46 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Pierre-Olivier Mercier	57775bbf89	fix(security): redesign password reset tokens using crypto/rand with server-side storage ... - Replace SHA512-based deterministic token with 32-byte crypto/rand token - Store tokens server-side with 1-hour expiry and single-use semantics - Remove genToken (previously broken due to time.Add immutability bug) - Add CSRF double-submit cookie protection to change/lost/reset forms - Remove token from form action URL (use hidden fields only, POST body) - Add MailFrom field and SMTP_FROM env var for configurable sender address - Add SMTP_PASSWORD_FILE env var for secure SMTP password loading - Add PUBLIC_URL env var and --public-url flag for configurable reset link domain - Use generic error messages in handlers to avoid information disclosure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier	a2f368eb02	fix(security): add missing return after redirect in resetPassword handler ... http.Redirect only sets response headers; without return, handler execution continued with empty login/token strings, potentially causing unexpected LDAP queries and information leakage. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier	10f41e4ef8	fix(security): escape LDAP filter inputs to prevent filter injection (CWE-90) ... Use ldap.EscapeFilter() on all user-controlled inputs before interpolating them into LDAP search filter strings in SearchDN and SearchMailAlias. Prevents authentication bypass via filter manipulation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-06 15:30:48 +07:00
Renovate Bot	121770c18a	chore(deps): update dependency go to v1.26.0	2026-03-06 15:30:48 +07:00
Renovate Bot	4b7405fc61	chore(deps): update dependency go to v1.25.5	2026-03-06 15:30:48 +07:00
Renovate Bot	000f04a8f6	chore(deps): update module github.com/go-ldap/ldap/v3 to v3.4.12	2026-03-06 15:30:48 +07:00
Renovate Bot	399e8b6367	chore(deps): update module github.com/go-ldap/ldap/v3 to v3.4.11	2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier	6836e70e83	Can launch the executable with arguments to get reset token	2026-03-06 15:30:48 +07:00
Renovate Bot	0197446952	chore(deps): update module github.com/go-ldap/ldap/v3 to v3.4.10	2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier	ee1f8ce69f	Hide krbPrincipalKey	2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier	65d0d4a53e	Can delete own aliases	2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier	e6a4271a75	Add an API compatibly with addy.io to generate aliases	2024-05-31 16:19:53 +02:00
Pierre-Olivier Mercier	b197fcd9af	Replace bindata by embed	2024-05-31 15:52:25 +02:00
Pierre-Olivier Mercier	6fddff0b9c	ci: Add triggers to avoid pull	2024-05-24 10:40:20 +02:00
Renovate Bot	e724173bfe	Update module github.com/go-ldap/ldap/v3 to v3.4.8	2024-04-16 17:04:11 +00:00
Renovate Bot	5f4467750b	Update module github.com/go-ldap/ldap/v3 to v3.4.6	2023-09-16 12:08:02 +00:00
Renovate Bot	61165a3265	Update module github.com/go-ldap/ldap/v3 to v3.4.5	2023-06-09 19:09:35 +00:00
Renovate Bot	dec12304a1	Update module github.com/go-ldap/ldap/v3 to v3.4.4	2022-07-28 09:19:01 +00:00
Pierre-Olivier Mercier	907f496b91	Add button to display the password fields	2022-05-29 00:53:20 +02:00
Renovate Bot	b85f9b42c1	Update module github.com/go-ldap/ldap/v3 to v3.4.3	2022-04-24 13:14:51 +00:00
Renovate Bot	3d948da818	Update github.com/amoghe/go-crypt commit hash to 20eada5	2022-02-22 12:05:04 +00:00
Pierre-Olivier Mercier	d4a12f8205	Make go binaries lighter	2022-02-19 15:57:45 +01:00
Pierre-Olivier Mercier	1c55277edf	Run container as user	2022-02-19 15:57:45 +01:00
Renovate Bot	86676c61e5	Update module github.com/go-ldap/ldap/v3 to v3.4.2	2022-02-15 14:05:21 +00:00
Pierre-Olivier Mercier	8be6706460	docker-registry: Also need pass to display /, to have a working UI	2021-11-28 16:36:39 +01:00
Pierre-Olivier Mercier	e5046b108b	Allow login of simpleSecurityObjects	2021-09-15 18:25:11 +02:00
Pierre-Olivier Mercier	5643713c54	/auth: special case for docker-registry	2021-09-15 18:25:11 +02:00
Renovate Bot	82233a4b84	Update module github.com/go-ldap/ldap/v3 to v3.4.1	2021-08-17 18:38:49 +00:00
Renovate Bot	9a7e8be351	Update module gopkg.in/ldap.v2 to v3	2021-08-12 03:32:34 +02:00
Pierre-Olivier Mercier	e9019026ff	Include username in response header (for use by nginx auth_request)	2021-08-11 18:33:14 +02:00
Renovate Bot	f54f54e538	Add renovate.json	2021-08-03 09:02:00 +00:00
Pierre-Olivier Mercier	b014c3fb3c	Can send mail through a smtp relay	2021-06-12 10:03:32 +02:00
Pierre-Olivier Mercier	fa494910cf	chldapasswd is now a go module	2021-02-03 15:16:19 +01:00
Pierre-Olivier Mercier	0d0438135c	Add route for Basic HTTP auth	2020-09-05 12:20:19 +02:00
Pierre-Olivier Mercier	ee30a37c41	Also use config from environment	2020-09-04 23:28:38 +02:00
Pierre-Olivier Mercier	7de1404f4d	Add Dockerfile	2020-09-04 23:16:55 +02:00
Pierre-Olivier Mercier	4203f6e26b	Add drone CI	2020-09-04 21:56:09 +02:00
Pierre-Olivier Mercier	cd8d7388a6	Use go-bindata instead of esc	2020-09-04 21:56:09 +02:00
Pierre-Olivier Mercier	b8d9118b56	go fmt	2020-09-02 15:09:14 +02:00
Pierre-Olivier Mercier	f819320f5a	Continue reset form on bad entry	2018-12-31 01:00:24 +01:00
Pierre-Olivier Mercier	7226e9f1e2	Use esc to embed static assets	2018-12-31 01:00:24 +01:00
Pierre-Olivier Mercier	1d3ad672cb	Theming	2018-12-31 01:00:24 +01:00
nemunaire	1a8301657c	Avoid SMTP bug with .\n	2018-11-13 01:24:41 +01:00
nemunaire	3fd2231721	Use green background when message are not error	2018-11-13 01:19:23 +01:00
nemunaire	a375c6d2b1	Configuration filename is now an option	2018-11-13 01:17:09 +01:00
nemunaire	b99a321ded	Initial commit	2018-11-13 01:14:42 +01:00