Commit Graph

86 Commits (e70f0914f323b9ba23917f4a6e703709f6507ebe)

Author SHA1 Message Date
Clement Michaud 91763e97a1 Get IP of the original client when querying /verify. 2018-08-28 23:06:14 +02:00
Clément Michaud 67f84b97c8
Enable authentication to Mongo and Redis. (#263)
* Fix issue in unit test of IdentityCheckMiddleware.

* Enable authentication to Mongo server.

* Enable authentication to Redis.
2018-08-26 13:10:23 +02:00
Clément Michaud 9dab40c2ce
Add support for users database on disk. (#262)
In order to simplify the deployment of Authelia for
testing, LDAP is now optional made optional thanks
to users database stored in a file. One can update
the file manually even while Authelia is running.

With this feature the minimal configuration requires
only two components: Authelia and nginx.

The users database is obviously made for development
environments only as it prevents Authelia to be scaled
to more than one instance.

Note: Configuration has been updated. Key `ldap` has
been nested in `authentication_backend`.
2018-08-26 10:30:43 +02:00
Clément Michaud 6438a5e48f
Fix ECONNRESET when LDAP queries fail. (#261)
This commit should fix #225.

In order to avoid stalling LDAP connections, Authelia creates new
sessions for each set of queries bound to one authentication, i.e.,
one session for authentication, emails retrieval and groups
retrieval.
Before this commit, a failing query was preventing the session to
be closed (unbind was not called). Now, unbind is always called
whatever the outcome of the query.

I took the opportunity of this commit to refactor LDAP client in
order to prepare the work on users database stored in a file.
(#233)
2018-08-25 19:22:48 +02:00
Clément Michaud c503765dd6
Implement retry mechanism for broken connections to mongo (#258)
Before this patch, when Authelia started, if Mongo was not
up and running, Authelia failed to connect and never retried.
Now, everytime Authelia faces a broken connection, it tries
to reconnect during the next operation.
2018-08-19 16:51:36 +02:00
Clément Michaud 0dd9a5f815
Make session cookie name customizable. (#256)
This option is optional and set to authelia_session
by default.
2018-08-19 13:07:00 +02:00
Clement Michaud 6d6162f26c Add tests for minimal configuration 2018-08-10 00:12:04 +02:00
Clement Michaud 35fbea355f Fix logging after configuration refactoring 2018-08-09 23:52:53 +02:00
Clement Michaud 73be5bfc68 Fix missing default value in configuration 2018-08-09 23:52:53 +02:00
Clement Michaud c82f910da3 Refactor configuration to remove optional sections from minimal template
Also move tests from dedicated directory to source dir with .spec.ts extension
2018-08-09 23:52:53 +02:00
Clément Michaud a70863c48c
Merge branch 'master' into bootstrap_loading_spinner 2018-07-26 22:30:09 +02:00
Callan Bryant dc0d0d046c restore important whitespace 2018-07-26 08:21:12 +01:00
Clément Michaud fbe613d5ba
Merge branch 'master' into overlay_notifications 2018-07-25 21:31:23 +02:00
Clément Michaud a8dbf27faf
Merge branch 'master' into bootstrap_loading_spinner 2018-07-25 21:31:11 +02:00
Clement Michaud 1e0a279179 Fix issues with integration tests in master 2018-07-25 20:52:26 +02:00
Callan Bryant eea023a200 Make notifications appear on top instead of inline
Currently notifications reflow the document which causes the interface
to jump twice which can be frustrating if you're trying to click
something.

