Use a custom result type to return success/failure and the
need to save the user data to the caller, while having
logged the error messages rather than returning them.
We count general TFA failures and also TOTP specifically,
and lock the user out of their 2nd factors on too many
failures.
To this end, all errors are now treated as failures.
While technically we can have crypto errors the user might
not be able to cause, we can't always know, and not all
errors are guaranteed to be a host side configuration issue,
so instead, all errors (since they are rare) are now counted
as a regular TFA error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
TfaUserData uses `#[serde(deny_unknown_fields)]`, so we add
this now, but using it will require explicitly enabling it.
If the TOTP count is high, the user should be locked out of
TOTP entirely until they use a recovery key to reset the
count.
If a user's TFA try count is too high, they should get rate
limited.
In both cases they should receive some kind of notification.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
without adding the entire API as well, so API clients can
actually use the types used by the api methods without
requiring the backend implementation being built in as
well...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
If WA or U2F fail to produce a challenge, the user may still
log in with other factors and the challenge will be
considered to not be empty.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This should only ever be explicitly removed.
Similarly, include an empty array of recovery keys in the
tfa challenge, so that clients know about empty recoveries
rather than getting an empty challenge when there are no
other factors available.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
the requests are all created via the agent that already contains the user
agent, so this internal helper isn't needed anymore.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
this allows us to slim down our code, and once
https://github.com/algesten/ureq/pull/597 is merged upstream (and/or we update
to a version containing the fix) it also means the custom user agent is used
for requests to the proxy host, if one is configured.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
To the existing `.alias(item)`, add a
`.aliases(into-item-iter)` similar to how `Extend` works.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
The connection submodule now allows building an "acceptor"
for hyper connections which can either take an explicit ssl
acceptor, or builds a default one with a self-signed
certificate.
The rate-limited-stream feature enables a method to
lookup/update rate limiters for connections.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
rest-server can now optionally provide a PeerAddress
implementation for RateLimitedStream by activating its
'rate-limited-stream' feature
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
instead of implementing 'peer_addr' specifically for
RateLimitedStream<tokio::net::TcpStream>, just provide
.inner() and .inner_mut() so the user can reach the inner
stream directly.
This way we can drop the tokio/net feature as well
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>