diff --git a/Cargo.lock b/Cargo.lock index 64557413c..9e9269cca 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4800,6 +4800,9 @@ name = "rauthy-service" version = "0.32.6" dependencies = [ "actix-web", + "atrium-api", + "atrium-common", + "atrium-oauth", "chrono", "cryptr", "openssl", diff --git a/config.toml b/config.toml index 4e3008ea4..8f71669c4 100644 --- a/config.toml +++ b/config.toml @@ -2068,6 +2068,29 @@ key_path = 'tls/key.pem' # overwritten by: TLS_GENERATE_SELF_SIGNED generate_self_signed = true +[tos] + +# The timeout in seconds for a user to accept update ToS during the +# login flow. +# The initial lifetime of an AuthCode after a successful authentication +# will be extended by the `accept_timeout`. This gives the user a bit +# more time to read through updates ToS and avoids an AuthCode expiry +# if it takes a bit longer. This is mainly a UX improvement. After the +# ToS have been accepted, the original AuthCode will be re-saved with +# the actual lifetime to not weaken the security in these cases. +# +# CAUTION: Even though you can extend the lifetime on Rauthys side, you +# can run into issues with logins on the client side. For legal reasons, +# accepting updated ToS must happen after a successful login but before +# providing any access. Login flows are not only time-limited on Rauthys +# side, but most often also on the client side. This means if it takes +# too long to read and accept update ToS, the user may run into an auth +# error and do the login again. +# +# default: 900 +# overwritten by: TOS_ACCEPT_TIMEOUT +accept_timeout = 900 + [user_pictures] # The storage type for user pictures. # By default, they are saved inside the Database, which is not ideal. diff --git a/dev_notes.md b/dev_notes.md index bded038b7..98e55434a 100644 --- a/dev_notes.md +++ b/dev_notes.md @@ -2,6 +2,12 @@ ## CURRENT WORK +ToS TODO + +- handle updates during immediate login refresh +- handle updates during AuthProvider logins +- find a clean way to handle updates during Webauthn logins + ## Stage 1 - essentials [x] finished diff --git a/frontend/src/api/types/tos.ts b/frontend/src/api/types/tos.ts new file mode 100644 index 000000000..cb1b8bf52 --- /dev/null +++ b/frontend/src/api/types/tos.ts @@ -0,0 +1,35 @@ +export interface ToSRequest { + is_html: boolean; + content: string; +} + +export interface ToSUserAcceptRequest { + tos_ts: number; + // 65 char code + accept_code: string; +} + +export interface ToSResponse { + ts: number; + author: string; + is_html: boolean; + content: string; +} + +export interface ToSAwaitLoginResponse { + code: string; + user_id: string; +} + +export interface ToSLatestResponse { + ts: number; + is_html: boolean; + content: string; +} + +export interface ToSUserAcceptResponse { + user_id: string; + tos_ts: number; + accept_ts: number; + location: string; +} diff --git a/frontend/src/api/types/webauthn.ts b/frontend/src/api/types/webauthn.ts index 92fd0e8ac..4a678d9c6 100644 --- a/frontend/src/api/types/webauthn.ts +++ b/frontend/src/api/types/webauthn.ts @@ -1,13 +1,13 @@ export interface PasskeyResponse { - name: string, - /// Unix timestamp in seconds - registered: number, - /// Unix timestamp in seconds - last_used: number, - user_verified?: boolean, + name: string; + /// Unix timestamp in seconds + registered: number; + /// Unix timestamp in seconds + last_used: number; + user_verified?: boolean; } export interface WebauthnDeleteRequest { - /// 32 chars long MfaModToken.id - mfa_mod_token_id?: string, -} \ No newline at end of file + /// 32 chars long MfaModToken.id + mfa_mod_token_id?: string; +} diff --git a/frontend/src/i18n/admin/de.ts b/frontend/src/i18n/admin/de.ts index 9d3f5a81c..0e433e98b 100644 --- a/frontend/src/i18n/admin/de.ts +++ b/frontend/src/i18n/admin/de.ts @@ -1,441 +1,456 @@ -import type {I18nAdmin} from "./interface.ts"; +import type { I18nAdmin } from './interface.ts'; export let I18nAdminDe: I18nAdmin = { - api_key: { - delete1: "Soll dieser API Key wirklich gelöscht werden?", - expires: "Erlischt", - generate1: "Hier kann ein neues Secret für diesen API Key generiert werden.", - generate2: `Das Secret wird nur einmalig direkt nach dem Generieren angezeigt. + api_key: { + delete1: 'Soll dieser API Key wirklich gelöscht werden?', + expires: 'Erlischt', + generate1: 'Hier kann ein neues Secret für diesen API Key generiert werden.', + generate2: `Das Secret wird nur einmalig direkt nach dem Generieren angezeigt. Wenn ein Neues generiert wurde, wird das Alte unmittelbar, permanent überschrieben. Diese Operation kann nicht rückgängig gemacht werden!`, - generate3: `Der API Key muss im HTTP Authorization Header im folgenden + generate3: `Der API Key muss im HTTP Authorization Header im folgenden Format mitgegeben werden:`, - generate4: "Der folgende curl request kann zum Testen des Keys verwendet werden:", - generate5: "Sollte jq nicht installiert sein, hier eine Version ohne:", - keyName: "Key Name", - limitedValidity: "Begrenzte Gültigkeit", - }, - attrs: { - delete1: "Soll dieses Attribut wirklich gelöscht werden?", - defaultValue: "Standard Wert", - desc: "Beschreibung", - makeEditable: "Editierbar machen", - makeEditableP1: "Dieses Attribut kann durch Benutzer editierbar gemacht werden.", - makeEditableP2: `ACHTUNG: Diese Änderung kann niemals rückgängig gemacht werden! Jegliche Angaben durch + generate4: 'Der folgende curl request kann zum Testen des Keys verwendet werden:', + generate5: 'Sollte jq nicht installiert sein, hier eine Version ohne:', + keyName: 'Key Name', + limitedValidity: 'Begrenzte Gültigkeit' + }, + attrs: { + delete1: 'Soll dieses Attribut wirklich gelöscht werden?', + defaultValue: 'Standard Wert', + desc: 'Beschreibung', + makeEditable: 'Editierbar machen', + makeEditableP1: 'Dieses Attribut kann durch Benutzer editierbar gemacht werden.', + makeEditableP2: `ACHTUNG: Diese Änderung kann niemals rückgängig gemacht werden! Jegliche Angaben durch einen Benutzer direkt sind immer unvalidiert und dürfen NIEMALS für irgengeine Form von Authentifizierung oder Authorisierung genutzt werden!`, - makeEditableP3: `Ein Attribut kann deshalb niemals von editierbar zu nicht-editierbar gewandelt werden, weil + makeEditableP3: `Ein Attribut kann deshalb niemals von editierbar zu nicht-editierbar gewandelt werden, weil für eine gewisse Zeit, unabhängig von der Dauer, unvalidierte Eingaben erlaubt waren.