Use the polyfill version of u2f API provided by Google.
https://github.com/mastahyeti/u2f-api
This polyfill is at least compatible with Chrome and
Firefox after enabling the U2F support.
[HOWTO] Enable U2F in Firefox >= 57:
Navigate to 'about:config' and search for 'u2f' option.
Double-click on the line to toggle the option.
This commit should fix#225.
In order to avoid stalling LDAP connections, Authelia creates new
sessions for each set of queries bound to one authentication, i.e.,
one session for authentication, emails retrieval and groups
retrieval.
Before this commit, a failing query was preventing the session to
be closed (unbind was not called). Now, unbind is always called
whatever the outcome of the query.
I took the opportunity of this commit to refactor LDAP client in
order to prepare the work on users database stored in a file.
(#233)
A link to U2F explains what is a U2F security key and how they are used.
A tooltip on U2F device registration link is telling the user he needs a
security key to register.
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox. This change reintroduces the
official u2f script.
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt
The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the c function,
that's why python, make and C++ compiler are installed temporarily in the
Docker image.
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.
This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.