Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).
Fixes#1226.
This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors.
Fixes#116, Fixes#1293.
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.
Fixes#1337
* refactor(handlers): lower case error messages
also refactor verifyAuth function to detect malicious activity both with session
cookie and authorization header.
* refacto(handlers): simplify error construction
* fix(handlers): check prefix in authorization header to determine auth method
* fix(handlers): determining the method should be done with headers instead of query arg
* refacto(handlers): rollback changes of verifyAuth
* don't lowercase log messages
* Apply suggestions from code review
Make sure logger errors are not lowercased.
* fix: uppercase logger errors and remove unused param
* Do not lowercase logger errors
* Remove unused param targetURL
* Rename url variable to not conflict with imported package
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* [FIX] Send correct HTTP status codes for 1FA
* use harmonious func to handle all 1FA attempt errors
* use same harmonious func to handle 2FA attempt errors
* always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
* fix tests
* refactor isTargetURLAuthorized
* fix padding and imports
* harmonize remaining return messages
* fixup docs and layout of verifySessionHasUpToDateProfile
* [FIX] LDAP Not Checking for Updated Groups
* refactor handlers verifyFromSessionCookie
* refactor authorizer selectMatchingObjectRules
* refactor authorizer isDomainMatching
* add authorizer URLHasGroupSubjects method
* add user provider ProviderType method
* update tests
* check for new LDAP groups and update session when:
* user provider type is LDAP
* authorization is forbidden
* URL has rule with group subjects
* Implement Refresh Interval
* add default values for LDAP user provider
* add default for refresh interval
* add schema validator for refresh interval
* add various tests
* rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong
* use Authelia ctx clock
* add check to determine if user is deleted, if so destroy the
* make ldap user not found error a const
* implement GetRefreshSettings in mock
* Use user not found const with FileProvider
* comment exports
* use ctx.Clock instead of time pkg
* add debug logging
* use ptr to reference userSession so we don't have to retrieve it again
* add documenation
* add check for 0 refresh interval to reduce CPU cost
* remove badly copied debug msg
* add group change delta message
* add SliceStringDelta
* refactor ldap refresh to use the new func
* improve delta add/remove log message
* fix incorrect logic in SliceStringDelta
* add tests to SliceStringDelta
* add always config option
* add tests for always config option
* update docs
* apply suggestions from code review
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
* complete mocks and fix an old one
* show warning when LDAP details failed to update for an unknown reason
* golint fix
* actually fix existing mocks
* use mocks for LDAP refresh testing
* use mocks for LDAP refresh testing for both added and removed groups
* use test mock to verify disabled refresh behaviour
* add information to threat model
* add time const for default Unix() value
* misc adjustments to mocks
* Suggestions from code review
* requested changes
* update emails
* docs updates
* test updates
* misc
* golint fix
* set debug for dev testing
* misc docs and logging updates
* misc grammar/spelling
* use built function for VerifyGet
* fix reviewdog suggestions
* requested changes
* Apply suggestions from code review
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* added support for listing multiple domains and multiple subjects
* updated documentation to show use of multiple domains and subjects
* updated config.template.yml to display multiple domains as a list
* updated config.template.yml to display multiple subjects as a list
* updated docs/configuration/access-control.md to display multiple domains as a list
* updated docs/configuration/access-control.md to display multiple subjects as a list
* removed redundant check that always returned true
* Commentary definition for `weak`
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
* [BUGFIX] Set username retrieved from authentication backend in session.
In some setups, binding is case insensitive but Authelia is case
sensitive and therefore need the actual username as stored in the
authentication backend in order for Authelia to work correctly.
Fixes#561.
* Use uid attribute as unique user identifier in suites.
* Fix the integration tests.
* Update config.template.yml
* Compute user filter based on username attribute and users_filter.
The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.
* Fix LDAP based integration tests.
* Update `users_filter` reference examples
When no rule is set to two_factor in ACL configuration, 2FA is
considered disabled. Therefore, when a user cannot be redirected
correctly because no target URL is provided or the URL is unsafe,
the user is either redirected to the default URL or to the
'already authenticated' view instead of the second factor view.
Fixes#683
* Redirect to default URL after 1FA when default policy is one_factor.
User is now redirected to the default redirection URL after 1FA if
the default policy is set to one_factor and there is no target URL
or if the target URL is unsafe.
Also, if the default policy is set to one_factor and the user is already
authenticated, if she visits the login portal, the 'already authenticated'
view is displayed with a logout button.
This fixes#581.
* Update users.yml
* Fix permissions issue causing suite test failure
Instead of checking the value of the cookie expiration we rely
on the boolean stored in the user session to check whether inactivity
timeout should be disabled.
James Elliott
Clément Michaud
Amir Zarrinkafsh
Dustin Sweigart