d2b194f6b7
website/docs: add CSP to hardening (cherry-pick #11970 ) ( #12116 )
...
website/docs: add CSP to hardening (#11970 )
* add CSP to hardening
* re-word docs
* fix typo
* use the correct term "location" instead of "origin" in CSP docs
* reword docs
* add comments to permissive CSP directives
* add warning about overwriting existing CSP headers
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
2024-11-21 14:21:11 +01:00
780a59c908
internal: add CSP header to files in /media (cherry-pick #12092 ) ( #12108 )
...
internal: add CSP header to files in `/media` (#12092 )
add CSP header to files in `/media`
This fixes a security issue of stored cross-site scripting via embedding
JavaScript in SVG files by a malicious user with `can_save_media`
capability.
This can be exploited if:
- the uploaded file is served from the same origin as authentik, and
- the user opens the uploaded file directly in their browser
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-21 09:58:42 +01:00
f8015fccd8
website/docs: group CVEs by year (cherry-pick #12099 ) ( #12100 )
...
website/docs: group CVEs by year (#12099 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-20 23:05:37 +01:00
05f4e738a1
root: check remote IP for proxy protocol same as HTTP/etc (cherry-pick #12094 ) ( #12097 )
...
root: check remote IP for proxy protocol same as HTTP/etc (#12094 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-20 21:49:53 +01:00
f535a23c03
root: fix activation of locale not being scoped (cherry-pick #12091 ) ( #12096 )
...
root: fix activation of locale not being scoped (#12091 )
closes #12088
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-20 21:33:08 +01:00
91905530c7
providers/scim: accept string and int for SCIM IDs (cherry-pick #12093 ) ( #12095 )
...
providers/scim: accept string and int for SCIM IDs (#12093 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-20 18:36:50 +01:00
40a970e321
core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (cherry-pick #12080 ) ( #12081 )
...
core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (#12080 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-19 18:33:43 +01:00
b51d8d0ba3
web/flows: fix invisible captcha call (cherry-pick #12048 ) ( #12049 )
...
web/flows: fix invisible captcha call (#12048 )
* fix invisible captcha call
* fix invisible captcha DOM removal
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2024-11-15 18:50:57 +01:00
7e8891338f
rbac: fix incorrect object_description for object-level permissions (cherry-pick #12029 ) ( #12043 )
...
rbac: fix incorrect object_description for object-level permissions (#12029 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-15 14:22:22 +01:00
3ae0001bb5
providers/ldap: fix global search_full_directory permission not being sufficient (cherry-pick #12028 ) ( #12030 )
...
providers/ldap: fix global search_full_directory permission not being sufficient (#12028 )
* providers/ldap: fix global search_full_directory permission not being sufficient
* use full name of permission
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-15 13:52:39 +01:00
66a4970014
release: 2024.10.2
2024-11-14 17:05:40 +01:00
7ab9300761
website/docs: 2024.10.2 release notes (cherry-pick #12025 ) ( #12026 )
...
website/docs: 2024.10.2 release notes (#12025 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-14 17:00:32 +01:00
a2eccd5022
core: use versioned_script for path only (cherry-pick #12003 ) ( #12023 )
...
core: use versioned_script for path only (#12003 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-14 14:03:03 +01:00
31aeaa247f
providers/oauth2: fix manual device code entry (cherry-pick #12017 ) ( #12019 )
...
providers/oauth2: fix manual device code entry (#12017 )
* providers/oauth2: fix manual device code entry
* make code input a char field to prevent leading 0s from being cut off
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-13 21:59:10 +01:00
f49008bbb6
crypto: validate that generated certificate's name is unique (cherry-pick #12015 ) ( #12016 )
...
crypto: validate that generated certificate's name is unique (#12015 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-13 17:05:59 +01:00
feb13c8ee5
providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (cherry-pick #11968 ) ( #12005 )
...
providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968 )
correctly use host_browser's hostname as host header for token requests to ensure Issuer is identical
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-13 00:59:10 +01:00
d5ef831718
web: bump API Client version ( #11992 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# web/package-lock.json
# web/package.json
2024-11-11 14:30:24 +01:00
64676819ec
blueprints: add default Password policy (cherry-pick #11793 ) ( #11993 )
...
blueprints: add default Password policy (#11793 )
* add password policy to default password change flow
This change complies with the minimal compositional requirements by
NIST SP 800-63 Digital Identity Guidelines. See
https://pages.nist.gov/800-63-4/sp800-63b.html#password
More work is needed to comply with other parts of the Guidelines,
specifically
> If the chosen password is found on the blocklist, the CSP or verifier
> [...] SHALL provide the reason for rejection.
and
> Verifiers SHALL offer guidance to the subscriber to assist the user in
> choosing a strong password. This is particularly important following
> the rejection of a password on the blocklist as it discourages trivial
> modification of listed weak passwords.
