This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important.
This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins.
This allows overriding translation files in folders with lowercase RFC5646 / BCP47 Format language codes. This also fixes an issues where languages which don't expressly match the language code specified due to having a variant will also match the existing codes.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully.
Closes#2755, Closes#2756
Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
This fixes a usage of uuid.New() which can potentially panic. Instead we use a uuid.NewRandom() which also generates a UUID V4 instead of a UUID V1. In addition all uuid.NewUUID() calls have been replaced by uuid.NewRandom().
This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler.
Fixes#2765
This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets.
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).
Fixes#1226.
This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors.
Fixes#116, Fixes#1293.
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.
Fixes#1337
* feat: customizable static assets
This change provides the means to override specific assets from the embedded Go FS with files situated on disk.
We only allow overriding the following files currently:
* favicon.ico
* logo.png
* refactor(server): make logo string a const
* refactor(suites): override favicon and use ntp3 in traefik2 suite
* test(suites): test logo override in traefik2 suite
* test(suites): test asset override fallback in traefik suite
Closes#1630.
* refactor(handlers): lower case error messages
also refactor verifyAuth function to detect malicious activity both with session
cookie and authorization header.
* refacto(handlers): simplify error construction
* fix(handlers): check prefix in authorization header to determine auth method
* fix(handlers): determining the method should be done with headers instead of query arg
* refacto(handlers): rollback changes of verifyAuth
* don't lowercase log messages
* Apply suggestions from code review
Make sure logger errors are not lowercased.
* fix: uppercase logger errors and remove unused param
* Do not lowercase logger errors
* Remove unused param targetURL
* Rename url variable to not conflict with imported package
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal.
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
* fix: oidc issuer path and strip path middleware
This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content.
* fix: only log the token error and general refactoring
* refactor: factorize base_url functions
* refactor(server): include all paths in startup logging
* refactor: factorize
* refactor: GetExternalRootURL -> ExternalRootURL
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
This replaces github.com/dgrijalva/jwt-go and github.com/form3tech-oss/jwt-go with github.com/golang-jwt/jwt which will be the maintained package going forward.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.
This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.
We are still working on adding the remaining set of features before making it GA as soon as possible.
Related to #189
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
* add a plain text email template
* use plain text email template for file based emails
* add config option to SMTP emails named disable_html_emails
* config option is a boolean that when set to true will only send plain text emails
* add docs for more complex SMTP notifier options
* update template
* add rfc1341 multipart logic to notifier
* check for errors after identity_verification
* * fix nil ptr
* go mod tidy
* remove needless checks
* * use multipart/atlernative instead
* * add rfc5322 compliant date header
* * fix linting issues
* [FEATURE] Allow Authelia to listen on a specified path
* Fix linting and add a couple typescript types
* Template index.html to support base_url
* Update docs and configuration template
* Access base path from body attribute.
* Update CSP
* Fix unit test
Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful.
* Template index.html with ${PUBLIC_URL}
* Define PUBLIC_URL in .env(s)
* Add docs clarification
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
* [FEATURE] Customizable Email Subject
* allow users to optionally change email subject
* this is so they can more easily communicate the source of the email
* Update docs/configuration/notifier/smtp.md
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
* Remove unused mongo docker-compose file.
* Default redirection URL was not taken into account.
* Fix possible storage options in config template.
* Remove useless checks in u2f registration endpoints.
* Add default redirection url in config of duo suite.
* Fix log line in response handler of 2FA methods.
* Fix integration tests.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Instead of checking the value of the cookie expiration we rely
on the boolean stored in the user session to check whether inactivity
timeout should be disabled.
Authelia needs to know with what IP was the request originating in
order to apply network based ACL rules. Authelia already supported
X-Forwarded-For but X-Real-IP is another way to define it. It takes
precedence over X-Forwarded-For.