Options like map_group would fail silently when version=2 wasn't
set in our unix config. this detects that case and warns that it
is occuring.
To prevent this in the future, we deny unknown keys in v2 so that
if (when?) we add v3, new keys will cause an error.
If an OAuth2 auth request resume cookie was present, and at the same
time the kani instance was restarted, the cookie would now fail
to validate on the instance. This caused the user to experience an auth
loop where after every authentication they would see an error *despite*
logging in correctly, and then a refresh would show the correct
apps page.
This removes the auth_req cookie correctly even if it fails to
deserialise.
In some cases if the transport drops out from underneath unixd,
it can be difficult to diagnose and leads to inconsistent errors
and output such as prompting for a password multiple times when
it can't succeed.
This makes it clearer that the transport had an error, and it
denies the inflight authsession to prevent spurious password
prompts.
Post release some small user issues arose
* Optimise the autofocus for logins with passkeys to limit clicks
* Sort login mechs by strength
* Fix cookies to persist between browser restarts
* Re-migrate all acps to force updating
* Update server/lib/src/server/migrations.rs
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
A fault existed in the server's internal migration code, where attributes
that were multivalued would be merged rather than replaced in certain
contexts. This migration path is used for access controls, meaning that
on upgrades, attributes that were meant to be removed from access
controls or changes to access control target groups were not reflected
during the upgrade process.
This has a potentially low security impact as it may have allowed
users to change their name/displayname even if the administrator
had disable the name_self_write access control.
* More "choosing a domain" revision:
* Link to the domain rename process
* Add some hyphens to make things easier to read
* Move the OAuth 2.0 domain sharing guidance into the origin section
* Add DNS -> IP as a potential issue
* Discourage requesting public suffix list inclusion as a workaround
* Add "own hostname" section
- Resolve an issue where oauth2 could trigger the login page to
incorrectly redirect to an oauth2 application instead of apps
- Add indication of what client application we are accessing
if the session is not yet authenticated
