Merge branch 'main' into dependabot/go_modules/backend/github.com/lab…

…stack/echo/v4-4.11.1

.github/workflows/e2e.yml

@@ -55,3 +55,31 @@ jobs:
         if: always()
         working-directory: ./deploy/docker-compose
         run: docker compose -f "quickstart.yaml" down
+  nosignup:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Copy config
+        working-directory: ./deploy/docker-compose
+        run: cp config-disable-signup.yaml config.yaml
+
+      - name: Start containers
+        working-directory: ./deploy/docker-compose
+        run: docker compose -f "quickstart.yaml" up -d --build
+
+      - name: Install dependencies
+        working-directory: ./e2e
+        run: |
+          npm install
+          npx playwright install chromium
+
+      - name: Run tests
+        working-directory: ./e2e
+        run: npm run 'test:nosignup'
+
+      - name: Stop containers
+        if: always()
+        working-directory: ./deploy/docker-compose
+        run: docker compose -f "quickstart.yaml" down

.github/workflows/stale.yml

@@ -0,0 +1,24 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "30 1 * * *"
+  workflow_dispatch:
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v5
+        with:
+          days-before-issue-stale: 30
+          days-before-issue-close: 14
+          exempt-issue-labels: "EPIC"
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 30 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -50,7 +50,7 @@ If you want to use the Hanko backend API but prefer to build your own UI, you ca
 # Contact us
 Schedule a Hanko demo. Learn how Hanko will speed up your registration and login flows with passkeys.
 
-<a target="_blank" href="https://cal.com/team/hanko/hanko-demo"><img alt="Book us with Cal.com"  src="https://cal.com/book-with-cal-light.svg" /></a>
+<a target="_blank" href="https://cal.com/team/hanko/demo"><img alt="Book us with Cal.com"  src="https://cal.com/book-with-cal-light.svg" /></a>
 
 
 # Roadmap
@@ -77,18 +77,21 @@ We are currently in **Beta** and may introduce breaking changes. Watch our relea
 |✅| OAuth logins (Sign in with Apple/Google/GitHub) |
 |✅| i18n & custom translations |
 |✅| User import |
+|✅| Disable sign-ups |
+|⚙️| API-supported auth flows |
 |⚙️| Mobile SDKs |
+|⚙️| Basic email templating & i8n |
+| | 2FA for securing passcodes & passwords |
+| | Webhooks |
+| | Refresh tokens / sessions |
 | | Sign in with Microsoft |
+| | OIDC support |
+| | Enterprise SSO (OIDC/SAML) |
 
 Additional features that have been requested or that we would like to build but are currently not on the roadmap:
-- Basic email templating
-- Refresh tokens / sessions
-- 2FA for securing passcodes & passwords
-- Webhooks
 - Priviledged sessions & step-up authentication
 - Bot protection / Captcha
 - SMS passcode delivery
-- SAML support
 
 # Community
 ## Questions, bugs, ideas

backend/cmd/user/import.go

@@ -62,7 +62,7 @@ func NewImportCommand() *cobra.Command {
 					log.Fatal(err)
 				}
 
-				if response.StatusCode <= 200 || response.StatusCode > 299 {
+				if response.StatusCode < 200 || response.StatusCode > 299 {
 					log.Fatal(fmt.Errorf("failed to get file from url: %s", response.Status))
 				}
 

backend/config/config_test.go

@@ -15,6 +15,12 @@ func TestDefaultConfigNotEnoughForValidation(t *testing.T) {
 	}
 }
 
+func TestDefaultConfigAccountParameters(t *testing.T) {
+	cfg := DefaultConfig()
+	assert.Equal(t, cfg.Account.AllowDeletion, false)
+	assert.Equal(t, cfg.Account.AllowSignup, true)
+}
+
 func TestParseValidConfig(t *testing.T) {
 	configPath := "./config.yaml"
 	cfg, err := Load(&configPath)

