[BUGFIX] Static Session Expiration Key (#1564)

* [BUGFIX] Static Session Expiration Key

* keys for session expiration are random for each instance of Authelia
* this is caused by upstream setting it to a random value
* using a temporary bugfix fork of github.com/fasthttp/session to resolve locally
* add some misc doc additions

docs/security/measures.md

@@ -138,12 +138,14 @@ to 0 to disable this feature, and set an expiration of something like 2 hours an
 of 10 minutes. This means the hard limit or the time the session will be destroyed no matter
 what is 2 hours, and the soft limit or the time a user can be inactive for is 10 minutes.
 
-### More protections measures with Nginx
+### Additional proxy protection measures
 
-You can also apply the following headers to your nginx configuration for
+You can also apply the following headers to your proxy configuration for
 improving security. Please read the documentation of those headers before
 applying them blindly.
 
+#### nginx
+
 ```
 # We don't want any credentials / TOTP secret key / QR code to be cached by
 # the client
@@ -160,7 +162,54 @@ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 ```
 
-[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+
+#### Traefik 2.x - Kubernetes CRD
+
+```yaml
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: headers-authelia
+spec:
+  headers:
+    browserXssFilter: true
+    customFrameOptionsValue: "SAMEORIGIN"
+    customResponseHeaders:
+      Cache-Control: "no-store"
+      Pragma: "no-cache"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia
+spec:
+  entryPoints:
+    - http
+  routes:
+    - match: Host(`auth.example.com`) && PathPrefix(`/`)
+      kind: Rule
+      priority: 1
+      middlewares:
+        - name: headers-authelia
+          namespace: authelia
+      services:
+        - name: authelia
+          port: 80
+```
+
+#### Traefik 2.x - docker-compose
+
+```yaml
+services:
+  authelia:
+    labels:
+      - "traefik.http.routers.authelia.middlewares=authelia-headers"
+      - "traefik.http.middlewares.authelia-headers.headers.browserXssFilter=true"
+      - "traefik.http.middlewares.authelia-headers.headers.customFrameOptionsValue=SAMEORIGIN"
+      - "traefik.http.middlewares.authelia-headers.headers.customResponseHeaders.Cache-Control=no-store"
+      - "traefik.http.middlewares.authelia-headers.headers.customResponseHeaders.Pragma=no-cache"
+```
 
 ### More protections measures with fail2ban
 
@@ -264,3 +313,6 @@ services:
     volumes:
       - ./authelia:/config
 ```
+
+
+[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

go.mod

@@ -8,19 +8,17 @@ require (
 	github.com/Gurpartap/logrus-stack v0.0.0-20170710170904-89c00d8a28f4
 	github.com/Workiva/go-datastructures v1.0.52
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
+	github.com/authelia/session/v2 v2.3.0
 	github.com/deckarep/golang-set v1.7.1
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/fasthttp/router v1.2.4
-	github.com/fasthttp/session/v2 v2.2.1
 	github.com/go-ldap/ldap/v3 v3.2.3
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/golang/mock v1.4.4
 	github.com/jackc/pgx/v4 v4.8.1
 	github.com/mattn/go-sqlite3 v2.0.3+incompatible
-	github.com/onsi/ginkgo v1.10.3 // indirect
-	github.com/onsi/gomega v1.7.1 // indirect
 	github.com/otiai10/copy v1.2.0
 	github.com/pelletier/go-toml v1.4.0 // indirect
 	github.com/pquerna/otp v1.2.0
@@ -31,7 +29,7 @@ require (
 	github.com/stretchr/testify v1.6.1
 	github.com/tebeka/selenium v0.9.9
 	github.com/tstranex/u2f v1.0.0
-	github.com/valyala/fasthttp v1.15.1
+	github.com/valyala/fasthttp v1.18.0
 	golang.org/x/text v0.3.3
 	gopkg.in/yaml.v2 v2.3.0
 )

internal/session/encrypting_serializer.go

@@ -4,7 +4,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 
-	"github.com/fasthttp/session/v2"
+	"github.com/authelia/session/v2"
 
 	"github.com/authelia/authelia/internal/utils"
 )

internal/session/encrypting_serializer_test.go

@@ -3,7 +3,7 @@ package session
 import (
 	"testing"
 
-	"github.com/fasthttp/session/v2"
+	"github.com/authelia/session/v2"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

internal/session/provider.go

@@ -4,9 +4,9 @@ import (
 	"encoding/json"
 	"time"
 
-	fasthttpsession "github.com/fasthttp/session/v2"
-	"github.com/fasthttp/session/v2/providers/memory"
-	"github.com/fasthttp/session/v2/providers/redis"
+	fasthttpsession "github.com/authelia/session/v2"
+	"github.com/authelia/session/v2/providers/memory"
+	"github.com/authelia/session/v2/providers/redis"
 	"github.com/valyala/fasthttp"
 
 	"github.com/authelia/authelia/internal/configuration/schema"

internal/session/provider_config.go

@@ -3,8 +3,8 @@ package session
 import (
 	"fmt"
 
-	"github.com/fasthttp/session/v2"
-	"github.com/fasthttp/session/v2/providers/redis"
+	"github.com/authelia/session/v2"
+	"github.com/authelia/session/v2/providers/redis"
 
 	"github.com/valyala/fasthttp"
 

internal/session/provider_config_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/fasthttp/session/v2"
+	"github.com/authelia/session/v2"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

internal/session/types.go

@@ -3,8 +3,8 @@ package session
 import (
 	"time"
 
-	"github.com/fasthttp/session/v2"
-	"github.com/fasthttp/session/v2/providers/redis"
+	"github.com/authelia/session/v2"
+	"github.com/authelia/session/v2/providers/redis"
 	"github.com/tstranex/u2f"
 
 	"github.com/authelia/authelia/internal/authentication"