Commit Graph

88 Commits (19a543289bf4d6e6980aedbdc27d12bacb77efc6)

Author SHA1 Message Date
Amir Zarrinkafsh b12528a65c
[FEATURE] Display TOTP secret on device registration (#1551)
* This change provides the TOTP secret which allows users to copy and utilise for password managers and other applications.
* Hide TextField if secret isn't present
* This ensure that the TextField is removed on a page or if there is no secret present.
* Add multiple buttons and set default value to OTP URL
* Remove inline icon and add icons under text field which allow copying of the secret key and the whole OTP URL.
* Fix integration tests
* Add notifications on click for secret buttons
* Also remove autoFocus on TextField so a user can identify that the full OTP URL is in focus.
2020-12-29 13:30:00 +11:00
Amir Zarrinkafsh 7c6a86882f
[MISC] Catch OpenLDAP ppolicy error (#1508)
* [MISC] Catch OpenLDAP ppolicy error

Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.

This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.

* Remove password history for integration tests

* Adjust max failures due to regulation trigger

* Fix error handling for password resets

* Refactor and include code suggestions
2020-12-16 12:30:03 +11:00
Amir Zarrinkafsh aa64d0c4e5
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460)
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 20:59:22 +11:00
Amir Zarrinkafsh 106c9032ad
[CI] Fix development workflow (#1465)
Since merging #1135 and utilising Go templating to enable/disable the rememeber me and password reset features these have stopped working in the development workflow.
During frontend development if someone wants to modify these values they should modify the `.env.development` file accordingly.
2020-11-16 20:58:29 +11:00
Amir Zarrinkafsh 2834f3f8e8
[BUGFIX] Fix re-rendering callbacks (#1445)
b34b10322b introduced a regression where including deps in the associated useCallback functions would cause React to re-render components.
This resulted in unexpected symptoms like multiple Duo push requests, even if a successful or errored request had already been received.

Empty deps/no re-rendering for the respective callbacks is an expected result therefore we can safely ignore these issues the linter is suggesting needs to be fixed.
2020-11-11 14:51:42 +11:00
Amir Zarrinkafsh e243fad1ba
[MISC] Disable auto capitalization of username field on mobile (#1435) 2020-11-09 14:04:44 +11:00
dependabot-preview[bot] cc94b1daa3
[MISC] (deps): Bump @types/react from 16.9.43 to 16.9.56 in /web (#1429)
* [MISC] (deps): Bump @types/react from 16.9.43 to 16.9.56 in /web

Bumps [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) from 16.9.43 to 16.9.56.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Cast style to React.CSSProperties for LinearProgressBar

Upgrading this typescript library results in the following type issue:

Failed to compile.

/buildkite/builds/authelia/authelia/web/src/components/LinearProgressBar.tsx
TypeScript error in /buildkite/builds/authelia/authelia/web/src/components/LinearProgressBar.tsx(23,13):
Type 'import("/buildkite/builds/authelia/authelia/web/node_modules/@material-ui/styles/withStyles/withStyles").CSSProperties | undefined' is not assignable to type 'React.CSSProperties | undefined'.
  Type 'import("/buildkite/builds/authelia/authelia/web/node_modules/@material-ui/styles/withStyles/withStyles").CSSProperties' is not assignable to type 'React.CSSProperties'.
    Types of property 'appearance' are incompatible.
      Type '"-moz-initial" | "inherit" | "initial" | "revert" | "unset" | "none" | "button-bevel" | "checkbox" | "listbox" | "menulist" | "menulist-button" | "meter" | "progress-bar" | "push-button" | ... 7 more ... | undefined' is not assignable to type '"-moz-initial" | "inherit" | "initial" | "revert" | "unset" | "auto" | "none" | "checkbox" | "listbox" | "menulist" | "menulist-button" | "meter" | "progress-bar" | "push-button" | ... 7 more ... | undefined'.
        Type '"button-bevel"' is not assignable to type '"-moz-initial" | "inherit" | "initial" | "revert" | "unset" | "auto" | "none" | "checkbox" | "listbox" | "menulist" | "menulist-button" | "meter" | "progress-bar" | "push-button" | ... 7 more ... | undefined'.  TS2322

    21 |     return (
    22 |         <LinearProgress
  > 23 |             style={props.style}
       |             ^
    24 |             variant="determinate"
    25 |             classes={{
    26 |                 root: style.progressRoot,

error Command failed with exit code 1.

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-09 11:14:50 +11:00
dependabot-preview[bot] e6f4768961
[MISC] (deps): Bump react-scripts from 3.4.4 to 4.0.0 in /web (#1403)
Bumps [react-scripts](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-scripts) from 3.4.4 to 4.0.0.
- [Release notes](https://github.com/facebook/create-react-app/releases)
- [Changelog](https://github.com/facebook/create-react-app/blob/master/CHANGELOG-3.x.md)
- [Commits](https://github.com/facebook/create-react-app/commits/react-scripts@4.0.0/packages/react-scripts)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Address CRA breaking changes

This is related to [breaking changes](https://github.com/facebook/create-react-app/blob/master/CHANGELOG.md#breaking-changes) in CRA specific to ESLint.