`, - name: "Attribut Name", - userEditable: "Durch Benutzer Editierbar", - }, - backup: { - createBackup: "Backup Erstellen", - disabledDesc: "Diese Funktionen stehen nur zur Verfügung, wenn Hiqlite als Datenbank konfiguriert ist.", - lastModified: "Zuletzt Modifiziert", - local: "Lokal", - name: "Name", - size: "Größe", - }, - clients: { - backchannelLogout: "Sollte dieser client {{ OIDC_BCL }} unterstützen, kann die URI hier angegeben werden.", - branding: { - descHsl: `Die folgenden Werte müssen als HSL angegeben werden. Hier wird nur die Basis-Farbe + name: 'Attribut Name', + userEditable: 'Durch Benutzer Editierbar' + }, + backup: { + createBackup: 'Backup Erstellen', + disabledDesc: + 'Diese Funktionen stehen nur zur Verfügung, wenn Hiqlite als Datenbank konfiguriert ist.', + lastModified: 'Zuletzt Modifiziert', + local: 'Lokal', + name: 'Name', + size: 'Größe' + }, + clients: { + backchannelLogout: + 'Sollte dieser client {{ OIDC_BCL }} unterstützen, kann die URI hier angegeben werden.', + branding: { + descHsl: `Die folgenden Werte müssen als HSL angegeben werden. Hier wird nur die Basis-Farbe definiert. Alpha Kanäle und andere Werte werden vom Theme dynamisch angepasst.`, - descFullCss: `Die folgenden Werte müssen vollständig gültige Angaben für CSS color sein. + descFullCss: `Die folgenden Werte müssen vollständig gültige Angaben für CSS color sein. Es können auch komplexe Kalkulationen oder die oben definierten CSS Variables genutzt werden.`, - descVariables: `Jede nachfolgende Beschriftung ist gleichzeitig der Name der CSS Variable. Das heisst, + descVariables: `Jede nachfolgende Beschriftung ist gleichzeitig der Name der CSS Variable. Das heisst, dass z.B. die freien Eingaben wiederum die Variablen referenzieren können, z.B. mit - hsla(var(--action) / .7).`, - }, - confidential: "Vertraulich", - confidentialNoSecret: "Dies is kein vertraulicher Client und hat somit kein Secret.", - config: "Client Konfiguration", - delete1: "Soll dieser Client wirklich gelöscht werden?", - descAuthCode: `Die Gültigkeit der Auth Codes kann angepasst werden um zusätzliche Sicherheit + hsla(var(--action) / .7).` + }, + confidential: 'Vertraulich', + confidentialNoSecret: 'Dies is kein vertraulicher Client und hat somit kein Secret.', + config: 'Client Konfiguration', + delete1: 'Soll dieser Client wirklich gelöscht werden?', + descAuthCode: `Die Gültigkeit der Auth Codes kann angepasst werden um zusätzliche Sicherheit zu gewinnen. Auth Codes können nur einmalig verwendet werden und sind normalerweise für 60 Sekunden gültig. Je kürzer, desto besser, so lange der Client den Code schnell genug nutzen kann.`, - descClientUri: `Informationen über URI und Kontakte dieses Clients zur Anzeige + descClientUri: `Informationen über URI und Kontakte dieses Clients zur Anzeige auf der Login Seite.`, - descName: `Der Client Name kann geändert werden ohne Einfluss auf die Konfiguration. + descName: `Der Client Name kann geändert werden ohne Einfluss auf die Konfiguration. Er dient lediglich der Anzeige auf der Login Seite.`, - descGroupPrefix: `Der Login für diesen Client kann limitiert werden durch ein optionales Gruppen Prefix. + descGroupPrefix: `Der Login für diesen Client kann limitiert werden durch ein optionales Gruppen Prefix. Nur Benutzer, die zur entsprechenden Gruppe gehören, dürfen sich bei diesem Client einloggen.`, - descOrigin: `Externe, zusätzlich erlaubte Origins - normalerweise nur notwendig, wenn dieser + descOrigin: `Externe, zusätzlich erlaubte Origins - normalerweise nur notwendig, wenn dieser Client direkt aus dem Browser heraus Requests zu Rauthy machen muss, typischerweise SPAs.`, - descPKCE: `Wenn der Client Support für PKCE hat, sollte zur zusätzlichen Sicherheit immer S256 + descPKCE: `Wenn der Client Support für PKCE hat, sollte zur zusätzlichen Sicherheit immer S256 PKCE aktiviert werden. Wenn ein nicht-vertraulicher Client (z.B. eine SPA) genutzt wird, muss mindestens eine PKCE Challenge aktiviert sein, um ausreichend Sicherheit bieten zu können.`, - descPKCEEnforce: `Wenn PKCE aktiviert ist, erzwingt Rauthy die Nutzung and verweigert Logins, + descPKCEEnforce: `Wenn PKCE aktiviert ist, erzwingt Rauthy die Nutzung and verweigert Logins, die keine korrekte Challenge bereit stellen.`, - descUri: `Es können beliebig viele Redirect URIs angegeben werden. Am Ende einer Jeden wird + descUri: `Es können beliebig viele Redirect URIs angegeben werden. Am Ende einer Jeden wird optional * als Wildcard akzeptiert.`, - errConfidentialPKCE: `Der Client muss entweder vertraulich sein oder mindestens eine PKCE + errConfidentialPKCE: `Der Client muss entweder vertraulich sein oder mindestens eine PKCE Challenge aktiviert haben.`, - forceMfa: "MFA Erzwingen", - groupLoginPrefix: "Login Gruppen Prefix", - name: "Client Name", - scim: { - baseUri: `Die SCIM base URI muss jene sein, von der Sub-Routen wie + forceMfa: 'MFA Erzwingen', + groupLoginPrefix: 'Login Gruppen Prefix', + name: 'Client Name', + scim: { + baseUri: `Die SCIM base URI muss jene sein, von der Sub-Routen wie {base_uri}/Users/{id} korrekt abgeleitet werden können.`, - desc: "Sollte dieser client {{ SCIM_LINK }} unterstützen, kann es hier aktiviert werden.", - enable: "SCIMv2 aktivieren", - groupSync: "Gruppen synchronisieren", - groupSyncPrefix: "Gruppen Filter Prefix", - groupSyncPrefixDesc: `Die zu synchronisierenden Gruppen können per optionalem Prefix gefiltert werden. + desc: 'Sollte dieser client {{ SCIM_LINK }} unterstützen, kann es hier aktiviert werden.', + enable: 'SCIMv2 aktivieren', + groupSync: 'Gruppen synchronisieren', + groupSyncPrefix: 'Gruppen Filter Prefix', + groupSyncPrefixDesc: `Die zu synchronisierenden Gruppen können per optionalem Prefix gefiltert werden. Wenn z.B. Gruppen wie app:admins und app:users existieren, würde das Prefix app: dafür sorgen, dass nur diese Gruppen synchronisiert werden, wie auch nur jene Benutzer, die zu mindestens einer dieser Gruppen gehören.`, - reqDesc: "Es gibt folgende Bedingungen für die Kompaibilität:", - reqLi1: "Der client muss externalId korrekt handhaben.", - reqLi2: `Mindestens die /Users endpunkte mit filter=externalId eq "*" und + reqDesc: 'Es gibt folgende Bedingungen für die Kompaibilität:', + reqLi1: 'Der client muss externalId korrekt handhaben.', + reqLi2: `Mindestens die /Users endpunkte mit filter=externalId eq "*" und filter=userName eq "*" müssen unterstützt sein.`, - reqLi3: `Wenn Gruppen sychronisiert werden sollen, so müssen unter /Groups zusätzlich - filter=displayName eq "*" unterstützt sein.`, - }, - scopes: { - allowed: "Erlaubte Scopes", - default: "Standard Scopes", - desc: `Erlaubte Scopes sind diejenigen, die der Client dynamisch beim Redirect zum Login + reqLi3: `Wenn Gruppen sychronisiert werden sollen, so müssen unter /Groups zusätzlich + filter=displayName eq "*" unterstützt sein.