2210: Add input validation for domain creation r=mergify[bot] a=0pc0deFR
## What type of PR?
bug-fix
## What does this PR do?
This patch add the input validation for domain creation.
### Related issue(s)
- Mention an issue like: #1817
- Auto close an issue like: closes#1817
Co-authored-by: Kevin Falcoz <0pc0defr@gmail.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2254: Send ISRG_X1 on port 25, make DANE pin that r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Ensure we send ISRG_X1 in the handshake on port 25 (non-interactive, size doesn't really matter).
Update the DANE pin to reflect the change.
I am not sure whether we will need to add --preferred-chain= in the future; This may be the case when letsencrypt decides to use X2/the ECDSA chain
This needs to be tested on a letsencrypt account that isn't mine (I'm opted in for the alternate cert chains)
### Related issue(s)
- closes#2138
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
There's already a towncrier news for it
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2116: fix 2114: redirect old path r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Old paths may still be cached in browsers, it's easy enough to redirect them
### Related issue(s)
- close#2114
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2094: Sessions tweaks r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
- Make all sessions permanent, introduce SESSION_TIMEOUT and PERMANENT_SESSION_LIFETIME.
- Prevent the creation of a session before there is a login attempt
- Ensure that webmail tokens are in sync with sessions
### Related issue(s)
- close#2080
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2044: Vault/rspamd: don't return any key for relayed domains r=mergify[bot] a=nextgens
## What type of PR?
enhancement
## What does this PR
Don't return any key for relayed domains. We may want to revisit this (ARC signing)... but in the meantime it saves from a scary message in rspamd.
```signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...```
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2042: Add MESSAGE_RATELIMIT_EXEMPTION r=mergify[bot] a=nextgens
## What type of PR?
Enhancement
## What does this PR do?
Add a new knob called ```MESSAGE_RATELIMIT_EXEMPTION```.
### Related issue(s)
- #1774
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
We may want to revisit this (ARC signing)... but in the meantime
it saves from a scary message in rspamd
signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...
this is working fine, but introduces a sqlalchemy warning
when using config-import:
/app/mailu/schemas.py:822:
SAWarning: Identity map already had an identity for (...),
replacing it with newly flushed object.
Are there load operations occurring inside of an event handler
within the flush?
ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens
## What type of PR?
enhancement
## What does this PR do?
Turn the rate-limiters into something useful (that won't fire for no reason).
- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.
Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)
### Related issue(s)
- close#1926
- close#1745
- close#1915
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2018: show dmarc record for report domain in domain details r=mergify[bot] a=ghostwheel42
## What type of PR?
documentation
## What does this PR do?
show dmarc record for report domain in domain details
### Related issue(s)
closes#1382
## Prerequisites
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1986: Document how to setup client autoconfig r=mergify[bot] a=nextgens
## What type of PR?
enhancement
## What does this PR do?
Document how to setup autoconfig. This works with most open-source MUAs (thunderbird, evolution, ...)
We could go further than that by providing dynamic configuration (issue an auth token for each MUA request)... but it won't work unless a new DNS entry (and matching certificate) is created.
### Related issue(s)
- #224
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
2014: Update Chinese translation r=mergify[bot] a=qy117121
## What type of PR?
translation
## What does this PR do?
Update Chinese translation. Use `zh` instead of `zh_CN`.
### Related issue(s)
none
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: qy117121 <mixuan121@gmail.com>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2017: rspamd: get dkim keys via REST API instead of filesystem r=mergify[bot] a=ghostwheel42
## What type of PR?
enhancement
## What does this PR do?
rspamd now uses hashicorp's vault api v1 to get dkim keys and selectors for a domain.
this allows future enhancement (multiple keys) without reconfiguring and restarting rspamd.
it also makes mounting the /dkim volume into the rspamd container unnecessary.
### Related issue(s)
- improves and closes#2012
- allows to implement key rotation using multiple selectors (see #1700)
- allows to implement dkim for alternate domains (see #1519)
- fixes and closes#1345 (selector transmitted by admin container is used)
- closes#1179 (no keys on disk)
- allows to implement key rotation from the outside (ie. via a helper script talking to some dns provider's api) (see #547)
## Prerequisites
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1997: Prevent traceback when using non-email in login r=mergify[bot] a=ghostwheel42
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:
=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
context = constructor(dialect, self, conn, *args)
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
param.append(processors[key](compiled_params[key]))
File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
return process_param(value, dialect)
File "/app/mailu/models.py", line 60, in process_bind_param
localpart, domain_name = value.lower().rsplit('`@',` 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```
=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "`@")`
```
## What type of PR?
enhancement
## What does this PR do?
replace traceback (ERROR) with error message (WARNING)
### Related issue(s)
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2007: allow sending emails as user+detail@domain.tld r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix or enhancement
## What does this PR do?
Allows sending emails with an added "+detail" in the local part.
