nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity
49 commits 1 branch 0 tags 293 KiB
Commit graph

49 commits

This branch
This branch
All branches
Author SHA1 Message Date
Pierre-Olivier Mercier
7b568607a6 fix(security): require configurable secret for X-Special-Auth docker registry bypass 
Replace hardcoded "docker-registry" check with a configurable secret via
DOCKER_REGISTRY_SECRET env var. When the env var is unset, the anonymous
docker registry bypass is disabled entirely, closing the unauthenticated
access path if the service is accidentally exposed directly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
2a9eec233a fix(security): add per-IP rate limiting to all authentication endpoints 
Implement sliding window rate limiter to prevent brute-force attacks:
- /auth and /login: 20 requests/minute per IP
- /change: 10 POST requests/minute per IP
- /lost: 5 POST requests/minute per IP (prevents email spam and user enumeration)
- /reset: 10 POST requests/minute per IP
- /api/v1/aliases: 30 requests/minute per IP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
93673510d8 fix(security): escape LDAP attribute data in HTML output to prevent XSS (CWE-79) 
Use html.EscapeString for attribute names and values when building HTML.
Move dynamic data (alias URL, API token) to data-* attributes and use
a self-contained onclick function to read them, eliminating JS string
injection via LDAP-controlled values.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
57775bbf89 fix(security): redesign password reset tokens using crypto/rand with server-side storage 
- Replace SHA512-based deterministic token with 32-byte crypto/rand token
- Store tokens server-side with 1-hour expiry and single-use semantics
- Remove genToken (previously broken due to time.Add immutability bug)
- Add CSRF double-submit cookie protection to change/lost/reset forms
- Remove token from form action URL (use hidden fields only, POST body)
- Add MailFrom field and SMTP_FROM env var for configurable sender address
- Add SMTP_PASSWORD_FILE env var for secure SMTP password loading
- Add PUBLIC_URL env var and --public-url flag for configurable reset link domain
- Use generic error messages in handlers to avoid information disclosure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
a2f368eb02 fix(security): add missing return after redirect in resetPassword handler 
http.Redirect only sets response headers; without return, handler execution
continued with empty login/token strings, potentially causing unexpected
LDAP queries and information leakage.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
10f41e4ef8 fix(security): escape LDAP filter inputs to prevent filter injection (CWE-90) 
Use ldap.EscapeFilter() on all user-controlled inputs before interpolating
them into LDAP search filter strings in SearchDN and SearchMailAlias.
Prevents authentication bypass via filter manipulation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-06 15:30:48 +07:00
Renovate Bot
121770c18a chore(deps): update dependency go to v1.26.0 2026-03-06 15:30:48 +07:00
Renovate Bot
4b7405fc61 chore(deps): update dependency go to v1.25.5 2026-03-06 15:30:48 +07:00
Renovate Bot
000f04a8f6 chore(deps): update module github.com/go-ldap/ldap/v3 to v3.4.12 2026-03-06 15:30:48 +07:00
Renovate Bot
399e8b6367 chore(deps): update module github.com/go-ldap/ldap/v3 to v3.4.11 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
6836e70e83 Can launch the executable with arguments to get reset token 2026-03-06 15:30:48 +07:00
Renovate Bot
0197446952 chore(deps): update module github.com/go-ldap/ldap/v3 to v3.4.10 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
ee1f8ce69f Hide krbPrincipalKey 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
65d0d4a53e Can delete own aliases 2026-03-06 15:30:48 +07:00
Pierre-Olivier Mercier
e6a4271a75 Add an API compatibly with addy.io to generate aliases
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-05-31 16:19:53 +02:00
Pierre-Olivier Mercier
b197fcd9af Replace bindata by embed 2024-05-31 15:52:25 +02:00
Pierre-Olivier Mercier
