecure(targetURI) {
return false
}
return ctx.GetTargetURICookieDomain(targetURI) != ""
}
// GetCookieDomain returns the cookie domain for the current request.
func (ctx *AutheliaCtx) GetCookieDomain() (domain string, err error) {
var targetURI *url.URL
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if targetURI, err = ctx.GetXOriginalURLOrXForwardedURL(); err != nil {
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
return "", fmt.Errorf("unable to retrieve cookie domain: %s", err)
}
return ctx.GetTargetURICookieDomain(targetURI), nil
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// GetSessionProviderByTargetURL returns the session provider for the Request's domain.
func (ctx *AutheliaCtx) GetSessionProviderByTargetURL(targetURL *url.URL) (provider *session.Session, err error) {
domain := ctx.GetTargetURICookieDomain(targetURL)
if domain == "" {
return nil, fmt.Errorf("unable to retrieve domain session: %w", err)
}
return ctx.Providers.SessionProvider.Get(domain)
}
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
// GetSessionProvider returns the session provider for the Request's domain.
func (ctx *AutheliaCtx) GetSessionProvider() (provider *session.Session, err error) {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if ctx.session == nil {
var domain string
if domain, err = ctx.GetCookieDomain(); err != nil {
return nil, err
}
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if ctx.session, err = ctx.GetCookieDomainSessionProvider(domain); err != nil {
return nil, err
}
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return ctx.session, nil
}
// GetCookieDomainSessionProvider returns the session provider for the provided domain.
func (ctx *AutheliaCtx) GetCookieDomainSessionProvider(domain string) (provider *session.Session, err error) {
if domain == "" {
return nil, fmt.Errorf("unable to retrieve domain session: %w", err)
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return ctx.Providers.SessionProvider.Get(domain)
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// GetSession returns the user session provided the cookie provider could be discovered. It is recommended to get the
// provider itself if you also need to update or destroy sessions.
func (ctx *AutheliaCtx) GetSession() (userSession session.UserSession, err error) {
var provider *session.Session
if provider, err = ctx.GetSessionProvider(); err != nil {
return userSession, err
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if userSession, err = provider.GetSession(ctx.RequestCtx); err != nil {
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Error("Unable to retrieve user session")
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return provider.NewDefaultUserSession(), nil
Disable inactivity timeout when user checked remember me. Instead of checking the value of the cookie expiration we rely on the boolean stored in the user session to check whether inactivity timeout should be disabled.
2020-01-17 22:48:48 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if userSession.CookieDomain != provider.Config.Domain {
ctx.Logger.Warnf("Destroying session cookie as the cookie domain '%s' does not match the requests detected cookie domain '%s' which may be a sign a user tried to move this cookie from one domain to another", userSession.CookieDomain, provider.Config.Domain)
if err = provider.DestroySession(ctx.RequestCtx); err != nil {
ctx.Logger.WithError(err).Error("Error occurred trying to destroy the session cookie")
}
userSession = provider.NewDefaultUserSession()
if err = provider.SaveSession(ctx.RequestCtx, userSession); err != nil {
ctx.Logger.WithError(err).Error("Error occurred trying to save the new session cookie")
}
}
return userSession, nil
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// SaveSession saves the content of the session.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) SaveSession(userSession session.UserSession) error {
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
provider, err := ctx.GetSessionProvider()
if err != nil {
return fmt.Errorf("unable to save user session: %s", err)
}
return provider.SaveSession(ctx.RequestCtx, userSession)
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// RegenerateSession regenerates a user session.
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
func (ctx *AutheliaCtx) RegenerateSession() error {
provider, err := ctx.GetSessionProvider()
if err != nil {
return fmt.Errorf("unable to regenerate user session: %s", err)
}
return provider.RegenerateSession(ctx.RequestCtx)
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// DestroySession destroys a user session.
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 10:57:44 +00:00
func (ctx *AutheliaCtx) DestroySession() error {
provider, err := ctx.GetSessionProvider()
if err != nil {
return fmt.Errorf("unable to destroy user session: %s", err)
}
return provider.DestroySession(ctx.RequestCtx)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyOK is a helper method to reply ok.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyOK() {
refactor(server): simplify templating and url derivation (#4547) This refactors a few areas of the server templating and related functions.