* add docs for default Password policy
* remove HIBP from default Password policy
* add zxcvbn to default Password policy
* add fallback password error message to password policy, fix validation policy
* reword docs
* add HIBP caveat
* separate policy into separate blueprint
* use password policy for oobe flow
* kiss
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
2024-11-11 13:54:44 +01:00
7ed268fef4
stages/captcha: Run interactive captcha in Frame (cherry-pick #11857 ) ( #11991 )
...
stages/captcha: Run interactive captcha in Frame (#11857 )
* initial turnstile frame
* add interactive flag
* add interactive support for all
* fix missing migration
* don't hide in identification stage if interactive
* fixup
* require less hacky css
* update docs
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-11 13:31:01 +01:00
f6526d1be9
stages/password: use recovery flow from brand (cherry-pick #11953 ) ( #11969 )
...
stages/password: use recovery flow from brand (#11953 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-08 16:56:16 +01:00
12f8b4566b
website/docs: fix slug matching redirect URI causing broken refresh (cherry-pick #11950 ) ( #11954 )
...
website/docs: fix slug matching redirect URI causing broken refresh (#11950 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-07 19:26:49 +01:00
665de8ef22
release: 2024.10.1
2024-11-05 18:06:32 +01:00
9eaa723bf8
website/docs: 2024.10.1 Release Notes (cherry-pick #11926 ) ( #11928 )
...
website/docs: `2024.10.1` Release Notes (#11926 )
* fix API Changes in `2024.10` changelog
* add `2024.10.1` API Changes to changelog
* add changes in `2024.10.1` to changelog
* change `details` to `h3` in changelog
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2024-11-05 18:05:00 +01:00
b2ca9c8cbc
website: remove RC disclaimer for version 2024.10 (cherry-pick #11871 ) ( #11920 )
...
website: remove RC disclaimer for version 2024.10 (#11871 )
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2024-11-05 12:13:11 +01:00
7927392100
website/docs: add info about invalidation flow, default flows in general (cherry-pick #11800 ) ( #11921 )
...
website/docs: add info about invalidation flow, default flows in general (#11800 )
* restructure
* tweak
* fix header
* added more definitions
* jens excellent idea
* restructure the Layouts content
* tweaks
* links fix
* links still
* fighting links and cache
* argh links
* ditto
* remove link
* anothe link
* Jens' edit
* listed default flows set by brand
* add links back
* tweaks
* used import for list
* tweak
* rewrite some stuff
* format
* mangled rebase, fixed
* bump
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Co-authored-by: Tana M Berry <tana@goauthentik.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2024-11-05 12:12:59 +01:00
d8d07e32cb
website: fix docs redirect (cherry-pick #11873 ) ( #11922 )
...
website: fix docs redirect (#11873 )
fix docs redirect
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2024-11-05 12:12:46 +01:00
f7c5d329eb
website/docs: fix release notes to say Federation (cherry-pick #11889 ) ( #11923 )
...
website/docs: fix release notes to say Federation (#11889 )
* fix Federation
* typo
* added back should
* slooooow down
---------
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Co-authored-by: Tana M Berry <tana@goauthentik.com >
2024-11-05 12:12:27 +01:00
92dec32547
enterprise/rac: fix API Schema for invalidation_flow (cherry-pick #11907 ) ( #11908 )
...
enterprise/rac: fix API Schema for invalidation_flow (#11907 )
* enterprise/rac: fix API Schema for invalidation_flow
* fix tests
* add tests
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-11-04 20:42:41 +01:00
510feccd31
core: add None check to a device's extra_description (cherry-pick #11904 ) ( #11906 )
...
core: add `None` check to a device's `extra_description` (#11904 )
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2024-11-04 18:12:34 +01:00
364a9a1f02
web: fix missing status code on failed build ( #11903 )
...
* fix missing status code on failed build
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix locale
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# web/xliff/tr.xlf
2024-11-04 18:06:22 +01:00
40cbb7567b
providers/oauth2: fix size limited index for tokens (cherry-pick #11879 ) ( #11905 )
...
providers/oauth2: fix size limited index for tokens (#11879 )
* providers/oauth2: fix size limited index for tokens
I preserved the migrations as comments so the index IDs and migration
IDs remain searchable without accessing git history.
* rename migration file to more descriptive
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2024-11-04 18:05:55 +01:00
8ad0f63994
website: update supported versions (cherry-pick #11841 ) ( #11872 )
...
website: update supported versions (#11841 )
update supported versions
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2024-10-31 12:59:54 +01:00
6ce33ab912
root: bumpversion 2024.10 ( #11865 )
...
release: 2024.10.0
2024-10-30 22:45:48 +01:00
d96b577abd
web/admin: fix code-based MFA toggle not working in wizard (cherry-pick #11854 ) ( #11855 )
...
web/admin: fix code-based MFA toggle not working in wizard (#11854 )
closes #11834
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-10-29 20:19:54 +01:00
8c547589f6
sources/kerberos: add kiprop to ignored system principals (cherry-pick #11852 ) ( #11853 )
...
sources/kerberos: add kiprop to ignored system principals (#11852 )
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2024-10-29 17:31:32 +01:00
3775e5b84f
website: 2024.10 Release Notes (cherry-pick #11839 ) ( #11840 )
...
website: 2024.10 Release Notes (#11839 )
* generate diffs and changelog
* add 2024.10 release notes
* reorder release note highlights
* lint website
* reorder release note new features
* reword Kerberos
* extend JWE description
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-10-28 17:27:59 +01:00
fa30339f65
website/docs: remove � (cherry-pick #11823 ) ( #11835 )
...
website/docs: remove � (#11823 )
remove �
Signed-off-by: Tobias <5702338+T0biii@users.noreply.github.com >
Co-authored-by: Tobias <5702338+T0biii@users.noreply.github.com >
2024-10-28 13:21:02 +01:00
e825eda106
website/docs: Update social-logins github (cherry-pick #11822 ) ( #11836 )
...
website/docs: Update social-logins github (#11822 )
Update index.md
Signed-off-by: Tobias <5702338+T0biii@users.noreply.github.com >
Co-authored-by: Tobias <5702338+T0biii@users.noreply.github.com >
2024-10-28 13:20:38 +01:00
246cae3dfa
lifecycle: fix kdc5-config missing (cherry-pick #11826 ) ( #11829 )
...
lifecycle: fix kdc5-config missing (#11826 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-10-28 01:15:50 +01:00
6cfd2bd1af
website/docs: update preview status of different features (cherry-pick #11817 ) ( #11818 )
...
website/docs: update preview status of different features (#11817 )
* remove preview from RAC
* add preview page instead of info box
* remove preview from rbac
* add preview to gdtc
* add preview to kerberos source
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-10-25 21:42:45 +02:00
f0e4f93fe6
lifecycle: fix missing krb5 deps for full testing in image (cherry-pick #11815 ) ( #11816 )
...
lifecycle: fix missing krb5 deps for full testing in image (#11815 )
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@goauthentik.io >
2024-10-25 18:46:55 +02:00
434aa57ba7
release: 2024.10.0-rc1
2024-10-25 17:26:39 +02:00
31014ba1e5
translate: Updates for file web/xliff/en.xlf in zh-Hans ( #11810 )
...
* Translate web/xliff/en.xlf in zh-Hans
100% translated source file: 'web/xliff/en.xlf'
on 'zh-Hans'.
* Removing web/xliff/en.xlf in zh-Hans
99% of minimum 100% translated source file: 'web/xliff/en.xlf'
on 'zh-Hans'.
---------
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
2024-10-25 14:54:51 +02:00
5c76145d10
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans ( #11809 )
...
Translate django.po in zh-Hans
100% translated source file: 'django.po'
on 'zh-Hans'.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
2024-10-25 14:39:58 +02:00
cdfe4ccf71
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN ( #11808 )
...
Translate locale/en/LC_MESSAGES/django.po in zh_CN
100% translated source file: 'locale/en/LC_MESSAGES/django.po'
on 'zh_CN'.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
2024-10-25 14:39:42 +02:00
bd21431c53
web: bump API Client version ( #11807 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2024-10-25 14:39:23 +02:00
1c4d4ff5f2
core: bump goauthentik.io/api/v3 from 3.2024083.12 to 3.2024083.13 ( #11806 )
...
Bumps [goauthentik.io/api/v3](https://github.com/goauthentik/client-go ) from 3.2024083.12 to 3.2024083.13.
- [Release notes](https://github.com/goauthentik/client-go/releases )
- [Changelog](https://github.com/goauthentik/client-go/blob/main/model_version_history.go )
- [Commits](https://github.com/goauthentik/client-go/compare/v3.2024083.12...v3.2024083.13 )
---
updated-dependencies:
- dependency-name: goauthentik.io/api/v3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-25 14:39:01 +02:00
5efeae0f39
core: bump ruff from 0.7.0 to 0.7.1 ( #11805 )
...
Bumps [ruff](https://github.com/astral-sh/ruff ) from 0.7.0 to 0.7.1.
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/0.7.0...0.7.1 )
---
updated-dependencies:
- dependency-name: ruff
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-25 14:38:54 +02:00
4253d7e115
core: bump twilio from 9.3.4 to 9.3.5 ( #11804 )
...
Bumps [twilio](https://github.com/twilio/twilio-python ) from 9.3.4 to 9.3.5.
- [Release notes](https://github.com/twilio/twilio-python/releases )
- [Changelog](https://github.com/twilio/twilio-python/blob/main/CHANGES.md )
- [Commits](https://github.com/twilio/twilio-python/compare/9.3.4...9.3.5 )
---
updated-dependencies:
- dependency-name: twilio
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-25 14:38:41 +02:00
0a9d88e49a
core, web: update translations ( #11803 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: rissson <18313093+rissson@users.noreply.github.com >
2024-10-25 14:38:26 +02:00
