security: cure53 fix (#6039)

* ATH-01-001: resolve path and check start before loading blueprints This is even less of an issue since 411ef239f6, since with that commit we only allow files that the listing returns Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: fix missing user filter for webauthn device This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it. * ATH-01-008: fix web forms not submitting correctly when pressing enter When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly This would in the worst case is when setting a user's password, where the new password can end up in the URL, but the password was not actually saved to the user. * ATH-01-004: remove env from admin system endpoint this endpoint already required admin access, but for debugging the env variables are used very little Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-005: use hmac.compare_digest for secret_key authentication Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-009: migrate impersonation to use API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: rework Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-014: save authenticator validation state in flow context Signed-off-by: Jens Langhammer <jens@goauthentik.io> bugfixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-012: escape quotation marks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add website Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update release ntoes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update with all notes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-22 22:25:04 +02:00
parent f099bd764e
commit b0fbd576fc
39 changed files with 505 additions and 329 deletions
--- a/web/src/user/UserInterface.ts
+++ b/web/src/user/UserInterface.ts
@ -11,6 +11,7 @@ import { me } from "@goauthentik/common/users";
 import { first } from "@goauthentik/common/utils";
 import { WebsocketClient } from "@goauthentik/common/ws";
 import { Interface } from "@goauthentik/elements/Base";
+import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/notifications/APIDrawer";
 import "@goauthentik/elements/notifications/NotificationDrawer";
@ -35,7 +36,7 @@ import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 import PFDisplay from "@patternfly/patternfly/utilities/Display/display.css";

-import { EventsApi, SessionUser } from "@goauthentik/api";
+import { CoreApi, EventsApi, SessionUser } from "@goauthentik/api";

 autoDetectLanguage();

@ -233,18 +234,23 @@ export class UserInterface extends Interface {
                            : html``}
                    </div>
                    ${this.me.original
-                        ? html`<div class="pf-c-page__header-tools">
-                              <div class="pf-c-page__header-tools-group">
-                                  <a
-                                      class="pf-c-button pf-m-warning pf-m-small"
-                                      href=${`/-/impersonation/end/?back=${encodeURIComponent(
-                                          `${window.location.pathname}#${window.location.hash}`,
-                                      )}`}
-                                  >
-                                      ${msg("Stop impersonation")}
-                                  </a>
-                              </div>
-                          </div>`
+                        ? html`&nbsp;
+                              <div class="pf-c-page__header-tools">
+                                  <div class="pf-c-page__header-tools-group">
+                                      <ak-action-button
+                                          class="pf-m-warning pf-m-small"
+                                          .apiRequest=${() => {
+                                              return new CoreApi(DEFAULT_CONFIG)
+                                                  .coreUsersImpersonateEndRetrieve()
+                                                  .then(() => {
+                                                      window.location.reload();
+                                                  });
+                                          }}
+                                      >
+                                          ${msg("Stop impersonation")}
+                                      </ak-action-button>
+                                  </div>
+                              </div>`
                        : html``}
                    <div class="pf-c-page__header-tools-group">
                        <div class="pf-c-page__header-tools-item pf-m-hidden pf-m-visible-on-md">