Merge pull request #178 from sebadob/prepare-release-0.19.1

Prepare release 0.19.1
sebadob · Nov 20, 2023 · d5800ce · d5800ce
2 parents 1f4a146 + 17cb8b6
commit d5800ce
Show file tree

Hide file tree

Showing 11 changed files with 224 additions and 154 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,7 +10,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.19.1-20231123"
+version = "0.19.1"
 edition = "2021"
 authors = ["Sebastian Dobe <[email protected]>"]
 license = "Apache-2.0"

diff --git a/docs/config/config.html b/docs/config/config.html
@@ -199,26 +199,50 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # registrations with '[email protected]' (default: '')
 #USER_REG_DOMAIN_RESTRICTION=some-domain.com
 
-# If set to 'true', this will validate the remote peer IP address with each request 
-# and compare it with the IP which was used during the initial session creation / login.
-# If the IP is different, the session will be rejected.
-# This is a security hardening and prevents stolen access credentials, for instance if
-# an attacker might have copied the encrypted session cookie and the XSRF token from
-# the local storage from a user. However, this event is really unlikely, since it may
-# only happen if an attacker has direct access to the machine itself.
+# If set to 'true', this will validate the remote peer IP address with
+# each request and compare it with the IP which was used during the initial
+# session creation / login. If the IP is different, the session will be
+# rejected. This is a security hardening and prevents stolen access credentials,
+# for instance if an attacker might have copied the encrypted session cookie
+# and the XSRF token from the local storage from a user. However, this event
+# is really unlikely, since it may only happen if an attacker has direct access
+# to the machine itself.
 #
-# If your users are using mobile networks and get new IP addresses all the time, this
-# means they have to do a new login each time. This is no big deal at all with 
+# If your users are using mobile networks and get new IP addresses all the time,
+# this means they have to do a new login each time. This is no big deal at all with 
 # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature.
 #
 # Caution: If you are running behind a reverse proxy which does not provide the 
-# X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config disabled,
-# this feature will not work. You can validate the IPs for each session in the Admin
-# UI. If these are correct, your setup is okay.
+# X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config
+# disabled, this feature will not work. You can validate the IPs for each session
+# in the Admin UI. If these are correct, your setup is okay.
 #
 # (default: true)
 #SESSION_VALIDATE_IP=true
 
+# This value may be set to 'true' to disable the binding cookie checking
+# when a user uses the password reset link from an E-Mail.
+#
+# When using such a link, you will get a so called binding cookie. This
+# happens on the very first usage of such a reset link. From that moment on,
+# you will only be able to access the password reset form with this very 
+# device and browser. This is just another security mechanism and prevents
+# someone else who might be passively sniffing network traffic to extract 
+# the (unencrypted) URI from the header and just use it, before the user 
+# has a change to fill out the form. This is a mechanism to prevent against
+# account takeovers during a password reset.
+#
+# The problem however are companies (e.g. Microsoft) who scan their customers
+# E-Mails and even follow links and so on. They call it a &quot;feature&quot;. The
+# problem is, that their servers get this binding cookie and the user will be
+# unable to use this link himself. The usage of this config option is highly
+# discouraged, but since everything moves very slow in big enterprises and
+# you cannot change your E-Mail provider quickly, you can use it do just make
+# it work for the moment and deal with it later.
+#
+# default: false
+#UNSAFE_NO_RESET_BINDING=false
+
 #####################################
 ############# BACKUPS ###############
 #####################################
@@ -616,8 +640,8 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 #ML_LT_PWD_RESET=30
 
 # Lifetime in minutes for the first password magic link, for
-# setting the initial password. (default: 86400)
-#ML_LT_PWD_FIRST=86400
+# setting the initial password. (default: 4320)
+#ML_LT_PWD_FIRST=4320
 
 # The interval in seconds in which keep-alives should be sent to SSE clients.
 # Depending on your network setup, proxy timeouts, ...

diff --git a/docs/print.html b/docs/print.html
@@ -1335,26 +1335,50 @@ <h4 id="config-adjustments---rest-api"><a class="header" href="#config-adjustmen
 # registrations with '[email protected]' (default: '')
 #USER_REG_DOMAIN_RESTRICTION=some-domain.com
 