` + }, + scopes: { + allowed: 'Erlaubte Scopes', + default: 'Standard Scopes', + desc: `Erlaubte Scopes sind diejenigen, die der Client dynamisch beim Redirect zum Login im authorization_code flow anfordern kann. Die standard Scopes werden hingegen immer hinzugefügt und können Probleme lösen, wenn z.B. der password Flow verwendet - wird.`, - }, - secret: { - doCache: "Client Secret cachen", - cacheDuration: "Cache Dauer (Stunden)", - generate: "Neues Secret Generieren", - rotateDesc1: `Um unterbrechungsfreie Updates durchfürhen zu können, ist es möglich, das bestehende Secret + wird.` + }, + secret: { + doCache: 'Client Secret cachen', + cacheDuration: 'Cache Dauer (Stunden)', + generate: 'Neues Secret Generieren', + rotateDesc1: `Um unterbrechungsfreie Updates durchfürhen zu können, ist es möglich, das bestehende Secret für eine gewisse Zeit im in-memory Cache zu behalten. Es kann ein Wert zwischen 1 und 24 Stunden angegeben werden.`, - rotateDesc2: "Achtung: Das derzeitige Secret sollte nicht im Cache behalten werden, wenn es ein Leak gab!", - }, - tokenLifetime: { - p1: `Die Token Lifetime wird auf Access und ID Tokens angewandt und wird in Sekunden angegeben.`, - p2: `Sollte der Client EdDSA / ed25519 Algorithmen unterstützen, sollte dies die bevorzugte Wahl + rotateDesc2: + 'Achtung: Das derzeitige Secret sollte nicht im Cache behalten werden, wenn es ein Leak gab!' + }, + tokenLifetime: { + p1: `Die Token Lifetime wird auf Access und ID Tokens angewandt und wird in Sekunden angegeben.`, + p2: `Sollte der Client EdDSA / ed25519 Algorithmen unterstützen, sollte dies die bevorzugte Wahl sein. RSA Algorithmen existieren lediglich aus Kompatibilitätsgründen.`, - p3: `Der Algorithmus für Refresh Tokens kann nicht geändert werden, da diese nur von Rauthy - genutzt werden sollten.`, - }, - }, - common: { - account: "Account", - addNew: "Neu Hinzufügen", - back: "Zurück", - caution: "ACHTUNG", - contact: "Kontakt", - copiedToClip: "Wert wurde in die Zwischenablage kopiert", - details: "Details", - edit: "Bearbeiten", - enabled: "Aktiviert", - filter: "Filter", - from: "Von", - information: "Informationen", - language: "Sprache", - loading: "Lade", - name: "Name", - nameExistsAlready: "Name existiert bereits", - note: "Notiz", - noEntries: "Keine Einträge", - reset: "Zurücksetzen", - searchOptions: "Suchoptionen", - until: "Bis", - }, - docs: { - book: "Für generelle Dokumentation für Rauthy existiert das", - encryption: "Verschlüsselung", - encKeys: { - header: "Encryption Keys", - keyActive: "Aktiver Key", - keysAvailable: "Verfügbare Keys", - migrate: "Migrieren", - migrateToKey: "Migriere alle Werte zu folgendem Encryption Key", - p1: `Diese Schlüssel werden für die zusätzliche Verschlüsselung in verschiedenen Situationen genutzt, wie + p3: `Der Algorithmus für Refresh Tokens kann nicht geändert werden, da diese nur von Rauthy + genutzt werden sollten.` + } + }, + common: { + account: 'Account', + addNew: 'Neu Hinzufügen', + back: 'Zurück', + caution: 'ACHTUNG', + contact: 'Kontakt', + copiedToClip: 'Wert wurde in die Zwischenablage kopiert', + details: 'Details', + edit: 'Bearbeiten', + enabled: 'Aktiviert', + filter: 'Filter', + from: 'Von', + information: 'Informationen', + language: 'Sprache', + loading: 'Lade', + name: 'Name', + nameExistsAlready: 'Name existiert bereits', + note: 'Notiz', + noEntries: 'Keine Einträge', + reset: 'Zurücksetzen', + searchOptions: 'Suchoptionen', + until: 'Bis' + }, + docs: { + book: 'Für generelle Dokumentation für Rauthy existiert das', + encryption: 'Verschlüsselung', + encKeys: { + header: 'Encryption Keys', + keyActive: 'Aktiver Key', + keysAvailable: 'Verfügbare Keys', + migrate: 'Migrieren', + migrateToKey: 'Migriere alle Werte zu folgendem Encryption Key', + p1: `Diese Schlüssel werden für die zusätzliche Verschlüsselung in verschiedenen Situationen genutzt, wie z.B. gewisse Werte innerhalb der Datenbank oder Session Cookies. Sie sind statisch konfiguriert, aber können als best-practice manuell rotiert werden.`, - p2: `Der aktive Schlüssel ist ebenfalls statisch im Rauthy config file gesetzt. Alle neu-verschlüsselten + p2: `Der aktive Schlüssel ist ebenfalls statisch im Rauthy config file gesetzt. Alle neu-verschlüsselten Werte werden mit dem aktiven Schlüssel verschlüsselt, während alte zur Rückwärts-Kompatibilität parallel existieren können.`, - p3: `Das Migrieren aller verschlüsselten Werte an dieser Stelle kann, je nach System, einige Zeit in + p3: `Das Migrieren aller verschlüsselten Werte an dieser Stelle kann, je nach System, einige Zeit in Anspruch nehmen.`, - pNotPossible: 'Zur Migration müssen mindestens 2 Encryption Keys vorhanden sein.', - }, - hashing: { - calculate: "Berechnen", + pNotPossible: 'Zur Migration müssen mindestens 2 Encryption Keys vorhanden sein.' + }, + hashing: { + calculate: 'Berechnen', - currValuesHead: 'Derzeitige Werte', - currValues1: 'Die derzeitigen im Backend konfigurierten Werte sind die folgenden:', - currValuesNote: `Notiz: Die Login Zeit vom Backend wird nur dann eine gute Richtlinie sein, nachdem + currValuesHead: 'Derzeitige Werte', + currValues1: 'Die derzeitigen im Backend konfigurierten Werte sind die folgenden:', + currValuesNote: `Notiz: Die Login Zeit vom Backend wird nur dann eine gute Richtlinie sein, nachdem mindestens 5 erfolgreiche Logins seit dem letzten Neustart gemacht wurden. Der Ausgangswert ist immer 2000 ms und wird mit jedem erfolgreichen Login neu gemittelt.`, - currValuesThreadsAccess: 'Threads (p_cost) die Rauthy zur Verfügung stehen', + currValuesThreadsAccess: 'Threads (p_cost) die Rauthy zur Verfügung stehen', - loginTimeHead: 'Ein paar Worte zur Login Zeit', - loginTime1: `Generell möchten User alles so schnell wie möglich. Für eine sichere Login Prozedur jedoch + loginTimeHead: 'Ein paar Worte zur Login Zeit', + loginTime1: `Generell möchten User alles so schnell wie möglich. Für eine sichere Login Prozedur jedoch sollte mindestens eine Dauer von 500 - 1000 ms anvisiert werden and kein Problem darstellen. Die Zeit zum Passwort Hashing darf nicht zu kurz gewählt werden, weil dadurch die Stärke des Hashes reduziert werden würde.`, - loginTime2: `Um standardmäßig genügend Sicherheit zu gewährleisten, erlaubt dieses Tool keine kleineren + loginTime2: `Um standardmäßig genügend Sicherheit zu gewährleisten, erlaubt dieses Tool keine kleineren Werte als 500 ms für die Login Zeit.`, - mCost1: `Die m_cost definiert die Menga an Speicher (in kB) die zum Hashing verwendet + mCost1: `Die m_cost definiert die Menga an Speicher (in kB) die zum Hashing verwendet wird. Je höher dieser Wert, umso besser (sicherer), aber die notwendigen Ressourcen müssen natürlich vorhanden sein.
