diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml index 5edf31148..aad2618b9 100644 --- a/.github/ISSUE_TEMPLATE/bug-report.yml +++ b/.github/ISSUE_TEMPLATE/bug-report.yml @@ -1,12 +1,12 @@ --- -name: Bug Report -description: Report a bug +name: 'Bug Report' +description: 'Report a bug' labels: - - type/bug/unconfirmed - - status/needs-triage - - priority/4/normal + - 'type/bug/unconfirmed' + - 'status/needs-triage' + - 'priority/4/normal' body: - - type: markdown + - type: 'markdown' attributes: value: | Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first. 
@@ -25,160 +25,190 @@ body: - Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section. - If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section. 7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues. - - type: dropdown - id: version + - type: 'dropdown' + id: 'version' attributes: - label: Version - description: What version(s) of Authelia can you reproduce this bug on? + label: | + Version + description: | + What version(s) of Authelia can you reproduce this bug on? multiple: true options: - - v4.37.5 - - v4.37.4 - - v4.37.3 - - v4.37.2 - - v4.37.1 - - v4.37.0 - - v4.36.9 - - v4.36.8 - - v4.36.7 - - v4.36.6 - - v4.36.5 - - v4.36.4 - - v4.36.3 - - v4.36.2 - - v4.36.1 - - v4.36.0 - - v4.35.6 - - v4.35.5 - - v4.35.4 - - v4.35.3 - - v4.35.2 - - v4.35.1 - - v4.35.0 - - v4.34.6 - - v4.34.5 - - v4.34.4 - - v4.34.3 - - v4.34.2 - - v4.34.1 - - v4.34.0 - - v4.33.2 - - v4.33.1 - - v4.33.0 - - v4.32.2 - - v4.32.1 - - v4.32.0 + - 'v4.37.5' + - 'v4.37.4' + - 'v4.37.3' + - 'v4.37.2' + - 'v4.37.1' + - 'v4.37.0' + - 'v4.36.9' + - 'v4.36.8' + - 'v4.36.7' + - 'v4.36.6' + - 'v4.36.5' + - 'v4.36.4' + - 'v4.36.3' + - 'v4.36.2' + - 'v4.36.1' + - 'v4.36.0' + - 'v4.35.6' + - 'v4.35.5' + - 'v4.35.4' + - 'v4.35.3' + - 'v4.35.2' + - 'v4.35.1' + - 'v4.35.0' + - 'v4.34.6' + - 'v4.34.5' + - 'v4.34.4' + - 'v4.34.3' + - 'v4.34.2' + - 'v4.34.1' + - 'v4.34.0' + - 'v4.33.2' + - 'v4.33.1' + - 'v4.33.0' + - 'v4.32.2' + - 'v4.32.1' + - 'v4.32.0' validations: required: true - - type: dropdown - id: deployment + - type: 'dropdown' + id: 'deployment' attributes: - label: Deployment Method - description: How are you deploying Authelia? 
+ label: | + Deployment Method + description: | + How are you deploying Authelia? options: - - Docker - - Kubernetes - - Bare-metal - - Other + - 'Docker' + - 'Kubernetes' + - 'Bare-metal' + - 'Other' validations: required: true - - type: dropdown - id: proxy + - type: 'dropdown' + id: 'proxy' attributes: - label: Reverse Proxy - description: What reverse proxy are you using? + label: | + Reverse Proxy + description: | + What reverse proxy are you using? options: - - Caddy - - Traefik - - Envoy - - Istio - - NGINX - - SWAG - - NGINX Proxy Manager - - HAProxy + - 'Caddy' + - 'Traefik' + - 'Envoy' + - 'Istio' + - 'NGINX' + - 'SWAG' + - 'NGINX Proxy Manager' + - 'HAProxy' validations: required: true - - type: input - id: proxy-version + - type: 'input' + id: 'proxy-version' attributes: - label: Reverse Proxy Version - description: What is the version of your reverse proxy? - placeholder: x.x.x + label: | + Reverse Proxy Version + description: | + What is the version of your reverse proxy? + placeholder: 'x.x.x' validations: required: false - - type: textarea - id: description + - type: 'textarea' + id: 'description' attributes: - label: Description - description: Describe the bug. + label: | + Description + description: | + Describe the bug. validations: required: true - - type: textarea - id: reproduction + - type: 'textarea' + id: 'reproduction' attributes: - label: Reproduction - description: Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved. + label: | + Reproduction + description: | + Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. 
Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved. validations: required: true - - type: textarea - id: expectations + - type: 'textarea' + id: 'expectations' attributes: - label: Expectations - description: Describe the desired or expected results. + label: | + Expectations + description: | + Describe the desired or expected results. validations: required: false - - type: textarea - id: configuration + - type: 'textarea' + id: 'configuration' attributes: - label: Configuration (Authelia) - description: Provide a complete configuration file (the template will automatically put this content in a code block). - render: yaml + label: | + Configuration (Authelia) + description: | + Provide a complete configuration file (the template will automatically put this content in a code block). + render: 'yaml' validations: required: false - - type: textarea - id: logs + - type: 'textarea' + id: 'logs' attributes: - label: Logs (Authelia) + label: | + Logs (Authelia) description: | Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide. The template will automatically put this content in a code block so you can just paste it. - render: shell + render: 'shell' validations: required: true - - type: textarea - id: logs-other + - type: 'textarea' + id: 'logs-other' attributes: - label: Logs (Proxy / Application) - description: Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block). 
- render: shell + label: | + Logs (Proxy / Application) + description: | + Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block). + render: 'shell' validations: required: false - - type: textarea - id: documentation + - type: 'textarea' + id: 'documentation' attributes: - label: Documentation - description: Provide any relevant specification or other documentation if applicable. + label: | + Documentation + description: | + Provide any relevant specification or other documentation if applicable. validations: required: false - - type: checkboxes - id: checklist + - type: 'checkboxes' + id: 'checklist' attributes: - label: Pre-Submission Checklist - description: By submitting this issue confirm all of the following. + label: | + Pre-Submission Checklist + description: | + By submitting this issue confirm all of the following. options: - - label: I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct) + - label: | + I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct) required: true - - label: This is a bug report and not a support request + - label: | + This is a bug report and not a support request required: true - - label: I have read the security policy and this bug report is not a security issue or security related issue + - label: | + I have read the security policy and this bug report is not a security issue or security related issue required: true - - label: I have either included the complete configuration file or I am sure it's unrelated to the configuration + - label: | + I have either included the complete configuration file or I am sure it's unrelated to the configuration required: true - - label: I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) 
reference guide + - label: | + I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide required: true - - label: I have checked for related proxy or application logs and included them if available + - label: | + I have checked for related proxy or application logs and included them if available required: true - - label: I have checked for related issues and checked the documentation + - label: | + I have checked for related issues and checked the documentation required: true ... diff --git a/config.template.yml b/config.template.yml index 5b7f82ad0..2319109de 100644 --- a/config.template.yml +++ b/config.template.yml @@ -90,13 +90,13 @@ server: ## Server Timeouts configuration. # timeouts: - ## Read timeout. + ## Read timeout in the duration common syntax. # read: '6s' - ## Write timeout. + ## Write timeout in the duration common syntax. # write: '6s' - ## Idle timeout. + ## Idle timeout in the duration common syntax. # idle: '30s' ## Server Endpoints configuration. @@ -171,13 +171,13 @@ telemetry: ## Metrics Server Timeouts configuration. # timeouts: - ## Read timeout. + ## Read timeout in the duration common syntax. # read: '6s' - ## Write timeout. + ## Write timeout in the duration common syntax. # write: '6s' - ## Idle timeout. + ## Idle timeout in the duration common syntax. # idle: '30s' ## @@ -223,7 +223,7 @@ webauthn: ## Disable WebAuthn. disable: false - ## Adjust the interaction timeout for WebAuthn dialogues. + ## The interaction timeout for WebAuthn dialogues in the duration common syntax. timeout: '60s' ## The display name the browser should show the user for when using WebAuthn to login/register. 
@@ -264,7 +264,7 @@ ntp:
 ## NTP version.
 version: 4
- ## Maximum allowed time offset between the host and the NTP server in duration common syntax.
+ ## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
 max_desync: '3s'
 ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
@@ -293,14 +293,13 @@ authentication_backend:
 ## functionality.
 custom_url: ''
- ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
+ ## The amount of time to wait before we refresh data from the authentication backend in the duration common syntax.
 ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
 ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
 ## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
 ## See the below documentation for more information.
- ## Duration Notation docs: https://www.authelia.com/c/common#duration
 ## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval
- refresh_interval: 5m
+ refresh_interval: '5m'
 ##
 ## LDAP (Authentication Provider)
@@ -736,7 +735,6 @@ session:
 # same_site: 'lax'
 ## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
- ## See: https://www.authelia.com/c/common#duration
 ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
 ## because a stolen cookie will last longer giving attackers more time to spy or attack.
@@ -753,30 +751,19 @@ session:
 ## this value to -1 disables remember me for this session cookie domain.
 # remember_me: '1M'
- ## Cookie Session Domain default 'name' value. The name of the session cookie.
+ ## Cookie Session Domain default 'name' value.
 name: 'authelia_session'
- ## Cookie Session Domain default 'same_site' value. Sets the Cookie SameSite value. Possible options are none, lax,
- ## or strict. Please read https://www.authelia.com/c/session#same_site
+ ## Cookie Session Domain default 'same_site' value.
 same_site: 'lax'
- ## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
- ## See: https://www.authelia.com/c/common#duration
- ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
- ## because a stolen cookie will last longer giving attackers more time to spy or attack.
-
- ## Cookie Session Domain default 'inactivity' value. The inactivity time before the session is reset. If expiration is
- ## set to 1h, and this is set to 5m, if the user does not select the remember me option their session will get
- ## destroyed after 1h, or after 5m since the last time Authelia detected user activity.
+ ## Cookie Session Domain default 'inactivity' value.
 inactivity: '5m'
- ## Cookie Session Domain default 'expiration' value. The time before the session cookie expires and the session is
- ## destroyed if remember me IS NOT selected by the user.
+ ## Cookie Session Domain default 'expiration' value.
 expiration: '1h'
- ## Cookie Session Domain default 'remember_me' value. The time before the cookie expires and the session is destroyed
- ## if remember me IS selected by the user. Setting this value to -1 disables remember me for all session cookie
- ## domains which do not have a specific 'remember_me' value.
+ ## Cookie Session Domain default 'remember_me' value.
 remember_me: '1M'
 ##
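Review bot: The default-level `remember_me` comment in this hunk loses the only statement of what `-1` means at this level, while the per-domain entry in the leading context still says `-1 disables remember me for this session cookie domain`; a reader of the defaults now has no hint that `-1` is accepted here. One sentence keeps that without the removed paragraph, e.g. `## Cookie Session Domain default 'remember_me' value. Setting this to -1 disables remember me for domains without their own 'remember_me' value.`. The `same_site` comment likewise drops the accepted values (`none`, `lax`, `strict`); the documentation link can go, but the enumeration is cheap to keep next to the default. The identical hunk in internal/configuration/config.template.yml has the same gap.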
@@ -934,11 +921,11 @@ regulation:
 ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
 max_retries: 3
- ## The time range in duration common syntax during which the user can attempt login before being banned. The user is
- ## banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
+ ## The time range during which the user can attempt login before being banned in the duration common syntax. The user
+ ## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
 find_time: '2m'
- ## The length of time in duration common syntax before a banned user can login again.
+ ## The length of time before a banned user can login again in the duration common syntax.
 ban_time: '5m'
 ##
@@ -1441,7 +1428,7 @@ notifier:
 # DO NOT USE==
 # -----END RSA PRIVATE KEY-----
- ## The lifespans configure the expiration for these token types.
+ ## The lifespans configure the expiration for these token types in the duration common syntax.
 # access_token_lifespan: '1h'
 # authorize_code_lifespan: '1m'
 # id_token_lifespan: '1h'
@@ -1547,6 +1534,6 @@ notifier:
 # consent_mode: 'auto'
 ## This value controls the duration a consent on this client remains remembered when the consent mode is
- ## configured as 'auto' or 'pre-configured'.
+ ## configured as 'auto' or 'pre-configured' in the duration common syntax.
 # pre_configured_consent_duration: '1w'
 ...
diff --git a/docs/content/en/configuration/miscellaneous/server.md b/docs/content/en/configuration/miscellaneous/server.md
index de1bfb205..e0cc0a538 100644
--- a/docs/content/en/configuration/miscellaneous/server.md
+++ b/docs/content/en/configuration/miscellaneous/server.md
@@ -22,6 +22,7 @@ aliases:
 ```yaml
 server:
 address: 'tcp://:9091'
+ umask: 0022
 path: ''
 disable_healthcheck: false
 tls:
@@ -67,7 +68,7 @@ see the [documentation](../prologue/common.md#address) on this format for more i Configures the listener address for the Main HTTP Server. The address itself is a listener and the scheme must either be the `unix` scheme or one of the `tcp` schemes. -__Example:__ +__Examples:__ ```yaml server: @@ -83,8 +84,15 @@ server: {{< confkey type="int" required="no" >}} -If set temporarily changes the Umask during the creation of the unix domain socket if configured as such in the -[address](#address). +If set temporarily changes the umask during the creation of the unix domain socket if configured as such in the +[address](#address). Typically this should be set before the process is actually running and users should not use this +option, however it's recognized in various specific scenarios this may not be completely adequate. + +One such example is when you want the proxy to have permission to the socket but not the files, in which case running a +umask of `0077` by default is good, and running a umask of `0027` so that the group Authelia is running as has +permission to the socket. + +This value should typically be prefixed with a `0` to ensure the relevant parsers handle it correctly. ### path @@ -203,11 +211,11 @@ Enables the go [pprof](https://pkg.go.dev/net/http/pprof) endpoints. #### enable_expvars +{{< confkey type="boolean" default="false" required="no" >}} + *__Security Note:__ This is a developer endpoint. __DO NOT__ enable it unless you know why you're enabling it. __DO NOT__ enable this in production.* -{{< confkey type="boolean" default="false" required="no" >}} - Enables the go [expvar](https://pkg.go.dev/expvar) endpoints. #### authz diff --git a/docs/content/en/configuration/prologue/common.md b/docs/content/en/configuration/prologue/common.md index 4e8f54a95..bea8f06dc 100644 --- a/docs/content/en/configuration/prologue/common.md +++ b/docs/content/en/configuration/prologue/common.md 
@@ -24,24 +24,9 @@ guide on configuring any particular instance. The base type for this syntax is a string, and it also handles integers however this is discouraged. -We have implemented a string/integer based syntax for configuration options that take a duration of time. This section -describes the implementation of this. You can use this implementation in various areas of configuration such as: - -* session: - * expiration - * inactivity - * remember_me -* regulation: - * ban_time - * find_time -* ntp: - * max_desync -* webauthn: - * timeout - -The way this format works is you can either configure an integer or a string in the specific configuration areas. If you -supply an integer, it is considered a representation of seconds. If you supply a string, it parses the string in blocks -of quantities and units (number followed by a unit letter). For example `5h` indicates a quantity of 5 units of `h`. +If you supply an integer, it is considered a representation of seconds. If you supply a string, it parses the string in +blocks of quantities and units (number followed by a unit letter). For example `5h` indicates a quantity of 5 units +of `h`. The following is ignored: - all spaces 
@@ -104,20 +89,44 @@ portions. Required portions may exist within optional portions, in which case th format specific text which indicates if the accompanying text exists then it is actually required, otherwise it's entirely optional. -The connector address values take the following formats: +The square brackets indicate optional sections, and the angled brackets indicate required sections. The following +sections elaborate on this. Sections may only be optional for the purposes of parsing, there may be a configuration +requirement that one of these is provided. + +##### Hostname + +The following format represents the hostname format. It's valid for both a listener and connector in most instances. +Refer to the individual documentation for an option for clarity. In this format as per the notation the scheme and port +are optional. The default for these when not provided varies. ```text [://][:] +``` + +##### Port + +The following format represents the port format. It's valid only for a listener in most instances. +Refer to the individual documentation for an option for clarity. In this format as per the notation the scheme and +hostname are optional. The default for the scheme when not provided varies, and the default for the hostname is all +available addresses when not provided. + +```text +[://][hostname]: +``` + +##### Unix Domain Socket + +The following format represents the unix domain socket format. It's valid for both a listener and connector in most +instances. Refer to the individual documentation for an option for clarity. In this format as per the notation there +are no optional portions. + +```text unix:// ``` -The listener address values take the following additional formats: +##### Examples -```text -[://]: -``` - -Examples: +Various examples for these formats. ```text 0.0.0.0 
@@ -131,9 +140,6 @@ udp://:123 unix:///var/lib/authelia.sock ``` -The square brackets indicate optional sections, and the angled brackets indicate required sections. The following -sections elaborate on this. Sections may only be optional for the purposes of parsing, there may be a configuration -requirement that one of these is provided. #### scheme diff --git a/docs/content/en/configuration/telemetry/metrics.md b/docs/content/en/configuration/telemetry/metrics.md index 4e277752d..21779ed0b 100644 --- a/docs/content/en/configuration/telemetry/metrics.md +++ b/docs/content/en/configuration/telemetry/metrics.md @@ -23,6 +23,7 @@ telemetry: metrics: enabled: false address: 'tcp://:9959' + umask: 0022 buffers: read: 4096 write: 4096 @@ -56,8 +57,15 @@ the scheme must either be the `unix` scheme or one of the `tcp` schemes. {{< confkey type="int" required="no" >}} -If set temporarily changes the Umask during the creation of the unix domain socket if configured as such in the -[address](#address). +If set temporarily changes the umask during the creation of the unix domain socket if configured as such in the +[address](#address). Typically this should be set before the process is actually running and users should not use this +option, however it's recognized in various specific scenarios this may not be completely adequate. + +One such example is when you want the proxy to have permission to the socket but not the files, in which case running a +umask of `0077` by default is good, and running a umask of `0027` so that the group Authelia is running as has +permission to the socket. + +This value should typically be prefixed with a `0` to ensure the relevant parsers handle it correctly. ### buffers diff --git a/docs/content/en/reference/integrations/time-based-one-time-password-apps.md b/docs/content/en/reference/integrations/time-based-one-time-password-apps.md index 92aacfc5a..2d8c63931 100644 
--- a/docs/content/en/reference/integrations/time-based-one-time-password-apps.md
+++ b/docs/content/en/reference/integrations/time-based-one-time-password-apps.md
@@ -2,7 +2,7 @@
 title: "Time-based OTP Applications"
 description: "A Time-based OTP Application integration reference guide"
 lead: "This section contains a Time-based OTP Application integration reference guide for Authelia."
-date: 2022-11-19T16:47:09+11:00
+date: 2023-05-07T17:52:47+10:00
 draft: false
 images: []
 menu:
diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml
index 5b7f82ad0..2319109de 100644
--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@@ -90,13 +90,13 @@ server:
 ## Server Timeouts configuration.
 # timeouts:
- ## Read timeout.
+ ## Read timeout in the duration common syntax.
 # read: '6s'
- ## Write timeout.
+ ## Write timeout in the duration common syntax.
 # write: '6s'
- ## Idle timeout.
+ ## Idle timeout in the duration common syntax.
 # idle: '30s'
 ## Server Endpoints configuration.
@@ -171,13 +171,13 @@ telemetry:
 ## Metrics Server Timeouts configuration.
 # timeouts:
- ## Read timeout.
+ ## Read timeout in the duration common syntax.
 # read: '6s'
- ## Write timeout.
+ ## Write timeout in the duration common syntax.
 # write: '6s'
- ## Idle timeout.
+ ## Idle timeout in the duration common syntax.
 # idle: '30s'
 ##
@@ -223,7 +223,7 @@ webauthn:
 ## Disable WebAuthn.
 disable: false
- ## Adjust the interaction timeout for WebAuthn dialogues.
+ ## The interaction timeout for WebAuthn dialogues in the duration common syntax.
 timeout: '60s'
 ## The display name the browser should show the user for when using WebAuthn to login/register.
@@ -264,7 +264,7 @@ ntp:
 ## NTP version.
 version: 4
- ## Maximum allowed time offset between the host and the NTP server in duration common syntax.
+ ## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
 max_desync: '3s'
 ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
@@ -293,14 +293,13 @@ authentication_backend:
 ## functionality.
 custom_url: ''
- ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
+ ## The amount of time to wait before we refresh data from the authentication backend in the duration common syntax.
 ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
 ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
 ## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
 ## See the below documentation for more information.
- ## Duration Notation docs: https://www.authelia.com/c/common#duration
 ## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval
- refresh_interval: 5m
+ refresh_interval: '5m'
 ##
 ## LDAP (Authentication Provider)
@@ -736,7 +735,6 @@ session:
 # same_site: 'lax'
 ## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
- ## See: https://www.authelia.com/c/common#duration
 ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
 ## because a stolen cookie will last longer giving attackers more time to spy or attack.
@@ -753,30 +751,19 @@ session:
 ## this value to -1 disables remember me for this session cookie domain.
 # remember_me: '1M'
- ## Cookie Session Domain default 'name' value. The name of the session cookie.
+ ## Cookie Session Domain default 'name' value.
 name: 'authelia_session'
- ## Cookie Session Domain default 'same_site' value. Sets the Cookie SameSite value. Possible options are none, lax,
- ## or strict. Please read https://www.authelia.com/c/session#same_site
+ ## Cookie Session Domain default 'same_site' value.
 same_site: 'lax'
- ## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
- ## See: https://www.authelia.com/c/common#duration
- ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
- ## because a stolen cookie will last longer giving attackers more time to spy or attack.
-
- ## Cookie Session Domain default 'inactivity' value. The inactivity time before the session is reset. If expiration is
- ## set to 1h, and this is set to 5m, if the user does not select the remember me option their session will get
- ## destroyed after 1h, or after 5m since the last time Authelia detected user activity.
+ ## Cookie Session Domain default 'inactivity' value.
 inactivity: '5m'
- ## Cookie Session Domain default 'expiration' value. The time before the session cookie expires and the session is
- ## destroyed if remember me IS NOT selected by the user.
+ ## Cookie Session Domain default 'expiration' value.
 expiration: '1h'
- ## Cookie Session Domain default 'remember_me' value. The time before the cookie expires and the session is destroyed
- ## if remember me IS selected by the user. Setting this value to -1 disables remember me for all session cookie
- ## domains which do not have a specific 'remember_me' value.
+ ## Cookie Session Domain default 'remember_me' value.
 remember_me: '1M'
 ##
@@ -934,11 +921,11 @@ regulation:
 ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
 max_retries: 3
- ## The time range in duration common syntax during which the user can attempt login before being banned. The user is
- ## banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
+ ## The time range during which the user can attempt login before being banned in the duration common syntax. The user
+ ## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
 find_time: '2m'
- ## The length of time in duration common syntax before a banned user can login again.
+ ## The length of time before a banned user can login again in the duration common syntax.
 ban_time: '5m'
 ##
@@ -1441,7 +1428,7 @@ notifier:
 # DO NOT USE==
 # -----END RSA PRIVATE KEY-----
- ## The lifespans configure the expiration for these token types.
+ ## The lifespans configure the expiration for these token types in the duration common syntax.
 # access_token_lifespan: '1h'
 # authorize_code_lifespan: '1m'
 # id_token_lifespan: '1h'
@@ -1547,6 +1534,6 @@ notifier:
 # consent_mode: 'auto'
 ## This value controls the duration a consent on this client remains remembered when the consent mode is
- ## configured as 'auto' or 'pre-configured'.
+ ## configured as 'auto' or 'pre-configured' in the duration common syntax.
 # pre_configured_consent_duration: '1w'
 ...
diff --git a/internal/configuration/validator/authentication_test.go b/internal/configuration/validator/authentication_test.go
index fa5c4830d..a606348ce 100644
--- a/internal/configuration/validator/authentication_test.go
+++ b/internal/configuration/validator/authentication_test.go
@@ -759,7 +759,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnBadRefreshInterval
 suite.Len(suite.validator.Warnings(), 0)
 suite.Require().Len(suite.validator.Errors(), 1)
- suite.EqualError(suite.validator.Errors()[0], "authentication_backend: option 'refresh_interval' is configured to 'blah' but it must be either a duration notation or one of 'disable', or 'always': could not parse 'blah' as a duration")
+ suite.EqualError(suite.validator.Errors()[0], "authentication_backend: option 'refresh_interval' is configured to 'blah' but it must be either in duration common syntax or one of 'disable', or 'always': could not parse 'blah' as a duration")
 }
 func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultImplementation() {
diff --git a/internal/configuration/validator/const.go b/internal/configuration/validator/const.go
index d96bfc1bb..63be6a4fc 100644
--- a/internal/configuration/validator/const.go
+++ b/internal/configuration/validator/const.go
@@ -79,7 +79,7 @@ const (
 errFmtAuthBackendMultipleConfigured = "authentication_backend: please ensure only one of the 'file' or 'ldap' " +
 "backend is configured"
 errFmtAuthBackendRefreshInterval = "authentication_backend: option 'refresh_interval' is configured to '%s' but " +
- "it must be either a duration notation or one of 'disable', or 'always': %w"
+ "it must be either in duration common syntax or one of 'disable', or 'always': %w"
 errFmtAuthBackendPasswordResetCustomURLScheme = "authentication_backend: password_reset: option 'custom_url' is" +
 " configured to '%s' which has the scheme '%s' but the scheme must be either 'http' or 'https'"
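Review bot: The new expectation in `suite.EqualError` (and the `errFmtAuthBackendRefreshInterval` constant in the const.go hunk below it) reads `either in duration common syntax`, while every template comment and doc line this commit touches uses `in the duration common syntax`; the user-facing validation error should carry the same phrase so that searching the message leads to the documentation. The stray comma in `'disable', or 'always'` could be dropped at the same time, giving `"it must be either in the duration common syntax or one of 'disable' or 'always': %w"` for the constant and the matching literal here. Both hunks are cut mid-block: this test body starts before the hunk and the const block continues past the next one.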