Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
7fb42b6
fix(mfa): default new users into MFA when it's available server-wide
lakhansamani Jul 14, 2026
ce5914e
feat(mfa): lazily backfill existing users into the MFA default on login
lakhansamani Jul 14, 2026
1ba7886
feat(mfa): add --disable-webauthn-mfa, fold WebAuthn into EnableMFA d…
lakhansamani Jul 14, 2026
af05e8a
docs(mfa): clarify --disable-mfa's effect on WebAuthn's MFA-factor role
lakhansamani Jul 14, 2026
68718a7
revert(mfa): drop persisted MFA defaults, add pure effectiveMFAEnabled
lakhansamani Jul 14, 2026
63df61f
feat(mfa): withhold token on first-time offer, unify passkey gate wit…
lakhansamani Jul 14, 2026
4190a11
feat(mfa): rework skip_mfa_setup for the withheld-token model
lakhansamani Jul 14, 2026
d247716
feat(mfa): user-initiated lockout + admin reset via _update_user
lakhansamani Jul 14, 2026
311faa5
feat(mfa): email/SMS OTP as enrolled MFA methods
lakhansamani Jul 14, 2026
f4fcbd9
feat(mfa): gate SignUp() the same way as Login()
lakhansamani Jul 14, 2026
cfa5822
feat(mfa): gate oauth_callback.go the same way as password login
lakhansamani Jul 14, 2026
af90acc
fix(mfa): close I1 -- gate Login/SignUp even when TOTP login is off
lakhansamani Jul 15, 2026
0a1b1e8
fix(mfa): close I2 -- cookie-authenticated email/SMS OTP setup
lakhansamani Jul 15, 2026
58540c1
fix(mfa): oauth gate honors email/SMS OTP, tighten weak assertion (M1…
lakhansamani Jul 15, 2026
1472bc6
fix(mfa): defer OIDC bridge SetState until after the MFA gate (M2)
lakhansamani Jul 15, 2026
8ec584c
test(mfa): complete SMS-OTP full-chain MFA setup test (M4a)
lakhansamani Jul 15, 2026
a26fa82
refactor(mfa): consolidate 3 near-duplicate OTP-generation closures (…
lakhansamani Jul 15, 2026
03b05c8
fix(meta): is_webauthn_enabled honors --disable-webauthn-mfa
lakhansamani Jul 15, 2026
974cc85
feat(grpc): add REST/gRPC parity for MFA behavior redesign (PR #686)
lakhansamani Jul 15, 2026
8b32b10
test(grpc): cover EmailOtpMfaSetup/SmsOtpMfaSetup RPCs end-to-end
lakhansamani Jul 15, 2026
b702890
chore(dev): allow localhost:5174 origin for local dev
lakhansamani Jul 15, 2026
2e6c917
chore(build): bump go toolchain to 1.26.5
lakhansamani Jul 15, 2026
0752e7c
chore(docker): apk upgrade in final stage for patched openssl
lakhansamani Jul 15, 2026
536c1e0
fix(mfa): close pre-auth account-takeover via unauthenticated MFA ses…
lakhansamani Jul 15, 2026
4b5980e
fix(e2e): disable MFA in the release smoke server
lakhansamani Jul 15, 2026
a351d83
chore(deps): bump golang.org/x/net and x/text for CVE fixes
lakhansamani Jul 16, 2026
bce9a56
fix(mfa): close two gate gaps found in UI-flow spec verification
lakhansamani Jul 16, 2026
9a59bce
feat(mfa): resolve OAuth-return MFA continuation from session alone
lakhansamani Jul 16, 2026
a3c3b98
fix(mfa): route VerifyEmail through resolveMFAGate
lakhansamani Jul 16, 2026
15de56e
fix(storage)!: rename mangled authorizer_o_auth_states table
lakhansamani Jul 12, 2026
442eee6
feat(mfa): add totp_mfa_setup mutation for settings-mode enrollment
lakhansamani Jul 16, 2026
ab6d39f
fix(mfa): re-arm the MFA session in Email/SMS/TOTPMFASetup
lakhansamani Jul 16, 2026
af44086
fix(oauth): deny delegation seeded by a deactivated service-account s…
lakhansamani Jul 16, 2026
5408023
test(oauth): add multi-hop delegation coverage, fix a vacuous scope a…
lakhansamani Jul 16, 2026
ae8dab2
test(clientauth): cover JWKS cache per-issuer isolation and hit/miss
lakhansamani Jul 16, 2026
d32c000
test(saml): isolate Destination check from Recipient in ACS test
lakhansamani Jul 16, 2026
0243bbe
fix(scim,token): close request-auth revocation gap for deprovisioned …
lakhansamani Jul 16, 2026
63f209f
fix(app): bump authorizer-react to the fixed MFA-behavior build
lakhansamani Jul 17, 2026
3b6e5e0
fix(auth): close MFA-gate and revocation bypass in REST verify_email
lakhansamani Jul 17, 2026
da9a244
feat(app): handle the mfa_required redirect in web/app's own router
lakhansamani Jul 17, 2026
ae2047e
fix(mongodb): use bson.D for the remaining compound indexes
lakhansamani Jul 17, 2026
ce3fb37
fix(sso): close org-disabled mid-flow race in OIDC callback
lakhansamani Jul 17, 2026
7148462
test(scim): cover cross-org isolation over the real SCIM HTTP surface
lakhansamani Jul 17, 2026
9a25224
fix(mfa): challenge Email-OTP/SMS-OTP factors on verify_email and pas…
lakhansamani Jul 17, 2026
1a81535
fix(server): recognize web/app's index.css in the SPA no-cache allowlist
lakhansamani Jul 17, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions .github/workflows/storage-matrix.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Storage backend matrix

on:
# CI's `test` job only exercises SQLite (make test). This job runs the
# same provider_test.go suite against all 6 other backends via Docker
# containers (make test-all-db) - real coverage that otherwise never runs
# anywhere. Kept off the PR path since it's slow (multiple DB containers,
# Couchbase alone takes minutes to become healthy); PRs touching storage
# code get fast feedback via the path filter below instead of waiting on
# every unrelated PR.
pull_request:
paths:
- "internal/storage/**"
- "Makefile"
- "scripts/couchbase-test.sh"
- ".github/workflows/storage-matrix.yml"
schedule:
- cron: "0 3 * * *" # daily, catches regressions within a day either way
workflow_dispatch: {}

permissions:
contents: read

concurrency:
group: storage-matrix-${{ github.ref }}
cancel-in-progress: true

jobs:
test-all-db:
name: Go tests (all storage backends)
runs-on: ubuntu-latest
timeout-minutes: 45
steps:
- uses: actions/checkout@v5
with:
persist-credentials: false

- uses: actions/setup-go@v6
with:
go-version-file: go.mod
cache: true

- name: Run tests across all storage backends
run: make test-all-db
3 changes: 2 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,8 @@ RUN cd web/app && npm run build && cd ../dashboard && npm run build

FROM alpine:3.23.3
ARG ALPINE_EDGE_MAIN=https://dl-cdn.alpinelinux.org/alpine/edge/main
RUN apk add --no-cache -X "${ALPINE_EDGE_MAIN}" "busybox>=1.37.0-r31"
RUN apk add --no-cache -X "${ALPINE_EDGE_MAIN}" "busybox>=1.37.0-r31" && \
apk upgrade --no-cache

ARG TARGETARCH=amd64

Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ dev:
--admin-secret=admin \
--client-id=kbyuFDidLLm280LIwVFiazOqjO3ty8KH \
--client-secret=60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa \
--allowed-origins=localhost:8080,localhost:8090,localhost:9091,localhost:5173
--allowed-origins=localhost:8080,localhost:8090,localhost:9091,localhost:5173,localhost:5174

test:
go clean --testcache && TEST_DBS="sqlite" $(GO_TEST_ALL)
Expand Down
1 change: 1 addition & 0 deletions cmd/mcp.go
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ func runMCP(_ *cobra.Command, _ []string) {
tokenProvider, err := token.New(&rootArgs.config, &token.Dependencies{
Log: &log,
MemoryStoreProvider: memoryStoreProvider,
StorageProvider: storageProvider,
})
if err != nil {
log.Fatal().Err(err).Msg("failed to create token provider")
Expand Down
4 changes: 3 additions & 1 deletion cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -188,9 +188,10 @@ func init() {
// the effective Enable* / EnableMFA values from these flags.
f.BoolVar(&rootArgs.config.EnforceMFA, "enforce-mfa", false, "Enforce MFA for all users")
f.BoolVar(&rootArgs.config.DisableTOTPLogin, "disable-totp-login", false, "Disable TOTP-based MFA (enabled by default)")
f.BoolVar(&rootArgs.config.DisableWebauthnMFA, "disable-webauthn-mfa", false, "Disable WebAuthn/passkey as an MFA factor (enabled by default); does not affect WebAuthn/passkey as a primary login method")
f.BoolVar(&rootArgs.config.DisableEmailOTP, "disable-email-otp", false, "Disable email OTP MFA (enabled by default when email service is configured)")
f.BoolVar(&rootArgs.config.DisableSMSOTP, "disable-sms-otp", false, "Disable SMS OTP MFA (enabled by default when SMS service is configured)")
f.BoolVar(&rootArgs.config.DisableMFA, "disable-mfa", false, "Globally disable MFA (TOTP/email/SMS OTP), overriding the per-method flags; does not affect WebAuthn/passkey")
f.BoolVar(&rootArgs.config.DisableMFA, "disable-mfa", false, "Globally disable MFA (TOTP/email/SMS OTP), overriding the per-method flags; does not affect WebAuthn/passkey as a primary login method")
f.BoolVar(&rootArgs.config.EnableSignup, "enable-signup", true, "Enable signup")

// Cookies flags
Expand Down Expand Up @@ -535,6 +536,7 @@ func runRoot(c *cobra.Command, args []string) {
tokenProvider, err := token.New(&rootArgs.config, &token.Dependencies{
Log: &log,
MemoryStoreProvider: memoryStoreProvider,
StorageProvider: storageProvider,
})
if err != nil {
log.Fatal().Err(err).Msg("failed to create token provider")
Expand Down
43 changes: 29 additions & 14 deletions gen/go/authorizer/v1/admin.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading