
[SECURITY] Fix Authentication HTTP Status Codes #959

Merged
merged 18 commits into master from fix-1fa-return-codes May 5, 2020

Conversation

james-d-elliott
Member

@james-d-elliott james-d-elliott commented May 2, 2020

Will close #478 when merged. Adds additional mitigation options against #949

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

* use harmonious func to handle all 1FA attempt errors
* always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
@authelia

authelia bot commented May 2, 2020

Artifacts

These changes are published for testing on Buildkite and DockerHub.

Docker Container

  • docker pull authelia/authelia:fix-1fa-return-codes

@james-d-elliott james-d-elliott changed the title Fix 1fa return codes [SECURITY] Fix 1FA HTTP Response Codes May 2, 2020
@james-d-elliott james-d-elliott changed the title [SECURITY] Fix 1FA HTTP Response Codes [SECURITY] Fix Authentication HTTP Status Codes May 2, 2020
Member

@clems4ever clems4ever left a comment


The PR looks good to me overall. We might also want to include fail2ban in a suite to test a concrete use case in the integration phase. We might create another PR for that though.
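The two points raised in this thread, one function through which every first-factor failure is answered with a 401, and a log filter (fail2ban being the concrete case) that can only work once failures stop returning 200, fit in one small program. The following is an added example written for this page, not Authelia's code: the `/api/firstfactor` endpoint, the user store, the access-log lines and the `SampleAccessLog`, `CountFailures` and `IPsToBan` names are all constructed here, and the plain-hash credential check stands in for a real salted password hash.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sort"
	"strings"
)

// Constructed user store for this example only; a real deployment stores salted
// password hashes (argon2id or similar), never plaintext.
var users = map[string]string{"john": "correct horse battery staple"}

type firstFactorRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// checkPassword hashes both sides so the constant-time compare always runs over
// 32 bytes, whether or not the username exists (no early exit on unknown users).
func checkPassword(username, password string) bool {
	stored, ok := users[username]
	want := sha256.Sum256([]byte(stored))
	got := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1 && ok
}

// respondUnauthorized is the single exit for every first-factor failure: same
// status (401) and same generic body whatever the reason, which stays server-side.
func respondUnauthorized(w http.ResponseWriter, reason string) {
	fmt.Printf("first factor failure: %s\n", reason)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusUnauthorized)
	_, _ = w.Write([]byte(`{"status":"KO","message":"Authentication failed. Check your credentials."}`))
}

// FirstFactorHandler is a hypothetical /api/firstfactor endpoint.
func FirstFactorHandler(w http.ResponseWriter, r *http.Request) {
	var req firstFactorRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		respondUnauthorized(w, "malformed body: "+err.Error())
		return
	}
	if !checkPassword(req.Username, req.Password) {
		respondUnauthorized(w, "bad credentials for user "+req.Username)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(`{"status":"OK"}`))
}

// Attempt posts a body to the handler in-process and returns the HTTP status.
func Attempt(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/firstfactor", strings.NewReader(body))
	FirstFactorHandler(rec, req)
	return rec.Code
}

// SampleAccessLog is a constructed reverse-proxy log in combined format: three
// failures from one client, one success and one failure from another, and an
// unauthenticated 401 on a different path that must not count as a login failure.
const SampleAccessLog = `203.0.113.7 - - [02/May/2020:10:00:01 +0000] "POST /api/firstfactor HTTP/1.1" 401 71 "-" "curl/7.68.0"
203.0.113.7 - - [02/May/2020:10:00:02 +0000] "POST /api/firstfactor HTTP/1.1" 401 71 "-" "curl/7.68.0"
198.51.100.4 - - [02/May/2020:10:00:03 +0000] "POST /api/firstfactor HTTP/1.1" 200 15 "-" "Mozilla/5.0"
203.0.113.7 - - [02/May/2020:10:00:04 +0000] "POST /api/firstfactor HTTP/1.1" 401 71 "-" "curl/7.68.0"
198.51.100.4 - - [02/May/2020:10:00:05 +0000] "POST /api/firstfactor HTTP/1.1" 401 71 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2020:10:00:06 +0000] "GET /api/verify HTTP/1.1" 401 0 "-" "Mozilla/5.0"`

// failedFirstFactor is the pattern a fail2ban failregex would carry once
// failures are 401s: client IP in group 1, POST to the endpoint, status 401.
var failedFirstFactor = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "POST /api/firstfactor HTTP/1\.[01]" 401 `)

// CountFailures returns failed first-factor attempts per client IP.
func CountFailures(accessLog string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(accessLog))
	for sc.Scan() {
		if m := failedFirstFactor.FindStringSubmatch(sc.Text()); m != nil {
			counts[m[1]]++
		}
	}
	return counts
}

// IPsToBan lists clients with at least maxRetry failures, sorted for stable output.
func IPsToBan(counts map[string]int, maxRetry int) []string {
	var banned []string
	for ip, n := range counts {
		if n >= maxRetry {
			banned = append(banned, ip)
		}
	}
	sort.Strings(banned)
	return banned
}

func main() {
	fmt.Println("good credentials:", Attempt(`{"username":"john","password":"correct horse battery staple"}`))
	fmt.Println("bad password:", Attempt(`{"username":"john","password":"wrong"}`))
	fmt.Println("unknown user:", Attempt(`{"username":"nobody","password":"wrong"}`))
	fmt.Println("ban list:", IPsToBan(CountFailures(SampleAccessLog), 3))
}
```

The regular expression is the same shape a fail2ban filter would use, with `<HOST>` in place of the leading IP capture; the `/api/verify` line shows why the filter should key on the login endpoint and not on the 401 alone, since a 401 from the verify endpoint is the normal response for any unauthenticated request and would otherwise ban legitimate users.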

@james-d-elliott james-d-elliott marked this pull request as ready for review May 4, 2020 07:37
@james-d-elliott james-d-elliott marked this pull request as draft May 4, 2020 08:49
@james-d-elliott james-d-elliott marked this pull request as ready for review May 4, 2020 10:25
# Conflicts:
#	go.mod
#	internal/handlers/handler_verify.go
* fixup docs and layout of verifySessionHasUpToDateProfile
nightah added a commit that referenced this pull request May 5, 2020
The outstanding recommendations are due to be addressed in #959 and #971 respectively.
@james-d-elliott james-d-elliott merged commit 50f12bc into master May 5, 2020
@james-d-elliott james-d-elliott deleted the fix-1fa-return-codes branch May 5, 2020 21:27
nightah added a commit that referenced this pull request May 6, 2020
* [CI] Add gocritic linter

* Implement gocritic recommendations
The outstanding recommendations are due to be addressed in #959 and #971 respectively.

* Fix implementation tests

* Fix remaining linting issues.

* Fix tests.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Successfully merging this pull request may close these issues.

Make first factor failures non-success status codes for easy log filtering
2 participants