Commit Graph

7 Commits (99b04809a565fdce85851e4a5d1c3348e0ed7dec)

Author SHA1 Message Date
Clement Michaud dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
Clement Michaud bf3e71d732 Fix unhandled rejections in unit tests 2017-10-15 01:34:37 +02:00
Clement Michaud 56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud 78f6028c1b Improve logging format for clarity
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
2017-10-08 22:33:50 +02:00
Clement Michaud d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00