Commit Graph

21 Commits (8def9bb1a93b3163360496ac8fe61ad3445c7c45)

Author SHA1 Message Date
Clement Michaud b842792a16 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-17 23:48:56 +02:00
Clement Michaud 9e275441c9 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-17 23:04:28 +02:00
Clement Michaud 92b78f7c15 Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
Clement Michaud d3a2251d4a Allow anonymous user in SMTP notifier
SMTP notifier should be able to send emails with anonymous user, i.e. without
providing username and password in configuration file.
2017-10-15 22:41:22 +02:00
Clement Michaud f2ae1cd044 Block 'already logged in' page to unauthenticated user 2017-10-15 21:52:12 +02:00
Clement Michaud ce264ff4d3 Add {dn} as an available matcher in LDAP groups filter
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.

e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.

Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
Clément Michaud 15fa6286ad Merge pull request #143 from clems4ever/protect-ldap-injection
Add input sanitizer to LDAP client to protect against LDAP injections
2017-10-15 13:36:38 +02:00
Clement Michaud 1dd0343860 Add input sanitizer to LDAP client to protect against LDAP injections 2017-10-15 01:35:33 +02:00
Clement Michaud bf3e71d732 Fix unhandled rejections in unit tests 2017-10-15 01:34:37 +02:00
Clement Michaud 3a88ca95b8 Check TOTP token with window of 1
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00
Clément Michaud f041b946d9 Merge pull request #140 from clems4ever/improve-endpoint-errors
Every public endpoints return 200 with harmonized error messages or 401
2017-10-14 12:22:24 +02:00
Clement Michaud 56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud ab8aaeda25 Add configuration schema validation before starting Authelia 2017-10-10 21:59:20 +02:00
Clement Michaud 2a3fde5ee7 Add a schema validator to check user configuration 2017-10-10 01:14:36 +02:00
Clement Michaud 1ab09b71d4 Specify the sender email in Gmail and Smtp notifier configuration
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
Clement Michaud 9624aa6311 Adapt authentication methods configuration to be backward compatible
Prior version of configuration file can be used, the authentication methods
will be set to default values (two_factor as default method).
2017-10-09 23:14:05 +02:00
Clement Michaud c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud 78f6028c1b Improve logging format for clarity
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
2017-10-08 22:33:50 +02:00
Clement Michaud 267cf2921d Adapt ACL configuration to make it more flexible
Basically, the ACL configuration was very static and it was not allowed
to remove 'any', 'groups', 'users'. The application crashed when those
keys did not exist.
After this fix, every key is optional and replaced by a default value
for the app configuration to be complete and used by Authelia.

Later, a configuration validator will be implemented to detect issues
with configuration at startup.
2017-10-08 15:34:58 +02:00
Clement Michaud 66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00