Update Rust crate base32 to v0.5.1

Reviewed-on: #281

Cargo.toml

@@ -6,36 +6,37 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-actix = "0.13.1"
-actix-identity = "0.6.0"
-actix-web = "4"
-actix-session = { version = "0.8.0", features = ["cookie-session"] }
+actix = "0.13.3"
+actix-identity = "0.7.1"
+actix-web = "4.5.1"
+actix-session = { version = "0.9.0", features = ["cookie-session"] }
 actix-remote-ip = "0.1.0"
-clap = { version = "4.4.8", features = ["derive", "env"] }
+clap = { version = "4.5.4", features = ["derive", "env"] }
 include_dir = "0.7.3"
-log = "0.4.20"
-serde_json = "1.0.104"
-serde_yaml = "0.9.27"
-env_logger = "0.10.1"
-serde = { version = "1.0.181", features = ["derive"] }
-bcrypt = "0.15.0"
-uuid = { version = "1.6.1", features = ["v4"] }
+log = "0.4.21"
+serde_json = "1.0.116"
+serde_yaml = "0.9.34"
+env_logger = "0.11.3"
+serde = { version = "1.0.200", features = ["derive"] }
+bcrypt = "0.15.1"
+uuid = { version = "1.8.0", features = ["v4"] }
 mime_guess = "2.0.4"
 askama = "0.12.1"
-futures-util = "0.3.29"
+futures-util = "0.3.30"
 urlencoding = "2.1.3"
 rand = "0.8.5"
-base64 = "0.21.3"
-jwt-simple = "0.11.9"
+base64 = "0.22.1"
+jwt-simple = { version = "0.12.9", default-features = false, features = ["pure-rust"] }
 digest = "0.10.7"
 sha2 = "0.10.8"
 lazy-regex = "3.1.0"
-totp_rfc6238 = "0.5.1"
-base32 = "0.4.0"
+totp_rfc6238 = "0.5.3"
+base32 = "0.5.0"
 qrcode-generator = "4.1.9"
-webauthn-rs = { version = "0.4.8", features = ["danger-allow-state-serialisation"] }
+webauthn-rs = { version = "0.5.0", features = ["danger-allow-state-serialisation"] }
 url = "2.5.0"
-light-openid = { version = "1.0.1", features=["crypto-wrapper"] }
+light-openid = { version = "1.0.2", features = ["crypto-wrapper"] }
 bincode = "2.0.0-rc.3"
-chrono = "0.4.31"
-lazy_static = "1.4.0"
+chrono = "0.4.38"
+lazy_static = "1.4.0"
+mailchecker = "6.0.4"

Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 
 RUN apt-get update \
   && apt-get install -y libcurl4 \

README.md

@@ -13,15 +13,37 @@ BasicOIDC operates without any database, just with three files :
 ## Configuration
 You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax :
 ```yaml
+  # Client ID
 - id: gitea
+  # Client name
   name: Gitea
+  # Client description
   description: Git with a cup of tea
+  # Client secret. Specify this value to use authorization code flow, remove it for implicit authentication flow
   secret: TOP_SECRET
+  # The URL where user shall be redirected after authentication
   redirect_uri: https://mygit.mywebsite.com/
-  # If you want new accounts to be granted access to this client by default
+  # Optional, If you want new accounts to be granted access to this client by default
   default: true
-  # If you want the client to be granted to every users, regardless their account configuration
+  # Optional, If you want the client to be granted to every user, regardless their account configuration
   granted_to_all_users: true
+  # Optional, If you want users to have performed recent second factor authentication before accessing this client, set this setting to true
+  enforce_2fa_auth: true
+  # Optional, claims to be added to the ID token payload.
+  # The following placeholders can be set, they will the replaced when the token is created:
+  # * {username}: user name of the user
+  # * {mail}: email address of the user
+  # * {first_name}: first name of the user
+  # * {last_name}: last name of the user
+  # * {uid}: user id of the user
+  claims_id_token:
+    groups: ["group_{user}"]
+    service: "auth"
+  # Optional, claims to be added to the user info endpoint response
+  # The placeholders of `claims_id_token` can also be used here 
+  claims_user_info:
+    groups: ["group_{user}"]
+    service: "auth"
 ```
 
 On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
@@ -30,9 +52,10 @@ In order to run BasicOIDC for development, you will need to create a least an em
 
 ## Features
 * [x] `authorization_code` flow
+* [x] `implicit` flow
 * [x] Client authentication using secrets 
 * [x] Bruteforce protection 
-* [x] 2 factor authentication
+* [x] 2 factors authentication
   * [x] TOTP (authenticator app)
   * [x] Using a security key (Webauthn)
 * [ ] Fully responsive webui
@@ -63,11 +86,13 @@ cargo build --release
 If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address):
 
 ```bash
+export IP=192.168.2.103
+
 # In a shell, start BasicOID
-RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"
+RUST_LOG=debug cargo run -- -s storage -w "http://$IP.nip.io:8000"
 
 # In another shell, run OAuth proxy
-docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180  --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false
+docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://$IP.nip.io:8000 --http-address 0.0.0.0:4180  --upstream http://$IP --redirect-url http://$IP:4180/oauth2/callback --cookie-secure=false
 ```
 
 Corresponding client configuration:

assets/css/base_login_page.css

@@ -1,14 +1,14 @@
 html,
 body {
-  height: 100%;
+    height: 100%;
 }
 
 body {
-  display: flex;
-  align-items: center;
-  padding-top: 40px;
-  padding-bottom: 40px;
-  /* background-color: #f5f5f5; */
+    display: flex;
+    align-items: center;
+    padding-top: 40px;
+    padding-bottom: 40px;
+    /* background-color: #f5f5f5; */
 }
 
 /* background */
@@ -26,50 +26,57 @@ body {
 }
 
 .form-signin {
-  width: 100%;
-  max-width: 330px;
-  padding: 15px;
-  margin: auto;
+    width: 100%;
+    max-width: 330px;
+    padding: 15px;
+    margin: auto;
 }
 
 .form-signin .checkbox {
-  font-weight: 400;
+    font-weight: 400;
 }
 
 .form-signin .form-floating:focus-within {
-  z-index: 2;
+    z-index: 2;
 }
 
 .form-floating:first-child input {
-  margin-bottom: -1px;
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0;
+    margin-bottom: -1px;
+    border-bottom-right-radius: 0;
+    border-bottom-left-radius: 0;
 }
 
 .form-floating:not(:first-child):not(:last-child) input {
-  margin-bottom: -1px;
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0;
-  border-top-left-radius: 0;
-  border-top-right-radius: 0;
+    margin-bottom: -1px;
+    border-bottom-right-radius: 0;
+    border-bottom-left-radius: 0;
+    border-top-left-radius: 0;
+    border-top-right-radius: 0;
 }
 
 .form-floating:last-child input {
-  margin-bottom: 10px;
-  border-top-left-radius: 0;
-  border-top-right-radius: 0;
+    margin-bottom: 10px;
+    border-top-left-radius: 0;
+    border-top-right-radius: 0;
 }
 
 .form-control {
-  background-color: var(--bs-gray-700);
-  color: var(--bs-gray-100);
+    background-color: var(--bs-gray-700);
+    color: var(--bs-gray-100);
 }
 
 .form-control:focus {
-  background-color: var(--bs-gray-600);
-  color: var(--bs-gray-100);
+    background-color: var(--bs-gray-600);
+    color: var(--bs-gray-100);
 }
 
 .text-muted {
     color: #c6c4c4 !important;
+}
+
+.form-floating > .form-control:focus ~ label::after,
+.form-floating > .form-control:not(:placeholder-shown) ~ label::after,
+.form-floating > .form-control-plaintext ~ label::after,
+.form-floating > .form-select ~ label::after {
+    background-color: unset !important;
 }

assets/css/base_settings_page.css

@@ -12,4 +12,12 @@ body {
 .page_body {
     padding: 3rem;
     overflow-y: scroll;
+}
+
+.nav-link.link-dark {
+    color: white !important;
+}
+
+.form-control::placeholder {
+    color: #555;
 }

renovate.json

@@ -2,7 +2,7 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "packageRules": [
     {
-      "matchUpdateTypes": ["minor", "patch"],
+      "matchUpdateTypes": ["major", "minor", "patch"],
       "automerge": true
     }
   ]

src/constants.rs

@@ -29,6 +29,10 @@ pub const MAX_SECOND_FACTOR_NAME_LEN: usize = 25;
 /// exempted from this IP address to use 2FA
 pub const SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN: u64 = 7 * 24 * 3600;
 
+/// The maximum acceptable interval of time between last two factors authentication of a user and
+/// access to a critical route / a critical client
+pub const SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS: u64 = 60 * 10;
+
 /// Minimum password length
 pub const MIN_PASS_LEN: usize = 4;
 
@@ -65,6 +69,7 @@ pub const OPEN_ID_AUTHORIZATION_CODE_LEN: usize = 120;
 pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300;
 pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;
 pub const OPEN_ID_ACCESS_TOKEN_TIMEOUT: u64 = 3600;
+pub const OPEN_ID_ID_TOKEN_TIMEOUT: u64 = 3600;
 pub const OPEN_ID_REFRESH_TOKEN_LEN: usize = 120;
 pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000;
 

src/controllers/admin_api.rs

@@ -4,8 +4,10 @@ use actix_web::{web, HttpResponse, Responder};
 
 use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersActor};
 use crate::data::action_logger::{Action, ActionLogger};
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::user::UserID;
+use crate::utils::string_utils;
 
