| Age | Commit message | Author |
|
This adds a highly experimental option for developers looking to embed Authelia within another go binary.
Closes #5803
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adjusts the assets validations to only validate the asset overrides.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Update the privacy policy acceptance message to use a placeholder-based approach that ensures consistent application branding across all language translations and add server-side validation to verify all translations maintain the required placeholders, preventing runtime issues with missing components.
Signed-off-by: Brynn Crowley <littlehill723@gmail.com>
|
|
This implements user authorization utilizing the OAuth 2.0 bearer scheme (i.e. RFC6750) for both the authorize code grant and client credentials grant. This effectively allows application "passwords" when used with the client credentials grant.
Closes #2023, Closes #188.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Adds a subpath configuration query parameter to unix sockets and other listeners.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This is intended to clarify some information regarding common configuration examples like buffers, timeouts, etc.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds several tests to current expected scenarios and makes some minor adjustments specifically for testability and consistency. The tests are intended to cover a specific scenario which was described by a user which cannot be replicated at this stage.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This allows listening on unix sockets.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Misc refactoring of the services logic to simplify the
|
|
This fixes a couple of errors that were previously not logged as well as ensuring most templates are appropriately parsed via tests.
|
|
This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
|
|
* refactor: adjust defaults
* refactor: adjust level
* refactor: adjust level
* refactor: fix templates
|
|
This implements and leverages some common library logging interfaces.
|
|
Uses the errgroup package and pattern for supervising services like servers etc.
|
|
Adds ability to record metrics and gather them for Prometheus.
|
|
This fixes an issue where errors handled by the ErrorHandler were not correctly logged. It also ensures the errors are logged with fields to make them easy to diagnose.
Fixes #3506
|
|
This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important.
|
|
This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS, but can easily be expanded in the future to include additional Origins.
|
|
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Mutual TLS helps prevent untrusted clients from communicating with services like Authelia. This can be utilized to reduce the attack surface.
Fixes #3041
|
|
This allows providing a custom URL for password resets. If provided the disable_reset_password option is ignored, the password reset API is disabled, and the button provided in the UI to reset the password redirects users to the configured endpoint.
Closes #1934, Closes #2854
Co-authored-by: you1996 <youssri@flyweight.tech>
|
|
This allows overriding translation files in folders with lowercase RFC5646 / BCP47 Format language codes. This also fixes an issue where languages which don't expressly match the language code specified due to having a variant will also match the existing codes.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
This adjusts the not found handler to not respond with a 404 on not found endpoints that are part of the /api or /.well-known folders, and respond with a 405 when the method isn't implemented.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
Adds tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
|
|
This ensures that: the method set when a user does not have a preference is a method that is available; that if a user has a preferred method that is not available it is changed to an enabled method, with preference put on methods the user has configured; and that the frontend does not show the method selection option when only one method is available.
|
|
This fixes an issue with the healthcheck writing the IPv6 host without brackets.
|
|
This fixes an issue not properly resolved by db6dd32151a8161e8348f32d19a687f0faa16ddf.
|
|
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
|
|
This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable.
|
|
This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler.
Fixes #2765
|
|
This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
|
|
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).
Fixes #1226.
|
|
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.
Closes #594. Closes #1039.
|
|
* feat: customizable static assets
This change provides the means to override specific assets from the embedded Go FS with files situated on disk.
We only allow overriding the following files currently:
* favicon.ico
* logo.png
* refactor(server): make logo string a const
* refactor(suites): override favicon and use ntp3 in traefik2 suite
* test(suites): test logo override in traefik2 suite
* test(suites): test asset override fallback in traefik suite
Closes #1630.
|
|
This utilizes the context of the request and configuration to determine the correct scheme to use for the base URL.
Fixes #2485. Fixes #2476.
|
|
Given the fact that many Linux OSes are defaulting to CGroups v2 and also Authelia changing the default memory config for argon2id, this warning is now obsolete.
|
|
* build: include major in go.mod module directive
* fix: xflags
* revert: cobra changes
* fix: mock doc
|
|
* fix: oidc issuer path and strip path middleware
This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content.
* fix: only log the token error and general refactoring
* refactor: factorize base_url functions
* refactor(server): include all paths in startup logging
* refactor: factorize
* refactor: GetExternalRootURL -> ExternalRootURL
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This makes the healthcheck simple and configured directly by Authelia's configuration on startup.
|
|
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is a very similar library to viper, with fewer dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.
BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
|
|
* fix(handlers,web): user is now redirected when authenticated
Fix: #1788
* remove dead code and fix ci issues
* fix infinite loop in frontend
* fix issue with integration tests
* handle bot recommendation
* fix integration test & add dot to comment
* fix last integration test
* Update api/openapi.yml
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
* Update web/src/services/SafeRedirection.ts
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* Update web/src/services/SafeRedirection.ts
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* Update api/openapi.yml
* Update openapi.yml
* refactor: valid -> safe
* refactor: adjust merge conflicts
* Apply suggestions from code review
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
* fix: adjust test return messaging
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
|
|
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
|
|
OpenID Connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.
This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.
We are still working on adding the remaining set of features before making it GA as soon as possible.
Related to #189
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
|
|
Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e770c3e4c7af9aa5ef8e3e25b9a73eb however this resolves another issue that's related. Additionally this ensures the behavior is tested.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Fixes #1520
Closes #1534
|
|
* feat: go:embed static assets
Go 1.16 introduced the ability to embed files within a generated binary directly with the go tool chain. This simplifies our dependencies and significantly improves the development workflow for future developers.
Key points to note:
Due to the inability to embed files that do not reside within the local package we need to duplicate our `config.template.yml` within `internal/configuration`.
To avoid issues with the development workflow empty mock files have been included within `internal/server/public_html`. These are substituted with the respective generated files during the CI/CD and build workflows.
* fix(suites): increase ldap suite test timeout
* fix(server): fix swagger asset CSP
|
|
* [FEATURE] Add theme support
This change allows users to select a theme for Authelia on start-up.
The default will continue to be the existing theme which is known as `light`.
Three new options are now also provided:
* `dark`
* `grey`
* `custom`
The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal.
Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
* Add themes to integration tests
* Remove custom theme
* Fix linting issue in access_control_test.go
Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
|