- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
- disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
- allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
- allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left con open)
- Split SMTPNotifier Send func to seperate funcs for:
- writing future test suites and startup checks more easily
- organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes
* Update references to remove hash router
In commit 9ae2096, the redirection parameter is changed in the example `nginx.conf`, and also in other places like `internal/middlewares/identity_verification.go`:
```
- link := fmt.Sprintf("%s://%s/#%s?token=%s", ctx.XForwardedProto(),
+ link := fmt.Sprintf("%s://%s%s?token=%s", ctx.XForwardedProto(),
```
Some tests are not fully rewritten in Go, a typescript wrapper is called
instead until we remove the remaining TS tests and dependencies.
Also, dockerize every components (mainly Authelia backend, frontend and kind)
so that the project does not interfere with user host anymore (open ports for instance).
The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts.
It will soon be avoided using authelia.com domain that I own.
This is going to be the v4.
Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.
Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.
This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.
On some LDAP servers, the `uid` attribute is more like a guid, while the
username exists instead in a dedicated field, like `username`. This
means the `uid` is not necessarily equal to `username`.
This is allows referencing using the `uid` to search for groups in the same
way as `dn` so that one can explicitly match the `memberuid` to the `uid` for
the user without the assumptions that come with using `{0}`.