 #[derive(serde::Deserialize)]
 pub struct FindUserNameReq {
@@ -18,9 +20,14 @@ struct FindUserResult {
 }
 
 pub async fn find_username(
+    _critical: CriticalRoute,
     req: web::Form<FindUserNameReq>,
     users: web::Data<Addr<UsersActor>>,
 ) -> impl Responder {
+    if !string_utils::is_acceptable_login(&req.username) {
+        return HttpResponse::BadRequest().json("Invalid login!");
+    }
+
     let res = users
         .send(FindUserByUsername(req.0.username))
         .await
@@ -36,6 +43,7 @@ pub struct DeleteUserReq {
 }
 
 pub async fn delete_user(
+    _critical: CriticalRoute,
     user: CurrentUser,
     req: web::Form<DeleteUserReq>,
     users: web::Data<Addr<UsersActor>>,

src/controllers/admin_controller.rs

@@ -12,22 +12,24 @@ use crate::controllers::settings_controller::BaseSettingsPage;
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::app_config::AppConfig;
 use crate::data::client::{Client, ClientID, ClientManager};
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::provider::{Provider, ProviderID, ProvidersManager};
 use crate::data::user::{GeneralSettings, GrantedClients, User, UserID};
+use crate::utils::string_utils;
 use crate::utils::string_utils::rand_str;
 
 #[derive(Template)]
 #[template(path = "settings/clients_list.html")]
 struct ClientsListTemplate<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     clients: Vec<Client>,
 }
 
 #[derive(Template)]
 #[template(path = "settings/providers_list.html")]
 struct ProvidersListTemplate<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     providers: Vec<Provider>,
     redirect_url: String,
 }
@@ -35,14 +37,14 @@ struct ProvidersListTemplate<'a> {
 #[derive(Template)]
 #[template(path = "settings/users_list.html")]
 struct UsersListTemplate<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     users: Vec<User>,
 }
 
 #[derive(Template)]
 #[template(path = "settings/edit_user.html")]
 struct EditUserTemplate<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     u: User,
     clients: Vec<Client>,
     providers: Vec<Provider>,
@@ -54,7 +56,7 @@ pub async fn clients_route(
 ) -> impl Responder {
     HttpResponse::Ok().body(
         ClientsListTemplate {
-            _p: BaseSettingsPage::get("Clients list", &user, None, None),
+            p: BaseSettingsPage::get("Clients list", &user, None, None),
             clients: clients.cloned(),
         }
         .render()
@@ -68,7 +70,7 @@ pub async fn providers_route(
 ) -> impl Responder {
     HttpResponse::Ok().body(
         ProvidersListTemplate {
-            _p: BaseSettingsPage::get("OpenID Providers list", &user, None, None),
+            p: BaseSettingsPage::get("OpenID Providers list", &user, None, None),
             providers: providers.cloned(),
             redirect_url: AppConfig::get().oidc_provider_redirect_url(),
         }
@@ -97,6 +99,7 @@ pub struct UpdateUserQuery {
 }
 
 pub async fn users_route(
+    _critical: CriticalRoute,
     admin: CurrentUser,
     users: web::Data<Addr<UsersActor>>,
     update_query: Option<web::Form<UpdateUserQuery>>,
@@ -105,7 +108,16 @@ pub async fn users_route(
     let mut danger = None;
     let mut success = None;
 
-    if let Some(update) = update_query {
+    // Check update query for invalid input
+    if update_query
+        .as_ref()
+        .map(|l| string_utils::is_acceptable_login(&l.username))
+        == Some(false)
+    {
+        danger = Some("Invalid login provided, the modifications could not be saved!".to_string());
+    }
+    // Perform request (if any)
+    else if let Some(update) = update_query {
         let edited_user: Option<User> = users
             .send(users_actor::GetUserRequest(update.uid.clone()))
             .await
@@ -280,7 +292,7 @@ pub async fn users_route(
 
     HttpResponse::Ok().body(
         UsersListTemplate {
-            _p: BaseSettingsPage::get("Users list", &admin, danger, success),
+            p: BaseSettingsPage::get("Users list", &admin, danger, success),
             users,
         }
         .render()
@@ -289,6 +301,7 @@ pub async fn users_route(
 }
 
 pub async fn create_user(
+    _critical: CriticalRoute,
     admin: CurrentUser,
     clients: web::Data<Arc<ClientManager>>,
     providers: web::Data<Arc<ProvidersManager>>,
@@ -306,7 +319,7 @@ pub async fn create_user(
 
     HttpResponse::Ok().body(
         EditUserTemplate {
-            _p: BaseSettingsPage::get("Create a new user", admin.deref(), None, None),
+            p: BaseSettingsPage::get("Create a new user", admin.deref(), None, None),
             u: user,
             clients: clients.cloned(),
             providers: providers.cloned(),
@@ -322,6 +335,7 @@ pub struct EditUserQuery {
 }
 
 pub async fn edit_user(
+    _critical: CriticalRoute,
     admin: CurrentUser,
     clients: web::Data<Arc<ClientManager>>,
     providers: web::Data<Arc<ProvidersManager>>,
@@ -336,7 +350,7 @@ pub async fn edit_user(
 
     HttpResponse::Ok().body(
         EditUserTemplate {
-            _p: BaseSettingsPage::get(
+            p: BaseSettingsPage::get(
                 "Edit user account",
                 admin.deref(),
                 match edited_account.is_none() {

src/controllers/login_api.rs

@@ -25,10 +25,6 @@ pub async fn auth_webauthn(
     users: web::Data<Addr<UsersActor>>,
     logger: ActionLogger,
 ) -> impl Responder {
-    if !SessionIdentity(Some(&id)).need_2fa_auth() {
-        return HttpResponse::Unauthorized().json("No 2FA required!");
-    }
-
     let user_id = SessionIdentity(Some(&id)).user_id();
 
     match manager.finish_authentication(&user_id, &req.opaque_state, &req.credential) {
@@ -41,7 +37,9 @@ pub async fn auth_webauthn(
                 .await
                 .unwrap();
 
-            SessionIdentity(Some(&id)).set_status(&http_req, SessionStatus::SignedIn);
+            let session = SessionIdentity(Some(&id));
+            session.record_2fa_auth(&http_req);
+            session.set_status(&http_req, SessionStatus::SignedIn);
             logger.log(Action::LoginWebauthnAttempt {
                 success: true,
                 user_id,

src/controllers/login_controller.rs

@@ -13,11 +13,13 @@ use crate::controllers::base_controller::{
     build_fatal_error_page, redirect_user, redirect_user_for_login,
 };
 use crate::data::action_logger::{Action, ActionLogger};
-use crate::data::login_redirect::LoginRedirect;
+use crate::data::force_2fa_auth::Force2FAAuth;
+use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
 use crate::data::provider::{Provider, ProvidersManager};
 use crate::data::session_identity::{SessionIdentity, SessionStatus};
 use crate::data::user::User;
 use crate::data::webauthn_manager::WebAuthManagerReq;
+use crate::utils::string_utils;
 
 pub struct BaseLoginPage<'a> {
     pub danger: Option<String>,
@@ -30,7 +32,7 @@ pub struct BaseLoginPage<'a> {
 #[derive(Template)]
 #[template(path = "login/login.html")]
 struct LoginTemplate<'a> {
-    _p: BaseLoginPage<'a>,
+    p: BaseLoginPage<'a>,
     login: String,
     providers: Vec<Provider>,
 }
@@ -38,27 +40,27 @@ struct LoginTemplate<'a> {
 #[derive(Template)]
 #[template(path = "login/password_reset.html")]
 struct PasswordResetTemplate<'a> {
-    _p: BaseLoginPage<'a>,
+    p: BaseLoginPage<'a>,
     min_pass_len: usize,
 }
 
 #[derive(Template)]
 #[template(path = "login/choose_second_factor.html")]
 struct ChooseSecondFactorTemplate<'a> {
-    _p: BaseLoginPage<'a>,
+    p: BaseLoginPage<'a>,
     user: &'a User,
 }
 
 #[derive(Template)]
 #[template(path = "login/otp_input.html")]
 struct LoginWithOTPTemplate<'a> {
-    _p: BaseLoginPage<'a>,
+    p: BaseLoginPage<'a>,
 }
 
 #[derive(Template)]
 #[template(path = "login/webauthn_input.html")]
 struct LoginWithWebauthnTemplate<'a> {
-    _p: BaseLoginPage<'a>,
+    p: BaseLoginPage<'a>,
     opaque_state: String,
     challenge_json: String,
 }
@@ -127,14 +129,21 @@ pub async fn login_route(
     }
     // Check if the user has to validate a second factor
     else if SessionIdentity(id.as_ref()).need_2fa_auth() {
-        return redirect_user(&format!(
-            "/2fa_auth?redirect={}",
-            query.redirect.get_encoded()
-        ));
+        return redirect_user(&get_2fa_url(&query.redirect, false));
+    }
+    // Check if given login is not acceptable
+    else if req
+        .as_ref()
+        .map(|r| string_utils::is_acceptable_login(&r.login))
+        == Some(false)
+    {
+        danger = Some(
+            "Given login could not be processed, because it has an invalid format!".to_string(),
+        );
     }
     // Try to authenticate user
     else if let Some(req) = &req {
-        login = req.login.clone();
+        login.clone_from(&req.login);
         let response: LoginResult = users
             .send(users_actor::LocalLoginRequest {
                 login: login.clone(),
@@ -199,7 +208,7 @@ pub async fn login_route(
 
     HttpResponse::Ok().content_type("text/html").body(
         LoginTemplate {
-            _p: BaseLoginPage {
+            p: BaseLoginPage {
                 page_title: "Login",
                 danger,
                 success,
@@ -247,7 +256,7 @@ pub async fn reset_password_route(
 
     let user_id = SessionIdentity(id.as_ref()).user_id();
 
-    // Check if user is setting a new  password
+    // Check if user is setting a new password
     if let Some(req) = &req {
         if req.password.len() < MIN_PASS_LEN {
             danger = Some("Password is too short!".to_string());
@@ -273,7 +282,7 @@ pub async fn reset_password_route(
 
     HttpResponse::Ok().content_type("text/html").body(
         PasswordResetTemplate {
-            _p: BaseLoginPage {
+            p: BaseLoginPage {
                 page_title: "Password reset",
                 danger,
                 success: None,
@@ -300,8 +309,9 @@ pub async fn choose_2fa_method(
     id: Option<Identity>,
     query: web::Query<ChooseSecondFactorQuery>,
     users: web::Data<Addr<UsersActor>>,
+    force2faauth: Force2FAAuth,
 ) -> impl Responder {
-    if !SessionIdentity(id.as_ref()).need_2fa_auth() {
+    if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
         log::trace!("User does not require 2fa auth, redirecting");
         return redirect_user_for_login(query.redirect.get());
     }
@@ -318,12 +328,12 @@ pub async fn choose_2fa_method(
     // Automatically choose factor if there is only one factor
     if user.get_distinct_factors_types().len() == 1 && !query.force_display {
         log::trace!("User has only one factor, using it by default");
-        return redirect_user(&user.two_factor[0].login_url(&query.redirect));
+        return redirect_user(&user.two_factor[0].login_url(&query.redirect, true));
     }
 
     HttpResponse::Ok().content_type("text/html").body(
         ChooseSecondFactorTemplate {
-            _p: BaseLoginPage {
+            p: BaseLoginPage {
                 page_title: "Two factor authentication",
                 danger: None,
                 success: None,
@@ -349,6 +359,7 @@ pub struct LoginWithOTPForm {
 }
 
 /// Login with OTP
+#[allow(clippy::too_many_arguments)]
 pub async fn login_with_otp(
     id: Option<Identity>,
     query: web::Query<LoginWithOTPQuery>,
@@ -357,10 +368,11 @@ pub async fn login_with_otp(
     http_req: HttpRequest,
     remote_ip: RemoteIP,
     logger: ActionLogger,
+    force2faauth: Force2FAAuth,
 ) -> impl Responder {
     let mut danger = None;
 
-    if !SessionIdentity(id.as_ref()).need_2fa_auth() {
+    if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
         return redirect_user_for_login(query.redirect.get());
     }
 
@@ -397,7 +409,9 @@ pub async fn login_with_otp(
                 .await
                 .unwrap();
 
-            SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
+            let session = SessionIdentity(id.as_ref());
+            session.record_2fa_auth(&http_req);
+            session.set_status(&http_req, SessionStatus::SignedIn);
             logger.log(Action::OTPLoginAttempt {
                 success: true,
                 user: &user,
@@ -408,7 +422,7 @@ pub async fn login_with_otp(
 
     HttpResponse::Ok().body(
         LoginWithOTPTemplate {
-            _p: BaseLoginPage {
+            p: BaseLoginPage {
                 danger,
                 success: None,
                 page_title: "Two-Factor Auth",
@@ -433,8 +447,9 @@ pub async fn login_with_webauthn(
     query: web::Query<LoginWithWebauthnQuery>,
     manager: WebAuthManagerReq,
     users: web::Data<Addr<UsersActor>>,
+    force2faauth: Force2FAAuth,
 ) -> impl Responder {
-    if !SessionIdentity(id.as_ref()).need_2fa_auth() {
+    if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
         return redirect_user_for_login(query.redirect.get());
     }
 
@@ -473,7 +488,7 @@ pub async fn login_with_webauthn(
 
     HttpResponse::Ok().body(
         LoginWithWebauthnTemplate {
-            _p: BaseLoginPage {
+            p: BaseLoginPage {
                 danger: None,
                 success: None,
                 page_title: "Two-Factor Auth",

src/controllers/openid_controller.rs

@@ -13,14 +13,15 @@ use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, Session
 use crate::actors::users_actor::UsersActor;
 use crate::actors::{openid_sessions_actor, users_actor};
 use crate::constants::*;
-use crate::controllers::base_controller::build_fatal_error_page;
+use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::app_config::AppConfig;
-use crate::data::client::{ClientID, ClientManager};
+use crate::data::client::{AdditionalClaims, AuthenticationFlow, ClientID, ClientManager};
 use crate::data::code_challenge::CodeChallenge;
 use crate::data::current_user::CurrentUser;
 use crate::data::id_token::IdToken;
 use crate::data::jwt_signer::{JWTSigner, JsonWebKey};
+use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
 
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::User;
@@ -31,6 +32,7 @@ pub async fn get_configuration(req: HttpRequest) -> impl Responder {
     let is_secure_request = req
         .headers()
         .get("HTTP_X_FORWARDED_PROTO")
+        .or_else(|| req.headers().get("X-Forwarded-Proto"))
         .map(|v| v.to_str().unwrap_or_default().to_lowercase().eq("https"))
         .unwrap_or(false);
 
@@ -96,7 +98,7 @@ pub struct AuthorizeQuery {
     redirect_uri: String,
 
     /// RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
-    state: String,
+    state: Option<String>,
 
     /// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.
     nonce: Option<String>,
@@ -117,61 +119,78 @@ fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> Htt
         .append_header((
             "Location",
             format!(
-                "{}?error={}?error_description={}&state={}",
+                "{}?error={}?error_description={}{}",
                 query.redirect_uri,
                 urlencoding::encode(error),
                 urlencoding::encode(description),
-                urlencoding::encode(&query.state)
+                match &query.state {
+                    Some(s) => format!("&state={}", urlencoding::encode(s)),
+                    None => "".to_string(),
+                }
             ),
         ))
         .finish()
 }
 
+#[allow(clippy::too_many_arguments)]
 pub async fn authorize(
+    req: HttpRequest,
     user: CurrentUser,
     id: Identity,
     query: web::Query<AuthorizeQuery>,
     clients: web::Data<Arc<ClientManager>>,
     sessions: web::Data<Addr<OpenIDSessionsActor>>,
     logger: ActionLogger,
-) -> impl Responder {
+    jwt_signer: web::Data<JWTSigner>,
+) -> actix_web::Result<HttpResponse> {
     let client = match clients.find_by_id(&query.client_id) {
         None => {
-            return HttpResponse::BadRequest().body(build_fatal_error_page("Client is invalid!"));
+            return Ok(
+                HttpResponse::BadRequest().body(build_fatal_error_page("Client is invalid!"))
+            );
         }
         Some(c) => c,
     };
 
+    // Check if 2FA is required
+    if client.enforce_2fa_auth && user.should_request_2fa_for_critical_functions() {
+        let uri = get_2fa_url(&LoginRedirect::from_req(&req), true);
+        return Ok(redirect_user(&uri));
+    }
+
+    // Validate specified redirect URI
     let redirect_uri = query.redirect_uri.trim().to_string();
     if !redirect_uri.starts_with(&client.redirect_uri) {
-        return HttpResponse::BadRequest().body(build_fatal_error_page("Redirect URI is invalid!"));
-    }
-
-    if !query.scope.split(' ').any(|x| x == "openid") {
-        return error_redirect(&query, "invalid_request", "openid scope missing!");
-    }
-
-    if !query.response_type.eq("code") {
-        return error_redirect(
-            &query,
-            "invalid_request",
-            "Only code response type is supported!",
+        return Ok(
+            HttpResponse::BadRequest().body(build_fatal_error_page("Redirect URI is invalid!"))
         );
     }
 
-    if query.state.is_empty() {
-        return error_redirect(&query, "invalid_request", "State is empty!");
+    if !query.scope.split(' ').any(|x| x == "openid") {
+        return Ok(error_redirect(
+            &query,
+            "invalid_request",
+            "openid scope missing!",
+        ));
+    }
+
+    if query.state.as_ref().map(String::is_empty).unwrap_or(false) {
+        return Ok(error_redirect(
+            &query,
+            "invalid_request",
+            "State is specified but empty!",
+        ));
     }
 
     let code_challenge = match query.0.code_challenge.clone() {
         Some(chal) => {
             let meth = query.0.code_challenge_method.as_deref().unwrap_or("plain");
             if !meth.eq("S256") && !meth.eq("plain") {
-                return error_redirect(
+                return Ok(error_redirect(
                     &query,
                     "invalid_request",
                     "Only S256 and plain code challenge methods are supported!",
-                );
+                ));
             }
             Some(CodeChallenge {
                 code_challenge: chal,
@@ -183,49 +202,111 @@ pub async fn authorize(
 
     // Check if user is authorized to access the application
     if !user.can_access_app(&client) {
-        return error_redirect(
+        return Ok(error_redirect(
             &query,
             "invalid_request",
             "User is not authorized to access this application!",
-        );
+        ));
     }
 
