a117918cd6 
					 
					
						
						
							
website/docs: add page about the Cobalt pentest (#12249)

* draft for collab
* links
* added link to see all audits
* corrections and fix explanations
Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com >
---------
Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com >
Co-authored-by: Tana M Berry <tana@goauthentik.com >
Co-authored-by: Fletcher Heisler <fheisler@users.noreply.github.com > 
						
						
					 
					
						2024-12-09 07:57:34 -06:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						3996bdac33 
					 
					
						
						
							
website: Bump prettier from 3.3.3 to 3.4.1 in /website (#12205)

* website: Bump prettier from 3.3.3 to 3.4.1 in /website
Bumps [prettier](https://github.com/prettier/prettier ) from 3.3.3 to 3.4.1.
- [Release notes](https://github.com/prettier/prettier/releases )
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md )
- [Commits](https://github.com/prettier/prettier/compare/3.3.3...3.4.1 )
---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
* update formatting
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sigh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* disable flaky test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2024-11-27 15:14:19 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						6c1ad982a1 
					 
					
						
						
							
website/docs: Fix CSP syntax (#12124)

Fix CSP syntax
Scheme sources need to not have quotes https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#scheme-source 
Signed-off-by: Felix Schäfer <felix.schaefer@tu-dortmund.de > 
						
						
					 
					
						2024-11-25 18:58:44 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						85bb638243 
					 
					
						
						
							
security: fix CVE 2024 52289 (#12113)

* initial migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix loading
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* start dynamic ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* initial ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add serialize
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add error message handling
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix/add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* prepare docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate to new input
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2024-11-21 14:46:43 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						5ea4580884 
					 
					
						
						
							
security: fix CVE 2024 52307 (#12115)

* security: fix CVE-2024-52307
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2024-11-21 14:24:28 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						e9c29e1644 
					 
					
						
						
							
security: fix CVE 2024 52287 (#12114)

* security: CVE-2024-52287
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2024-11-21 14:22:46 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						a9b3a4cf25 
					 
					
						
						
							
website/docs: add CSP to hardening (#11970)

* add CSP to hardening
* re-word docs
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
* fix typo
* use the correct term "location" instead of "origin" in CSP docs
* reword docs
* add comments to permissive CSP directives
* add warning about overwriting existing CSP headers
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com > 
						
						
					 
					
						2024-11-21 14:20:04 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						6b155621fe 
					 
					
						
						
							
blueprints: add default Password policy (#11793)

* add password policy to default password change flow
This change complies with the minimal compositional requirements by
NIST SP 800-63 Digital Identity Guidelines. See
https://pages.nist.gov/800-63-4/sp800-63b.html#password 
More work is needed to comply with other parts of the Guidelines,
specifically
> If the chosen password is found on the blocklist, the CSP or verifier
> [...] SHALL provide the reason for rejection.
and
> Verifiers SHALL offer guidance to the subscriber to assist the user in
> choosing a strong password. This is particularly important following
> the rejection of a password on the blocklist as it discourages trivial
> modification of listed weak passwords.
* add docs for default Password policy
* remove HIBP from default Password policy
* add zxcvbn to default Password policy
* add fallback password error message to password policy, fix validation policy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* reword docs
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
* add HIBP caveat
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
* separate policy into separate blueprint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* use password policy for oobe flow
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* kiss
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com > 
						
						
					 
					
						2024-11-11 13:31:30 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						1932993b2c 
					 
					
						
						
							
website/docs: fix some broken links (#11742)

* Update security-hardening.md broken links
Signed-off-by: Norbert Takács <bokker11@hotmail.com >
* Removed extra link
Signed-off-by: Norbert Takács <bokker11@hotmail.com >
* added space back
Signed-off-by: Norbert Takács <bokker11@hotmail.com >
* fix netlify redirects
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* use relative links
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
---------
Signed-off-by: Norbert Takács <bokker11@hotmail.com >
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space > 
						
						
					 
					
						2024-10-21 09:54:14 -05:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						6d5172d18a 
					 
					
						
						
							
website: latest PR for new Docs structure (#11639)

