Improve error message when passkey is missing PIN
Firefox still doesn't support setting a PIN on new devices. Because
of this we need a way to return a better error message for devices
that don't have UV configured.
While testing for everything open I noticed two possible
issues. This PR fixes both.
The first is a possible recursion in the resolver. I think
I need to fix up it's transactions a bit in another PR.
The second was that the submit button on the reset form
doesn't work. This fixes that as well as post reset redirecting
to the correct location.
* feat: Add /.well-known/change-password endpoint
* fix: make the https view constants available inside the crate
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
While preparing for everything open, I found a small number of doc/book issues, some logging issues, and some minor performance wins. This pr is just small bits of various polish around the place.
Previously the code would do `key.replace("KANIDM_", "")`, this
allocates a new string, which is unnecessary, as we can simply call
`strip_prefix("KANIDM_")`.
This removes the `KANIDM_` prefix from a bunch of places, and doubles as
a check that the variable is prefixed with `KANIDM_`. Overall I believe
this change makes the code more robust and slightly reduces allocations,
speeding up an admittedly cold function (only called very infrequently).
* Add response_mode=fragment to discovery documents
* Add test for `response_mode=query`
* refactor OAuth 2.0 tests back into regular functions, because macros are messy
* Disallow some `response_type` x `response_mode` combinations per spec
During other testing I noticed that passkeys no longer worked
on a reauthentication. This was due to a regression in you
guessed it, cookies, where the auth session id wasn't being
removed properly.
* Add support for prefers-color-scheme using Bootstrap classes.
* Move stylesheet changes to separate javascript file.
* fix(html): don't specify the integrity hash in the tag for style.js
* fix(log): debug-log integrity hashes for troubleshooting
* fix(css): move to using bootstrap standard variables for colours and theming
* fix(js): rewrite to simplify and use standard bootstrap functionality
* fix(makefile): codespell thingie was complaining
* run prettier on css/js.
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
* make everything cookie consistent
* Stricter on expiry
* Relearn a painful lesson about needing domains in removal cookies
* fix: DRY cookie creation code and reduce the sins
This was a commonly requested re-addition to the new webui. This
adds the ability for someone to scan a qr code or follow a link
to enrol another device to their account.
OAuth2 session resumption was accidentally made a permanent cookie
which led to continuing issues with it causing invalid redirections
after login. Make this a session only cookie.
Rather than the generic 'invalid state' error, we now return
proper site-specific errors for credential commit failures, with
error messages to explain what went wrong.
During a re-auth flow, the password was not autocompleted once
totp was autocompleted. This is because in a normal login flow
the autocomplete is performed on the first login.html page,
but in a re-auth we skip that page.
This adds the proper handling to allow the pw to autofill
in the background once the TOTP is completed.
If an OAuth2 auth request resume cookie was present, and at the same
time the kani instance was restarted, the cookie would now fail
to validate on the instance. This caused the user to experience an auth
loop where after every authentication they would see an error *despite*
logging in correctly, and then a refresh would show the correct
apps page.
This removes the auth_req cookie correctly even if it fails to
deserialise.
Post release some small user issues arose
* Optimise the autofocus for logins with passkeys to limit clicks
* Sort login mechs by strength
* Fix cookies to persist between browser restarts
- Resolve an issue where oauth2 could trigger the login page to
incorrectly redirect to an oauth2 application instead of apps
- Add indication of what client application we are accessing
if the session is not yet authenticated