-    // Save all authentication information in memory
-    let session = Session {
-        session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
-        client: client.id.clone(),
-        user: user.uid.clone(),
-        auth_time: SessionIdentity(Some(&id)).auth_time(),
-        redirect_uri,
-        authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
-        authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
-        access_token: None,
-        access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
-        refresh_token: "".to_string(),
-        refresh_token_expire_at: 0,
-        nonce: query.0.nonce,
-        code_challenge,
-    };
-    sessions
-        .send(openid_sessions_actor::PushNewSession(session.clone()))
-        .await
-        .unwrap();
+    // Check that requested authorization flow is supported
+    if query.response_type != "code" && query.response_type != "id_token" {
+        return Ok(error_redirect(
+            &query,
+            "invalid_request",
+            "Unsupported authorization flow!",
+        ));
+    }
 
-    log::trace!("New OpenID session: {:#?}", session);
-    logger.log(Action::NewOpenIDSession { client: &client });
+    match (client.auth_flow(), query.response_type.as_str()) {
+        (AuthenticationFlow::AuthorizationCode, "code") => {
+            // Save all authentication information in memory
+            let session = Session {
+                session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
+                client: client.id.clone(),
+                user: user.uid.clone(),
+                auth_time: SessionIdentity(Some(&id)).auth_time(),
+                redirect_uri,
+                authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
+                authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
+                access_token: None,
+                access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
+                refresh_token: "".to_string(),
+                refresh_token_expire_at: 0,
+                nonce: query.0.nonce,
+                code_challenge,
+            };
+            sessions
+                .send(openid_sessions_actor::PushNewSession(session.clone()))
+                .await
+                .unwrap();
 
-    HttpResponse::Found()
-        .append_header((
-            "Location",
-            format!(
-                "{}?state={}&session_state={}&code={}",
-                session.redirect_uri,
-                urlencoding::encode(&query.0.state),
-                urlencoding::encode(&session.session_id.0),
-                urlencoding::encode(&session.authorization_code)
-            ),
-        ))
-        .finish()
+            log::trace!("New OpenID session: {:#?}", session);
+            logger.log(Action::NewOpenIDSession { client: &client });
+
+            Ok(HttpResponse::Found()
+                .append_header((
+                    "Location",
+                    format!(
+                        "{}?{}session_state={}&code={}",
+                        session.redirect_uri,
+                        match &query.0.state {
+                            Some(state) => format!("state={}&", urlencoding::encode(state)),
+                            None => "".to_string(),
+                        },
+                        urlencoding::encode(&session.session_id.0),
+                        urlencoding::encode(&session.authorization_code)
+                    ),
+                ))
+                .finish())
+        }
+
+        (AuthenticationFlow::Implicit, "id_token") => {
+            let id_token = IdToken {
+                issuer: AppConfig::get().website_origin.to_string(),
+                subject_identifier: user.uid.0.clone(),
+                audience: client.id.0.to_string(),
+                expiration_time: time() + OPEN_ID_ID_TOKEN_TIMEOUT,
+                issued_at: time(),
+                auth_time: SessionIdentity(Some(&id)).auth_time(),
+                nonce: query.nonce.clone(),
+                email: user.email.clone(),
+                additional_claims: client.claims_id_token(&user),
+            };
+
+            log::trace!("New OpenID id token: {:#?}", &id_token);
+            logger.log(Action::NewOpenIDSuccessfulImplicitAuth { client: &client });
+
+            Ok(HttpResponse::Found()
+                .append_header((
+                    "Location",
+                    format!(
+                        "{}?{}token_type=bearer&id_token={}&expires_in={OPEN_ID_ID_TOKEN_TIMEOUT}",
+                        client.redirect_uri,
+                        match &query.0.state {
+                            Some(state) => format!("state={}&", urlencoding::encode(state)),
+                            None => "".to_string(),
+                        },
+                        jwt_signer.sign_token(id_token.to_jwt_claims())?
+                    ),
+                ))
+                .finish())
+        }
+
+        (flow, code) => {
+            log::warn!(
+                "For client {:?}, configured with flow {:?}, made request with code {}",
+                client.id,
+                flow,
+                code
+            );
+            Ok(error_redirect(
+                &query,
+                "invalid_request",
+                "Requested authentication flow is unsupported / not configured for this client!",
+            ))
+        }
+    }
 }
 
 #[derive(serde::Serialize)]
@@ -336,7 +417,8 @@ pub async fn token(
         .find_by_id(&client_id)
         .ok_or_else(|| ErrorUnauthorized("Client not found"))?;
 
-    if !client.secret.eq(&client_secret) {
+    // Retrieving token requires the client to have a defined secret
+    if client.secret != Some(client_secret) {
         return Ok(error_response(
             &query,
             "invalid_request",
@@ -453,7 +535,8 @@ pub async fn token(
                 issued_at: time(),
                 auth_time: session.auth_time,
                 nonce: session.nonce,
-                email: user.email,
+                email: user.email.to_string(),
+                additional_claims: client.claims_id_token(&user),
             };
 
             OpenIDTokenResponse {
@@ -561,6 +644,7 @@ pub async fn user_info_post(
     query: web::Query<UserInfoQuery>,
     sessions: web::Data<Addr<OpenIDSessionsActor>>,
     users: web::Data<Addr<UsersActor>>,
+    clients: web::Data<Arc<ClientManager>>,
 ) -> impl Responder {
     user_info(
         req,
@@ -569,6 +653,7 @@ pub async fn user_info_post(
             .or(query.0.access_token),
         sessions,
         users,
+        clients,
     )
     .await
 }
@@ -578,8 +663,18 @@ pub async fn user_info_get(
     query: web::Query<UserInfoQuery>,
     sessions: web::Data<Addr<OpenIDSessionsActor>>,
     users: web::Data<Addr<UsersActor>>,
+    clients: web::Data<Arc<ClientManager>>,
 ) -> impl Responder {
-    user_info(req, query.0.access_token, sessions, users).await
+    user_info(req, query.0.access_token, sessions, users, clients).await
+}
+
+#[derive(serde::Serialize)]
+pub struct UserInfoWithCustomClaims {
+    #[serde(flatten)]
+    info: OpenIDUserInfo,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(flatten)]
+    additional_claims: Option<AdditionalClaims>,
 }
 
 /// Authenticate request using RFC6750 <https://datatracker.ietf.org/doc/html/rfc6750>///
@@ -588,6 +683,7 @@ async fn user_info(
     token: Option<String>,
     sessions: web::Data<Addr<OpenIDSessionsActor>>,
     users: web::Data<Addr<UsersActor>>,
+    clients: web::Data<Arc<ClientManager>>,
 ) -> impl Responder {
     let token = match token {
         Some(t) => t,
@@ -631,6 +727,10 @@ async fn user_info(
         return user_info_error("invalid_request", "Access token has expired!");
     }
 
+    let client = clients
+        .find_by_id(&session.client)
+        .expect("Could not extract client information!");
+
     let user: Option<User> = users
         .send(users_actor::GetUserRequest(session.user))
         .await
@@ -643,13 +743,16 @@ async fn user_info(
         Some(u) => u,
     };
 
-    HttpResponse::Ok().json(OpenIDUserInfo {
-        name: Some(user.full_name()),
-        sub: user.uid.0,
-        given_name: Some(user.first_name),
-        family_name: Some(user.last_name),
-        preferred_username: Some(user.username),
-        email: Some(user.email),
-        email_verified: Some(true),
+    HttpResponse::Ok().json(UserInfoWithCustomClaims {
+        info: OpenIDUserInfo {
+            name: Some(user.full_name()),
+            sub: user.uid.0.to_string(),
+            given_name: Some(user.first_name.to_string()),
+            family_name: Some(user.last_name.to_string()),
+            preferred_username: Some(user.username.to_string()),
+            email: Some(user.email.to_string()),
+            email_verified: Some(true),
+        },
+        additional_claims: client.claims_user_info(&user),
     })
 }

src/controllers/providers_controller.rs

@@ -22,14 +22,14 @@ use crate::data::session_identity::{SessionIdentity, SessionStatus};
 #[derive(askama::Template)]
 #[template(path = "login/prov_login_error.html")]
 struct ProviderLoginError<'a> {
-    _p: BaseLoginPage<'a>,
+    p: BaseLoginPage<'a>,
     message: &'a str,
 }
 
 impl<'a> ProviderLoginError<'a> {
     pub fn get(message: &'a str, redirect_uri: &'a LoginRedirect) -> HttpResponse {
         let body = Self {
-            _p: BaseLoginPage {
+            p: BaseLoginPage {
                 danger: None,
                 success: None,
                 page_title: "Upstream login",

src/controllers/settings_controller.rs

@@ -45,14 +45,14 @@ impl<'a> BaseSettingsPage<'a> {
 #[derive(Template)]
 #[template(path = "settings/account_details.html")]
 struct AccountDetailsPage<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     remote_ip: String,
 }
 
 #[derive(Template)]
 #[template(path = "settings/change_password.html")]
 struct ChangePasswordPage<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     min_pwd_len: usize,
 }
 
@@ -61,7 +61,7 @@ pub async fn account_settings_details_route(user: CurrentUser, ip: RemoteIP) ->
     let user = user.into();
     HttpResponse::Ok().body(
         AccountDetailsPage {
-            _p: BaseSettingsPage::get("Account details", &user, None, None),
+            p: BaseSettingsPage::get("Account details", &user, None, None),
             remote_ip: ip.0.to_string(),
         }
         .render()
@@ -145,7 +145,7 @@ pub async fn change_password_route(
 
     HttpResponse::Ok().body(
         ChangePasswordPage {
-            _p: BaseSettingsPage::get("Change password", &user, danger, success),
+            p: BaseSettingsPage::get("Change password", &user, danger, success),
             min_pwd_len: MIN_PASS_LEN,
         }
         .render()

src/controllers/two_factor_api.rs

@@ -7,6 +7,7 @@ use crate::actors::users_actor;
 use crate::actors::users_actor::UsersActor;
 use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
 use crate::data::action_logger::{Action, ActionLogger};
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::totp_key::TotpKey;
 use crate::data::user::{FactorID, TwoFactor, TwoFactorType};
@@ -29,6 +30,7 @@ pub struct AddTOTPRequest {
 }
 
 pub async fn save_totp_factor(
+    _critical: CriticalRoute,
     user: CurrentUser,
     form: web::Json<AddTOTPRequest>,
     users: web::Data<Addr<UsersActor>>,
@@ -38,9 +40,10 @@ pub async fn save_totp_factor(
 
     if !key.check_code(&form.first_code).unwrap_or(false) {
         return HttpResponse::BadRequest().body(format!(
-            "Given code is invalid (expected {} or {})!",
+            "Given code is invalid (expected {}, {} or {})!",
+            key.previous_code().unwrap_or_default(),
             key.current_code().unwrap_or_default(),
-            key.previous_code().unwrap_or_default()
+            key.following_code().unwrap_or_default(),
         ));
     }
 
@@ -76,6 +79,7 @@ pub struct AddWebauthnRequest {
 }
 
 pub async fn save_webauthn_factor(
+    _critical: CriticalRoute,
     user: CurrentUser,
     form: web::Json<AddWebauthnRequest>,
     users: web::Data<Addr<UsersActor>>,
@@ -120,6 +124,7 @@ pub struct DeleteFactorRequest {
 }
 
 pub async fn delete_factor(
+    _critical: CriticalRoute,
     user: CurrentUser,
     form: web::Json<DeleteFactorRequest>,
     users: web::Data<Addr<UsersActor>>,
@@ -144,6 +149,7 @@ pub async fn delete_factor(
 }
 
 pub async fn clear_login_history(
+    _critical: CriticalRoute,
     user: CurrentUser,
     users: web::Data<Addr<UsersActor>>,
     logger: ActionLogger,

src/controllers/two_factors_controller.rs

@@ -9,22 +9,25 @@ use qrcode_generator::QrCodeEcc;
 use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
 use crate::controllers::settings_controller::BaseSettingsPage;
 use crate::data::app_config::AppConfig;
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::totp_key::TotpKey;
 use crate::data::user::User;
 use crate::data::webauthn_manager::WebAuthManagerReq;
+use crate::utils::time::fmt_time;
 
 #[derive(Template)]
 #[template(path = "settings/two_factors_page.html")]
 struct TwoFactorsPage<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     user: &'a User,
+    last_2fa_auth: Option<String>,
 }
 
 #[derive(Template)]
 #[template(path = "settings/add_2fa_totp_page.html")]
 struct AddTotpPage<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     qr_code: String,
     account_name: String,
     secret_key: String,
@@ -34,18 +37,19 @@ struct AddTotpPage<'a> {
 #[derive(Template)]
 #[template(path = "settings/add_webauthn_page.html")]
 struct AddWebauhtnPage<'a> {
-    _p: BaseSettingsPage<'a>,
+    p: BaseSettingsPage<'a>,
     opaque_state: String,
     challenge_json: String,
     max_name_len: usize,
 }
 
 /// Manage two factors authentication methods route
-pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
+pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
     HttpResponse::Ok().body(
         TwoFactorsPage {
-            _p: BaseSettingsPage::get("Two factor auth", &user, None, None),
+            p: BaseSettingsPage::get("Two factor auth", &user, None, None),
             user: user.deref(),
+            last_2fa_auth: user.last_2fa_auth.map(fmt_time),
         }
         .render()
         .unwrap(),
@@ -53,7 +57,7 @@ pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
 }
 
 /// Configure a new TOTP authentication factor
-pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
+pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
     let key = TotpKey::new_random();
 
     let qr_code = qrcode_generator::to_png_to_vec(
@@ -71,7 +75,7 @@ pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
 
     HttpResponse::Ok().body(
         AddTotpPage {
-            _p: BaseSettingsPage::get("New authenticator app", &user, None, None),
+            p: BaseSettingsPage::get("New authenticator app", &user, None, None),
             qr_code: BASE64_STANDARD.encode(qr_code),
             account_name: key.account_name(&user, AppConfig::get()),
             secret_key: key.get_secret(),
@@ -84,6 +88,7 @@ pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
 
 /// Configure a new security key factor
 pub async fn add_webauthn_factor_route(
+    _critical: CriticalRoute,
     user: CurrentUser,
     manager: WebAuthManagerReq,
 ) -> impl Responder {
@@ -106,7 +111,7 @@ pub async fn add_webauthn_factor_route(
 
     HttpResponse::Ok().body(
         AddWebauhtnPage {
-            _p: BaseSettingsPage::get("New security key", &user, None, None),
+            p: BaseSettingsPage::get("New security key", &user, None, None),
 
             opaque_state: registration_request.opaque_state,
             challenge_json: urlencoding::encode(&challenge_json).to_string(),

src/data/action_logger.rs

@@ -90,6 +90,9 @@ pub enum Action<'a> {
     NewOpenIDSession {
         client: &'a Client,
     },
+    NewOpenIDSuccessfulImplicitAuth {
+        client: &'a Client,
+    },
     ChangedHisPassword,
     ClearedHisLoginHistory,
     AddNewFactor(&'a TwoFactor),
@@ -199,6 +202,7 @@ impl<'a> Action<'a> {
             Action::NewOpenIDSession { client } => {
                 format!("opened a new OpenID session with {:?}", client.id)
             }
+            Action::NewOpenIDSuccessfulImplicitAuth { client } => format!("finished an implicit flow connection for client {:?}", client.id),
             Action::ChangedHisPassword => "changed his password".to_string(),
             Action::ClearedHisLoginHistory => "cleared his login history".to_string(),
             Action::AddNewFactor(factor) => format!(
@@ -206,7 +210,6 @@ impl<'a> Action<'a> {
                 factor.quick_description(),
             ),
             Action::Removed2FAFactor { factor_id } => format!("Removed his factor {factor_id:?}"),
-
         }
     }
 }

src/data/client.rs

@@ -1,9 +1,20 @@
 use crate::data::entity_manager::EntityManager;
+use crate::data::user::User;
 use crate::utils::string_utils::apply_env_vars;
+use serde_json::Value;
+use std::collections::HashMap;
 
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
 pub struct ClientID(pub String);
 
+#[derive(Debug, Copy, Clone, Eq, PartialEq)]
+pub enum AuthenticationFlow {
+    AuthorizationCode,
+    Implicit,
+}
+
+pub type AdditionalClaims = HashMap<String, Value>;
+
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub struct Client {
     /// The ID of the client
@@ -16,7 +27,8 @@ pub struct Client {
     pub description: String,
 
     /// The secret used by the client to retrieve authenticated users information
-    pub secret: String,
+    /// This value is absent if implicit authentication flow is used
+    pub secret: Option<String>,
 
     /// The URI where the users should be redirected once authenticated
     pub redirect_uri: String,
@@ -28,6 +40,16 @@ pub struct Client {
     /// Specify whether a client is granted to all users
     #[serde(default = "bool::default")]
     pub granted_to_all_users: bool,
+
+    /// Specify whether recent Second Factor Authentication is required to access this client
+    #[serde(default = "bool::default")]
+    pub enforce_2fa_auth: bool,
+
+    /// Additional claims to return with the id token
+    claims_id_token: Option<AdditionalClaims>,
+
+    /// Additional claims to return through the user info endpoint
+    claims_user_info: Option<AdditionalClaims>,
 }
 
 impl PartialEq for Client {
@@ -38,6 +60,78 @@ impl PartialEq for Client {
 
 impl Eq for Client {}
 
+impl Client {
+    /// Get the client authentication flow
+    pub fn auth_flow(&self) -> AuthenticationFlow {
+        match self.secret {
+            None => AuthenticationFlow::Implicit,
+            Some(_) => AuthenticationFlow::AuthorizationCode,
+        }
+    }
+
+    /// Process a single claim value
+    fn process_claim_string(&self, user: &User, str: &str) -> String {
+        str.replace("{username}", &user.username)
+            .replace("{mail}", &user.email)
+            .replace("{first_name}", &user.first_name)
+            .replace("{last_name}", &user.last_name)
+            .replace("{uid}", &user.uid.0)
+    }
+
+    /// Recurse claims processing
+    fn recurse_claims_processing(&self, user: &User, value: &Value) -> Value {
+        match value {
+            Value::String(s) => Value::String(self.process_claim_string(user, s)),
+            Value::Array(arr) => Value::Array(
+                arr.iter()
+                    .map(|v| self.recurse_claims_processing(user, v))
+                    .collect(),
+            ),
+            Value::Object(obj) => obj
+                .iter()
+                .map(|(k, v)| {
+                    (
+                        self.process_claim_string(user, k),
+                        self.recurse_claims_processing(user, v),
+                    )
+                })
+                .collect(),
+            v => v.clone(),
+        }
+    }
+
+    /// Process additional claims, processing placeholders
+    fn process_additional_claims(
+        &self,
+        user: &User,
+        claims: &Option<AdditionalClaims>,
+    ) -> Option<AdditionalClaims> {
+        let claims = claims.as_ref()?;
+
+        let res = claims
+            .iter()
+            .map(|(k, v)| {
+                (
+                    self.process_claim_string(user, k),
+                    self.recurse_claims_processing(user, v),
+                )
+            })
+            .collect();
+
+        Some(res)
+    }
+
+    /// Get additional claims for id_token for a successful authentication
+    pub fn claims_id_token(&self, user: &User) -> Option<AdditionalClaims> {
+        self.process_additional_claims(user, &self.claims_id_token)
+    }
+
+    /// Get additional claims for user info for a successful authentication
+    pub fn claims_user_info(&self, user: &User) -> Option<AdditionalClaims> {
+        self.process_additional_claims(user, &self.claims_user_info)
+    }
+}
+
 pub type ClientManager = EntityManager<Client>;
 
 impl EntityManager<Client> {
@@ -62,7 +156,7 @@ impl EntityManager<Client> {
             c.id = ClientID(apply_env_vars(&c.id.0));
             c.name = apply_env_vars(&c.name);
             c.description = apply_env_vars(&c.description);
-            c.secret = apply_env_vars(&c.secret);
+            c.secret = c.secret.as_deref().map(apply_env_vars);
             c.redirect_uri = apply_env_vars(&c.redirect_uri);
         }
     }

src/data/critical_route.rs

@@ -0,0 +1,32 @@
+use crate::data::current_user::CurrentUser;
+use crate::data::from_request_redirect::FromRequestRedirect;
+use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
+use actix_web::dev::Payload;
+use actix_web::{FromRequest, HttpRequest};
+use std::future::Future;
+use std::pin::Pin;
+
+pub struct CriticalRoute;
+
+impl FromRequest for CriticalRoute {
+    type Error = FromRequestRedirect;
+    type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
+
+    fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
+        let req = req.clone();
+
+        Box::pin(async move {
+            let current_user = CurrentUser::from_request(&req, &mut Payload::None)
+                .await
+                .expect("Failed to extract user identity!");
+
+            if current_user.should_request_2fa_for_critical_functions() {
+                let uri = get_2fa_url(&LoginRedirect::from_req(&req), true);
+
+                return Err(FromRequestRedirect::new(uri));
+            }
+
+            Ok(Self)
+        })
+    }
+}

src/data/current_user.rs

@@ -10,14 +10,30 @@ use actix_web::{web, Error, FromRequest, HttpRequest};
 
 use crate::actors::users_actor;
 use crate::actors::users_actor::UsersActor;
+use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::User;
+use crate::utils::time::time;
 
-pub struct CurrentUser(User);
+pub struct CurrentUser {
+    user: User,
+    pub auth_time: u64,
+    pub last_2fa_auth: Option<u64>,
+}
+
+impl CurrentUser {
+    pub fn should_request_2fa_for_critical_functions(&self) -> bool {
+        self.user.has_two_factor()
+            && self
+                .last_2fa_auth
+                .map(|t| t + SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS < time())
+                .unwrap_or(true)
+    }
+}
 
 impl From<CurrentUser> for User {
     fn from(user: CurrentUser) -> Self {
-        user.0
+        user.user
     }
 }
 
@@ -25,7 +41,7 @@ impl Deref for CurrentUser {
     type Target = User;
 
     fn deref(&self) -> &Self::Target {
-        &self.0
+        &self.user
     }
 }
 
@@ -40,7 +56,10 @@ impl FromRequest for CurrentUser {
         let identity: Identity = Identity::from_request(req, payload)
             .into_inner()
             .expect("Failed to get identity!");
-        let user_id = SessionIdentity(Some(&identity)).user_id();
+        let id = SessionIdentity(Some(&identity));
+        let user_id = id.user_id();
+        let last_2fa_auth = id.last_2fa_auth();
+        let auth_time = id.auth_time();
 
         Box::pin(async move {
             let user = match user_actor
@@ -57,7 +76,11 @@ impl FromRequest for CurrentUser {
                 }
             };
 
-            Ok(CurrentUser(user))
+            Ok(CurrentUser {
+                user,
+                auth_time,
+                last_2fa_auth,
+            })
         })
     }
 }

src/data/force_2fa_auth.rs

@@ -0,0 +1,45 @@
+use crate::data::current_user::CurrentUser;
+use crate::data::session_identity::SessionIdentity;
+use actix_identity::Identity;
+use actix_web::dev::Payload;
+use actix_web::{web, Error, FromRequest, HttpRequest};
+use std::future::Future;
+use std::pin::Pin;
+
+#[derive(serde::Deserialize)]
+pub struct Force2FAAuthQuery {
+    #[serde(default)]
+    force_2fa: bool,
+}
+
+pub struct Force2FAAuth {
+    pub force: bool,
+}
+
+impl FromRequest for Force2FAAuth {
+    type Error = Error;
+    type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
+
+    fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
+        let req = req.clone();
+
+        Box::pin(async move {
+            // It is impossible to force authentication for an unauthenticated user
+            let identity = Identity::from_request(&req, &mut Payload::None)
+                .into_inner()
+                .ok();
+            if !SessionIdentity(identity.as_ref()).is_authenticated() {
+                return Ok(Self { force: false });
+            }
+
+            let query = web::Query::<Force2FAAuthQuery>::from_request(&req, &mut Payload::None)
+                .into_inner()?;
+
+            let user = CurrentUser::from_request(&req, &mut Payload::None).await?;
+
+            Ok(Self {
+                force: query.force_2fa && user.has_two_factor(),
+            })
+        })
+    }
+}

src/data/from_request_redirect.rs

@@ -0,0 +1,32 @@
+use actix_web::body::BoxBody;
+use actix_web::http::StatusCode;
+use actix_web::{HttpResponse, ResponseError};
+use std::fmt::{Debug, Display, Formatter};
+
+#[derive(Debug)]
+pub struct FromRequestRedirect {
+    url: String,
+}
+
+impl FromRequestRedirect {
+    pub fn new(url: String) -> Self {
+        Self { url }
+    }
+}
+
+impl Display for FromRequestRedirect {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Redirect to {}", self.url)
+    }
+}
+
+impl ResponseError for FromRequestRedirect {
+    fn status_code(&self) -> StatusCode {
+        StatusCode::FOUND
+    }
+    fn error_response(&self) -> HttpResponse<BoxBody> {
+        HttpResponse::Found()
+            .insert_header(("Location", self.url.as_str()))
+            .body("Redirecting...")
+    }
+}

src/data/id_token.rs

@@ -1,7 +1,8 @@
+use crate::data::client::AdditionalClaims;
 use jwt_simple::claims::Audiences;
 use jwt_simple::prelude::{Duration, JWTClaims};
 
-#[derive(serde::Serialize)]
+#[derive(serde::Serialize, Debug)]
 pub struct IdToken {
     /// REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
     #[serde(rename = "iss")]
@@ -24,12 +25,19 @@ pub struct IdToken {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub nonce: Option<String>,
     pub email: String,
+    /// Additional claims
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(flatten)]
+    pub additional_claims: Option<AdditionalClaims>,
 }
 
 #[derive(serde::Serialize, serde::Deserialize)]
 pub struct CustomIdTokenClaims {
     auth_time: u64,
     email: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(flatten)]
+    additional_claims: Option<AdditionalClaims>,
 }
 
 impl IdToken {
@@ -46,6 +54,7 @@ impl IdToken {
             custom: CustomIdTokenClaims {
                 auth_time: self.auth_time,
                 email: self.email,
+                additional_claims: self.additional_claims,
             },
         }
     }

src/data/login_redirect.rs

@@ -1,7 +1,13 @@
+use actix_web::HttpRequest;
+
 #[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)]
 pub struct LoginRedirect(String);
 
 impl LoginRedirect {
+    pub fn from_req(req: &HttpRequest) -> Self {
+        Self(req.uri().to_string())
+    }
+
     pub fn get(&self) -> &str {
         match self.0.starts_with('/') && !self.0.starts_with("//") {
             true => self.0.as_str(),
@@ -19,3 +25,11 @@ impl Default for LoginRedirect {
         Self("/".to_string())
     }
 }
+
+/// Get the URL for 2FA authentication
+pub fn get_2fa_url(redir: &LoginRedirect, force_2fa: bool) -> String {
+    format!(
+        "/2fa_auth?redirect={}&force_2fa={force_2fa}",
+        redir.get_encoded()
+    )
+}

src/data/mod.rs

@@ -3,8 +3,11 @@ pub mod action_logger;
 pub mod app_config;
 pub mod client;
 pub mod code_challenge;
+pub mod critical_route;
 pub mod current_user;
 pub mod entity_manager;
+pub mod force_2fa_auth;
+pub mod from_request_redirect;
 pub mod id_token;
 pub mod jwt_signer;
 pub mod login_redirect;

src/data/session_identity.rs

@@ -24,6 +24,7 @@ pub struct SessionIdentityData {
     pub id: Option<UserID>,
     pub is_admin: bool,
     pub auth_time: u64,
+    pub last_2fa_auth: Option<u64>,
     pub status: SessionStatus,
 }
 
