Commit Graph

967 Commits (40fb13ba3c2adac42e38336c0a66732e155df00c)

Author SHA1 Message Date
Clement Michaud 56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clément Michaud 3bea8a290a Merge pull request #137 from clems4ever/mail-sender
Specify mail sender for SMTP and Gmail notifiers
2017-10-10 23:08:55 +02:00
Clement Michaud ab8aaeda25 Add configuration schema validation before starting Authelia 2017-10-10 21:59:20 +02:00
Clement Michaud 2a3fde5ee7 Add a schema validator to check user configuration 2017-10-10 01:14:36 +02:00
Clement Michaud 1ab09b71d4 Specify the sender email in Gmail and Smtp notifier configuration
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
Clément Michaud d5035b8704 Merge pull request #131 from clems4ever/disable-second-factor
Allow basic authentication in configuration
2017-10-09 23:27:36 +02:00
Clement Michaud 9624aa6311 Adapt authentication methods configuration to be backward compatible
Prior version of configuration file can be used, the authentication methods
will be set to default values (two_factor as default method).
2017-10-09 23:14:05 +02:00
Clement Michaud bc8fe623df Use minified version of Authelia in npm package 2017-10-09 02:03:11 +02:00
Clement Michaud 9559bff5de Remove artifacts of only_basic_auth query param 2017-10-09 02:03:05 +02:00
Clément Michaud 2641fb1620 Merge pull request #130 from clems4ever/revert-filesystem-notifier
Revert filesystem notifier
2017-10-09 01:58:06 +02:00
Clement Michaud 46deb765bb 3.5.0 2017-10-09 01:15:40 +02:00
Clement Michaud a0aab77449 Add a section dealing with basic auth in README 2017-10-09 01:14:19 +02:00
Clement Michaud 9ddc0949b6 Add a way to logout at second factor stage 2017-10-09 01:07:43 +02:00
Clement Michaud 1cf4e57bb1 Redirect user when he has already validated some factors
Example 1: The user has validated first factor when accessing a service
protected by basic auth. When he tries to access another service protected
by second factor, he is redirected to second factor step to complete
authentication.

Example 2: The user has already validated second factor. When he access auth
service, he is redirected either to /loggedin page that displays an "already
logged in" page or to the URL provided in the "redirect" query parameter.
2017-10-09 01:07:32 +02:00
Clement Michaud c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud e4274fbe1b Add a note about filesystem notifier option
This note tells the users testing with npm that they can enable the
filesystem notifier feature to test identity validation without access
to mailcatcher webmail.
2017-10-08 22:58:56 +02:00
Clément Michaud 6940e15ffa Merge pull request #125 from clems4ever/improve-logs
Improve logging format for clarity
2017-10-08 22:49:50 +02:00
Clément Michaud 83348f49c2 Merge pull request #129 from clems4ever/dockerhub-deployment
Deploy latest along with release tag
2017-10-08 22:49:41 +02:00
Clement Michaud 346c559141 Make file system an available notifier option for testing purpose 2017-10-08 22:48:20 +02:00
Clement Michaud 78f6028c1b Improve logging format for clarity
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
2017-10-08 22:33:50 +02:00
Clement Michaud 09b4bcadd4 Deploy latest along with release tag
Prior to this fix, every master commits was released to Dockerhub under latest
tag and tagged commit was released with a version tag in Dockerhub.
'Latest' tag in dockerhub should reference the latest released version and not
the head of master branch.

