pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: pierre:master
Branches Tags
pierre:master
pierre:renovate/base32-0.x-lockfile
pierre:renovate/uuid-1.x-lockfile
pierre:renovate/clap-4.x-lockfile
pierre:renovate/serde-1.x-lockfile
pierre:renovate/serde_json-1.x-lockfile
pierre:renovate/mime_guess-2.x-lockfile
pierre:renovate/log-0.x-lockfile
pierre:renovate/lazy_static-1.x-lockfile
pierre:renovate/url-2.x-lockfile
pierre:renovate/include_dir-0.x-lockfile
pierre:renovate/actix-0.x-lockfile
..
compare: pierre:renovate/url-2.x
Branches Tags
pierre:master
pierre:renovate/base32-0.x-lockfile
pierre:renovate/uuid-1.x-lockfile
pierre:renovate/clap-4.x-lockfile
pierre:renovate/serde-1.x-lockfile
pierre:renovate/serde_json-1.x-lockfile
pierre:renovate/mime_guess-2.x-lockfile
pierre:renovate/log-0.x-lockfile
pierre:renovate/lazy_static-1.x-lockfile
pierre:renovate/url-2.x-lockfile
pierre:renovate/include_dir-0.x-lockfile
pierre:renovate/actix-0.x-lockfile

No commits in common. "master" and "renovate/url-2.x" have entirely different histories.
master ... renovate/u

44 changed files with 4249 additions and 11749 deletions
Show Stats Expand all files Collapse all files

1794
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

43
Cargo.toml
View File

@ -6,37 +6,36 @@ edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
actix = "0.13.3"
actix-identity = "0.7.1"
actix-web = "4.5.1"
actix-session = { version = "0.9.0", features = ["cookie-session"] }
actix = "0.13.1"
actix-identity = "0.6.0"
actix-web = "4"
actix-session = { version = "0.8.0", features = ["cookie-session"] }
actix-remote-ip = "0.1.0"
clap = { version = "4.5.4", features = ["derive", "env"] }
clap = { version = "4.4.8", features = ["derive", "env"] }
include_dir = "0.7.3"
log = "0.4.21"
serde_json = "1.0.116"
serde_yaml = "0.9.34"
env_logger = "0.11.3"
serde = { version = "1.0.200", features = ["derive"] }
bcrypt = "0.15.1"
uuid = { version = "1.8.0", features = ["v4"] }
log = "0.4.20"
serde_json = "1.0.104"
serde_yaml = "0.9.27"
env_logger = "0.10.1"
serde = { version = "1.0.181", features = ["derive"] }
bcrypt = "0.15.0"
uuid = { version = "1.6.1", features = ["v4"] }
mime_guess = "2.0.4"
askama = "0.12.1"
futures-util = "0.3.30"
futures-util = "0.3.29"
urlencoding = "2.1.3"
rand = "0.8.5"
base64 = "0.22.1"
jwt-simple = { version = "0.12.9", default-features = false, features = ["pure-rust"] }
base64 = "0.21.3"
jwt-simple = "0.11.9"
digest = "0.10.7"
sha2 = "0.10.8"
lazy-regex = "3.1.0"
totp_rfc6238 = "0.5.3"
base32 = "0.5.0"
totp_rfc6238 = "0.5.1"
base32 = "0.4.0"
qrcode-generator = "4.1.9"
webauthn-rs = { version = "0.5.0", features = ["danger-allow-state-serialisation"] }
webauthn-rs = { version = "0.4.8", features = ["danger-allow-state-serialisation"] }
url = "2.5.0"
light-openid = { version = "1.0.2", features = ["crypto-wrapper"] }
light-openid = { version = "1.0.1", features=["crypto-wrapper"] }
bincode = "2.0.0-rc.3"
chrono = "0.4.38"
lazy_static = "1.4.0"
mailchecker = "6.0.4"
chrono = "0.4.31"
lazy_static = "1.4.0"

2
Dockerfile
View File

@ -1,4 +1,4 @@
FROM debian:bookworm-slim
FROM debian:bullseye-slim
RUN apt-get update \
&& apt-get install -y libcurl4 \

35
README.md
View File

@ -13,37 +13,15 @@ BasicOIDC operates without any database, just with three files :
## Configuration
You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax :
```yaml
# Client ID
- id: gitea
# Client name
name: Gitea
# Client description
description: Git with a cup of tea
# Client secret. Specify this value to use authorization code flow, remove it for implicit authentication flow
secret: TOP_SECRET
# The URL where user shall be redirected after authentication
redirect_uri: https://mygit.mywebsite.com/
# Optional, If you want new accounts to be granted access to this client by default
# If you want new accounts to be granted access to this client by default
default: true
# Optional, If you want the client to be granted to every user, regardless their account configuration
# If you want the client to be granted to every users, regardless their account configuration
granted_to_all_users: true
# Optional, If you want users to have performed recent second factor authentication before accessing this client, set this setting to true
enforce_2fa_auth: true
# Optional, claims to be added to the ID token payload.
# The following placeholders can be set, they will the replaced when the token is created:
# * {username}: user name of the user
# * {mail}: email address of the user
# * {first_name}: first name of the user
# * {last_name}: last name of the user
# * {uid}: user id of the user
claims_id_token:
groups: ["group_{user}"]
service: "auth"
# Optional, claims to be added to the user info endpoint response
# The placeholders of `claims_id_token` can also be used here
claims_user_info:
groups: ["group_{user}"]
service: "auth"
```
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
@ -52,10 +30,9 @@ In order to run BasicOIDC for development, you will need to create a least an em
## Features
* [x] `authorization_code` flow
* [x] `implicit` flow
* [x] Client authentication using secrets
* [x] Bruteforce protection
* [x] 2 factors authentication
* [x] 2 factor authentication
* [x] TOTP (authenticator app)
* [x] Using a security key (Webauthn)
* [ ] Fully responsive webui
@ -86,13 +63,11 @@ cargo build --release
If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address):
```bash
export IP=192.168.2.103
# In a shell, start BasicOID
RUST_LOG=debug cargo run -- -s storage -w "http://$IP.nip.io:8000"
RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"
# In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://$IP.nip.io:8000 --http-address 0.0.0.0:4180 --upstream http://$IP --redirect-url http://$IP:4180/oauth2/callback --cookie-secure=false
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180 --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false
```
Corresponding client configuration:

61
assets/css/base_login_page.css
View File

@ -1,14 +1,14 @@
html,
body {
height: 100%;
height: 100%;
}
body {
display: flex;
align-items: center;
padding-top: 40px;
padding-bottom: 40px;
/* background-color: #f5f5f5; */
display: flex;
align-items: center;
padding-top: 40px;
padding-bottom: 40px;
/* background-color: #f5f5f5; */
}
/* background */
@ -26,57 +26,50 @@ body {
}
.form-signin {
width: 100%;
max-width: 330px;
padding: 15px;
margin: auto;
width: 100%;
max-width: 330px;
padding: 15px;
margin: auto;
}
.form-signin .checkbox {
font-weight: 400;
font-weight: 400;
}
.form-signin .form-floating:focus-within {
z-index: 2;
z-index: 2;
}
.form-floating:first-child input {
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
}
.form-floating:not(:first-child):not(:last-child) input {
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
}
.form-floating:last-child input {
margin-bottom: 10px;
border-top-left-radius: 0;
border-top-right-radius: 0;
margin-bottom: 10px;
border-top-left-radius: 0;
border-top-right-radius: 0;
}
.form-control {
background-color: var(--bs-gray-700);
color: var(--bs-gray-100);
background-color: var(--bs-gray-700);
color: var(--bs-gray-100);
}
.form-control:focus {
background-color: var(--bs-gray-600);
color: var(--bs-gray-100);
background-color: var(--bs-gray-600);
color: var(--bs-gray-100);
}
.text-muted {
color: #c6c4c4 !important;
}
.form-floating > .form-control:focus ~ label::after,
.form-floating > .form-control:not(:placeholder-shown) ~ label::after,
.form-floating > .form-control-plaintext ~ label::after,
.form-floating > .form-select ~ label::after {
background-color: unset !important;
}

8
assets/css/base_settings_page.css
View File

@ -12,12 +12,4 @@ body {
.page_body {
padding: 3rem;
overflow-y: scroll;
}
.nav-link.link-dark {
color: white !important;
}
.form-control::placeholder {
color: #555;
}

6921
assets/css/bootstrap.css vendored
View File

File diff suppressed because it is too large Load Diff

6315
assets/js/bootstrap.bundle.min.js vendored
View File

File diff suppressed because one or more lines are too long

2
renovate.json
View File

@ -2,7 +2,7 @@
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"matchUpdateTypes": ["major", "minor", "patch"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
}
]