2022-12-17 00:49:05 +00:00
ctx.SetContentTypeApplicationJSON()
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.SetBody(okMessageBytes)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ParseBody parse the request body into the type of value.
refactor: any (#4133) * refactor: any * refactor: fix test
2022-10-05 05:05:23 +00:00
func (ctx *AutheliaCtx) ParseBody(value any) error {
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
err := json.Unmarshal(ctx.PostBody(), &value)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
if err != nil {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
return fmt.Errorf("unable to parse body: %w", err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
valid, err := govalidator.ValidateStruct(value)
if err != nil {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
return fmt.Errorf("unable to validate body: %w", err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
if !valid {
return fmt.Errorf("Body is not valid")
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return nil
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// SetContentTypeApplicationJSON sets the Content-Type header to 'application/json; charset=utf-8'.
func (ctx *AutheliaCtx) SetContentTypeApplicationJSON() {
ctx.SetContentTypeBytes(contentTypeApplicationJSON)
}
// SetContentTypeTextPlain efficiently sets the Content-Type header to 'text/plain; charset=utf-8'.
func (ctx *AutheliaCtx) SetContentTypeTextPlain() {
ctx.SetContentTypeBytes(contentTypeTextPlain)
}
// SetContentTypeTextHTML efficiently sets the Content-Type header to 'text/html; charset=utf-8'.
func (ctx *AutheliaCtx) SetContentTypeTextHTML() {
ctx.SetContentTypeBytes(contentTypeTextHTML)
}
// SetContentTypeApplicationYAML efficiently sets the Content-Type header to 'application/yaml; charset=utf-8'.
func (ctx *AutheliaCtx) SetContentTypeApplicationYAML() {
ctx.SetContentTypeBytes(contentTypeApplicationYAML)
}
// SetContentSecurityPolicy sets the Content-Security-Policy header.
func (ctx *AutheliaCtx) SetContentSecurityPolicy(value string) {
ctx.Response.Header.SetBytesK(headerContentSecurityPolicy, value)
}
// SetContentSecurityPolicyBytes sets the Content-Security-Policy header.
func (ctx *AutheliaCtx) SetContentSecurityPolicyBytes(value []byte) {
ctx.Response.Header.SetBytesKV(headerContentSecurityPolicy, value)
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// SetJSONBody Set json body.
refactor: any (#4133) * refactor: any * refactor: fix test
2022-10-05 05:05:23 +00:00
func (ctx *AutheliaCtx) SetJSONBody(value any) error {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
return ctx.ReplyJSON(OKResponse{Status: "OK", Data: value}, 0)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
// RemoteIP return the remote IP taking X-Forwarded-For header into account if provided.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) RemoteIP() net.IP {
fix(middlewares): failure to detect remote ip (#5339) This fixes an edge case where the RemoteIP detection could safely fail with an error, and instead defaults to the TCP packet information. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-30 00:52:45 +00:00
if header := ctx.Request.Header.PeekBytes(headerXForwardedFor); len(header) != 0 {
ips := strings.SplitN(string(header), ",", 2)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
fix(middlewares): failure to detect remote ip (#5339) This fixes an edge case where the RemoteIP detection could safely fail with an error, and instead defaults to the TCP packet information. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-30 00:52:45 +00:00
if len(ips) != 0 {
if ip := net.ParseIP(strings.Trim(ips[0], " ")); ip != nil {
return ip
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
return ctx.RequestCtx.RemoteIP()
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// GetXForwardedURL returns the parsed X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-URI request header as a
// *url.URL.
func (ctx *AutheliaCtx) GetXForwardedURL() (requestURI *url.URL, err error) {
forwardedProto, forwardedHost, forwardedURI := ctx.XForwardedProto(), ctx.GetXForwardedHost(), ctx.GetXForwardedURI()
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if forwardedProto == nil {
return nil, ErrMissingXForwardedProto
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if forwardedHost == nil {
return nil, ErrMissingXForwardedHost
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
value := utils.BytesJoin(forwardedProto, protoHostSeparator, forwardedHost, forwardedURI)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if requestURI, err = url.ParseRequestURI(string(value)); err != nil {
return nil, fmt.Errorf("failed to parse X-Forwarded Headers: %w", err)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return requestURI, nil
}
// GetXOriginalURL returns the parsed X-OriginalURL request header as a *url.URL.
func (ctx *AutheliaCtx) GetXOriginalURL() (requestURI *url.URL, err error) {
value := ctx.XOriginalURL()
if value == nil {
return nil, ErrMissingXOriginalURL
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if requestURI, err = url.ParseRequestURI(string(value)); err != nil {
return nil, fmt.Errorf("failed to parse X-Original-URL header: %w", err)
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return requestURI, nil
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// GetXOriginalURLOrXForwardedURL returns the parsed X-Original-URL request header if it's available or the parsed
// X-Forwarded request headers if not.