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-07 13:06:18 +11:00
Amir Zarrinkafsh 160e98f275
[DEV] Fix webpack for development workflow (#1163) 2020-07-01 17:16:08 +10:00
Amir Zarrinkafsh b770d3cb6c
[BUGFIX] Fix paths for embedded media assets (#1150) 2020-06-24 09:37:49 +10:00
Amir Zarrinkafsh 29e54c231b
[MISC] Template global config and refactor some /api endpoints (#1135)
* [MISC] Template global config and refactor some /api endpoints
* /api/configuration has been removed in favour of templating said global config
* /api/configuration/extended has been renamed to /api/configuration and display_name has been removed
* /api/user/info has been modified to include display_name

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-06-21 15:40:37 +02:00
Amir Zarrinkafsh e43bc93047
[FEATURE] Add configurable display name to frontend (#1124)
* [FEATURE] Add configurable display name to frontend
This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting.
Similarly for the file based backend a new required key "name" has been introduced.

This can also be used down the line with OIDC as a separate scope.

* Update references from Name to DisplayName
* Update compose bundles to include displayname refs
* Update LDAP automatic profile refresh
* Ensure display name is updated
* Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 20:50:21 +10:00
James Elliott fcd0b5e46a
[FEATURE] Allow Authelia to listen on a specified path (#1027)
* [FEATURE] Allow Authelia to listen on a specified path

* Fix linting and add a couple typescript types

* Template index.html to support base_url

* Update docs and configuration template

* Access base path from body attribute.

* Update CSP

* Fix unit test
Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful.

* Template index.html with ${PUBLIC_URL}

* Define PUBLIC_URL in .env(s)

* Add docs clarification

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 12:20:55 +10:00
James Elliott a4cf2e675f
[DEPRECATE] Remove Google Analytics (#1021)
* it doesn't work with our current CSP
* it's probably not used by anyone
* it isn't in harmony with our security purposes
* literally removes all use of it
* suggestions from code review
* remove useless test.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-16 09:41:42 +10:00
Clément Michaud 29325ab273
Fix CSP not propagated in default handler. (#915)
Also:
- not hide the CSP header in the dist version of suites.
- Fix CSP errors due to FontAwesome loading stylesheets dynamically.
2020-04-26 00:12:55 +02:00
James Elliott 4e7d645084
[FIX] Layout discrepancy with U2F (#914)
* 4.8.0 deps bump changed the root containers padding from 32px to 24px
* only affects the u2f screen, this fixes the padding on the root container for the Login Layout
* this makes u2f screen layout behave the same as all of the other ones
2020-04-25 16:56:56 +02:00
Amir Zarrinkafsh 69c822a7ed
[MISC] Tweak frontend portal behaviour on enter keypress (#874)
Currently the first factor login page has somewhat inconsistent behaviour when pressing enter on a field.

The typical workflow will focus the next field from username -> password -> attempt login.
However if a user wants to tab down and hit spacebar to activate the remember me option, they cannot just hit enter and attempt a login.

This change will attempt a sign-in if the username and password fields both contain data and enter is pressed on either the username, password or remember me fields.
If the first condition is not met the the respective field(s) will error (turn red) and focus will be set to the in sequential order per the normal workflow.
2020-04-16 10:09:12 +02:00
James Elliott 9800421b88
[FEATURE] Disable Reset Password (#823)
* [FEATURE] Disable Reset Password
* add configuration key to authentication_backend called disable_reset_password
* disable_reset_password prevents the API handler for the functionality and the UI element
* disable_reset_password is a boolean
* adjust RememberMeEnabled to be RememberMe instead as it's just unnecessary
* add docs for security measures and in the authentication docs
* updated config.template.yml
* add flexEnd style to align reset password when remember me disabled
* add todo items for ldap user/password validation relating to this
2020-04-05 09:28:09 +10:00
James Elliott 626f5d2949
[FEATURE] Remember Me Configuration (#813)
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis 
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator 
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
2020-04-04 10:11:33 +11:00
Amir Zarrinkafsh d82b46a3ec
[FEATURE] Autofocus on authentication and OTP pages (#806)
* [FEATURE] Autofocus on authentication and OTP pages
This change sets the input focus on the first factor authentication and OTP pages.

The behaviour for the first factor authentication page has also been amended slightly, if an incorrect username or password is provided the password field will be cleared and set as the focus.

One thing to note is that the OTP page does not focus on any re-rendering and this is because the component doesn't handle focusing. This means that the OTP input only is auto-focused when you first visit it, if you enter an incorrect OTP there will be no focus.

Ideally we should be looking for a different library or writing a component for this ourselves in future.

Closes #511.

* Add TODO markers for potential refactor
2020-04-01 10:27:54 +11:00
Clément Michaud 7a3e782dc0
[FEATURE][BREAKING] Allow users to sign in with email. (#792)
* [FEATURE][BREAKING] Allow users to sign in with email.

The users_filter purpose evolved with the introduction of username_attribute
but is reverted here to allow the most flexibility. users_filter is now the
actual filter used for searching the user and not a sub-filter based on the
username_attribute anymore.