-# If set to 'true', this will validate the remote peer IP address with each request 
-# and compare it with the IP which was used during the initial session creation / login.
-# If the IP is different, the session will be rejected.
-# This is a security hardening and prevents stolen access credentials, for instance if
-# an attacker might have copied the encrypted session cookie and the XSRF token from
-# the local storage from a user. However, this event is really unlikely, since it may
-# only happen if an attacker has direct access to the machine itself.
+# If set to 'true', this will validate the remote peer IP address with
+# each request and compare it with the IP which was used during the initial
+# session creation / login. If the IP is different, the session will be
+# rejected. This is a security hardening and prevents stolen access credentials,
+# for instance if an attacker might have copied the encrypted session cookie
+# and the XSRF token from the local storage from a user. However, this event
+# is really unlikely, since it may only happen if an attacker has direct access
+# to the machine itself.
 #
-# If your users are using mobile networks and get new IP addresses all the time, this
-# means they have to do a new login each time. This is no big deal at all with 
+# If your users are using mobile networks and get new IP addresses all the time,
+# this means they have to do a new login each time. This is no big deal at all with 
 # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature.
 #
 # Caution: If you are running behind a reverse proxy which does not provide the 
-# X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config disabled,
-# this feature will not work. You can validate the IPs for each session in the Admin
-# UI. If these are correct, your setup is okay.
+# X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config
+# disabled, this feature will not work. You can validate the IPs for each session
+# in the Admin UI. If these are correct, your setup is okay.
 #
 # (default: true)
 #SESSION_VALIDATE_IP=true
 
+# This value may be set to 'true' to disable the binding cookie checking
+# when a user uses the password reset link from an E-Mail.
+#
+# When using such a link, you will get a so called binding cookie. This
+# happens on the very first usage of such a reset link. From that moment on,
+# you will only be able to access the password reset form with this very 
+# device and browser. This is just another security mechanism and prevents
+# someone else who might be passively sniffing network traffic to extract 
+# the (unencrypted) URI from the header and just use it, before the user 
+# has a change to fill out the form. This is a mechanism to prevent against
+# account takeovers during a password reset.
+#
+# The problem however are companies (e.g. Microsoft) who scan their customers
+# E-Mails and even follow links and so on. They call it a &quot;feature&quot;. The
+# problem is, that their servers get this binding cookie and the user will be
+# unable to use this link himself. The usage of this config option is highly
+# discouraged, but since everything moves very slow in big enterprises and
+# you cannot change your E-Mail provider quickly, you can use it do just make
+# it work for the moment and deal with it later.
+#
+# default: false
+#UNSAFE_NO_RESET_BINDING=false
+
 #####################################
 ############# BACKUPS ###############
 #####################################
@@ -1752,8 +1776,8 @@ <h4 id="config-adjustments---rest-api"><a class="header" href="#config-adjustmen
 #ML_LT_PWD_RESET=30
 
 # Lifetime in minutes for the first password magic link, for
-# setting the initial password. (default: 86400)
-#ML_LT_PWD_FIRST=86400
+# setting the initial password. (default: 4320)
+#ML_LT_PWD_FIRST=4320
 
 # The interval in seconds in which keep-alives should be sent to SSE clients.
 # Depending on your network setup, proxy timeouts, ...

diff --git a/docs/searchindex.js b/docs/searchindex.js
diff --git a/docs/searchindex.json b/docs/searchindex.json
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md
@@ -65,7 +65,7 @@ extract these values, create Kubernetes Secrets and provide them as environment
 # it work for the moment and deal with it later.
 #
 # default: false
-UNSAFE_NO_RESET_BINDING=true
+#UNSAFE_NO_RESET_BINDING=false
 
 #####################################
 ############# BACKUPS ###############
@@ -464,8 +464,8 @@ EVENT_LEVEL_FAILED_LOGIN=info
 #ML_LT_PWD_RESET=30
 
 # Lifetime in minutes for the first password magic link, for
-# setting the initial password. (default: 86400)
-#ML_LT_PWD_FIRST=86400
+# setting the initial password. (default: 4320)
+#ML_LT_PWD_FIRST=4320
 
