* change ALLOW_SIGNUP to default to false
* add 1.4.0 tag for OIDC docs
* new notes on security inline with security/policy review
* safer transport for external requests
* fix linter errors
* docs: Tidy up wording/formatting
* fix request errors
* whoops
* fix implementation with std lib
* format
* Remove check on netloc_parts. It only includes URL after any @
---------
Co-authored-by: boc-the-git <3479092+boc-the-git@users.noreply.github.com>
Co-authored-by: Brendan <b.oconnell14@gmail.com>
* initial oidc implementation
* add dynamic scheme
* e2e test setup
* add caching
* fix
* try this
* add libldap-2.5 to runtime dependencies (#2849)
* New translations en-us.json (Norwegian) (#2851)
* New Crowdin updates (#2855)
* New translations en-us.json (Italian)
* New translations en-us.json (Norwegian)
* New translations en-us.json (Portuguese)
* fix
* remove cache
* cache yarn deps
* cache docker image
* cleanup action
* lint
* fix tests
* remove not needed variables
* run code gen
* fix tests
* add docs
* move code into custom scheme
* remove unneeded type
* fix oidc admin
* add more tests
* add better spacing on login page
* create auth providers
* clean up testing stuff
* type fixes
* add OIDC auth method to postgres enum
* add option to bypass login screen and go directly to IdP
* remove check so we can fallback to another auth method oauth fails
* Add provider name to be shown at the login screen
* add new properties to admin about api
* fix spec
* add a prompt to change auth method when changing password
* Create new auth section. Add more info on auth methods
* update docs
* run ruff
* update docs
* format
* docs gen
* formatting
* initialize logger in class
* mypy type fixes
* docs gen
* add models to get proper fields in docs and fix serialization
* validate id token before using it
* only request a mealie token on initial callback
* remove unused method
* fix unit tests
* docs gen
* check for valid idToken before getting token
* add iss to mealie token
* check to see if we already have a mealie token before getting one
* fix lock file
* update authlib
* update lock file
* add remember me environment variable
* add user group setting to allow only certain groups to log in
---------
Co-authored-by: Carter Mintey <cmintey8@gmail.com>
Co-authored-by: Carter <35710697+cmintey@users.noreply.github.com>
* 'hide' default email and password env variables
* first login API endpoint
* run code-generators
* frontend indicators for default username and pw
* remove old env variables from docs
* fix env set variable
* remove password from tests
* add groupSlug to most routes
* fixed more routing issues
* fixed jank and incorrect routes
* remove public explore links
* remove unused groupSlug and explore routes
* nuked explore pages
* fixed public toolstore bug
* fixed various routes missing group slug
* restored public app header menu
* fix janky login redirect
* 404 recipe API call returns to login
* removed unused explore layout
* force redirect when using the wrong group slug
* fixed dead admin links
* removed unused middleware from earlier attempt
* 🧹
* improve cookbooks sidebar
fixed sidebar link not working
fixed sidebar link target
hide cookbooks header when there are none
* added group slug to user
* fix $auth typehints
* vastly simplified groupSlug logic
* allow logged-in users to view other groups
* fixed some edge cases that bypassed isOwnGroup
* fixed static home ref
* 🧹
* fixed redirect logic
* lint warning
* removed group slug from group and user pages
refactored all components to use route groupSlug or user group slug
moved some group pages to recipe pages
* fixed some bad types
* 🧹
* moved groupSlug routes under /g/groupSlug
* move /recipe/ to /r/
* fix backend url generation and metadata injection
* moved shopping lists to root/other route fixes
* changed shared from /recipes/ to /r/
* fixed 404 redirect not awaiting
* removed unused import
* fix doc links
* fix public recipe setting not affecting public API
* fixed backend tests
* fix nuxt-generate command
---------
Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
* fix(security): reset login attempts after successful login
Enforce a maximum number of consecutive failed logins. Successfully logging in should reset the
count.
#2569
* fix(security): fix when user is unlocked
The user should be unlocked when locked_at is set, but the lock has expired.
#2569
`email.com` is not a reserved domain; incorrect configuration could result in unintentional effects.
`example.com` is reserved by IANA for bogus purposes, see RFC 6761.
* WIP: proof of concept
* basic meta tag injection
* add support for scraping public/private links
* make tests go brrrrr
* cleanup initialization
* rewrite build config
* remove recipe meta on frontend
* make type checker happy
* remove other deployment methods
* fix issue with JSON response on un-authenticated request
* docs updates
* update trivy scanner
* fix linter stuff
* change registry tag
* build fixes
* fix same mistake I always make
* fixed incorrect var ref
* added public recipe pagination route
* refactored frontend public/explore API
* fixed broken public cards
* hid context menu from cards when public
* fixed public app header
* fixed random recipe
* added public food, category, tag, and tool routes
* not sure why I thought that would work
* added public organizer/foods stores
* disabled clicking on tags/categories
* added public link to profile page
* linting
* force a 404 if the group slug is missing or invalid
* oops
* refactored to fit sidebar into explore
* fixed invalid logic for app header
* removed most sidebar options from public
* added backend routes for public cookbooks
* added explore cookbook pages/apis
* codegen
* added backend tests
* lint
* fixes v-for keys
* I do not understand but sure why not
---------
Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
* validate user attributes on user creation
add logs for invalid or missing attributes
* only update admin flag when admin status changes
* move ldap functions into separate file
* fix linter issues
* actually use the search_user function
* fix types
* add option to enable starttls for ldap
* add integration test for ldap service
* document new, optional environment variable
* fix: support anonymous bind
* id and mail attributes in LDAP_USER_FILTER should be implied
* remove print statement
* adds authentication method for users
* fix db migration with postgres
* tests for auth method
* update migration ids
* hide auth method on user creation form
* (docs): Added documentation for the new authentication method
* update migration
* add to auto-form instead of having hidden fields
* Corrected if statement to check if a result was returned by the LDAP search. And decoded the user_attributes from binary data to string
* removed trailing spaces
* Revert asserts in LDAP unit test back
Since an empty tuple is still a result, a user is created and the result should not be false.
* Simplified code
* Extended the LDAP implementation
* fix ldap authentication and user creation
* modified docs to include new LDAP environment variables
* update tests and linting
* add libldap-2.4-2 as runtime dependency for the api
---------
Co-authored-by: Erik Landkroon <eriklandkroon@gmail.com>
* Scheduled tasks log to Debug, not Info
* Add LOG_LEVEL config to .env
* Update some other log levels and fix typos
* fix logger initializer
---------
Co-authored-by: Jakob Rubin <647846+Grygon@users.noreply.github.com>
* docs: fix typos
* typos: fix typos found by `codespell` across the codebase
* docs: fix `macOS` spelling
* docs: fix `authentification` terminology
"Authentification" is not a thing.
* docs: fix `localhost` typo in example link
* typos: fix in-code typos
These are potentially higher risk, but no other mentions of these typos
show up in the codebase.
* Use Base DN for LDAP and fetch user attrs
Requires that a Base DN be set for LDAP
Set `full_name` and `email` based on LDAP attributes when creating user
* Add support for secure LDAP
Allow insecure LDAP connection (disabled by default)
Use CA when connecting to secure LDAP server
* Added missing quotes to example
* Update security.py
* Update security.py formatting
* Update security.py
Switched to f-String formatting
* formatting
* Update test_security.py
Added at attributes for testing
* Update test_security.py
Modified tests for base DN
* Update test_security.py
Set proper base DN for testing
* Update test_security.py
Corrected testing for LDAP
* Update test_security.py
Defined base_dn
* Authenticated user not in base DN
Add check for when user can authenticate but is not in base DN
* Update test_security.py
LDAP user cannot exist as it is searched before it is created and the list returns False
Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
* refactored event dispatching
added EventDocumentType and EventOperation to Event
added event listeners to bulk recipe changes
overhauled shopping list item events to be more useful
modified shopping list item repo to return more information
* added internal documentation for event types
* renamed message_types.py to event_types.py
* added unique event id and fixed instantiation
* generalized event listeners and publishers
moved apprise publisher to new apprise event listener
fixed duplicate message bug with apprise publisher
* added JWT field for user-specified integration id
* removed obsolete test notification route
* tuned up existing notification tests
* added dependency to get integration_id from jwt
* added base crud controller to facilitate events
* simplified event publishing
* temporarily fixed test notification
* add data-types required for login security
* implement user lockout checking at login
* cleanup legacy patterns
* expose passwords in test_user
* test user lockout after bad attempts
* test user service
* bump alembic version
* save increment to database
* add locked_at to datetime transformer on import
* do proper test cleanup
* implement scheduled task
* spelling
* document env variables
* implement context manager for session
* use context manager
* implement reset script
* cleanup generator
* run generator
* implement API endpoint for resetting locked users
* add button to reset all locked users
* add info when account is locked
* use ignore instead of expect-error
* Delay server response whenever username is non-existent
* utilize hasher to achieve constant timing
Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
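The login-hardening entries above (the `fix(security)` commits that reset the failed-attempt counter on success and unlock a user once `locked_at` has expired, and the "utilize hasher to achieve constant timing" commit for non-existent usernames) describe behaviour rather than show it. The following is an added example, not Mealie's own code: the `User` model, the field names `login_attempts` and `locked_at`, the limits `MAX_FAILED_ATTEMPTS` and `LOCKOUT_DURATION`, and the use of PBKDF2 in place of the project's hasher are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed policy values; the real project reads its own limits from configuration.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(hours=24)
PBKDF2_ITERATIONS = 100_000  # PBKDF2-SHA256 stands in for the project's hasher


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256, encoded as '<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest for the stored salt and compare it in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed placeholder hash: verifying against it costs the same as a real
# check, so a request for an unknown username takes as long as one for a known user.
DUMMY_HASH = hash_password("placeholder-not-a-real-credential")


@dataclass
class User:
    """Constructed stand-in for the user record; field names are assumptions."""
    username: str
    password_hash: str
    login_attempts: int = 0
    locked_at: Optional[datetime] = None


def is_locked(user: User, now: datetime) -> bool:
    """Locked only while locked_at is set AND the lockout window has not expired."""
    if user.locked_at is None:
        return False
    return now - user.locked_at < LOCKOUT_DURATION


def authenticate(users: Dict[str, User], username: str, password: str, now: datetime) -> Optional[User]:
    user = users.get(username)
    # Always run the hasher exactly once, against the real hash or the dummy,
    # so response time does not reveal whether the username exists.
    password_ok = verify_password(password, user.password_hash if user else DUMMY_HASH)
    if user is None:
        return None
    if is_locked(user, now):
        return None  # lockout still in force, even for a correct password
    if user.locked_at is not None:
        # The lock has expired: clear it so the counter starts fresh.
        user.locked_at = None
        user.login_attempts = 0
    if not password_ok:
        user.login_attempts += 1
        if user.login_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked_at = now
        return None
    # A successful login resets the failed-attempt counter.
    user.login_attempts = 0
    return user


def run_scenario() -> dict:
    """Walk through the cases the changelog entries describe; returns observations."""
    users = {"alice": User("alice", hash_password("correct horse battery"))}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    out = {}
    out["unknown_user"] = authenticate(users, "nobody", "anything", t0) is None
    for _ in range(2):
        authenticate(users, "alice", "wrong", t0)
    out["attempts_after_two_failures"] = users["alice"].login_attempts
    out["success_resets"] = (
        authenticate(users, "alice", "correct horse battery", t0) is not None
        and users["alice"].login_attempts == 0
    )
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(users, "alice", "wrong", t0)
    out["locked_at_set"] = users["alice"].locked_at == t0
    out["locked_rejects_good_password"] = authenticate(users, "alice", "correct horse battery", t0) is None
    t1 = t0 + LOCKOUT_DURATION
    out["unlocked_after_expiry"] = authenticate(users, "alice", "correct horse battery", t1) is not None
    out["state_cleared"] = users["alice"].locked_at is None and users["alice"].login_attempts == 0
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The ordering in `authenticate` is the point: the hash is computed before any branch on whether the user exists or is locked, so all three outcomes (unknown, locked, wrong password) share the same dominant cost, and the lock check reads `locked_at` together with the expiry window rather than treating any non-null `locked_at` as locked.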
* Changes Settings to use new SMTP_AUTH_STRATEGY variable in place of SMTP_TLS with transition support
#1187
* Wires up default email client to use ssl or tls authentication if enabled in settings
* Updates the docs
* Update template file
* remove SMTP_TLS and use staticmethod for validate
* consolidate test cases with params
Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>