* {input} placeholder has been introduced to later deprecate {0} which has been
kept for backward compatibility.
* {username_attribute} and {mail_attribute} are new placeholders used to back
reference other configuration options.

Fix #735

* [MISC] Introduce new placeholders for groups_filter too.

* [MISC] Update BREAKING.md to mention the change regarding users_filter.

* [MISC] Fix unit and integration tests.

* Log an error message in console when U2F is not supported.

* Apply suggestions from code review

* Update BREAKING.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-31 09:36:04 +11:00
James Elliott 40fb13ba3c
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773)
* Add period TOPT config key to define the time in seconds each OTP is rotated
* Add skew TOTP config to define how many keys either side of the current one should be considered valid
* Add tests and set minimum values
* Update config template
* Use unix epoch for position calculation and Fix QR gen
  * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute
* Generate QR based on period
* Fix OTP timer graphic
2020-03-25 12:48:20 +11:00
dependabot-preview[bot] e5173da69e
[MISC] (deps): Bump @material-ui/core from 4.8.0 to 4.9.7 in /web (#743)
* [MISC] (deps): Bump @material-ui/core from 4.8.0 to 4.9.7 in /web

Bumps [@material-ui/core](https://github.com/mui-org/material-ui/tree/HEAD/packages/material-ui) from 4.8.0 to 4.9.7.
- [Release notes](https://github.com/mui-org/material-ui/releases)
- [Changelog](https://github.com/mui-org/material-ui/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mui-org/material-ui/commits/v4.9.7/packages/material-ui)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Fix compilation.

Signed-off-by: Clement Michaud <clement.michaud34@gmail.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-03-21 13:24:59 +11:00
Amir Zarrinkafsh 72a3f1e0d7
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684)
When no rule is set to two_factor in ACL configuration, 2FA is
considered disabled. Therefore, when a user cannot be redirected
correctly because no target URL is provided or the URL is unsafe,
the user is either redirected to the default URL or to the
'already authenticated' view instead of the second factor view.

Fixes #683
2020-03-06 11:31:09 +11:00
Clément Michaud d1d02d9eae
[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611)
* Redirect to default URL after 1FA when default policy is one_factor.

User is now redirected to the default redirection URL after 1FA if
the default policy is set to one_factor and there is no target URL
or if the target URL is unsafe.

Also, if the default policy is set to one_factor and the user is already
authenticated, if she visits the login portal, the 'already authenticated'
view is displayed with a logout button.

This fixes #581.

* Update users.yml

* Fix permissions issue causing suite test failure
2020-02-05 08:18:02 +11:00
Clément Michaud 2e86f270cd Encode URL set to rd parameter. (#559)
* Encode URL set to rd parameter.

URL encoding that parameter solves PR #476.

Some URL parameters set during redirection were magically disappearing
after the redirection due to the authentication process. By using URL encoding,
those parameters should not be stripped anymore.

* Fix integration tests.
2020-01-19 01:57:42 +11:00
Amir Zarrinkafsh 612881ca67 Fix spelling errors 2020-01-10 11:33:18 +01:00
Amir Zarrinkafsh fabb76754e
Rename org from clems4ever to authelia
Also fix references from config.yml to configuration.yml
2019-12-24 13:14:52 +11:00
Clement Michaud 3d20142292 Allow administrator to provide a Google Analytics tracking ID.
Providing a GA tracking ID allows administrators to analyze
how the portal is used by their users in large environments,
i.e., with many users.
This will make even more sense when we have users and admins
management interfaces.
2019-12-08 14:31:48 +01:00
Clement Michaud df33bef478 Test user does see the not registered message.
When a user use Authelia for the first time no device is enrolled in DB.
Now we test that the user does see the "not registered" message when
no device is enrolled and see the standard 2FA method when a device is
already enrolled.
2019-12-08 14:31:48 +01:00
Clement Michaud 5f8726fe87 Let the user know device is not enrolled.
A message is now displayed to the user when he first sign in
in Authelia letting him know that a device must be enrolled.

Also introduce a message letting him know when he is already
authenticated.
2019-12-08 14:31:48 +01:00
Clement Michaud 5942e00412 Introduce hasU2F and hasTOTP in user info. 2019-12-08 14:31:48 +01:00
Clement Michaud 3aacb34571 Raise sign in timeout of security key to 30 seconds. 2019-12-05 23:20:12 +01:00
Clement Michaud 135cf718d5 Fix DuoPush suite and do some clean up. 2019-12-05 11:05:24 +01:00
Clement Michaud b89f63e9c1 Fix and parallelize integration tests. 2019-12-05 11:05:24 +01:00
Clement Michaud c78a732c6a Rewrite and fix remaining suites in Go. 2019-12-05 11:05:24 +01:00
Clement Michaud 373911d199 Add first unit tests to frontend components. 2019-12-05 11:05:24 +01:00
Clement Michaud 9ae2096d2a Rewrite authelia frontend to improve user experience.
This refactoring simplify the code of the frontend and prepare the
portal for receiving a user settings page and an admin page.
2019-12-05 11:05:24 +01:00