Clement Michaud
56fdc40290
Every public endpoint returns 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoint and page returns 200 with an error message in the
JSON body or 401 if the user is not authorized.
This policy makes it complicated for an attacker to know what the source of
the failure is and hides server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud
9559bff5de
Remove artifacts of only_basic_auth query param
2017-10-09 02:03:05 +02:00
Clement Michaud
1cf4e57bb1
Redirect the user when he has already validated some factors
Example 1: The user has validated the first factor when accessing a service
protected by basic auth. When he tries to access another service protected
by the second factor, he is redirected to the second factor step to complete
authentication.
Example 2: The user has already validated the second factor. When he accesses the auth
service, he is redirected either to the /loggedin page that displays an "already
logged in" page or to the URL provided in the "redirect" query parameter.
2017-10-09 01:07:32 +02:00
Clement Michaud
b7a180af9b
Fix randomness in integration tests
2017-10-08 17:13:29 +02:00
Clement Michaud
54c93fc945
Fix randomness with integration tests
The notification message pops up and hides after a few seconds.
Sometimes, the chrome driver tries to click on a button that moves due
to the notification message animation and thus misses it.
2017-10-08 16:28:12 +02:00
Clement Michaud
66449eedb0
Use username matcher instead of user dn in group filter
Previously, the string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the group children only have a memberUid attribute, one would
like to use the username instead of the user dn.
Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on the attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud
d8ff186303
Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.
It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00
Clement Michaud
4cbf6efa42
Disable second factor for certain subdomain
2017-09-26 23:09:33 +02:00
Clement Michaud
f564174998
Remove FileSystem notifier completely
2017-09-24 23:20:51 +02:00
Clement Michaud
4cd78f3f83
Add SMTP notifier as an available option in configuration
One can now plug in one's own SMTP server to send notifications
for identity validation and password reset requests.
Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clement Michaud
cf16272a73
Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows very fine-grained access control to backend resources.
[Note] To use the example environment, the user must update their /etc/hosts with the
new subdomains updated in the README.
2017-09-24 21:39:47 +02:00
Clement Michaud
d005b83365
Set headers values Remote-User and Remote-Groups in /verify response
2017-09-22 21:25:15 +02:00
Clement Michaud
0a33b2d5ee
Add logs to detect redis connection issues earlier
Before this fix, the application was simply crashing during execution
when the connection to redis was failing.
Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem.
2017-09-22 20:52:05 +02:00
Clement Michaud
7128970a53
Add redirection URL as a query parameter during authentication
Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since the user could open several pages in the
browser and thus override the redirection URL, leading the user to
be incorrectly redirected.
2017-09-22 17:53:18 +02:00
FrozenDragoon
489dbf9e30
Merge branch 'master' into feature-dockercompose
2017-09-11 13:28:39 -05:00
Clement Michaud
a39605f9d7
Stabilize integration tests by increasing timeouts
2017-09-09 00:43:18 +02:00
FrozenDragoon
e644fe7b7b
Split example scripts, allow running example using pre-built docker container (example-dockerhub) or build from source, as it is now (example-commit).
2017-09-05 06:32:50 -05:00
Clement Michaud
85462be268
Wait for notifications to fade out before going forward in integration test steps.
2017-09-03 15:02:38 +02:00
Clement Michaud
98aa23ed5e
Fix client notifications not fading out after a few seconds
2017-09-03 13:00:02 +02:00
Clement Michaud
64c06fd6b8
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-03 12:48:35 +02:00
Clement Michaud
20536abf8b
Introduce LDAP filters to search users and groups for more flexibility.
2017-09-02 22:38:26 +02:00
Clement Michaud
50636587a8
Notifications to users do not use notifyjs anymore. They are more common and located in the form areas to improve visibility on mobile devices.
2017-09-02 16:33:57 +02:00
Clement Michaud
61d0c2e980
Fix typescript transpilation after typescript update
2017-09-01 16:06:02 +02:00
Clement Michaud
928209dc98
Fix redirection after authentication and error page when accessing restricted pages
2017-08-03 00:41:13 +02:00
Clement Michaud
c12a085f8e
Replace mocha integration tests by cucumber tests
2017-07-31 22:20:33 +02:00
Clement Michaud
e45ac39c8f
Add Mongo as scalable and resilient storage backend
2017-07-31 00:29:00 +02:00
Clement Michaud
fd59044f5e
Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions
2017-07-19 20:59:39 +02:00
Clement Michaud
6d5fc84693
Add an icon to the webpages of example
2017-07-16 16:19:44 +02:00
Clement Michaud
74cbfc637b
Add system tests to test the example from end user point of view
2017-07-16 14:55:01 +02:00
Clement Michaud
8f152d2328
Fix example environment
2017-07-14 19:05:42 +02:00
Clement Michaud
f516aaf243
Adding one integration test for redis
2017-07-14 00:25:11 +02:00
Clement Michaud
94f5a1f256
Fix unit tests of SessionConfigurationBuilder
2017-07-13 23:21:33 +02:00
Clement Michaud
e947fed979
Read configuration of redis from the yaml file.
