| Age | Commit message | Author |
|
Add the ability for users to change their password from their user settings, without requiring them to use the reset password workflow. Users are required to create an elevated session in order to change their password. Users may not change their password to their current password. The user's current password is required for the password change. Users must follow any established password policies. Administrators are able to turn this feature off.
Closes #3548
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Update the privacy policy acceptance message to use a placeholder-based approach that ensures consistent application branding across all language translations and add server-side validation to verify all translations maintain the required placeholders, preventing runtime issues with missing components.
Signed-off-by: Brynn Crowley <littlehill723@gmail.com>
|
|
This adds rate limits to the TOTP second factor endpoint, the Duo second factor endpoint, Session Elevation endpoint, and the Reset Password endpoint. This protection exists as several configurable tokenized buckets anchored to the user's remote IP address. In the event the rate limit is exceeded by the user the middleware will respond with a 429 status, a Retry-After header, and a JSON body indicating it's rate limited, which the UI will gracefully handle. This has several benefits that complement the 1FA regulation, specifically in simple architectures it limits the number of SMTP sends a unique client can make, as well as the number of requests a particular client can make in general on specific endpoints where too many requests may indicate either a fault or some form of abuse.
Closes #7353, Closes #1947
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This introduces a feature to the claims policy that allows merging the granted audience into the ID Token. This is not traditionally spec compliant but has some specific use cases.
Closes #8619
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds an OLED tuned dark mode theme to the web frontend.
|
|
Add support for passkeys, granular attachment modality, granular authenticator selection, and authenticator filtering which is commonly used in an enterprise environment. This also adds metadata verification elements utilizing the MDS3 to the project, including saving attestation statements, verification of attestation statements, etc. This also makes a significant change to the authentication level logic to purely use RFC8176 authentication method references to ensure the future-proof nature of the implementation. This change paves the way for the future of Authelia ensuring we can add custom policies in the future to allow administrators to very deliberately decide what authentication methods are sufficient for a given resource as well as the ability to clearly communicate these authentication methods to third parties via OpenID Connect 1.0 and SAML 2.0. It should be noted that at the time of this commit Passkey authentication is considered a single factor and we will at a later stage add the customizable policies described here to handle other use cases, though we've included a flag that considers properly implemented passkeys as if they were MFA.
Closes #2827, Closes #2761
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds RFC7516 JSON Web Encryption (JWE) support and the relevant machinery within OAuth 2.0 and OpenID Connect 1.0. Support is available for egress JWTs (such as egress ID Tokens, JWT Profile Access Tokens, Introspection Responses, etc) and for ingress JWTs (such as client assertions, token hints, etc).
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This implements RFC8628 OAuth 2.0 Device Authorization Grant and the accompanying OAuth 2.0 Device Code Flow.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds formal support for the claims parameter.
Closes #2868
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds formal support for the prompt parameter.
Closes #2596
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This fixes an undesirable default method UX where the default method for a browser is not correctly set when they register a new method.
Closes #8345
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
* fix(web): internationalization
* fix(web): internationalization
* fix(web): internationalization
---------
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
* build(deps): update dependency i18next-http-backend to v2.6.2
* fix(web): include i18n initialization in jest test setup
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
---------
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
* build(deps): update dependency @testing-library/jest-dom to v6.6.2
* fix(web): adjust import for jest test setup
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
---------
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
This fixes a UX issue in the UI where the TOTP Credential widget pane shows far too much information. This instead hides most of it behind a dialog.
|
|
In the case where the password reset email takes longer than expected, a user should be given an indication as to what is happening. This disables the login form and buttons once a user initiates the password reset and shows a loading bar. The bar is visible and the form disabled until either the email succeeds or fails. This should also help minimize duplicate emails from clicking the button multiple times.
|
|
This fixes a UX bug where the webauthn credential buttons were crowded.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
When Authelia is configured to only allow Time-based One Time Passwords the layout breaks on a single view, this fixes that issue.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
* build(deps): update typescript-eslint monorepo to v8
* fix(web): remove unused vars
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
---------
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
Inconsistent authenticated layout for Authelia instances with no configured 2FA domains. example.com/authenticated
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
|
|
The upgrade to MUI6 caused a layout issue with the authenticated view in the instance of the WebAuthn option, this resolves that issue.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
* build(deps): update material-ui monorepo to v6
* refactor: mui 6
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
|
|
Update all grids to use the modern grid system in MUI.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
The existing date format for creation time/last used time for 2FA methods in the user settings menu is a bit lengthy and doesn't render too well even on desktop devices. This changes it to a delta-time format. Instead of showing the date, it shows the time since the last event e.g. just now, one day ago, 2 years ago etc. This leads to a better UX.
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This fixes an issue where the UX was not great when adding new credentials with low feedback and the potential to double click the add button.
|
|
This fixes an issue where entering an invalid One-Time Code results in a UI soft-hang. The hang is not a deadlock but it's not very informative.
Fixes #7206
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This reverts commit a99bb6339414275865255e1205831f7e273e1f4b and is the proper fix for #5902. This change adjusts the behaviour if Authelia is run with a sub-path and is visited without a trailing slash on the specified sub-path. In 4.37.5 the base path would get normalized without a trailing slash, however, would cause issues when a refresh was completed while carrying a redirection query string. In 4.38.x this was changed so the sub-path would not be normalized without the trailing slash and that it was therefore necessary. This change in behaviour could be observed as a regression by users with learned behaviours.
Fixes #5902.
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
|
|
* fix(web): resolve path conflicts between backend and frontend
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
* fix(suites): refactor suite pathprefix utils
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
* fix(suites): broken pathprefix for reset password scenario
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
---------
Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
|
|
Fixes a missed change to secret -> client_secret and allows lazy loading optimizations for the layouts. In addition, layouts are not really intended to be parameterized as much as normal components like these are, so it makes sense to remove a few elements to satisfy common use cases within the codebase.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This implements user authorization utilizing the OAuth 2.0 bearer scheme (i.e. RFC6750) for both the authorize code grant and client credentials grant. This effectively allows application "passwords" when used with the client credentials grant.
Closes #2023, Closes #188.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Per our standard review process this adjusts the appropriate elements detected during the review.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds several tests to several areas as per standard security practices, specifically adding a lot of testing to WebAuthn.
|
|
Adds caps lock detection to the password field.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Add tests and adjust tests and code as appropriate. This also ensures we have thorough coverage of the code.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This implements misc fixes as part of one of our betas.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds functionality to the frontend to revoke the Reset Password JWTs.
Closes #136
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This refactors various imports.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This adds customizable options for identity verification where the user can either be required to skip the identity verification requirement when they have performed second factor authentication, or requiring second factor authentication in addition to the identity verification. There are 3 distinct modes. You can require both second factor authentication and the one-time code (recommended), you can require just the one-time code (default), or you can require either second factor authentication or a one-time code (discouraged).
Closes #135
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|
|
This updates various documentation elements for the pending changes.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
|