Redirect unauthenticated users to the sign in page
instead. Rationale:
- The content on the welcome page is what often belongs
to a separate "marketing site". The marketing content
is of no use on self-hosted instances, which typically
have new signups disabled and are for internal use only
- (the real reason, let's be honest) a number of
self-hosted instances are accessible over the public
internet. Search engines index the nearly identical
landing pages and see them as duplicated content.
This commit adds a {% absolute_site_logo_url %} template tag.
The tag emits an absolute url pointing to either
SITE_LOGO_URL or to the fallback picture.
The tag is used in base email template, in slack message
template, and in "Add MS Teams" page.
This commit also fixes a couple instances where absolute URLs
were constructed like so:
{% site_root %}/docs/
This would result in incorrect links if Healthchecks is not
running at webserver's root. The correct way is:
{% site_root %}{% url 'hc-docs' %}
Finally, this commit removes stuff/logo.svg and
stuff/logo-full.svg. Selfhosted sites should not use the
official Healthchecks.io logos, so no point keeping them around
there.
This fixes a security issue:
- attacker can crafts a redirect URL to an external site
- attacker gets victim to click on it
- victim logs in
- after login, Healthchecks redirects victim to the external site
The _allow_redirect function now additionally
requires the redirect URL is relative (has no scheme or domain).
If user has both WebAuthn and TOTP configured,
when logging in, they will be asked to choose between
"Use security keys" and "Use authenticator app".
The "Use authenticator app" is a link to a different
page (/accounts/login/two_factor/totp/). This commit makes
sure the ?next= query parameter is preserved when navigating
to that page.
For reference, the ?next= query parameter is the URL we should
redirect to after a successful login. Use case:
User is logged out. They click on a bookmarked "Check Details"
link. They get redirected to the login form. After
entering username & password and completing 2FA,
they get redirected to the "Check Details" page they
originally wanted to visit.
Profile.next_nag_date tracks when the next hourly/daily reminder
should be sent. Normally, sendalerts sets this field when
a check goes down, and sendreports clears it out whenever
it is about to send a reminder but realizes all checks are up.
The problem: sendalerts can set next_nag_date to a non-null
value, but it does not clear it out when all checks are up.
This can result in a hourly/daily reminder being sent out
at the wrong time. Specific example, assuming hourly reminders:
13:00: Check A goes down. next_nag_date gets set to 14:00.
13:05: Check A goes up. next_nag_date remains set to 14:00.
13:55: Check B goes down. next_nag_date remains set to 14:00.
14:00: Healthchecks sends a hourly reminder, just 5 minutes
after Check B going down. It should have sent the reminder
at 13:55 + 1 hour = 14:55
The fix: sendalerts can now both set and clear the next_nag_date
field. The main changes are in Project.update_next_nag_dates()
and in Profile.update_next_nag_date(). With the fix:
13:00: Check A goes down. next_nag_date gets set to 14:00.
13:05: Check A goes up. next_nag_date gets set to null.
13:55: Check B goes down. next_nag_date gets set to 14:55.
14:55: Healthchecks sends a hourly reminder.
* Add HTTP header authentiation backend/middleware
* Add docs for remote header auth
* Improve docs on external auth
* Add warning for unknown REMOTE_USER_HEADER_TYPE
* Move active check for header auth to middleware
Add extra header type sanity check to the backend
* Add test cases for remote header login
* Improve header-based authentication
- remove the 'ID' mode
- add CustomHeaderBackend to AUTHENTICATION_BACKENDS conditionally
- rewrite CustomHeaderBackend and CustomHeaderMiddleware to
use less inherited code
- add more test cases
Co-authored-by: Pēteris Caune <[email protected]>
Pēteris Caune
swoga
Shea Polansky