func (ctx *AutheliaCtx) GetXOriginalURLOrXForwardedURL() (requestURI *url.URL, err error) {
requestURI, err = ctx.GetXOriginalURL()
switch {
case err == nil:
return requestURI, nil
case errors.Is(err, ErrMissingXOriginalURL):
return ctx.GetXForwardedURL()
default:
return requestURI, err
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// IssuerURL returns the expected Issuer.
func (ctx *AutheliaCtx) IssuerURL() (issuerURL *url.URL, err error) {
issuerURL = &url.URL{
Scheme: strProtoHTTPS,
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if scheme := ctx.XForwardedProto(); scheme != nil {
issuerURL.Scheme = string(scheme)
}
if host := ctx.GetXForwardedHost(); len(host) != 0 {
issuerURL.Host = string(host)
} else {
return nil, ErrMissingXForwardedHost
}
if base := ctx.BasePath(); base != "" {
issuerURL.Path = path.Join(issuerURL.Path, base)
}
return issuerURL, nil
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
// IsXHR returns true if the request is a XMLHttpRequest.
refactor: clean up uri checking functions (#3943)
2022-09-03 01:51:02 +00:00
func (ctx *AutheliaCtx) IsXHR() (xhr bool) {
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
if requestedWith := ctx.Request.Header.PeekBytes(headerXRequestedWith); requestedWith != nil && strings.EqualFold(string(requestedWith), headerValueXRequestedWithXHR) {
return true
}
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
return false
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
}
// AcceptsMIME takes a mime type and returns true if the request accepts that type or the wildcard type.
refactor: clean up uri checking functions (#3943)
2022-09-03 01:51:02 +00:00
func (ctx *AutheliaCtx) AcceptsMIME(mime string) (acceptsMime bool) {
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
accepts := strings.Split(string(ctx.Request.Header.PeekBytes(headerAccept)), ",")
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
for i, accept := range accepts {
mimeType := strings.Trim(strings.SplitN(accept, ";", 2)[0], " ")
if mimeType == mime || (i == 0 && mimeType == "*/*") {
return true
}
}
return false
}
// SpecialRedirect performs a redirect similar to fasthttp.RequestCtx except it allows statusCode 401 and includes body
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
// content in the form of a link to the location if the request method was not head.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) SpecialRedirect(uri string, statusCode int) {
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
var u []byte
u, statusCode = ctx.setSpecialRedirect(uri, statusCode)
ctx.SetContentTypeTextHTML()
ctx.SetBodyString(fmt.Sprintf("<a href=\"%s\">%d %s</a>", utils.StringHTMLEscape(string(u)), statusCode, fasthttp.StatusMessage(statusCode)))
}
// SpecialRedirectNoBody performs a redirect similar to fasthttp.RequestCtx except it allows statusCode 401 and includes
// no body.
func (ctx *AutheliaCtx) SpecialRedirectNoBody(uri string, statusCode int) {
_, _ = ctx.setSpecialRedirect(uri, statusCode)
}
func (ctx *AutheliaCtx) setSpecialRedirect(uri string, statusCode int) ([]byte, int) {
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
if statusCode < fasthttp.StatusMovedPermanently || (statusCode > fasthttp.StatusSeeOther && statusCode != fasthttp.StatusTemporaryRedirect && statusCode != fasthttp.StatusPermanentRedirect && statusCode != fasthttp.StatusUnauthorized) {
statusCode = fasthttp.StatusFound
}
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.SetStatusCode(statusCode)
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
u := fasthttp.AcquireURI()
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.URI().CopyTo(u)
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
u.Update(uri)
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
raw := u.FullURI()
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
ctx.Response.Header.SetBytesKV(headerLocation, raw)
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
fasthttp.ReleaseURI(u)
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
return raw, statusCode
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
}
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus.
2022-06-14 07:20:13 +00:00
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
// RecordAuthn records authentication metrics.
func (ctx *AutheliaCtx) RecordAuthn(success, regulated bool, method string) {
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus.
2022-06-14 07:20:13 +00:00
if ctx.Providers.Metrics == nil {
return
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
ctx.Providers.Metrics.RecordAuthn(success, regulated, method)
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
}