backend/docs/Config.md

@@ -251,6 +251,19 @@ webauthn:
   # Default: 60000
   #
   timeout: 60000
+  ## user_verification ##
+  #
+  # Describes your requirements regarding local authorization with an authenticator through
+  # various authorization gesture modalities; for example, through a touch plus pin code,
+  # password entry, or biometric recognition.
+  #
+  # Must be one of "required", "preferred" or "discouraged".
+  #
+  # The setting applies to both WebAuthn registration and authentication ceremonies.
+  #
+  # Default: preferred
+  #
+  user_verification: preferred
   relying_party:
     ## id ##
     #
@@ -566,4 +579,11 @@ account:
   # Default: false
   #
   allow_deletion: false
+  ## allow_signup
+  #
+  # Users are able to sign up new accounts.
+  #
+  # Default: true
+  #
+  allow_signup: true
 ```

backend/dto/intern/WebauthnSessionData.go

@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
+	"github.com/gobuffalo/nulls"
 	"github.com/gofrs/uuid"
 	"github.com/teamhanko/hanko/backend/persistence/models"
 	"time"
@@ -27,6 +28,7 @@ func WebauthnSessionDataFromModel(data *models.WebauthnSessionData) *webauthn.Se
 		UserID:               userId,
 		AllowedCredentialIDs: allowedCredentials,
 		UserVerification:     protocol.UserVerificationRequirement(data.UserVerification),
+		Expires:              data.ExpiresAt.Time,
 	}
 }
 
@@ -58,5 +60,6 @@ func WebauthnSessionDataToModel(data *webauthn.SessionData, operation models.Ope
 		UpdatedAt:          now,
 		Operation:          operation,
 		AllowedCredentials: allowedCredentials,
+		ExpiresAt:          nulls.NewTime(data.Expires),
 	}
 }

backend/go.mod

@@ -3,12 +3,13 @@ module github.com/teamhanko/hanko/backend
 go 1.20
 
 require (
-	github.com/brianvoe/gofakeit/v6 v6.23.0
+	github.com/brianvoe/gofakeit/v6 v6.23.1
 	github.com/fatih/structs v1.1.0
-	github.com/go-playground/validator/v10 v10.14.1
+	github.com/go-playground/validator/v10 v10.15.0
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/go-testfixtures/testfixtures/v3 v3.9.0
-	github.com/go-webauthn/webauthn v0.8.2
+	github.com/go-webauthn/webauthn v0.8.6
+	github.com/gobuffalo/nulls v0.4.2
 	github.com/gobuffalo/pop/v6 v6.1.1
 	github.com/gobuffalo/validate/v3 v3.3.3
 	github.com/gobwas/glob v0.2.3
@@ -27,14 +28,15 @@ require (
 	github.com/nicksnyder/go-i18n/v2 v2.2.1
 	github.com/ory/dockertest/v3 v3.10.0
 	github.com/pkg/errors v0.9.1
-	github.com/rs/zerolog v1.29.1
+	github.com/rs/zerolog v1.30.0
 	github.com/sethvargo/go-limiter v0.7.2
 	github.com/sethvargo/go-redisstore v0.3.0
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/crypto v0.11.0
-	golang.org/x/oauth2 v0.10.0
-	golang.org/x/text v0.11.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1
+	golang.org/x/oauth2 v0.11.0
+	golang.org/x/text v0.12.0
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -66,21 +68,21 @@ require (
 	github.com/go-faster/errors v0.6.1 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/revoke v0.1.9 // indirect
+	github.com/go-webauthn/x v0.1.4 // indirect
 	github.com/gobuffalo/envy v1.10.2 // indirect
 	github.com/gobuffalo/fizz v1.14.4 // indirect
 	github.com/gobuffalo/flect v1.0.0 // indirect
 	github.com/gobuffalo/github_flavored_markdown v1.1.3 // indirect
 	github.com/gobuffalo/helpers v0.6.7 // indirect
-	github.com/gobuffalo/nulls v0.4.2 // indirect
 	github.com/gobuffalo/plush/v4 v4.1.18 // indirect
 	github.com/gobuffalo/tags/v3 v3.1.4 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-tpm v0.3.3 // indirect
+	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
@@ -148,10 +150,10 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.opentelemetry.io/otel v1.15.0 // indirect
 	go.opentelemetry.io/otel/trace v1.15.0 // indirect
-	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/net v0.14.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.7.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect