mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2026-03-15 17:37:22 +01:00
Commit Graph

1986 Commits

Author SHA1 Message Date
Felix Spöttel
2ea97f0643 Do not log failed login attempts for MissingToken errors
* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.
2020-09-06 13:08:44 +02:00
Felix Spöttel
4791c2fc62 Safeguard against empty mru_token column
* hmac.compare_digest() expects arguments of type string; make sure we don't pass None
* Currently, this cannot happen, but we might not want to store `mru_token` during setup
2020-09-06 13:03:54 +02:00
Felix Spöttel
49c333221a Use hmac.compare_digest() to compare mru_token 2020-09-06 12:54:45 +02:00
Felix Spöttel
481a333dc0 Address review feedback, thanks @hija 2020-09-04 20:28:15 +02:00
Felix Spöttel
b0df35eba0 conn.close() if mru_token update can't .commit() 2020-09-03 20:39:03 +02:00
Felix Spöttel
08ae3d2b7f Rename internal validate_two_factor_secret => validate_two_factor_secret 2020-09-03 19:48:54 +02:00
Felix Spöttel
7c4eb0fb70 Add sqlite migration 2020-09-03 19:39:29 +02:00
Felix Spöttel
ee01eae55e Decouple totp from users table by moving to totp_credentials table
* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credential per user on db-level
2020-09-03 19:07:21 +02:00
Felix Spöttel
89b301afc7 Update OpenApi docs, rename /2fa/ => /mfa/ 2020-09-03 13:54:28 +02:00
Felix Spöttel
ce70f44c58 Extract TOTPStrategy class to totp.py
* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`
2020-09-03 11:19:19 +02:00
Felix Spöttel
6594e19a1f Autofocus otp input when logging in, update layout 2020-09-02 20:30:08 +02:00
Felix Spöttel
8597646a12 Update API route naming, update setup page
* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types
2020-09-02 19:41:06 +02:00
Felix Spöttel
f205c48564 Use pyotp for validating TOTP codes
* also implements resynchronisation support via `pyotp`'s `valid_window` option
2020-09-02 19:12:15 +02:00
Felix Spöttel
3c3683429b implement two factor check during login 2020-09-02 17:23:32 +02:00
Felix Spöttel
a7a66929aa add user interface for managing 2fa
* update user schema with 2fa columns
2020-09-02 16:48:23 +02:00
David Ferreira de Sousa Duque
a336931c95 Version release: v0.48.POWER.0 2020-08-26 23:13:41 +01:00
David Ferreira de Sousa Duque
d7d3561768 Merge upstream v0.48 2020-08-26 23:09:14 +01:00
Joshua Tauberer
0d72566c99 Merge v0.48 point release branch 2020-08-26 14:11:56 -04:00
Joshua Tauberer
62db58eaaf v0.48 2020-08-26 14:11:01 -04:00
Joshua Tauberer
891de8d6c3 Upgrade Roundcube to 1.4.8
Merges #1809
2020-08-26 14:10:04 -04:00
Richard Willis
62b9b1f15f Add OpenAPI HTTP spec (#1804) 2020-08-22 15:44:19 -04:00
David Duque
24c5d54f49 start.sh: Generate locales properly 2020-08-10 03:07:45 +01:00
David Duque
3d9f0e2135 Vagrant: Use libvirt/debian 2020-08-10 03:06:59 +01:00
David Duque
94da7bb088 status_checks.py: Properly terminate the process pools (#1795)
* Only spawn a thread pool when strictly needed

For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.

* Acquire pools with the 'with' statement
2020-08-09 11:42:39 -04:00
David Duque
0cf4ed9a24 Version bump 2020-07-30 15:43:48 +01:00
David Duque
1ba62c6112 Merge upstream v0.47 2020-07-30 14:51:00 +01:00
Joshua Tauberer
65983b8ac7 Merge v0.47 point release branch 2020-07-29 10:27:06 -04:00
hija
56d0289ed9 v0.47 2020-07-29 10:24:56 -04:00
Marcus Bointon
f253c40012 [backport] Add rate limiting of SSH in the firewall (#1770)
See #1767. Backport of cfc8fb484c.
2020-07-29 10:24:23 -04:00
Joshua Tauberer
4bbe4af377 Update CHANGELOG 2020-07-29 10:23:02 -04:00
Hilko
2c34a6df2b Update roundcube to 1.4.7 2020-07-29 10:15:12 -04:00
Hilko
1098e2b48e Add noindex to www_default meta tags (#1791) 2020-07-29 10:03:33 -04:00
Richard Willis
c50170b816 Update "Remove Alias" modal title (#1800) 2020-07-29 10:01:20 -04:00
Marcus Bointon
cd518e6820 Raise Dovecot per user connection limit (#1799) 2020-07-27 06:37:52 -04:00
David Duque
dd7899acca Version bump 2020-07-26 01:03:28 +01:00
David Duque
5e597bb536 Update deprecated function from dnspython 2020-07-26 01:00:17 +01:00
David Duque
60911515fd Support Ubuntu LTS point releases 2020-07-26 00:26:35 +01:00
David Duque
ac8c0ae762 Release v0.46.POWER.4 2020-07-22 12:45:18 +01:00
David Duque
16ae3038b3 Merge branch 'development' 2020-07-22 12:44:04 +01:00
David Duque
fc0bd12631 Acquire pools with the 'with' statement 2020-07-22 12:42:10 +01:00
David Duque
311e6c63e8 Render the 'Backup now' buttons even if there are already backups 2020-07-21 19:25:48 +01:00
David Duque
a0da88834c Terminate the status checks process pool before exiting 2020-07-21 19:21:46 +01:00
David Duque
967409b157 Drop requirement for passwords to have no spaces (#1789) 2020-07-16 07:23:11 -04:00
David Duque
1b2711fc42 Add 'always' modifier to the HSTS add_header directive (#1790)
This will make it so that the HSTS header is sent regardless of the request status code (until this point it would only be sent if "the response code equals 200, 201, 206, 301, 302, 303, 307, or 308." - according to http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
2020-07-16 07:21:14 -04:00
David Duque
20b4f26e42 Use ubuntu/focal64 as main testbed 2020-07-15 15:28:47 +01:00
David Duque
c8fbe2dd5d Determine the PHP version at runtime (instead of at setup-time) 2020-07-15 15:28:02 +01:00
David Duque
515a74ba11 Render the lsb_release at flask init time
Don't change the index.html file at setup time
2020-07-14 11:51:25 +01:00
David Duque
b562e7eefa Hide the 'Create Backup' buttons when backups are turned off 2020-07-11 15:45:50 +01:00
David Duque
ccf60c7017 Backups: User-initiated and cron-initiated jobs will have the same lockname
So that some poor timing (initiating a backup when there's a cron-initiated backup)
doesn't screw everything up.
2020-07-11 09:16:32 +01:00
David Duque
e224b6b3b2 Update project status 2020-07-11 08:43:46 +01:00