letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
3,012 Commits 2 Branches 1 Tag
ebb4bb9f666d2d97ca9f2beea00849530eebf6dc
Commit Graph

63 Commits

Author SHA1 Message Date
reivilibre
ca05566e82 Add rate-limiting for account recovery and registration (#3093) 
* Add rate-limiting for account recovery and registration

* Rename login ratelimiter `per_address` to `per_ip` for consistency

Co-authored-by: Quentin Gliech <quenting@element.io>
 2024-08-07 17:57:36 +00:00
reivilibre
8f0d7800ff Add configuration for rate-limiting of logins, replacing hardcoded limits (#3090) 2024-08-07 18:36:02 +01:00
Quentin Gliech
58b673d54d Disallow OAuth 2.0 use of the GraphQL API by default 2024-08-07 18:09:51 +02:00
Quentin Gliech
a8cf8c519a Move the account-related options out of experimental 2024-08-01 14:50:21 +02:00
Quentin Gliech
c8b4a17a55 config: allow serving the admin API routes 2024-07-26 11:36:55 +02:00
reivilibre
a4891fa9ef Backend work to support minimum password complexity (#2965) 
* config: Add minimum password complexity option

* PasswordManager: add function for checking if complexity is sufficient

* Enforce password complexity on registration, change and recovery

* cli: Use exit code 1 for weak passwords

This seems preferable to exit code 0, but ideally we should choose one
and document it.

