Authelia was using links with href="#" that changed the URL when clicked
on. Therefore, this commit removes the href property and apply link style
to tags without href property.
Displaying only one option at 2FA stage will allow to add more options
like DUO push or OAuth.
The user can switch to other option and in this case the option is
remembered so that next time, the user will see the same option. The
latest option is considered as the prefered option by Authelia.
Before this fix an anonymous user was not able to access a resource
that were configured with a bypass policy. This was due to a useless
check of the userid in the auth session. Moreover, in the case of an
anonymous user, we should not check the inactivity period since there
is no session.
Also refactor /verify endpoint for better testability and add tests
in a new suite.
Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.
This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.
With previous configuration format rules were not ordered between groups and
thus not predictable. Also in some cases `any` must have been a higher
precedence than `groups`. Flattening the rules let the user apply whatever
policy he can think of.
When several rules match the (subject, domain, resource), the first one is
applied.
NOTE: This commit changed the format for declaring ACLs. Be sure to update
your configuration file before upgrading.
In order to redirect the user after authentication, Authelia uses
rd query parameter provided by the proxy. However an attacker could
use phishing to make the user be redirected to a bad domain. In order
to avoid the user to be redirected to a bad location, Authelia now
verifies the redirection URL is under the protected domain.
Clement Michaud
Clement Michaud