
Releases: m-barthelemy/vpn-webauth

Notifications and VPN Session Continuity

01 Dec 00:08
bcb6918

This release adds an option for the users to allow notifications after registering or signing up.

  • Browser notifications to users: instead of the VPN connection simply failing when a user needs to sign in to this app, they receive a clickable notification that takes them to the login page.

  • Automatic VPN session renewal: using background notifications, if a user connects to the VPN from a new source IP address, or if they don’t have a valid VPN session but still have a valid web session in this app, the browser is asked to send a “proof of session”.

    If the app validates the session and the browser IP matches the source IP of the VPN connection request, the user is transparently allowed to connect. This can improve the user experience significantly, and increases security a bit by allowing VPNSESSIONVALIDITY, which relies only on the VPN user identity and the source IP, to be set to a short duration.

    This is a best-effort feature: since Strongswan blocks while waiting for the result of the ext-auth plugin calling this app, we give up after 500ms if the browser hasn’t replied with a valid “proof of session”. Both the user-facing and background notifications require the browser to be running, but do not need this app to be active or even open.

  • MFAVALIDITY and VPNSESSIONVALIDITY must now be specified as a number plus a time unit. Examples: “30m”, “1d”, “12h30m”.

  • Improved security: cookies are now restricted to the exact host of the app; early abort if request body is too large; all requests are now time limited.
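The two items above describe a small protocol: the app keeps a VPN session keyed on identity and source IP, expires it after VPNSESSIONVALIDITY, and otherwise gives the browser a short window to prove a still-valid web session from the same IP. The following Go program is an added example written for this page, not code from vpn-webauth: it parses the new duration format (Go's time.ParseDuration has no day unit, so "1d" has to be handled separately), checks whether a stored session still covers a request, and waits for a "proof of session" with a 500ms deadline, accepting only a validated proof for the same identity from the same address. The VPNSession and ProofOfSession types, the function names, the channel used to deliver proofs and the sample identity and addresses are all assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// parseValidity parses the "number plus time unit" format of MFAVALIDITY and
// VPNSESSIONVALIDITY ("30m", "1d", "12h30m"). time.ParseDuration has no day
// unit, so an optional leading "<n>d" is split off first.
func parseValidity(s string) (time.Duration, error) {
	s = strings.TrimSpace(s)
	var days time.Duration
	if i := strings.IndexByte(s, 'd'); i >= 0 {
		n, err := strconv.Atoi(s[:i])
		if err != nil || n < 0 {
			return 0, fmt.Errorf("invalid day count in %q", s)
		}
		days = time.Duration(n) * 24 * time.Hour
		if s = s[i+1:]; s == "" {
			return days, nil
		}
	}
	rest, err := time.ParseDuration(s)
	if err != nil || rest < 0 {
		return 0, fmt.Errorf("invalid duration %q", s)
	}
	return days + rest, nil
}

// VPNSession is the last successful authentication stored for a VPN identity;
// ProofOfSession is the browser's reply to a background notification. Both are
// assumed shapes for this example, not the project's own types.
type VPNSession struct {
	Identity  string
	SourceIP  string
	CreatedAt time.Time
}

type ProofOfSession struct {
	Identity     string
	BrowserIP    string
	WebSessionOK bool // the app validated the browser's web session
}

var ErrNoProof = errors.New("no valid proof of session before deadline")

// sameIP compares parsed addresses, so "::ffff:203.0.113.7" equals
// "203.0.113.7" and a malformed string never matches anything.
func sameIP(a, b string) bool {
	ipA, ipB := net.ParseIP(a), net.ParseIP(b)
	return ipA != nil && ipB != nil && ipA.Equal(ipB)
}

// sessionValid: same identity, same source IP, and not older than validity.
func sessionValid(sess *VPNSession, identity, sourceIP string, validity time.Duration, now time.Time) bool {
	return sess != nil && sess.Identity == identity && sameIP(sess.SourceIP, sourceIP) &&
		now.Sub(sess.CreatedAt) <= validity
}

// awaitProof is the best-effort wait: the first proof that was validated, names
// the same identity and comes from the request's source IP wins; anything else
// is ignored, and the deadline bounds how long the ext-auth call stays blocked.
func awaitProof(identity, sourceIP string, proofs <-chan ProofOfSession, timeout time.Duration) error {
	timer := time.NewTimer(timeout)
	defer timer.Stop()
	for {
		select {
		case p := <-proofs:
			if p.WebSessionOK && p.Identity == identity && sameIP(p.BrowserIP, sourceIP) {
				return nil
			}
		case <-timer.C:
			return ErrNoProof
		}
	}
}

// decide handles one connection attempt: nil means the user may connect.
func decide(sess *VPNSession, identity, sourceIP string, validity time.Duration,
	proofs <-chan ProofOfSession, now time.Time, timeout time.Duration) error {
	if sessionValid(sess, identity, sourceIP, validity, now) {
		return nil
	}
	return awaitProof(identity, sourceIP, proofs, timeout)
}

func main() {
	validity, _ := parseValidity("12h30m")
	now := time.Now()
	sess := &VPNSession{Identity: "alice", SourceIP: "203.0.113.7", CreatedAt: now.Add(-2 * time.Hour)}
	// Constructed proof: the browser answers from the new source IP in time.
	proofs := make(chan ProofOfSession, 1)
	proofs <- ProofOfSession{Identity: "alice", BrowserIP: "198.51.100.9", WebSessionOK: true}
	fmt.Println("same IP:", decide(sess, "alice", "203.0.113.7", validity, nil, now, 500*time.Millisecond))
	fmt.Println("new IP, proof received:", decide(sess, "alice", "198.51.100.9", validity, proofs, now, 500*time.Millisecond))
}
```

A nil proofs channel never delivers, so a connection attempt with an expired session and no browser reply simply runs into the timer, which is the "give up after 500ms" behaviour; a proof that was not validated, names another identity or comes from a different address is dropped rather than rejected outright, so a later matching proof inside the window can still succeed.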

Display OTC expiry

25 Nov 23:54

Display one time code expiry date
Avoid 500 errors about favicon in the log

/vpn/check endpoint protection

25 Nov 00:44
  • The /vpn/check endpoint can now optionally be protected by a password set using the new VPNCHECKPASSWORD environment variable. In that case, the password also needs to be set in the Strongswan ext-auth configuration.
  • All the environment variables have been simplified by removing the VPNWA_ prefix.
  • There is a new vpn_connections table keeping an audit log of all the connection attempts received from the VPN server. Entries older than CONNECTIONSRETENTION days are purged during application startup. There is currently no feature in the application to query it.

TouchID and Security keys

24 Nov 00:54
  • The app now supports WebAuthn authentication using a physical security key, Apple TouchID/FaceID or Windows Hello.
    TouchID brings the best user experience and security for Apple device users (macOS Big Sur or iOS 14 required).
    Physical security keys are devices such as FIDO keys or YubiKeys.
    Users can have multiple additional authentication methods and are prompted to choose upon first use of the app.
    These new options offer a better user experience since the workflow is less disruptive and faster compared to the OTP token option.

  • The new VPNWA_EXCLUDEDIDENTITIES environment variable allows specifying a list of VPN identities that do not require any additional authentication and will always be allowed.

HTTPS Support

14 Nov 05:16
2563f0a

This release adds support for running the app in standalone mode (i.e. without any reverse proxy) with TLS.
The new environment variable VPNWA_SSLMODE selects the type of SSL setup.
3 new modes are supported:
  • auto: Use fully automated Let's Encrypt certificate generation. Magic!
  • custom: Provide a custom certificate and key.
  • proxy: Delegate TLS termination and management to a proxy such as Nginx; the app will still set the HSTS header and the Secure flag on its cookies.
  • none: Disables any active HTTPS support. The app can still be run behind an HTTPS proxy.
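The practical difference between these modes is whether the app may assume that clients reach it over HTTPS, which decides whether it should send an HSTS header and mark its cookies Secure. The Go program below is an added example for this page, not code from vpn-webauth: it maps the four VPNWA_SSLMODE values to that assumption, applies the proxy-mode rule from the list (HSTS and Secure cookie even though TLS terminates at the proxy), leaves both off in none mode, and sets no Domain attribute so the cookie stays scoped to the exact host, as the Notifications release above describes. The SSLMode type, the function names, the cookie name "session", the HttpOnly flag and the HSTS max-age value are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SSLMode mirrors the values accepted by VPNWA_SSLMODE.
type SSLMode string

const (
	ModeAuto   SSLMode = "auto"   // Let's Encrypt; the app terminates TLS
	ModeCustom SSLMode = "custom" // operator-supplied cert and key; the app terminates TLS
	ModeProxy  SSLMode = "proxy"  // a reverse proxy terminates TLS
	ModeNone   SSLMode = "none"   // no active HTTPS support
)

// parseSSLMode rejects anything outside the four documented values, so a typo
// in the environment does not silently fall back to plain HTTP behaviour.
func parseSSLMode(v string) (SSLMode, error) {
	switch m := SSLMode(strings.ToLower(strings.TrimSpace(v))); m {
	case ModeAuto, ModeCustom, ModeProxy, ModeNone:
		return m, nil
	default:
		return "", fmt.Errorf("unsupported SSL mode %q", v)
	}
}

// httpsAssumed reports whether clients reach the app over HTTPS in this mode,
// directly or through the proxy, so HSTS and Secure cookies are appropriate.
func httpsAssumed(m SSLMode) bool { return m != ModeNone }

// sessionCookie builds the session cookie. No Domain attribute is set, so the
// browser scopes it to the exact host the app was served from (assumed name
// "session" and HttpOnly flag).
func sessionCookie(m SSLMode, value string) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: value, Path: "/",
		HttpOnly: true, Secure: httpsAssumed(m),
	}
}

// withHSTS adds Strict-Transport-Security only when the app is known to be
// served over HTTPS; sending it in none mode would lock users out of a site
// that has no TLS (max-age value is an assumption).
func withHSTS(m SSLMode, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if httpsAssumed(m) {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		}
		next.ServeHTTP(w, r)
	})
}

// probe serves one request through the middleware and reports the HSTS header
// and whether the session cookie carried the Secure flag.
func probe(m SSLMode) (hsts string, secure bool) {
	h := withHSTS(m, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, sessionCookie(m, "constructed-session-id"))
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	res := rec.Result()
	for _, c := range res.Cookies() {
		if c.Name == "session" {
			secure = c.Secure
		}
	}
	return res.Header.Get("Strict-Transport-Security"), secure
}

func main() {
	for _, v := range []string{"auto", "custom", "proxy", "none"} {
		m, _ := parseSSLMode(v)
		hsts, secure := probe(m)
		fmt.Printf("%-6s HSTS=%q secure_cookie=%v\n", m, hsts, secure)
	}
}
```

Note the asymmetry the list implies: in proxy mode the app never sees a TLS handshake itself, yet it must still behave as an HTTPS site, whereas running behind an HTTPS proxy in none mode leaves those protections to the proxy.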

Add missing embedded font

13 Nov 14:34

Add missing embedded font

Fully self-contained binary

13 Nov 11:45

Building this project now generates a fully self-contained binary, including the HTML templates and static assets.

First working release

12 Nov 01:13
0.1

CSP for QR code