Commit Graph

114 Commits (036d1a4f51c3ff20acec9278baaf03310b9151b6)

Author SHA1 Message Date
Clement Michaud bc72f5c508 Use x-original-url instead of host to deduce domain to check permissions for 2018-04-25 00:41:41 +02:00
Clement Michaud 4be299d6eb Adapt kube example to work without custom nginx template 2018-04-24 23:59:15 +02:00
Clement Michaud 48d6107b0b Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 23:03:09 +02:00
Clement Michaud bf3705b3e9 Attribute mail_attribute is not correctly taken into account 2018-04-24 21:33:31 +02:00
Clement Michaud 0b2f6ace83 Fix unit and integration tests 2018-03-29 23:09:29 +02:00
Clement Michaud 6586402114 Support 'redirect' in /api/verify endpoint to support Traefik
Traefik handles auth forwarding but does not manage redirections like Nginx.
Therefore, Authelia must redirect the user and Traefik will forward this
request.

To support both Nginx and Traefik, /api/verify is now configurable with the
'redirect' get parameter. If the verification fails and 'redirect' is not
provided the response will be a 401 error as before.
If the parameter is provided and set to any URL, the response will be a
redirection (302) to this URL.
2017-12-04 22:52:33 +01:00
Clement Michaud 515a82eb8d Add links and tooltips at second factor stage to better guide the user
A link to U2F explains what is a U2F security key and how they are used.

A tooltip on U2F device registration link is telling the user he needs a
security key to register.
2017-11-28 21:56:50 +01:00
Clement Michaud f47d3c2b0b Reset password form sends 200 status when user does not exist
Reset password sends 200 status codes to avoid user enumeration.
2017-11-18 21:27:07 +01:00
Clement Michaud ca885e4b15 Fix not working u2f when using Firefox
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox. This change reintroduces the
official u2f script.
2017-11-09 00:21:24 +01:00
Clement Michaud a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud d1f0543ac6 Fix bad redirection when no default_redirection_url is provided 2017-11-01 21:17:43 +01:00
Clement Michaud 009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud e3e1235755 Fix unhandled error exception thrown by Bluebirds in tests 2017-11-01 16:30:51 +01:00
Clement Michaud e93b98c1ec Remove unused AuthenticationValidator 2017-11-01 15:35:55 +01:00
Clement Michaud 6b78240d39 Fix endpoints redirection on errors
From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in" page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after a few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clement Michaud 54854bacb1 Use issuer and label when generating otpauthURL for TOTP
Issuer is customizable in configuration so that a company can set its own name
or website. If not provided, default value is 'authelia.com'.

The username is used as label.
2017-10-31 21:36:47 +01:00
Clement Michaud 73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud 3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering in the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00
Clement Michaud 1e05c41a0c Remove useless comment from first factor page 2017-10-31 07:27:36 +01:00
Clement Michaud 42019bf67d Improve UX of the TOTP registration page
Mainly add badges and links to Google Play and Apple Store to get Google
Authenticator.
2017-10-31 07:27:36 +01:00
Clement Michaud 7b68a543bf Strengthen password in LDAP using SHA512 crypt algorithm
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt

The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the c function,
that's why python, make and C++ compiler are installed temporarily in the
Docker image.
2017-10-31 07:27:36 +01:00
Clement Michaud 969561f4ad Add Content-Security-Policy in Authelia web pages 2017-10-31 07:27:36 +01:00
Clement Michaud 869d55dfd1 Add a meta tag to avoid search engine indexing 2017-10-31 07:27:36 +01:00
Clement Michaud cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud 563e2da323 Add default_redirection_url as configuration option
This URL is used when the user accesses the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in a few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud 2b65680774 Remove TOTP secret from endpoint logs 2017-10-31 07:27:23 +01:00
Clement Michaud dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
Dylan Smith c62b85e37d Less restrictive email handler - replace gmail with generic 2017-10-25 19:28:56 +11:00
Clement Michaud 92b78f7c15 Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
Clément Michaud 565fc35f07 Merge branch 'develop' into anonymous-smtp 2017-10-15 22:50:05 +02:00
Clement Michaud d3a2251d4a Allow anonymous user in SMTP notifier
SMTP notifier should be able to send emails with anonymous user, i.e. without
providing username and password in configuration file.
2017-10-15 22:41:22 +02:00
Clément Michaud b6aca2619b Merge branch 'develop' into remove-schema-from-source 2017-10-15 22:31:06 +02:00
Clement Michaud e8a1e7c52c Remove configuration schema from source since it is generated 2017-10-15 22:17:36 +02:00
Clement Michaud daee042368 Add username to the 'already logged in' page 2017-10-15 22:15:54 +02:00
Clement Michaud f2ae1cd044 Block 'already logged in' page to unauthenticated user 2017-10-15 21:52:12 +02:00
Clement Michaud 12a8626ef7 Make per_subdomain_methods optional in configuration file 2017-10-15 20:01:16 +02:00
Clement Michaud ce264ff4d3 Add {dn} as an available matcher in LDAP groups filter
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.

e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.

Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
Clément Michaud 15fa6286ad Merge pull request #143 from clems4ever/protect-ldap-injection
Add input sanitizer to LDAP client to protect against LDAP injections
2017-10-15 13:36:38 +02:00
Clement Michaud 2e087f12f4 Fix out of bound access in LDAP results array 2017-10-15 02:07:04 +02:00
Clement Michaud 1dd0343860 Add input sanitizer to LDAP client to protect against LDAP injections 2017-10-15 01:35:33 +02:00
Clement Michaud bf3e71d732 Fix unhandled rejections in unit tests 2017-10-15 01:34:37 +02:00
Clement Michaud 3a88ca95b8 Check TOTP token with window of 1
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00
Clément Michaud f041b946d9 Merge pull request #140 from clems4ever/improve-endpoint-errors
Every public endpoints return 200 with harmonized error messages or 401
2017-10-14 12:22:24 +02:00
Clement Michaud 56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hides server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud ab8aaeda25 Add configuration schema validation before starting Authelia 2017-10-10 21:59:20 +02:00
Clement Michaud 2a3fde5ee7 Add a schema validator to check user configuration 2017-10-10 01:14:36 +02:00
Clement Michaud 1ab09b71d4 Specify the sender email in Gmail and Smtp notifier configuration
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
Clément Michaud d5035b8704 Merge pull request #131 from clems4ever/disable-second-factor
Allow basic authentication in configuration
2017-10-09 23:27:36 +02:00
Clement Michaud 9624aa6311 Adapt authentication methods configuration to be backward compatible
Prior version of configuration file can be used, the authentication methods
will be set to default values (two_factor as default method).
2017-10-09 23:14:05 +02:00
Clement Michaud 9559bff5de Remove artifacts of only_basic_auth query param 2017-10-09 02:03:05 +02:00
Clément Michaud 2641fb1620 Merge pull request #130 from clems4ever/revert-filesystem-notifier
Revert filesystem notifier
2017-10-09 01:58:06 +02:00
Clement Michaud 9ddc0949b6 Add a way to logout at second factor stage 2017-10-09 01:07:43 +02:00
Clement Michaud 1cf4e57bb1 Redirect user when he has already validated some factors
Example 1: The user has validated first factor when accessing a service
protected by basic auth. When he tries to access another service protected
by second factor, he is redirected to second factor step to complete
authentication.

Example 2: The user has already validated second factor. When he accesses auth
service, he is redirected either to /loggedin page that displays an "already
logged in" page or to the URL provided in the "redirect" query parameter.
2017-10-09 01:07:32 +02:00
Clement Michaud c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud 346c559141 Make file system an available notifier option for testing purpose 2017-10-08 22:48:20 +02:00
Clement Michaud 78f6028c1b Improve logging format for clarity
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path,
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
2017-10-08 22:33:50 +02:00
Clement Michaud 267cf2921d Adapt ACL configuration to make it more flexible
Basically, the ACL configuration was very static and it was not allowed
to remove 'any', 'groups', 'users'. The application crashed when those
keys did not exist.
After this fix, every key is optional and replaced by a default value
for the app configuration to be complete and used by Authelia.

Later, a configuration validator will be implemented to detect issues
with configuration at startup.
2017-10-08 15:34:58 +02:00
Clément Michaud 15374f39d1 Merge pull request #122 from clems4ever/disable-autocomplete
Disable autocomplete for TOTP field
2017-10-07 23:44:33 +02:00
Clement Michaud e05d1c9c0f Disable autocomplete for TOTP field 2017-10-07 22:23:28 +02:00
Clement Michaud 2349de6698 Disable x-powered-by header sent by express 2017-10-07 22:18:40 +02:00
Clement Michaud a4d7ade791 Remove useless logs displaying smtp credentials 2017-10-07 21:48:43 +02:00
Clement Michaud 66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00