36 Commits

Author SHA1 Message Date
7a78b8e172 fix: change module name corresponding to version 2025-09-25 19:15:20 +02:00
983000d94e feat(ee): saml idp initiated sso 2025-02-13 12:44:36 +01:00
c40897ac09 feat: always persist sessions server-side, config adjustments (#1997)
* feat: always persist sessions server-side, config adjustments
2024-12-20 09:52:52 +01:00
d510fa5116 fix: check server side session for REST API endpoints (#1988)
Check server side sessions in session middleware for REST API endpoints.
Without it a server side session could be deleted, but can still be used at the REST API endpoints.
2024-12-05 10:08:45 +01:00
c264108f87 Admin api changes (#1974)
* feat: return mfa only flag

* feat: add webauthn admin handler

* feat: add webauthn credential handler to router

* feat: add password mgmt admin endpoints

* feat: add sessions admin handler

* feat: add otp admin handler

* feat: add otp to admin user dto

* test: add admin password handler test

* test: add admin webauthn handler test

* test: add admin session handler test

* test: add admin otp handler test

* chore: merge both loadDto functions

* tests: fix test name typos
2024-12-03 11:22:52 +01:00
f32f48e85b feat: trusted devices and 'remember me' (#1982) 2024-11-29 11:06:47 +01:00
bc04b729dd feat: introduce mfa (#1645)
* feat: create otp_secrets table

* feat: create otp secret model

* feat: add mfa_only column to webauthn_credentials table

* feat: add mfa only field to webauthn credential model

* feat: add mfa config (#1607)

* feat: add otp secret persister (#1613)

* feat: MFA usage sub flow (#1614)

* feat: add mfa-usage sub-flow

---------

Co-authored-by: Lennart Fleischmann <67686424+lfleischmann@users.noreply.github.com>

* feat: include platform authenticator availability in the preflight flow (#1615)

* feat: add mfa creation subflow

* feat: adjust registration flow

* feat: integrate mfa usage sub-flow

* feat: add pages for mfa (#1622)

* feat: profile flow adjustments for mfa support

* fix: suspension logic for mfa deletion actions

* feat: use dedicated action for security key creation options

* fix: mfa method stash entry can be stale on profile flow

The mfa_creation subflow sets an mfa_method stash value so that
when creating and persisting the credential the mfa_only flag can
be set correctly in the hook responsible for that. But the profile flow
never "ends" and returns to the initial state so I can also
register a passkey afterwards. The mfa_method stash key remains on the
stash but is used in the hook nonetheless, so the passkey is incorrectly
recognized as a security key.

The mfa_method key is now deleted after successfully persisting the
credential/security_key. This should not have an effect on the login
flow because the mfa_creation subflow is the last subflow to be
executed. It also should not affect the registration flow, because the
hook is not applied in the registration flow (persistence of data is
all handled in the create_user hook).

* feat: add new icons and english translations (#1626)

* fix: credential id encoding corrected (#1628)

* feat: add audit logs for mfa creation

* feat: add a skip link to the mfa method chooser (#1630)

* feat: save the security key during login (#1629)

* feat: show security keys in profile

* feat: add authenticator app management to profile (#1633)

* feat: add authenticator app management to profile
* feat: passkey counts as second factor

* feat: prohibit security key first factor usage

* feat: add all WA creds to exclude list on registration

* refactor: mfa stash entries and webauthn credential persistence

Renames MFA stash entry for indicating usage (login) method to make its
meaning more explicit. Also removes code persisting a webauthn credential
from the attestation verification action in the onboarding flow because
this is already done by a shared hook.

