Documentation ¶
Index ¶
- Constants
- Variables
- func CheckSafeRedirectionPOST(ctx *middlewares.AutheliaCtx)
- func ConfigurationGET(ctx *middlewares.AutheliaCtx)
- func DuoDevicePOST(ctx *middlewares.AutheliaCtx)
- func DuoDevicesGET(duoAPI duo.API) middlewares.RequestHandler
- func DuoPOST(duoAPI duo.API) middlewares.RequestHandler
- func FirstFactorPOST(delayFunc middlewares.TimingAttackDelayFunc) middlewares.RequestHandler
- func Handle1FAResponse(ctx *middlewares.AutheliaCtx, targetURI, requestMethod string, username string, ...)
- func Handle2FAResponse(ctx *middlewares.AutheliaCtx, targetURI string)
- func HandleAllow(ctx *middlewares.AutheliaCtx, targetURL string)
- func HandleAutoSelection(ctx *middlewares.AutheliaCtx, devices []DuoDevice, username string) (string, string, error)
- func HandleInitialDeviceSelection(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, duoAPI duo.API, ...) (device string, method string, err error)
- func HandlePreferredDeviceCheck(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, duoAPI duo.API, ...) (string, string, error)
- func HealthGET(ctx *middlewares.AutheliaCtx)
- func JSONWebKeySetGET(ctx *middlewares.AutheliaCtx)
- func LogoutPOST(ctx *middlewares.AutheliaCtx)
- func MethodPreferencePOST(ctx *middlewares.AutheliaCtx)
- func OAuthAuthorizationServerWellKnownGET(ctx *middlewares.AutheliaCtx)
- func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
- func OAuthRevocationPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
- func OpenIDConnectAuthorizationGET(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r *http.Request)
- func OpenIDConnectConfigurationWellKnownGET(ctx *middlewares.AutheliaCtx)
- func OpenIDConnectConsentGET(ctx *middlewares.AutheliaCtx)
- func OpenIDConnectConsentPOST(ctx *middlewares.AutheliaCtx)
- func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
- func OpenIDConnectUserinfo(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
- func PasswordPolicyConfigurationGet(ctx *middlewares.AutheliaCtx)
- func ResetPasswordPOST(ctx *middlewares.AutheliaCtx)
- func SecondFactorDuoDeviceDelete(ctx *middlewares.AutheliaCtx)
- func SecondFactorWebauthnAttestationGET(ctx *middlewares.AutheliaCtx, _ string)
- func SetStatusCodeResponse(ctx responseWriter, statusCode int)
- func SetValues(userSession session.UserSession, device string, method string, remoteIP string, ...) (url.Values, error)
- func StateGET(ctx *middlewares.AutheliaCtx)
- func TimeBasedOneTimePasswordPOST(ctx *middlewares.AutheliaCtx)
- func UserInfoGET(ctx *middlewares.AutheliaCtx)
- func UserInfoPOST(ctx *middlewares.AutheliaCtx)
- func UserTOTPInfoGET(ctx *middlewares.AutheliaCtx)
- func VerifyGET(cfg schema.AuthenticationBackendConfiguration) middlewares.RequestHandler
- func WebauthnAssertionGET(ctx *middlewares.AutheliaCtx)
- func WebauthnAssertionPOST(ctx *middlewares.AutheliaCtx)
- func WebauthnAttestationPOST(ctx *middlewares.AutheliaCtx)
- type DuoDevice
- type DuoDeviceBody
- type DuoDevicesResponse
- type DuoSignResponse
- type MethodList
- type PassworPolicyBody
- type StateResponse
- type TOTPKeyResponse
Constants ¶
const ( // ActionTOTPRegistration is the string representation of the action for which the token has been produced. ActionTOTPRegistration = "RegisterTOTPDevice" // ActionWebauthnRegistration is the string representation of the action for which the token has been produced. ActionWebauthnRegistration = "RegisterWebauthnDevice" // ActionResetPassword is the string representation of the action for which the token has been produced. ActionResetPassword = "ResetPassword" )
const ( // Forbidden means the user is forbidden the access to a resource. Forbidden authorizationMatching = iota // NotAuthorized means the user can access the resource with more permissions. NotAuthorized authorizationMatching = iota // Authorized means the user is authorized given her current permissions. Authorized authorizationMatching = iota )
Variables ¶
var ResetPasswordIdentityFinish = middlewares.IdentityVerificationFinish( middlewares.IdentityVerificationFinishArgs{ActionClaim: ActionResetPassword}, resetPasswordIdentityFinish)
ResetPasswordIdentityFinish is the handler for finishing the identity validation.
var ResetPasswordIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{ MailTitle: "Reset your password", MailButtonContent: "Reset", TargetEndpoint: "/reset-password/step2", ActionClaim: ActionResetPassword, IdentityRetrieverFunc: identityRetrieverFromStorage, }, middlewares.TimingAttackDelay(10, 250, 85, time.Millisecond*500))
ResetPasswordIdentityStart is the handler for initiating the identity validation for resetting a password. To ensure an attacker cannot perform user enumeration, it always replies with 200 regardless of what happens in the backend.
var TOTPIdentityFinish = middlewares.IdentityVerificationFinish( middlewares.IdentityVerificationFinishArgs{ ActionClaim: ActionTOTPRegistration, IsTokenUserValidFunc: isTokenUserValidFor2FARegistration, }, totpIdentityFinish)
TOTPIdentityFinish is the handler for finishing the identity validation.
var TOTPIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{ MailTitle: "Register your mobile", MailButtonContent: "Register", TargetEndpoint: "/one-time-password/register", ActionClaim: ActionTOTPRegistration, IdentityRetrieverFunc: identityRetrieverFromSession, }, nil)
TOTPIdentityStart is the handler for initiating the identity validation.
var WebauthnIdentityFinish = middlewares.IdentityVerificationFinish( middlewares.IdentityVerificationFinishArgs{ ActionClaim: ActionWebauthnRegistration, IsTokenUserValidFunc: isTokenUserValidFor2FARegistration, }, SecondFactorWebauthnAttestationGET)
WebauthnIdentityFinish is the handler for finishing the identity validation.
var WebauthnIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{ MailTitle: "Register your key", MailButtonContent: "Register", TargetEndpoint: "/webauthn/register", ActionClaim: ActionWebauthnRegistration, IdentityRetrieverFunc: identityRetrieverFromSession, }, nil)
WebauthnIdentityStart is the handler for initiating the identity validation.
Functions ¶
func CheckSafeRedirectionPOST ¶ added in v4.35.0
func CheckSafeRedirectionPOST(ctx *middlewares.AutheliaCtx)
CheckSafeRedirectionPOST is the handler checking whether redirection to the URL provided in the request body is safe.
func ConfigurationGET ¶ added in v4.35.0
func ConfigurationGET(ctx *middlewares.AutheliaCtx)
ConfigurationGET gets the configuration accessible to authenticated users.
func DuoDevicePOST ¶ added in v4.35.0
func DuoDevicePOST(ctx *middlewares.AutheliaCtx)
DuoDevicePOST updates the user preferences regarding the Duo device and method.
func DuoDevicesGET ¶ added in v4.35.0
func DuoDevicesGET(duoAPI duo.API) middlewares.RequestHandler
DuoDevicesGET is the handler for retrieving available devices and capabilities from the Duo API.
func DuoPOST ¶ added in v4.35.0
func DuoPOST(duoAPI duo.API) middlewares.RequestHandler
DuoPOST is the handler for sending a push notification via the Duo API.
func FirstFactorPOST ¶ added in v4.35.0
func FirstFactorPOST(delayFunc middlewares.TimingAttackDelayFunc) middlewares.RequestHandler
FirstFactorPOST is the handler performing the first factor authentication.
func Handle1FAResponse ¶
func Handle1FAResponse(ctx *middlewares.AutheliaCtx, targetURI, requestMethod string, username string, groups []string)
Handle1FAResponse handles the redirection upon 1FA authentication.
func Handle2FAResponse ¶
func Handle2FAResponse(ctx *middlewares.AutheliaCtx, targetURI string)
Handle2FAResponse handles the redirection upon 2FA authentication.
func HandleAllow ¶ added in v4.33.0
func HandleAllow(ctx *middlewares.AutheliaCtx, targetURL string)
HandleAllow is the handler for successful logins.
func HandleAutoSelection ¶ added in v4.33.0
func HandleAutoSelection(ctx *middlewares.AutheliaCtx, devices []DuoDevice, username string) (string, string, error)
HandleAutoSelection automatically selects the preferred device if there is only one suitable option.
func HandleInitialDeviceSelection ¶ added in v4.33.0
func HandleInitialDeviceSelection(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, duoAPI duo.API, targetURL string) (device string, method string, err error)
HandleInitialDeviceSelection is the handler for retrieving all available devices.
func HandlePreferredDeviceCheck ¶ added in v4.33.0
func HandlePreferredDeviceCheck(ctx *middlewares.AutheliaCtx, userSession *session.UserSession, duoAPI duo.API, device string, method string, targetURL string) (string, string, error)
HandlePreferredDeviceCheck checks whether the saved device and method are still valid.
func HealthGET ¶ added in v4.35.0
func HealthGET(ctx *middlewares.AutheliaCtx)
HealthGET can be used by health checks.
