Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
7fb42b6
fix(mfa): default new users into MFA when it's available server-wide
lakhansamani Jul 14, 2026
ce5914e
feat(mfa): lazily backfill existing users into the MFA default on login
lakhansamani Jul 14, 2026
1ba7886
feat(mfa): add --disable-webauthn-mfa, fold WebAuthn into EnableMFA d…
lakhansamani Jul 14, 2026
af05e8a
docs(mfa): clarify --disable-mfa's effect on WebAuthn's MFA-factor role
lakhansamani Jul 14, 2026
68718a7
revert(mfa): drop persisted MFA defaults, add pure effectiveMFAEnabled
lakhansamani Jul 14, 2026
63df61f
feat(mfa): withhold token on first-time offer, unify passkey gate wit…
lakhansamani Jul 14, 2026
4190a11
feat(mfa): rework skip_mfa_setup for the withheld-token model
lakhansamani Jul 14, 2026
d247716
feat(mfa): user-initiated lockout + admin reset via _update_user
lakhansamani Jul 14, 2026
311faa5
feat(mfa): email/SMS OTP as enrolled MFA methods
lakhansamani Jul 14, 2026
f4fcbd9
feat(mfa): gate SignUp() the same way as Login()
lakhansamani Jul 14, 2026
cfa5822
feat(mfa): gate oauth_callback.go the same way as password login
lakhansamani Jul 14, 2026
af90acc
fix(mfa): close I1 -- gate Login/SignUp even when TOTP login is off
lakhansamani Jul 15, 2026
0a1b1e8
fix(mfa): close I2 -- cookie-authenticated email/SMS OTP setup
lakhansamani Jul 15, 2026
58540c1
fix(mfa): oauth gate honors email/SMS OTP, tighten weak assertion (M1…
lakhansamani Jul 15, 2026
1472bc6
fix(mfa): defer OIDC bridge SetState until after the MFA gate (M2)
lakhansamani Jul 15, 2026
8ec584c
test(mfa): complete SMS-OTP full-chain MFA setup test (M4a)
lakhansamani Jul 15, 2026
a26fa82
refactor(mfa): consolidate 3 near-duplicate OTP-generation closures (…
lakhansamani Jul 15, 2026
03b05c8
fix(meta): is_webauthn_enabled honors --disable-webauthn-mfa
lakhansamani Jul 15, 2026
974cc85
feat(grpc): add REST/gRPC parity for MFA behavior redesign (PR #686)
lakhansamani Jul 15, 2026
8b32b10
test(grpc): cover EmailOtpMfaSetup/SmsOtpMfaSetup RPCs end-to-end
lakhansamani Jul 15, 2026
b702890
chore(dev): allow localhost:5174 origin for local dev
lakhansamani Jul 15, 2026
2e6c917
chore(build): bump go toolchain to 1.26.5
lakhansamani Jul 15, 2026
0752e7c
chore(docker): apk upgrade in final stage for patched openssl
lakhansamani Jul 15, 2026
536c1e0
fix(mfa): close pre-auth account-takeover via unauthenticated MFA ses…
lakhansamani Jul 15, 2026
4b5980e
fix(e2e): disable MFA in the release smoke server
lakhansamani Jul 15, 2026
a351d83
chore(deps): bump golang.org/x/net and x/text for CVE fixes
lakhansamani Jul 16, 2026
bce9a56
fix(mfa): close two gate gaps found in UI-flow spec verification
lakhansamani Jul 16, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,8 @@ RUN cd web/app && npm run build && cd ../dashboard && npm run build

FROM alpine:3.23.3
ARG ALPINE_EDGE_MAIN=https://dl-cdn.alpinelinux.org/alpine/edge/main
RUN apk add --no-cache -X "${ALPINE_EDGE_MAIN}" "busybox>=1.37.0-r31"
RUN apk add --no-cache -X "${ALPINE_EDGE_MAIN}" "busybox>=1.37.0-r31" && \
apk upgrade --no-cache

ARG TARGETARCH=amd64

Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ dev:
--admin-secret=admin \
--client-id=kbyuFDidLLm280LIwVFiazOqjO3ty8KH \
--client-secret=60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa \
--allowed-origins=localhost:8080,localhost:8090,localhost:9091,localhost:5173
--allowed-origins=localhost:8080,localhost:8090,localhost:9091,localhost:5173,localhost:5174

test:
go clean --testcache && TEST_DBS="sqlite" $(GO_TEST_ALL)
Expand Down
3 changes: 2 additions & 1 deletion cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -188,9 +188,10 @@ func init() {
// the effective Enable* / EnableMFA values from these flags.
f.BoolVar(&rootArgs.config.EnforceMFA, "enforce-mfa", false, "Enforce MFA for all users")
f.BoolVar(&rootArgs.config.DisableTOTPLogin, "disable-totp-login", false, "Disable TOTP-based MFA (enabled by default)")
f.BoolVar(&rootArgs.config.DisableWebauthnMFA, "disable-webauthn-mfa", false, "Disable WebAuthn/passkey as an MFA factor (enabled by default); does not affect WebAuthn/passkey as a primary login method")
f.BoolVar(&rootArgs.config.DisableEmailOTP, "disable-email-otp", false, "Disable email OTP MFA (enabled by default when email service is configured)")
f.BoolVar(&rootArgs.config.DisableSMSOTP, "disable-sms-otp", false, "Disable SMS OTP MFA (enabled by default when SMS service is configured)")
f.BoolVar(&rootArgs.config.DisableMFA, "disable-mfa", false, "Globally disable MFA (TOTP/email/SMS OTP), overriding the per-method flags; does not affect WebAuthn/passkey")
f.BoolVar(&rootArgs.config.DisableMFA, "disable-mfa", false, "Globally disable MFA (TOTP/email/SMS OTP), overriding the per-method flags; does not affect WebAuthn/passkey as a primary login method")
f.BoolVar(&rootArgs.config.EnableSignup, "enable-signup", true, "Enable signup")

// Cookies flags
Expand Down
43 changes: 29 additions & 14 deletions gen/go/authorizer/v1/admin.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading