Merge remote-tracking branch 'origin/master' into feat-settings-ui

# Conflicts:
#	web/package.json
#	web/pnpm-lock.yaml

api/openapi.yml

@@ -155,7 +155,7 @@ paths:
           example: '{{ $.Domain | default "example.com" }}'
           schema:
             type: string
-        - name: X-Forwarded-Uri
+        - name: X-Forwarded-URI
           in: header
           description: Redirection URL (URI)
           required: false
@@ -1540,7 +1540,7 @@ components:
       schema:
         type: string
     forwardedURIParam:
-      name: X-Forwarded-Uri
+      name: X-Forwarded-URI
       in: header
       description: Redirection URL (URI)
       required: true

docs/content/en/integration/proxies/caddy.md

@@ -230,7 +230,7 @@ nextcloud.example.com {
                 rewrite "/api/authz/forward-auth?authelia_url=https://auth.example.com/"
 
                 header_up X-Forwarded-Method {method}
-                header_up X-Forwarded-Uri {uri}
+                header_up X-Forwarded-URI {uri}
 
                 ## If the auth request:
                 ##   1. Responds with a status code IN the 200-299 range.

docs/content/en/integration/proxies/introduction.md

@@ -28,6 +28,29 @@ bootstrapping *Authelia*.
 
 See [support](support.md) for support information.
 
+### Required Headers
+
+__Authelia__ itself requires the following headers are set when secured behind a reverse proxy:
+
+* Scheme Detection:
+  * Default: [X-Forwarded-Proto] (header)
+  * Fallback: TLS (listening socket state)
+* Host Detection:
+  * Default: [X-Forwarded-Host] (header)
+  * Fallback: [Host] (header)
+* Path Detection:
+  * Default: X-Forwarded-URI (header)
+  * Fallback: [Start Line] Request Target (start line)
+* Remote IP:
+  * Default: [X-Forwarded-For]
+  * Fallback: TCP source IP
+
+[Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
+[Start Line]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages#start_line
+[X-Forwarded-For]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
+[X-Forwarded-Proto]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
+[X-Forwarded-Host]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
+
 ## Integration Implementation
 
 Authelia is capable of being integrated into many proxies due to the decisions regarding the implementation. We handle
@@ -41,12 +64,14 @@ your reverse proxy. The headers we rely on at the authz endpoints are as follows
 
 * [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
 * [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
-* X-Forwarded-Uri
+* X-Forwarded-URI
 * [X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
 * X-Forwarded-Method / X-Original-Method
 * X-Original-URL
 
-The specifics however are dictated by the specific [Authorization Implementation](../../reference/guides/proxy-authorization.md) used.
+The specifics however are dictated by the specific
+[Authorization Implementation](../../reference/guides/proxy-authorization.md) used. Please refer to the specific
+implementation you're using.
 
 ### User Identification
 

docs/content/en/integration/proxies/nginx.md

@@ -350,7 +350,7 @@ use cases.
 
 The following is an example `proxy.conf`. The important directives include the `real_ip` directives which you should read
 [Trusted Proxies](#trusted-proxies) section to understand, or set the `X-Forwarded-Proto`, `X-Forwarded-Host`,
-`X-Forwarded-Uri`, and `X-Forwarded-For` headers.
+`X-Forwarded-URI`, and `X-Forwarded-For` headers.
 
