Merge pull request #179 from sebadob/prepare-release_2-0.19.1
write changelog + bump tag to 0.19.1 in readme and docs
sebadob authored Nov 20, 2023
2 parents d5800ce + c738f62 commit ca1e89e
Showing 15 changed files with 72 additions and 17 deletions.
56 changes: 56 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,61 @@
# Changelog

## v0.19.1

This is a small bugfix and compatibility release regarding password reset E-Mails.

The main reason for this release are problems with the Password Reset via E-Mail when users
are using Microsoft (the only service provider where this problems can be replicated 100% of the time)
and / or Outlook. These users were unable to use password reset links at all.
The reason is a "Feature" from Microsoft. They fully scan the user's E-Mails and even follow all links
inside it. The problem is, that the binding cookie from Rauthy will go to the Microsoft servers instead
of the user, making is unusable and basically invalidating everything before the user has any chance to
use the link properly.

The usage of this config variable is **highly discouraged,** and you should **avoid it, if you can**.
However, big enterprises are moving slowly (and often not at all). This new config variable can be used
as a last resort, to make it usable by giving up some security.

```
# This value may be set to 'true' to disable the binding cookie checking
# when a user uses the password reset link from an E-Mail.
#
# When using such a link, you will get a so called binding cookie. This
# happens on the very first usage of such a reset link. From that moment on,
# you will only be able to access the password reset form with this very
# device and browser. This is just another security mechanism and prevents
# someone else who might be passively sniffing network traffic to extract
# the (unencrypted) URI from the header and just use it, before the user
# has a change to fill out the form. This is a mechanism to prevent against
# account takeovers during a password reset.
#
# The problem however are companies (e.g. Microsoft) who scan their customers
# E-Mails and even follow links and so on. They call it a "feature". The
# problem is, that their servers get this binding cookie and the user will be
# unable to use this link himself. The usage of this config option is highly
# discouraged, but since everything moves very slow in big enterprises and
# you cannot change your E-Mail provider quickly, you can use it do just make
# it work for the moment and deal with it later.
#
# default: false
#UNSAFE_NO_RESET_BINDING=false
```

### Changes

- implement `UNSAFE_NO_RESET_BINDING` like mentioned above
[1f4a146](https://github.com/sebadob/rauthy/commit/1f4a1462697e85e068edd6bbd3f670f9d1ed985b)
- prettify the expiry timestamp in some E-Mails
[1173fa0](https://github.com/sebadob/rauthy/commit/1173fa0f5ac517c7797c34e1240cbd37cb54dae6)

### Bugfixes
- It was possible to get an "Unauthorized Session" error during a password reset, if it has been
initiated by an admin and / or from another browser.
[e5d1d9d](https://github.com/sebadob/rauthy/commit/e5d1d9dd30452fdf5c33cc8e1cfac9670a514c74)
- Correctly set `ML_LT_PWD_FIRST` - set the default value in minutes (like documented) instead
of seconds. New default is `ML_LT_PWD_FIRST=4320`
[e9d1b56](https://github.com/sebadob/rauthy/commit/e9d1b5627809825241fcb0dbea4935f76d1334f1)

## v0.19.0

### Solid OIDC Support
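Review bot: the new v0.19.1 text carries a few typos worth fixing before the tag goes out: "making is unusable" should read "making it unusable", "before the user has a change to fill out the form" should be "has a chance", "their customers E-Mails" needs "customers'", and "you can use it do just make it work" should be "use it to just make it work". On substance, the `UNSAFE_NO_RESET_BINDING` comment explains what the binding cookie protects against but not what remains once it is disabled: with the option on, the reset link itself is the only secret, so whoever obtains it (the scanning mail provider included) can complete the reset. Saying that plainly in the comment, and naming whichever setting bounds the reset link's validity as the remaining lever for limiting exposure, would help operators who are forced into this setting decide how to compensate.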
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -145,7 +145,7 @@ Either just take a look at the [Rauthy Book](https://sebadob.github.io/rauthy/),
the application yourself with docker on your localhost:

```
docker run --rm -p 8080:8080 ghcr.io/sebadob/rauthy:0.19.0-lite
docker run --rm -p 8080:8080 ghcr.io/sebadob/rauthy:0.19.1-lite
```

## Contributing
6 changes: 3 additions & 3 deletions docs/getting_started/docker.html
Expand Up @@ -179,7 +179,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
<pre><code>docker run --rm \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.19.0-lite
ghcr.io/sebadob/rauthy:0.19.1-lite
</code></pre>
<p>This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
logs to see the URL and first password.</p>
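Review bot: the unchanged context right after the command still reads "take a look at the log at the logs to see the URL and first password"; since this file is touched for the tag bump anyway, dropping the stray "at the log" so it reads "take a look at the logs" would be a cheap fix to include here.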
Expand All @@ -188,7 +188,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
-e DATABASE_URL=sqlite:data/rauthy.db \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.19.0-lite
ghcr.io/sebadob/rauthy:0.19.1-lite
</code></pre>
<div id="admonition-note" class="admonition note">
<div class="admonition-title">
Expand Down Expand Up @@ -273,7 +273,7 @@ <h2 id="production-setup"><a class="header" href="#production-setup">Production
-v $(pwd)/rauthy/data:/app/data \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.19.0-lite
ghcr.io/sebadob/rauthy:0.19.1-lite
</code></pre>
<p><strong>6. Restrict DB files access even more</strong><br />
After rauthy has done the first start, you could harden the access rights of the SQLite files even more.<br />
2 changes: 1 addition & 1 deletion docs/getting_started/k8s.html
Expand Up @@ -318,7 +318,7 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
fsGroup: 10001
containers:
- name: rauthy
image: ghcr.io/sebadob/rauthy:0.19.0-lite
image: ghcr.io/sebadob/rauthy:0.19.1-lite
imagePullPolicy: IfNotPresent
securityContext:
# User ID 10001 is actually built into the container at the creation for
8 changes: 4 additions & 4 deletions docs/print.html
Expand Up @@ -290,7 +290,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
<pre><code>docker run --rm \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.19.0-lite
ghcr.io/sebadob/rauthy:0.19.1-lite
</code></pre>
<p>This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
logs to see the URL and first password.</p>
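Review bot: this hunk mirrors the docker.html change line for line, including the "log at the logs" wording in the context below it; if docs/print.html is produced by the book build from the same source pages, fixing the source once and regenerating keeps every copy of the image tag and the surrounding text in sync, rather than relying on four separate hand edits staying aligned on each release.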
Expand All @@ -299,7 +299,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
-e DATABASE_URL=sqlite:data/rauthy.db \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.19.0-lite
ghcr.io/sebadob/rauthy:0.19.1-lite
</code></pre>
<div id="admonition-note" class="admonition note">
<div class="admonition-title">
Expand Down Expand Up @@ -384,7 +384,7 @@ <h2 id="production-setup"><a class="header" href="#production-setup">Production
-v $(pwd)/rauthy/data:/app/data \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.19.0-lite
ghcr.io/sebadob/rauthy:0.19.1-lite
</code></pre>
<p><strong>6. Restrict DB files access even more</strong><br />
After rauthy has done the first start, you could harden the access rights of the SQLite files even more.<br />
Expand Down Expand Up @@ -539,7 +539,7 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
fsGroup: 10001
containers:
- name: rauthy
image: ghcr.io/sebadob/rauthy:0.19.0-lite
image: ghcr.io/sebadob/rauthy:0.19.1-lite
imagePullPolicy: IfNotPresent
securityContext:
# User ID 10001 is actually built into the container at the creation for
2 changes: 1 addition & 1 deletion docs/searchindex.js
