deblan-mirror/sftpgo

mirror of https://github.com/drakkan/sftpgo.git synced 2026-03-14 22:35:52 +01:00

Author	SHA1	Message	Date
Nicola Murino	a768dac29d	jwt: increase leeway and add some tests also export a constant for the Cookie name Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-10-11 14:14:21 +02:00
Nicola Murino	0ae2354fed	JWT: replace jwtauth/jwx with lightweight wrapper around go-jose We replaced the jwtauth and jwx libraries with a minimal custom wrapper around go-jose because we don’t need the full feature set provided by jwx. Implementing our own wrapper simplifies the codebase and improves maintainability. Moreover, go-jose depends only on the standard library, resulting in a leaner dependency that still meets all our requirements. This change also reduces the SFTPGo binary size by approximately 1MB Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-10-08 18:10:39 +02:00
Nicola Murino	ddbe40cefa	HTTPD, WebDAV: use http.ResponseController backport from Enterprise edition Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-08-02 18:00:45 +02:00
Nicola Murino	7317674b41	Remove legacy data retention API Data retention is now managed via the EventManager, introduced in v2.4.0. This allows scheduling retention checks and sending email or HTTP notifications, making the old API redundant. Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-07-12 22:20:54 +02:00
Nicola Murino	9e2230cc33	Support leading and trailing spaces in user passwords This improves compatibility with external authentication providers that allow such characters in passwords. Passwords created via the WebAdmin UI are still sanitized to prevent user confusion. Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-04-26 14:31:13 +02:00
Nicola Murino	f41f00fec2	httpd: allow to configure referrer policy header Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-04-07 18:48:48 +02:00
Nicola Murino	d95d773570	oidc: allow login if the password method is disabled isLoggedInWithOIDC returns false before login so we need to add a specific check Fixes #1879 Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-03-29 20:28:49 +01:00
Nicola Murino	69ef36b4d9	httpd: add a setting to disable login methods, deprecate the previous one the previous enabled login methods setting is hard to extend in a backward compatible way Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-01-25 22:00:55 +01:00
Nicola Murino	48258f6e67	httpd: add cross origin resource and embedder policy headers Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-01-24 19:34:57 +01:00
Nicola Murino	1f4cb7077a	bad host handler: return a generic error message Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2025-01-06 10:08:25 +01:00
Nicola Murino	deea9ff038	do not return if client IP is not allowed in login API response Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-12-28 18:47:04 +01:00
Nicola Murino	70fc00d7eb	Allow to choose enabled languages Fixes #1835 Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-12-19 19:50:19 +01:00
Nicola Murino	ec90b61bb4	allow to configure JWT tokens and cookies duration Fixes #1839 Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-12-18 18:33:37 +01:00
Nicola Murino	e21c989038	logs: add a specific log structure for successful logins Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-12-07 10:29:33 +01:00
Nicola Murino	d3e76898cd	WebAdmin: refactor template permissions Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-11-26 20:39:36 +01:00
Nicola Murino	3dd412f6e3	WebAdmin and REST API: remove too granular permissions Our permissions system for admin users is too granular and some permissions overlap. For example, you can define an administrator with the "manage_system" permission and not with the "manage_admins" or "manage_user" permission, but the "manage_system" permission allows you to restore a backup and then create users and administrators. The following permissions will be removed: "manage_admins", "manage_apikeys", "manage_system", "retention_checks", "manage_event_rules", "manage_roles", "manage_ip_lists". Now you need to add the "*" permission to replace the removed granular permissions because the removed permissions allow actions that should only be allowed to super administrators. There is no point in having separate, overlapping permissions. Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-11-10 10:46:28 +01:00
Nicola Murino	7aac64531f	WebAdmin: check CSRF header when deleting blocked hosts Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-11-09 18:44:31 +01:00
Nicola Murino	5162c5de87	WebUIs: add a nil check for token in refresh cookie method token should never be null here because we have an authenticated user however add the same check as elsewhere Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-09-16 20:11:02 +02:00
