authorJames Elliott <james-d-elliott@users.noreply.github.com>2023-10-13 06:01:55 +1100
committerJames Elliott <james-d-elliott@users.noreply.github.com>2024-03-04 20:28:24 +1100
commite618cf341627a89b5fec594090cf765c86aafaad (patch)
treef8091502dbb3d0da8d6ea960f8cd029b2b151208 /examples
parent87d2a3419d6f29db900bc1aeb4cf5d7769a15ce3 (diff)
feat(web): one-time codes for identity verification
This replaces the JWT method for Identity Verification for most elements with a One-Time Code which has a controllable lifetime. These codes elevate the session for a duration, are less likely to be accidentally clicked, can be revoked, and are generally a better experience for users. Users will be able to copy the codes directly from the email or manually type them. This improves the process as the user is very unlikely to input the code into the wrong window, and can't open it in the wrong browser. In addition, the process prevents accidental clicking from causing issues. Closes #3801 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Diffstat (limited to 'examples')
-rw-r--r--examples/compose/lite/authelia/configuration.yml36
-rw-r--r--examples/compose/local/authelia/configuration.yml7
2 files changed, 25 insertions, 18 deletions
diff --git a/examples/compose/lite/authelia/configuration.yml b/examples/compose/lite/authelia/configuration.yml
index bd06a5dd3..e1bcbabf1 100644
--- a/examples/compose/lite/authelia/configuration.yml
+++ b/examples/compose/lite/authelia/configuration.yml
@@ -3,18 +3,22 @@
# Authelia configuration #
###############################################################
-# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
-jwt_secret: a_very_important_secret
-default_redirection_url: https://public.example.com
+
+default_redirection_url: 'https://public.example.com'
server:
address: 'tcp://:9091'
log:
- level: debug
+ level: 'debug'
totp:
- issuer: authelia.com
+ issuer: 'authelia.com'
+
+identity_validation:
+ reset_password:
+ # This secret can also be set using the env variables AUTHELIA_IDENTITY_VERIFICATION_RESET_PASSWORD_JWT_SECRET_FILE
+ jwt_secret: 'a_very_important_secret'
# duo_api:
# hostname: api-123456789.example.com
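Review bot: The comment added above `jwt_secret` names `AUTHELIA_IDENTITY_VERIFICATION_RESET_PASSWORD_JWT_SECRET_FILE`, but the key it documents sits under `identity_validation`, so the variable name does not match the key path. Authelia's file-secret variables follow the configuration path, so the comment should read `# This secret can also be set using the env variable AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE`. As written, an operator who follows the comment would set a variable that is presumably not read, and the deployment would keep running with the literal `a_very_important_secret` from this example, a publicly known value for what appears to be the password-reset token signing secret.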
@@ -24,26 +28,26 @@ totp:
authentication_backend:
file:
- path: /config/users_database.yml
+ path: '/config/users_database.yml'
access_control:
- default_policy: deny
+ default_policy: 'deny'
rules:
# Rules applied to everyone
- - domain: public.example.com
- policy: bypass
- - domain: traefik.example.com
- policy: one_factor
- - domain: secure.example.com
- policy: two_factor
+ - domain: 'public.example.com'
+ policy: 'bypass'
+ - domain: 'traefik.example.com'
+ policy: 'one_factor'
+ - domain: 'secure.example.com'
+ policy: 'two_factor'
session:
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
- secret: unsecure_session_secret
+ secret: 'unsecure_session_secret'
cookies:
- - name: authelia_session
- domain: example.com # Should match whatever your root protected domain is
+ - name: 'authelia_session'
+ domain: 'example.com' # Should match whatever your root protected domain is
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
diff --git a/examples/compose/local/authelia/configuration.yml b/examples/compose/local/authelia/configuration.yml
index c19b62167..6c8551e3b 100644
--- a/examples/compose/local/authelia/configuration.yml
+++ b/examples/compose/local/authelia/configuration.yml
@@ -3,8 +3,7 @@
# Authelia configuration #
###############################################################
-jwt_secret: a_very_important_secret
-default_redirection_url: https://public.example.com
+default_redirection_url: 'https://public.example.com'
server:
address: 'tcp://:9091'
@@ -15,6 +14,10 @@ log:
totp:
issuer: authelia.com
+identity_validation:
+ reset_password:
+ jwt_secret: 'a_very_important_secret'
+
authentication_backend:
file:
path: /config/users_database.yml
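Review bot: The `identity_validation.reset_password.jwt_secret` entry added to the local example carries no comment, while the lite example in the same commit documents the file-based alternative for the same key. Because the value is a published placeholder, I would add a line above it such as `# Example value only; replace it, or supply it via AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE`. The context lines of this hunk also keep unquoted scalars (`issuer: authelia.com`, `path: /config/users_database.yml`) although the lite example is quoted throughout by this commit; quoting them here would keep the two examples consistent.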