Commit Graph

146 Commits (2e3e1a7c8bd328bb356d92c7ae7c902abc33540d)

Author SHA1 Message Date
Clement Michaud 48d6107b0b Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 23:03:09 +02:00
Clement Michaud a9a14f8586 Add original nginx-ingress template to compare with the new one 2018-04-24 22:32:56 +02:00
Clement Michaud 0b2f6ace83 Fix unit and integration tests 2018-03-29 23:09:29 +02:00
Clement Michaud 6586402114 Support 'redirect' in /api/verify endpoint to support Traefik
Traefik handles auth forwarding but does not manage redirections like Nginx.
Therefore, Authelia must redirect the user and Traefik will forward this
request.

To support both Nginx and Traefik, /api/verify is now configurable with the
'redirect' get parameter. If the verification fails and 'redirect' is not
provided the response will be a 401 error as before.
If the parameter is provided and set to any URL, the response will be a
redirection (302) to this URL.
2017-12-04 22:52:33 +01:00
Clement Michaud a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud 009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud 6b78240d39 Fix endpoints redirection on errors
From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clement Michaud 54854bacb1 Use issuer and label when generating otpauthURL for TOTP
Issuer is customizable in configuration so that a company can set its own name
or website. If not provided, default value is 'authelia.com'.

The username is used as label.
2017-10-31 21:36:47 +01:00
Clement Michaud 73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud 3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering in the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00
Clement Michaud 22d56b1faa Change basicauth.test.local into single_factor.test.local 2017-10-31 07:27:36 +01:00
Clement Michaud cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud 563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud 3a88ca95b8 Check TOTP token with window of 1
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00
Clement Michaud c02d9b4a6e Display current URL when redirection step fails in integration tests 2017-10-14 22:12:00 +02:00
Clement Michaud 8cf58d7b31 Add tests on headers forwarded to backend
Ensure Remote-User and Remote-Groups can be forwarded to the backend app.
2017-10-14 22:11:56 +02:00
Clement Michaud 56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud 9559bff5de Remove artifacts of only_basic_auth query param 2017-10-09 02:03:05 +02:00
Clement Michaud 1cf4e57bb1 Redirect user when he has already validated some factors
Example 1: The user has validated first factor when accessing a service
protected by basic auth. When he tries to access another service protected
by second factor, he is redirected to second factor step to complete
authentication.

Example 2: The user has already validated second factor. When he access auth
service, he is redirected either to /loggedin page that displays an "already
logged in" page or to the URL provided in the "redirect" query parameter.
2017-10-09 01:07:32 +02:00
Clement Michaud b7a180af9b Fix randomness in integration tests 2017-10-08 17:13:29 +02:00
Clement Michaud 54c93fc945 Fix randomness with integration tests
The notification message pops up and hide after few seconds.
Sometimes, chrome drivers tries to click on a button that moves due
to the notification message animation and thus miss it.
2017-10-08 16:28:12 +02:00
Clement Michaud 66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00
Clement Michaud 4cbf6efa42 Disable second factor for certain subdomain 2017-09-26 23:09:33 +02:00
Clement Michaud f564174998 Remove FileSystem notifier completely 2017-09-24 23:20:51 +02:00
Clement Michaud 4cd78f3f83 Add SMTP notifier as an available option in configuration
One can now plug its own SMTP server to send notifications
for identity validation and password reset requests.

Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clement Michaud cf16272a73 Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
2017-09-24 21:39:47 +02:00
Clement Michaud d005b83365 Set headers values Remote-User and Remote-Groups in /verify response 2017-09-22 21:25:15 +02:00
Clement Michaud 0a33b2d5ee Add logs to detect redis connection issues earlier
Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem
2017-09-22 20:52:05 +02:00
Clement Michaud 7128970a53 Add redirection URL as a query parameter during authentication
Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since user could open several pages in
browser and thus override the redirection URL leading the user to
be incorrectly redirected.
2017-09-22 17:53:18 +02:00
FrozenDragoon 489dbf9e30 Merge branch 'master' into feature-dockercompose 2017-09-11 13:28:39 -05:00
Clement Michaud a39605f9d7 Stabilize integration tests by increasing timeouts 2017-09-09 00:43:18 +02:00
FrozenDragoon e644fe7b7b Split example scripts, allow running example using pre-built docker container (example-dockerhub) or build build from source, as it is now (example-commit). 2017-09-05 06:32:50 -05:00
Clement Michaud 85462be268 Wait for notifications to fade out before going forward in integration test steps. 2017-09-03 15:02:38 +02:00
Clement Michaud 98aa23ed5e Fix client notifications not fading out after few seconds 2017-09-03 13:00:02 +02:00
Clement Michaud 64c06fd6b8 Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-03 12:48:35 +02:00
Clement Michaud 20536abf8b Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 22:38:26 +02:00
Clement Michaud 50636587a8 Notifications to users do not use notifyjs anymore. They are more common and located in the form areas to improve visibility on mobile devices. 2017-09-02 16:33:57 +02:00
Clement Michaud 61d0c2e980 Fix typescript transpilation after typescript update 2017-09-01 16:06:02 +02:00
Clement Michaud 928209dc98 Fix redirection after authentication and error page when accessing restricted pages 2017-08-03 00:41:13 +02:00
Clement Michaud c12a085f8e Replace mocha integration tests by cucumber tests 2017-07-31 22:20:33 +02:00
Clement Michaud e45ac39c8f Add Mongo as scalable and resilient storage backend 2017-07-31 00:29:00 +02:00
Clement Michaud fd59044f5e Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-19 20:59:39 +02:00
Clement Michaud 6d5fc84693 Add an icon to the webpages of example 2017-07-16 16:19:44 +02:00
Clement Michaud 74cbfc637b Add system tests to test the example from end user point of view 2017-07-16 14:55:01 +02:00
Clement Michaud 8f152d2328 Fix example environment 2017-07-14 19:05:42 +02:00
Clement Michaud f516aaf243 Adding one integration test for redis 2017-07-14 00:25:11 +02:00
Clement Michaud 94f5a1f256 Fix unit tests of SessionConfigurationBuilder 2017-07-13 23:21:33 +02:00
Clement Michaud e947fed979 Read configuration of redis from the yaml file. 2017-07-13 23:17:04 +02:00
Clement Michaud 925b58fabc Add redis option to the express-session middleware 2017-07-13 23:14:31 +02:00
Clement Michaud e56c2492ed Fix integration test and package Travis scripts 2017-06-29 13:09:08 +02:00
Clement Michaud 0414d28e2b Fix LDAP binding non working on servers with restricted ACL rules and add unit tests 2017-06-29 11:29:33 +02:00
Clement Michaud ddf1e48535 Refactor client to make it responsive and testable 2017-06-16 18:16:38 +02:00
Clement Michaud f96074b0c9 Fix redirection url sent by email during identity validation 2017-06-16 18:16:38 +02:00
Clement Michaud 9fddcc7e93 Fix issue with domain access during first factor phase 2017-05-22 00:19:38 +02:00
Clement Michaud 9e89a690fb Finish migration to typescript 2017-05-21 22:45:54 +02:00
Clement Michaud e3257b81a5 Move denyNotLogged function to typescript 2017-05-21 13:11:54 +02:00
Clement Michaud fad23ff3be Move Authentication validator and routes to typescript 2017-05-21 12:58:12 +02:00