Wenn z.B. 4 Passwörter zur selben Zeit gehasht werden, wird selbstverständlich 4 x m_cost an Speicher benötigt, was zu jeder Zeit zur Verfügung stehen muss.`, - mCost2: `Den "richtigen" Wert für m_cost zu finden ist glücklicherweise sehr einfach. Definiere + mCost2: `Den "richtigen" Wert für m_cost zu finden ist glücklicherweise sehr einfach. Definiere das Maximum an Speicher, das Rauthy nutzen sollte, dividiere die Menge durch die Anzahl paralleler Logins, die möglich sein sollten (MAX_HASH_THREADS) und ziehe hier von eine gewisse statische Menge ab. Die Höhe des statisch benötigten Speichers hängt von der gewählten Datenbank und Anzahl Benutzer ab, jedoch wird sie in den meisten Fällen im Bereich von 32 - 96 MB sein.`, - pCost1: `p_cost definiert den Parallelismus fürs Hashing.
+ pCost1: `p_cost definiert den Parallelismus fürs Hashing.
In den meisten Fällen erhöhen Werte jenseits von 8 nichts mehr die benötigte Zeit, weil der Algorithmus gesättigt sein wird. Dies ist auch der Standardwert für Rauthy.`, - pCost2: `Die generelle Regel lautet:
+ pCost2: `Die generelle Regel lautet:
Setze p_cost auf den zweifachen Wert der verfügbares CPU Kerne.
Wenn z.B. 4 Kerne zur Verfügung stehen, wäre eine p_cost von 8 ein guter Wert.
Der Wert muss allerdings die maximale Anzahl parallel erlaubter Logins (MAX_HASH_THREADS) berücksichtigen und ggf. entsprechend reduziert werden.`, - tCost1: `t_cost ist ein Multiplikator für die Zeit fürs Hashing. Dies ist der einzige + tCost1: `t_cost ist ein Multiplikator für die Zeit fürs Hashing. Dies ist der einzige Wert, der durch Testen auf der Zielarchitektur gefunden werden muss, weil m_cost und p_cost gewissenermaßen vorgegeben sind.`, - tCost2: `Das Finden des Wertes ist einfach: Setze m_cost und p_cost wie oben + tCost2: `Das Finden des Wertes ist einfach: Setze m_cost und p_cost wie oben erklärt und erhöhe t_cost so lange, bis die gewünschte Login Zeit erreicht wird.`, - utilityHead: 'Parameter Berechnungs-Werkzeug', - utility1: `Das folgende Werkzeug kann zum Finden passender Werte für dieses Rauthy deployment genutzt + utilityHead: 'Parameter Berechnungs-Werkzeug', + utility1: `Das folgende Werkzeug kann zum Finden passender Werte für dieses Rauthy deployment genutzt werden. Da die Werte von sehr vielen Faktoren abhängen, sollten dieser auf der finalen Architektur eingestellt werden, am besten zu Zeiten der am höchsten erwarteten Last, um keine zu hohen Werte einzustellen.`, - utility2: `m_cost ist Optional und der als minimal sichere Wert von 32768 würde automatisch + utility2: `m_cost ist Optional und der als minimal sichere Wert von 32768 würde automatisch gewählt werden. Sollte p_cost ebenfalls nicht gegeben sein, so wird Rauthy die maximal verfügbare Menge and Kernen nutzen.`, - time: "Zeit", - targetTime: "Ziel-Zeit", - tune: 'Wichtig: Diese Werten müssen auf der finalen Architektur eingestellt werden!', - pDetials: `Für eine detailiertere Einführung in den Argon2ID Alrogithmus stehen vielen Quellen online zur + time: 'Zeit', + targetTime: 'Ziel-Zeit', + tune: 'Wichtig: Diese Werten müssen auf der finalen Architektur eingestellt werden!', + pDetials: `Für eine detailiertere Einführung in den Argon2ID Alrogithmus stehen vielen Quellen online zur Verfügung. Hier werden nur ganz kurz die Werte erklärt. Die folgenden drei Werte müssen konfiguriert werden:`, - pTune: `Die Werte können stark variieren in Abhängigkeit vom System und der generellen Systemlast. Je + pTune: `Die Werte können stark variieren in Abhängigkeit vom System und der generellen Systemlast. Je stärker das System, desto sicherere Werte können gewählt werden.`, - pUtility: `Dieses Werkzeug ist eine Hilfe zum Finden der besten Argon2ID Werte für das jeweilige System. + pUtility: `Dieses Werkzeug ist eine Hilfe zum Finden der besten Argon2ID Werte für das jeweilige System. Argon2ID is der derzeit sicherste, verfügbare Passwort Hashing Algorithmus. Um das volle Potential ausschöpfen zu können, müssen die Werte allerdings auf das System angepasst werden.`, - mCost3: "Der minimal erlaubte Wert für m_cost ist 32768." - }, - openapi: "Zur Integration einer externen Applikation via Rauthy's API gibt es das", - openapiNote: `In Abhängigkeit von der Konfiguration ist das Swagger UI nicht öffentlich zugänglich übber den + mCost3: 'Der minimal erlaubte Wert für m_cost ist 32768.' + }, + openapi: "Zur Integration einer externen Applikation via Rauthy's API gibt es das", + openapiNote: `In Abhängigkeit von der Konfiguration ist das Swagger UI nicht öffentlich zugänglich übber den oben genannten Link. Es ist allerdings (standardmäßig) über den internen metrics server verfügbar zur Reduzierung der Angriffsfläche.`, - source: "Der source code kann hier gefunden werden", - }, - error: { - needsAdminRole: 'Um Zugriff zu erhalten ist die Rolle rauthy_admin notwendig.', - noAdmin: `Für Rauthy Admin Accounts ist MFA Pflicht.
+ source: 'Der source code kann hier gefunden werden' + }, + error: { + needsAdminRole: 'Um Zugriff zu erhalten ist die Rolle rauthy_admin notwendig.', + noAdmin: `Für Rauthy Admin Accounts ist MFA Pflicht.
Im Account kann ein Passkey hinterlegt und MFA aktiviert werden.
- Danach muss ein Logout und neuer Login folgen`, - }, - events: { - eventLevel: "Event Level", - eventType: "Event Typ", - }, - groups: { - delete1: "Soll diese Gruppe wirklich gelöscht werden?", - name: "Gruppenname", - }, - jwks: { - alg: "Algorithmus", - p1: "Dies sind die Json Web Keys (JWKs) die für das Signieren der Tokens genutzt werden.", - p2: `JWKs werden standardmäßig automatisch an jedem 1. des Monats rotiert. Für alle neuen Tokens wird + Danach muss ein Logout und neuer Login folgen` + }, + events: { + eventLevel: 'Event Level', + eventType: 'Event Typ' + }, + groups: { + delete1: 'Soll diese Gruppe wirklich gelöscht werden?', + name: 'Gruppenname' + }, + jwks: { + alg: 'Algorithmus', + p1: 'Dies sind die Json Web Keys (JWKs) die für das Signieren der Tokens genutzt werden.', + p2: `JWKs werden standardmäßig automatisch an jedem 1. des Monats rotiert. Für alle neuen Tokens wird immer die aktuellste Version eines Keys für den jeweiligen Algorithmus verwerndet. Alte Keys werden für eine Weile behalten um bestehende Tokens validieren zu können und nach einer gewissen Zeit automatisch gelöscht.`, - p3: `Die Keys können manuell rotiert werden. Abhängig von der Hardware auf der diese Rauthy Instanz läuft, + p3: `Die Keys können manuell rotiert werden. Abhängig von der Hardware auf der diese Rauthy Instanz läuft, kann dies einige Sekunden in Anspruch nehmen.`, - type: "Typ", - rotateKeys: "Keys Rotieren", - }, - nav: { - apiKeys: "API Keys", - attributes: "Attribute", - blacklist: "Blacklist", - clients: "Clients", - config: "Konfiguration", - docs: "Dokumentation", - events: "Events", - groups: "Gruppen", - providers: "Provider", - roles: "Rollen", - scopes: "Scopes", - sessions: "Sessions", - users: "Benutzer", - }, - options: { - expires: "Erlischt", - lastSeen: "Zuletzt Gesehen", - state: "Status", - }, - pam: { - addGroup: "Neue PAM Gruppe", - addHost: "Neuer PAM Host", - addUser: "Neuer PAM Benutzer", - deleteHost: "Soll dieser Host wirklich gelöscht werden?", - groupDescGeneric: `Generic Gruppen sind das Pendant zu Einträgen, die man überlicherweise in /etc/group finden + type: 'Typ', + rotateKeys: 'Keys Rotieren' + }, + nav: { + apiKeys: 'API Keys', + attributes: 'Attribute', + blacklist: 'Blacklist', + clients: 'Clients', + config: 'Konfiguration', + docs: 'Dokumentation', + events: 'Events', + groups: 'Gruppen', + providers: 'Provider', + roles: 'Rollen', + scopes: 'Scopes', + sessions: 'Sessions', + users: 'Benutzer' + }, + options: { + expires: 'Erlischt', + lastSeen: 'Zuletzt Gesehen', + state: 'Status' + }, + pam: { + addGroup: 'Neue PAM Gruppe', + addHost: 'Neuer PAM Host', + addUser: 'Neuer PAM Benutzer', + deleteHost: 'Soll dieser Host wirklich gelöscht werden?', + groupDescGeneric: `Generic Gruppen sind das Pendant zu Einträgen, die man überlicherweise in /etc/group finden würde. Benutzer können diesen zugewiesen werden und sie werden durch NSS Lookups ans System zurückgeliefert.`, - groupDescHost: `Host-Gruppen dienen der Gruppierung von Hosts. NSS lookups eines Hosts innerhalb der Gruppe + groupDescHost: `Host-Gruppen dienen der Gruppierung von Hosts. NSS lookups eines Hosts innerhalb der Gruppe liefern als Ergebnis sämtliche anderen Hosts innerhalb dieser zurück. Benutzer können Zugriff auf Hosts bekommen, indem sie wiederum einer Host-Gruppe zugeordnet werden.`, - groupDescLocal: `Local Gruppen verhalten sich fast identisch zu Generic Gruppen, mit dem Unterschied, dass sie + groupDescLocal: `Local Gruppen verhalten sich fast identisch zu Generic Gruppen, mit dem Unterschied, dass sie zwar eine ID in der Rauthy Datenbank haben, der NSS Proxy auf dem jeweiligen Host sie aber mit einer ID aus /etc/group verknüpft. Auf diese Weise können Rauthy Benutzer bereits lokal existierenden Gruppen zugeordnet werden.`, - groupDescUser: `Benutzer-Gruppen sind automatisch verwaltet und eng an den Benutzer mit demselben Namen + groupDescUser: `Benutzer-Gruppen sind automatisch verwaltet und eng an den Benutzer mit demselben Namen gekoppelt.`, - groupDescWheel: `Diese Gruppe ist speziell. Sie ist unveränderlich und wird Benutzern dynamisch zugewiesen in + groupDescWheel: `Diese Gruppe ist speziell. Sie ist unveränderlich und wird Benutzern dynamisch zugewiesen in Abhängigkeit von der Gruppenzugehörigkeit.`, - groupName: "Gruppenname", - groups: "Gruppen", - groupType: "Gruppen-Typ", - hostAliases: "Host Aliase", - hostLocalPwdOnly: "Lokaler Passwort Login", - hostLocalPwdOnlyInfo: `Wenn Lokaler Passwort Login gesetzt ist, überschreibt dies ein MFA Erzwingen für lokale + groupName: 'Gruppenname', + groups: 'Gruppen', + groupType: 'Gruppen-Typ', + hostAliases: 'Host Aliase', + hostLocalPwdOnly: 'Lokaler Passwort Login', + hostLocalPwdOnlyInfo: `Wenn Lokaler Passwort Login gesetzt ist, überschreibt dies ein MFA Erzwingen für lokale Logins. Ebenso wird (lokal) niemals ein Passkey verlangt, auch wenn der Nutzer MFA abgesichert ist. Diese Option sollte nur gesetzt werden, wenn absolut notwendig, wie z.B. wenn MFA-gesicherte Nutzer lokale Logins machen sollen, aber keine Hardware Passkeys verwenden.`, - ipAddresses: "IP Adressen", - member: "Mitglied", - nameExistsAlready: "Name is bereits vergeben", - notes: "Notizen", - secretShow: "Secret Anzeigen", - secretRotate: "Secret Rotieren", - userEmail: "Verlinkte Benutzer E-Mail", - username: "Benutzername", - usernameNewDesc: `Der Benutzername sollte sorgfältig gewählt werden. Er lässt sich aus sicherheitstechnischen - Gründen nachträglich nicht einfach ändern.`, - }, - passwordPolicy: { - configDesc: "Regeln für neue Passwörter.", - resetSet0: "Der Wert 0 deaktiviert die Bedingung.", - validForDays: "Gültigkeit Tage", - validityNew: "Gültigkeit für neue Passwörter.", - }, - providers: { - config: { - allowInsecureTls: "Erlaube unsicheres TLS", - autoLink: "Auto-Link Benutzer", - autoLinkDesc1: `Wenn Auto-Link Benutzer aktiviert ist, wird beim Login über diesen Provider automatisch + ipAddresses: 'IP Adressen', + member: 'Mitglied', + nameExistsAlready: 'Name is bereits vergeben', + notes: 'Notizen', + secretShow: 'Secret Anzeigen', + secretRotate: 'Secret Rotieren', + userEmail: 'Verlinkte Benutzer E-Mail', + username: 'Benutzername', + usernameNewDesc: `Der Benutzername sollte sorgfältig gewählt werden. Er lässt sich aus sicherheitstechnischen + Gründen nachträglich nicht einfach ändern.` + }, + passwordPolicy: { + configDesc: 'Regeln für neue Passwörter.', + resetSet0: 'Der Wert 0 deaktiviert die Bedingung.', + validForDays: 'Gültigkeit Tage', + validityNew: 'Gültigkeit für neue Passwörter.' + }, + providers: { + config: { + allowInsecureTls: 'Erlaube unsicheres TLS', + autoLink: 'Auto-Link Benutzer', + autoLinkDesc1: `Wenn Auto-Link Benutzer aktiviert ist, wird beim Login über diesen Provider automatisch ein eventuell existierender, nicht-verlinkter Benutzer mit diesem Provider verbunden.