func JSONWebKeySetGET ¶ added in v4.35.0
func JSONWebKeySetGET(ctx *middlewares.AutheliaCtx)
JSONWebKeySetGET returns the JSON Web Key Set. Used in OAuth 2.0 and OpenID Connect 1.0.
func LogoutPOST ¶ added in v4.35.0
func LogoutPOST(ctx *middlewares.AutheliaCtx)
LogoutPOST is the handler logging out the user attached to the given cookie.
func MethodPreferencePOST ¶ added in v4.35.0
func MethodPreferencePOST(ctx *middlewares.AutheliaCtx)
MethodPreferencePOST updates the user preferences regarding the 2FA method.
func OAuthAuthorizationServerWellKnownGET ¶ added in v4.35.0
func OAuthAuthorizationServerWellKnownGET(ctx *middlewares.AutheliaCtx)
OAuthAuthorizationServerWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the OAuth 2.0 Authorization Server Metadata (RFC8414).
func OAuthIntrospectionPOST ¶ added in v4.35.0
func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OAuthIntrospectionPOST handles POST requests to the OAuth 2.0 Introspection endpoint.
func OAuthRevocationPOST ¶ added in v4.35.0
func OAuthRevocationPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OAuthRevocationPOST handles POST requests to the OAuth 2.0 Revocation endpoint.
func OpenIDConnectAuthorizationGET ¶ added in v4.35.0
func OpenIDConnectAuthorizationGET(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r *http.Request)
OpenIDConnectAuthorizationGET handles GET requests to the OpenID Connect 1.0 Authorization endpoint.
https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
func OpenIDConnectConfigurationWellKnownGET ¶ added in v4.35.0
func OpenIDConnectConfigurationWellKnownGET(ctx *middlewares.AutheliaCtx)
OpenIDConnectConfigurationWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the OpenID Connect Discovery 1.0 metadata.
func OpenIDConnectConsentGET ¶ added in v4.35.0
func OpenIDConnectConsentGET(ctx *middlewares.AutheliaCtx)
OpenIDConnectConsentGET handles requests to provide consent for OpenID Connect.
func OpenIDConnectConsentPOST ¶ added in v4.35.0
func OpenIDConnectConsentPOST(ctx *middlewares.AutheliaCtx)
OpenIDConnectConsentPOST handles consent responses for OpenID Connect.
func OpenIDConnectTokenPOST ¶ added in v4.35.0
func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OpenIDConnectTokenPOST handles POST requests to the OpenID Connect 1.0 Token endpoint.
https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
func OpenIDConnectUserinfo ¶ added in v4.35.0
func OpenIDConnectUserinfo(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request)
OpenIDConnectUserinfo handles GET/POST requests to the OpenID Connect 1.0 UserInfo endpoint.
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
func PasswordPolicyConfigurationGet ¶ added in v4.35.0
func PasswordPolicyConfigurationGet(ctx *middlewares.AutheliaCtx)
PasswordPolicyConfigurationGet gets the password policy configuration.
func ResetPasswordPOST ¶ added in v4.35.0
func ResetPasswordPOST(ctx *middlewares.AutheliaCtx)
ResetPasswordPOST is the handler for resetting passwords.
func SecondFactorDuoDeviceDelete ¶ added in v4.33.0
func SecondFactorDuoDeviceDelete(ctx *middlewares.AutheliaCtx)
SecondFactorDuoDeviceDelete deletes the user's preferred Duo device and method.
func SecondFactorWebauthnAttestationGET ¶ added in v4.34.0
func SecondFactorWebauthnAttestationGET(ctx *middlewares.AutheliaCtx, _ string)
SecondFactorWebauthnAttestationGET returns the attestation challenge from the server.
func SetStatusCodeResponse ¶ added in v4.35.0
func SetStatusCodeResponse(ctx responseWriter, statusCode int)
SetStatusCodeResponse writes a response status code and an appropriate body on either a *fasthttp.RequestCtx or *middlewares.AutheliaCtx.
func SetValues ¶ added in v4.33.0
func SetValues(userSession session.UserSession, device string, method string, remoteIP string, targetURL string, passcode string) (url.Values, error)
SetValues sets all appropriate Values for the Auth Request.
func StateGET ¶ added in v4.35.0
func StateGET(ctx *middlewares.AutheliaCtx)
StateGET is the handler serving the user state.
func TimeBasedOneTimePasswordPOST ¶ added in v4.35.0
func TimeBasedOneTimePasswordPOST(ctx *middlewares.AutheliaCtx)
TimeBasedOneTimePasswordPOST validates the TOTP passcode provided by the user.
func UserInfoGET ¶ added in v4.34.6
func UserInfoGET(ctx *middlewares.AutheliaCtx)
UserInfoGET gets the info related to the user identified by the session.
