Session fixation attacks were prevented because a session ID was
regenerated at each first factor authentication but this commit
generalize session regeneration from first to second factor too.
Fixes#180
* [Buildkite] Enable automatic retries for failed github artifact step
This is to handle failures which may occur when attempting to upload assets, per: https://buildkite.com/authelia/authelia/builds/465#537f931f-efc3-4f7b-9527-c927c1425a52.
* [Buildkite] Ensure GitHub artifact step is reported as a failure
When the initial command fails and we remove the release, we need to ensure that the exit status is reported as non-zero to trigger the automatic retry.
* [FEATURE] Redis DB Number Selection
- Allow users to specify the DB number
- This is so users who use their redis for multiple purposes can have clear demarcation between their data
* revert: import order
* Add default/example to config template with docs
* Set DB Index property name to be more clear
* Add WSS support for insecure scheme detection
WSS connections were broken by the introduction of this check. Adding WSS as a supported scheme for secure connections prevents a 401 being returned for an authorised connection.
* Add tests for WSS
Also extend HTTPS tests to ensure they do not catch WSS URLs
* [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP.
If group or email attribute configured by user in configuration is not
found in user object the list of attributes in LDAP search result is empty.
This change introduces a check before accessing the first element of the
list which previously led to out of bound access.
Fixes#647.
* [MISC] Change log level of LDAP connection creation to trace.
* [FEATURE] SMTPS Support
- Added port_tls option to enable SMTPS, off by default.
* Remove configuration variable for SMTPS
Instead we enable SMTPS on port 465 only. The reason for this is so we don't require an additional configuration variable.
* Add SMTPS warning and updated docs
* Adjust SMTPS warning
* Help users detect misconfiguration of their protected domain.
Sometimes users try to visit an URL pointing to a domain which is
not protected by Authelia and thus authentication fails. This log
line will help users detect those cases.
* Add a log to detect bad schemes in target URLs.
This helps users detect when an URL is http while it should be https.
Indeed, cookies are transported solely over a secure connection for
security reasons.
* Explicit document missing X-Forwarded-Proto and X-Fowarded-Host headers.
* Add the name of the authorization header in error messages.
* Add error and debug logs about X-Original-URL header.
* Add error log when not able to parse target URL in verify endpoint.
* Fix unit tests.
* [Buildkite] Fix changelog output for github releases
Fetch is required to grab the latest tag, this will ensure the correct data is generated
* [Buildkite] Only clean tags on pushes to master
Also ensure that master tag is not removed on github API failures.
* [Buildkite] Fix tag publishing for releases
* [Buildkite] Minor tweaks to github changelog output
* Redirect to default URL after 1FA when default policy is one_factor.
User is now redirected to the default redirection URL after 1FA if
the default policy is set to one_factor and there is no target URL
or if the target URL is unsafe.
Also, if the default policy is set to one_factor and the user is already
authenticated, if she visits the login portal, the 'already authenticated'
view is displayed with a logout button.
This fixes#581.
* Update users.yml
* Fix permissions issue causing suite test failure
* Remove unused mongo docker-compose file.
* Default redirection URL was not taken into account.
* Fix possible storage options in config template.
* Remove useless checks in u2f registration endpoints.
* Add default redirection url in config of duo suite.
* Fix log line in response handler of 2FA methods.
* Fix integration tests.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>