This adds a highly experimental option for developers looking to embed Authelia within another go binary.
Closes #5803
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

This adds rate limits to the TOTP second factor endpoint, the Duo second factor endpoint, the Session Elevation endpoint, and the Reset Password endpoint. This protection exists as several configurable tokenized buckets anchored to the user's remote IP address. In the event the rate limit is exceeded by the user, the middleware will respond with a 429 status, a Retry-After header, and a JSON body indicating it's rate limited, which the UI will gracefully handle. This has several benefits that complement the 1FA regulation; specifically, in simple architectures it limits the number of SMTP sends a unique client can make, as well as the number of requests a particular client can make in general on specific endpoints where too many requests may indicate either a fault or some form of abuse.
Closes #7353, Closes #1947
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
* fix: swagger-ui csp and cleanup unnecessary files
This change fixes CSP errors when browsing Swagger and cuts down the binary/image size 10%+ by keeping only required files from the swagger-ui package.
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
* fix(api): fix server url
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
* refactor: set strict csp on static served files
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
---------
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
The Allow header was set instead of the Cross-Origin Resource Sharing header Access-Control-Allow-Methods. This fixes that issue.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

This reverts commit a99bb6339414275865255e1205831f7e273e1f4b and is the proper fix for #5902. This change adjusts the behaviour if Authelia is run with a sub-path and is visited without a trailing slash on the specified sub-path. In 4.37.5 the base path would get normalized without a trailing slash; however, this would cause issues when a refresh was completed while carrying a redirection query string. In 4.38.x this was changed so the sub-path would not be normalized without the trailing slash, which was therefore necessary. This change in behaviour could be observed as a regression by users with learned behaviours.
Fixes #5902.
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This updates the default headers for many endpoints per the OWASP best practices.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This fixes an issue where the session information for the client credentials flow did not populate.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This allows users to customize the authz endpoints.
Closes #2753, Fixes #3716
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This fixes an issue where the form_post response never gets submitted.
Fixes #4669
This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
This refactors a few areas of the server templating and related functions.
Adds support for Envoy and Istio using the X-Authelia-URL header. The documentation will be published just before the release.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Addresses documentation and a couple of headers which were missed.

This fixes an issue with missing modern security headers such as X-Content-Type-Options, Referrer-Policy, etc.
This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins.

This allows overriding translation files in folders with lowercase RFC5646 / BCP47 format language codes. This also fixes an issue where languages which don't expressly match the language code specified due to having a variant will also match the existing codes.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

Adds tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
This adds a Cross Origin Resource Sharing policy that automatically allows any cross-origin request to the OpenID Connect discovery documents.

This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files, we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler.
Fixes #2765
This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets.

This change makes it so only metadata about tokens is stored. Tokens can still be re-signed due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database, at least for now.
* feat: customizable static assets
This change provides the means to override specific assets from the embedded Go FS with files situated on disk.
We only allow overriding the following files currently:
* favicon.ico
* logo.png
* refactor(server): make logo string a const
* refactor(suites): override favicon and use ntp3 in traefik2 suite
* test(suites): test logo override in traefik2 suite
* test(suites): test asset override fallback in traefik suite
Closes #1630.
This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.

OpenID Connect has become a standard when it comes to authentication, and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it.
This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing, such as all OIDC related data being stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance, specifically related to OIDC.
We are still working on adding the remaining set of features before making it GA as soon as possible.
Related to #189
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>

* adjust session refresh to always occur (for disabled users)
* feat: adds filtering option for Request Method in ACLs
* simplify flow of internal/authorization/authorizer.go's methods
* implement query string checking
* utilize authorizer.Object fully
* make matchers uniform
* add tests
* add missing request methods
* add frontend enhancements to handle request method
* add request method to 1FA Handler Suite
* add internal ACL representations (preparsing)
* expand on access_control next
* add docs
* remove unnecessary slice for network names and instead just use a plain string
* add warning for ineffectual bypass policy (due to subjects)
* add user/group wildcard support
* fix(authorization): allow subject rules to match anonymous users
* feat(api): add new params
* docs(api): wording adjustments
* test: add request method into testing and proxy docs
* test: add several checks and refactor schema validation for ACL
* test: add integration test for methods acl
* refactor: apply suggestions from code review
* docs(authorization): update description
* [CI] Add goconst linter
* Implement goconst recommendations
* Rename defaultPolicy to denyPolicy
* Change order for test constants
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* [CI] Add godot linter
* Implement godot recommendations
https://github.com/golang-standards/project-layout