This refactors the suites to use a Enterprise Root CA PKI signed certificate so the CA public certificate can be trusted. This is particularly useful for webauthn in Chrome.
This adds support to configure multiple session cookie domains.
Closes#1198
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This change replaces Kind with a might lighter K8s variation K3D.
Many of our manifests have also been consolidated.
Other key changes have been highlighted below:
* Utilise K3D Traefik Ingress
* Automatically provision all manifests, removing the abundance of shell scripts
* Expose Traefik and K8s dashboards through the Ingress
This adds a new helper which retrieves the build metadata, uses it to generate container labels, and refactors XFlags uses to utilize the same machinery.
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).
Fixes#1226.
* feat(web): replace cra with vite
* fix: add istanbul
* fix: add jest
* fix: inject env vars
* fix: replicate cra output directories
* fix: post-frontend build for go templating
* fix: dynamic publicpath
* fix(web): import resolution with aliases for .module.css files
* refactor(server): baseurl var
* refactor(web): drop babel-jest for esbuild-jest
* refactor(web): add inline sourcemap for coverage bundle
* build(deps): update web deps
* build(deps): downgrade vite-plugin-istanbul to 2.2.0
98bf77dbaa is a breaking change that means production mode builds can no longer be instrumented.
* refactor(web): match frontend name and version
* refactor(web): drop cra readme
* Check for pnpm in authelia-scripts
* Improve husky hooks to check for required apps
* Use pnpm in coverage dockerfile
* Use pnpm in dev workflow
* Stop buildx log truncation
* Ignore pnpm lockfile in yamllint
* Update versions required for docker and docker-compose in contributing docs
* feat: hardened authelia binaries
This change ensures that all Authelia binaries which are compiled and distributed are hardened with the following standards:
* RELRO
* Stack canary
* NX
* PIE/ASLR
* Stripped RPATH AND RUNPATH
* Stripped Symbols
* Fortify
The musl variants currently [do not support Fortify](https://wiki.musl-libc.org/future-ideas.html#Fortify).
* refactor: docker pull for authelia/crossbuild in background
* feat: builds with gox and buildx
This change builds all of Authelia respective binaries in parallel within a single step and distributes as necessary to subsequent steps, we now also build and distribute for the following OS/Architecture: freebsd/amd64.
Our CI/CD pipeline now also utilises docker buildx as a default for builds and pushes.
* refactor: clean up docker helper
* Remove `authelia-scripts docker push-image` command as all pushes will be performed with buildx and manifests
* Rename the --arch flag to --container
* Add Dockerfile.dev for users that want to build an Authelia container from source without utilising suites
* Set Dockerfile.dev as default for `authelia-scripts docker build` command
* refactor: variant -> container