@@ -75,6 +76,7 @@ impl<'a> SessionIdentity<'a> {
             &SessionIdentityData {
                 id: Some(user.uid.clone()),
                 is_admin: user.admin,
+                last_2fa_auth: None,
                 auth_time: time(),
                 status,
             },
@@ -87,6 +89,12 @@ impl<'a> SessionIdentity<'a> {
         self.set_session_data(req, &sess);
     }
 
+    pub fn record_2fa_auth(&self, req: &HttpRequest) {
+        let mut sess = self.get_session_data().unwrap_or_default();
+        sess.last_2fa_auth = Some(time());
+        self.set_session_data(req, &sess);
+    }
+
     pub fn is_authenticated(&self) -> bool {
         self.get_session_data()
             .map(|s| s.status == SessionStatus::SignedIn)
@@ -119,4 +127,8 @@ impl<'a> SessionIdentity<'a> {
     pub fn auth_time(&self) -> u64 {
         self.get_session_data().unwrap_or_default().auth_time
     }
+
+    pub fn last_2fa_auth(&self) -> Option<u64> {
+        self.get_session_data().unwrap_or_default().last_2fa_auth
+    }
 }

src/data/totp_key.rs

@@ -9,7 +9,7 @@ use crate::data::user::User;
 use crate::utils::err::Res;
 use crate::utils::time::time;
 
-const BASE32_ALPHABET: Alphabet = Alphabet::RFC4648 { padding: true };
+const BASE32_ALPHABET: Alphabet = Alphabet::Rfc4648 { padding: true };
 const NUM_DIGITS: usize = 6;
 const PERIOD: u64 = 30;
 
@@ -73,6 +73,11 @@ impl TotpKey {
         self.get_code_at(|| time() - PERIOD)
     }
 
+    /// Get following code
+    pub fn following_code(&self) -> Res<String> {
+        self.get_code_at(|| time() + PERIOD)
+    }
+
     /// Get the code at a specific time
     fn get_code_at<F: Fn() -> u64>(&self, get_time: F) -> Res<String> {
         let gen = TotpGenerator::new()
@@ -98,7 +103,9 @@ impl TotpKey {
 
     /// Check a code's validity
     pub fn check_code(&self, code: &str) -> Res<bool> {
-        Ok(self.current_code()?.eq(code) || self.previous_code()?.eq(code))
+        Ok(self.previous_code()?.eq(code)
+            || self.current_code()?.eq(code)
+            || self.following_code()?.eq(code))
     }
 }
 
@@ -111,7 +118,10 @@ mod test {
         let key = TotpKey::new_random();
         let code = key.current_code().unwrap();
         let old_code = key.previous_code().unwrap();
+        let following_code = key.following_code().unwrap();
         assert_ne!(code, old_code);
+        assert_ne!(code, following_code);
+        assert_ne!(old_code, following_code);
     }
 
     #[test]

src/data/user.rs

@@ -90,11 +90,17 @@ impl TwoFactor {
         }
     }
 
-    pub fn login_url(&self, redirect_uri: &LoginRedirect) -> String {
+    pub fn login_url(&self, redirect_uri: &LoginRedirect, force_2fa: bool) -> String {
         match self.kind {
-            TwoFactorType::TOTP(_) => format!("/2fa_otp?redirect={}", redirect_uri.get_encoded()),
+            TwoFactorType::TOTP(_) => format!(
+                "/2fa_otp?redirect={}&force_2fa={force_2fa}",
+                redirect_uri.get_encoded()
+            ),
             TwoFactorType::WEBAUTHN(_) => {
-                format!("/2fa_webauthn?redirect={}", redirect_uri.get_encoded())
+                format!(
+                    "/2fa_webauthn?redirect={}&force_2fa={force_2fa}",
+                    redirect_uri.get_encoded()
+                )
             }
         }
     }
@@ -311,7 +317,7 @@ impl Eq for User {}
 impl Default for User {
     fn default() -> Self {
         Self {
-            uid: UserID("".to_string()),
+            uid: UserID(uuid::Uuid::new_v4().to_string()),
             first_name: "".to_string(),
             last_name: "".to_string(),
             username: "".to_string(),

src/utils/string_utils.rs

@@ -36,9 +36,14 @@ pub fn apply_env_vars(val: &str) -> String {
     val
 }
 
+/// Check out whether a given login is acceptable or not
+pub fn is_acceptable_login(login: &str) -> bool {
+    mailchecker::is_valid(login) || lazy_regex::regex!("^[a-zA-Z0-9-+]+$").is_match(login)
+}
+
 #[cfg(test)]
 mod test {
-    use crate::utils::string_utils::apply_env_vars;
+    use crate::utils::string_utils::{apply_env_vars, is_acceptable_login};
     use std::env;
 
     const VAR_ONE: &str = "VAR_ONE";
@@ -56,4 +61,12 @@ mod test {
         let src = format!("This is ${{{}}}", VAR_INVALID);
         assert_eq!(src, apply_env_vars(&src));
     }
+
+    #[test]
+    fn test_is_acceptable_login() {
+        assert!(is_acceptable_login("admin"));
+        assert!(is_acceptable_login("someone@somewhere.fr"));
+        assert!(!is_acceptable_login("someone@somewhere.#fr"));
+        assert!(!is_acceptable_login("bad bad"));
+    }
 }

src/utils/time.rs

@@ -1,4 +1,4 @@
-use chrono::{DateTime, NaiveDateTime, Utc};
+use chrono::DateTime;
 use std::time::{SystemTime, UNIX_EPOCH};
 
 /// Get the current time since epoch
@@ -11,12 +11,9 @@ pub fn time() -> u64 {
 
 /// Format unix timestamp to a human-readable string
 pub fn fmt_time(timestamp: u64) -> String {
-    // Create a NaiveDateTime from the timestamp
-    let naive =
-        NaiveDateTime::from_timestamp_opt(timestamp as i64, 0).expect("Failed to parse timestamp!");
-
-    // Create a normal DateTime from the NaiveDateTime
-    let datetime: DateTime<Utc> = DateTime::from_naive_utc_and_offset(naive, Utc);
+    // Create a DateTime from the timestamp
+    let datetime =
+        DateTime::from_timestamp(timestamp as i64, 0).expect("Failed to parse timestamp!");
 
     // Format the datetime how you want
     datetime.format("%Y-%m-%d %H:%M:%S").to_string()

templates/login/base_login_page.html

@@ -8,7 +8,7 @@
     <!-- No indexing -->
     <meta name="robots" content="noindex, nofollow">
 
-    <title>{{ _p.app_name }} - {{ _p.page_title }}</title>
+    <title>{{ p.app_name }} - {{ p.page_title }}</title>
 
     <!-- Bootstrap core CSS -->
     <link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
@@ -43,15 +43,15 @@
 
 <main class="form-signin">
 
-    <h1 class="h3 mb-3 fw-normal" style="margin-bottom: 2rem !important;">{{ _p.page_title }}</h1>
+    <h1 class="h3 mb-3 fw-normal" style="margin-bottom: 2rem !important;">{{ p.page_title }}</h1>
 
-    {% if let Some(danger) = _p.danger %}
+    {% if let Some(danger) = p.danger %}
     <div class="alert alert-danger" role="alert">
         {{ danger }}
     </div>
     {% endif %}
 
-    {% if let Some(success) = _p.success %}
+    {% if let Some(success) = p.success %}
     <div class="alert alert-success" role="alert">
         {{ success }}
     </div>

templates/login/choose_second_factor.html

@@ -5,14 +5,16 @@
     <p>You need to validate a second factor to complete your login.</p>
 
     {% for factor in user.get_distinct_factors_types() %}
-    <a class="btn btn-primary btn-lg" href="{{ factor.login_url(_p.redirect_uri) }}" style="width: 100%; display: flex;">
-        <img src="{{ factor.type_image() }}" alt="Factor icon" style="margin-right: 1em;" />
+    <!-- We can ask to force 2FA, because once we are here, it means 2FA is required anyway... -->
+    <a class="btn btn-primary btn-lg" href="{{ factor.login_url(p.redirect_uri, true) }}"
+       style="width: 100%; display: flex;">
+        <img src="{{ factor.type_image() }}" alt="Factor icon" style="margin-right: 1em;"/>
         <div style="text-align: left;">
             {{ factor.type_str() }} <br/>
             <small style="font-size: 0.7em;">{{ factor.description_str() }}</small>
         </div>
     </a>
-    <br />
+    <br/>
     {% endfor %}
 </div>
 

templates/login/login.html

@@ -18,7 +18,7 @@
 
 </style>
 
-<form action="/login?redirect={{ _p.redirect_uri.get_encoded() }}" method="post">
+<form action="/login?redirect={{ p.redirect_uri.get_encoded() }}" method="post">
     <div>
         <div class="form-floating">
             <input name="login" type="text" required class="form-control" id="floatingName" placeholder="unsername"
@@ -41,7 +41,7 @@
 {% if !providers.is_empty() %}
 <div id="providers">
     {% for prov in providers %}
-    <a class="btn btn-secondary btn-lg provider-button" href="{{ prov.login_url(_p.redirect_uri) }}">
+    <a class="btn btn-secondary btn-lg provider-button" href="{{ prov.login_url(p.redirect_uri) }}">
         <img src="{{ prov.logo_url() }}" alt="Provider icon"/>
         <div style="text-align: left;">
             Login using {{ prov.name }} <br/>

templates/login/otp_input.html

@@ -28,7 +28,7 @@
 
 
 <div style="margin-top: 10px;">
-    <a href="/2fa_auth?force_display=true&redirect={{ _p.redirect_uri.get_encoded() }}">Sign in using another factor</a><br/>
+    <a href="/2fa_auth?force_display=true&redirect={{ p.redirect_uri.get_encoded() }}&force_2fa=true">Sign in using another factor</a><br/>
     <a href="/logout">Sign out</a>
 </div>
 

templates/login/password_reset.html

@@ -1,6 +1,6 @@
 {% extends "base_login_page.html" %}
 {% block content %}
-<form action="/reset_password?redirect={{ _p.redirect_uri.get_encoded() }}" method="post" id="reset_password_form">
+<form action="/reset_password?redirect={{ p.redirect_uri.get_encoded() }}" method="post" id="reset_password_form">
     <div>
         <p>You need to configure a new password:</p>
 

templates/login/prov_login_error.html

@@ -7,7 +7,7 @@
     <p style="margin-top: 10px; text-align: justify;">{{ message }}</p>
 </div>
 
