This validator splits every line (on LF) of a given value and appends
the result to the ListField values.
It only works on ListField[string] and trims spaces (and CR) on each
item.
Nothing special except that the elements in .field-h are now aligned
to the start instead of baseline. That way, textarea labels are aligned
to the textarea first line instead of its bottom.
They don't need to be in a fixed position with a z-index; the
backdrop pseudo-element already takes care of that.
.dialog is now centered on the page using flexbox on the backdrop with
a default to 100% and 100vh but it can be overridden when needed.
body:has(.dialog:open) would not work on WebKit and is replaced by
body:has(.dialog[open]) (same for .dialog-image and .dialog-video)
dialogs always receive the default font (face and size) and a background
and foreground color so they don't inherit from the element they're in.
All dialog classes are components so we can override their properties.
- Renamed "Password" to "Security" in user profile
- Added a section about TOTP in profile/password
- TOTP activation page
- TOTP removal from profile/password
- Sign out is always possible when any MFA is enabled
This is only the first part. When a totp_secret exists for a user, the
authentication then asks for the code and carries on.
The totp lib can handle 6 or 8 letter codes and sha1, sha256 and sha512.
For maximum compatibility with Google Authenticator though, it sticks
to 6 characters and sha1.
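
An added example, not this project's code or its TOTP library: RFC 6238 code generation with the code length and hash as parameters, and a verifier fixed to 6 characters and SHA-1 as described above. The function names, the 30-second step and the skew window are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"hash"
	"math"
	"time"
)

const step = 30 // seconds per time step (assumed, the RFC 6238 default)

// totp returns the RFC 6238 code for the time step containing t.
// digits is 6 or 8; h is sha1.New, sha256.New or sha512.New.
func totp(secret []byte, t time.Time, digits int, h func() hash.Hash) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/step))
	mac := hmac.New(h, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%uint32(math.Pow10(digits)))
}

// verify checks a 6-character SHA-1 code against the current step and
// skew steps on either side, comparing every candidate in constant time.
func verify(secret []byte, code string, now time.Time, skew int) bool {
	ok := 0
	for i := -skew; i <= skew; i++ {
		at := now.Add(time.Duration(i*step) * time.Second)
		want := totp(secret, at, 6, sha1.New)
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return ok == 1
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real key
	t := time.Unix(59, 0)
	fmt.Println(totp(secret, t, 6, sha1.New), totp(secret, t, 8, sha1.New))
	fmt.Println(verify(secret, "287082", time.Unix(89, 0), 1)) // one step late
}
```

A verifier in production also records the last accepted time step per user, so a code cannot be replayed within its validity window.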
- PUT /api/profile/password (was undocumented and not used)
- POST /api/auth
With the introduction of MFA, you can't authenticate with a username
and password anymore. OAuth is now the only way to obtain an access
token.
The password update through the API was not documented so quite safe
to remove.
- removed log noise (not authenticated)
- on /login, go to redirect when a session already exists
- in SessionAuthProvider, clear session when external while forwarded
authentication is disabled
When externally authenticated, a session gains an "External" flag,
which is used to lock the request's user. When locked, the following
is disabled:
- sign-out
- username, email and password update
Note: the password page becomes empty but it will gain some content
once TOTP is merged.
- new auth configuration section, with auth.forwarded
- renamed server.ca_file to server.client_ca_file
- provisioning form in internal/auth/users
- use crypto/rand in internal/auth/users to generate the seed
- added a password generator for users
- ForwardedAuthProvider in internal/server
- tests for TokenAuthProvider and ForwardedAuthProvider
Authentication providers are very much tied to server operations and
function and having them in internal/auth made it impossible to deal
with the session cookie handler when we need it.
internal/auth depended on the request ID for logging, removed this as
well with a specific logger interface.
Introducing a server.SessionHandler function to retrieve the cookie
handler so we can create cookies from scratch when needed.
This adds a new server.ca_file entry that can target a CA file for
requests with a client certificate.
The client certificate is only verified when provided and it will be up
to middlewares to make it mandatory when needed.
Instead of authentication providers having a method to indicate when
they're active or not, we compose a chain of HTTP handlers where
providers need to add themselves based on their own conditions.
This lets us do a few interesting things like:
- stop when a provider meets some conditions (i.e. an HTTP header)
- prepare information for the next provider to pick up (for a forwarded auth)
- return an HTTP response and terminate everything if we need to.
The public internal/auth API remains unchanged.
MathJax v2 outputs HTML+CSS and MathML together. Since we're satisfied with
just MathML, this strips the HTML+CSS part since that would look bad if ever
viewed in Readeck.
MathJax v3 supports CHTML and SVG output modes, but neither outputs MathML.
However, MathJax does expose the original LaTeX expression via the "data-latex"
attribute. Fetch the value of that attribute and use a 3rd-party library to
render LaTeX to MathML when archiving the bookmark.
KaTeX does output MathML, but it also outputs its own HTML-CSS format that is
marked with `aria-hidden="true"`. Ensure that this is stripped even in the
mode when Readability is disabled.