4791c2fc62
Safeguard against empty mru_token column
...
* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
* Currently, this cannot happen but we might not want to store `mru_token` during setup
2020-09-06 13:03:54 +02:00
49c333221a
Use hmac.compare_digest() to compare mru_token
2020-09-06 12:54:45 +02:00
481a333dc0
Address review feedback, thanks @hija
2020-09-04 20:28:15 +02:00
b0df35eba0
conn.close() if mru_token update can't .commit()
2020-09-03 20:39:03 +02:00
08ae3d2b7f
Rename internal validate_two_factor_secret => validate_two_factor_secret
2020-09-03 19:48:54 +02:00
7c4eb0fb70
Add sqlite migration
2020-09-03 19:39:29 +02:00
ee01eae55e
Decouple totp from users table by moving to totp_credentials table
...
* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level
2020-09-03 19:07:21 +02:00
89b301afc7
Update OpenApi docs, rename /2fa/ => /mfa/
2020-09-03 13:54:28 +02:00
ce70f44c58
Extract TOTPStrategy class to totp.py
...
* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`
2020-09-03 11:19:19 +02:00
6594e19a1f
Autofocus otp input when logging in, update layout
2020-09-02 20:30:08 +02:00
8597646a12
Update API route naming, update setup page
...
* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types
2020-09-02 19:41:06 +02:00
f205c48564
Use pyotp for validating TOTP codes
...
* also implements resynchronisation support via `pyotp`'s `valid_window option
2020-09-02 19:12:15 +02:00
3c3683429b
implement two factor check during login
2020-09-02 17:23:32 +02:00
a7a66929aa
add user interface for managing 2fa
...
* update user schema with 2fa columns
2020-09-02 16:48:23 +02:00
a336931c95
Version release: v0.48.POWER.0
2020-08-26 23:13:41 +01:00
d7d3561768
v0.48
...
Roundcube XSS vulnerability fixed.
-----BEGIN PGP SIGNATURE-----
iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl9GpkcPHGp0QG9jY2Ft
cy5pbmZvAAoJELkgQfTBC92BoYAH/2NjdfN2d6f45uPq/X32bBAc6wfI7Cs9yCKp
LOrAfPlmE0jRSm9ThATfZvaWci2r2IFhsFzQ9bWHpbIP5YD7mDD50I2uTnZa9BV4
MsI40VXoh0BAgkWRqK60rTw0lQ9YGT+1TNLDEs1Y7vBjfTCOh4MMn4jUXkIEHDQg
2pSHY1RUq7T0wRaHS+rTPDccotS/xCGg6uZJ+gSlvhRdxakAe9mo8139KD/4fjT8
HK6igpwHsn3POg7mmJoSYXtScmWRYfnSV9kyfYyVyjhu5/uIowdICwFOzX7G7ruM
yA/azBlyMs898e5jYFR1tQqQ1rVYVy/nqCQOiyJa34ngHGSi41U=
=a9fn
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl9G3ZEACgkQLzJ3OKPA
rjpEvQ//cG844Wv3samnABlRv2ZIjg6OXtjsE9OuN/O2exGhJ7wNhlJ5F3VyXP5Z
Tufm2HNc3sg9lQUVmyvFbSx03f/tgRdykH2HDS55Q3Q9YdpmZJBGlqsoMN/GIfjU
PDcLpN30XBt6S8qB/7d/U37ZW69OuFZLDRlwQZ66N/shxXkZSOp9U/9nH1Vf5OEU
/L5RVtsi/baDnauXDJWpyNsLKKEB4jCrlEiVI437cN2Yr3Y/d1u4pf3zQOEQmAGV
/A6fu2a9Kkc7IvcAKeoIvlyt+2gYw1zUDkBHf+LuSXGkxTt07L9Bjc7I6SY3DGo2
QiEVOMDPiKWl+0UQ73w/lwCUS7FbzaG/Mj2+c1pJ85UaZYbU5ovjJLesk+UPIG8Q
LmVCAHTw6QctZZi0BwP5epPk01zbeSBmRosT6b4l95G2sqh91CMNUjNRc7963yzB
Z36hpaWSqpGKyEjma9XFvGi9Tfkg1JxblLjmPVqbyez7bpAMgSw5FBWU1zjxjOmi
XOvGu/Fdu+gCre6IHfl8nTJNRc27UtJWTZjbQVl1OlbRx/h2QS/tKMpgN9VOrSV5
koi4TuX+T4kSE2S+atzlPOQuDIOHfdlxaU2mlwtqVfHBjlwE7FEcdfIGa5Pl6Blj
fFsDI7T6VGw2zup40vk/tRn5GY2KCPdp6rHhuCMA1PY6gerhhLw=
=3X2X
-----END PGP SIGNATURE-----
Merge upstream v0.48
2020-08-26 23:09:14 +01:00
0d72566c99
Merge v0.48 point release branch
2020-08-26 14:11:56 -04:00
62db58eaaf
v0.48
2020-08-26 14:11:01 -04:00
891de8d6c3
Upgrade Roundcube to 1.4.8
...
Merges #1809
2020-08-26 14:10:04 -04:00
62b9b1f15f
Add OpenAPI HTTP spec ( #1804 )
2020-08-22 15:44:19 -04:00
24c5d54f49
start.sh: Generate locales properly
2020-08-10 03:07:45 +01:00
3d9f0e2135
Vagrant: Use libvirt/debian
2020-08-10 03:06:59 +01:00
94da7bb088
status_checks.py: Properly terminate the process pools ( #1795 )
...
* Only spawn a thread pool when strictly needed
For --check-primary-hostname, the pool is not used.
When exiting, the other processes are left alive and will hang.
* Acquire pools with the 'with' statement
2020-08-09 11:42:39 -04:00
0cf4ed9a24
Version bump
2020-07-30 15:43:48 +01:00
1ba62c6112
v0.47
...
v0.47 (July 29, 2020)
---------------------
Security fixes:
* Roundcube is updated to version 1.4.7 fixing a cross-site scripting (XSS) vulnerability with HTML messages with malicious svg/na$
* SSH connections are now rate-limited at the firewall level (in addition to fail2ban).
-----BEGIN PGP SIGNATURE-----
iQFDBAABCgAtFiEEX0wOcxPM10RpOyrquSBB9MEL3YEFAl8hh4APHGp0QG9jY2Ft
cy5pbmZvAAoJELkgQfTBC92BD8EIAKuNEHxgL0C0kkpAhuTlVXuoNEH/2FF6hYS7
7NqVrqOO1iVPGkGPhAh77CLpnvvJEhu9GeSWFhTrpI//5CvfafUQowmELClmDcYL
yxHqgoHX9O0PAd+uCLgO3MdAzFMVLNbPmt/uPgEHufnrrQGIGieB2iGWnf9xnnpf
wFSyQQnLofFpq7nH6qQvLNvh//zPQd7l/YV3ieEuT0dV4izg/Sr7Q5W6Zwn/q/ed
Btp4CizRFRFTmulIEM8an+jSXMMvdVkut6WDcl6ct8LZLoWwtEkWVeru9IVu4n9L
Lj8Bkt+8aRR6updnI/2tm0d7ZgFXWHc/+dfLCaK+aOlMD3qV9p0=
=xsgn
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEAKK/toPAcMkE+dinLzJ3OKPArjoFAl8i0EQACgkQLzJ3OKPA
rjopbg//T75ZyceGJVvDnzylhW65bIL8oUYiFLy/GOA39rmR1gjcwzHSaIP0kOtX
HPpm6rhPhVUKo8pjuWSvLnnNfz9QfJ4b6SqAN2Zg/hiqFdMEShGZNqvSQVvLkfxi
HHwa1C+TlRTD57HlVi9Y6TLX7YH65T9YmJol6KO30dGJRMIPssLg6K5k0Wf2Y2uG
E+6tipkiTPcHEaKIHUPdi5xxTL/QHVn+c+C0nsiflX7i9vC6P30e3yNsOvpk3q7V
XwD/bJfycUq8Qc5WhPsKoo287QY9XrkUco8vsVMDJJ1oCSIO1Ek5H/tgu2qB1QNJ
EGtcAYr09Fi8+5PLhmbTgRRWJ6ez6SaNnxsh8W5FhRpymgujoe4ghMiuYCwfHW13
ESB1KKZHGUiqP4nxHIgYyANrSP97qsZmVWUEQcwqhcP8BZY4NOzEsUKgIjTCTpVJ
CbRUJlgQow7s/R76aH3Crb7xhbE+2eQPDgKQ6AwDySWbPTDd3T6MtL0Oe2MZS8Wg
8mv02U+eqDfQ0TfD30vGIESARXJ1UJWfsLQzyyg7jBCTrIfSQt1IwFzXCASm78hs
kHN0/gmXUULQq0FslKV/zrfOsNEzKX+sCwjOMG7RMlWVcEVkRyXFvcajBj72mvZl
3kFOEqah8nErTStsP89Z+ltwfkVsWehu+vwP67NryRy4/B3y9fQ=
=CTVK
-----END PGP SIGNATURE-----
Merge upstream v0.47
2020-07-30 14:51:00 +01:00
65983b8ac7
Merge v0.47 point release branch
2020-07-29 10:27:06 -04:00
56d0289ed9
v0.47
2020-07-29 10:24:56 -04:00
f253c40012
[backport] Add rate limiting of SSH in the firewall ( #1770 )
...