This change makes the notification appear at the top of the form as
such:
2018-07-20 09:34:13 +01:00
Callan Bryant 9cd48c068d Make first factor login page UI indicate loading state
* Submit button changes to "Loading..."
* Form fades and disables
2018-07-19 17:07:58 +01:00
Clement Michaud df9cb51a89 Make sure session.domain is provided in config.yml 2018-05-17 01:12:14 +02:00
Clement Michaud acd5a7a26d Fix compilation and unit tests 2018-05-17 00:06:07 +02:00
Clement Michaud 39555179e4 Bump all dependencies 2018-05-07 23:23:29 +02:00
Clement Michaud 4da5402cdf Add helmet dependency and add it as express middleware 2018-04-26 09:07:06 +02:00
Clement Michaud 7a13523004 Fix basic authentication and tests 2018-04-25 23:22:41 +02:00
Clement Michaud bc72f5c508 Use x-original-url instead of host to deduce domain to check permissions for 2018-04-25 00:41:41 +02:00
Clement Michaud 4be299d6eb Adapt kube example to work without custom nginx template 2018-04-24 23:59:15 +02:00
Clement Michaud 48d6107b0b Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 23:03:09 +02:00
Clement Michaud bf3705b3e9 Attribute mail_attribute is not correcty taken into account 2018-04-24 21:33:31 +02:00
Clement Michaud 0b2f6ace83 Fix unit and integration tests 2018-03-29 23:09:29 +02:00
Clement Michaud 6586402114 Support 'redirect' in /api/verify endpoint to support Traefik
Traefik handles auth forwarding but does not manage redirections like Nginx.
Therefore, Authelia must redirect the user and Traefik will forward this
request.

To support both Nginx and Traefik, /api/verify is now configurable with the
'redirect' get parameter. If the verification fails and 'redirect' is not
provided the response will be a 401 error as before.
If the parameter is provided and set to any URL, the response will be a
redirection (302) to this URL.
2017-12-04 22:52:33 +01:00
Clement Michaud 515a82eb8d Add links and tooltips at second factor stage to better guide the user
A link to U2F explains what is a U2F security key and how they are used.

A tooltip on U2F device registration link is telling the user he needs a
security key to register.
2017-11-28 21:56:50 +01:00
Clement Michaud f47d3c2b0b Reset password form sends 200 status when user does not exist
Reset password sends 200 status codes to avoid user enumeration.
2017-11-18 21:27:07 +01:00
Clement Michaud ca885e4b15 Fix not working u2f when using Firefox
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox.  This change reintroduces the
official u2f script.
2017-11-09 00:21:24 +01:00
Clement Michaud a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud d1f0543ac6 Fix bad redirection when no default_redirection_url is provided 2017-11-01 21:17:43 +01:00
Clement Michaud 009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud e3e1235755 Fix unhandled error exception thrown by Bluebirds in tests 2017-11-01 16:30:51 +01:00
Clement Michaud e93b98c1ec Remove unused AuthenticationValidator 2017-11-01 15:35:55 +01:00
Clement Michaud 6b78240d39 Fix endpoints redirection on errors
From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clement Michaud 54854bacb1 Use issuer and label when generating otpauthURL for TOTP
Issuer is customizable in configuration so that a company can set its own name
or website. If not provided, default value is 'authelia.com'.

The username is used as label.
2017-10-31 21:36:47 +01:00
Clement Michaud 73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud 3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering in the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00
Clement Michaud 1e05c41a0c Remove useless comment from first factor page 2017-10-31 07:27:36 +01:00
Clement Michaud 42019bf67d Improve UX of the TOTP registration page
Mainly add badges and links to Google Play and Apple Store to get Google
Authenticator.
2017-10-31 07:27:36 +01:00
Clement Michaud 7b68a543bf Strengthen password in LDAP using SHA512 crypt algorithm
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt

The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the c function,
that's why python, make and C++ compiler are installed temporarily in the
Docker image.
2017-10-31 07:27:36 +01:00
Clement Michaud 969561f4ad Add Content-Security-Policy in Authelia web pages 2017-10-31 07:27:36 +01:00
Clement Michaud 869d55dfd1 Add a meta tag to avoid search engine indexing 2017-10-31 07:27:36 +01:00
Clement Michaud cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud 563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud 2b65680774 Remove TOTP secret from endpoint logs 2017-10-31 07:27:23 +01:00
Clement Michaud dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00