`, - autoLinkDesc2: `ACHTUNG: Diese Option kann sehr gefährlich sein und zur Account-Übernahme führen, wenn der + autoLinkDesc2: `ACHTUNG: Diese Option kann sehr gefährlich sein und zur Account-Übernahme führen, wenn der Provider keine vollständige E-Mail Überprüfung durchführt und es möglich macht eine fremde Adresse für einen Benutzer einzutragen! Darf in einem solchen Fall NIEMALS verwendet werden!`, - clientName: "Client Name", - custRootCa: "Eigenes Root CA PEM", - descAuthMethod: `Die Authentication Method, welche für den /token Endpunkt genutzt werden soll. + clientName: 'Client Name', + custRootCa: 'Eigenes Root CA PEM', + descAuthMethod: `Die Authentication Method, welche für den /token Endpunkt genutzt werden soll. Die meisten Provider sollten mit basic funktionieren, manche jedoch nur mit post. In seltenen Fällen müssen beide Optionen aktiviert werden, auch wenn es gegen das RFC verstößt.`, - descClientId: "Client ID, vom Auth Provider vorgegeben.", - descClientName: "Client Name der auf der Rauthy Login Form angezeigt werden soll.", - descClientSecret: `Client Secret, vom Auth Provider vorgegeben. + descClientId: 'Client ID, vom Auth Provider vorgegeben.', + descClientName: 'Client Name der auf der Rauthy Login Form angezeigt werden soll.', + descClientSecret: `Client Secret, vom Auth Provider vorgegeben. Es muss mindestens ein Secret gegeben, oder PKCE aktiviert sein.`, - descScope: `Der scope der beim Redirect zum Login genutzt werden soll. Werte müssen durch Leerzeichen + descScope: `Der scope der beim Redirect zum Login genutzt werden soll. Werte müssen durch Leerzeichen getrennt angegeben werden`, - errNoAuthMethod: "Ein client secret existiert, jedoch ist keine auth Methode aktiv", - errConfidential: "Es muss mindestens entweder ein client secret existieren oder PKCE aktiv sein.", - jsonPath: { - p1: "Werte aus dem ID Token nach einem erfolgreichen Upstream Login können automatisch gemapped werden.", - p2: `Der Pfad muss in korrekter Regex Syntax angegeben werden. Er kann auf einzelne JSON + errNoAuthMethod: 'Ein client secret existiert, jedoch ist keine auth Methode aktiv', + errConfidential: + 'Es muss mindestens entweder ein client secret existieren oder PKCE aktiv sein.', + jsonPath: { + p1: 'Werte aus dem ID Token nach einem erfolgreichen Upstream Login können automatisch gemapped werden.', + p2: `Der Pfad muss in korrekter Regex Syntax angegeben werden. Er kann auf einzelne JSON Werte verweise, oder komplexe Sturkturen wie Arrays oder Objects`, - p3: "$. markiert den Beginn eines JSON Objects", - p4: "* kann als Wildcard innerhalb des Pfads genutzt werden", - p5: "$.roles hätte als Ziel den Wert {\"roles\": \"value\"}", - p6: `$.roles.* kann auf einen Wert innerhalb eines Arrays oder Objects wie z.B.
- {"roles": ["value", "notMyValue"]} verweisen`, - }, - lookup: "Prüfen", - pathAdminClaim: "Admin Claim Pfad", - pathMfaClaim: "MFA Claim Pfad", - rootPemCert: "Root PEM Zertifikat", - mapMfa: `Sollte der Auth Provider in ID Claim bereit stellen, welches anzeigt, ob eine Art 2FA oder MFA + p3: '$. markiert den Beginn eines JSON Objects', + p4: '* kann als Wildcard innerhalb des Pfads genutzt werden', + p5: '$.roles hätte als Ziel den Wert {"roles": "value"}', + p6: `$.roles.* kann auf einen Wert innerhalb eines Arrays oder Objects wie z.B.
+ {"roles": ["value", "notMyValue"]} verweisen` + }, + lookup: 'Prüfen', + pathAdminClaim: 'Admin Claim Pfad', + pathMfaClaim: 'MFA Claim Pfad', + rootPemCert: 'Root PEM Zertifikat', + mapMfa: `Sollte der Auth Provider in ID Claim bereit stellen, welches anzeigt, ob eine Art 2FA oder MFA beim Login verwandt wurde, so kann Rauthy diesen Werten extrahieren und entsprechend weitergeben.`, - mapUser: `Es kann beim Login automatisch ein Nutzer mit der Rauthy Admin Rolle verlinkt werden, in + mapUser: `Es kann beim Login automatisch ein Nutzer mit der Rauthy Admin Rolle verlinkt werden, in Abhängigkeit von einem existierenden Upstream ID Claim.`, - valueAdminClaim: "Admin Claim Wert", - valueMfaClaim: "MFA Claim Wert", - }, - delete: { - areYouSure: "Sicher, dass dieser Provider gelöscht werden soll?", - forceDelete: "Löschen Erzwingen", - isInUse1: "Dieser Provider wird von aktiven Nutzern verwendet!", - isInUse2: `Das Löschen kann erzwungen werden. Nutzer ohne lokales Passwort oder + valueAdminClaim: 'Admin Claim Wert', + valueMfaClaim: 'MFA Claim Wert' + }, + delete: { + areYouSure: 'Sicher, dass dieser Provider gelöscht werden soll?', + forceDelete: 'Löschen Erzwingen', + isInUse1: 'Dieser Provider wird von aktiven Nutzern verwendet!', + isInUse2: `Das Löschen kann erzwungen werden. Nutzer ohne lokales Passwort oder Passkey werden jedoch nicht mehr in der Lage sein, sich einzuloggen.`, - linkedUsers: "Verbundene Nutzer", - }, - }, - roles: { - adminNoMod: "Die rauthy_admin Rolle kann nicht verändert werden.", - delete1: "Soll diese Rolle wirklich gelöscht werden?", - name: "Rollenname", - }, - scopes: { - defaultNoMod: "Dies ist ein Default OIDC Scope. Diese sind unveränderbar.", - delete1: "Soll dieser Scope wirklich gelöscht werden?", - deleteDefault: "OIDC default scopes cannot be deleted", - mapping1: "Benutzer Attribute können auf eigene Scopes gemapped werden.", - mapping2: `Jedes existierende Attribut hat einen eigenständigen Wert pro User. Diese Attribute können + linkedUsers: 'Verbundene Nutzer' + } + }, + roles: { + adminNoMod: 'Die rauthy_admin Rolle kann nicht verändert werden.', + delete1: 'Soll diese Rolle wirklich gelöscht werden?', + name: 'Rollenname' + }, + scopes: { + defaultNoMod: 'Dies ist ein Default OIDC Scope. Diese sind unveränderbar.', + delete1: 'Soll dieser Scope wirklich gelöscht werden?', + deleteDefault: 'OIDC default scopes cannot be deleted', + mapping1: 'Benutzer Attribute können auf eigene Scopes gemapped werden.', + mapping2: `Jedes existierende Attribut hat einen eigenständigen Wert pro User. Diese Attribute können auf einen Scope gemapped werden und werden in diesem Fall im Access bzw. ID Token enthalten sein.`, - name: "Scope Name", - }, - sessions: { - invalidateAll: "Alle Sessions Invalidieren", - }, - search: { - orderBy: "Sortieren nach ...", - orderChangeToAsc: "Zu aufsteigender Sortierung wechseln", - orderChangeToDesc: "Zu absteigende Sortierung wechseln", - }, - tabs: { - config: "Konfiguration", - delete: "Löschen", - }, - users: { - antiLockout: { - rule: 'Anti-Lockout Regel', - delete: 'kann nicht gelöscht werden', - disable: 'kann nicht deaktiviert werden', - rauthyAdmin: 'rauthy_admin Rolle kann nicht entfernt werden', - }, - attributes: "Attribute", - deleteUser: "Soll dieser Benutzer wirklich gelöscht werden?", - descAttr: `Setze individuelle Benutzer Attribute. Alle Key / Value Paare + name: 'Scope Name' + }, + sessions: { + invalidateAll: 'Alle Sessions Invalidieren' + }, + search: { + orderBy: 'Sortieren nach ...', + orderChangeToAsc: 'Zu aufsteigender Sortierung wechseln', + orderChangeToDesc: 'Zu absteigende Sortierung wechseln' + }, + tabs: { + config: 'Konfiguration', + delete: 'Löschen' + }, + tos: { + addNewToS: 'Neue AGB hinzufügen', + checkStatus: 'Benutzer Status prüfen', + immutable: `ACHTUNG: Nach dem Hinzufügen sind AGB unveränderlich und können auch nicht wieder + gelöscht werden!