5
src/constants.rs
View File

@ -29,10 +29,6 @@ pub const MAX_SECOND_FACTOR_NAME_LEN: usize = 25;
/// exempted from this IP address to use 2FA
pub const SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN: u64 = 7 * 24 * 3600;
/// The maximum acceptable interval of time between last two factors authentication of a user and
/// access to a critical route / a critical client
pub const SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS: u64 = 60 * 10;
/// Minimum password length
pub const MIN_PASS_LEN: usize = 4;
@ -69,7 +65,6 @@ pub const OPEN_ID_AUTHORIZATION_CODE_LEN: usize = 120;
pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300;
pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;
pub const OPEN_ID_ACCESS_TOKEN_TIMEOUT: u64 = 3600;
pub const OPEN_ID_ID_TOKEN_TIMEOUT: u64 = 3600;
pub const OPEN_ID_REFRESH_TOKEN_LEN: usize = 120;
pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000;

8
src/controllers/admin_api.rs
View File

@ -4,10 +4,8 @@ use actix_web::{web, HttpResponse, Responder};
use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersActor};
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser;
use crate::data::user::UserID;
use crate::utils::string_utils;
#[derive(serde::Deserialize)]
pub struct FindUserNameReq {
@ -20,14 +18,9 @@ struct FindUserResult {
}
pub async fn find_username(
_critical: CriticalRoute,
req: web::Form<FindUserNameReq>,
users: web::Data<Addr<UsersActor>>,
) -> impl Responder {
if !string_utils::is_acceptable_login(&req.username) {
return HttpResponse::BadRequest().json("Invalid login!");
}
let res = users
.send(FindUserByUsername(req.0.username))
.await
@ -43,7 +36,6 @@ pub struct DeleteUserReq {
}
pub async fn delete_user(
_critical: CriticalRoute,
user: CurrentUser,
req: web::Form<DeleteUserReq>,
users: web::Data<Addr<UsersActor>>,

34
src/controllers/admin_controller.rs
View File

@ -12,24 +12,22 @@ use crate::controllers::settings_controller::BaseSettingsPage;
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig;
use crate::data::client::{Client, ClientID, ClientManager};
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser;
use crate::data::provider::{Provider, ProviderID, ProvidersManager};
use crate::data::user::{GeneralSettings, GrantedClients, User, UserID};
use crate::utils::string_utils;
use crate::utils::string_utils::rand_str;
#[derive(Template)]
#[template(path = "settings/clients_list.html")]
struct ClientsListTemplate<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
clients: Vec<Client>,
}
#[derive(Template)]
#[template(path = "settings/providers_list.html")]
struct ProvidersListTemplate<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
providers: Vec<Provider>,
redirect_url: String,
}
@ -37,14 +35,14 @@ struct ProvidersListTemplate<'a> {
#[derive(Template)]
#[template(path = "settings/users_list.html")]
struct UsersListTemplate<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
users: Vec<User>,
}
#[derive(Template)]
#[template(path = "settings/edit_user.html")]
struct EditUserTemplate<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
u: User,
clients: Vec<Client>,
providers: Vec<Provider>,
@ -56,7 +54,7 @@ pub async fn clients_route(
) -> impl Responder {
HttpResponse::Ok().body(
ClientsListTemplate {
p: BaseSettingsPage::get("Clients list", &user, None, None),
_p: BaseSettingsPage::get("Clients list", &user, None, None),
clients: clients.cloned(),
}
.render()
@ -70,7 +68,7 @@ pub async fn providers_route(
) -> impl Responder {
HttpResponse::Ok().body(
ProvidersListTemplate {
p: BaseSettingsPage::get("OpenID Providers list", &user, None, None),
_p: BaseSettingsPage::get("OpenID Providers list", &user, None, None),
providers: providers.cloned(),
redirect_url: AppConfig::get().oidc_provider_redirect_url(),
}
@ -99,7 +97,6 @@ pub struct UpdateUserQuery {
}
pub async fn users_route(
_critical: CriticalRoute,
admin: CurrentUser,
users: web::Data<Addr<UsersActor>>,
update_query: Option<web::Form<UpdateUserQuery>>,
@ -108,16 +105,7 @@ pub async fn users_route(
let mut danger = None;
let mut success = None;
// Check update query for invalid input
if update_query
.as_ref()
.map(|l| string_utils::is_acceptable_login(&l.username))
== Some(false)
{
danger = Some("Invalid login provided, the modifications could not be saved!".to_string());
}
// Perform request (if any)
else if let Some(update) = update_query {
if let Some(update) = update_query {
let edited_user: Option<User> = users
.send(users_actor::GetUserRequest(update.uid.clone()))
.await
@ -292,7 +280,7 @@ pub async fn users_route(
HttpResponse::Ok().body(
UsersListTemplate {
p: BaseSettingsPage::get("Users list", &admin, danger, success),
_p: BaseSettingsPage::get("Users list", &admin, danger, success),
users,
}
.render()
@ -301,7 +289,6 @@ pub async fn users_route(
}
pub async fn create_user(
_critical: CriticalRoute,
admin: CurrentUser,
clients: web::Data<Arc<ClientManager>>,
providers: web::Data<Arc<ProvidersManager>>,
@ -319,7 +306,7 @@ pub async fn create_user(
HttpResponse::Ok().body(
EditUserTemplate {
p: BaseSettingsPage::get("Create a new user", admin.deref(), None, None),
_p: BaseSettingsPage::get("Create a new user", admin.deref(), None, None),
u: user,
clients: clients.cloned(),
providers: providers.cloned(),
@ -335,7 +322,6 @@ pub struct EditUserQuery {
}
pub async fn edit_user(
_critical: CriticalRoute,
admin: CurrentUser,
clients: web::Data<Arc<ClientManager>>,
providers: web::Data<Arc<ProvidersManager>>,
@ -350,7 +336,7 @@ pub async fn edit_user(
HttpResponse::Ok().body(
EditUserTemplate {
p: BaseSettingsPage::get(
_p: BaseSettingsPage::get(
"Edit user account",
admin.deref(),
match edited_account.is_none() {

8
src/controllers/login_api.rs
View File

@ -25,6 +25,10 @@ pub async fn auth_webauthn(
users: web::Data<Addr<UsersActor>>,
logger: ActionLogger,
) -> impl Responder {
if !SessionIdentity(Some(&id)).need_2fa_auth() {
return HttpResponse::Unauthorized().json("No 2FA required!");
}
let user_id = SessionIdentity(Some(&id)).user_id();
match manager.finish_authentication(&user_id, &req.opaque_state, &req.credential) {
@ -37,9 +41,7 @@ pub async fn auth_webauthn(
.await
.unwrap();
let session = SessionIdentity(Some(&id));
session.record_2fa_auth(&http_req);
session.set_status(&http_req, SessionStatus::SignedIn);
SessionIdentity(Some(&id)).set_status(&http_req, SessionStatus::SignedIn);
logger.log(Action::LoginWebauthnAttempt {
success: true,
user_id,

