2b65680774
Remove TOTP secret from endpoint logs
2017-10-31 07:27:23 +01:00
dacdce6c50
Implement session inactivity timeout
...
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.
If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
b9fa786df6
Refactor endpoints to get server variables as input parameters
...
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.
This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
34a595863a
Merge pull request #181 from Chemsmith/add-email-handeler-2
...
Less restrictive email handler - replace gmail with generic
2017-10-31 07:01:30 +01:00
c62b85e37d
Less restrictive email handler - replace gmail with generic
2017-10-25 19:28:56 +11:00
5570ac3d84
3.6.0
2017-10-16 22:32:55 +02:00
19c846a366
Merge pull request #160 from clems4ever/develop
...
Release 3.6.0
2017-10-16 22:32:18 +02:00
39b3898908
Merge pull request #152 from clems4ever/cookie-theft
...
Prevention agains cookie theft
2017-10-16 21:11:58 +02:00
056565a968
Add X-Frame-Options header to avoid ability to embed websites in iframes
2017-10-16 20:56:26 +02:00
0b33982701
Add notes on security measures deployed in Authelia in README
2017-10-16 20:56:26 +02:00
f523e5335f
Use HSTS in example
2017-10-16 20:56:26 +02:00
92b78f7c15
Enable secure and httpOnly option for sessions
...
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
6e3a9494ce
Merge pull request #158 from clems4ever/anonymous-smtp
...
Allow anonymous user in SMTP notifier
2017-10-16 00:09:55 +02:00
35b934ecea
Merge branch 'develop' into anonymous-smtp
2017-10-15 23:25:47 +02:00
5bac2b75b0
Merge pull request #159 from clems4ever/publish-develop-to-docker
...
Publish 'develop' tag to dockerhub
2017-10-15 23:24:28 +02:00
565fc35f07
Merge branch 'develop' into anonymous-smtp
2017-10-15 22:50:05 +02:00
15615b2741
Merge branch 'develop' into publish-develop-to-docker
2017-10-15 22:49:58 +02:00
3236b97ffd
Merge pull request #156 from clems4ever/remove-schema-from-source
...
Remove configuration schema from source since it is generated
2017-10-15 22:49:23 +02:00
e8e8c8f7da
Publish 'develop' tag to dockerhub
2017-10-15 22:48:56 +02:00
d3a2251d4a
Allow anonymous user in SMTP notifier
...
SMTP notifier should be able to send emails with anonymous user, i.e. without
providing username and password in configuration file.
2017-10-15 22:41:22 +02:00
b6aca2619b
Merge branch 'develop' into remove-schema-from-source
2017-10-15 22:31:06 +02:00
329927b865
Merge pull request #157 from clems4ever/already-logged-username
...
Add username to the 'already logged in' page
2017-10-15 22:30:55 +02:00
e8a1e7c52c
Remove configuration schema from source since it is generated
2017-10-15 22:17:36 +02:00
daee042368
Add username to the 'already logged in' page
2017-10-15 22:15:54 +02:00
35b66ba630
Merge pull request #155 from clems4ever/block-logged-in-page
...
Block 'already logged in' page to unauthenticated user
2017-10-15 22:03:11 +02:00
f2ae1cd044
Block 'already logged in' page to unauthenticated user
2017-10-15 21:52:12 +02:00
8fa50482df
Merge pull request #153 from clems4ever/opt-subdomain-methods
...
Make per_subdomain_methods optional in configuration file
2017-10-15 21:39:24 +02:00
12a8626ef7
Make per_subdomain_methods optional in configuration file
2017-10-15 20:01:16 +02:00
b3479c19da
Merge pull request #149 from clems4ever/npm-package-fix
...
Do not include client/ and server/ in npm package
2017-10-15 16:09:50 +02:00
e599ac78ae
Do not include client/ and server/ in npm package
2017-10-15 15:52:34 +02:00
4b51ae30cc
Merge pull request #147 from clems4ever/userdn-ldap-filter
...
Add {dn} as an available matcher in LDAP groups filter
2017-10-15 15:02:46 +02:00
ce264ff4d3
Add {dn} as an available matcher in LDAP groups filter
...
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.
e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.
Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
15fa6286ad
Merge pull request #143 from clems4ever/protect-ldap-injection
...
Add input sanitizer to LDAP client to protect against LDAP injections
2017-10-15 13:36:38 +02:00
2e087f12f4
Fix out of bound access in LDAP results array
2017-10-15 02:07:04 +02:00
9fe202f227
Merge pull request #144 from clems4ever/test-forward-headers
...
Fix unhandled rejections in unit tests
2017-10-15 01:55:31 +02:00
1dd0343860
Add input sanitizer to LDAP client to protect against LDAP injections
2017-10-15 01:35:33 +02:00
bf3e71d732
Fix unhandled rejections in unit tests
2017-10-15 01:34:37 +02:00
cb139997d2
Merge pull request #142 from clems4ever/test-forward-headers
...
Add test for headers forwarding feature
2017-10-15 01:13:57 +02:00
3a88ca95b8
Check TOTP token with window of 1
...
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00
c02d9b4a6e
Display current URL when redirection step fails in integration tests
2017-10-14 22:12:00 +02:00
8cf58d7b31
Add tests on headers forwarded to backend
...
Ensure Remote-User and Remote-Groups can be forwarded to the backend app.
2017-10-14 22:11:56 +02:00
f041b946d9
Merge pull request #140 from clems4ever/improve-endpoint-errors
...
Every public endpoints return 200 with harmonized error messages or 401
2017-10-14 12:22:24 +02:00
56fdc40290
Every public endpoints return 200 with harmonized error messages or 401
...
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.
This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
3bea8a290a
Merge pull request #137 from clems4ever/mail-sender
...
Specify mail sender for SMTP and Gmail notifiers
2017-10-10 23:08:55 +02:00
ab8aaeda25
Add configuration schema validation before starting Authelia
2017-10-10 21:59:20 +02:00
2a3fde5ee7
Add a schema validator to check user configuration
2017-10-10 01:14:36 +02:00
1ab09b71d4
Specify the sender email in Gmail and Smtp notifier configuration
...
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
d5035b8704
Merge pull request #131 from clems4ever/disable-second-factor
...
Allow basic authentication in configuration
2017-10-09 23:27:36 +02:00
9624aa6311
Adapt authentication methods configuration to be backward compatible
...
Prior version of configuration file can be used, the authentication methods
will be set to default values (two_factor as default method).
2017-10-09 23:14:05 +02:00
bc8fe623df
Use minified version of Authelia in npm package
2017-10-09 02:03:11 +02:00
Clement Michaud
Dylan Smith