GO-2024-3160: Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos

password

package

v0.4.3-alpha.1 Latest Latest Go to latest Published: Jul 8, 2020 License: Apache-2.0 Imports: 37 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/ory/kratos

Documentation ¶

Index ¶

Constants
type CredentialsConfig
type DefaultPasswordValidator
- func NewDefaultPasswordValidatorStrategy() *DefaultPasswordValidator
- func NewDefaultPasswordValidatorStrategyStrict() *DefaultPasswordValidator
- func (s *DefaultPasswordValidator) Validate(identifier, password string) error
type LoginFormPayload
type RegistrationFormPayload
type RequestMethod
type Strategy
- func NewStrategy(d registrationStrategyDependencies, c configuration.Provider) *Strategy
type ValidationProvider
type Validator

Constants ¶

View Source

const (
	LoginPath = "/self-service/browser/flows/login/strategies/password"
)

View Source

const (
	RegistrationPath = "/self-service/browser/flows/registration/strategies/password"
)

View Source

const (
	SettingsPath = "/self-service/browser/flows/settings/strategies/password"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type CredentialsConfig ¶

type CredentialsConfig struct {
	// HashedPassword is a hash-representation of the password.
	HashedPassword string `json:"hashed_password"`
}

CredentialsConfig is the struct that is being used as part of the identity credentials.

type DefaultPasswordValidator ¶

type DefaultPasswordValidator struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

DefaultPasswordValidator implements Validator. It is based on best practices as defined in the following blog posts:

- https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/ - https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Additionally passwords are being checked against Troy Hunt's [haveibeenpwnd](https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange) service to check if the password has been breached in a previous data leak using k-anonymity.

func NewDefaultPasswordValidatorStrategy ¶

func NewDefaultPasswordValidatorStrategy() *DefaultPasswordValidator

func NewDefaultPasswordValidatorStrategyStrict ¶

func NewDefaultPasswordValidatorStrategyStrict() *DefaultPasswordValidator

func (*DefaultPasswordValidator) Validate ¶

func (s *DefaultPasswordValidator) Validate(identifier, password string) error

type LoginFormPayload ¶

type LoginFormPayload struct {
	Password   string `form:"password"`
	Identifier string `form:"identifier"`
}

LoginFormPayload is used to decode the login form payload.

type RegistrationFormPayload ¶

type RegistrationFormPayload struct {
	Password string          `json:"password"`
	Traits   json.RawMessage `json:"traits"`
}

type RequestMethod ¶

type RequestMethod struct {
	*form.HTMLForm
}

RequestMethod contains the configuration for this selfservice strategy.

type Strategy ¶

type Strategy struct {
	// contains filtered or unexported fields
}

func NewStrategy ¶

func NewStrategy(
	d registrationStrategyDependencies,
	c configuration.Provider,
) *Strategy

func (*Strategy) CountActiveCredentials ¶

func (s *Strategy) CountActiveCredentials(cc map[identity.CredentialsType]identity.Credentials) (count int, err error)

func (*Strategy) ID ¶

func (s *Strategy) ID() identity.CredentialsType

func (*Strategy) PopulateLoginMethod ¶

func (s *Strategy) PopulateLoginMethod(r *http.Request, sr *login.Request) error

func (*Strategy) PopulateRegistrationMethod ¶

func (s *Strategy) PopulateRegistrationMethod(r *http.Request, sr *registration.Request) error

func (*Strategy) PopulateSettingsMethod ¶

func (s *Strategy) PopulateSettingsMethod(r *http.Request, ss *session.Session, pr *settings.Request) error

func (*Strategy) RegisterLoginRoutes ¶

func (s *Strategy) RegisterLoginRoutes(r *x.RouterPublic)

func (*Strategy) RegisterRegistrationRoutes ¶

func (s *Strategy) RegisterRegistrationRoutes(r *x.RouterPublic)

func (*Strategy) RegisterSettingsRoutes ¶

func (s *Strategy) RegisterSettingsRoutes(router *x.RouterPublic)

func (*Strategy) SettingsStrategyID ¶

func (s *Strategy) SettingsStrategyID() string

type ValidationProvider ¶

type ValidationProvider interface {
	PasswordValidator() Validator
}

type Validator ¶

type Validator interface {
	// Validate returns nil if the password is passing the validation strategy and an error otherwise. If a validation error
	// occurs, a regular error will be returned. If some other type of error occurs (e.g. HTTP request failed), an error
	// of type *herodot.DefaultError will be returned.
	Validate(identifier, password string) error
}

Validator implements a validation strategy for passwords. One example is that the password has to have at least 6 characters and at least one lower and one uppercase password.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL