external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2026-03-14 17:27:23 +01:00
Code Issues Releases Wiki Activity
2,172 Commits 6 Branches 88 Tags
617dcbded9142827dd5c0bcec0847560ca9a6821
Commit Graph

809 Commits

Author SHA1 Message Date
Felix Spöttel
4dced10a3f Fix handling of bad input when enabling mfa 2020-09-28 21:06:59 +02:00
Joshua Tauberer
b80f225691 Reorganize MFA front-end and add label column 2020-09-27 08:31:23 -04:00
0pis
7f0f28f8e3 Use tabs instead of spaces in nginx conf (#1827) 
* conf/nginx-primaryonly.conf: Use tabs instead of spaces
* management/web_update.py: Includes the tabs so they display with the correct indentation when added to the local.conf

Co-authored-by: 0pis <0pis>
 2020-09-27 07:13:33 -04:00
David Duque
2bfa65329a Keep root in actual local.conf file 2020-09-27 02:17:49 +01:00
David Duque
4b7f6e20da Update nginx files to discard non-essential locations for non-primary domains 2020-09-27 02:01:17 +01:00
David Duque
7725e6efe6 Revert .nginx.conf file features 2020-09-27 01:31:51 +01:00
Joshua Tauberer
a8ea456b49 Reorganize the MFA backend methods 2020-09-26 09:58:25 -04:00
David Duque
7de99aa690 Merge v0.50 from upstream 2020-09-26 10:21:01 +01:00
Joshua Tauberer
51aedcf6c3 Drop the MTA-STS TLSRPT record unless set explicitly 2020-09-21 15:57:17 -04:00
Felix Spöttel
7d6427904f Typo 2020-09-12 16:38:44 +02:00
Felix Spöttel
dcb93d071c Add TOTP secret to user_key hash 
thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
 2020-09-12 16:34:06 +02:00
Felix Spöttel
2ea97f0643 Do not log failed login attempts for MissingToken errors 
* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.
 2020-09-06 13:08:44 +02:00
Felix Spöttel
4791c2fc62 Safeguard against empty mru_token column 
* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup
 2020-09-06 13:03:54 +02:00
Felix Spöttel
49c333221a Use hmac.compare_digest() to compare mru_token 2020-09-06 12:54:45 +02:00
Felix Spöttel
481a333dc0 Address review feedback, thanks @hija 2020-09-04 20:28:15 +02:00
Felix Spöttel
b0df35eba0 conn.close() if mru_token update can't .commit() 2020-09-03 20:39:03 +02:00
Felix Spöttel
08ae3d2b7f Rename internal validate_two_factor_secret => validate_two_factor_secret 2020-09-03 19:48:54 +02:00
Felix Spöttel
7c4eb0fb70 Add sqlite migration 2020-09-03 19:39:29 +02:00
Felix Spöttel
ee01eae55e Decouple totp from users table by moving to totp_credentials table 
* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level
 2020-09-03 19:07:21 +02:00
Felix Spöttel
89b301afc7 Update OpenApi docs, rename /2fa/ => /mfa/ 2020-09-03 13:54:28 +02:00
Felix Spöttel
ce70f44c58 Extract TOTPStrategy class to totp.py 
* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`
 2020-09-03 11:19:19 +02:00
Felix Spöttel
6594e19a1f Autofocus otp input when logging in, update layout 2020-09-02 20:30:08 +02:00
Felix Spöttel
8597646a12 Update API route naming, update setup page 
* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types
 2020-09-02 19:41:06 +02:00
Felix Spöttel
f205c48564 Use pyotp for validating TOTP codes 
* also implements resynchronisation support via `pyotp`'s `valid_window option
 2020-09-02 19:12:15 +02:00
Felix Spöttel
3c3683429b implement two factor check during login 2020-09-02 17:23:32 +02:00
Felix Spöttel
a7a66929aa add user interface for managing 2fa 
* update user schema with 2fa columns
 2020-09-02 16:48:23 +02:00
David Duque
94da7bb088 status_checks.py: Properly terminate the process pools (#1795) 
* Only spawn a thread pool when strictly needed

For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.

* Acquire pools with the 'with' statement
 2020-08-09 11:42:39 -04:00
Richard Willis
c50170b816 Update "Remove Alias" modal title (#1800) 2020-07-29 10:01:20 -04:00
David Duque
5e597bb536 Update deprecated function from dnspython 2020-07-26 01:00:17 +01:00
David Duque
fc0bd12631 Acquire pools with the 'with' statement 2020-07-22 12:42:10 +01:00
David Duque
311e6c63e8 Render the 'Backup now' buttons even if there are already backups 2020-07-21 19:25:48 +01:00
David Duque
a0da88834c Terminate the status checks process pool before exiting 2020-07-21 19:21:46 +01:00
David Duque
967409b157 Drop requirement for passwords to have no spaces (#1789) 2020-07-16 07:23:11 -04:00
David Duque
1b2711fc42 Add 'always' modifier to the HSTS add_header directive (#1790) 
This will make it so that the HSTS header is sent regardless of the request status code (until this point it would only be sent if "the response code equals 200, 201, 206, 301, 302, 303, 307, or 308." - according to thttp://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
 2020-07-16 07:21:14 -04:00
David Duque
c8fbe2dd5d Determine the PHP version at runtime (instead of at setup-time) 2020-07-15 15:28:02 +01:00
David Duque
515a74ba11 Render the lsb_release at flask init time 
Don't change the index.html file at setup time
 2020-07-14 11:51:25 +01:00
David Duque
b562e7eefa Hide the 'Create Backup' buttons when backups are turned off 2020-07-11 15:45:50 +01:00
David Duque
ccf60c7017 Backups: User-initiated and cron-initiated jobs will have the same lockname 
So that some poor timing (initiating a backup when there's a cron-initiated backup)
doesn't screw everything up.
 2020-07-11 09:16:32 +01:00
David Duque
79e2398d71 Fix comment 2020-07-11 08:30:05 +01:00
David Duque
af9ef186b3 Add manual backup option 2020-07-10 15:48:37 +01:00
David Duque
e6102eacfb AXFR Transfers (for secondary DNS servers): Allow IPv6 addresses (#1787) 2020-07-08 18:26:47 -04:00
David Duque
199c2c50ba Backups: Fix backup target selector width 2020-07-08 19:32:24 +01:00
David Duque
b98111b4e1 Fix unassigned php version 2020-06-29 09:13:50 +01:00
David Duque
fcb44dafa3 Let's encrypt certbot hotfix 2020-06-27 21:32:36 +01:00
David Duque
022a11e159 Merge remote-tracking branch 'up/master' 2020-06-21 15:52:31 +01:00
David Duque
5d6c23cff9 Finalize php configuration 2020-06-21 15:18:46 +01:00
David Duque
0ccbf1b809 Only spawn a thread pool when strictly needed 
For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.
 2020-06-21 15:05:17 +01:00
Joshua Tauberer
6fd3195275 Fix MTA-STS policy id so it does not have invalid characters, fixes #1779 2020-06-12 13:09:11 -04:00
David Duque
d01069f7f2 Automatically agree to ToS on SSL provision 2020-06-12 09:27:08 +01:00
Joshua Tauberer
9db2fc7f05 In web proxies, add X-{Forwarded-{Host,Proto},Real-IP} and 'proxy_set_header Host' when there is a flag 
Merges #1432, more or less.
 2020-06-11 12:20:17 -04:00