Commit Graph

268 Commits (9d5ac4526e69f2d0fc5c027a8b53a534f44f86f2)

Author SHA1 Message Date
James Elliott 0a970aef8a
feat(oidc): persistent storage (#2965)
This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 15:33:53 +10:00
renovate[bot] 004490c7b1
build(deps): update dependency alpine to v3.15.4 (#3114)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-05 11:15:43 +10:00
Clément Michaud 3ca438e3d5
feat: implement mutual tls in the web server (#3065)
Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface.

Fixes #3041
2022-04-05 09:57:47 +10:00
James Elliott 2502d89682
fix(server): respond with 404/405 appropriately (#3087)
This adjusts the not found handler to not respond with a 404 on not found endpoints that are part of the /api or /.well-known folders, and respond with a 405 when the method isn't implemented.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-04-04 09:58:01 +10:00
Manuel Nuñez bfd5d66ed8
feat(notification): password reset notification custom templates (#2828)
Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully.

Closes #2755, Closes #2756

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 22:24:51 +10:00
James Elliott 36cf662458
refactor: misc password policy refactoring (#3102)
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 10:48:26 +10:00
Manuel Nuñez 8659ba394d
feat(authentication): password policy (#2723)
Implement a password policy with visual feedback in the web portal.

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 08:32:57 +10:00
James Elliott 0116506330
feat(oidc): implement amr claim (#2969)
This adds the amr claim which stores methods used to authenticate with Authelia by the users session.
2022-04-01 22:18:58 +11:00
renovate[bot] df9492ca0e
build(deps): update dependency traefik to v2.6.3 (#3075)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-31 17:00:08 +11:00
renovate[bot] 56048dd199
build(deps): update dependency alpine to v3.15.3 (#3072)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-29 14:08:54 +11:00
renovate[bot] b86c7b5284
build(deps): update dependency traefik to v2.6.2 (#3059)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-26 20:53:04 +11:00
renovate[bot] 2d981f7916
build(deps): update dependency alpine to v3.15.2 (#3051)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-26 19:46:15 +11:00
renovate[bot] 9eb23a301b
build(deps): update dependency alpine to v3.15.1 (#3028)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-17 15:53:30 +11:00
renovate[bot] 99326c2688
build(deps): update dependency haproxy to v2.5.5 (#3018)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-16 13:43:33 +11:00
James Elliott 6d937cf6cc
refactor(model): rename from models (#2968) 2022-03-06 16:47:40 +11:00
James Elliott 8f05846e21
feat: webauthn (#2707)
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 22:20:43 +11:00
James Elliott 1b2af90e5a
feat(commands): totp qr code in png format (#2673)
This allows exporting the TOTP QR code for easy registration when using `authelia storage totp generate` or `authelia storage totp export`.
2022-03-02 18:50:36 +11:00
renovate[bot] f8d9c6eab7
build(deps): update dependency haproxy to v2.5.4 (#2931)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-01 15:04:34 +11:00
James Elliott 3c81e75d79
feat(commands): add access-control check-policy command (#2871)
This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 14:15:01 +11:00
renovate[bot] e286741357
build(deps): update dependency mariadb to v10.8.2 (#2917)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-27 10:12:17 +11:00
renovate[bot] 4b1bd01167
build(deps): update dependency traefik to v2.6.1 (#2912)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-24 21:13:08 +11:00
renovate[bot] eb76de6cdc
build(deps): update dependency haproxy to v2.5.3 (#2897)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-02-24 03:12:26 +11:00
Clément Michaud 5d4003c291
refactor: directly return error where sufficient (#2855) 2022-02-10 09:07:53 +11:00
James Elliott 1772a83190
refactor: apply godot recommendations (#2839) 2022-01-31 16:25:15 +11:00
renovate[bot] d8cf272757
build(deps): update traefik docker tag to v2.5.7 (#2815)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-01-21 13:43:06 +11:00
renovate[bot] 535ad2a697
build(deps): update haproxy docker tag to v2.5.1 (#2793)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-01-12 23:54:50 +11:00
renovate[bot] 2a1e7fc793
build(deps): update traefik docker tag to v2.5.6 (#2738)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-23 10:44:39 +11:00
renovate[bot] 93352aa36b
build(deps): update traefik docker tag to v2.5.5 (#2706)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-12 14:47:03 +11:00
renovate[bot] f9586b99a9
build(deps): update traefik docker tag to v1.7.34 (#2705)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-12 11:15:01 +11:00
James Elliott 104a61ecd6
refactor(web): only fetch totp conf if required (#2663)
Prevents the TOTP user config from being requested when the user has not registered or is already authenticated 2FA.
2021-12-02 21:28:16 +11:00
James Elliott f90ca855e3
feat(storage): postgresql schema and ssl options (#2659)
Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process.
2021-12-02 16:36:03 +11:00
Aram Akhavan 5b3fa1fffb
docs: consistent naming for configuration file (#2626)
* change all instances (file names and docs) of "config.template.yml" to "configuration.template.yml" so its consistent with the expectations of the Dockerfile

