Commit Graph

38 Commits

Author SHA1 Message Date
Michael Genson
0371874670 fix: Refactor Recipe Zip File Flow (#6170) 2025-11-03 14:43:22 -06:00
Michael Genson
b7b191a5ee fix: Truncate Long Passwords (>72 bytes) (#6335) 2025-10-09 23:46:06 +00:00
Michael Genson
cec6d2c5ec fix: Actually Fix Token Time (#6215) 2025-09-21 19:51:19 -05:00
Xavier L.
6d2936cab6 fix: Handle missing OIDC groups claim (#6054) 2025-08-29 21:07:00 +00:00
Michael Genson
cea3ddc883 chore(deps): update dependency ruff to ^0.12.0 (#5568)
Co-authored-by: Kuchenpirat <24235032+Kuchenpirat@users.noreply.github.com>
2025-06-24 09:46:49 +02:00
Carter
d724f408cc feat: OIDC: Call userinfo if no claims found in id token (#5228)
Co-authored-by: Michael Genson <71845777+michael-genson@users.noreply.github.com>
2025-03-17 03:05:20 +00:00
Dan Webb
716c5c1d87 chore: Add OIDC debug logging (#4658)
Signed-off-by: Dan Webb <dan.webb@damacus.io>
2024-12-30 21:20:15 +00:00
Michael Genson
87504fbb05 feat: Upgrade to Python 3.12 (#4675)
Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
2024-12-04 22:31:26 -06:00
Jonas Graubner
426f91fb50 fix: Enable OIDC with Synology SSO Server (#4544) 2024-11-19 14:15:58 +00:00
Carter
80caa5ffaf fix: Prevent login via credentials when Auth Method is Mealie (#4370) 2024-10-16 14:34:51 +00:00
Carter
5ed0ec029b feat: Add OIDC_CLIENT_SECRET and other changes for v2 (#4254)
Co-authored-by: boc-the-git <3479092+boc-the-git@users.noreply.github.com>
2024-10-05 21:12:11 +00:00
Michael Genson
eb170cc7e5 feat: Add Households to Mealie (#3970) 2024-08-22 10:14:32 -05:00
Carter
1fcc2c755a fix: Add a default value of list when a user's group is None (#3872) 2024-07-08 21:13:04 -05:00
Carter
3f263281e7 Add time-based caching for JWKS fetching (#3586) 2024-05-11 21:21:55 -05:00
Carter
fac1df31d3 Make OIDC groups claim configurable and optional (#3552) 2024-05-02 22:55:47 -05:00
Michael Genson
786aa2279c chore: Replace python-jose with PyJWT (#3521)
Co-authored-by: boc-the-git <3479092+boc-the-git@users.noreply.github.com>
2024-04-29 09:49:13 +00:00
Carter
1a385e941c Add new OIDC TLS CA Certfile option (#3496) 2024-04-19 20:36:03 +10:00
Carter
c6f5b62ad0 Fix OIDC infinite loop if user is not in OIDC_USER_GROUP (#3487) 2024-04-19 00:17:45 +00:00
tba-code
1099e30a1d feat: Add OIDC_USER_CLAIM (#3422)
* feat: Add OIDC_USER_CLAIM

* fix: add validation
2024-04-04 21:16:54 +00:00
Carter Mintey
f73aefce4e lint 2024-03-22 01:46:45 +00:00
Carter Mintey
ff5131018b add new environment variable for specifying the signing algorithm 2024-03-22 01:32:33 +00:00
Hayden
5f6844eceb feat: Login with OAuth via OpenID Connect (OIDC) (#3280)
* initial oidc implementation

* add dynamic scheme

* e2e test setup

* add caching

* fix

* try this

* add libldap-2.5 to runtime dependencies (#2849)

* New translations en-us.json (Norwegian) (#2851)

* New Crowdin updates (#2855)

* New translations en-us.json (Italian)

* New translations en-us.json (Norwegian)

* New translations en-us.json (Portuguese)

* fix

* remove cache

* cache yarn deps

* cache docker image

* cleanup action

* lint

* fix tests

* remove not needed variables

* run code gen

* fix tests

* add docs

* move code into custom scheme

* remove unneeded type

* fix oidc admin

* add more tests

* add better spacing on login page

* create auth providers

* clean up testing stuff

* type fixes

* add OIDC auth method to postgres enum

* add option to bypass login screen and go directly to iDP

* remove check so we can fall back to another auth method if oauth fails

* Add provider name to be shown at the login screen

* add new properties to admin about api

* fix spec

* add a prompt to change auth method when changing password

* Create new auth section. Add more info on auth methods

* update docs

* run ruff

* update docs

* format

* docs gen

* formatting

* initialize logger in class

* mypy type fixes

* docs gen

* add models to get proper fields in docs and fix serialization

* validate id token before using it

* only request a mealie token on initial callback

* remove unused method

* fix unit tests

* docs gen

* check for valid idToken before getting token

* add iss to mealie token

* check to see if we already have a mealie token before getting one

* fix lock file

* update authlib

* update lock file

* add remember me environment variable

* add user group setting to allow only certain groups to log in

---------

Co-authored-by: Carter Mintey <cmintey8@gmail.com>
Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com>
2024-03-10 13:51:36 -05:00
Michael Genson
315d5b370e fix: bump ruff (#3275)
* bump ruff

* updated deprecated cli usage

* fixed deprecated pyproject layout

* fixed .format string

* fixed another deprecated setting
2024-03-09 18:40:08 +00:00
Michael Genson
a5ef18669b fix: Upgrade Black (#3057)
* bump black

* bump black on precommit

* run black

* fix backend test runner
2024-01-27 15:11:54 -06:00
Michael Genson
4ae5c52de9 refactor to use bcrypt directly 2024-01-24 22:03:16 +00:00
Matthew Hill
4bd7bda60d fix: Fix bugs with account locking (#2580)
* fix(security): reset login attempts after successful login

Enforce a maximum number of consecutive failed logins. Successfully logging in should reset the
count.

