* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* [FIX] LDAP Not Checking for Updated Groups
* refactor handlers verifyFromSessionCookie
* refactor authorizer selectMatchingObjectRules
* refactor authorizer isDomainMatching
* add authorizer URLHasGroupSubjects method
* add user provider ProviderType method
* update tests
* check for new LDAP groups and update session when:
* user provider type is LDAP
* authorization is forbidden
* URL has rule with group subjects
* Implement Refresh Interval
* add default values for LDAP user provider
* add default for refresh interval
* add schema validator for refresh interval
* add various tests
* rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong
* use Authelia ctx clock
* add check to determine if user is deleted, if so destroy the
* make ldap user not found error a const
* implement GetRefreshSettings in mock
* Use user not found const with FileProvider
* comment exports
* use ctx.Clock instead of time pkg
* add debug logging
* use ptr to reference userSession so we don't have to retrieve it again
* add documenation
* add check for 0 refresh interval to reduce CPU cost
* remove badly copied debug msg
* add group change delta message
* add SliceStringDelta
* refactor ldap refresh to use the new func
* improve delta add/remove log message
* fix incorrect logic in SliceStringDelta
* add tests to SliceStringDelta
* add always config option
* add tests for always config option
* update docs
* apply suggestions from code review
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
* complete mocks and fix an old one
* show warning when LDAP details failed to update for an unknown reason
* golint fix
* actually fix existing mocks
* use mocks for LDAP refresh testing
* use mocks for LDAP refresh testing for both added and removed groups
* use test mock to verify disabled refresh behaviour
* add information to threat model
* add time const for default Unix() value
* misc adjustments to mocks
* Suggestions from code review
* requested changes
* update emails
* docs updates
* test updates
* misc
* golint fix
* set debug for dev testing
* misc docs and logging updates
* misc grammar/spelling
* use built function for VerifyGet
* fix reviewdog suggestions
* requested changes
* Apply suggestions from code review
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* [DOCS] Add threat model documentation under security section.
* Update docs/security/threat-model.md
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
* Apply suggestions from code review
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [FEATURE] Disable Reset Password
* add configuration key to authentication_backend called disable_reset_password
* disable_reset_password prevents the API handler for the functionality and the UI element
* disable_reset_password is a boolean
* adjust RememberMeEnabled to be RememberMe instead as it's just unnecessary
* add docs for security measures and in the authentication docs
* updated config.template.yml
* add flexEnd style to align reset password when remember me disabled
* add todo items for ldap user/password validation relating to this
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
* [FEATURE] Support Argon2id Passwords
- Updated go module github.com/simia-tech/crypt
- Added Argon2id support for file based authentication backend
- Made it the default method
- Made it so backwards compatibility with SHA512 exists
- Force seeding of the random string generator used for salts to ensure they are all different
- Added command params to the authelia hash-password command
- Automatically remove {CRYPT} from hashes as they are updated
- Automatically change hashes when they are updated to the configured algorithm
- Made the hashing algorithm parameters completely configurable
- Added reasonably comprehensive test suites
- Updated docs
- Updated config template
* Adjust error output
* Fix unit test
* Add unit tests and argon2 version check
* Fix new unit tests
* Update docs, added tests
* Implement configurable values and more comprehensive testing
* Added cmd params to hash_password, updated docs, misc fixes
* More detailed error for cmd, fixed a typo
* Fixed cmd flag error, minor refactoring
* Requested Changes and Minor refactoring
* Increase entropy
* Update docs for entropy changes
* Refactor to reduce nesting and easier code maintenance
* Cleanup Errors (uniformity for the function call)
* Check salt length, fix docs
* Add Base64 string validation for argon2id
* Cleanup and Finalization
- Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go
- Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len
- Fixed an error in validator that would allow a zero salt length
- Added a test to verify the upstream crypt module supports our defined random salt chars
- Updated docs
- Removed unused "HashingAlgorithm" string type
* Update crypt go mod, support argon2id key length and major refactor
* Config Template Update, Final Tests
* Use schema defaults for hash-password cmd
* Iterations check
* Docs requested changes
* Test Coverage, suggested edits
* Wording edit
* Doc changes
* Default sanity changes
* Default sanity changes - docs
* CI Sanity changes
* Memory in MB
James Elliott
Clément Michaud
Amir Zarrinkafsh