
Compare revisions

Changes are shown as if the source revision was being merged into the target revision.

Commits on Source 27

  • Add per-service setting for testing remailer · 05f68ec8
    Julian authored
    This setting is more flexible than the existing REMAILER_LIMIT_TO_USERS config
    option. The config option is therefore deprecated and will be removed in the
    next major version.
    05f68ec8
  • e083d6e1
  • Add user deactivation · 6b2ee671
    Julian authored
    6b2ee671
  • Optimize migration from 53c06069 (New UID/GID allocation approach) · 9545981a
    Julian authored
    Alembic runs migration scripts on SQLite and MariaDB in auto-commit mode, so
    inserting many rows with individual insert statements is extremely slow.
    9545981a
  • Remove unused json encoder customizations · 1ed39c8e
    Julian authored
    1ed39c8e
  • Updated Key & README · c668919f
    thies authored and Julian committed
    c668919f
  • PEP 440 conformance for development builds · ee8db499
    Julian authored
    Recent setuptools releases refuse to build packages with invalid version
    strings. So instead of using the bare commit hash as the version, we now
    build proper version strings like X.Y.Z.dev-git.COMMIT for CI development
    builds and X.Y.Z for release builds (same as before).
    ee8db499
  • c2b30f17
  • Debian Bookworm support · 0d870ee1
    Julian authored
    - Add CI tests for Bookworm
    - Disable pylint deprecation warnings for crypt
    - Mitigate Flask changes that broke a few tests
    - Set create_constraint=True for Booleans/Enums to mitigate SQLAlchemy changes
    - Mitigate new Alembic CHECK constraint behaviour in batch mode
    0d870ee1
  • Use Debian Bookworm for CI builds · 409d7e66
    Julian authored
    - Fix apt package build on Bookworm
    - Adapt babel.cfg to jinja 3.x.x and break compatibility with older versions
    409d7e66
  • Prevent TOTP code reuse · 7a94d7de
    Julian authored
    Time-based one-time password (TOTP) codes are only valid for a short period
    of time. In addition they are meant to be single-use to make them more
    resistant against phishing and eavesdropping (e.g. keyloggers). Prior to this
    change uffd did not keep track of used codes and thus did not prevent code
    reuse.
    7a94d7de
  • Fix OAuth2 authorization code invalidation · 4457282d
    Julian authored
    9bfd6f81 changed the format of authorization codes, but did not adapt the
    invalidation code accordingly. Because of this, authorization codes were
    not invalidated and could have been used multiple times to request access
    tokens until expiring.
    4457282d
  • Dark mode · 16f5ae99
    byteplow authored and Julian committed
    
    Automatically enabled based on OS/browser settings (prefers-color-scheme
    CSS media query)
    
    Co-authored-by: Julian Rother <julian@cccv.de>
    16f5ae99
  • Fix SECRET_KEY auto-generation in debug mode · a662ceb2
    Julian authored
    Compatibility fix for Flask v2 (Debian Bookworm) and newer
    a662ceb2
  • Fix ORM relationship conflict warnings · 4736d5a3
    Julian authored
    SQLAlchemy v1.4 (Debian Bookworm) annoyingly warns about overlapping
    user/mfa_method relationships.
    
    Fixes #146
    4736d5a3
  • Fix autocomplete behaviour in Firefox · ccc90a8f
    Julian authored
    Firefox autofills all type="password" inputs with passwords from its built-in
    password store. This breaks usability of admin pages.
    
    This change fixes that by adding autocomplete="new-password" to these inputs.
    It also adds appropriate autocomplete attributes to other forms/inputs to
    improve autocomplete behaviour across browsers:
    
    - autocomplete="off" on all non-login/signup/selfservice forms
    - autocomplete="new-password" or autocomplete="current-password" on all
      type="password" inputs to work around Firefox's misdetection
    - autocomplete="username"/"email"/"nickname" on login/signup/selfservice inputs
      wherever appropriate
    - Avoid type="password" where possible (e.g. on readonly fields)
    ccc90a8f
  • Fix ORM cartesian product warnings · 94ba8b9c
    Julian authored
    SQLAlchemy v1.4 (Debian Bookworm) annoyingly warns about select statements
    that result in a cartesian product of multiple tables. We actually want
    cartesian products in all affected cases, so we change "SELECT FROM a,b" to
    the equivalent "SELECT FROM a JOIN b ON TRUE".
    
    See https://docs.sqlalchemy.org/en/14/changelog/migration_14.html
    94ba8b9c
  • OpenID Connect Core 1.0 and Discovery 1.0 support · edd4f4ca
    Julian authored
    Limited to OpenID provider conformance profiles "Basic" and "Config":
    
    - Support for features mandatory to implement for all OpenID Providers,
      not the feature set for Dynamic OpenID Providers
    - Only Authorization Code Flow, no support for Implicit/Hybrid Flow
    - Only code response type, no support for token/id_token
    - Server metadata is served at /.well-known/openid-configuration
    
    Additional/optional features:
    
    - Support for "claims" parameter
    - Support for standard scopes "profile" and "email"
    - Support for non-standard scope/claim "groups" (in violation of RFC 9068)
    
    Compatibility with existing (working) uffd client setups: Authorization
    requests without the "openid" scope behave the same as before. Prior to this
    change authorization requests with the "openid" scope were rejected by uffd.
    
    This change adds direct dependencies to pyjwt and cryptography. Prior to this
    change both were already transitive dependencies of oauthlib.
    edd4f4ca
  • Revokable server-side sessions · bbd251f7
    Julian authored
    bbd251f7
  • 636169e5
  • Fix 2FA selfservice permission checks · 11502833
    Julian authored
    Users with ACL_ACCESS_GROUP but without ACL_SELFSERVICE_GROUP were able to
    access the 2FA setup pages. Like all selfservice pages, these pages should
    only have been accessible to users with ACL_SELFSERVICE_GROUP.
    11502833
  • fefac582
  • Bind device login state to sessions instead of users · 08926d1f
    Julian authored
    Prerequisite for doing the same to OAuth2 state. This is required for
    implementing missing OIDC features later.
    08926d1f
  • Bind OAuth2 state to sessions instead of users · 89f1ecdd
    Julian authored
    Prerequisite for implementing missing OIDC features.
    89f1ecdd
  • Fix OIDC token endpoint crash on Debian Buster/Bullseye · 23b7736a
    eNBeWe authored and Julian committed
    
    The return type of jwt.encode() changed from bytes in v1.x (Buster/Bullseye)
    to str in v2.x (Bookworm). This let json.dumps crash on Buster and Bullseye
    with "TypeError: Object of type bytes is not JSON serializable".
    
    Flask v1.x (Buster/Bullseye) automatically uses simplejson.dumps instead of
    json.dumps if it is installed. simplejson.dumps auto-converts bytes to str per
    default. simplejson also happened to be installed in our CI images. This
    prevented the bug from surfacing in CI tests. We removed simplejson from our
    CI images in an external change.
    
    Co-authored-by: Julian Rother <julian@cccv.de>
    23b7736a
  • Fix spinner style in dark mode · c0dfb38a
    Julian authored
    c0dfb38a
  • Unified password hashing for recovery codes · 98fe5690
    Julian authored
    Closes #163
    98fe5690