ngcp-panel

Commit Graph

Author	SHA1	Message	Date
Rene Krenn	0bd2c64b98	MT#53706 OTP: login, show registration info Change-Id: I20e6fba357b6bfed868edb8030009683b8df29ef	1 month ago
Rene Krenn	4bb352e1f8	MT#53706 rail for generating OTP secret QR code png Change-Id: I2d8d4ab1d3967a5c7ac720e09278443c0d098866	1 month ago
Rene Krenn	b0b646db5b	MT#53706 wire OTP secret validation - api, jwt Change-Id: I7f0205323811196eb0e319fcb2c888cf8a314f81	1 month ago
Rene Krenn	c0249eadbc	MT#53706 OTP generate_secret, verify_secret migrate RFC 6238 One-Time-Password (OTP) implementation Change-Id: Iffd50540037a1b502138e69be4ad7ef86aaee519	1 month ago
Kirill Solomko	d5fd8679fe	MT#62093 return 403 Banned for banned users * add banned user redirect for API requests * Urils/Auth move Redis composed keys into functions to increase consistency and avoid typos. Change-Id: I7a6f9b340ac53ffc2ee921410852e36a49587941	3 months ago
Kirill Solomko	9960cd152d	MT#62093 extend user ban keys in Redis * keys now have named fields separated by :: * admin keys now contain admin_id and reseller_id * subscriber keys now contain subscriber_id and reseller_id * this is to make it in line with API v2 implementation Change-Id: Ic32a173cad9b63e63e7754f02ac2649d142b099f	3 months ago
Rene Krenn	fc42ca7564	MT#59447 fix admin LDAP uri Change-Id: Ie9be0d5ea8428a8a96ebfbadb0d285f5082474b5	4 months ago
Rene Krenn	de0595c089	MT#59447 admin user LDAP authentication #1 Change-Id: Ic31236d933f022b567c74998959267ef9a549b7e	5 months ago
Rene Krenn	358139edee	MT#59447 admin user LDAP authentication Change-Id: I86005af30dee6285d80fe69f020f4a33cb23a608	5 months ago
Kirill Solomko	a3945269fc	MT#59449 fix perform_auth to send correct realm to ban check * perform_auth $realm is in a form of a subrealm, e.g. api_admin_http api_admin_jwt, etc. where for bans check it's 'admin' realm. Therefore, user_is_banned() is now called from there using explicit 'admin' realm as the argument. Change-Id: I3a10a9b492bf9dbe83ddd34a8851e83b23f90587	8 months ago
Kirill Solomko	46d297dec2	MT#60656 improve 403 Password Expired for expired passwords * 403 Password Expired is now correctly returned for POST /login_jwt when a password is expired, instead of returning the token. * 403 Password Expired is now correctly returned for API requests and redirect to /changepassword only happens for non API requests. * improve Utils::Auth::check_max_age() to accept also $auth_user and $ngcp_realm for cases (like /login_jwt) where there is an authenticated user but there is no $c->user. Change-Id: I302ad8654bdf16fe0882625fd6e9a8bba7a8ad42	8 months ago
Kirill Solomko	78dfb7f7d8	MT#60656 do not check max_age if user does not exist * prevent max age check if user does not exist (not logged in) and return 1 instead. Change-Id: I5d1af5f46eec6a3eea6df0d719a35d1fedb19b3e	9 months ago
Kirill Solomko	b041888807	MT#60656 add max_age password validation support * UI: password are now validated against $c->config->{security}{password}{web_max_age_days} (unless it's 0) and if the password is expired the user is redirected automatically to /changepassword page, and after successful password change back to the original page. * API: if password is expired all API requests will be returning 403 Forbidden "Password expired", except PUT/PATCH to /api/admins or /api/subscribers with the new password in place. * successful login on the UI now redirects to /dashboard instead of / (to prevent unintended redirect to v2) Change-Id: I075f8e17cc9b0658d6b3b3d526ca5b379d050ce4	9 months ago
Kirill Solomko	4a9a632da1	MT#59449 sub auth fix possible username without undef domain * perform_subscriber_auth(): check if domain is undefined and use only $user, otherwise $user . @ . $domain. Change-Id: I3d342fb2c4768c2b7b3e0c08ea41e429b83e9683	9 months ago
Kirill Solomko	2972d3b62d	MT#59449 add progressive user bans support * users are now progressively banned. * ban_min_time is used to ban a user for the first time. * consecutive ban is ban_min_time + ban_increment * ban_increment_stage * ban_max_time is the absolute maximum ban time that is not increased any further. * a successful login resets the ban_increment_stage. Change-Id: I4d7e1a93d7a21d21a0dcf69d856a872d2ed75ea0	9 months ago