### Related issue(s)
closes#1948
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: root <ghostwheel42@users.noreply.github.com>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
There's a traceback when the username used to log via SMTPAUTH
in is not an email address:
=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
context = constructor(dialect, self, conn, *args)
File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
param.append(processors[key](compiled_params[key]))
File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
return process_param(value, dialect)
File "/app/mailu/models.py", line 60, in process_bind_param
localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```
=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
1966: AdminLTE3 optimizations & compression and caching r=mergify[bot] a=ghostwheel42
## What type of PR?
enhancement, bugfix
## What does this PR do?
Optimization and cleanup of styles and javascript code for AdminLTE 3
Adds caching headers, gzip and robots.txt to nginx.
### Related issue(s)
Makes #1800 even better. Thanks to `@DjVinnii` and `@Diman0` for the good work.
Closes#1905
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
1971: Updated Polish translation. r=mergify[bot] a=ghostwheel42
## What type of PR?
translation
## What does this PR do?
Update polish translation. Used `pl/LC_MESSAGES/messages.po` from PR #1751 created by `@martys71`
Part of Discussion of 1.9 roadmap #1930
### Related issue(s)
closes#1751
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1968: optimize handle_authentication r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
catch utf-8 decoding errors and log a warning in handle_authentication instead of writing a traceback into the log.
### Related issue(s)
closes#1361
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
(core/admin/Dockerfile)
- AdminLTE 3 style tweaks
(core/admin/assets/app.css)
(core/admin/mailu/ui/templates/base.html)
(core/admin/mailu/ui/templates/sidebar.html)
- localized datatables
(core/admin/Dockerfile)
(core/admin/assets/app.js)
(core/admin/package.json)
- moved external javascript code to vendor.js
(core/admin/assets/app.js)
(core/admin/assets/vendor.js)
(core/admin/webpack.config.js)
- added mailu logo
(core/admin/assets/app.js)
(core/admin/assets/app.css)
(core/admin/assets/mailu.png)
- moved all inline javascript to app.js
(core/admin/assets/app.js)
(core/admin/mailu/ui/templates/domain/create.html)
(core/admin/mailu/ui/templates/user/create.html)
- added iframe display of rspamd page
(core/admin/assets/app.js)
(core/admin/mailu/ui/views/base.py)
(core/admin/mailu/ui/templates/sidebar.html)
(core/admin/mailu/ui/templates/antispam.html)
- updated language-selector to display full language names and use post
(core/admin/assets/app.js)
(core/admin/mailu/__init__.py)
(core/admin/mailu/utils.py)
(core/admin/mailu/ui/views/languages.py)
- added fieldset to group and en/disable input fields
(core/admin/assets/app.js)
(core/admin/mailu/ui/templates/macros.html)
(core/admin/mailu/ui/templates/user/settings.html)
(core/admin/mailu/ui/templates/user/reply.html)
- added clipboard copy buttons
(core/admin/assets/app.js)
(core/admin/assets/vendor.js)
(core/admin/mailu/ui/templates/macros.html)
(core/admin/mailu/ui/templates/domain/details.html)
- cleaned external javascript imports
(core/admin/assets/vendor.js)
- pre-split first hostname for further use
(core/admin/mailu/__init__.py)
(core/admin/mailu/models.py)
(core/admin/mailu/ui/templates/client.html)
(core/admin/mailu/ui/templates/domain/signup.html)
- cache dns_* properties of domain object (immutable during runtime)
(core/admin/mailu/models.py)
(core/admin/mailu/ui/templates/domain/details.html)
- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
(core/admin/mailu/models.py)
- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
(core/admin/mailu/ui/templates/**.html)
- deleted unused/broken /user/forward route
(core/admin/mailu/ui/templates/user/forward.html)
(core/admin/mailu/ui/views/users.py)
- updated gunicorn to 20.1.0 to get rid of buffering error at startup
(core/admin/requirements-prod.txt)
- switched webpack to production mode
(core/admin/webpack.config.js)
- added css and javascript minimization
- added pre-compression of assets (gzip)
(core/admin/webpack.config.js)
(core/admin/package.json)
- removed obsolte dependencies
- switched from node-sass to dart-sass
(core/admin/package.json)
- changed startup cleaning message from error to info
(core/admin/mailu/utils.py)
- move client config to "my account" section when logged in
(core/admin/mailu/ui/templates/sidebar.html)
1873: Completed Hebrew translation r=mergify[bot] a=yarons
The Hebrew translation is incomplete so I've completed it.
Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com>
1916: Ratelimit outgoing emails per user r=mergify[bot] a=nextgens
## What type of PR?
Feature
## What does this PR do?
A conflict-free version of #1360 implementing per-user sender limits
### Related issue(s)
- close#1360
- close#1031
- close#1774
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
1901: treat localpart case insensitive again r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
fixes error introduced by #1604 where the localpart of an email address was handled case sensitive.
this screwed things up at various other places.
