769 Commits (87884213c466472a98cbd19e988b65c9190fea62)

Author SHA1 Message Date
Alexander Graf 87884213c4 update misc helper libs 3 years ago
Alexander Graf 56f65d724d update babel 3 years ago
Alexander Graf 5238b00f0b update alembic 3 years ago
Alexander Graf f613205fe1 update tenacity 3 years ago
Alexander Graf 833ccb5544 reload page using GET when selecting language 3 years ago
Alexander Graf 8b15820b01 fix sso login button spacing 3 years ago
Alexander Graf 26fb108a3f updated Flask-Login 3 years ago
Alexander Graf abc4112242 updated Werkzeug, Click and Flask-Migrate 3 years ago
Alexander Graf f1d7bedd1b fix display of range inputs (again) 3 years ago
Alexander Graf 13e6793c9f Merge remote-tracking branch 'upstream/master' into update_deps 3 years ago
Alexander Graf aca1e13648 update socrate - will be removed later 3 years ago
Alexander Graf 866741bcbe updated WTForms-Components deps 3 years ago
Alexander Graf ef19869cde updated redis 3 years ago
Alexander Graf d8efd3057c updated idna 3 years ago
Alexander Graf 8ad8cde0e2 removed some obsolete requirements 3 years ago
Alexander Graf 3ac1b3d86c update pyyaml and pygments 3 years ago
Alexander Graf 40cdff4911 updated dnspython 3 years ago
Alexander Graf dcbe55f062 updated crypto 3 years ago
Alexander Graf 771b2d1112 duh 3 years ago
Alexander Graf 23d0cd0466 update tabluate. fix audit.py and include in container 3 years ago
Alexander Graf 8d90a74624 update werkzeug to 1.x 3 years ago
bors[bot] 5e212ea46d
Merge #2036
2036: round display of range inputs to 2 decimals r=mergify[bot] a=ghostwheel42

## What type of PR?

small fix

## What does this PR do?

rounds display of range inputs to 2 decimals 

### Related issue(s)

- small fix to #1966

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [X] In case of feature or enhancement: documentation updated accordingly
- [X] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
3 years ago
Alexander Graf 80be3506da upgrade pip. completed reqs via pip freeze 3 years ago
Alexander Graf 598b2df5a0 update wtforms 3 years ago
Alexander Graf e8b5f1a185 round display of range inputs to 2 decimals 3 years ago
Florent Daigniere f3c93212c6 The Rate-limiter should run after the deny 3 years ago
Alexander Graf 9bc685c30b removed some more whitespace 3 years ago
Alexander Graf 8c31699baf fixed locale selector for no_NB 3 years ago
Alexander Graf 882a27f87c simplified if's and added external link icon 3 years ago
Alexander Graf 3141ffe791 removed some whitespace 3 years ago
Dimitri Huisman 6b16756d92 Fix acessing antispam via sidebar. 3 years ago
Dimitri Huisman 3449b67c86 Process code review remarks PR2023 3 years ago
Dimitri Huisman 8784971b7f Merge rate limiting and failed login logging 3 years ago
Dimitri Huisman 503044ef6e Reintroduce ProxyFix. Use two buttons for logging in. 3 years ago
Dimitri Huisman c42ad8e71e Forgot to include changes for url_for of base.html 3 years ago
Dimitri Huisman fb0f005343 Get rid of complicated prefix logic. Further simplify /static handling and nginx config. 3 years ago
Dimitri Huisman da788ddee3 Merge branch 'fix-sso-1929' of github.com:Diman0/Mailu into fix-sso-1929 3 years ago
Dimitri Huisman bdcc183165 Redirect to configured ENV VAR for Admin/Webmail, further simplify nginx config. 3 years ago
Florent Daigniere fee13e6c4b Save a redirect 3 years ago
Florent Daigniere d3f07a0882 Simplify the handling of /static 3 years ago
Dimitri Huisman a47afec4ee Make logic more readable. 3 years ago
Dimitri Huisman 48764f0400 Ensure all requests from the page sso go through the page sso. 3 years ago
Dimitri Huisman aab258d284 Move handling of logging out in admin, to sso logout page. 3 years ago
Dimitri Huisman 615743b331 Improve indendation of conditions. 3 years ago
Dimitri Huisman 5d81846c5d Introduce the shared stub /static for providing all static files 3 years ago
Dimitri Huisman 44d2448412 Updated SSO logic for webmails. Fixed small bug rate limiting. 3 years ago
Dimitri Huisman f9eee0cbaf Adapt HEALTHCHECK to new URL 3 years ago
Dimitri Huisman ed7adf52a6 Merge branch 'master' of github.com:Diman0/Mailu into fix-sso-1929 3 years ago
Dimitri Huisman 913a6304a7 Finishing touches. Introduce /static stub for handling all static files. 3 years ago
bors[bot] a1192d8039
Merge #1987
1987: Enhancement to the rate limits r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Turn the rate-limiters into something useful (that won't fire for no reason).

- fix rate-limiting on /webdav/
- it changes the rate-limiting behaviour from limiting a single IP address to a subnet of a reasonable size (/24 on v4 and /56 on v6 both are now configurable) : AUTH_RATELIMIT_IP / AUTH_RATELIMIT_IP_V4_MASK / AUTH_RATELIMIT_IP_V6_MASK
- It ensures we only use IP-based rate-limits for attempts on accounts that do not exist
- it creates a new rate limit preventing attackers from targetting a specific user account (separate from what's above) : AUTH_RATELIMIT_USER
- it introduces a rate limiting exemption mechanism whereby, upon authentication, users will see their source-ip address being exempt for a specific amount of time AUTH_RATELIMIT_EXEMPTION_LENGTH. A similar mechanism is available for web-based sessions (see below)
- It introduces in AUTH_RATELIMIT_EXEMPTION a comma separated list of network CIDRs that will be exempt from both types of rate limiting
- it implements device-tokens, as described on https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies to ensure that genuine users aren't locked-out by a malicious attacker abusing the rate-limit feature.

Things that could be improved include:
- the IP-based rate limiter flags attempts against "non-existing" accounts: it could go further and flag the number of unique non-existing accounts attempted (to prevent the case of a user making a typo in his MUA configuration)
- the IP address exemption mechanism doesn't pin the exemption to a specific username: any real user can trivially bypass the rate limits (and attempt to brute-force someone else's account)

### Related issue(s)
- close #1926
- close #1745 
- close #1915


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Diman0 <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
3 years ago