Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
* change all instances (file names and docs) of "config.template.yml" to "configuration.template.yml" so its consistent with the expectations of the Dockerfile
* Keep config.template.yml named as is
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* Update index.html
* revert filename changes and add a note about docker
* refactor: apply suggestions from code review
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).
Fixes#1226.
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.
Closes#594. Closes#1039.
This change addresses an issue with the usage of the full sender configuration option in the MAIL FROM SMTP command. If a user includes a name in the sender this shouldn't be sent in the MAIL FROM command, instead we should extract it and use just the email portion.
Fixes#2571
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.
Closes#682
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.
Fixes#1337
* feat: customizable static assets
This change provides the means to override specific assets from the embedded Go FS with files situated on disk.
We only allow overriding the following files currently:
* favicon.ico
* logo.png
* refactor(server): make logo string a const
* refactor(suites): override favicon and use ntp3 in traefik2 suite
* test(suites): test logo override in traefik2 suite
* test(suites): test asset override fallback in traefik suite
Closes#1630.
* Check for pnpm in authelia-scripts
* Improve husky hooks to check for required apps
* Use pnpm in coverage dockerfile
* Use pnpm in dev workflow
* Stop buildx log truncation
* Ignore pnpm lockfile in yamllint
* Update versions required for docker and docker-compose in contributing docs
This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal.
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
This change implements a --config flag for the hash-password which parses the config and validates it just as it would at run-time. The values specified in the config replace those specified as parameters.
* feat(cmd): add config flag to hash-password tool
* fix(cmd): fix linting issue
Closes: #1709.
* ci: add husky with pre-commit and commit-msg hooks
This change includes two new hooks as part of our GitHub workflow with husky:
* `pre-commit`: Performs linting with golangci-lint and eslint/prettier
* `commit-msg`: Ensures that the commit messages conform to our guidelines and will error and provide context to a user when they do not.
The `prepare` command which has been included is executed each time a `yarn install` is executed.
* ci: extend @commitlint/config-conventional configuration
* fix: lint all dot js files
* docs: add gitea redirect_uri with notes to community docs
* docs: remove unnecessary dash from Gitea notes
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This implements both a connection timeout for LDAP connections, and makes it configurable by administrators. The default is 5s. The reason for this commit is currently if a connection to an LDAP server cannot be established it does not timeout in a reasonable period.
This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.
BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
This updates and unifies the contact options so it is easier to maintain. All contact options now link back to one of two locations, and both of these locations are a copy and paste for the most part.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
James Elliott
Aram Akhavan
Philipp Staiger
Amir Zarrinkafsh
Justin Sievenpiper
dependabot[bot]
yossbg
Alex Gustafsson
Nicolas Reymundo
polandy
Georg Lauterbach