Commit Graph

13 Commits (39555179e4b33e123433b68937d6b3a8995a5b99)

Author SHA1 Message Date
Clement Michaud 73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud 563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Dylan Smith c62b85e37d Less restrictive email handler - replace gmail with generic 2017-10-25 19:28:56 +11:00
Clement Michaud ce264ff4d3 Add {dn} as an available matcher in LDAP groups filter
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.

e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.

Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
Clement Michaud ab8aaeda25 Add configuration schema validation before starting Authelia 2017-10-10 21:59:20 +02:00
Clement Michaud 2a3fde5ee7 Add a schema validator to check user configuration 2017-10-10 01:14:36 +02:00
Clement Michaud 1ab09b71d4 Specify the sender email in Gmail and Smtp notifier configuration
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
Clement Michaud 9624aa6311 Adapt authentication methods configuration to be backward compatible
Prior version of configuration file can be used, the authentication methods
will be set to default values (two_factor as default method).
2017-10-09 23:14:05 +02:00
Clement Michaud 267cf2921d Adapt ACL configuration to make it more flexible
Basically, the ACL configuration was very static and it was not allowed
to remove 'any', 'groups', 'users'. The application crashed when those
keys did not exist.
After this fix, every key is optional and replaced by a default value
for the app configuration to be complete and used by Authelia.

Later, a configuration validator will be implemented to detect issues
with configuration at startup.
2017-10-08 15:34:58 +02:00
Clement Michaud 66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00