2017-07-13 23:17:04 +02:00
Clement Michaud
925b58fabc
Add redis option to the express-session middleware
2017-07-13 23:14:31 +02:00
Clement Michaud
e56c2492ed
Fix integration test and package Travis scripts
2017-06-29 13:09:08 +02:00
Clement Michaud
0414d28e2b
Fix LDAP binding non working on servers with restricted ACL rules and add unit tests
2017-06-29 11:29:33 +02:00
Clement Michaud
ddf1e48535
Refactor client to make it responsive and testable
2017-06-16 18:16:38 +02:00
Clement Michaud
f96074b0c9
Fix redirection url sent by email during identity validation
2017-06-16 18:16:38 +02:00
Clement Michaud
9fddcc7e93
Fix issue with domain access during first factor phase
2017-05-22 00:19:38 +02:00
Clement Michaud
9e89a690fb
Finish migration to typescript
2017-05-21 22:45:54 +02:00
Clement Michaud
e3257b81a5
Move denyNotLogged function to typescript
2017-05-21 13:11:54 +02:00
Clement Michaud
fad23ff3be
Move Authentication validator and routes to typescript
2017-05-21 12:58:12 +02:00
Clement Michaud
c98c07832d
Move TOTP authenticator to typescript
2017-05-21 12:14:59 +02:00
Clement Michaud
b54c181d27
Move ldap client to typescript
2017-05-21 01:15:34 +02:00
Clement Michaud
bada70cf64
Move exceptions to typescript
2017-05-20 22:55:37 +02:00
Clement Michaud
bf74667726
Move TOTP Validator and Generator to typescript
2017-05-20 19:16:57 +02:00
Clement Michaud
40e02d23bf
Move access-control feature to typescript
2017-05-20 17:30:42 +02:00
Clement Michaud
57278a7306
Move notifiers to typescript
2017-05-20 16:01:56 +02:00
Clement Michaud
b0c6c61df5
Migrate server to typescript
2017-05-20 16:01:18 +02:00
Clement Michaud
923886667d
moving authentication regulator to typescript
2017-05-20 16:01:09 +02:00
Clement Michaud
4356cfe7c1
First step to typescript transformation
2017-05-20 16:00:47 +02:00
Clement Michaud
6d24e82835
Remove '/authentication/' base path from endpoint URLs
2017-05-14 17:41:56 +02:00
Clement Michaud
dabd24e06a
Adding integration tests for testing the example deployment
2017-05-14 16:50:57 +02:00
Clement Michaud
32ff6cb387
Remove qrcode dependency as an npm package and replace it with a client side cross-browser library that generates qrcodes
2017-05-14 13:37:05 +02:00
Clement Michaud
b403cfe2f8
Rework the configuration of the access control to allow default policy for certain domains
2017-03-25 18:38:14 +01:00
Clement Michaud
e310478e6d
Allow per user access control rules
2017-03-25 15:28:57 +01:00
Clement Michaud
2a73b1a431
Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains
2017-03-25 15:17:21 +01:00
Clement Michaud
4b93338bae
Move config adaptation into a module and make it testable
2017-03-22 22:28:54 +01:00
Clement Michaud
c7e4f76b9c
Add an LDAP user search filter in the configuration file to specify the user attribute to search for in LDAP
2017-03-16 01:25:55 +01:00
Clement Michaud
606ddc7308
Handle SSO over multiple subdomains
2017-03-15 23:07:57 +01:00
Clement Michaud
2cc854b968
Adding ApiDoc documentation to the repository
2017-01-29 01:33:48 +01:00
Clement Michaud
5be5b34522
Temporarily remove integration tests
2017-01-28 20:13:56 +01:00
Clement Michaud
d29aac78d0
Create a filesystem notifier for simple getting started
2017-01-28 19:59:15 +01:00
Clement Michaud
90494407a9
Register TOTP secrets per user
2017-01-28 18:27:54 +01:00
Clement Michaud
b205ba6a0d
Use a rendered html email template for identity check
2017-01-28 02:33:45 +01:00
Clement Michaud
cb98f0454a
Implement authentication regulation
2017-01-28 01:32:25 +01:00
Clement Michaud
05046338ed
Implement password reset
2017-01-27 01:20:03 +01:00
Clement Michaud
804039b6aa
Registration process consumes the token so that it can only be used once
2017-01-22 18:06:12 +01:00
Clement Michaud
d3db94105e
Registration process sends an email to allow the user to register their U2F device
2017-01-22 17:54:45 +01:00
Clement Michaud
3d82cef30b
Fix u2f tests
2017-01-21 21:57:48 +01:00
Clement Michaud
631b201229
Remove _auth query path and update nginx config so that every authentication request is proxied under /auth/
2017-01-21 20:33:55 +01:00
Clement Michaud
8b4339f8da
Use filesystem data store to save u2f meta info
2017-01-21 20:24:35 +01:00
Clement Michaud
9670b23a8b
Implement FIDO u2f authentication
2017-01-21 17:41:06 +01:00
Clement Michaud
8c743228bf
Use promises in jwt component
2017-01-19 01:44:24 +01:00
Clement Michaud
d21164af58
Validate first factor through a post request
2017-01-19 01:01:37 +01:00
Clement Michaud
ccbcb758f0
Reconnect to LDAP when connection is closed (or not open at the beginning)
2016-12-18 01:49:09 +01:00
Clement Michaud
318bf33d2c
Move unit tests to unitary directory and add integration tests
2016-12-18 00:07:56 +01:00
Clement Michaud
7aacae842d
Edit nginx configuration and add redirection during login and logout
2016-12-17 19:36:41 +01:00
Clement Michaud
e13315eb92
Move files from app to src and tests in root directory + adding more tests
2016-12-17 02:06:40 +01:00