59
src/controllers/login_controller.rs
View File

@ -13,13 +13,11 @@ use crate::controllers::base_controller::{
build_fatal_error_page, redirect_user, redirect_user_for_login,
};
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::force_2fa_auth::Force2FAAuth;
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
use crate::data::login_redirect::LoginRedirect;
use crate::data::provider::{Provider, ProvidersManager};
use crate::data::session_identity::{SessionIdentity, SessionStatus};
use crate::data::user::User;
use crate::data::webauthn_manager::WebAuthManagerReq;
use crate::utils::string_utils;
pub struct BaseLoginPage<'a> {
pub danger: Option<String>,
@ -32,7 +30,7 @@ pub struct BaseLoginPage<'a> {
#[derive(Template)]
#[template(path = "login/login.html")]
struct LoginTemplate<'a> {
p: BaseLoginPage<'a>,
_p: BaseLoginPage<'a>,
login: String,
providers: Vec<Provider>,
}
@ -40,27 +38,27 @@ struct LoginTemplate<'a> {
#[derive(Template)]
#[template(path = "login/password_reset.html")]
struct PasswordResetTemplate<'a> {
p: BaseLoginPage<'a>,
_p: BaseLoginPage<'a>,
min_pass_len: usize,
}
#[derive(Template)]
#[template(path = "login/choose_second_factor.html")]
struct ChooseSecondFactorTemplate<'a> {
p: BaseLoginPage<'a>,
_p: BaseLoginPage<'a>,
user: &'a User,
}
#[derive(Template)]
#[template(path = "login/otp_input.html")]
struct LoginWithOTPTemplate<'a> {
p: BaseLoginPage<'a>,
_p: BaseLoginPage<'a>,
}
#[derive(Template)]
#[template(path = "login/webauthn_input.html")]
struct LoginWithWebauthnTemplate<'a> {
p: BaseLoginPage<'a>,
_p: BaseLoginPage<'a>,
opaque_state: String,
challenge_json: String,
}
@ -129,21 +127,14 @@ pub async fn login_route(
}
// Check if the user has to validate a second factor
else if SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user(&get_2fa_url(&query.redirect, false));
}
// Check if given login is not acceptable
else if req
.as_ref()
.map(|r| string_utils::is_acceptable_login(&r.login))
== Some(false)
{
danger = Some(
"Given login could not be processed, because it has an invalid format!".to_string(),
);
return redirect_user(&format!(
"/2fa_auth?redirect={}",
query.redirect.get_encoded()
));
}
// Try to authenticate user
else if let Some(req) = &req {
login.clone_from(&req.login);
login = req.login.clone();
let response: LoginResult = users
.send(users_actor::LocalLoginRequest {
login: login.clone(),
@ -208,7 +199,7 @@ pub async fn login_route(
HttpResponse::Ok().content_type("text/html").body(
LoginTemplate {
p: BaseLoginPage {
_p: BaseLoginPage {
page_title: "Login",
danger,
success,
@ -256,7 +247,7 @@ pub async fn reset_password_route(
let user_id = SessionIdentity(id.as_ref()).user_id();
// Check if user is setting a new password
// Check if user is setting a new password
if let Some(req) = &req {
if req.password.len() < MIN_PASS_LEN {
danger = Some("Password is too short!".to_string());
@ -282,7 +273,7 @@ pub async fn reset_password_route(
HttpResponse::Ok().content_type("text/html").body(
PasswordResetTemplate {
p: BaseLoginPage {
_p: BaseLoginPage {
page_title: "Password reset",
danger,
success: None,
@ -309,9 +300,8 @@ pub async fn choose_2fa_method(
id: Option<Identity>,
query: web::Query<ChooseSecondFactorQuery>,
users: web::Data<Addr<UsersActor>>,
force2faauth: Force2FAAuth,
) -> impl Responder {
if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
if !SessionIdentity(id.as_ref()).need_2fa_auth() {
log::trace!("User does not require 2fa auth, redirecting");
return redirect_user_for_login(query.redirect.get());
}
@ -328,12 +318,12 @@ pub async fn choose_2fa_method(
// Automatically choose factor if there is only one factor
if user.get_distinct_factors_types().len() == 1 && !query.force_display {
log::trace!("User has only one factor, using it by default");
return redirect_user(&user.two_factor[0].login_url(&query.redirect, true));
return redirect_user(&user.two_factor[0].login_url(&query.redirect));
}
HttpResponse::Ok().content_type("text/html").body(
ChooseSecondFactorTemplate {
p: BaseLoginPage {
_p: BaseLoginPage {
page_title: "Two factor authentication",
danger: None,
success: None,
@ -359,7 +349,6 @@ pub struct LoginWithOTPForm {
}
/// Login with OTP
#[allow(clippy::too_many_arguments)]
pub async fn login_with_otp(
id: Option<Identity>,
query: web::Query<LoginWithOTPQuery>,
@ -368,11 +357,10 @@ pub async fn login_with_otp(
http_req: HttpRequest,
remote_ip: RemoteIP,
logger: ActionLogger,
force2faauth: Force2FAAuth,
) -> impl Responder {
let mut danger = None;
if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
if !SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user_for_login(query.redirect.get());
}
@ -409,9 +397,7 @@ pub async fn login_with_otp(
.await
.unwrap();
let session = SessionIdentity(id.as_ref());
session.record_2fa_auth(&http_req);
session.set_status(&http_req, SessionStatus::SignedIn);
SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
logger.log(Action::OTPLoginAttempt {
success: true,
user: &user,
@ -422,7 +408,7 @@ pub async fn login_with_otp(
HttpResponse::Ok().body(
LoginWithOTPTemplate {
p: BaseLoginPage {
_p: BaseLoginPage {
danger,
success: None,
page_title: "Two-Factor Auth",
@ -447,9 +433,8 @@ pub async fn login_with_webauthn(
query: web::Query<LoginWithWebauthnQuery>,
manager: WebAuthManagerReq,
users: web::Data<Addr<UsersActor>>,
force2faauth: Force2FAAuth,
) -> impl Responder {
if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
if !SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user_for_login(query.redirect.get());
}
@ -488,7 +473,7 @@ pub async fn login_with_webauthn(
HttpResponse::Ok().body(
LoginWithWebauthnTemplate {
p: BaseLoginPage {
_p: BaseLoginPage {
danger: None,
success: None,
page_title: "Two-Factor Auth",