Kirill Solomko	cfe0a44b8d	MT#60585 add user ban by IP address, ban JWT invalid attempts * ban users by IP addresses * ban invalid JWT attempts Change-Id: I0c7746aa751ca96cba0ce4d1388646ba4890a422	9 months ago
Kirill Solomko	60fa23cb68	MT#60585 add user ban support * users for admin/subscriber realms are now banned if failed to login X amount of times (UI/API). * rework Redis connection and it's now a Catalyst plugin NGCP::Redis accessed by $c->redis_get_connection({database => 19}), the connection per database, per worker process is established only once and then reused (with auto built-in reconnect support). * remove Utils::Redis.pm as it does not have any code/logic anymore. * ban values are taken from $config->{security}{login} as - ban_enable: 1 - ban_expire_time: 3600 ban expire time in seconds - max_attempts: 5 * if max_attempts set to 0, the ban functionality is disabled as it requires to be at least 1 to work. * upon successful login or ban, the failed attempts counter is removed * the failed attempts counter is also removed automatically with the expire time equals "ban_expire_time" or otherwise 3600 seconds. * user bans are logged into panel.log * banned user receives exactly the same return page/codes as per invalid logic. Change-Id: I05cc68c623ee289488fc64f1af50527004dcaae1	9 months ago
Kirill Solomko	d9f283cbc8	MT#59449 enhance password validation and handling * passwords are now validated based on - minlen - maxlen - min lower case chars - min uppper case chars - min digits - min special chars * Data::Password::zxcvbn is used to calculate password score and reject passwords with score < 3 as weak (this library is ported from the Dropbox password validation) * Add password journals and check last used passwords in the journals * Improve password generator javascript function to generate a password with at least 4 of each of the char group types. * Currently affected are subcriber and admin entry creation or modification via UI/API * NGCP::Utils::Auth add optional bcrypt_cost support as last argument for generate_salted_hash and get_usr_salted_pass Change-Id: I100c25107d91741d5101bc58d29a3fa558b0b017	9 months ago
Rene Krenn	65b5c62e48	TT#188950 ignore domain for subscriber authentication when ignore_auth_realm is "yes", it should no longer be required to provide the domain part for subscriber logins. Change-Id: I346f94278c9b0d9a598858c24d797b03217123d4	3 years ago
Kirill Solomko	f91797cbc5	TT#170500 password reset v2 fix redirect url * v2 redirect url is changed to /v2/#/recoverpassword Change-Id: If8624624dad5f31188ef47060ee3bb07a2531112	3 years ago
Rene Krenn	eac6c2dc4c	TT#146101 add external base url parameter for deployments that expose panel/csc via a proxy, the auto-generated base url printed in emails can be unreachable. we therefore introduce the option to explicitly specify a base url to use. it will support an sprintf pattern with individual params for eg.: - protocol scheme - domain part - port - base url path Change-Id: I6a9ca23126c669d249ef7f3e092cae0161235ebe	3 years ago
Rene Krenn	599dd0613b	TT#151751 fix plaintext sippassword no longer returned this fix addresses regression reported by dominik: * $resource{_password}/{_webpassword} cannot be set before the form validation as they are effectively removed by it, causing /api/susbcribers returning no passwords at all for 'subscriber' roles * Having them after the patch makes no sense either as next resource_from_item call will effectively remove them again (in PATCH) (cherry picked from commit `5e9066c4fb`) Change-Id: I88c9ec40843f1e9a6983952b96c0b0e70fbb1bb1	3 years ago