`, + noneExist: 'Es wurden noch keine Allgemeinen Geschäftsbedingungen hinzugefügt.', + tos: 'AGB' + }, + users: { + antiLockout: { + rule: 'Anti-Lockout Regel', + delete: 'kann nicht gelöscht werden', + disable: 'kann nicht deaktiviert werden', + rauthyAdmin: 'rauthy_admin Rolle kann nicht entfernt werden' + }, + attributes: 'Attribute', + deleteUser: 'Soll dieser Benutzer wirklich gelöscht werden?', + descAttr: `Setze individuelle Benutzer Attribute. Alle Key / Value Paare werden als String / JSON Wert gehandhabt.`, - forceLogout: `Sollen sämtliche, für diesen Benutzer existierenden Sessions invalidiert und + forceLogout: `Sollen sämtliche, für diesen Benutzer existierenden Sessions invalidiert und Refresh Tokens gelöscht werden?`, - lastLogin: "Letzter Login", - manualInitDesc: `Der Benutzer kann jedoch ebenfalls hier initialisiert werden. In diesem Fall muss das + lastLogin: 'Letzter Login', + manualInitDesc: `Der Benutzer kann jedoch ebenfalls hier initialisiert werden. In diesem Fall muss das Passwort allerdings direkt kommuniziert werden.`, - manualInit: "Manuell Initialisieren", - mfaDelete1: "Die Passkeys dieses Nutzers können gelöscht werden.", - mfaDelete2: `Vorsicht! Das Löschen eines Keys kann nicht rückgängig gemacht werden, ohne + manualInit: 'Manuell Initialisieren', + mfaDelete1: 'Die Passkeys dieses Nutzers können gelöscht werden.', + mfaDelete2: `Vorsicht! Das Löschen eines Keys kann nicht rückgängig gemacht werden, ohne dass der Benutzer die Registrierung erneut durchführt.`, - noMfaKeys: "Dieser Benutzer hat keine registrierten Passkeys.", - pkOnly1: "Dies ist ein Passkey-Only Account.", - pkOnly2: "Das bedeutet, dass dieser Benutzer den passwortlosen Login nutzt und kein Passwort gesetzt hat.", - pkOnly3: `Sollte dieser Benutzer alle Passkeys verloren haben, kann der Account vollständig resettet und eine + noMfaKeys: 'Dieser Benutzer hat keine registrierten Passkeys.', + pkOnly1: 'Dies ist ein Passkey-Only Account.', + pkOnly2: + 'Das bedeutet, dass dieser Benutzer den passwortlosen Login nutzt und kein Passwort gesetzt hat.', + pkOnly3: `Sollte dieser Benutzer alle Passkeys verloren haben, kann der Account vollständig resettet und eine Password Reset E-Mail versendet werden. Um dies zu tun, müssen vorher unter dem Reiter 'MFA' sämtliche Passkeys gelöscht werden.`, - pwdNoInit: "Der Benutzer hat noch nicht den initialien Passwort Reset durchgeführt.", - pwdSendEmailBtn: "Reset E-Mail Senden", - pwdSendEmailDesc: "Es kann eine neue Reset E-Mail gesendet werden, sollte der Benutzer keine erhalten haben.", - savePassword: "Passwort Speichern", - selfServiceDesc: "Es kann entweder ein neues Passwort gesetzt, order eine Reset E-Mail versendet werden.", - sendResetEmail: "Reset E-Mail Senden", - }, - validation: { - css: "Gültiger CSS Wert", - origin: "Gültige Origin", - uri: "Gültige URI", - }, -}; \ No newline at end of file + pwdNoInit: 'Der Benutzer hat noch nicht den initialien Passwort Reset durchgeführt.', + pwdSendEmailBtn: 'Reset E-Mail Senden', + pwdSendEmailDesc: + 'Es kann eine neue Reset E-Mail gesendet werden, sollte der Benutzer keine erhalten haben.', + savePassword: 'Passwort Speichern', + selfServiceDesc: + 'Es kann entweder ein neues Passwort gesetzt, order eine Reset E-Mail versendet werden.', + sendResetEmail: 'Reset E-Mail Senden' + }, + validation: { + css: 'Gültiger CSS Wert', + origin: 'Gültige Origin', + uri: 'Gültige URI' + } +}; diff --git a/frontend/src/i18n/admin/en.ts b/frontend/src/i18n/admin/en.ts index cf7346cbb..a43b26b4b 100644 --- a/frontend/src/i18n/admin/en.ts +++ b/frontend/src/i18n/admin/en.ts @@ -1,424 +1,434 @@ -import type {I18nAdmin} from "./interface.ts"; +import type { I18nAdmin } from './interface.ts'; export let I18nAdminEn: I18nAdmin = { - api_key: { - delete1: "Are you sure, that you want to delete this API Key?", - expires: "Expiry", - generate1: "Here you can generate a new secret for this API Key.", - generate2: `You will only see this secret once after the generation. + api_key: { + delete1: 'Are you sure, that you want to delete this API Key?', + expires: 'Expiry', + generate1: 'Here you can generate a new secret for this API Key.', + generate2: `You will only see this secret once after the generation. When a new one has been generated, the old secret will be overridden permanently. This operation cannot be reverted!`, - generate3: `An API Key must be provided in the HTTP Authorization + generate3: `An API Key must be provided in the HTTP Authorization header in the following format:`, - generate4: "You can use the following curl request to test your new Key:", - generate5: "If you don't have jq installed and the above fails:", - keyName: "Key Name", - limitedValidity: "Limited Validity", - }, - attrs: { - delete1: "Are you sure you want to delete this attribute?", - defaultValue: "Default Value", - desc: "Description", - makeEditable: "Make Editable", - makeEditableP1: "You can convert this attribute and make it editable by users themselves.", - makeEditableP2: `CAUTION: This can never be changed back! All inputs from a user directly are always + generate4: 'You can use the following curl request to test your new Key:', + generate5: "If you don't have jq installed and the above fails:", + keyName: 'Key Name', + limitedValidity: 'Limited Validity' + }, + attrs: { + delete1: 'Are you sure you want to delete this attribute?', + defaultValue: 'Default Value', + desc: 'Description', + makeEditable: 'Make Editable', + makeEditableP1: 'You can convert this attribute and make it editable by users themselves.', + makeEditableP2: `CAUTION: This can never be changed back! All inputs from a user directly are always untrusted data and MUST NEVER be used for any form of authentication or authorization!`, - makeEditableP3: `An attribute cannot be changed from editable to non-editable, because it allowed untrusted + makeEditableP3: `An attribute cannot be changed from editable to non-editable, because it allowed untrusted inputs in the past, no matter for how long this was the case.`, - name: "Attribute Name", - userEditable: "User Editable", - }, - backup: { - createBackup: "Create Backup", - disabledDesc: "This functionality only exists, if Hiqlite is configured as the database.", - lastModified: "Last Modified", - local: "Local", - name: "Name", - size: "Size", - }, - clients: { - backchannelLogout: "If this client supports {{ OIDC_BCL }}, you can provide the URI here.", - branding: { - descHsl: `The following values must be given as HSL values. You only provide the base colors. + name: 'Attribute Name', + userEditable: 'User Editable' + }, + backup: { + createBackup: 'Create Backup', + disabledDesc: 'This functionality only exists, if Hiqlite is configured as the database.', + lastModified: 'Last Modified', + local: 'Local', + name: 'Name', + size: 'Size' + }, + clients: { + backchannelLogout: 'If this client supports {{ OIDC_BCL }}, you can provide the URI here.', + branding: { + descHsl: `The following values must be given as HSL values. You only provide the base colors. Alpha channels and other values are manipulated dynamically by the theme.