* refactor: simplify WA creation call

Co-authored-by: bjoern-m <56024829+bjoern-m@users.noreply.github.com>

* chore: adjust mfa flow

* fix: mfa onboarding always shown during login

* fix: mfa onboarding not shown after password or email creation during login

* fix: mfa onboarding not shown without user detail onboarding

* fix: correct skip/back behaviour

* feat: reuse generated otp secret when the code is invalid

* chore: skip mfa prompt if the user only has a passkey

* chore: adjust login flow

* chore: skip mfa prompt if the user only has a passkey

* chore: refactor and improve mfa onboarding

* fix: no mfa onboarding when passwords and passkeys are disabled

* fix: only show mfa onboarding once

* feat: add a function to the flowpilot to check whether a state has been visited

* chore: adjust recovery flow (#1655)

* feat: disable password, passcode endpoints when mfa enabled

* Feat: remember last used login method (#1674)

* chore: remove omitempty from boolean (#1676)

* chore: improved error handling (#1679)

* chore: improved error handling

* feat: add missing translations (#1681)

* feat: update aaguid list (#1678)

* fix: do not suspend webauthn action for MFA (#1778)

Do not suspend the `webauthn_verify_attestation_response` action when passkeys are disabled, but security keys and MFA are enabled.

* fix: change texts (#1785)

Change texts regarding security creation to be more consistent across the flows and to be more precise.

* Fix: UI issues (#1846)

* fix: loading spinner alignment corrected

* fix: auth app deletion link is shown while deletion is not allowed

* Chore: remove test persister (#1876)

* chore: remove deprecated test persister

* chore: replace test persister calls

* chore: add saml state fixtures

* Update backend/flow_api/services/webauthn.go

Co-authored-by: Frederic Jahn <frederic.jahn@hanko.io>

* Update backend/dto/profile.go

Co-authored-by: Frederic Jahn <frederic.jahn@hanko.io>

* fix: otp validation uses the rate limiter key for passwords

* chore: add otp-limits to the default config

* chore: add explanation for 'UserVerification' setting on security keys

---------

Co-authored-by: Lennart Fleischmann <lennart.fleischmann@hanko.io>
Co-authored-by: Lennart Fleischmann <67686424+lfleischmann@users.noreply.github.com>
Co-authored-by: Frederic Jahn <frederic.jahn@hanko.io>
2024-11-01 19:38:30 +01:00
9dbc62524a feat: Server side sessions (#1673)
* feat: add server side sessions

* feat: add lastUsed & admin endpoint

* feat: add session list to elements

* fix: fix public session endpoint

* chore: only store session info when enabled

* build: update go mod

* feat: add translations

* test: fix tests

* feat: change path

* feat: return userID on session validation endpoint

* feat: move all session endpoints to public router

* fix: add missing translation

* fix: add missing structs

* chore: align session persister with other persisters

* fix: use correct translation label

* chore: add db validator to session model

* feat: create server side session from cmd

* fix: fix review findings
2024-10-15 11:36:32 +02:00
38a11deffa fix: only use transaction connection in a transaction (#1598)
* fix: only use transaction connection in a transaction

* test: fix webhook tests
2024-08-28 11:56:09 +02:00
0835215654 chore: add webhooks to flow-api (#1574) 2024-08-13 16:00:52 +02:00
601ffaae92 Introduce Flowpilot - integration (#1532)
This pull request introduces the new Flowpilot system along with several new features and various improvements. The key enhancements include configurable authorization, registration, and profile flows, as well as the ability to enable and disable user identifiers (e.g., email addresses and usernames) and login methods.

---------

Co-authored-by: Frederic Jahn <frederic.jahn@hanko.io>
Co-authored-by: Lennart Fleischmann <lennart.fleischmann@hanko.io>
Co-authored-by: lfleischmann <67686424+lfleischmann@users.noreply.github.com>
Co-authored-by: merlindru <hello@merlindru.com>
2024-08-06 16:07:29 +02:00
def7ad37a0 [FEAT] disable email delivery (#1419)
* feat: add config to disable email delivery

* chore: update config schema

* docs: add new config parameter

* test: fix test

* fix: rename email webhook event

* docs: Update backend/docs/Config.md

Co-authored-by: Lennart Fleischmann <67686424+lfleischmann@users.noreply.github.com>

---------

Co-authored-by: Lennart Fleischmann <67686424+lfleischmann@users.noreply.github.com>
2024-04-18 15:15:02 +02:00
8d745cc742 feat(webhooks): add webhooks trigger to thirdparty auth
* add user.create event trigger to thirdparty signup
* add user.update when an email is added to an identity
* add email.create when email is created

Closes: #1361
2024-02-27 11:17:32 +01:00
0b6c5bef76 Merge branch 'main' into feat/692-webhooks 2024-02-12 10:04:28 +01:00
a35725c69c Merge branch 'main' into fix/1027-improve-passkey-naming 2024-01-31 14:00:58 +01:00
38209aa1bd Merge branch 'main' into feat/692-webhooks 2024-01-30 11:36:44 +01:00
97ba5cff99 1030 - Refactor SMTP settings to be outside of passcode config (#1121)
* 1030 - Refactor SMTP settings to be outside of passcode config

* Backwards compatibility of SMTP settings

* Do not error if root smtp and passcode smtp are defined. Log warning instead

* Update warning message
2024-01-30 09:34:10 +01:00
097569ad8b chore(passkeys): change naming of aaguid map to authenticator metadata
Closes: #1027
2024-01-29 09:43:21 +01:00
ce7a6f1971 improve(passkeys): improve passkey naming
* add cmd flag for loading aaguid-map file
* add aaguid mapper for better passkey naming
* bundle aaguid file in docker container
* refactor file loading to reuse in multiple occasions

Closes: #1027
2024-01-29 09:43:21 +01:00
c9994bdc3a fix(review): fix review findings
* admin api: make email primary when user has no emails
* utils: move get updated user and webhook trigger to utils to reduce duplicated code
* events: remove unused user and email event - Check is replaced with string variant
* remove unused dtos
* fix tests after changes
* webhook tests: switch to test.Suite instead of TestPersister -> added deprecation annotation to test.NewPersister
* Email Verification: Fix trigger of webhook when email verification is enabled and an email is created but not validated

Closes: #692, #1051
2024-01-25 13:20:56 +01:00
3cafb66754 feat(webhooks): add tests and fix review issues
* add tests for webhooks
* improve error handling when context does not contain webhook manager
* add logging to worker and fix nesting error overwrite
* remove enable and disable methods in favor of update method
* move data in jwt from subject claim to custom `data` claim
* add event in jwt to custom `evt` claim
* change webhook trigger to only fire once per hook (was once per subscribed event in hook before)

Closes #692
2024-01-17 14:19:10 +01:00
45cbd74314 feat(webhooks): add webhooks
* add webhooks settings to config
* add webhooks entity for database
* add endpoints for webhooks
* add worker for asynchronously executing webhooks
* add trigger for events to user change/create/delete users/emails

Closes #692
2024-01-12 16:04:31 +01:00
724013e56d feat(saml): implement enterprise saml feature
Co-authored-by: Stefan Jacobi <stefan.jacobi@adesso.de>
2023-10-18 10:50:58 +02:00
dd4fa7c80b fix: public router adhere to LogHealthAndMetrics option
In contrast to the admin routes, the public router does not disable logging on the health endpoints.
This change alters the behaviour of the public router to be in line with the admin router.
2023-09-12 13:41:59 +02:00
1ba2ab1d89 feat: add status page 2023-08-14 10:17:23 +02:00
f944abcd63 feat(backend): let cookie name be configurable through config 2023-07-03 15:14:57 +02:00
78c8067299 feat: switch deprecated prometheus middleware with new echoprometheus middleware 2023-06-12 08:16:38 +02:00
44248c3145 Merge pull request #780 from teamhanko/feat-add-iss-claim
Feat add iss and aud claims
2023-05-31 13:32:50 +02:00
404c736f77 Improve custom events and update example apps (#768) 2023-05-30 13:37:30 +02:00
df520f646c fix: build 2023-05-26 11:56:41 +02:00
fdf665eabb Session events (#725)
* feat(frontend-sdk): introduce events
* feat(elements): change hanko-elements register function
2023-04-28 14:14:47 +02:00
fb67693a88 feat(thirdparty): sign in with apple 2023-04-28 13:31:12 +02:00
3a8f171596 Merge remote-tracking branch 'origin/main' into feat-simplify-config 2023-04-12 17:50:37 +02:00
cb272a829a Merge branch 'main' into test-improve-integration-tests
# Conflicts:
#	backend/handler/public_router.go
2023-04-12 16:13:07 +02:00
62c0595858 test: change user handler tests to use router 2023-03-31 12:09:06 +02:00
afdfa4ad7d test: start integration improvement 2023-03-31 09:00:16 +02:00