Joshua Tauberer
79966e36e3
Set a cookie for /admin/munin pages to grant access to Munin reports
...
The /admin/munin routes used the same Authorization: header logic as the other API routes, but they are browsed directly in the browser because they are handled as static pages or as a proxy to a CGI script.
This required users to enter their email username/password for HTTP basic authentication in the standard browser auth prompt, which wasn't ideal (and may leak the password in browser storage). It also stopped working when MFA was enabled for user accounts.
A token is now set in a cookie when visiting /admin/munin which is then checked in the routes that proxy the Munin pages. The cookie's lifetime is kept limited to limit the opportunity for any unknown CSRF attacks via the Munin CGI script.
2021-09-24 08:11:36 -04:00
Elsie Hupp
353084ce67
Use "smart invert" for dark mode (#2038)
...
* Use "smart invert" for dark mode
Signed-off-by: Elsie Hupp <9206310+elsiehupp@users.noreply.github.com>
* Add more contrast to form controls
Co-authored-by: Joshua Tauberer <jt@occams.info>
2021-09-19 09:53:03 -04:00
Joshua Tauberer
e5909a6287
Allow non-admin login to the control panel and show/hide menu items depending on the login state
...
* When logged out, no menu items are shown.
* When logged in, Log Out is shown.
* When logged in as an admin, the remaining menu items are also shown.
* When logged in as a non-admin, the mail and contacts/calendar instruction pages are shown.
Fixes #1987
2021-09-06 09:23:58 -04:00
Joshua Tauberer
26932ecb10
Add a 'welcome' panel to the control panel and make it the default page instead of the status checks which take too long to load
...
Fixes #2014
2021-09-06 09:23:58 -04:00
Joshua Tauberer
e884c4774f
Replace HMAC-based session API keys with tokens stored in memory in the daemon process
...
Since the session cache clears keys after a period of time, this fixes #1821.
Based on https://github.com/mail-in-a-box/mailinabox/pull/2012, and so:
Co-Authored-By: NewbieOrange <NewbieOrange@users.noreply.github.com>
Also fixes #2029 by not revealing through the login failure error message whether a user exists or not.
2021-09-06 09:23:58 -04:00
Joshua Tauberer
b80f225691
Reorganize MFA front-end and add label column
2020-09-27 08:31:23 -04:00
Felix Spöttel
dcb93d071c
Add TOTP secret to user_key hash
...
thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
2020-09-12 16:34:06 +02:00
Felix Spöttel
ee01eae55e
Decouple totp from users table by moving to totp_credentials table
...
* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credential per user on db-level
2020-09-03 19:07:21 +02:00
Felix Spöttel
8597646a12
Update API route naming, update setup page
...
* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types
2020-09-02 19:41:06 +02:00
Felix Spöttel
3c3683429b
implement two factor check during login
2020-09-02 17:23:32 +02:00
Felix Spöttel
a7a66929aa
add user interface for managing 2fa
...
* update user schema with 2fa columns
2020-09-02 16:48:23 +02:00
Marius Blüm
48ff664ee9
Remove the ? from "Log out" (#1231)
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2017-08-23 19:46:45 -04:00
Michael Kroes
e49c99890b
fetch whole bootstrap - fixes missing icons in admin (#1185)
2017-05-31 07:36:17 -04:00
Git Repository
18f1689f45
changed the location we store the web-assets for the admin pages to /usr/local/mailinabox (#1179)
2017-05-23 19:22:53 -04:00
Git Repository
8234a5a9f4
download jQuery and Bootstrap during setup and serve locally so that we don't rely on a CDN which is blocked in some parts of the world (#1167) (#1171)
2017-05-08 07:25:16 -04:00
Marius Blüm
942bcfc7c5
Update Bootstrap to 3.3.7 (#909)
...
Signed-off-by: Marius Blüm <marius@lineone.io>
2016-08-15 18:06:12 -04:00
Arnaud
ff7d4196a6
target to blank for munin link in template (#822)
...
adding:
target="_blank"
to
<li><a href="/admin/munin">Munin Monitoring</a></li> on line 96
Why?
Because when you click on the munin link and follow links, you lose your index, or click back many times...
So I propose my pull request.
Et voilà ^^
2016-05-17 19:46:45 -04:00
aspdye
f65d9d3196
Upgrade Bootstrap 3.3.5 to 3.3.6
2016-04-09 13:27:27 +02:00
Jeroen Jacobs
70111dafbc
Removes border and rounded corners from navbar
2016-01-14 15:48:39 +01:00
Joshua Tauberer
4b4f670adf
s/SSL/TLS/ in user-visible text throughout the project
2016-01-04 18:43:16 -05:00
Joshua Tauberer
6c8ee1862a
use subresource integrity attributes to guard against CDNs being used as an attack vector; drop external resources that we can't protect this way (fonts); fixes #234
2015-09-18 19:04:28 +00:00
Joshua Tauberer
75a75a6f84
admin: rename my ajax javascript function to ajax_with_indicator; see 79c57c2303
2015-09-04 18:40:56 -04:00
Joshua Tauberer
2e99589336
admin: fix jumpiness when a modal is shown (move overflow-y to body; make the navbar not fixed to top)
2015-09-04 22:21:10 +00:00
Joshua Tauberer
188b21dd36
bump bootstrap to 3.3.5 and jquery to 1.11.3 on the admin
2015-09-04 22:13:56 +00:00
Norman Stanke
1a525df8ad
Add Mail-in-a-Box version status check.
