Commit Graph

115 Commits (e9d8f604c6094f64f92d6e51844483e3fe149002)

Author SHA1 Message Date
Clement Michaud 7c80515b34 Fix U2F authentication by upgrading libraries. 2018-11-06 15:45:01 +01:00
Clement Michaud 798b001986 Bump grunt and grunt-contrib-watch. 2018-11-03 16:19:05 +01:00
Clement Michaud e8c3205e0a Make Authelia compatible with Firefox.
Use the polyfill version of u2f API provided by Google.

https://github.com/mastahyeti/u2f-api

This polyfill is at least compatible with Chrome and
Firefox after enabling the U2F support.

[HOWTO] Enable U2F in Firefox >= 57:
Navigate to 'about:config' and search for 'u2f' option.
Double-click on the line to toggle the option.
2018-10-27 18:22:01 +02:00
Clement Michaud a21c15d451 Bump request package. 2018-10-13 19:21:32 +02:00
Clement Michaud 96ecea203f Update bootstrap and randomatic dependencies. 2018-10-13 10:16:18 +02:00
Clement Michaud e7ad831d4d 3.9.5 2018-08-30 11:35:24 +02:00
Clement Michaud e568459c53 3.9.4 2018-08-30 11:29:04 +02:00
Clement Michaud 5fd8150875 3.9.3 2018-08-29 00:01:29 +02:00
Clement Michaud 64f28379ac 3.9.2 2018-08-28 21:05:57 +02:00
Clement Michaud cedcb07ed0 3.9.1 2018-08-27 22:54:25 +02:00
Clement Michaud 920b2c4f6a 3.9.0 2018-08-26 14:27:17 +02:00
Clement Michaud 1f5a18d12a 3.8.3 2018-08-25 19:37:35 +02:00
Clément Michaud 6438a5e48f
Fix ECONNRESET when LDAP queries fail. (#261)
This commit should fix #225.

In order to avoid stalling LDAP connections, Authelia creates new
sessions for each set of queries bound to one authentication, i.e.,
one session for authentication, emails retrieval and groups
retrieval.
Before this commit, a failing query was preventing the session to
be closed (unbind was not called). Now, unbind is always called
whatever the outcome of the query.

I took the opportunity of this commit to refactor LDAP client in
order to prepare the work on users database stored in a file.
(#233)
2018-08-25 19:22:48 +02:00
Clement Michaud e50b798edc 3.8.2 2018-08-24 23:05:30 +02:00
Clément Michaud 0fd285f975
Replace npm api key to solve publication. (#260)
* Replace npm api key.

* 3.8.1
2018-08-24 23:03:54 +02:00
Clement Michaud 596f97fc1d 3.8.0 2018-08-19 16:52:23 +02:00
Clement Michaud 39555179e4 Bump all dependencies 2018-05-07 23:23:29 +02:00
Clement Michaud 4da5402cdf Add helmet dependency and add it as express middleware 2018-04-26 09:07:06 +02:00
Clement Michaud 479d7ddc09 3.7.1 2018-04-24 22:12:27 +02:00
Clement Michaud a64462d3da Update chrome driver to fix integration tests 2018-03-29 23:20:16 +02:00
Clement Michaud 0b2f6ace83 Fix unit and integration tests 2018-03-29 23:09:29 +02:00
Clement Michaud a5592252c7 Bump npm dependencies 2018-03-23 10:13:00 +01:00
Clement Michaud 3f6c375446 3.7.0 2017-11-28 22:40:42 +01:00
Clement Michaud 515a82eb8d Add links and tooltips at second factor stage to better guide the user
A link to U2F explains what is a U2F security key and how they are used.

A tooltip on U2F device registration link is telling the user he needs a
security key to register.
2017-11-28 21:56:50 +01:00
Clement Michaud ca885e4b15 Fix not working u2f when using Firefox
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox.  This change reintroduces the
official u2f script.
2017-11-09 00:21:24 +01:00
Clement Michaud e3e1235755 Fix unhandled error exception thrown by Bluebirds in tests 2017-11-01 16:30:51 +01:00
Clement Michaud 6d11801d56 Change the how-to to build Authelia in the README 2017-10-31 22:11:01 +01:00
Clement Michaud 7b68a543bf Strengthen password in LDAP using SHA512 crypt algorithm
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt

The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the c function,
that's why python, make and C++ compiler are installed temporarily in the
Docker image.
2017-10-31 07:27:36 +01:00
Clement Michaud 5570ac3d84 3.6.0 2017-10-16 22:32:55 +02:00
Clement Michaud bf3e71d732 Fix unhandled rejections in unit tests 2017-10-15 01:34:37 +02:00
Clement Michaud 3a88ca95b8 Check TOTP token with window of 1
A window of 1 means the token is checked against current time slot T
as well as at time slot T-1 and T+1.
A time slot is 30 seconds by default in Authelia.
2017-10-15 00:44:10 +02:00
Clément Michaud f041b946d9 Merge pull request #140 from clems4ever/improve-endpoint-errors
Every public endpoints return 200 with harmonized error messages or 401
2017-10-14 12:22:24 +02:00
Clement Michaud 56fdc40290 Every public endpoints return 200 with harmonized error messages or 401
Now, /verify can return 401 or 403 depending on the user authentication.
Every public API endpoints and pages return 200 with error message in
JSON body or 401 if the user is not authorized.

This policy makes it complicated for an attacker to know what is the source of
the failure and hide server-side bugs (not returning 500), bugs being potential
threats.
2017-10-14 11:57:38 +02:00
Clement Michaud 2a3fde5ee7 Add a schema validator to check user configuration 2017-10-10 01:14:36 +02:00
Clement Michaud 46deb765bb 3.5.0 2017-10-09 01:15:40 +02:00
Clement Michaud 78f6028c1b Improve logging format for clarity
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
2017-10-08 22:33:50 +02:00
Clement Michaud d86a3f8393 3.4.2 2017-10-08 16:11:16 +02:00
Clement Michaud f3f61d4e13 3.4.1 2017-10-08 14:48:46 +02:00
Clement Michaud d8ff186303 Split client and server
Client and server now have their own tsconfig so that the transpilation is only
done on the part that is being modified.

It also allows faster transpilation since tests are now excluded from tsconfig.
They are compiled by ts-node during unit tests execution.
2017-10-07 00:49:42 +02:00
Clement Michaud 444d278a1e 3.4.0 2017-10-04 21:53:19 +02:00
Clement Michaud 4cd78f3f83 Add SMTP notifier as an available option in configuration
One can now plug its own SMTP server to send notifications
for identity validation and password reset requests.

Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clement Michaud 0a33b2d5ee Add logs to detect redis connection issues earlier
Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem
2017-09-22 20:52:05 +02:00
FrozenDragoon 489dbf9e30 Merge branch 'master' into feature-dockercompose 2017-09-11 13:28:39 -05:00
Clement Michaud 1643f4779c 3.3.19 2017-09-09 01:36:36 +02:00
Clement Michaud f4926ac138 Fix npm package missing dist directory 2017-09-09 00:43:19 +02:00
Clement Michaud 85834befb6 3.3.2 2017-09-05 00:43:06 +02:00
Clement Michaud dbb936679c Try to fix issue with npm publishing 2017-09-05 00:43:00 +02:00
Clement Michaud 432568f8f5 3.3.1 2017-09-04 23:49:15 +02:00
Clement Michaud d4a2b5dab9 Try to fix issue with npm publishing 2017-09-04 23:49:11 +02:00
Clement Michaud 86bb5c5a19 3.3.0 2017-09-04 21:51:58 +02:00