Nicola Murino	fa710b36c2	httpd: allow to configure cache control header Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-08-12 21:19:44 +02:00
Nicola Murino	68e62d3d9b	httpd: allow to use proxy protocol Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-08-10 21:02:38 +02:00
Nicola Murino	d94f80c8da	replace utils.Contains with slices.Contains Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-07-24 18:27:13 +02:00
Nicola Murino	b5c821795a	allow to customize name and log from the WebUI Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-07-24 09:14:27 +02:00
Nicola Murino	363770ab84	WebClient shares: add a logout button Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-06-18 19:10:32 +02:00
Nicola Murino	bd5b32101f	csrf: reuse the cookie in reset password no need to generate a new cookie each time. Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-06-15 15:18:17 +02:00
Nicola Murino	01b666a78f	WebUIs: check login conditions before allowing password reset Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-06-14 19:34:42 +02:00
Nicola Murino	8294952474	WebUIs: refactor CSRF Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-06-14 18:09:32 +02:00
Nicola Murino	08526da153	REST API: fix token invalidation after password change Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-06-07 18:19:05 +02:00
Nicola Murino	50a3c0d911	defender: allow to impose a delay between login attempts Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-05-18 10:35:54 +02:00
Nicola Murino	d3f42e39db	move server version setting to common section Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-05-01 19:42:09 +02:00
Nicola Murino	e1fdc10ef8	remove robots.txt endpoint This reverts #833 because the contributor did not respond to our request to sign the CLA Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-04-26 11:00:55 +02:00
Nicola Murino	f38966c6ac	WebClient: refactor long-running tasks to improve browser compatibility Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-03-11 18:19:57 +01:00
Nicola Murino	799fdd7098	allow IPs in defender safe list to exceed max per-host connections Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-27 18:22:21 +01:00
Nicola Murino	12f599fd65	WebUI: skip checks for static resource Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-25 18:19:21 +01:00
Nicola Murino	a577d8b3cd	WebAdmin: allow to disable 2FA Before it was only possible using REST API Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-23 18:24:07 +01:00
Nicola Murino	de089e51fd	Web: allow to require password change and two-factor for admins Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-21 20:45:10 +01:00
Nicola Murino	e61fb42cbc	remove metadata plugin Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-17 12:30:47 +01:00
Nicola Murino	ae309d64c4	WebClient: disable indicator if we redirect from the login page Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-04 21:13:04 +01:00
Nicola Murino	8385acd0e3	Redirect to two-factor auth page after creating the first admin Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-04 20:58:29 +01:00
Nicola Murino	c23d779280	WebClient: load shares using an async request instead of rendering them directly within the template Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-04 14:33:51 +01:00
Nicola Murino	ad80d4e475	WIP new WebAdmin: event rules Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-02-01 20:32:43 +01:00
Nicola Murino	c85601146d	WIP new WebAdmin: event actions Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-31 20:49:25 +01:00
Nicola Murino	d381304136	WIP new WebAdmin: admin/admins pages Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-22 20:22:41 +01:00
Nicola Murino	3f479c5537	WIP new WebAdmin: roles page Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-21 16:49:04 +01:00
Nicola Murino	8648351fc7	WIP new WebAdmin: connections page Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-20 15:35:05 +01:00
Nicola Murino	91802fad3e	WIP new WebAdmin: profile, change password, message pages Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-18 19:18:57 +01:00
Nicola Murino	d939a82225	user: add TLS certificates Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-14 21:36:23 +01:00
Nicola Murino	0722c4369b	WIP new WebAdmin: folders page Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-14 16:59:27 +01:00
Nicola Murino	5c8214e121	WIP new WebAdmin: groups page Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-11 19:26:13 +01:00
Nicola Murino	e1b5d2fe39	WebAdmin: use the new UI for user pages Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-09 19:54:08 +01:00
Nicola Murino	784b7585c1	remove end year from Copyright notice in files so we don't have to update all the files every year Signed-off-by: Nicola Murino <nicola.murino@gmail.com>	2024-01-01 11:31:45 +01:00

1 2

98 commits