Thus, after this fix, 'latest' tag references the latest released version of
Authelia and 'master' tag references the head of master git branch.
2017-10-08 18:56:18 +02:00
Clément Michaud 26418278bc Merge pull request #127 from clems4ever/adapt-acl-config
Adapt ACL configuration to make it more flexible
2017-10-08 17:31:19 +02:00
Clement Michaud b7a180af9b Fix randomness in integration tests 2017-10-08 17:13:29 +02:00
Clement Michaud 54c93fc945 Fix randomness with integration tests
The notification message pops up and hide after few seconds.
Sometimes, chrome drivers tries to click on a button that moves due
to the notification message animation and thus miss it.
2017-10-08 16:28:12 +02:00
Clement Michaud d86a3f8393 3.4.2 2017-10-08 16:11:16 +02:00
Clement Michaud bf56e378e0 Fail docker publication when login to docker fails 2017-10-08 16:11:05 +02:00
Clement Michaud 267cf2921d Adapt ACL configuration to make it more flexible
Basically, the ACL configuration was very static and it was not allowed
to remove 'any', 'groups', 'users'. The application crashed when those
keys did not exist.
After this fix, every key is optional and replaced by a default value
for the app configuration to be complete and used by Authelia.

Later, a configuration validator will be implemented to detect issues
with configuration at startup.
2017-10-08 15:34:58 +02:00
Clement Michaud f3f61d4e13 3.4.1 2017-10-08 14:48:46 +02:00
Clément Michaud 15374f39d1 Merge pull request #122 from clems4ever/disable-autocomplete
Disable autocomplete for TOTP field
2017-10-07 23:44:33 +02:00
Clément Michaud 7aa458e306 Merge pull request #121 from clems4ever/disable-express-powered-by
Disable x-powered-by header sent by express
2017-10-07 22:46:07 +02:00
Clement Michaud e05d1c9c0f Disable autocomplete for TOTP field 2017-10-07 22:23:28 +02:00
Clement Michaud 2349de6698 Disable x-powered-by header sent by express 2017-10-07 22:18:40 +02:00
Clément Michaud 0fee64ed88 Merge pull request #120 from clems4ever/fix-missing-images
Fix missing images in notification messages
2017-10-07 22:13:35 +02:00
Clément Michaud b74cf5fd77 Merge pull request #119 from clems4ever/remove-smtp-logs
Remove useless logs displaying smtp credentials
2017-10-07 22:10:11 +02:00
Clement Michaud ae720c5230 Fix missing images in notification messages 2017-10-07 21:58:41 +02:00
Clement Michaud a4d7ade791 Remove useless logs displaying smtp credentials 2017-10-07 21:48:43 +02:00
Clément Michaud 9933900395 Merge pull request #106 from clems4ever/username-in-group-filter
Use username matcher instead of user dn in group filter
2017-10-07 14:22:13 +02:00
Clement Michaud 66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clément Michaud be81f04248 Merge pull request #105 from clems4ever/split-client-server
Split client and server
2017-10-07 11:36:05 +02:00
Clement Michaud d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00
Clement Michaud 444d278a1e 3.4.0 2017-10-04 21:53:19 +02:00
Clément Michaud 89de19bb35 Merge pull request #98 from clems4ever/disable-second-factor
Allow basic auth for certain subdomains
2017-09-26 23:25:07 +02:00
Clement Michaud 4cbf6efa42 Disable second factor for certain subdomain 2017-09-26 23:09:33 +02:00
Clément Michaud 1636fc27e5 Fix bad merge on README.md 2017-09-25 13:32:25 +02:00
Clément Michaud 92ef190202 Merge pull request #97 from clems4ever/smtp-notifier
Add SMTP notifier as an available option in configuration
2017-09-24 23:56:44 +02:00
Clement Michaud f564174998 Remove FileSystem notifier completely 2017-09-24 23:20:51 +02:00
Clement Michaud 4cd78f3f83 Add SMTP notifier as an available option in configuration
One can now plug its own SMTP server to send notifications
for identity validation and password reset requests.

Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clément Michaud 7a2b45a66f Merge pull request #95 from clems4ever/acl-by-resources
Refine access control with per resource ACLs
2017-09-24 21:54:18 +02:00
Clement Michaud cf16272a73 Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
2017-09-24 21:39:47 +02:00
Clément Michaud 59d0a06a95 Merge pull request #94 from clems4ever/nginx-abort-connection
Add Content-Length header to the forwarded request to Authelia
2017-09-23 19:01:29 +02:00