235
src/controllers/openid_controller.rs
View File

@ -13,15 +13,14 @@ use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, Session
use crate::actors::users_actor::UsersActor;
use crate::actors::{openid_sessions_actor, users_actor};
use crate::constants::*;
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
use crate::controllers::base_controller::build_fatal_error_page;
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig;
use crate::data::client::{AdditionalClaims, AuthenticationFlow, ClientID, ClientManager};
use crate::data::client::{ClientID, ClientManager};
use crate::data::code_challenge::CodeChallenge;
use crate::data::current_user::CurrentUser;
use crate::data::id_token::IdToken;
use crate::data::jwt_signer::{JWTSigner, JsonWebKey};
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
use crate::data::session_identity::SessionIdentity;
use crate::data::user::User;
@ -32,7 +31,6 @@ pub async fn get_configuration(req: HttpRequest) -> impl Responder {
let is_secure_request = req
.headers()
.get("HTTP_X_FORWARDED_PROTO")
.or_else(|| req.headers().get("X-Forwarded-Proto"))
.map(|v| v.to_str().unwrap_or_default().to_lowercase().eq("https"))
.unwrap_or(false);
@ -98,7 +96,7 @@ pub struct AuthorizeQuery {
redirect_uri: String,
/// RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
state: Option<String>,
state: String,
/// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.
nonce: Option<String>,
@ -119,78 +117,61 @@ fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> Htt
.append_header((
"Location",
format!(
"{}?error={}?error_description={}{}",
"{}?error={}?error_description={}&state={}",
query.redirect_uri,
urlencoding::encode(error),
urlencoding::encode(description),
match &query.state {
Some(s) => format!("&state={}", urlencoding::encode(s)),
None => "".to_string(),
}
urlencoding::encode(&query.state)
),
))
.finish()
}
#[allow(clippy::too_many_arguments)]
pub async fn authorize(
req: HttpRequest,
user: CurrentUser,
id: Identity,
query: web::Query<AuthorizeQuery>,
clients: web::Data<Arc<ClientManager>>,
sessions: web::Data<Addr<OpenIDSessionsActor>>,
logger: ActionLogger,
jwt_signer: web::Data<JWTSigner>,
) -> actix_web::Result<HttpResponse> {
) -> impl Responder {
let client = match clients.find_by_id(&query.client_id) {
None => {
return Ok(
HttpResponse::BadRequest().body(build_fatal_error_page("Client is invalid!"))
);
return HttpResponse::BadRequest().body(build_fatal_error_page("Client is invalid!"));
}
Some(c) => c,
};
// Check if 2FA is required
if client.enforce_2fa_auth && user.should_request_2fa_for_critical_functions() {
let uri = get_2fa_url(&LoginRedirect::from_req(&req), true);
return Ok(redirect_user(&uri));
}
// Validate specified redirect URI
let redirect_uri = query.redirect_uri.trim().to_string();
if !redirect_uri.starts_with(&client.redirect_uri) {
return Ok(
HttpResponse::BadRequest().body(build_fatal_error_page("Redirect URI is invalid!"))
);
return HttpResponse::BadRequest().body(build_fatal_error_page("Redirect URI is invalid!"));
}
if !query.scope.split(' ').any(|x| x == "openid") {
return Ok(error_redirect(
&query,
"invalid_request",
"openid scope missing!",
));
return error_redirect(&query, "invalid_request", "openid scope missing!");
}
if query.state.as_ref().map(String::is_empty).unwrap_or(false) {
return Ok(error_redirect(
if !query.response_type.eq("code") {
return error_redirect(
&query,
"invalid_request",
"State is specified but empty!",
));
"Only code response type is supported!",
);
}
if query.state.is_empty() {
return error_redirect(&query, "invalid_request", "State is empty!");
}
let code_challenge = match query.0.code_challenge.clone() {
Some(chal) => {
let meth = query.0.code_challenge_method.as_deref().unwrap_or("plain");
if !meth.eq("S256") && !meth.eq("plain") {
return Ok(error_redirect(
return error_redirect(
&query,
"invalid_request",
"Only S256 and plain code challenge methods are supported!",
));
);
}
Some(CodeChallenge {
code_challenge: chal,
@ -202,111 +183,49 @@ pub async fn authorize(
// Check if user is authorized to access the application
if !user.can_access_app(&client) {
return Ok(error_redirect(
return error_redirect(
&query,
"invalid_request",
"User is not authorized to access this application!",
));
);
}
// Check that requested authorization flow is supported
if query.response_type != "code" && query.response_type != "id_token" {
return Ok(error_redirect(
&query,
"invalid_request",
"Unsupported authorization flow!",
));
}
// Save all authentication information in memory
let session = Session {
session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
client: client.id.clone(),
user: user.uid.clone(),
auth_time: SessionIdentity(Some(&id)).auth_time(),
redirect_uri,
authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
access_token: None,
access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
refresh_token: "".to_string(),
refresh_token_expire_at: 0,
nonce: query.0.nonce,
code_challenge,
};
sessions
.send(openid_sessions_actor::PushNewSession(session.clone()))
.await
.unwrap();
match (client.auth_flow(), query.response_type.as_str()) {
(AuthenticationFlow::AuthorizationCode, "code") => {
// Save all authentication information in memory
let session = Session {
session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
client: client.id.clone(),
user: user.uid.clone(),
auth_time: SessionIdentity(Some(&id)).auth_time(),
redirect_uri,
authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
access_token: None,
access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
refresh_token: "".to_string(),
refresh_token_expire_at: 0,
nonce: query.0.nonce,
code_challenge,
};
sessions
.send(openid_sessions_actor::PushNewSession(session.clone()))
.await
.unwrap();
log::trace!("New OpenID session: {:#?}", session);
logger.log(Action::NewOpenIDSession { client: &client });
log::trace!("New OpenID session: {:#?}", session);
logger.log(Action::NewOpenIDSession { client: &client });
Ok(HttpResponse::Found()
.append_header((
"Location",
format!(
"{}?{}session_state={}&code={}",
session.redirect_uri,
match &query.0.state {
Some(state) => format!("state={}&", urlencoding::encode(state)),
None => "".to_string(),
},
urlencoding::encode(&session.session_id.0),
urlencoding::encode(&session.authorization_code)
),
))
.finish())
}
(AuthenticationFlow::Implicit, "id_token") => {
let id_token = IdToken {
issuer: AppConfig::get().website_origin.to_string(),
subject_identifier: user.uid.0.clone(),
audience: client.id.0.to_string(),
expiration_time: time() + OPEN_ID_ID_TOKEN_TIMEOUT,
issued_at: time(),
auth_time: SessionIdentity(Some(&id)).auth_time(),
nonce: query.nonce.clone(),
email: user.email.clone(),
additional_claims: client.claims_id_token(&user),
};
log::trace!("New OpenID id token: {:#?}", &id_token);
logger.log(Action::NewOpenIDSuccessfulImplicitAuth { client: &client });
Ok(HttpResponse::Found()
.append_header((
"Location",
format!(
"{}?{}token_type=bearer&id_token={}&expires_in={OPEN_ID_ID_TOKEN_TIMEOUT}",
client.redirect_uri,
match &query.0.state {
Some(state) => format!("state={}&", urlencoding::encode(state)),
None => "".to_string(),
},
jwt_signer.sign_token(id_token.to_jwt_claims())?
),
))
.finish())
}
(flow, code) => {
log::warn!(
"For client {:?}, configured with flow {:?}, made request with code {}",
client.id,
flow,
code
);
Ok(error_redirect(
&query,
"invalid_request",
"Requested authentication flow is unsupported / not configured for this client!",
))
}
}
HttpResponse::Found()
.append_header((
"Location",
format!(
"{}?state={}&session_state={}&code={}",
session.redirect_uri,
urlencoding::encode(&query.0.state),
urlencoding::encode(&session.session_id.0),
urlencoding::encode(&session.authorization_code)
),
))
.finish()
}
#[derive(serde::Serialize)]
@ -417,8 +336,7 @@ pub async fn token(
.find_by_id(&client_id)
.ok_or_else(|| ErrorUnauthorized("Client not found"))?;
// Retrieving token requires the client to have a defined secret
if client.secret != Some(client_secret) {
if !client.secret.eq(&client_secret) {
return Ok(error_response(
&query,
"invalid_request",
@ -535,8 +453,7 @@ pub async fn token(
issued_at: time(),
auth_time: session.auth_time,
nonce: session.nonce,
email: user.email.to_string(),
additional_claims: client.claims_id_token(&user),
email: user.email,
};
OpenIDTokenResponse {
@ -644,7 +561,6 @@ pub async fn user_info_post(
query: web::Query<UserInfoQuery>,
sessions: web::Data<Addr<OpenIDSessionsActor>>,
users: web::Data<Addr<UsersActor>>,
clients: web::Data<Arc<ClientManager>>,
) -> impl Responder {
user_info(
req,
@ -653,7 +569,6 @@ pub async fn user_info_post(
.or(query.0.access_token),
sessions,
users,
clients,
)
.await
}
@ -663,18 +578,8 @@ pub async fn user_info_get(
query: web::Query<UserInfoQuery>,
sessions: web::Data<Addr<OpenIDSessionsActor>>,
users: web::Data<Addr<UsersActor>>,
clients: web::Data<Arc<ClientManager>>,
) -> impl Responder {
user_info(req, query.0.access_token, sessions, users, clients).await
}
#[derive(serde::Serialize)]
pub struct UserInfoWithCustomClaims {
#[serde(flatten)]
info: OpenIDUserInfo,
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(flatten)]
additional_claims: Option<AdditionalClaims>,
user_info(req, query.0.access_token, sessions, users).await
}
/// Authenticate request using RFC6750 <https://datatracker.ietf.org/doc/html/rfc6750>///
@ -683,7 +588,6 @@ async fn user_info(
token: Option<String>,
sessions: web::Data<Addr<OpenIDSessionsActor>>,
users: web::Data<Addr<UsersActor>>,
clients: web::Data<Arc<ClientManager>>,
) -> impl Responder {
let token = match token {
Some(t) => t,
@ -727,10 +631,6 @@ async fn user_info(
return user_info_error("invalid_request", "Access token has expired!");
}
let client = clients
.find_by_id(&session.client)
.expect("Could not extract client information!");
let user: Option<User> = users
.send(users_actor::GetUserRequest(session.user))
.await
@ -743,16 +643,13 @@ async fn user_info(
Some(u) => u,
};
HttpResponse::Ok().json(UserInfoWithCustomClaims {
info: OpenIDUserInfo {
name: Some(user.full_name()),
sub: user.uid.0.to_string(),
given_name: Some(user.first_name.to_string()),
family_name: Some(user.last_name.to_string()),
preferred_username: Some(user.username.to_string()),
email: Some(user.email.to_string()),
email_verified: Some(true),
},
additional_claims: client.claims_user_info(&user),
HttpResponse::Ok().json(OpenIDUserInfo {
name: Some(user.full_name()),
sub: user.uid.0,
given_name: Some(user.first_name),
family_name: Some(user.last_name),
preferred_username: Some(user.username),
email: Some(user.email),
email_verified: Some(true),
})
}

4
src/controllers/providers_controller.rs
View File

@ -22,14 +22,14 @@ use crate::data::session_identity::{SessionIdentity, SessionStatus};
#[derive(askama::Template)]
#[template(path = "login/prov_login_error.html")]
struct ProviderLoginError<'a> {
p: BaseLoginPage<'a>,
_p: BaseLoginPage<'a>,
message: &'a str,
}
impl<'a> ProviderLoginError<'a> {
pub fn get(message: &'a str, redirect_uri: &'a LoginRedirect) -> HttpResponse {
let body = Self {
p: BaseLoginPage {
_p: BaseLoginPage {
danger: None,
success: None,
page_title: "Upstream login",