Clement Michaud c98c07832d Move TOTP authenticator to typescript 2017-05-21 12:14:59 +02:00
Clement Michaud b54c181d27 Move ldap client to typescript 2017-05-21 01:15:34 +02:00
Clement Michaud bada70cf64 Move exceptions to typescript 2017-05-20 22:55:37 +02:00
Clement Michaud bf74667726 Move TOTP Validator and Generator to typescript 2017-05-20 19:16:57 +02:00
Clement Michaud 40e02d23bf Move access-control feature to typescript 2017-05-20 17:30:42 +02:00
Clement Michaud 57278a7306 Move notifiers to typescript 2017-05-20 16:01:56 +02:00
Clement Michaud b0c6c61df5 Migrate server to typescript 2017-05-20 16:01:18 +02:00
Clement Michaud 923886667d moving authentication regulator to typescript 2017-05-20 16:01:09 +02:00
Clement Michaud 4356cfe7c1 First step to typescript transformation 2017-05-20 16:00:47 +02:00
Clement Michaud 6d24e82835 Remove '/authentication/' base path from endpoint URLs 2017-05-14 17:41:56 +02:00
Clement Michaud dabd24e06a Adding integration tests for testing the example deployment 2017-05-14 16:50:57 +02:00
Clement Michaud 32ff6cb387 Remove qrcode dependency as an npm package and replace it with a client side cross-browser library that generates qrcodes 2017-05-14 13:37:05 +02:00
Clement Michaud b403cfe2f8 Rework the configuration of the access control to allow default policy for certain domains 2017-03-25 18:38:14 +01:00
Clement Michaud e310478e6d Allow per user access control rules 2017-03-25 15:28:57 +01:00
Clement Michaud 2a73b1a431 Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains 2017-03-25 15:17:21 +01:00
Clement Michaud 4b93338bae Move config adaptation into a module and make it testable 2017-03-22 22:28:54 +01:00
Clement Michaud c7e4f76b9c Add an LDAP user search filter in the configuration filte to specify the user attribute to search for in LDAP 2017-03-16 01:25:55 +01:00
Clement Michaud 606ddc7308 Handle SSO over multiple subdomains 2017-03-15 23:07:57 +01:00
Clement Michaud 2cc854b968 Adding ApiDoc documentation to the repository 2017-01-29 01:33:48 +01:00
Clement Michaud 5be5b34522 Remove temporarily integration tests 2017-01-28 20:13:56 +01:00
Clement Michaud d29aac78d0 Create a filesystem notifier for simple getting started 2017-01-28 19:59:15 +01:00
Clement Michaud 90494407a9 Register TOTP secrets per user 2017-01-28 18:27:54 +01:00
Clement Michaud b205ba6a0d Use a rendered html email template for identity check 2017-01-28 02:33:45 +01:00
Clement Michaud cb98f0454a Implement authentication regulation 2017-01-28 01:32:25 +01:00
Clement Michaud 05046338ed Implement password reset 2017-01-27 01:20:03 +01:00
Clement Michaud 804039b6aa Registration process consumes the token so that it can only be used once 2017-01-22 18:06:12 +01:00
Clement Michaud d3db94105e Registration process sends an email to allow user to register its U2F device 2017-01-22 17:54:45 +01:00
Clement Michaud 3d82cef30b Fix u2f tests 2017-01-21 21:57:48 +01:00
Clement Michaud 631b201229 Remove _auth query path and update nginx config so that every authentication request is proxified under /auth/ 2017-01-21 20:33:55 +01:00
Clement Michaud 8b4339f8da Use filesystem data store to save u2f meta info 2017-01-21 20:24:35 +01:00
Clement Michaud 9670b23a8b Implement FIDO u2f authentication 2017-01-21 17:41:06 +01:00
Clement Michaud 8c743228bf Use promises in jwt component 2017-01-19 01:44:24 +01:00
Clement Michaud d21164af58 Validate first factor through a post request 2017-01-19 01:01:37 +01:00
Clement Michaud ccbcb758f0 Reconnect to LDAP when connection is closed (or not open at the beginning) 2016-12-18 01:49:09 +01:00
Clement Michaud 318bf33d2c Move unit tests to unitary directory and add integration tests 2016-12-18 00:07:56 +01:00
Clement Michaud 7aacae842d Edit nginx configuration and add redirection during login and logout 2016-12-17 19:36:41 +01:00
Clement Michaud e13315eb92 Move files from app to src and tests in root directory + adding more tests 2016-12-17 02:06:40 +01:00