2015-08-28 11:55:21 +00:00
Joshua Tauberer
7527b4dc27
show the Mail-in-a-Box version in the control panel and a button to ping the MiaB website for the latest version
...
fixes #441
2015-06-25 13:43:11 +00:00
Joshua Tauberer
1990f32ca4
typo, fixes #435
2015-06-06 13:22:50 +00:00
Joshua Tauberer
9857db96cd
add a link to the /admin/munin page from the control panel nav bar
2015-06-06 12:52:16 +00:00
Joshua Tauberer
1e9c587b92
rewrite the DNS API to permit setting multiple records of the same type on the same domain
...
e.g. multiple TXT records
fixes #333
2015-05-03 13:43:38 +00:00
Joshua Tauberer
542877ee46
use the font-awesome .fa-spinner.fa-pulse classes for the AJAX loading indicator, rather than the static glyphicon-time icon
2015-05-03 13:43:38 +00:00
Joshua Tauberer
f1760b516d
control panel: sometimes the ajax loading modal would show after operations were already done
...
Needed to add the clearQueue flag to jQuery's stop() method
2015-05-03 13:43:38 +00:00
Joshua Tauberer
35f4a49d10
my html5 stub was wrong; 8c3aed2846
2015-04-19 13:21:38 +00:00
Joshua Tauberer
8c3aed2846
update the control panel html template to my latest html5 stub
...
jquery 1.11.1, bootstrap 3.3.0, better accessibility, see https://github.com/JoshData/html5-stub
2015-04-11 15:40:19 -04:00
Joshua Tauberer
ec039719de
prevent caching of ajax responses in the control panel
...
GET requests might be cached. Definitely happens on Internet Explorer. Makes it look like the user is getting unauthorized access.
See https://discourse.mailinabox.email/t/fresh-install-can-login-to-webmail-but-not-admin/394/4.
2015-03-31 14:52:11 +00:00
Joshua Tauberer
2b76fd299e
admin: ensure multiple concurrent api calls don't confuse the ajax loading indicator (track number of open requests, stop fade animation when it is time to hide)
2014-12-21 22:47:11 +00:00
Joshua Tauberer
90592bb157
add a control panel for setting custom dns records so that we don't have to use the api manually
2014-12-21 11:31:24 -05:00
Joshua Tauberer
47dd59c2a7
admin mail guide: use bootstrap .panel to style the tips
...
also give more space for the login settings and less space to the tips
2014-10-21 11:17:49 +00:00
Joshua Tauberer
cce1184090
admin: change the css class name around the panels to not invoke the bootstrap 'panel' css
2014-10-21 11:17:49 +00:00
Joshua Tauberer
1adb1d8307
admin: there is no need to make each panel a separate bootstrap container
...
* also fixes the footer alignment to be within a container rather than a container-fluid
* this changed the width of the login form slightly, so am cleaning that up too
see #244
2014-10-21 11:17:28 +00:00
Joshua Tauberer
82851d6d2d
suppress "Something went wrong, sorry." when the management daemon's api key has changed
2014-10-11 17:06:22 +00:00
Joshua Tauberer
17331e7d82
adding a really slick ssl certificate installation form in the control panel
2014-10-10 15:49:14 +00:00
Joshua Tauberer
6ab29c3244
add instructions for static web hosting into the control panel
2014-10-07 16:05:42 +00:00
Joshua Tauberer
9210ebdb9f
control panel tweaks
2014-10-07 15:12:35 +00:00
Joshua Tauberer
092c842a87
split external/custom dns into separate pages in the admin
2014-10-05 13:38:23 +00:00
Joshua Tauberer
c2ddabe683
fix ajax loading indicator positioning
2014-09-21 17:41:46 +00:00
Joshua Tauberer
846768efcb
admin: update user's password from the admin
2014-09-21 17:24:01 +00:00
Joshua Tauberer
f77f1e656c
split CardDAV instructions into a new page and add CalDAV instructions; create nice redirects at /cloud/calendar and /cloud/contacts
2014-09-03 10:51:19 +00:00
Joshua Tauberer
3853e8dd93
show the status of backups in the control panel
2014-09-01 13:06:53 +00:00
Joshua Tauberer
684d9b3c70
prettify the custom DNS docs
2014-08-27 12:57:47 +00:00
Joshua Tauberer
b76cbae5a0
document the DNS API in the control panel
...
see #140, #155, df20d447a9
2014-08-25 23:52:41 +00:00