Kirill Solomko	81ebdb8dcf	Revert "TT#151751 refactor persisting subscriber webpassword" This reverts commit `5e9066c4fb`. This implementation breaks: * $resource{_password}/{_webpassword} cannot be set before the form validation as they are effectively removed by it, causing /api/susbcribers returning no passwords at all for 'subscriber' roles * Having them after the patch makes no sense either as next resource_from_item call will effectively remove them again (in PATCH) Change-Id: I0e8389e8ab34ad72f1b87a684daba77f1030f8ba	3 years ago
Rene Krenn	5e9066c4fb	TT#151751 refactor persisting subscriber webpassword a multitude of issues popped after introducing bcrypted webpasswords in the database. most recently the PATCH /api/susbcribers rail was reported to reset the webpassword unintentionally. subscriber login fails afterwards, which is a severe issue. the bugs are adressed by this refactorings. the change also introduces a global variable $NGCP::Panel::Utils::Auth::ENCRYPT_SUBSCRIBER_WEBPASSWORDS to control encrypting webpasswords. it is still enabled as of now, but it's worth to consider disabling it. there other ways to have a "cost" for an authentication request, eg. adding a simple sleep(1sec). Change-Id: I2d47d54a2d83568546ffdd2b211337a5f56be3a2	3 years ago
Kirill Solomko	cc10506b2e	TT#129162 fix subscriber webpassword field validation * 'webpassword' field is now also validated for invalid (non-ascii) characters * Fix multiple APP input field validation erros to comma joined. * Adjust 'webpassword' field validation errors to have better readability when there are multiple validation errors Change-Id: I21536f97a4da78cc5192a3abd8cd5adef1b819ec	4 years ago
Kirill Solomko	1cdae0b1e0	TT#125902 add Login CSC v2 support * Login CSC v2 button is shown on the subscriber's master data page if www_admin.http_csc.csc_js_enable == 1 or 2 * When the login is triggered an auth token is generated internally followed by a redirect to CSC as /?a=auth_token * move generate_auth_token() into Utils/Auth * improve generate_auth_token() arguments support * add /api/authtokens error handling Change-Id: Idd65400bf8ce6ce48979c736f6a199fb567ffaa4	4 years ago
Kirill Solomko	63812835c0	TT#129162 fix passwork characters check * check that the password variable contains a value Change-Id: Iba1cf809d5cd81b3dbbeb4686765a667e339d93f	4 years ago
Kirill Solomko	f4597b6ed7	TT#129162 add bcrypt password characters check Change-Id: I08723d02a7e4bc042351444b201d1f96cc986af3	4 years ago
Rene Krenn	8238204682	TT#105100 fix update case for webpasswd db encrytion Change-Id: I91de91430434edef744c6b3791749ea81053d1cb	4 years ago
Flaviu Mates	654bb1aabe	TT#92550 - Implement /api/passwordrecovery * The new endpoint will only accept POSTs * The request body should have two parameters called 'new_password' and 'token' * First, look for the token in redis (for admins), if not found, look for it in DB (for subscribers), if neither is found, return Change-Id: I4163a0d5bd886961317b21aeca20c8ccfdeab0dd	5 years ago
Flaviu Mates	be14a9242e	TT#84337 - Implement /api/passwordreset * The new endpoint will only accept POSTs * The request body should have two parameters called 'type', 'username' and 'domain' * 'type' will accept either 'administrator', in which case only 'username' is needed, or 'subscriber', in which case 'username' and 'domain' will be needed * The regular password reset email will be sent to either the admin or the subscriber Change-Id: If1457c8c625a95295e5e93b6637927e3905698d9	5 years ago
Flaviu Mates	6c645490e6	TT#84453 - Fix error when subscriber logs in on old CSC * Add check for existence of webpassword on subscriber log in to prevent the code from trying to use the undefined password * Subscribers with no webpassword cannot log in the old CSC Change-Id: I7b82c014fa5f70fa36ee7282db94a747e54ce2ae	5 years ago
Andreas Granig	8f8e1d5fc9	TT#78557 - Use bcrypt to hash webpassword * Change the way webpassword is handled accross NGCP Panel UI/API to comply with new password encryption * At login, if password is not encrypted with high cost due to the ngcp-bcrypt-webpassword script, encrypt it with proper cost * Accept old password format as well until all webpasswords are encrypted Change-Id: Iefa9584a62ab4b7d2a224d10bdd415e9cbb8dfb5	5 years ago

33 Commits (master)