Felix Spöttel
7d6427904f
Typo
2020-09-12 16:38:44 +02:00
Felix Spöttel
dcb93d071c
Add TOTP secret to user_key hash
...
thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
2020-09-12 16:34:06 +02:00
Felix Spöttel
2ea97f0643
Do not log failed login attempts for MissingToken errors
...
* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.
2020-09-06 13:08:44 +02:00
Felix Spöttel
4791c2fc62
Safeguard against empty mru_token column
...
* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
* Currently, this cannot happen but we might not want to store `mru_token` during setup
2020-09-06 13:03:54 +02:00
Felix Spöttel
49c333221a
Use hmac.compare_digest() to compare mru_token
2020-09-06 12:54:45 +02:00
Felix Spöttel
481a333dc0
Address review feedback, thanks @hija
2020-09-04 20:28:15 +02:00
Felix Spöttel
b0df35eba0
conn.close() if mru_token update can't .commit()
2020-09-03 20:39:03 +02:00
Felix Spöttel
08ae3d2b7f
Rename internal validate_two_factor_secret => validate_two_factor_secret
2020-09-03 19:48:54 +02:00
Felix Spöttel
7c4eb0fb70
Add sqlite migration
2020-09-03 19:39:29 +02:00
Felix Spöttel
ee01eae55e
Decouple totp from users table by moving to totp_credentials table
...
* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level
2020-09-03 19:07:21 +02:00
Felix Spöttel
89b301afc7
Update OpenApi docs, rename /2fa/ => /mfa/
2020-09-03 13:54:28 +02:00
Felix Spöttel
ce70f44c58
Extract TOTPStrategy class to totp.py
...
* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`
2020-09-03 11:19:19 +02:00
Felix Spöttel
6594e19a1f
Autofocus otp input when logging in, update layout
2020-09-02 20:30:08 +02:00
Felix Spöttel
8597646a12
Update API route naming, update setup page
...
* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types
2020-09-02 19:41:06 +02:00
Felix Spöttel
f205c48564
Use pyotp for validating TOTP codes
...
* also implements resynchronisation support via `pyotp`'s `valid_window option
2020-09-02 19:12:15 +02:00
Felix Spöttel
3c3683429b
implement two factor check during login
2020-09-02 17:23:32 +02:00
Felix Spöttel
a7a66929aa
add user interface for managing 2fa
...
* update user schema with 2fa columns
2020-09-02 16:48:23 +02:00
David Ferreira de Sousa Duque
a336931c95
Version release: v0.48.POWER.0
2020-08-26 23:13:41 +01:00
David Ferreira de Sousa Duque
d7d3561768
v0.48
...
Roundcube XSS vulnerability fixed.
-----BEGIN PGP SIGNATURE-----
iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl9GpkcPHGp0QG9jY2Ft
cy5pbmZvAAoJELkgQfTBC92BoYAH/2NjdfN2d6f45uPq/X32bBAc6wfI7Cs9yCKp
LOrAfPlmE0jRSm9ThATfZvaWci2r2IFhsFzQ9bWHpbIP5YD7mDD50I2uTnZa9BV4
MsI40VXoh0BAgkWRqK60rTw0lQ9YGT+1TNLDEs1Y7vBjfTCOh4MMn4jUXkIEHDQg
2pSHY1RUq7T0wRaHS+rTPDccotS/xCGg6uZJ+gSlvhRdxakAe9mo8139KD/4fjT8
HK6igpwHsn3POg7mmJoSYXtScmWRYfnSV9kyfYyVyjhu5/uIowdICwFOzX7G7ruM
yA/azBlyMs898e5jYFR1tQqQ1rVYVy/nqCQOiyJa34ngHGSi41U=
=a9fn
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl9G3ZEACgkQLzJ3OKPA
rjpEvQ//cG844Wv3samnABlRv2ZIjg6OXtjsE9OuN/O2exGhJ7wNhlJ5F3VyXP5Z
Tufm2HNc3sg9lQUVmyvFbSx03f/tgRdykH2HDS55Q3Q9YdpmZJBGlqsoMN/GIfjU
PDcLpN30XBt6S8qB/7d/U37ZW69OuFZLDRlwQZ66N/shxXkZSOp9U/9nH1Vf5OEU
/L5RVtsi/baDnauXDJWpyNsLKKEB4jCrlEiVI437cN2Yr3Y/d1u4pf3zQOEQmAGV
/A6fu2a9Kkc7IvcAKeoIvlyt+2gYw1zUDkBHf+LuSXGkxTt07L9Bjc7I6SY3DGo2
QiEVOMDPiKWl+0UQ73w/lwCUS7FbzaG/Mj2+c1pJ85UaZYbU5ovjJLesk+UPIG8Q
LmVCAHTw6QctZZi0BwP5epPk01zbeSBmRosT6b4l95G2sqh91CMNUjNRc7963yzB
Z36hpaWSqpGKyEjma9XFvGi9Tfkg1JxblLjmPVqbyez7bpAMgSw5FBWU1zjxjOmi
XOvGu/Fdu+gCre6IHfl8nTJNRc27UtJWTZjbQVl1OlbRx/h2QS/tKMpgN9VOrSV5
koi4TuX+T4kSE2S+atzlPOQuDIOHfdlxaU2mlwtqVfHBjlwE7FEcdfIGa5Pl6Blj
fFsDI7T6VGw2zup40vk/tRn5GY2KCPdp6rHhuCMA1PY6gerhhLw=
=3X2X
-----END PGP SIGNATURE-----
Merge upstream v0.48
2020-08-26 23:09:14 +01:00
Joshua Tauberer
0d72566c99
Merge v0.48 point release branch
2020-08-26 14:11:56 -04:00
Joshua Tauberer
62db58eaaf
v0.48
2020-08-26 14:11:01 -04:00
Joshua Tauberer
891de8d6c3
Upgrade Roundcube to 1.4.8
...
Merges #1809
2020-08-26 14:10:04 -04:00
Richard Willis
62b9b1f15f
Add OpenAPI HTTP spec ( #1804 )
2020-08-22 15:44:19 -04:00
David Duque
24c5d54f49
start.sh: Generate locales properly
2020-08-10 03:07:45 +01:00
David Duque
3d9f0e2135
Vagrant: Use libvirt/debian
2020-08-10 03:06:59 +01:00
David Duque
94da7bb088
status_checks.py: Properly terminate the process pools ( #1795 )
...
* Only spawn a thread pool when strictly needed
For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.
* Acquire pools with the 'with' statement
2020-08-09 11:42:39 -04:00
David Duque
0cf4ed9a24
Version bump
2020-07-30 15:43:48 +01:00
David Duque
1ba62c6112
v0.47
...
v0.47 (July 29, 2020)
---------------------
Security fixes:
* Roundcube is updated to version 1.4.7 fixing a cross-site scripting (XSS) vulnerability with HTML messages with malicious svg/na$
* SSH connections are now rate-limited at the firewall level (in addition to fail2ban).
-----BEGIN PGP SIGNATURE-----
iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl8hh4APHGp0QG9jY2Ft
cy5pbmZvAAoJELkgQfTBC92BD8EIAKuNEHxgL0C0kkpAhuTlVXuoNEH/2FF6hYS7
7NqVrqOO1iVPGkGPhAh77CLpnvvJEhu9GeSWFhTrpI//5CvfafUQowmELClmDcYL
yxHqgoHX9O0PAd+uCLgO3MdAzFMVLNbPmt/uPgEHufnrrQGIGieB2iGWnf9xnnpf
wFSyQQnLofFpq7nH6qQvLNvh//zPQd7l/YV3ieEuT0dV4izg/Sr7Q5W6Zwn/q/ed
Btp4CizRFRFTmulIEM8an+jSXMMvdVkut6WDcl6ct8LZLoWwtEkWVeru9IVu4n9L
Lj8Bkt+8aRR6updnI/2tm0d7ZgFXWHc/+dfLCaK+aOlMD3qV9p0=
=xsgn
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl8i0EQACgkQLzJ3OKPA
rjopbg//T75ZyceGJVvDnzylhW65bIL8oUYiFLy/GOA39rmR1gjcwzHSaIP0kOtX
HPpm6rhPhVUKo8pjuWSvLnnNfz9QfJ4b6SqAN2Zg/hiqFdMEShGZNqvSQVvLkfxi
HHwa1C+TlRTD57HlVi9Y6TLX7YH65T9YmJol6KO30dGJRMIPssLg6K5k0Wf2Y2uG
E+6tipkiTPcHEaKIHUPdi5xxTL/QHVn+c+C0nsiflX7i9vC6P30e3yNsOvpk3q7V
XwD/bJfycUq8Qc5WhPsKoo287QY9XrkUco8vsVMDJJ1oCSIO1Ek5H/tgu2qB1QNJ
EGtcAYr09Fi8+5PLhmbTgRRWJ6ez6SaNnxsh8W5FhRpymgujoe4ghMiuYCwfHW13
ESB1KKZHGUiqP4nxHIgYyANrSP97qsZmVWUEQcwqhcP8BZY4NOzEsUKgIjTCTpVJ
CbRUJlgQow7s/R76aH3Crb7xhbE+2eQPDgKQ6AwDySWbPTDd3T6MtL0Oe2MZS8Wg
8mv02U+eqDfQ0TfD30vGIESARXJ1UJWfsLQzyyg7jBCTrIfSQt1IwFzXCASm78hs
kHN0/gmXUULQq0FslKV/zrfOsNEzKX+sCwjOMG7RMlWVcEVkRyXFvcajBj72mvZl
3kFOEqah8nErTStsP89Z+ltwfkVsWehu+vwP67NryRy4/B3y9fQ=
=CTVK
-----END PGP SIGNATURE-----
Merge upstream v0.47
2020-07-30 14:51:00 +01:00
Joshua Tauberer
65983b8ac7
Merge v0.47 point release branch
2020-07-29 10:27:06 -04:00
hija
56d0289ed9
v0.47
2020-07-29 10:24:56 -04:00
Marcus Bointon
f253c40012
[backport] Add rate limiting of SSH in the firewall ( #1770 )
...
See #1767 . Backport of cfc8fb484c
.
2020-07-29 10:24:23 -04:00
Joshua Tauberer
4bbe4af377
Update CHANGELOG
2020-07-29 10:23:02 -04:00
Hilko
2c34a6df2b
Update roundcube to 1.4.7
2020-07-29 10:15:12 -04:00
Hilko
1098e2b48e
Add noindex to www_default meta tags ( #1791 )
2020-07-29 10:03:33 -04:00
Richard Willis
c50170b816
Update "Remove Alias" modal title ( #1800 )
2020-07-29 10:01:20 -04:00
Marcus Bointon
cd518e6820
Raise Dovecot per user connection limit ( #1799 )
2020-07-27 06:37:52 -04:00
David Duque
dd7899acca
Version bump
2020-07-26 01:03:28 +01:00
David Duque
5e597bb536
Update deprecated function from dnspython
2020-07-26 01:00:17 +01:00
David Duque
60911515fd
Support Ubuntu LTS point releases
2020-07-26 00:26:35 +01:00
David Duque
ac8c0ae762
Release v0.46.POWER.4
2020-07-22 12:45:18 +01:00
David Duque
16ae3038b3
Merge branch 'development'
2020-07-22 12:44:04 +01:00
David Duque
fc0bd12631
Acquire pools with the 'with' statement
2020-07-22 12:42:10 +01:00
David Duque
311e6c63e8
Render the 'Backup now' buttons even if there are already backups
2020-07-21 19:25:48 +01:00
David Duque
a0da88834c
Terminate the status checks process pool before exiting
2020-07-21 19:21:46 +01:00
David Duque
967409b157
Drop requirement for passwords to have no spaces ( #1789 )
2020-07-16 07:23:11 -04:00
David Duque
1b2711fc42
Add 'always' modifier to the HSTS add_header directive ( #1790 )
...
This will make it so that the HSTS header is sent regardless of the request status code (until this point it would only be sent if "the response code equals 200, 201, 206, 301, 302, 303, 307, or 308." - according to thttp://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header )
2020-07-16 07:21:14 -04:00
David Duque
20b4f26e42
Use ubuntu/focal64 as main testbed
2020-07-15 15:28:47 +01:00
David Duque
c8fbe2dd5d
Determine the PHP version at runtime (instead of at setup-time)
2020-07-15 15:28:02 +01:00
David Duque
515a74ba11
Render the lsb_release at flask init time
...
Don't change the index.html file at setup time
2020-07-14 11:51:25 +01:00
David Duque
b562e7eefa
Hide the 'Create Backup' buttons when backups are turned off
2020-07-11 15:45:50 +01:00