* first pass
* dependency shenanigans
* move blueprints
* few broken links
* change config to throw errors
* internal file edits
* fighting links
* remove sidebarDev
* fix subdomain
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix relative URL
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix mismatched package versions
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix api reference build
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* test tweak
* links hell
* more links hell
* links hell2
* yep last of the links
* last broken link fixed
* re-add cves
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add devdocs redirects
* add dir
* tweak netlify.toml
* move latest 2 CVES into dir
* fix links to moved cves
* typoed title fix
* fix link
* remove banner
* remove committed api docs
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* integrations: remove version dropdown
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* Update Makefile
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* change doc links in web as well
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fix some more docs paths
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fix more docs paths
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* ci: require ci-web.build for merging
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* Revert "ci: require ci-web.build for merging"
This reverts commit b99a4842a9jens@goauthentik.io >
* remove explicit index.md
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove mdx first
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* then remove .md
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add missing prefix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Tana M Berry <tana@goauthentik.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space > 
						
						
					 
					
						2024-10-09 09:33:40 -05:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						6b2fced1b9 
					 
					
						
						
							
Revert "website: latest migration to new structure" (#11634)

Revert "website: latest migration to new structure (#11522)"
This reverts commit 9a89a5f94b 
						
						
					 
					
						2024-10-09 00:30:50 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						9a89a5f94b 
					 
					
						
						
							
website: latest migration to new structure (#11522)

* first pass
* dependency shenanigans
* move blueprints
* few broken links
* change config to throw errors
* internal file edits
* fighting links
* remove sidebarDev
* fix subdomain
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix relative URL
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix mismatched package versions
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix api reference build
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* test tweak
* links hell
* more links hell
* links hell2
* yep last of the links
* last broken link fixed
* re-add cves
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add devdocs redirects
* add dir
* tweak netlify.toml
* move latest 2 CVES into dir
* fix links to moved cves
* typoed title fix
* fix link
* remove banner
* remove committed api docs
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* integrations: remove version dropdown
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* Update Makefile
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* change doc links in web as well
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fix some more docs paths
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fix more docs paths
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* ci: require ci-web.build for merging
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* Revert "ci: require ci-web.build for merging"
This reverts commit b99a4842a9jens@goauthentik.io >
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Tana M Berry <tana@goauthentik.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space > 
						
						
					 
					
						2024-10-08 14:07:19 -05:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						ba28e6de41 
					 
					
						
						
							
security: fix CVE-2024-47070 (#11536)

* security: fix CVE-2024-47070
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update website/docs/security/CVE-2024-47070.md
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Signed-off-by: Jens L. <jens@beryju.org >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com > 
						
						
					 
					
						2024-09-27 16:18:37 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						97a36b6c4e 
					 
					
						
						
							
security: fix CVE-2024-47077 (#11535)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
						
						
					 
					
						2024-09-27 16:17:07 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						3daf8f8db4 
					 
					
						
						
							
security: fix CVE-2024-42490 (#11022)

CVE-2024-42490
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2024-08-22 17:17:06 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						7fee9fd868 
					 
					
						
						
							
website/docs: fix formatting on CVE-2024-23647 (#10955)

Update CVE-2024-23647.md
Formatting errors fixed
Signed-off-by: Davide <69810644+ItzDavi@users.noreply.github.com > 
						
						
					 
					
						2024-08-19 14:06:44 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						322ae4c4ed 
					 
					
						
						
							
website/docs: add source property mappings, rework provider property mappings (#10652)
						
						
						
						
					 
					
						2024-08-07 19:30:29 +00:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						cc18f352aa 
					 
					
						
						
							
security: fix CVE-2024-37905 (#10230)

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
						
						
					 
					
						2024-06-26 12:07:44 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						422eb0890c 
					 
					
						
						
							
security: fix CVE-2024-38371 (#10229)
						
						
						
						
					 
					
						2024-06-26 11:24:05 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						09cacbd76b 
					 
					
						
						
							
website/docs: add hardening advice and link directly to Cure53 results (#9670)

docs: add hardening advice and link directly to Cure53 results
Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com > 
						
						
					 
					
						2024-05-10 09:07:19 -04:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						85594a119c 
					 
					
						
						
							
website/docs: add new doc about extra steps for hardening authentik (#9649)

