292 Commits

Author	SHA1	Message	Date
Benjamin Dauvergne	e57fea6e5c	misc: add Secure flag to cookies (#90240) ... It is required by the SameSite=None flag. https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value	2024-05-02 10:29:44 +02:00
Frédéric Péters	6742f25d77	misc: use samesite=None for passive cookies (#90193)	2024-04-30 14:43:33 +02:00
Benjamin Dauvergne	7f58bf9c66	misc: do not update Issuer uselessly (#86976)	2024-02-15 09:59:47 +01:00
Benjamin Dauvergne	b372884c2d	adapters: update cache file ctime on refresh (#86977)	2024-02-14 18:37:43 +01:00
Benjamin Dauvergne	244ca2abcd	misc: do not read not_on_or_after if session is not loaded (#86451)	2024-02-01 16:17:22 +01:00
Benjamin Dauvergne	a17efc6f1b	ci: fix pylint warnings (#86402)	2024-01-31 22:07:21 +01:00
Benjamin Dauvergne	c200edb746	translation update	2024-01-30 09:40:38 +01:00
Benjamin Dauvergne	51ee9d8cac	views: show message when logout is refused (#85904)	2024-01-22 10:41:23 +01:00
Benjamin Dauvergne	af81da4954	adapters: do not log errors on cold cache (#84933) ... Only log errors if the cache is older than 24 hours.	2024-01-16 12:41:25 +01:00
Benjamin Dauvergne	200e009b1e	middleware: use sec-fetch-dest=document to identify page requests (#84104)	2024-01-16 12:22:24 +01:00
Benjamin Dauvergne	c98d4629ec	middleware: check ajax request with sec-fetch-mode header header (#81211)	2023-09-14 16:41:22 +02:00
Benjamin Dauvergne	f4ad730ea1	Do not use a subquery to clean dead sessions (#80626)	2023-08-29 10:02:39 +02:00
Benjamin Dauvergne	170e728d3a	misc: allow login_hint parameter in login url (#76712)	2023-04-17 15:27:37 +02:00
Benjamin Dauvergne	0f7044e7a0	adapters: do not exclude already linked users (#76083) ... When two IdP are used with common directory accounts of if we migrate from a test IdP to a production IdP, it can be useful to relink existing users to the new source.	2023-04-01 17:32:39 +02:00
Valentin Deniaud	e54f100fdf	misc: bump black version (#75442)	2023-03-16 17:19:05 +01:00
Benjamin Dauvergne	750f869e5f	misc: do not send logout requests if SingleLogout profile is not supported (#71041)	2022-11-09 08:16:02 +01:00
Frédéric Péters	667078b0ae	translation update	2022-10-10 09:37:34 +02:00
Benjamin Dauvergne	817314b8ee	views: send all related SessionIndex in LogoutRequest (#69955) ... As we do not known which one the IdP remember, we must send them all.	2022-10-06 16:21:25 +02:00
Benjamin Dauvergne	cce77e82e5	adapters: update new UserSAMLIdentifier fields on each SSO (#69955) ... On existing UserSAMLIdentifier missing values for nid_format especially, will break the SLO code as the emitted LogoutRequest will have an unknown NameID when analyzed by the identity provider (NameID content and attributes must match exactly).	2022-10-06 16:21:17 +02:00
Benjamin Dauvergne	45f81514bc	misc: clean SessionIndex during logout (#69740) ... SessionIndex are deleted when the linked session does not exist anymore and 5 minutes after the creation of the logout request.	2022-10-05 19:53:07 +02:00
Benjamin Dauvergne	f335a403c1	views: implement a sessionless logout endpoint (#69740) ... To implement SAML single logout in authentic we need a logout endpoint which works event after the user session has been killed, to do that we store the needed information in Django signed token, and use it to initiate the logout request. Afterward the next_url is stored in short-lived session cookie instead of the session.	2022-10-05 17:23:51 +02:00
Benjamin Dauvergne	218afde9cd	misc: make logout work with transient NameID (#69740) ... Implementation of transient NameID is special, the transient NameID is ignored and an attribut value is used as the federation key. But in order to producre a proper NameID for the logout request we need the transient NameID value. To work around this problem we add a transient_name_id attribute to the SessionIndex model representing the current SSO session, and we modify the session dump template to use this value instead of UserSAMLIdentifier.name_id if transient_name_id is not None.	2022-10-05 17:23:51 +02:00