8
src/controllers/settings_controller.rs
View File

@ -45,14 +45,14 @@ impl<'a> BaseSettingsPage<'a> {
#[derive(Template)]
#[template(path = "settings/account_details.html")]
struct AccountDetailsPage<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
remote_ip: String,
}
#[derive(Template)]
#[template(path = "settings/change_password.html")]
struct ChangePasswordPage<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
min_pwd_len: usize,
}
@ -61,7 +61,7 @@ pub async fn account_settings_details_route(user: CurrentUser, ip: RemoteIP) ->
let user = user.into();
HttpResponse::Ok().body(
AccountDetailsPage {
p: BaseSettingsPage::get("Account details", &user, None, None),
_p: BaseSettingsPage::get("Account details", &user, None, None),
remote_ip: ip.0.to_string(),
}
.render()
@ -145,7 +145,7 @@ pub async fn change_password_route(
HttpResponse::Ok().body(
ChangePasswordPage {
p: BaseSettingsPage::get("Change password", &user, danger, success),
_p: BaseSettingsPage::get("Change password", &user, danger, success),
min_pwd_len: MIN_PASS_LEN,
}
.render()

10
src/controllers/two_factor_api.rs
View File

@ -7,7 +7,6 @@ use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor;
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser;
use crate::data::totp_key::TotpKey;
use crate::data::user::{FactorID, TwoFactor, TwoFactorType};
@ -30,7 +29,6 @@ pub struct AddTOTPRequest {
}
pub async fn save_totp_factor(
_critical: CriticalRoute,
user: CurrentUser,
form: web::Json<AddTOTPRequest>,
users: web::Data<Addr<UsersActor>>,
@ -40,10 +38,9 @@ pub async fn save_totp_factor(
if !key.check_code(&form.first_code).unwrap_or(false) {
return HttpResponse::BadRequest().body(format!(
"Given code is invalid (expected {}, {} or {})!",
key.previous_code().unwrap_or_default(),
"Given code is invalid (expected {} or {})!",
key.current_code().unwrap_or_default(),
key.following_code().unwrap_or_default(),
key.previous_code().unwrap_or_default()
));
}
@ -79,7 +76,6 @@ pub struct AddWebauthnRequest {
}
pub async fn save_webauthn_factor(
_critical: CriticalRoute,
user: CurrentUser,
form: web::Json<AddWebauthnRequest>,
users: web::Data<Addr<UsersActor>>,
@ -124,7 +120,6 @@ pub struct DeleteFactorRequest {
}
pub async fn delete_factor(
_critical: CriticalRoute,
user: CurrentUser,
form: web::Json<DeleteFactorRequest>,
users: web::Data<Addr<UsersActor>>,
@ -149,7 +144,6 @@ pub async fn delete_factor(
}
pub async fn clear_login_history(
_critical: CriticalRoute,
user: CurrentUser,
users: web::Data<Addr<UsersActor>>,
logger: ActionLogger,

21
src/controllers/two_factors_controller.rs
View File

@ -9,25 +9,22 @@ use qrcode_generator::QrCodeEcc;
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
use crate::controllers::settings_controller::BaseSettingsPage;
use crate::data::app_config::AppConfig;
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser;
use crate::data::totp_key::TotpKey;
use crate::data::user::User;
use crate::data::webauthn_manager::WebAuthManagerReq;
use crate::utils::time::fmt_time;
#[derive(Template)]
#[template(path = "settings/two_factors_page.html")]
struct TwoFactorsPage<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
user: &'a User,
last_2fa_auth: Option<String>,
}
#[derive(Template)]
#[template(path = "settings/add_2fa_totp_page.html")]
struct AddTotpPage<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
qr_code: String,
account_name: String,
secret_key: String,
@ -37,19 +34,18 @@ struct AddTotpPage<'a> {
#[derive(Template)]
#[template(path = "settings/add_webauthn_page.html")]
struct AddWebauhtnPage<'a> {
p: BaseSettingsPage<'a>,
_p: BaseSettingsPage<'a>,
opaque_state: String,
challenge_json: String,
max_name_len: usize,
}
/// Manage two factors authentication methods route
pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
HttpResponse::Ok().body(
TwoFactorsPage {
p: BaseSettingsPage::get("Two factor auth", &user, None, None),
_p: BaseSettingsPage::get("Two factor auth", &user, None, None),
user: user.deref(),
last_2fa_auth: user.last_2fa_auth.map(fmt_time),
}
.render()
.unwrap(),
@ -57,7 +53,7 @@ pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> i
}
/// Configure a new TOTP authentication factor
pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
let key = TotpKey::new_random();
let qr_code = qrcode_generator::to_png_to_vec(
@ -75,7 +71,7 @@ pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser)
HttpResponse::Ok().body(
AddTotpPage {
p: BaseSettingsPage::get("New authenticator app", &user, None, None),
_p: BaseSettingsPage::get("New authenticator app", &user, None, None),
qr_code: BASE64_STANDARD.encode(qr_code),
account_name: key.account_name(&user, AppConfig::get()),
secret_key: key.get_secret(),
@ -88,7 +84,6 @@ pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser)
/// Configure a new security key factor
pub async fn add_webauthn_factor_route(
_critical: CriticalRoute,
user: CurrentUser,
manager: WebAuthManagerReq,
) -> impl Responder {
@ -111,7 +106,7 @@ pub async fn add_webauthn_factor_route(
HttpResponse::Ok().body(
AddWebauhtnPage {
p: BaseSettingsPage::get("New security key", &user, None, None),
_p: BaseSettingsPage::get("New security key", &user, None, None),
opaque_state: registration_request.opaque_state,
challenge_json: urlencoding::encode(&challenge_json).to_string(),

5
src/data/action_logger.rs
View File

@ -90,9 +90,6 @@ pub enum Action<'a> {
NewOpenIDSession {
client: &'a Client,
},
NewOpenIDSuccessfulImplicitAuth {
client: &'a Client,
},
ChangedHisPassword,
ClearedHisLoginHistory,
AddNewFactor(&'a TwoFactor),
@ -202,7 +199,6 @@ impl<'a> Action<'a> {
Action::NewOpenIDSession { client } => {
format!("opened a new OpenID session with {:?}", client.id)
}
Action::NewOpenIDSuccessfulImplicitAuth { client } => format!("finished an implicit flow connection for client {:?}", client.id),
Action::ChangedHisPassword => "changed his password".to_string(),
Action::ClearedHisLoginHistory => "cleared his login history".to_string(),
Action::AddNewFactor(factor) => format!(
@ -210,6 +206,7 @@ impl<'a> Action<'a> {
factor.quick_description(),
),
Action::Removed2FAFactor { factor_id } => format!("Removed his factor {factor_id:?}"),
}
}
}

98
src/data/client.rs
View File

@ -1,20 +1,9 @@
use crate::data::entity_manager::EntityManager;
use crate::data::user::User;
use crate::utils::string_utils::apply_env_vars;
use serde_json::Value;
use std::collections::HashMap;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
pub struct ClientID(pub String);
#[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub enum AuthenticationFlow {
AuthorizationCode,
Implicit,
}
pub type AdditionalClaims = HashMap<String, Value>;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
pub struct Client {
/// The ID of the client
@ -27,8 +16,7 @@ pub struct Client {
pub description: String,
/// The secret used by the client to retrieve authenticated users information
/// This value is absent if implicit authentication flow is used
pub secret: Option<String>,
pub secret: String,
/// The URI where the users should be redirected once authenticated
pub redirect_uri: String,
@ -40,16 +28,6 @@ pub struct Client {
/// Specify whether a client is granted to all users
#[serde(default = "bool::default")]
pub granted_to_all_users: bool,
/// Specify whether recent Second Factor Authentication is required to access this client
#[serde(default = "bool::default")]
pub enforce_2fa_auth: bool,
/// Additional claims to return with the id token
claims_id_token: Option<AdditionalClaims>,
/// Additional claims to return through the user info endpoint
claims_user_info: Option<AdditionalClaims>,
}
impl PartialEq for Client {
@ -60,78 +38,6 @@ impl PartialEq for Client {
impl Eq for Client {}
impl Client {
/// Get the client authentication flow
pub fn auth_flow(&self) -> AuthenticationFlow {
match self.secret {
None => AuthenticationFlow::Implicit,
Some(_) => AuthenticationFlow::AuthorizationCode,
}
}
/// Process a single claim value
fn process_claim_string(&self, user: &User, str: &str) -> String {
str.replace("{username}", &user.username)
.replace("{mail}", &user.email)
.replace("{first_name}", &user.first_name)
.replace("{last_name}", &user.last_name)
.replace("{uid}", &user.uid.0)
}
/// Recurse claims processing
fn recurse_claims_processing(&self, user: &User, value: &Value) -> Value {
match value {
Value::String(s) => Value::String(self.process_claim_string(user, s)),
Value::Array(arr) => Value::Array(
arr.iter()
.map(|v| self.recurse_claims_processing(user, v))
.collect(),
),
Value::Object(obj) => obj
.iter()
.map(|(k, v)| {
(
self.process_claim_string(user, k),
self.recurse_claims_processing(user, v),
)
})
.collect(),
v => v.clone(),
}
}
/// Process additional claims, processing placeholders
fn process_additional_claims(
&self,
user: &User,
claims: &Option<AdditionalClaims>,
) -> Option<AdditionalClaims> {
let claims = claims.as_ref()?;
let res = claims
.iter()
.map(|(k, v)| {
(
self.process_claim_string(user, k),
self.recurse_claims_processing(user, v),
)
})
.collect();
Some(res)
}
/// Get additional claims for id_token for a successful authentication
pub fn claims_id_token(&self, user: &User) -> Option<AdditionalClaims> {
self.process_additional_claims(user, &self.claims_id_token)
}
/// Get additional claims for user info for a successful authentication
pub fn claims_user_info(&self, user: &User) -> Option<AdditionalClaims> {
self.process_additional_claims(user, &self.claims_user_info)
}
}
pub type ClientManager = EntityManager<Client>;
impl EntityManager<Client> {
@ -156,7 +62,7 @@ impl EntityManager<Client> {
c.id = ClientID(apply_env_vars(&c.id.0));
c.name = apply_env_vars(&c.name);
c.description = apply_env_vars(&c.description);
c.secret = c.secret.as_deref().map(apply_env_vars);
c.secret = apply_env_vars(&c.secret);
c.redirect_uri = apply_env_vars(&c.redirect_uri);
}
}

