greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

breakfix: password_recovery_enabled #299

Closed slowkow closed 11 months ago

slowkow commented 1 year ago

Describe the issue

I'm trying the example Caddyfile for user registration, and it does not work. I get the error below when I do caddy run:

caddy run --config Caddyfile-registration
2023/11/14 21:09:31.010 INFO    using provided configuration    {"config_file": "Caddyfile-registration", "config_adapter": ""}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'security': unsupported subdirective for security.authentication.portal.ui: password_recovery_enabled, at Caddyfile-registration:56

Configuration

It is the same config as this one:

https://github.com/authp/authp.github.io/blob/main/assets/conf/local/registration/Caddyfile

Paste full Caddyfile below:

{
    http_port 8080
    https_port 8443
    # debug

    order authenticate before respond
    order authorize before basicauth

    security {
        credentials root@localhost {
            username root
            password foobar
        }

        messaging email provider localhost-smtp-server {
            address 127.0.0.1:1025
            protocol smtp
            passwordless
            sender root@localhost "My Auth Portal"
            # credentials root@localhost
            bcc greenpau@localhost
        }

        local identity store localdb {
            realm local
            path {$HOME}/.local/caddy/users.json
        }

        oauth identity provider github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}

        user registration localdbRegistry {
            dropbox {$HOME}/.local/caddy/registrations.json
            title "User Registration"
            code "NY2020"
            require accept terms
            require domain mx
            admin email admin@localhost
            email provider localhost-smtp-server
            identity store localdb
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SHARED_KEY}
            cookie domain myfiosgateway.com
            enable identity store localdb
            enable identity provider github
            ui {
                links {
                    "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
                    "Guests" https://assetq.myfiosgateway.com:8443/guests icon "las la-star"
                    "Users" https://assetq.myfiosgateway.com:8443/users icon "las la-star"
                    "Admins" https://assetq.myfiosgateway.com:8443/admins icon "las la-star"
                    "My Identity" "/whoami" icon "las la-user"
                }
                password_recovery_enabled yes
            }
            transform user {
                match origin local
                action add role authp/user
                ui link "Portal Settings" /settings icon "las la-cog"
            }
            transform user {
                match realm github
                match sub github.com/greenpau
                action add role authp/user
            }
        }

        authorization policy guests_policy {
            # disable auth redirect
            set auth url https://auth.myfiosgateway.com:8443/
            allow roles authp/admin authp/user
            crypto key verify {env.JWT_SHARED_KEY}
            acl rule {
                comment allow guests only
                match role guest authp/guest
                allow stop log info
            }
            acl rule {
                comment default deny
                match any
                deny log warn
            }
        }

        authorization policy users_policy {
            set auth url https://auth.myfiosgateway.com:8443/
            allow roles authp/admin authp/user
            crypto key verify {env.JWT_SHARED_KEY}
            acl rule {
                comment allow users
                match role authp/user
                allow stop log info
            }
            acl rule {
                comment default deny
                match any
                deny log warn
            }
        }

        authorization policy admins_policy {
            set auth url https://auth.myfiosgateway.com:8443/
            allow roles authp/admin authp/user
            crypto key verify {env.JWT_SHARED_KEY}
            acl rule {
                comment allow users
                match role authp/user
                allow stop log info
            }
            acl rule {
                comment default deny
                match any
                deny log warn
            }
        }
    }
}

(tls_config) {
    tls {$HOME}/.local/caddy/server.crt {$HOME}/.local/caddy/server.key
}

auth.myfiosgateway.com {
    import tls_config
    route {
        authenticate with myportal
    }
}

assetq.myfiosgateway.com {
    import tls_config
    route /guests* {
        authorize with guests_policy
        respond * "assetq - guests only" 200
    }

    route /users* {
        authorize with users_policy
        respond * "assetq - users" 200
    }

    route /admins* {
        authorize with admins_policy
        respond * "assetq - admins" 200
    }

    route {
        respond "assetq is running"
    }
}

Version Information

Provide output of caddy list-modules -versions | grep git below:

caddy list-modules -versions | grep git
Error: unknown shorthand flag: 'v' in -versions
caddy build-info | grep security
dep     github.com/greenpau/caddy-security      v1.1.20 h1:rjdLd1QdCNdywcCwr48ghyL2eb5Cn6/fNTudisxt0Tw=

Expected behavior

Did I get the wrong caddy version? Why isn't the config working?

slowkow commented 1 year ago

I confirmed that I get the same error for both versions of caddy:

I feel like I must be missing something ... but I don't know what. I'm just trying to get started with your documentation examples.

greenpau commented 11 months ago

@slowkow , the password recovery is not implemented.

slowkow commented 11 months ago

@greenpau What would you recommend for a newcomer who wants to get started quickly with a simple config?

I don't particularly care about password recovery (or any other feature). I just want to follow a simple tutorial that actually works. So far, no luck. Like I said, I'm just trying to get started...

greenpau commented 11 months ago

@slowkow , I would start with this Caddyfile: https://github.com/authp/authp.github.io/blob/main/assets/conf/local/Caddyfile

I would replace the following:

        local identity store localdb {
            realm local
            path {$HOME}/.local/caddy/users.json
        }

with

        local identity store localdb {
            realm local
            path {$HOME}/.local/caddy/users.json
            user webadmin {
                name John Smith
                email jsmith@localhost.localdomain
                password "My@Password123" overwrite
                roles authp/user authp/admin
            }
        }

This way you will have your webadmin user ready.
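
A minimal Caddyfile assembled only from directives that already appear in this thread (the inline webadmin user recommended above, the portal, one authorization policy and the two sites), with the unsupported `password_recovery_enabled` line left out. This is an added example, not the project's documentation and not the reporter's config. It assumes JWT_SHARED_KEY is exported before `caddy run`, that server.crt and server.key exist under ~/.local/caddy, and that the two myfiosgateway.com hostnames resolve to the host running Caddy (for example via /etc/hosts); the thread does not say how they are meant to resolve.

```caddyfile
{
    http_port 8080
    https_port 8443

    order authenticate before respond
    order authorize before basicauth

    security {
        local identity store localdb {
            realm local
            path {$HOME}/.local/caddy/users.json
            # Bootstrap account from greenpau's suggestion. The password sits in
            # the Caddyfile in clear text, so treat it as a first-login credential
            # and change it once the portal is up.
            user webadmin {
                name John Smith
                email jsmith@localhost.localdomain
                password "My@Password123" overwrite
                roles authp/user authp/admin
            }
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            # Signing key for issued tokens; the same value must be used by
            # every policy that verifies them (see users_policy below).
            crypto key sign-verify {env.JWT_SHARED_KEY}
            cookie domain myfiosgateway.com
            enable identity store localdb
            ui {
                links {
                    "Users" https://assetq.myfiosgateway.com:8443/users icon "las la-star"
                    "My Identity" "/whoami" icon "las la-user"
                }
            }
        }

        authorization policy users_policy {
            set auth url https://auth.myfiosgateway.com:8443/
            allow roles authp/admin authp/user
            crypto key verify {env.JWT_SHARED_KEY}
            acl rule {
                comment allow users
                match role authp/user
                allow stop log info
            }
            acl rule {
                comment default deny
                match any
                deny log warn
            }
        }
    }
}

(tls_config) {
    tls {$HOME}/.local/caddy/server.crt {$HOME}/.local/caddy/server.key
}

auth.myfiosgateway.com {
    import tls_config
    route {
        authenticate with myportal
    }
}

assetq.myfiosgateway.com {
    import tls_config
    route /users* {
        authorize with users_policy
        respond * "assetq - users" 200
    }
    route {
        respond "assetq is running"
    }
}
```

Run `caddy validate --config Caddyfile` before `caddy run`: the "unsupported subdirective" error in the report is raised while the Caddyfile is adapted, so validate surfaces it without starting any listeners. The portal's `sign-verify` key and the policy's `verify` key are deliberately the same environment variable; if they differ, every request through `authorize with users_policy` fails verification and is redirected to the auth URL.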

slowkow commented 11 months ago

Thanks. The other config you linked looks like it might work after many additional changes.

Could I please ask why the config contains https://auth.myfiosgateway.com:8443?

Why isn't this http://127.0.0.1:8443/auth or something else that newcomers could use?