Benjamin Dauvergne	7f9602c528	utils: add method to build a session dump from models (#69740) ... Storing the LassoSession dump in the Django session is no longer needed, we can rebuild it from the information in the models.	2022-10-05 17:23:51 +02:00
Benjamin Dauvergne	600c8cfbc0	misc: keep nameid attributes to rebuild it (#69740) ... Logout requests need a properly built NameID element, but we did not store enough information in models to do that, we uses the LassoSession dump from the session as a work-around. In order to have a session-less logout endpoint, we need to store those informations in the UserSAMLIdentifier model.	2022-10-05 17:23:51 +02:00
Benjamin Dauvergne	e98308d45c	views: allow overriding the default return url after logout (#69740)	2022-10-05 17:23:50 +02:00
Benjamin Dauvergne	86d3cad3b8	views: improve handling of next_url for sp initiated logout (#69740)	2022-10-05 17:23:20 +02:00
Benjamin Dauvergne	43ce1d8141	utils: use same_origin() from authentic2 (#69740)	2022-10-05 12:29:13 +02:00
Valentin Deniaud	e7a1aa5646	translation update	2022-09-29 14:57:26 +02:00
Valentin Deniaud	591344d21f	templates: add blocktrans trimmed where useful (#69422)	2022-09-29 14:56:48 +02:00
Valentin Deniaud	d20066dc44	misc: apply djhtml (#69422)	2022-09-29 12:20:38 +02:00
Valentin Deniaud	a7a3582c97	views: show debug login view on lasso exception (#68962)	2022-09-14 13:53:49 +02:00
Agate	98783c8574	django4: access request headers through request.headers instead of request.META (#68571)	2022-08-31 09:13:37 +02:00
Agate	7050da2320	django4: replaced urls.url with url.path equivalent (#68571)	2022-08-31 09:13:14 +02:00
Agate	1740cd7483	django4: replaced deprecated request.is_ajax() call (#68571)	2022-08-31 09:12:39 +02:00
Frédéric Péters	366758a54d	misc: log when login is refused because of authn_classref mismatch (#68236)	2022-08-18 15:09:20 +02:00
Benjamin Dauvergne	437d1a3063	middleware: clear PASSIVE_TRIED_COOKIE when logged in (#67084)	2022-07-06 16:11:39 +02:00
Paul Marillonnet	1fa1541c02	views: use MELLON_OPENED_SESSION to anchor local session to the global session (#66747) ... If the MELLON_OPENED_SESSION cookie change or disappear during an opened session, the user is automatically logged out. If it changes after a previous passive login try, passive login is allowed again.	2022-06-29 11:14:05 +02:00
Paul Marillonnet	dedd924f99	use force_str only when necessary (#64309)	2022-04-20 09:54:54 +02:00
Paul Marillonnet	b4704b16c9	use django3.2-compatible re_path urls util (#64309)	2022-04-20 09:54:05 +02:00
Paul Marillonnet	509beeb6c4	discard deprecated ugettext* i18n utils (#64309)	2022-04-20 09:52:47 +02:00
Benjamin Dauvergne	7c9ca09de7	misc: remove six module usage (#63688)	2022-04-08 10:14:54 +02:00
Frédéric Péters	8f49eb59b5	translation update	2022-03-25 09:02:58 +01:00
Frédéric Péters	ff98a87158	translations: close quotes around username (#63178)	2022-03-25 09:02:43 +01:00
Benjamin Dauvergne	fc4f78c039	translation update	2022-02-04 13:25:52 +01:00
Benjamin Dauvergne	104d57f753	views: do not logout in sp_response_logout (#61431) ... It's already done in the initialization view, if a new session has been open since we must keep it open.	2022-02-04 13:02:12 +01:00
Benjamin Dauvergne	947c355baf	views: keep next_url trough sp logout (#61431) ... * first, create relaystate before build logout.msgUrl * second, retrieve it in sp_logout_response	2022-02-04 13:00:55 +01:00
Frédéric Péters	a2019a930c	properly close meta refresh tag (#61020)	2022-01-24 16:57:02 +01:00
Benjamin Dauvergne	be1e50e826	views: log SAML response and assertion in debug view (#58915)	2021-11-23 19:21:23 +01:00
Valentin Deniaud	50cb52b160	views: render debug login template at the last moment (#58906)	2021-11-23 14:41:34 +01:00
Frédéric Péters	090a133d85	translation update	2021-10-05 22:11:08 +02:00