* add to sidebar
* tweaks
* tweaks
* add derek edit
* ken edit
* Update website/docs/security/security-hardening.md
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com >
* tweaks
---------
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com >
Co-authored-by: Tana M Berry <tana@goauthentik.com >
Co-authored-by: Jens L. <jens@goauthentik.io > 
						
						
					 
					
						2024-05-09 10:02:51 -05:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						1db322b42f 
					 
					
						
						
							
security: fix CVE-2024-23647 (#8345)

* security: fix CVE-2024-23647
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add website
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2024-01-29 17:40:24 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						6649f7ab72 
					 
					
						
						
							
providers/oauth2: fix CVE-2024-21637 (#8104)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
						
						
					 
					
						2024-01-09 18:14:12 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						f2aa83a731 
					 
					
						
						
							
root: update security policy to include link to cure53 report (#7853)

* add links to the cure53 audit results
* fix link
* link
* fighting with Docu
* removed link for now
* use absolute link
---------
Co-authored-by: Tana Berry <tana@goauthentik.io > 
						
						
					 
					
						2023-12-11 15:26:36 -06:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						b88e39411c 
					 
					
						
						
							
security: fix CVE-2023-48228 (#7666)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
						
						
					 
					
						2023-11-21 18:10:07 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						261879022d 
					 
					
						
						
							
security: fix oobe-flow reuse when akadmin is deleted (#7361)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
						
						
					 
					
						2023-10-28 21:24:06 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						aa874dd92a 
					 
					
						
						
							
security: fix CVE-2023-39522 (#6665)

* stages/email: don't disclose whether a user exists or not when recovering
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update website
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2023-08-29 19:07:49 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						d22d147c8e 
					 
					
						
						
							
security: fix CVE-2023-36456 (#6171)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
						
						
					 
					
						2023-07-06 18:16:26 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						b0fbd576fc 
					 
					
						
						
							
security: cure53 fix (#6039)

* ATH-01-001: resolve path and check start before loading blueprints
This is even less of an issue since 411ef239f6jens@goauthentik.io >
* ATH-01-010: fix missing user filter for webauthn device
This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.
* ATH-01-008: fix web forms not submitting correctly when pressing enter
When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly.
The worst case is when setting a user's password, where the new password can end up in the URL, but the password was not actually saved to the user.
* ATH-01-004: remove env from admin system endpoint
this endpoint already required admin access, but for debugging the env variables are used very little
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ATH-01-005: use hmac.compare_digest for secret_key authentication
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ATH-01-009: migrate impersonation to use API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ATH-01-010: rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ATH-01-014: save authenticator validation state in flow context
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
bugfixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ATH-01-012: escape quotation marks
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add website
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update release notes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update with all notes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2023-06-22 22:25:04 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						972dce1462 
					 
					
						
						
							
security: fix CVE-2023-26481 (#4832)

fix CVE-2023-26481
Signed-off-by: Jens Langhammer <jens@goauthentik.io > 
						
						
					 
					
						2023-03-02 20:15:33 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						7046944bf6 
					 
					
						
						
							
website: link CVE and attribute reporter

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
						
						
					 
					
						2022-12-25 14:17:17 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						9f846d94be 
					 
					
						
						
							
security: fix CVE 2022 23555 (#4274)

* add flow to invitation
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* show warning on invitation page
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* add security advisory
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* add tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org > 
						
						
					 
					
						2022-12-23 14:13:49 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						84fbeb5721 
					 
					
						
						
							
security: fix CVE 2022 46172 (#4275)

* fallback to current user in user_write, add flag to disable user creation
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* update api and web ui
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* update default flows
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* add cve post to website
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* add tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org > 
						
						
					 
					
						2022-12-23 14:12:58 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						db95dfe38d 
					 
					
						
						
							
security: fix CVE 2022 46145 (#4140)

* add flow authentication requirement
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* add website for cve
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* add tests
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* flows: handle FlowNonApplicableException without policy result
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
* add release notes
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org >
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org > 
						
						
					 
					
						2022-12-02 16:14:25 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
						
						147ebf1a5e 
					 
					
						
						
							
root: rework and expand security policy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
						
						
					 
					
						2022-11-28 12:10:53 +01:00