32
src/data/critical_route.rs
View File

@ -1,32 +0,0 @@
use crate::data::current_user::CurrentUser;
use crate::data::from_request_redirect::FromRequestRedirect;
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
use actix_web::dev::Payload;
use actix_web::{FromRequest, HttpRequest};
use std::future::Future;
use std::pin::Pin;
pub struct CriticalRoute;
impl FromRequest for CriticalRoute {
type Error = FromRequestRedirect;
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
let req = req.clone();
Box::pin(async move {
let current_user = CurrentUser::from_request(&req, &mut Payload::None)
.await
.expect("Failed to extract user identity!");
if current_user.should_request_2fa_for_critical_functions() {
let uri = get_2fa_url(&LoginRedirect::from_req(&req), true);
return Err(FromRequestRedirect::new(uri));
}
Ok(Self)
})
}
}

33
src/data/current_user.rs
View File

@ -10,30 +10,14 @@ use actix_web::{web, Error, FromRequest, HttpRequest};
use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor;
use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
use crate::data::session_identity::SessionIdentity;
use crate::data::user::User;
use crate::utils::time::time;
pub struct CurrentUser {
user: User,
pub auth_time: u64,
pub last_2fa_auth: Option<u64>,
}
impl CurrentUser {
pub fn should_request_2fa_for_critical_functions(&self) -> bool {
self.user.has_two_factor()
&& self
.last_2fa_auth
.map(|t| t + SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS < time())
.unwrap_or(true)
}
}
pub struct CurrentUser(User);
impl From<CurrentUser> for User {
fn from(user: CurrentUser) -> Self {
user.user
user.0
}
}
@ -41,7 +25,7 @@ impl Deref for CurrentUser {
type Target = User;
fn deref(&self) -> &Self::Target {
&self.user
&self.0
}
}
@ -56,10 +40,7 @@ impl FromRequest for CurrentUser {
let identity: Identity = Identity::from_request(req, payload)
.into_inner()
.expect("Failed to get identity!");
let id = SessionIdentity(Some(&identity));
let user_id = id.user_id();
let last_2fa_auth = id.last_2fa_auth();
let auth_time = id.auth_time();
let user_id = SessionIdentity(Some(&identity)).user_id();
Box::pin(async move {
let user = match user_actor
@ -76,11 +57,7 @@ impl FromRequest for CurrentUser {
}
};
Ok(CurrentUser {
user,
auth_time,
last_2fa_auth,
})
Ok(CurrentUser(user))
})
}
}

45
src/data/force_2fa_auth.rs
View File

@ -1,45 +0,0 @@
use crate::data::current_user::CurrentUser;
use crate::data::session_identity::SessionIdentity;
use actix_identity::Identity;
use actix_web::dev::Payload;
use actix_web::{web, Error, FromRequest, HttpRequest};
use std::future::Future;
use std::pin::Pin;
#[derive(serde::Deserialize)]
pub struct Force2FAAuthQuery {
#[serde(default)]
force_2fa: bool,
}
pub struct Force2FAAuth {
pub force: bool,
}
impl FromRequest for Force2FAAuth {
type Error = Error;
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
let req = req.clone();
Box::pin(async move {
// It is impossible to force authentication for an unauthenticated user
let identity = Identity::from_request(&req, &mut Payload::None)
.into_inner()
.ok();
if !SessionIdentity(identity.as_ref()).is_authenticated() {
return Ok(Self { force: false });
}
let query = web::Query::<Force2FAAuthQuery>::from_request(&req, &mut Payload::None)
.into_inner()?;
let user = CurrentUser::from_request(&req, &mut Payload::None).await?;
Ok(Self {
force: query.force_2fa && user.has_two_factor(),
})
})
}
}

32
src/data/from_request_redirect.rs
View File

@ -1,32 +0,0 @@
use actix_web::body::BoxBody;
use actix_web::http::StatusCode;
use actix_web::{HttpResponse, ResponseError};
use std::fmt::{Debug, Display, Formatter};
#[derive(Debug)]
pub struct FromRequestRedirect {
url: String,
}
impl FromRequestRedirect {
pub fn new(url: String) -> Self {
Self { url }
}
}
impl Display for FromRequestRedirect {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
write!(f, "Redirect to {}", self.url)
}
}
impl ResponseError for FromRequestRedirect {
fn status_code(&self) -> StatusCode {
StatusCode::FOUND
}
fn error_response(&self) -> HttpResponse<BoxBody> {
HttpResponse::Found()
.insert_header(("Location", self.url.as_str()))
.body("Redirecting...")
}
}

11
src/data/id_token.rs
View File

@ -1,8 +1,7 @@
use crate::data::client::AdditionalClaims;
use jwt_simple::claims::Audiences;
use jwt_simple::prelude::{Duration, JWTClaims};
#[derive(serde::Serialize, Debug)]
#[derive(serde::Serialize)]
pub struct IdToken {
/// REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
#[serde(rename = "iss")]
@ -25,19 +24,12 @@ pub struct IdToken {
#[serde(skip_serializing_if = "Option::is_none")]
pub nonce: Option<String>,
pub email: String,
/// Additional claims
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(flatten)]
pub additional_claims: Option<AdditionalClaims>,
}
#[derive(serde::Serialize, serde::Deserialize)]
pub struct CustomIdTokenClaims {
auth_time: u64,
email: String,
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(flatten)]
additional_claims: Option<AdditionalClaims>,
}
impl IdToken {
@ -54,7 +46,6 @@ impl IdToken {
custom: CustomIdTokenClaims {
auth_time: self.auth_time,
email: self.email,
additional_claims: self.additional_claims,
},
}
}

14
src/data/login_redirect.rs
View File

@ -1,13 +1,7 @@
use actix_web::HttpRequest;
#[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)]
pub struct LoginRedirect(String);
impl LoginRedirect {
pub fn from_req(req: &HttpRequest) -> Self {
Self(req.uri().to_string())
}
pub fn get(&self) -> &str {
match self.0.starts_with('/') && !self.0.starts_with("//") {
true => self.0.as_str(),
@ -25,11 +19,3 @@ impl Default for LoginRedirect {
Self("/".to_string())
}
}
/// Get the URL for 2FA authentication
pub fn get_2fa_url(redir: &LoginRedirect, force_2fa: bool) -> String {
format!(
"/2fa_auth?redirect={}&force_2fa={force_2fa}",
redir.get_encoded()
)
}

3
src/data/mod.rs
View File

@ -3,11 +3,8 @@ pub mod action_logger;
pub mod app_config;
pub mod client;
pub mod code_challenge;
pub mod critical_route;
pub mod current_user;
pub mod entity_manager;
pub mod force_2fa_auth;
pub mod from_request_redirect;
pub mod id_token;
pub mod jwt_signer;
pub mod login_redirect;

