This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors.
Fixes#116, Fixes#1293.
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.
Fixes#1337
* refactor(handlers): lower case error messages
also refactor verifyAuth function to detect malicious activity both with session
cookie and authorization header.
* refacto(handlers): simplify error construction
* fix(handlers): check prefix in authorization header to determine auth method
* fix(handlers): determining the method should be done with headers instead of query arg
* refacto(handlers): rollback changes of verifyAuth
* don't lowercase log messages
* Apply suggestions from code review
Make sure logger errors are not lowercased.
* fix: uppercase logger errors and remove unused param
* Do not lowercase logger errors
* Remove unused param targetURL
* Rename url variable to not conflict with imported package
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [FIX] Send correct HTTP status codes for 1FA
* use harmonious func to handle all 1FA attempt errors
* use same harmonious func to handle 2FA attempt errors
* always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
* fix tests
* refactor isTargetURLAuthorized
* fix padding and imports
* harmonize remaining return messages
* fixup docs and layout of verifySessionHasUpToDateProfile
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
James Elliott
Clément Michaud
Amir Zarrinkafsh