* Expose minimum password complexity score over GraphQL
 2024-07-11 10:17:39 +01:00
Christian Tramnitz
b52342cee5 Fix RFC1918 network in default proxy configuration (#2908) 2024-07-05 08:22:39 +00:00
Quentin Gliech
65c416ff2e New config options to set the database certificates 2024-07-05 09:54:18 +02:00
Quentin Gliech
041c74e7b2 Gate account recovery behing a configuration flag 2024-06-28 15:59:21 +02:00
Quentin Gliech
5e1e27f7ea hCaptcha support 2024-05-15 09:38:10 +02:00
Quentin Gliech
608daa9ac2 Cloudflare Turnstile support 2024-05-15 09:38:10 +02:00
Quentin Gliech
764069b6bc Render reCAPTCHA challenge on the registration form 2024-05-15 09:38:10 +02:00
Quentin Gliech
3e450b50f0 Fix recently added Clippy lints 
This also ignores the clippy::blocks_in_conditions lint in two crates,
until tracing gets fixed: https://github.com/tokio-rs/tracing/issues/2876
 2024-05-07 07:32:02 +02:00
Quentin Gliech
9c22a39c0e Introduce config to restrict user capabilities 2024-04-30 13:33:47 +02:00
Quentin Gliech
f82ad8c0e6 Soft-delete upstream OAuth 2.0 providers on config sync 2024-04-03 09:51:22 +02:00
Quentin Gliech
2d9157986e Allow disabling registrations (#2553) 2024-04-03 09:27:14 +02:00
Quentin Gliech
4674db94f4 Simplify ConfigurationSection trait & skip default values when serializing 
This removes the `test` and `generate` methods from the
`ConfigurationSection` trait, as they did not really had a reason to
exist in the trait itself.
 2024-03-22 13:33:09 +01:00
Quentin Gliech
ff1267eefd Flatten the upstream_oauth2 config section 2024-03-22 13:33:09 +01:00
Quentin Gliech
5eadd1ffbd Flatten the telemetry config section 2024-03-22 13:33:09 +01:00
Quentin Gliech
4fd2bc8000 Flatten the secrets config section 2024-03-22 13:33:09 +01:00
Quentin Gliech
8d41352a1b Clean up the default policy config data 2024-03-22 13:33:09 +01:00
Quentin Gliech
0e7e2e7089 Flatten the passwords config section 2024-03-22 13:33:09 +01:00
Quentin Gliech
0f0dff8c1a Flatten the http config 
Also properly remove the `spa` resource
 2024-03-22 13:33:09 +01:00
Quentin Gliech
fedf41fe38 Flatten the email config 2024-03-22 13:33:09 +01:00
Quentin Gliech
8eff88e9e8 Flatten the database config 2024-03-22 13:33:09 +01:00
Quentin Gliech
f61bdbba72 Flatten the clients config 2024-03-22 13:33:09 +01:00
Quentin Gliech
771b6a2f8b Upgrade OTEL and remove support for Jaeger and Zipkin exporters 2024-03-18 17:26:40 +01:00
Quentin Gliech
dd15135915 Load the additional OAuth parameters from the config 2024-03-01 14:36:37 +01:00
Quentin Gliech
34ce0f3e37 Move schemars to workspace dependencies 
Also enables the `preserve_order` feature, hence the big schema output diff.
 2024-03-01 14:36:37 +01:00
Quentin Gliech
bcf2452c39 Update config schema 
Because enabled the serde_json feature which preserves the order in
dicts, keys moved around in the generated schema.
 2024-02-08 15:28:43 +01:00
Quentin Gliech
36a793b971 Make the claims_imports optional in the config 2023-11-22 15:13:28 +01:00
Quentin Gliech
b7f509532e Add upstream OAuth 2.0 providers name and branding 2023-11-20 17:23:02 +01:00
Quentin Gliech
6942fc4570 Allow endpoints and discovery mode override for upstream oauth2 providers 
This time, at the configuration and database level
 2023-11-17 16:18:39 +01:00
Quentin Gliech
097f314d8b Use minijinja templates to map OIDC claims to user attributes 2023-11-08 12:05:58 +01:00
Quentin Gliech
b96d95792d Add instance privacy policy, TOS and imprint, and loads of design cleanups 2023-10-30 15:55:15 +01:00
Quentin Gliech
fd4481713b Allow running the authentication service on a different base path 2023-10-06 14:07:55 +02:00
Quentin Gliech
ad8cc6be9e templates: add translations function 2023-10-05 19:29:23 +02:00
Quentin Gliech
baaa725fcd Infer client IP address from the peer address and the X-Forwarded-Proxy header 2023-09-20 20:24:30 +02:00
Quentin Gliech
00a4508d87 Rename the 'hack' configuration section to 'experimental' 2023-08-31 18:05:00 +02:00
Quentin Gliech
8d0cf9fdbf Make the access tokens TTL configurable 2023-08-31 18:05:00 +02:00
Quentin Gliech
80b3398424 Make the email verification state more configurable on upstream OAuth 2.0 registration 
This also marks the email as primary
 2023-08-31 14:20:06 +02:00
Quentin Gliech
86d40b0345 Make sure we validate passwords & emails by the policy at all stages 
Also refactors the way we get the policy engines in requests
 2023-08-30 19:39:39 +02:00
Quentin Gliech
a6dc094f09 Move some common dependencies on the workspace level 
Also deprecates the AWS SESv2 transport for emails
 2023-08-14 13:00:01 +02:00
Quentin Gliech
82afe9471c Better frontend assets handling and move the react app to /account/ (#1324) 
This makes the Vite assets handling better, namely:

 - make it possible to include any vite assets in the templates
 - include the right `<link rel="preload">` tags for assets
 - include Subresource Integrity hashes
 - pre-compress assets and remove on-the-fly compression by the Rust server
 - build the CSS used by templates through Vite

It also moves the React app from /app/ to /account/, and remove some of the old SSR account screens.
 2023-07-06 15:30:26 +02:00
Quentin Gliech
439e51ca80 Allow setting a different issuer from the public base URL 2023-06-27 12:53:15 +02:00
Quentin Gliech
086c2c8a8e CLI tool to sync the upstream IDPs with the config 2023-06-26 17:24:56 +02:00
Quentin Gliech
cef7efca8c Define upstream OAuth providers in the config 
And adds CLI tool to sync them with the database (WIP)
 2023-06-26 17:24:56 +02:00
Quentin Gliech
f767130e1b Update the JSON schema 2023-06-14 12:53:48 +02:00
Quentin Gliech
5d14582686 Make password-based login optional 2023-05-23 17:02:02 +02:00
Quentin Gliech
cef2064e99 Lint 2023-04-14 10:22:22 +02:00