 ##### Standard Variant
 
@@ -363,7 +363,7 @@ proxy_set_header Host $host;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $http_host;
-proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-URI $request_uri;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Real-IP $remote_addr;
@@ -408,7 +408,7 @@ proxy_set_header Host $host;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $http_host;
-proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-URI $request_uri;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-For $remote_addr;
 ```
@@ -539,7 +539,7 @@ location /internal/authelia/authz/basic {
     proxy_set_header X-Forwarded-Method $request_method;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-URI $request_uri;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Content-Length "";
     proxy_set_header Connection "";

docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_generate.md

@@ -56,6 +56,7 @@ authelia crypto certificate ecdsa generate --help
   -o, --organization strings            certificate organization (default [Authelia])
       --organizational-unit strings     certificate organizational unit
       --path.ca string                  source directory of the certificate authority files, if not provided the certificate will be self-signed
+      --pkcs8                           force PKCS #8 ASN.1 format
   -p, --postcode strings                certificate postcode
       --province strings                certificate province
       --sans strings                    subject alternative names

docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_request.md

@@ -48,6 +48,7 @@ authelia crypto certificate ecdsa request --help
       --not-before string             earliest date and time the certificate is considered valid in various formats (default is now)
   -o, --organization strings          certificate organization (default [Authelia])
       --organizational-unit strings   certificate organizational unit
+      --pkcs8                         force PKCS #8 ASN.1 format
   -p, --postcode strings              certificate postcode
       --province strings              certificate province
       --sans strings                  subject alternative names

docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_generate.md

@@ -55,6 +55,7 @@ authelia crypto certificate ed25519 request --help
   -o, --organization strings            certificate organization (default [Authelia])
       --organizational-unit strings     certificate organizational unit
       --path.ca string                  source directory of the certificate authority files, if not provided the certificate will be self-signed
+      --pkcs8                           force PKCS #8 ASN.1 format
   -p, --postcode strings                certificate postcode
       --province strings                certificate province
       --sans strings                    subject alternative names

docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_request.md

@@ -47,6 +47,7 @@ authelia crypto certificate ed25519 request --help
       --not-before string             earliest date and time the certificate is considered valid in various formats (default is now)
   -o, --organization strings          certificate organization (default [Authelia])
       --organizational-unit strings   certificate organizational unit
+      --pkcs8                         force PKCS #8 ASN.1 format
   -p, --postcode strings              certificate postcode
       --province strings              certificate province
       --sans strings                  subject alternative names

docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_generate.md

@@ -56,6 +56,7 @@ authelia crypto certificate rsa generate --help
   -o, --organization strings            certificate organization (default [Authelia])
       --organizational-unit strings     certificate organizational unit
       --path.ca string                  source directory of the certificate authority files, if not provided the certificate will be self-signed
+      --pkcs8                           force PKCS #8 ASN.1 format
   -p, --postcode strings                certificate postcode
       --province strings                certificate province
       --sans strings                    subject alternative names

docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_request.md

@@ -48,6 +48,7 @@ authelia crypto certificate rsa request --help
       --not-before string             earliest date and time the certificate is considered valid in various formats (default is now)
   -o, --organization strings          certificate organization (default [Authelia])
       --organizational-unit strings   certificate organizational unit
+      --pkcs8                         force PKCS #8 ASN.1 format
   -p, --postcode strings              certificate postcode
       --province strings              certificate province
       --sans strings                  subject alternative names

go.mod

@@ -34,7 +34,7 @@ require (
 	github.com/ory/fosite v0.44.0
 	github.com/ory/herodot v0.10.2
 	github.com/ory/x v0.0.553
-	github.com/otiai10/copy v1.10.0
+	github.com/otiai10/copy v1.11.0
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.15.0

go.sum

@@ -329,8 +329,8 @@ github.com/ory/herodot v0.10.2 h1:gGvNMHgAwWzdP/eo+roSiT5CGssygHSjDU7MSQNlJ4E=
 github.com/ory/herodot v0.10.2/go.mod h1:MMNmY6MG1uB6fnXYFaHoqdV23DTWctlPsmRCeq/2+wc=
 github.com/ory/x v0.0.553 h1:dRSEcbfpJYOl+yk55LTiLUXq2JslaeVaTp6CzHQW5Kw=
 github.com/ory/x v0.0.553/go.mod h1:oRVemI3SQQOLvOCJWIRinHQKlgmay/NbwSyRUIsS/Yk=
-github.com/otiai10/copy v1.10.0 h1:znyI7l134wNg/wDktoVQPxPkgvhDfGCYUasey+h0rDQ=
+github.com/otiai10/copy v1.11.0 h1:OKBD80J/mLBrwnzXqGtFCzprFSGioo30JcmR4APsNwc=
-github.com/otiai10/copy v1.10.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
+github.com/otiai10/copy v1.11.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
 github.com/otiai10/mint v1.5.1 h1:XaPLeE+9vGbuyEHem1JNk3bYc7KKqyI/na0/mLd/Kks=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=

internal/commands/crypto.go

@@ -275,18 +275,20 @@ func (ctx *CmdCtx) CryptoGenerateRunE(cmd *cobra.Command, args []string) (err er
 // CryptoCertificateRequestRunE is the RunE for the authelia crypto certificate request command.
 func (ctx *CmdCtx) CryptoCertificateRequestRunE(cmd *cobra.Command, _ []string) (err error) {
 	var (
+		template                *x509.CertificateRequest
 		privateKey              any
+		csr                     []byte
+		privateKeyPath, csrPath string
+		pkcs8                   bool
 	)
 
 	if privateKey, err = ctx.cryptoGenPrivateKeyFromCmd(cmd); err != nil {
 		return err
 	}
 
-	var (
+	if pkcs8, err = cmd.Flags().GetBool(cmdFlagNamePKCS8); err != nil {
-		template                *x509.CertificateRequest
+		return err
-		csr                     []byte
+	}
-		privateKeyPath, csrPath string
-	)
 
 	if template, err = cryptoGetCSRFromCmd(cmd); err != nil {
 		return err
@@ -329,7 +331,7 @@ func (ctx *CmdCtx) CryptoCertificateRequestRunE(cmd *cobra.Command, _ []string)
 		return fmt.Errorf("failed to create certificate request: %w", err)
 	}
 
-	if err = utils.WriteKeyToPEM(privateKey, privateKeyPath, false); err != nil {
+	if err = utils.WriteKeyToPEM(privateKey, privateKeyPath, pkcs8); err != nil {
 		return err
 	}
 
@@ -345,8 +347,13 @@ func (ctx *CmdCtx) CryptoCertificateGenerateRunE(cmd *cobra.Command, _ []string,
 	var (
 		template, caCertificate, parent       *x509.Certificate
 		publicKey, caPrivateKey, signatureKey any
+		pkcs8                                 bool
 	)
 
+	if pkcs8, err = cmd.Flags().GetBool(cmdFlagNamePKCS8); err != nil {
+		return err
+	}
+
 	if publicKey = utils.PublicKeyFromPrivateKey(privateKey); publicKey == nil {
 		return fmt.Errorf("failed to obtain public key from private key")
 	}
@@ -419,7 +426,7 @@ func (ctx *CmdCtx) CryptoCertificateGenerateRunE(cmd *cobra.Command, _ []string,
 		return fmt.Errorf("failed to create certificate: %w", err)
 	}
 
-	if err = utils.WriteKeyToPEM(privateKey, privateKeyPath, false); err != nil {
+	if err = utils.WriteKeyToPEM(privateKey, privateKeyPath, pkcs8); err != nil {
 		return err
 	}
 

internal/commands/crypto_helper.go

@@ -59,10 +59,10 @@ func cmdFlagsCryptoCertificateRequest(cmd *cobra.Command) {
 
 func cmdFlagsCryptoPairGenerate(cmd *cobra.Command) {
 	cmd.Flags().String(cmdFlagNameFilePublicKey, "public.pem", "name of the file to export the public key data to")
-	cmd.Flags().Bool(cmdFlagNamePKCS8, false, "force PKCS #8 ASN.1 format")
 }
 
 func cmdFlagsCryptoPrivateKey(cmd *cobra.Command) {
+	cmd.Flags().Bool(cmdFlagNamePKCS8, false, "force PKCS #8 ASN.1 format")
 	cmd.Flags().String(cmdFlagNameFilePrivateKey, "private.pem", "name of the file to export the private key data to")
 	cmd.Flags().StringP(cmdFlagNameDirectory, "d", "", "directory where the generated keys, certificates, etc will be stored")
 }

internal/handlers/const_test.go

@@ -21,7 +21,7 @@ var (
 
 const (
 	testXOriginalMethod = "X-Original-Method"
-	testXOriginalUrl    = "X-Original-Url"
+	testXOriginalUrl    = "X-Original-URL"
 	testBypass          = "bypass"
 	testWithoutAccept   = "WithoutAccept"
 	testWithXHRHeader   = "WithXHRHeader"

internal/handlers/handler_authz_impl_forwardauth_test.go

@@ -240,7 +240,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleMissingHostDeny() {
 			mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 			mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
-			mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
+			mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 			authz.Handler(mock.Ctx)
@@ -395,7 +395,7 @@ func (s *ForwardAuthAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -560,7 +560,7 @@ func setRequestForwardAuth(ctx *middlewares.AutheliaCtx, method string, targetUR
 	if targetURI != nil {
 		ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 		ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-		ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+		ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 	}
 
 	setRequestXHRValues(ctx, accept, xhr)

internal/handlers/handler_authz_impl_legacy_test.go

@@ -60,7 +60,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsDeny() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -108,7 +108,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsOverrideAutheliaURLDeny() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -151,7 +151,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLBypassSta
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -183,7 +183,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsMissingAutheliaURLOneFactor
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -213,7 +213,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsRDAutheliaURLOneFactorStatu
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 					mock.Ctx.Request.SetRequestURI("/api/verify?rd=https%3A%2F%2Fauth.example.com")
 
@@ -263,7 +263,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsXHRDeny() {
 							mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 							mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, pairURI.TargetURI.Scheme)
 							mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, pairURI.TargetURI.Host)
-							mock.Ctx.Request.Header.Set("X-Forwarded-Uri", pairURI.TargetURI.Path)
+							mock.Ctx.Request.Header.Set("X-Forwarded-URI", pairURI.TargetURI.Path)
 
 							if x {
 								mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
@@ -311,7 +311,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidMethodCharsDeny() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -338,7 +338,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleMissingHostDeny() {
 			mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 			mock.Ctx.Request.Header.Del(fasthttp.HeaderXForwardedHost)
-			mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/")
+			mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/")
 			mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 			authz.Handler(mock.Ctx)
@@ -370,7 +370,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllow() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -454,7 +454,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleAllMethodsAllowXHR() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, targetURI.Scheme)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, targetURI.Host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", targetURI.Path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", targetURI.Path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)
@@ -613,7 +613,7 @@ func (s *LegacyAuthzSuite) TestShouldHandleInvalidURLForCVE202132637() {
 					mock.Ctx.Request.Header.Set("X-Forwarded-Method", method)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedProto), tc.scheme)
 					mock.Ctx.Request.Header.SetBytesKV([]byte(fasthttp.HeaderXForwardedHost), tc.host)
-					mock.Ctx.Request.Header.Set("X-Forwarded-Uri", tc.path)
+					mock.Ctx.Request.Header.Set("X-Forwarded-URI", tc.path)
 					mock.Ctx.Request.Header.Set(fasthttp.HeaderAccept, "text/html; charset=utf-8")
 
 					authz.Handler(mock.Ctx)

internal/middlewares/authelia_context.go

@@ -177,7 +177,7 @@ func (ctx *AutheliaCtx) GetXForwardedHost() (host []byte) {
 	return host
 }
 
-// XForwardedURI returns the content of the X-Forwarded-Uri header.
+// XForwardedURI returns the content of the X-Forwarded-URI header.
 func (ctx *AutheliaCtx) XForwardedURI() (host []byte) {
 	return ctx.Request.Header.PeekBytes(headerXForwardedURI)
 }

internal/server/template_test.go

@@ -71,7 +71,7 @@ func TestShouldTemplateOpenAPI(t *testing.T) {
 
 	mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedProto, "https")
 	mock.Ctx.Request.Header.Set(fasthttp.HeaderXForwardedHost, "example.com")
-	mock.Ctx.Request.Header.Set("X-Forwarded-Uri", "/api/openapi.yml")
+	mock.Ctx.Request.Header.Set("X-Forwarded-URI", "/api/openapi.yml")
 
 	handler(mock.Ctx)
 

internal/suites/example/compose/envoy/docker-compose.yml

@@ -2,7 +2,7 @@
 version: '3'
 services:
   envoy:
-    image: envoyproxy/envoy:v1.25.5
+    image: envoyproxy/envoy:v1.26.0
     volumes:
       - ./example/compose/envoy/envoy.yaml:/etc/envoy/envoy.yaml
       - ./common/pki:/pki

web/package.json

@@ -23,14 +23,14 @@
     "@fortawesome/free-solid-svg-icons": "6.4.0",
     "@fortawesome/react-fontawesome": "0.2.0",
     "@mui/icons-material": "5.11.16",
-    "@mui/material": "5.12.0",
+    "@mui/material": "5.12.1",
     "@mui/styles": "5.12.0",
     "@simplewebauthn/browser": "7.2.0",
     "@simplewebauthn/typescript-types": "7.0.0",
-    "axios": "1.3.5",
+    "axios": "1.3.6",
     "broadcast-channel": "5.0.3",
     "classnames": "2.3.2",
-    "i18next": "22.4.14",
+    "i18next": "22.4.15",
     "i18next-browser-languagedetector": "7.0.1",
     "i18next-http-backend": "2.2.0",
     "qrcode.react": "3.1.0",
@@ -77,16 +77,16 @@
     "@limegrass/eslint-plugin-import-alias": "1.0.6",
     "@testing-library/jest-dom": "5.16.5",
     "@testing-library/react": "14.0.0",
-    "@types/node": "18.15.11",
+    "@types/node": "18.15.13",
-    "@types/react": "18.0.35",
+    "@types/react": "18.0.37",
     "@types/react-dom": "18.0.11",
     "@types/testing-library__jest-dom": "5.14.5",
     "@types/zxcvbn": "4.4.1",
-    "@typescript-eslint/eslint-plugin": "5.58.0",
+    "@typescript-eslint/eslint-plugin": "5.59.0",
-    "@typescript-eslint/parser": "5.58.0",
+    "@typescript-eslint/parser": "5.59.0",
-    "@vitejs/plugin-react": "3.1.0",
+    "@vitejs/plugin-react": "4.0.0",
     "@vitest/coverage-istanbul": "0.30.1",
-    "esbuild": "0.17.16",
+    "esbuild": "0.17.17",
     "eslint": "8.38.0",
     "eslint-config-prettier": "8.8.0",
     "eslint-config-react-app": "7.0.1",
@@ -97,12 +97,12 @@
     "eslint-plugin-prettier": "4.2.1",
     "eslint-plugin-react": "7.32.2",
     "eslint-plugin-react-hooks": "4.6.0",
-    "happy-dom": "9.7.1",
+    "happy-dom": "9.8.4",
     "husky": "8.0.3",
     "prettier": "2.8.7",
     "react-test-renderer": "18.2.0",
     "typescript": "5.0.4",
-    "vite": "4.2.1",
+    "vite": "4.3.1",
     "vite-plugin-eslint": "1.8.1",
     "vite-plugin-istanbul": "4.0.1",
     "vite-plugin-svgr": "2.4.0",