anubis

mirror of https://github.com/TecharoHQ/anubis.git synced 2025-08-03 17:59:24 -04:00

Author	SHA1	Message	Date
Josh Soref	52a6a65cc4	Spelling (#445 ) * link: stackoverflow explanation of cookies Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bazaar Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enabling Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: expressions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implicitly Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: intermediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: open graph Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: really, really, Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2025-05-05 10:52:02 -04:00
Xe Iaso	865d513e35	feat(checker): add CEL for matching complicated expressions (#421 ) * feat(lib/policy): add support for CEL checkers This adds the ability for administrators to use Common Expression Language[0] (CEL) for more advanced check logic than Anubis previously offered. These can be as simple as: ```yaml - name: allow-api-routes action: ALLOW expression: and: - '!(method == "HEAD" \|\| method == "GET")' - path.startsWith("/api/") ``` or get as complicated as: ```yaml - name: allow-git-clients action: ALLOW expression: and: - userAgent.startsWith("git/") \|\| userAgent.contains("libgit") \|\| userAgent.startsWith("go-git") \|\| userAgent.startsWith("JGit/") \|\| userAgent.startsWith("JGit-") - > "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2" ``` Internally these are compiled and evaluated with cel-go[1]. This also leaves room for extensibility should that be desired in the future. This will intersect with #338 and eventually intersect with TLS fingerprints as in #337. [0]: https://cel.dev/ [1]: https://github.com/google/cel-go Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(data/apps): add API route allow rule for non-HEAD/GET Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: document expression syntax Signed-off-by: Xe Iaso <me@xeiaso.net> * fix: fixes in review Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-05-03 14:26:54 -04:00
Jareth Gomes	91275c489f	feat: make authorization cookie default expiration time customizable (#389 )	2025-05-01 10:05:33 +00:00
Xe Iaso	74d330cec5	feat(config): add ability to customize HTTP status codes Anubis returns (#393 ) Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-04-29 15:13:44 -04:00
Jason Cameron	24f8ba729b	feat: add support for a base prefix (#294 ) * fix: rename variable for preventing collision in ED25519 private key handling Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix: remove unused import and debug print in xess.go Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat: introduce base path configuration for Anubis endpoints Closes: #231 Signed-off-by: Jason Cameron <git@jasoncameron.dev> * hack(internal/test): skip these tests for now Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(yeet): unbreak package builds Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Jason Cameron <git@jasoncameron.dev> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-04-25 14:39:38 -04:00
Sandro	6858f66a62	Add check endpoint which can be used with nginx' auth_request function (#266 ) * Add check endpoint which can be used with nginx' auth_request function * feat(cmd): allow configuring redirect domains * test: add test environment for the nginx_auth PR This is a full local setup of the nginx_auth PR including HTTPS so that it's easier to validate in isolation. This requires an install of k3s (https://k3s.io) with traefik set to listen on localhost. This will be amended in the future but for now this works enough to ship it. Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(cmd\|lib): allow empty redirect domains variable Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(test): add space to target variable in anubis container Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(admin): rewrite subrequest auth docs, make generic * docs(install): document REDIRECT_DOMAINS flag Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(lib): clamp redirects to the same HTTP host Only if REDIRECT_DOMAINS is not set. Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-04-25 17:38:02 +00:00
Xe Iaso	d40b5cfdab	lib: move config to yaml (#307 ) * lib: move config to yaml Signed-off-by: Xe Iaso <me@xeiaso.net> * web: run go generate Signed-off-by: Xe Iaso <me@xeiaso.net> * Add Haiku to known instances (#304) Signed-off-by: Asmodeus <46908100+AsmodeumX@users.noreply.github.com> * Add headers bot rule (#300) * Closes #291: add headers support to bot policy rules * Fix config validator * update docs for JSON -> YAML Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: document http header based actions Signed-off-by: Xe Iaso <me@xeiaso.net> * lib: add missing test Signed-off-by: Xe Iaso <me@xeiaso.net> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Asmodeus <46908100+AsmodeumX@users.noreply.github.com> Co-authored-by: Asmodeus <46908100+AsmodeumX@users.noreply.github.com> Co-authored-by: Neur0toxine <pashok9825@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-04-21 00:09:27 +00:00
Jason Cameron	9865e3ded8	fix(fetch): improve error handling for Content-Type parsing (#253 ) * fix(fetch): improve error handling for Content-Type parsing Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(fetch): rename OgHandledError to ErrOgHandled for statichcheck to like me Signed-off-by: Jason Cameron <git@jasoncameron.dev> --------- Signed-off-by: Jason Cameron <git@jasoncameron.dev>	2025-04-13 15:59:58 -04:00
Jason Cameron	77436207e6	feat: Add Open Graph tag support (#195 ) * feat: Add Open Graph tag support (og-tags) Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Fix: Prevent nil pointer dereference in test (og-tags) Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat!: Implement Open Graph tag caching and passthrough functionality (WIP) I'm going to sleep. currently tags are passed to renderIndex. see https://github.com/TecharoHQ/anubis/issues/131 Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat: Add configuration for air tool with build and logger settings Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat: Move OG tags to base template (og-tags) Moves the Open Graph (OG) tags from the index template to the base template. This allows OG tags to be set on any page, not just the index. Also adds a BaseWithOGTags function to the web package to allow passing OG tags to the base template. Removes the ogTags parameter from the Index function and template. Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Delete CHANGELOG.md Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat: Add language attribute to HTML tag in template Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(tests): Fix nil pointer ref Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat(og-tags): Add timeout to http client (og-tags) Signed-off-by: Jason Cameron <git@jasoncameron.dev> * style: fix line endings & indentation Signed-off-by: Jason Cameron <git@jasoncameron.dev> * style: add inspection comment for GoBoolExpressions in UnchangingCache Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat(og-tags): Implement Open Graph tag fetching and caching Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(og-tags): Simplify Open Graph tag extraction logic Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(og-tags): Add nil check in isOGMetaTag and enhance test cases Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat(og-tags): Add approved tags and prefixes for Open Graph extraction Signed-off-by: Jason Cameron <git@jasoncameron.dev> * test(og-tags): Update tests with approved tags and improve clarity Signed-off-by: Jason Cameron <git@jasoncameron.dev> * chore: Add changelog notes Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix: Improve stability of the target fetcher? Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix: Update template error handling and improve Open Graph tag integration Signed-off-by: Jason Cameron <git@jasoncameron.dev> * style: format files and remove deubg logs Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat: Credit CELPHASE for mascot design (og-tags) Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat: Credit CELPHASE for mascot design (og-tags) Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat: Allow twitter prefixed OG tags by default Signed-off-by: Jason Cameron <git@jasoncameron.dev> * chore: replace /tmp with /var Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Update docs/docs/CHANGELOG.md Co-authored-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * Update docs/docs/admin/configuration/open-graph.mdx Co-authored-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * chore: add fediverse to default prefixes (#og-tags) Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat(og-tags): Remove og-query-distinct flag This commit removes the `og-query-distinct` flag and associated logic. URLs with different query parameters will now always be treated as the same cache key for Open Graph tags. This simplifies the caching logic and improves performance. Additionally, the http client used for fetching OG tags is now a member of the OGTagCache struct, rather than a global variable. This improves testability and allows for more flexible configuration in the future. Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Update docs/docs/admin/configuration/open-graph.mdx Co-authored-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * docs: remove og tags references Signed-off-by: Jason Cameron <git@jasoncameron.dev> * refactor: rename url > u to not overlap package name Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Update internal/ogtags/cache.go Co-authored-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * Update internal/ogtags/cache.go Co-authored-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * fix(tests): Don't use network when network access is disabled Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Fix: Handle nil URL in GetOGTags (og-tags) Signed-off-by: Jason Cameron <git@jasoncameron.dev> * chore: sort installation docs alphabetically Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(tests): validate that no duplicate requests are made Signed-off-by: Jason Cameron <git@jasoncameron.dev> * style(tests): remove unused ok var Signed-off-by: Jason Cameron <git@jasoncameron.dev> * docs: convert to table fmt Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat(og-tags): Enhance OG tag fetching and caching Adds additional approved OG tags (`keywords`, `author`), improves Signed-off-by: Jason Cameron <git@jasoncameron.dev> * chore: update generated templ's after format Signed-off-by: Jason Cameron <git@jasoncameron.dev> * fix(tests): update integration_test.go to reflect the new behavior of fetchHTMLDocument Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Revert "data/botPolicies: allow iMessage scraper by default (#178)" This reverts commit 21a9d777 Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Fix: Simplify ogTags access in cache test. Didn't know this was possible! wow! Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Fix: Handle request timeouts when fetching OG tags (#og-tags) Cache a nil result for half the TTL to avoid repeatedly requesting a timed-out URL. Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Fix: make OG tags passthrough option function. Signed-off-by: Jason Cameron <git@jasoncameron.dev> * Fix: Handle timeouts and non-200 responses when fetching OG tags (og-tags) - Cache empty results for timeouts and non-200 status codes to avoid spamming the server. - Use a non-nil empty map to represent empty results in the cache, as nil would be a cache miss. Signed-off-by: Jason Cameron <git@jasoncameron.dev> * feat(og-tags): switch to http.MaxBytesReader Signed-off-by: Jason Cameron <git@jasoncameron.dev> * chore(og-tags): add noindex, nofollow meta tag and update error line numbers Signed-off-by: Jason Cameron <git@jasoncameron.dev> --------- Signed-off-by: Jason Cameron <git@jasoncameron.dev> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-04-06 20:02:12 -04:00
Henri Vasserman	b4a2e1a6a0	lib/anubis: actually check the result with the correct difficulty (#180 ) * cmd/anubis actually check the result with the correct difficulty * chore: changelog * test(cmd/anubis): make test check for difficulty * lib: add regression test for CVE-2025-24369 Signed-off-by: Xe Iaso <me@xeiaso.net> * bump VERSION and CHANGELOG Tracks #181 Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-03-31 18:42:12 -04:00
Henri Vasserman	57c3e9f1b2	Change how to make Anubis work without a reverse proxy (#86 ) * Change how to make Anubis work without a reverse proxy * Apply suggestions from code review Co-authored-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Henri Vasserman <henv@hot.ee> * add support for unix sockets. * add env var docs * lib: fix tests Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Henri Vasserman <henv@hot.ee> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>	2025-03-28 13:38:34 -04:00
Xe Iaso	7d4be0dcec	Apply bits of the cookie settings PR one by one (#140 ) Enables uses to change the cookie domain and partitioned flags. Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-03-27 15:24:03 -04:00
Xe Iaso	ecc6b47f90	Revert "lib/anubis: support setting extended cookie flags (#120 )" (#134 ) This reverts commit e7cbd349f3ff96788dc7a8540d29808ca72e1c44.	2025-03-26 20:50:54 -04:00
Xe Iaso	e7cbd349f3	lib/anubis: support setting extended cookie flags (#120 ) * lib/anubis: support setting extended cookie flags Signed-off-by: Xe Iaso <me@xeiaso.net> * lib: use cookie name consistently Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-03-26 19:04:18 -04:00
Xe Iaso	725e11d3a6	lib: fix default difficulty (#96 ) Before this did not respect the difficulty flag and instead used difficulty 4. This has been fixed. Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-03-23 18:46:01 -04:00

15 Commits