6fddff0b9c ci: Add triggers to avoid pull
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-05-24 10:40:20 +02:00
Renovate Bot
e724173bfe Update module github.com/go-ldap/ldap/v3 to v3.4.8
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2024-04-16 17:04:11 +00:00
Renovate Bot
5f4467750b Update module github.com/go-ldap/ldap/v3 to v3.4.6
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2023-09-16 12:08:02 +00:00
Renovate Bot
61165a3265 Update module github.com/go-ldap/ldap/v3 to v3.4.5
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2023-06-09 19:09:35 +00:00
Renovate Bot
dec12304a1 Update module github.com/go-ldap/ldap/v3 to v3.4.4 2022-07-28 09:19:01 +00:00
Pierre-Olivier Mercier
907f496b91 Add button to display the password fields
All checks were successful
continuous-integration/drone/push Build is passing
Details
2022-05-29 00:53:20 +02:00
Renovate Bot
b85f9b42c1 Update module github.com/go-ldap/ldap/v3 to v3.4.3
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2022-04-24 13:14:51 +00:00
Renovate Bot
3d948da818 Update github.com/amoghe/go-crypt commit hash to 20eada5
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2022-02-22 12:05:04 +00:00
Pierre-Olivier Mercier
d4a12f8205 Make go binaries lighter
All checks were successful
continuous-integration/drone/push Build is passing
Details
2022-02-19 15:57:45 +01:00
Pierre-Olivier Mercier
1c55277edf Run container as user 2022-02-19 15:57:45 +01:00
Renovate Bot
86676c61e5 Update module github.com/go-ldap/ldap/v3 to v3.4.2
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2022-02-15 14:05:21 +00:00
Pierre-Olivier Mercier
8be6706460 docker-registry: Also need pass to display /, to have a working UI
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-11-28 16:36:39 +01:00
Pierre-Olivier Mercier
e5046b108b Allow login of simpleSecurityObjects
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-09-15 18:25:11 +02:00
Pierre-Olivier Mercier
5643713c54 /auth: special case for docker-registry 2021-09-15 18:25:11 +02:00
Renovate Bot
82233a4b84 Update module github.com/go-ldap/ldap/v3 to v3.4.1
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2021-08-17 18:38:49 +00:00
Renovate Bot
9a7e8be351 Update module gopkg.in/ldap.v2 to v3
Some checks reported errors
continuous-integration/drone/pr Build was killed
Details
continuous-integration/drone/push Build is passing
Details
2021-08-12 03:32:34 +02:00
Pierre-Olivier Mercier
e9019026ff Include username in response header (for use by nginx auth_request)
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-08-11 18:33:14 +02:00
Renovate Bot
f54f54e538 Add renovate.json
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2021-08-03 09:02:00 +00:00
Pierre-Olivier Mercier
b014c3fb3c Can send mail through a smtp relay
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-06-12 10:03:32 +02:00
Pierre-Olivier Mercier
fa494910cf chldapasswd is now a go module 2021-02-03 15:16:19 +01:00
Pierre-Olivier Mercier
0d0438135c Add route for Basic HTTP auth
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-09-05 12:20:19 +02:00
Pierre-Olivier Mercier
ee30a37c41 Also use config from environment
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
2020-09-04 23:28:38 +02:00
Pierre-Olivier Mercier
7de1404f4d Add Dockerfile 2020-09-04 23:16:55 +02:00
Pierre-Olivier Mercier
4203f6e26b Add drone CI 2020-09-04 21:56:09 +02:00
Pierre-Olivier Mercier
cd8d7388a6 Use go-bindata instead of esc 2020-09-04 21:56:09 +02:00
Pierre-Olivier Mercier
b8d9118b56 go fmt 2020-09-02 15:09:14 +02:00
Pierre-Olivier Mercier
f819320f5a Continue reset form on bad entry 2018-12-31 01:00:24 +01:00
Pierre-Olivier Mercier
7226e9f1e2 Use esc to embed static assets 2018-12-31 01:00:24 +01:00
Pierre-Olivier Mercier
1d3ad672cb Theming 2018-12-31 01:00:24 +01:00
nemunaire
1a8301657c Avoid SMTP bug with .\n 2018-11-13 01:24:41 +01:00
nemunaire
3fd2231721 Use green background when message are not error 2018-11-13 01:19:23 +01:00
nemunaire
a375c6d2b1 Configuration filename is now an option 2018-11-13 01:17:09 +01:00
nemunaire
b99a321ded Initial commit 2018-11-13 01:14:42 +01:00