#2569

* fix(security): fix when user is unlocked

The user should be unlocked when locked_at is set, but the lock has expired.

#2569
2023-09-29 15:58:00 -08:00
Carter
c783d86a2a feat: LDAP attribute validation (#2400)
* validate user attributes on user creation

add logs for invalid or missing attributes

* only update admin flag when admin status changes

* move ldap functions into separate file

* fix linter issues

* actually use the search_user function

* fix types
2023-07-23 09:49:24 -08:00
Carter
10730bfa77 [Fix] Filter out the LDAP entries which do not have a DN (#2288)
* use first returned ldap entry

* set OPT_REFERRALS to 0

* filter out ldap entries not having a dn
2023-04-04 09:22:47 -08:00
Carter
7d9be67432 feat: LDAP Improvements and E2E testing (#2199)
* add option to enable starttls for ldap

* add integration test for ldap service

* document new, optional environment variable

* fix: support anonymous bind

* id and mail attributes in LDAP_USER_FILTER should be implied

* remove print statement
2023-03-12 12:36:32 -08:00
Carter
2e6ad5da8e Feature: Add "Authentication Method" to allow existing users to sign in with LDAP (#2143)
* adds authentication method for users

* fix db migration with postgres

* tests for auth method

* update migration ids

* hide auth method on user creation form

* (docs): Added documentation for the new authentication method

* update migration

* add  to auto-form instead of having hidden fields
2023-02-26 10:12:16 -09:00
Carter
da60e56982 fix: user login and creation with LDAP (#2107)
* Corrected if statement to check if a result was returned by the LDAP search. And decoded the user_attributes from binary data to string

* removed trailing spaces

* Revert asserts in LDAP unit test back

Since an empty tuple is still a result, a user is created and the result should not be false.

* Simplified code

* Extended the LDAP implementation

* fix ldap authentication and user creation

* modified docs to include new LDAP environment variables

* update tests and linting

* add libldap-2.4-2 as runtime dependency for the api

---------

Co-authored-by: Erik Landkroon <eriklandkroon@gmail.com>
2023-02-11 10:16:33 -09:00
Hayden
4d5550ad85 chore: mypy, ruff, extract, openapi, and recipes-scraper updates (#1968)
* bump ruff and mypy

* mypy fixes

* bump and fix openapi

* drop debug statement

* bump extruct

* bump recipes-scrapers
2023-01-01 13:47:27 -09:00
tomamplius
25ebe2d6fb bugfix: fix user_entry validation control (#1871)
* fix user_entry control

* code optimisation

* poetry syntax requirement

* poetry is really strict with python

* resolve linting error

* Update security.py

* fix user_entry = [()]

Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
2023-01-01 11:52:49 -09:00
Hayden
84c23765cd fix: strict optional errors (#1759)
* fix strict optional errors

* fix typing in repository

* fix backup db files location

* update workspace settings
2022-10-23 13:04:04 -08:00
Elegant
11eeab1b51 feat: LDAP improvements (#1487)
* Use Base DN for LDAP and fetch user attrs

Requires that a Base DN be set for LDAP
Set `full_name` and `email` based on LDAP attributes when creating user

* Add support for secure LDAP

Allow insecure LDAP connection (disabled by default)
Use CA when connecting to secure LDAP server

* Added missing quotes to example

* Update security.py

* Update security.py formatting

* Update security.py

Switched to f-String formatting

* formatting

* Update test_security.py

Added at attributes for testing

* Update test_security.py

Modified tests for base DN

* Update test_security.py

Set proper base DN for testing

* Update test_security.py

Corrected testing for LDAP

* Update test_security.py

Defined base_dn

* Authenticated user not in base DN

Add check for when user can authenticate but is not in base DN

* Update test_security.py

LDAP user cannot exist as it is searched before it is created and the list returns False

Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
2022-09-15 19:33:36 -08:00
Hayden
b3c41a4bd0 security: implement user lockout (#1552)
* add data-types required for login security

* implement user lockout checking at login

* cleanup legacy patterns

* expose passwords in test_user

* test user lockout after bad attempts

* test user service

* bump alembic version

* save increment to database

* add locked_at to datetime transformer on import

* do proper test cleanup

* implement scheduled task

* spelling

* document env variables

* implement context manager for session

* use context manager

* implement reset script

* cleanup generator

* run generator

* implement API endpoint for resetting locked users

* add button to reset all locked users

* add info when account is locked

* use ignore instead of expect-error
2022-08-13 13:18:12 -08:00
Jurjen de Jonge
abb114c375 security: delay server response whenever username is non-existing (#1338)
* Delay server response whenever username is non-existing

* utilize hasher to achieve constant timing

Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
2022-06-04 10:27:30 -08:00
Hayden
c988de1921 fix: group creation (#1126)
* fix: unify group creation - closes #1100

* tests: disable password hashing during testing

* tests: fix email config tests
2022-04-02 19:33:15 -08:00