  1. Sep 04, 2021
    • Dedicated error page for permission errors · 2d0ed84b
      Julian authored
      Prior to this change permission errors (i.e. the user is logged in but does
      not have a required group) were reported with flash('Access denied') and a
      redirect to the selfservice index page. This causes two problems: The error
      is reported with HTTP status 301/200 which is difficult to check for in tests.
      This can also cause redirect loops as soon as the selfservice uses more
      differentiated permission checks (see #104).
      
      With this change a dedicated error page is displayed in place of the requested
      page and the HTTP status 403 is returned. This is implemented with
      flask's errorhandler concept for 403.
    • 02454f5b
    • Don't display login page if user is already logged in · 6fc1fca3
      Julian authored
      Fixes #103.
  2. Sep 02, 2021
    • Fix for 45d4598e (Replace flask_oauthlib with plain oauthlib) · 883301c8
      Julian authored
      45d4598e accidentally removed the OAuth2.0 access permission check based on
      Client.required_group. This change adds it again.
    • Replace flask_oauthlib with plain oauthlib · 45d4598e
      Julian authored
      flask_oauthlib is no longer available in Debian Bullseye. It is only a
      wrapper around oauthlib, which is still available. While this change does
      increase the OAuth2 code size, it achieves compatibility with both Debian
      Buster and Bullseye.
      
      Aside from error handling, this change has no noticeable effects on OAuth2.0
      clients. In terms of error handling, a few cases that were not properly
      handled before now return appropriate error pages.
      
      Fixes #101
  3. Aug 30, 2021
    • Restrict password alphabet to SASLprep-safe ASCII subset · cb2d7f35
      Julian authored
      Prior to this change user passwords were not validated on change aside from
      their length, but validated on login/bind by ldap3 with SASLprep. Instead of
      using SASLprep on password change, this change restricts passwords to 7-bit
      ASCII without control characters. Control characters are forbidden by
      SASLprep. Multi-byte characters are uncommon in passwords, especially in those
      generated by password managers. This ensures that passwords are always
      SASLprep-safe without implementing the rather complex SASLprep algorithm. It
      also allows us to fully describe the alphabet restrictions in the relevant
      forms.
      
      Fixes #100
    • Catch LDAPSASLPrepError on login · 3f6a67ea
      Julian authored
      Ldap3 raises LDAPSASLPrepError on bind if the password contains characters
      forbidden by SASLPrep (string preparation/normalization algorithm for user
      names and passwords). Examples are carriage return ("\r") or newline ("\n")
      characters. See #100.
  4. Aug 14, 2021
  5. Aug 13, 2021
  6. Aug 12, 2021
  7. Aug 11, 2021
  8. Aug 04, 2021
  9. Aug 02, 2021
  10. Aug 01, 2021
  11. Jul 31, 2021
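
The alphabet restriction described in cb2d7f35 and the bind failure described in 3f6a67ea, as an added example that is not the project's own code: it checks a password against the restricted alphabet and uses Python's standard `stringprep` tables to confirm that every allowed character passes each SASLprep (RFC 4013) step unchanged. The function names are hypothetical, and the alphabet is assumed to be U+0020 through U+007E.

```python
import stringprep
import unicodedata

# Assumption: "7-bit ASCII without control characters" is read as U+0020..U+007E.
ALLOWED = frozenset(chr(c) for c in range(0x20, 0x7F))

# Prohibited-output tables that SASLprep (RFC 4013, section 2.3) applies.
PROHIBITED = {
    "C.2.1": stringprep.in_table_c21, "C.2.2": stringprep.in_table_c22,
    "C.3": stringprep.in_table_c3, "C.4": stringprep.in_table_c4,
    "C.5": stringprep.in_table_c5, "C.6": stringprep.in_table_c6,
    "C.7": stringprep.in_table_c7, "C.8": stringprep.in_table_c8,
    "C.9": stringprep.in_table_c9,
}


def invalid_chars(password):
    """Characters a password-change form would reject, in order of first use."""
    return list(dict.fromkeys(ch for ch in password if ch not in ALLOWED))


def saslprep_issue(ch):
    """Why SASLprep would alter or reject ch, or None if it passes unchanged."""
    if stringprep.in_table_b1(ch):
        return "mapped to nothing (B.1)"
    if stringprep.in_table_c12(ch):
        return "mapped to U+0020 (C.1.2)"
    if unicodedata.normalize("NFKC", ch) != ch:
        return "changed by NFKC normalization"
    for name, table in PROHIBITED.items():
        if table(ch):
            return f"prohibited output ({name})"
    if stringprep.in_table_a1(ch):
        return "unassigned code point (A.1)"
    if stringprep.in_table_d1(ch):
        return "RandALCat character, bidi rules apply (D.1)"
    return None


def alphabet_is_saslprep_safe():
    """Check every allowed character against every SASLprep step."""
    return all(saslprep_issue(ch) is None for ch in sorted(ALLOWED))


if __name__ == "__main__":
    print(alphabet_is_saslprep_safe())
    for sample in ("correct horse", "line\r\nbreak", "p\u00e4ssword"):  # constructed
        print(repr(sample), invalid_chars(sample))
```

A character such as "ä" passes SASLprep yet is outside the alphabet, so the restriction is deliberately stricter than SASLprep itself.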