From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.
This commit also fixes missing restrictions on /loggedin (the "already logged
in page). This was not a security issue, though.
The change also makes error pages automatically redirect the user after few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.
Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.
When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.
This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.
If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
The notification message pops up and hide after few seconds.
Sometimes, chrome drivers tries to click on a button that moves due
to the notification message animation and thus miss it.
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.
[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
Before this fix, the application was simply crashing during execution
when connection to redis was failing.
Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem
Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since user could open several pages in
browser and thus override the redirection URL leading the user to
be incorrectly redirected.
Clement Michaud