func UserInfoPOST ¶ added in v4.34.6
func UserInfoPOST(ctx *middlewares.AutheliaCtx)
UserInfoPOST handles setting up info for users if necessary when they login.
func UserTOTPInfoGET ¶ added in v4.35.0
func UserTOTPInfoGET(ctx *middlewares.AutheliaCtx)
UserTOTPInfoGET returns the user's TOTP configuration.
func VerifyGET ¶ added in v4.35.0
func VerifyGET(cfg schema.AuthenticationBackendConfiguration) middlewares.RequestHandler
VerifyGET returns the handler verifying if a request is allowed to go through.
func WebauthnAssertionGET ¶ added in v4.35.0
func WebauthnAssertionGET(ctx *middlewares.AutheliaCtx)
WebauthnAssertionGET is the handler that starts the assertion ceremony.
func WebauthnAssertionPOST ¶ added in v4.35.0
func WebauthnAssertionPOST(ctx *middlewares.AutheliaCtx)
WebauthnAssertionPOST is the handler that completes the assertion ceremony after verifying the challenge.
func WebauthnAttestationPOST ¶ added in v4.35.0
func WebauthnAttestationPOST(ctx *middlewares.AutheliaCtx)
WebauthnAttestationPOST processes the attestation challenge response from the client.
Types ¶
type DuoDevice ¶ added in v4.33.0
type DuoDevice struct { Device string `json:"device"` DisplayName string `json:"display_name"` Capabilities []string `json:"capabilities"` }
DuoDevice represents Duo devices and methods.
func DuoPreAuth ¶ added in v4.33.0
func DuoPreAuth(ctx *middlewares.AutheliaCtx, duoAPI duo.API) (string, string, []DuoDevice, string, error)
DuoPreAuth is a helper function for retrieving supported devices and capabilities from the Duo API.
type DuoDeviceBody ¶ added in v4.33.0
type DuoDeviceBody struct { Device string `json:"device" valid:"required"` Method string `json:"method" valid:"required"` }
DuoDeviceBody represents the selected Duo device and method.
type DuoDevicesResponse ¶ added in v4.33.0
type DuoDevicesResponse struct { Result string `json:"result" valid:"required"` Devices []DuoDevice `json:"devices,omitempty"` EnrollURL string `json:"enroll_url,omitempty"` }
DuoDevicesResponse represents all available user devices and methods as well as an optional enrollment URL.
type DuoSignResponse ¶ added in v4.33.0
type DuoSignResponse struct { Result string `json:"result" valid:"required"` Devices []DuoDevice `json:"devices,omitempty"` Redirect string `json:"redirect,omitempty"` EnrollURL string `json:"enroll_url,omitempty"` }
DuoSignResponse represents the result of the preauth and/or auth call with further optional info.
type PassworPolicyBody ¶ added in v4.35.0
type PassworPolicyBody struct { Mode string `json:"mode"` MinLength int `json:"min_length"` MaxLength int `json:"max_length"` MinScore int `json:"min_score"` RequireUppercase bool `json:"require_uppercase"` RequireLowercase bool `json:"require_lowercase"` RequireNumber bool `json:"require_number"` RequireSpecial bool `json:"require_special"` }
PassworPolicyBody represents the response sent by the password reset step 2.
type StateResponse ¶
type StateResponse struct { Username string `json:"username"` AuthenticationLevel authentication.Level `json:"authentication_level"` DefaultRedirectionURL string `json:"default_redirection_url"` }
StateResponse represents the response sent by the state endpoint.
type TOTPKeyResponse ¶
type TOTPKeyResponse struct { Base32Secret string `json:"base32_secret"` OTPAuthURL string `json:"otpauth_url"` }
TOTPKeyResponse is the model of the response that is sent to the client upon successful identity verification.
Source Files ¶
- const.go
- duo.go
- handler_checks_safe_redirection.go
- handler_configuration.go
- handler_configuration_password_policy.go
- handler_firstfactor.go
- handler_health.go
- handler_jwks.go
- handler_logout.go
- handler_oauth_introspection.go
- handler_oauth_revocation.go
- handler_oidc_authorization.go
- handler_oidc_authorization_consent.go
- handler_oidc_consent.go
- handler_oidc_token.go
- handler_oidc_userinfo.go
- handler_oidc_wellknown.go
- handler_register_duo_device.go
- handler_register_totp.go
- handler_register_webauthn.go
- handler_reset_password_step1.go
- handler_reset_password_step2.go
- handler_sign_duo.go
- handler_sign_totp.go
- handler_sign_webauthn.go
- handler_state.go
- handler_user_info.go
- handler_user_totp.go
- handler_verify.go
- oidc.go
- response.go
- types.go
- webauthn.go