-<a href="/login?redirect={{ _p.redirect_uri.get_encoded() }}">Go back to login</a>
+<a href="/login?redirect={{ p.redirect_uri.get_encoded() }}">Go back to login</a>
 
 
 {% endblock content %}

templates/login/webauthn_input.html

@@ -12,13 +12,13 @@
 </div>
 
 <div style="margin-top: 10px;">
-    <a href="/2fa_auth?force_display=true&redirect={{ _p.redirect_uri.get_encoded() }}">Sign in using another factor</a><br/>
+    <a href="/2fa_auth?force_display=true&redirect={{ p.redirect_uri.get_encoded() }}&force_2fa=true">Sign in using another factor</a><br/>
     <a href="/logout">Sign out</a>
 </div>
 
 <script src="/assets/js/base64_lib.js"></script>
 <script>
-    const REDIRECT_URI = decodeURIComponent("{{ _p.redirect_uri.get_encoded() }}");
+    const REDIRECT_URI = decodeURIComponent("{{ p.redirect_uri.get_encoded() }}");
     const OPAQUE_STATE = "{{ opaque_state }}";
     const AUTH_CHALLENGE = JSON.parse(decodeURIComponent("{{ challenge_json }}"));
     // Decode data

templates/settings/account_details.html

@@ -5,27 +5,27 @@
     <tbody>
     <tr>
         <th scope="row">User ID</th>
-        <td>{{ _p.user.uid.0 }}</td>
+        <td>{{ p.user.uid.0 }}</td>
     </tr>
     <tr>
         <th scope="row">First name</th>
-        <td>{{ _p.user.first_name }}</td>
+        <td>{{ p.user.first_name }}</td>
     </tr>
     <tr>
         <th scope="row">Last name</th>
-        <td>{{ _p.user.last_name }}</td>
+        <td>{{ p.user.last_name }}</td>
     </tr>
     <tr>
         <th scope="row">Username</th>
-        <td>{{ _p.user.username }}</td>
+        <td>{{ p.user.username }}</td>
     </tr>
     <tr>
         <th scope="row">Email</th>
-        <td>{{ _p.user.email }}</td>
+        <td>{{ p.user.email }}</td>
     </tr>
     <tr>
         <th scope="row">Account type</th>
-        <td>{% if _p.user.admin %}Admin{% else %}Regular user{% endif %}</td>
+        <td>{% if p.user.admin %}Admin{% else %}Regular user{% endif %}</td>
     </tr>
     </tbody>
 </table>

templates/settings/base_settings_page.html

@@ -2,7 +2,7 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>{{ _p.page_title }} - {{ _p.app_name }}</title>
+    <title>{{ p.page_title }} - {{ p.app_name }}</title>
 
     <!-- Bootstrap core CSS -->
     <link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
@@ -12,10 +12,10 @@
 <body>
 <div class="d-flex flex-column flex-shrink-0 p-3 bg-light" style="width: 280px;">
     <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto link-dark text-decoration-none">
-        <span class="fs-4">{{ _p.app_name }}</span>
+        <span class="fs-4">{{ p.app_name }}</span>
     </a>
-    {% if _p.user.admin %}
-    <span>Version {{ _p.version }}</span>
+    {% if p.user.admin %}
+    <span>Version {{ p.version }}</span>
     {% endif %}
     <hr>
     <ul class="nav nav-pills flex-column mb-auto">
@@ -24,7 +24,7 @@
                 Account details
             </a>
         </li>
-        {% if _p.user.allow_local_login %}
+        {% if p.user.allow_local_login %}
         <li>
             <a href="/settings/change_password" class="nav-link link-dark">
                 Change password
@@ -37,7 +37,7 @@
             </a>
         </li>
 
-        {% if _p.user.admin %}
+        {% if p.user.admin %}
         <hr/>
         <li>
             <a href="/admin/clients" class="nav-link link-dark">
@@ -61,7 +61,7 @@
         <a href="#" class="d-flex align-items-center link-dark text-decoration-none dropdown-toggle" id="dropdownUser"
            data-bs-toggle="dropdown" aria-expanded="false">
             <img src="/assets/img/account.png" alt="" width="32" height="32" class="rounded-circle me-2">
-            <strong>{{ _p.user.username }}</strong>
+            <strong>{{ p.user.username }}</strong>
         </a>
         <ul class="dropdown-menu text-small shadow" aria-labelledby="dropdownUser">
             <li><a class="dropdown-item" href="/logout">Sign out</a></li>
@@ -70,14 +70,14 @@
 </div>
 
 <div class="page_body" style="flex: 1">
-    {% if let Some(msg) = _p.danger_message %}
+    {% if let Some(msg) = p.danger_message %}
     <div class="alert alert-danger">{{ msg }}</div>
     {% endif %}
-    {% if let Some(msg) = _p.success_message %}
+    {% if let Some(msg) = p.success_message %}
     <div class="alert alert-success">{{ msg }}</div>
     {% endif %}
 
-    <h2 class="bd-title mt-0" style="margin-bottom: 40px;">{{ _p.page_title }}</h2>
+    <h2 class="bd-title mt-0" style="margin-bottom: 40px;">{{ p.page_title }}</h2>
 
     {% block content %}
     TO_REPLACE
@@ -92,8 +92,8 @@
   })
 
 </script>
-{% if _p.ip_location_api.is_some() %}
-<script>const IP_LOCATION_API = "{{ _p.ip_location_api.unwrap() }}"</script>
+{% if p.ip_location_api.is_some() %}
+<script>const IP_LOCATION_API = "{{ p.ip_location_api.unwrap() }}"</script>
 {% endif %}
 <script src="/assets/js/ip_location_service.js"></script>
 </body>

templates/settings/edit_user.html

@@ -195,7 +195,7 @@
         </div>
     </fieldset>
 
-    <input type="submit" class="btn btn-primary mt-4" value="{{ _p.page_title }}">
+    <input type="submit" class="btn btn-primary mt-4" value="{{ p.page_title }}">
 </form>
 
 <script>

templates/settings/two_factors_page.html

@@ -26,7 +26,9 @@
     <tbody>
     {% for f in user.two_factor %}
     <tr id="factor-{{ f.id.0 }}">
-        <td><img src="{{ f.type_image() }}" alt="Factor icon" style="height: 1.5em; margin-right: 0.5em;" />{{ f.type_str() }}</td>
+        <td><img src="{{ f.type_image() }}" alt="Factor icon" style="height: 1.5em; margin-right: 0.5em;"/>{{
+            f.type_str() }}
+        </td>
         <td>{{ f.name }}</td>
         <td><a href="javascript:delete_factor('{{ f.id.0 }}');">Delete</a></td>
     </tr>
@@ -53,7 +55,9 @@
         {% for e in user.get_formatted_2fa_successful_logins() %}
         <tr>
             <td>{{ e.ip }}</td>
-            <td><locateip ip="{{ e.ip }}"></locateip></td>
+            <td>
+                <locateip ip="{{ e.ip }}"></locateip>
+            </td>
             <td>{{ e.fmt_time() }}</td>
             <td>{% if e.can_bypass_2fa %}YES{% else %}NO{% endif %}</td>
         </tr>
@@ -63,6 +67,10 @@
     {% endif %}
 </div>
 
+{% if let Some(last_2fa_auth) = last_2fa_auth %}
+<p>Last successful 2FA authentication on this browser: {{ last_2fa_auth }}</p>
+{% endif %}
+
 <script>
     async function delete_factor(id) {
         if (!confirm("Do you really want to remove this factor?"))
@@ -72,7 +80,7 @@
             const res = await fetch("/settings/api/two_factor/delete_factor", {
                 method: "post",
                 headers: {
-                  'Content-Type': 'application/json',
+                    'Content-Type': 'application/json',
                 },
                 body: JSON.stringify({
                     id: id,
@@ -84,7 +92,7 @@
 
             if (res.status == 200)
                 document.getElementById("factor-" + id).remove();
-        } catch(e) {
+        } catch (e) {
             console.error(e);
             alert("Failed to remove factor!");
         }
@@ -104,7 +112,7 @@
 
             if (res.status == 200)
                 document.getElementById("2fa_history_container").remove();
-        } catch(e) {
+        } catch (e) {
             console.error(e);
             alert("Failed to clear 2FA history!");
         }