* Keep config.template.yml named as is

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update index.html

* revert filename changes and add a note about docker

* refactor: apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-12-02 15:50:05 +11:00
James Elliott 7df242f1e3
refactor: remove ioutil (#2635)
Was deprecated in 1.16 and has more performant options available.
2021-12-02 00:14:15 +11:00
James Elliott ad8e844af6
feat(totp): algorithm and digits config (#2634)
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).

Fixes #1226.
2021-12-01 23:11:29 +11:00
Philipp Staiger 01b77384f9
feat(duo): multi device selection (#2137)
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.

Closes #594. Closes #1039.
2021-12-01 14:32:58 +11:00
James Elliott 9ceee6c660
feat(storage): only store identity token metadata (#2627)
This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
2021-11-30 17:58:21 +11:00
James Elliott 347bd1be77
feat(storage): encrypted secret values (#2588)
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.

Closes #682
2021-11-25 12:56:58 +11:00
renovate[bot] 290e3f7aaa
build(deps): update alpine docker tag to v3.15.0 (#2631)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-25 08:46:44 +11:00
renovate[bot] c128359c74
build(deps): update haproxy docker tag to v2.5.0 (#2624)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-24 11:36:46 +11:00
James Elliott 3695aa8140
feat(storage): primary key for all tables and general qol refactoring (#2431)
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.

Fixes #1337
2021-11-23 20:45:38 +11:00
Amir Zarrinkafsh 0be883befb
feat: customizable static assets (#2597)
* feat: customizable static assets

This change provides the means to override specific assets from the embedded Go FS with files situated on disk.

We only allow overriding the following files currently:
* favicon.ico
* logo.png

* refactor(server): make logo string a const

* refactor(suites): override favicon and use ntp3 in traefik2 suite

* test(suites): test logo override in traefik2 suite

* test(suites): test asset override fallback in traefik suite

Closes #1630.
2021-11-15 19:37:58 +11:00
renovate[bot] 50f9dc6a4c
build(deps): update alpine docker tag to v3.14.3 (#2599) 2021-11-13 11:04:11 +11:00
renovate[bot] 6765b97342
build(deps): update mariadb docker tag to v10.7.1 (#2585)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-10 15:57:48 +11:00
renovate[bot] 035d084ada
build(deps): update traefik docker tag to v2.5.4 (#2575)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-09 08:20:38 +11:00
Amir Zarrinkafsh 83488d52a6
refactor(suites): replace selenium with go-rod (#2534)
* refactor(suites): replace selenium with go-rod

This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod).

We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser.

Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives.
2021-11-06 00:14:42 +11:00
renovate[bot] ed0efb76b3
build(deps): update haproxy docker tag to v2.4.8 (#2563)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-04 12:00:23 +11:00
renovate[bot] 4b904fc321
build(deps): update node.js to v17 (#2523)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-21 09:43:54 +11:00
Amir Zarrinkafsh 9445878ca2
refactor(web): use transformindexhtml vite hook (#2488) 2021-10-11 20:30:02 +11:00
Amir Zarrinkafsh a3e84769b5
feat(web): replace cra with vite (#2457)
* feat(web): replace cra with vite

* fix: add istanbul
* fix: add jest
* fix: inject env vars
* fix: replicate cra output directories
* fix: post-frontend build for go templating
* fix: dynamic publicpath

* fix(web): import resolution with aliases for .module.css files

* refactor(server): baseurl var

* refactor(web): drop babel-jest for esbuild-jest

* refactor(web): add inline sourcemap for coverage bundle

* build(deps): update web deps

* build(deps): downgrade vite-plugin-istanbul to 2.2.0

98bf77dbaa is a breaking change that means production mode builds can no longer be instrumented.

* refactor(web): match frontend name and version

* refactor(web): drop cra readme
2021-10-08 15:00:06 +11:00
renovate[bot] 455499fa93
build(deps): update traefik docker tag to v1.7.33 (#2466)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-08 12:51:30 +11:00