Commit Graph

2297 Commits (0ab94597df4051178497a4180575133b2215f0fa)

Author SHA1 Message Date
Clément Michaud 8f88f45cb2
Merge pull request #202 from clems4ever/feature/reset-password-enum
Reset password form sends 200 status when user does not exist
2017-11-18 23:32:47 +01:00
Clement Michaud f47d3c2b0b Reset password form sends 200 status when user does not exist
Reset password sends 200 status codes to avoid user enumeration.
2017-11-18 21:27:07 +01:00
Clément Michaud 792afbc476
Merge pull request #198 from clems4ever/bugfix/firefox-u2f-api
Fix not working u2f when using Firefox
2017-11-09 00:51:21 +01:00
Clement Michaud ca885e4b15 Fix not working u2f when using Firefox
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox.  This change reintroduces the
official u2f script.
2017-11-09 00:21:24 +01:00
Clément Michaud 899246c374
Merge pull request #197 from clems4ever/feature/split-authelia-backend
Create a more real world example with multiple reverse proxies
2017-11-03 00:47:16 +01:00
Clement Michaud a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud bbbffaa3ae Split nginx service into portal, backend and authelia services
This setup is closer to real production infrastructure.
2017-11-03 00:20:10 +01:00
Clement Michaud b8c8c3bd75 Move docker-compose files to the example directory 2017-11-03 00:20:10 +01:00
Clément Michaud 40a4fd0918
Merge pull request #196 from clems4ever/update-contributors
Add contributors to source and documentation to CONTRIBUTORS.md
2017-11-01 22:44:50 +01:00
Clement Michaud cfaf5d3562 Add contributors to source and documentation to CONTRIBUTORS.md 2017-11-01 22:13:17 +01:00
Clément Michaud c734effb84
Merge pull request #195 from clems4ever/feature/reduce-title
Reduce font size and height of header
2017-11-01 22:04:55 +01:00
Clement Michaud 28f9c52355 Reduce font size and height of the header 2017-11-01 21:42:12 +01:00
Clément Michaud a5da5d790b
Merge pull request #194 from clems4ever/feature/fix-redirection
Fix bad redirection when no default_redirection_url is provided
2017-11-01 21:41:08 +01:00
Clement Michaud d1f0543ac6 Fix bad redirection when no default_redirection_url is provided 2017-11-01 21:17:43 +01:00
Clément Michaud b37c0293b8
Merge pull request #193 from clems4ever/feature/support-basic-auth
Add support of basic auth for single-factor protected endpoints
2017-11-01 20:33:09 +01:00
Clement Michaud 009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud e3e1235755 Fix unhandled error exception thrown by Bluebird in tests 2017-11-01 16:30:51 +01:00
Clement Michaud e93b98c1ec Remove unused AuthenticationValidator 2017-11-01 15:35:55 +01:00
Clément Michaud 17a5e2ad6e
Merge pull request #187 from clems4ever/feature/fix-endpoints-restrictions
Fix endpoints redirection on errors
2017-11-01 15:01:23 +01:00
Clement Michaud 6b78240d39 Fix endpoints redirection on errors
From this commit on, API endpoints reply with a 401 error code and non-API
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in" page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after a few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clément Michaud 837884ef0d
Merge pull request #177 from clems4ever/fix-deployment-script
Fix deployment commands using npm and provided in README
2017-10-31 22:33:25 +01:00
Clement Michaud 6d11801d56 Change the how-to to build Authelia in the README 2017-10-31 22:11:01 +01:00
Clément Michaud c1afde83f6
Merge pull request #185 from clems4ever/totp-issuer-and-label
Use issuer and label when generating otpauthURL for TOTP
2017-10-31 22:10:04 +01:00
Clement Michaud 54854bacb1 Use issuer and label when generating otpauthURL for TOTP
Issuer is customizable in configuration so that a company can set its own name
or website. If not provided, the default value is 'authelia.com'.

The username is used as label.
2017-10-31 21:36:47 +01:00
Clement Michaud 87056c14e2 Fix npm package versions with package-lock.json 2017-10-31 07:37:15 +01:00
Clement Michaud 608b20a736 Add shared/ directory in .npmignore 2017-10-31 07:37:15 +01:00
Clement Michaud 73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud 3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00
Clement Michaud 1e05c41a0c Remove useless comment from first factor page 2017-10-31 07:27:36 +01:00
Clement Michaud 42019bf67d Improve UX of the TOTP registration page
Mainly add badges and links to Google Play and Apple Store to get Google
Authenticator.
2017-10-31 07:27:36 +01:00
Clement Michaud 7b68a543bf Strengthen password in LDAP using SHA512 crypt algorithm
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt

The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the C function,
that's why python, make and a C++ compiler are installed temporarily in the
Docker image.
2017-10-31 07:27:36 +01:00
Clement Michaud 22d56b1faa Change basicauth.test.local into single_factor.test.local 2017-10-31 07:27:36 +01:00
Clement Michaud 969561f4ad Add Content-Security-Policy in Authelia web pages 2017-10-31 07:27:36 +01:00
Clement Michaud a3560ef8d3 Add possible security measures in README 2017-10-31 07:27:36 +01:00
Clement Michaud 869d55dfd1 Add a meta tag to avoid search engine indexing 2017-10-31 07:27:36 +01:00
Clement Michaud cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud 563e2da323 Add default_redirection_url as configuration option
This URL is used when a user accesses the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When the user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in a few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud 99b04809a5 Provide information about fake webmail in home page of example 2017-10-31 07:27:23 +01:00
Clement Michaud 2b65680774 Remove TOTP secret from endpoint logs 2017-10-31 07:27:23 +01:00
Clement Michaud dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
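An added example, not Authelia's code, of the two timers this commit describes working together: an absolute expiration fixed at session creation and a sliding inactivity timeout that is refreshed on every request and disabled when configured as 0. Times are Unix seconds; the configuration keys, the session shape and the function names are assumptions.

```javascript
// Added example, not Authelia's code: absolute expiry plus inactivity timeout.

// Constructed configuration: 1 h absolute lifetime, 5 min inactivity.
const SESSION_CONFIG = { expiration: 3600, inactivity: 300 };

function createSession(username, now, config = SESSION_CONFIG) {
  return { username, createdAt: now, lastActivity: now, config };
}

// Why the session is unusable, or null when it is still valid. The absolute
// check comes first so a long-idle session is reported as expired rather
// than inactive once its lifetime is over.
function sessionProblem(session, now) {
  const { expiration, inactivity } = session.config;
  if (now - session.createdAt >= expiration) return 'expired';
  if (inactivity > 0 && now - session.lastActivity >= inactivity) return 'inactive';
  return null;
}

// Called on every authenticated request: refreshes the inactivity clock but
// never the absolute expiry, so a stolen cookie stops working at a fixed
// time no matter how actively it is used.
function touchSession(session, now) {
  const problem = sessionProblem(session, now);
  if (problem) return { ok: false, reason: problem };
  session.lastActivity = now;
  return { ok: true };
}

// Drive one session through a constructed sequence of request times; the
// first time creates the session, each later one is a request.
function replay(username, times, config = SESSION_CONFIG) {
  const session = createSession(username, times[0], config);
  return times.slice(1).map((t) => ({ t, ...touchSession(session, t) }));
}
```

Note that once `touchSession` refuses a request it does not update `lastActivity`, so a session that went inactive stays inactive even if the next request arrives promptly; the user has to authenticate again.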
Clement Michaud b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
Clément Michaud 34a595863a
Merge pull request #181 from Chemsmith/add-email-handeler-2
Less restrictive email handler - replace gmail with generic
2017-10-31 07:01:30 +01:00
Dylan Smith c62b85e37d Less restrictive email handler - replace gmail with generic 2017-10-25 19:28:56 +11:00
Clement Michaud 5570ac3d84 3.6.0 2017-10-16 22:32:55 +02:00
Clément Michaud 19c846a366 Merge pull request #160 from clems4ever/develop
Release 3.6.0
2017-10-16 22:32:18 +02:00
Clément Michaud 39b3898908 Merge pull request #152 from clems4ever/cookie-theft
Prevention against cookie theft
2017-10-16 21:11:58 +02:00
Clement Michaud 056565a968 Add X-Frame-Options header to avoid ability to embed websites in iframes 2017-10-16 20:56:26 +02:00
Clement Michaud 0b33982701 Add notes on security measures deployed in Authelia in README 2017-10-16 20:56:26 +02:00
Clement Michaud f523e5335f Use HSTS in example 2017-10-16 20:56:26 +02:00
Clement Michaud 92b78f7c15 Enable secure and httpOnly option for sessions
These are two measures for improving the security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
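An added example, not Authelia's code, that audits a response for the protections introduced in this series of commits: the Secure and HttpOnly cookie flags, X-Frame-Options, HSTS and the Content-Security-Policy header added earlier in the list. It runs over constructed header sets (one hardened, one as a response looked before these changes); the heuristics and the function names are assumptions.

```javascript
// Added example, not Authelia's code: audit of cookie flags and security headers.

// Parse a Set-Cookie header into its name, value and a lower-cased attribute
// map (flags without a value become true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// headers: { name: value | [values] }, names matched case-insensitively.
// Returns a list of findings; empty means every check passed.
function auditSecurityHeaders(headers) {
  const get = (name) => {
    const k = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return k === undefined ? undefined : headers[k];
  };
  const findings = [];

  for (const raw of [].concat(get('set-cookie') || [])) {
    const c = parseSetCookie(raw);
    if (!c.attributes.secure) findings.push(`cookie ${c.name}: missing Secure`);
    if (!c.attributes.httponly) findings.push(`cookie ${c.name}: missing HttpOnly`);
  }

  const xfo = get('x-frame-options');
  if (!xfo || !['deny', 'sameorigin'].includes(String(xfo).toLowerCase())) {
    findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');
  }

  const hsts = get('strict-transport-security');
  if (!hsts || !/max-age=\d+/i.test(String(hsts))) {
    findings.push('Strict-Transport-Security missing or without max-age');
  }

  const csp = get('content-security-policy');
  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else if (/unsafe-inline|unsafe-eval/.test(String(csp))) {
    findings.push('Content-Security-Policy allows unsafe-inline or unsafe-eval');
  }

  return findings;
}

// Constructed responses for the audit.
const HARDENED_RESPONSE = {
  'Set-Cookie': ['authelia_session=abc123; Path=/; Secure; HttpOnly'],
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
};
const WEAK_RESPONSE = {
  'Set-Cookie': ['authelia_session=abc123; Path=/'],
};
```

Running the audit against the portal after a deployment is a cheap regression check: the findings list should be empty for every response that sets the session cookie.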