See #1767 . Backport of cfc8fb484c
2020-07-29 10:24:23 -04:00
4bbe4af377
Update CHANGELOG
2020-07-29 10:23:02 -04:00
2c34a6df2b
Update roundcube to 1.4.7
2020-07-29 10:15:12 -04:00
1098e2b48e
Add noindex to www_default meta tags ( #1791 )
2020-07-29 10:03:33 -04:00
c50170b816
Update "Remove Alias" modal title ( #1800 )
2020-07-29 10:01:20 -04:00
cd518e6820
Raise Dovecot per user connection limit ( #1799 )
2020-07-27 06:37:52 -04:00
dd7899acca
Version bump
2020-07-26 01:03:28 +01:00
5e597bb536
Update deprecated function from dnspython
2020-07-26 01:00:17 +01:00
60911515fd
Support Ubuntu LTS point releases
2020-07-26 00:26:35 +01:00
ac8c0ae762
Release v0.46.POWER.4
2020-07-22 12:45:18 +01:00
16ae3038b3
Merge branch 'development'
2020-07-22 12:44:04 +01:00
fc0bd12631
Acquire pools with the 'with' statement
2020-07-22 12:42:10 +01:00
311e6c63e8
Render the 'Backup now' buttons even if there are already backups
2020-07-21 19:25:48 +01:00
a0da88834c
Terminate the status checks process pool before exiting
2020-07-21 19:21:46 +01:00
967409b157
Drop requirement for passwords to have no spaces ( #1789 )
2020-07-16 07:23:11 -04:00
1b2711fc42
Add 'always' modifier to the HSTS add_header directive ( #1790 )
...
This will make it so that the HSTS header is sent regardless of the request status code (until this point it would only be sent if "the response code equals 200, 201, 206, 301, 302, 303, 307, or 308." - according to thttp://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header )
2020-07-16 07:21:14 -04:00
20b4f26e42
Use ubuntu/focal64 as main testbed
2020-07-15 15:28:47 +01:00
c8fbe2dd5d
Determine the PHP version at runtime (instead of at setup-time)
2020-07-15 15:28:02 +01:00
515a74ba11
Render the lsb_release at flask init time
...
Don't change the index.html file at setup time
2020-07-14 11:51:25 +01:00
b562e7eefa
Hide the 'Create Backup' buttons when backups are turned off
2020-07-11 15:45:50 +01:00
ccf60c7017
Backups: User-initiated and cron-initiated jobs will have the same lockname
...
So that some poor timing (initiating a backup when there's a cron-initiated backup)
doesn't screw everything up.
2020-07-11 09:16:32 +01:00
e224b6b3b2
Update project status
2020-07-11 08:43:46 +01:00
79e2398d71
Fix comment
2020-07-11 08:30:05 +01:00
Felix Spöttel
David Ferreira de Sousa Duque
Joshua Tauberer
Richard Willis
David Duque
hija
Marcus Bointon
Hilko