12
src/data/session_identity.rs
View File

@ -24,7 +24,6 @@ pub struct SessionIdentityData {
pub id: Option<UserID>,
pub is_admin: bool,
pub auth_time: u64,
pub last_2fa_auth: Option<u64>,
pub status: SessionStatus,
}
@ -76,7 +75,6 @@ impl<'a> SessionIdentity<'a> {
&SessionIdentityData {
id: Some(user.uid.clone()),
is_admin: user.admin,
last_2fa_auth: None,
auth_time: time(),
status,
},
@ -89,12 +87,6 @@ impl<'a> SessionIdentity<'a> {
self.set_session_data(req, &sess);
}
pub fn record_2fa_auth(&self, req: &HttpRequest) {
let mut sess = self.get_session_data().unwrap_or_default();
sess.last_2fa_auth = Some(time());
self.set_session_data(req, &sess);
}
pub fn is_authenticated(&self) -> bool {
self.get_session_data()
.map(|s| s.status == SessionStatus::SignedIn)
@ -127,8 +119,4 @@ impl<'a> SessionIdentity<'a> {
pub fn auth_time(&self) -> u64 {
self.get_session_data().unwrap_or_default().auth_time
}
pub fn last_2fa_auth(&self) -> Option<u64> {
self.get_session_data().unwrap_or_default().last_2fa_auth
}
}

14
src/data/totp_key.rs
View File

@ -9,7 +9,7 @@ use crate::data::user::User;
use crate::utils::err::Res;
use crate::utils::time::time;
const BASE32_ALPHABET: Alphabet = Alphabet::Rfc4648 { padding: true };
const BASE32_ALPHABET: Alphabet = Alphabet::RFC4648 { padding: true };
const NUM_DIGITS: usize = 6;
const PERIOD: u64 = 30;
@ -73,11 +73,6 @@ impl TotpKey {
self.get_code_at(|| time() - PERIOD)
}
/// Get following code
pub fn following_code(&self) -> Res<String> {
self.get_code_at(|| time() + PERIOD)
}
/// Get the code at a specific time
fn get_code_at<F: Fn() -> u64>(&self, get_time: F) -> Res<String> {
let gen = TotpGenerator::new()
@ -103,9 +98,7 @@ impl TotpKey {
/// Check a code's validity
pub fn check_code(&self, code: &str) -> Res<bool> {
Ok(self.previous_code()?.eq(code)
|| self.current_code()?.eq(code)
|| self.following_code()?.eq(code))
Ok(self.current_code()?.eq(code) || self.previous_code()?.eq(code))
}
}
@ -118,10 +111,7 @@ mod test {
let key = TotpKey::new_random();
let code = key.current_code().unwrap();
let old_code = key.previous_code().unwrap();
let following_code = key.following_code().unwrap();
assert_ne!(code, old_code);
assert_ne!(code, following_code);
assert_ne!(old_code, following_code);
}
#[test]

14
src/data/user.rs
View File

@ -90,17 +90,11 @@ impl TwoFactor {
}
}
pub fn login_url(&self, redirect_uri: &LoginRedirect, force_2fa: bool) -> String {
pub fn login_url(&self, redirect_uri: &LoginRedirect) -> String {
match self.kind {
TwoFactorType::TOTP(_) => format!(
"/2fa_otp?redirect={}&force_2fa={force_2fa}",
redirect_uri.get_encoded()
),
TwoFactorType::TOTP(_) => format!("/2fa_otp?redirect={}", redirect_uri.get_encoded()),
TwoFactorType::WEBAUTHN(_) => {
format!(
"/2fa_webauthn?redirect={}&force_2fa={force_2fa}",
redirect_uri.get_encoded()
)
format!("/2fa_webauthn?redirect={}", redirect_uri.get_encoded())
}
}
}
@ -317,7 +311,7 @@ impl Eq for User {}
impl Default for User {
fn default() -> Self {
Self {
uid: UserID(uuid::Uuid::new_v4().to_string()),
uid: UserID("".to_string()),
first_name: "".to_string(),
last_name: "".to_string(),
username: "".to_string(),

15
src/utils/string_utils.rs
View File

@ -36,14 +36,9 @@ pub fn apply_env_vars(val: &str) -> String {
val
}
/// Check out whether a given login is acceptable or not
pub fn is_acceptable_login(login: &str) -> bool {
mailchecker::is_valid(login) || lazy_regex::regex!("^[a-zA-Z0-9-+]+$").is_match(login)
}
#[cfg(test)]
mod test {
use crate::utils::string_utils::{apply_env_vars, is_acceptable_login};
use crate::utils::string_utils::apply_env_vars;
use std::env;
const VAR_ONE: &str = "VAR_ONE";
@ -61,12 +56,4 @@ mod test {
let src = format!("This is ${{{}}}", VAR_INVALID);
assert_eq!(src, apply_env_vars(&src));
}
#[test]
fn test_is_acceptable_login() {
assert!(is_acceptable_login("admin"));
assert!(is_acceptable_login("someone@somewhere.fr"));
assert!(!is_acceptable_login("someone@somewhere.#fr"));
assert!(!is_acceptable_login("bad bad"));
}
}

11
src/utils/time.rs
View File

@ -1,4 +1,4 @@
use chrono::DateTime;
use chrono::{DateTime, NaiveDateTime, Utc};
use std::time::{SystemTime, UNIX_EPOCH};
/// Get the current time since epoch
@ -11,9 +11,12 @@ pub fn time() -> u64 {
/// Format unix timestamp to a human-readable string
pub fn fmt_time(timestamp: u64) -> String {
// Create a DateTime from the timestamp
let datetime =
DateTime::from_timestamp(timestamp as i64, 0).expect("Failed to parse timestamp!");
// Create a NaiveDateTime from the timestamp
let naive =
NaiveDateTime::from_timestamp_opt(timestamp as i64, 0).expect("Failed to parse timestamp!");
// Create a normal DateTime from the NaiveDateTime
let datetime: DateTime<Utc> = DateTime::from_naive_utc_and_offset(naive, Utc);
// Format the datetime how you want
datetime.format("%Y-%m-%d %H:%M:%S").to_string()

8
templates/login/base_login_page.html
View File

@ -8,7 +8,7 @@
<!-- No indexing -->
<meta name="robots" content="noindex, nofollow">
<title>{{ p.app_name }} - {{ p.page_title }}</title>
<title>{{ _p.app_name }} - {{ _p.page_title }}</title>
<!-- Bootstrap core CSS -->
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
@ -43,15 +43,15 @@
<main class="form-signin">
<h1 class="h3 mb-3 fw-normal" style="margin-bottom: 2rem !important;">{{ p.page_title }}</h1>
<h1 class="h3 mb-3 fw-normal" style="margin-bottom: 2rem !important;">{{ _p.page_title }}</h1>
{% if let Some(danger) = p.danger %}
{% if let Some(danger) = _p.danger %}
<div class="alert alert-danger" role="alert">
{{ danger }}
</div>
{% endif %}
{% if let Some(success) = p.success %}
{% if let Some(success) = _p.success %}
<div class="alert alert-success" role="alert">
{{ success }}
</div>

8
templates/login/choose_second_factor.html
View File

@ -5,16 +5,14 @@
<p>You need to validate a second factor to complete your login.</p>
{% for factor in user.get_distinct_factors_types() %}
<!-- We can ask to force 2FA, because once we are here, it means 2FA is required anyway... -->
<a class="btn btn-primary btn-lg" href="{{ factor.login_url(p.redirect_uri, true) }}"
style="width: 100%; display: flex;">
<img src="{{ factor.type_image() }}" alt="Factor icon" style="margin-right: 1em;"/>
<a class="btn btn-primary btn-lg" href="{{ factor.login_url(_p.redirect_uri) }}" style="width: 100%; display: flex;">
<img src="{{ factor.type_image() }}" alt="Factor icon" style="margin-right: 1em;" />
<div style="text-align: left;">
{{ factor.type_str() }} <br/>
<small style="font-size: 0.7em;">{{ factor.description_str() }}</small>
</div>
</a>
<br/>
<br />
{% endfor %}
</div>

4
templates/login/login.html
View File

@ -18,7 +18,7 @@
</style>
<form action="/login?redirect={{ p.redirect_uri.get_encoded() }}" method="post">
<form action="/login?redirect={{ _p.redirect_uri.get_encoded() }}" method="post">
<div>
<div class="form-floating">
<input name="login" type="text" required class="form-control" id="floatingName" placeholder="unsername"
@ -41,7 +41,7 @@
{% if !providers.is_empty() %}
<div id="providers">
{% for prov in providers %}
<a class="btn btn-secondary btn-lg provider-button" href="{{ prov.login_url(p.redirect_uri) }}">
<a class="btn btn-secondary btn-lg provider-button" href="{{ prov.login_url(_p.redirect_uri) }}">
<img src="{{ prov.logo_url() }}" alt="Provider icon"/>
<div style="text-align: left;">
Login using {{ prov.name }} <br/>