### Related issue(s)
closes#1895closes#1900
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1896: save dkim key after creation r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
saves generated dkim key after creation vi web ui.
after the model change the domain object needs to be added and flushed via sqlalchemy.
### Related issue(s)
closes#1892
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1857: disable startdate when autoreply is disabled r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
disable the reply startdate field when autoreply is disabled
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1791: Enhanced session handling r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix
## What does this PR do?
- replaces flask_kvsession and simplekv with a mailu-specific session store
- call cleanup_sessions before first request and not on startup.
this allows to run cmdline actions without redis (and makes it faster)
- allow running without redis for debugging purposes by setting MEMORY_SESSIONS to True
- don't sign session id, as it has plenty of entropy (as suggested by nextgens)
- adds method to prune a user's sessions
### Related issue(s)
- enhances and close#1787
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1754: centralize Webmail authentication behind the admin panel (SSO) r=mergify[bot] a=nextgens
## What type of PR?
Enhancement: it centralizes the authentication of webmails to the admin interface.
## What does this PR do?
It implements the glue required for webmails to do SSO using the admin interface.
One of the main advantages of centralizing things this way is that it reduces significantly the attack surface available to an unauthenticated attacker (no webmail access until there is a valid Flask session).
Others include the ability to implement 2FA down the line and rate-limit things as required.
### Related issue(s)
- #783
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
1758: Implement a simpler credential cache (alternative to #1755) r=mergify[bot] a=nextgens
## What type of PR?
Feature: it implements a credential cache to speedup authentication requests.
## What does this PR do?
Credentials are stored in cold-storage using a slow, salted/iterated hash function to prevent offline bruteforce attacks. This creates a performance bottleneck for no valid reason (see the
rationale/long version on https://github.com/Mailu/Mailu/issues/1194#issuecomment-762115549).
The new credential cache makes things fast again.
This is the simpler version of #1755 (with no new dependencies)
### Related issue(s)
- close#1411
- close#1194
- close#1755
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
1776: optimize generation of transport nexthop r=mergify[bot] a=ghostwheel42
## What type of PR?
bug-fix and enhancement.
## What does this PR do?
Possibly there should be more input validation when editing a relay, but for now this tries to make the best out of the existing "smtp" attribute while maintaining backwards compatibility. When relay is empty, the transport's nexthop is the MX of the relayed domain to fix#1588
```
RELAY NEXTHOP TRANSPORT
empty use MX of relay domain smtp:domain
:port use MX of relay domain and use port smtp:domain:port
target resolve A/AAAA of target smtp:[target]
target:port resolve A/AAAA of target and use port smtp:[target]:port
mx:target resolve MX of target smtp:target
mx:target:port resolve MX of target and use port smtp:target:port
lmtp:target resolve A/AAAA of target lmtp:target
lmtp:target:port resolve A/AAAA of target and use port lmtp:target:port
target can also be an IPv4 or IPv6 address (an IPv6 address must be enclosed in []: [2001:DB8::]).
```
When there is proper input validation and existing database entries are migrated this function can be made much shorter again.
### Related issue(s)
- closes#1588
- closes#1815
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
1746: DNS records for client autoconfiguration (RFC6186) r=Diman0 a=nextgens
## What type of PR?
Feature
## What does this PR do?
Add instructions on how to configure rfc6186 DNS records for client autoconfiguration
### Related issue(s)
- #224
- #498
## Prerequistes
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
- the session key is now generated using
- a hash of the uid seeded by the apps secret_key (size: SESSION_KEY_BITS)
- a random token (size: 128 bits)
- the session's creation time (size: 32 bits)
- redis server side sessions are now refreshed after 1/2 the session lifetime
even if not modified
- the cookie is also updated if necessary
This can be used to delete all sessions belonging to a user/login.
For no it just iterates over all sessions.
This could be enhanced by using a prefix for and deleting by prefix.
- call cleanup_sessions on first kvstore access
this allows to run cmdline actions without redis (and makes it faster)
- Allow development using DictStore by setting REDIS_ADDRESS to the empty string in env
- don't sign 64bit random session id as suggested by nextgens
1783: Switch to server-side sessions r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
It simplifies session management.
- it ensures that sessions will eventually expire (*)
- it implements some mitigation against session-fixation attacks
- it switches from client-side to server-side sessions (in Redis)
It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
- remove PASSWORD_SCHEME altogether
- introduce CREDENTIAL_ROUNDS
- migrate all old hashes to the current format
- auto-detect/enable all hash types that passlib supports
- upgrade passlib to 1.7.4 (see #1706: ldap_salted_sha512 support)
1765: Set sensible cookie flags on the admin app r=mergify[bot] a=nextgens
## What type of PR?
Bugfix
## What does this PR do?
It sets the right flags on the session cookie issued by the admin app.
This should probably be backported as the lack of secure flag on TLS-enabled setup is a high risk vulnerability.
SameSite is hardening / helps against CSRF on modern browsers
HTTPOnly is hardening / helps reduce the impact of XSS
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