 # The interval in seconds in which keep-alives should be sent to SSE clients.
 # Depending on your network setup, proxy timeouts, ...

diff --git a/rauthy-models/src/app_state.rs b/rauthy-models/src/app_state.rs
@@ -156,7 +156,7 @@ impl AppState {
             .expect("SESSION_TIMEOUT cannot be parsed to u32 - bad format");
 
         let ml_lt_pwd_first = env::var("ML_LT_PWD_FIRST")
-            .unwrap_or_else(|_| String::from("86400"))
+            .unwrap_or_else(|_| String::from("4320"))
             .trim()
             .parse::<u32>()
             .expect("ML_LT_PWD_FIRST cannot be parsed to u32 - bad format");

diff --git a/rauthy-models/src/email.rs b/rauthy-models/src/email.rs
@@ -8,6 +8,7 @@ use crate::i18n::email_reset_info::I18nEmailResetInfo;
 use crate::i18n::SsrJson;
 use actix_web::web;
 use askama_actix::Template;
+use chrono::DateTime;
 use lettre::message::{MultiPart, SinglePart};
 use lettre::transport::smtp::authentication;
 use lettre::{AsyncSmtpTransport, AsyncTransport};
@@ -17,7 +18,6 @@ use rauthy_common::constants::{
 use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
 use rauthy_notify::Notification;
 use std::time::Duration;
-use time::OffsetDateTime;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::Receiver;
 use tracing::{debug, error, info, warn};
@@ -188,9 +188,7 @@ pub async fn send_email_change_info_new(
         "{}/users/{}/email_confirm/{}",
         data.issuer, magic_link.user_id, &magic_link.id,
     );
-    let exp = OffsetDateTime::from_unix_timestamp(magic_link.exp)
-        .unwrap()
-        .to_string();
+    let exp = email_ts_prettify(magic_link.exp);
 
     let i18n = I18nEmailChangeInfoNew::build(&user.language);
     let text = EMailChangeInfoNewTxt {
@@ -297,9 +295,7 @@ pub async fn send_pwd_reset(data: &web::Data<AppState>, magic_link: &MagicLink,
         "{}/users/{}/reset/{}?type={}",
         data.issuer, magic_link.user_id, &magic_link.id, magic_link.usage,
     );
-    let exp = OffsetDateTime::from_unix_timestamp(magic_link.exp)
-        .unwrap()
-        .to_string();
+    let exp = email_ts_prettify(magic_link.exp);
 
     let i18n = I18nEmailReset::build(&user.language);
     let text = EmailResetTxt {
@@ -344,8 +340,7 @@ pub async fn send_pwd_reset(data: &web::Data<AppState>, magic_link: &MagicLink,
 }
 
 pub async fn send_pwd_reset_info(data: &web::Data<AppState>, user: &User) {
-    let exp = OffsetDateTime::from_unix_timestamp(user.password_expires.unwrap())
-        .expect("Corrupt user password expiry timestamp");
+    let exp = email_ts_prettify(user.password_expires.unwrap());
     let link = format!("{}/auth/v1/account.html", data.public_url);
 
     let i18n = I18nEmailResetInfo::build(&user.language);
@@ -528,3 +523,11 @@ async fn connect_test_smtp(
 
     Ok(conn)
 }
+
+/// Prettifies unix timestamps for E-Mails in a better readable format for end users
+#[inline]
+fn email_ts_prettify(ts: i64) -> String {
+    let dt = DateTime::from_timestamp(ts, 0).unwrap_or_default();
+    let fmt = dt.format("%d/%m/%Y %H:%M:%S");
+    format!("{} UTC", fmt)
+}
diff --git a/rauthy.cfg b/rauthy.cfg
@@ -437,8 +437,8 @@ SESSION_TIMEOUT=5400
 # Lifetime in minutes for reset password magic links (default: 30)
 ML_LT_PWD_RESET=30
 
-# Lifetime in minutes for the first password magic link, for setting the initial password. (default: 86400)
-ML_LT_PWD_FIRST=86400
+# Lifetime in minutes for the first password magic link, for setting the initial password. (default: 4320)
+ML_LT_PWD_FIRST=4320
 
 #####################################
 ############# LOGGING ###############