2
templates/login/otp_input.html
View File

@ -28,7 +28,7 @@
<div style="margin-top: 10px;">
<a href="/2fa_auth?force_display=true&redirect={{ p.redirect_uri.get_encoded() }}&force_2fa=true">Sign in using another factor</a><br/>
<a href="/2fa_auth?force_display=true&redirect={{ _p.redirect_uri.get_encoded() }}">Sign in using another factor</a><br/>
<a href="/logout">Sign out</a>
</div>

2
templates/login/password_reset.html
View File

@ -1,6 +1,6 @@
{% extends "base_login_page.html" %}
{% block content %}
<form action="/reset_password?redirect={{ p.redirect_uri.get_encoded() }}" method="post" id="reset_password_form">
<form action="/reset_password?redirect={{ _p.redirect_uri.get_encoded() }}" method="post" id="reset_password_form">
<div>
<p>You need to configure a new password:</p>

2
templates/login/prov_login_error.html
View File

@ -7,7 +7,7 @@
<p style="margin-top: 10px; text-align: justify;">{{ message }}</p>
</div>
<a href="/login?redirect={{ p.redirect_uri.get_encoded() }}">Go back to login</a>
<a href="/login?redirect={{ _p.redirect_uri.get_encoded() }}">Go back to login</a>
{% endblock content %}

4
templates/login/webauthn_input.html
View File

@ -12,13 +12,13 @@
</div>
<div style="margin-top: 10px;">
<a href="/2fa_auth?force_display=true&redirect={{ p.redirect_uri.get_encoded() }}&force_2fa=true">Sign in using another factor</a><br/>
<a href="/2fa_auth?force_display=true&redirect={{ _p.redirect_uri.get_encoded() }}">Sign in using another factor</a><br/>
<a href="/logout">Sign out</a>
</div>
<script src="/assets/js/base64_lib.js"></script>
<script>
const REDIRECT_URI = decodeURIComponent("{{ p.redirect_uri.get_encoded() }}");
const REDIRECT_URI = decodeURIComponent("{{ _p.redirect_uri.get_encoded() }}");
const OPAQUE_STATE = "{{ opaque_state }}";
const AUTH_CHALLENGE = JSON.parse(decodeURIComponent("{{ challenge_json }}"));
// Decode data

12
templates/settings/account_details.html
View File

@ -5,27 +5,27 @@
<tbody>
<tr>
<th scope="row">User ID</th>
<td>{{ p.user.uid.0 }}</td>
<td>{{ _p.user.uid.0 }}</td>
</tr>
<tr>
<th scope="row">First name</th>
<td>{{ p.user.first_name }}</td>
<td>{{ _p.user.first_name }}</td>
</tr>
<tr>
<th scope="row">Last name</th>
<td>{{ p.user.last_name }}</td>
<td>{{ _p.user.last_name }}</td>
</tr>
<tr>
<th scope="row">Username</th>
<td>{{ p.user.username }}</td>
<td>{{ _p.user.username }}</td>
</tr>
<tr>
<th scope="row">Email</th>
<td>{{ p.user.email }}</td>
<td>{{ _p.user.email }}</td>
</tr>
<tr>
<th scope="row">Account type</th>
<td>{% if p.user.admin %}Admin{% else %}Regular user{% endif %}</td>
<td>{% if _p.user.admin %}Admin{% else %}Regular user{% endif %}</td>
</tr>
</tbody>
</table>

24
templates/settings/base_settings_page.html
View File

@ -2,7 +2,7 @@
<html lang="en">
<head>
<meta charset="UTF-8">
<title>{{ p.page_title }} - {{ p.app_name }}</title>
<title>{{ _p.page_title }} - {{ _p.app_name }}</title>
<!-- Bootstrap core CSS -->
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
@ -12,10 +12,10 @@
<body>
<div class="d-flex flex-column flex-shrink-0 p-3 bg-light" style="width: 280px;">
<a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto link-dark text-decoration-none">
<span class="fs-4">{{ p.app_name }}</span>
<span class="fs-4">{{ _p.app_name }}</span>
</a>
{% if p.user.admin %}
<span>Version {{ p.version }}</span>
{% if _p.user.admin %}
<span>Version {{ _p.version }}</span>
{% endif %}
<hr>
<ul class="nav nav-pills flex-column mb-auto">
@ -24,7 +24,7 @@
Account details
</a>
</li>
{% if p.user.allow_local_login %}
{% if _p.user.allow_local_login %}
<li>
<a href="/settings/change_password" class="nav-link link-dark">
Change password
@ -37,7 +37,7 @@
</a>
</li>
{% if p.user.admin %}
{% if _p.user.admin %}
<hr/>
<li>
<a href="/admin/clients" class="nav-link link-dark">
@ -61,7 +61,7 @@
<a href="#" class="d-flex align-items-center link-dark text-decoration-none dropdown-toggle" id="dropdownUser"
data-bs-toggle="dropdown" aria-expanded="false">
<img src="/assets/img/account.png" alt="" width="32" height="32" class="rounded-circle me-2">
<strong>{{ p.user.username }}</strong>
<strong>{{ _p.user.username }}</strong>
</a>
<ul class="dropdown-menu text-small shadow" aria-labelledby="dropdownUser">
<li><a class="dropdown-item" href="/logout">Sign out</a></li>
@ -70,14 +70,14 @@
</div>
<div class="page_body" style="flex: 1">
{% if let Some(msg) = p.danger_message %}
{% if let Some(msg) = _p.danger_message %}
<div class="alert alert-danger">{{ msg }}</div>
{% endif %}
{% if let Some(msg) = p.success_message %}
{% if let Some(msg) = _p.success_message %}
<div class="alert alert-success">{{ msg }}</div>
{% endif %}
<h2 class="bd-title mt-0" style="margin-bottom: 40px;">{{ p.page_title }}</h2>
<h2 class="bd-title mt-0" style="margin-bottom: 40px;">{{ _p.page_title }}</h2>
{% block content %}
TO_REPLACE
@ -92,8 +92,8 @@
})
</script>
{% if p.ip_location_api.is_some() %}
<script>const IP_LOCATION_API = "{{ p.ip_location_api.unwrap() }}"</script>
{% if _p.ip_location_api.is_some() %}
<script>const IP_LOCATION_API = "{{ _p.ip_location_api.unwrap() }}"</script>
{% endif %}
<script src="/assets/js/ip_location_service.js"></script>
</body>

2
templates/settings/edit_user.html
View File

@ -195,7 +195,7 @@
</div>
</fieldset>
<input type="submit" class="btn btn-primary mt-4" value="{{ p.page_title }}">
<input type="submit" class="btn btn-primary mt-4" value="{{ _p.page_title }}">
</form>
<script>

18
templates/settings/two_factors_page.html
View File

@ -26,9 +26,7 @@
<tbody>
{% for f in user.two_factor %}
<tr id="factor-{{ f.id.0 }}">
<td><img src="{{ f.type_image() }}" alt="Factor icon" style="height: 1.5em; margin-right: 0.5em;"/>{{
f.type_str() }}
</td>
<td><img src="{{ f.type_image() }}" alt="Factor icon" style="height: 1.5em; margin-right: 0.5em;" />{{ f.type_str() }}</td>
<td>{{ f.name }}</td>
<td><a href="javascript:delete_factor('{{ f.id.0 }}');">Delete</a></td>
</tr>
@ -55,9 +53,7 @@
{% for e in user.get_formatted_2fa_successful_logins() %}
<tr>
<td>{{ e.ip }}</td>
<td>
<locateip ip="{{ e.ip }}"></locateip>
</td>
<td><locateip ip="{{ e.ip }}"></locateip></td>
<td>{{ e.fmt_time() }}</td>
<td>{% if e.can_bypass_2fa %}YES{% else %}NO{% endif %}</td>
</tr>
@ -67,10 +63,6 @@
{% endif %}
</div>
{% if let Some(last_2fa_auth) = last_2fa_auth %}
<p>Last successful 2FA authentication on this browser: {{ last_2fa_auth }}</p>
{% endif %}
<script>
async function delete_factor(id) {
if (!confirm("Do you really want to remove this factor?"))
@ -80,7 +72,7 @@
const res = await fetch("/settings/api/two_factor/delete_factor", {
method: "post",
headers: {
'Content-Type': 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
id: id,
@ -92,7 +84,7 @@
if (res.status == 200)
document.getElementById("factor-" + id).remove();
} catch (e) {
} catch(e) {
console.error(e);
alert("Failed to remove factor!");
}
@ -112,7 +104,7 @@
if (res.status == 200)
document.getElementById("2fa_history_container").remove();
} catch (e) {
} catch(e) {
console.error(e);
alert("Failed to clear 2FA history!");
}