`, - descFullCss: `The following values must be fully valid CSS color values. + descFullCss: `The following values must be fully valid CSS color values. You can also use complex calculations or the above defined CSS variables.`, - descVariables: `Each following label is at the same time the name of the CSS variable. This means, - that you can reference these in the free inputs, e.g. with hsla(var(--action) / .7).`, - }, - confidential: "Confidential", - confidentialNoSecret: "This is a non-confidential client and therefore has not secret.", - config: "Client Configuration", - delete1: "Are you sure you want to delete this client?", - descAuthCode: `The validity for auth codes can be adjusted for increased security. Auth codes + descVariables: `Each following label is at the same time the name of the CSS variable. This means, + that you can reference these in the free inputs, e.g. with hsla(var(--action) / .7).` + }, + confidential: 'Confidential', + confidentialNoSecret: 'This is a non-confidential client and therefore has not secret.', + config: 'Client Configuration', + delete1: 'Are you sure you want to delete this client?', + descAuthCode: `The validity for auth codes can be adjusted for increased security. Auth codes can be used only once and are valid for 60 seconds by default. The shorter the validity, the better, as long as the client can perform the login procedure fast enough.`, - descClientUri: `Information about this clients URI and contacts to be shown on + descClientUri: `Information about this clients URI and contacts to be shown on the login page.`, - descName: `The client name can be changed without any impact on the client configuration. + descName: `The client name can be changed without any impact on the client configuration. It only exists to be shown on the login page.`, - descGroupPrefix: `The login to this client may be restricted by an optional group prefix. + descGroupPrefix: `The login to this client may be restricted by an optional group prefix. Only users, that are assigned to a matching group, will be allowed to log in.`, - descOrigin: `External, additionally allowed origins - usually only necessary, if this client + descOrigin: `External, additionally allowed origins - usually only necessary, if this client needs to make requests to Rauthy directly from the browser, typically SPAs.`, - descPKCE: `If the client supports it, you should always activate S256 PKCE for additional + descPKCE: `If the client supports it, you should always activate S256 PKCE for additional security. If a non-confidential client (e.g. a SPA) is being used, you must at least activate one of the PKCE challenges to have enough security.`, - descPKCEEnforce: `If any PKCE is activated, Rauthy will enforce the usage during Logins, and + descPKCEEnforce: `If any PKCE is activated, Rauthy will enforce the usage during Logins, and rejects login request that do not contain a valida challenge.`, - descUri: `You can provide as many redirect URIs as you like. At the end of each, you can use + descUri: `You can provide as many redirect URIs as you like. At the end of each, you can use * as a Wildcard.`, - errConfidentialPKCE: `The client must either be confidential or have at least one PKCE + errConfidentialPKCE: `The client must either be confidential or have at least one PKCE challenge activated.`, - forceMfa: "Force MFA", - groupLoginPrefix: "Login Group Prefix", - name: "Client Name", - scim: { - baseUri: `The SCIM base URI is the one from which the sub routes like + forceMfa: 'Force MFA', + groupLoginPrefix: 'Login Group Prefix', + name: 'Client Name', + scim: { + baseUri: `The SCIM base URI is the one from which the sub routes like {base_uri}/Users/{id} can be derived correctly.`, - desc: "If this client supports {{ SCIM_LINK }}, you can activate it here.", - enable: "Enable SCIMv2", - groupSync: "Synchronize Groups", - groupSyncPrefix: "Groups Filter Prefix", - groupSyncPrefixDesc: `You can filter the groups for the synchronization by an optional prefix. + desc: 'If this client supports {{ SCIM_LINK }}, you can activate it here.', + enable: 'Enable SCIMv2', + groupSync: 'Synchronize Groups', + groupSyncPrefix: 'Groups Filter Prefix', + groupSyncPrefixDesc: `You can filter the groups for the synchronization by an optional prefix. For instance, if the groups app:admins and app:users exist, the prefix app: would only sync these groups, as well as only those users that are linked to at least one of these groups.`, - reqDesc: "A few things are required for compatibility:", - reqLi1: "The client must handle externalId correctly.", - reqLi2: `At least /Users endpoints with filter=externalId eq "*" and + reqDesc: 'A few things are required for compatibility:', + reqLi1: 'The client must handle externalId correctly.', + reqLi2: `At least /Users endpoints with filter=externalId eq "*" and filter=userName eq "*" must be supported.`, - reqLi3: `If groups should be synchronized, /Groups must also support - filter=displayName eq "*".`, - }, - scopes: { - allowed: "Allowed Scopes", - default: "Default Scopes", - desc: `Allowed Scopes are the ones the client is allowed to request dynamically during + reqLi3: `If groups should be synchronized, /Groups must also support + filter=displayName eq "*".` + }, + scopes: { + allowed: 'Allowed Scopes', + default: 'Default Scopes', + desc: `Allowed Scopes are the ones the client is allowed to request dynamically during a redirect to the login when using the authorization_code flow. The default scopes will always be added to the tokens to solve some issues when using the - password for instance.`, - }, - secret: { - doCache: "Cache Client Secret", - cacheDuration: "Cache Duration (hours)", - generate: "Generate New Secret", - rotateDesc1: `To make graceful updates and secret rotations possible, you have the ability to keep the + password for instance.` + }, + secret: { + doCache: 'Cache Client Secret', + cacheDuration: 'Cache Duration (hours)', + generate: 'Generate New Secret', + rotateDesc1: `To make graceful updates and secret rotations possible, you have the ability to keep the current secret in an in-memory cache for some time. You can enter a value between 1 and 24 hours.`, - rotateDesc2: "Caution: You should not cache the current secret if you had a leak!", - }, - tokenLifetime: { - p1: `The token lifetime applies to Access and ID tokens and is given in seconds.`, - p2: `If the client supports EdDSA / ed25519 algorithms, it should always be the preferred + rotateDesc2: 'Caution: You should not cache the current secret if you had a leak!' + }, + tokenLifetime: { + p1: `The token lifetime applies to Access and ID tokens and is given in seconds.`, + p2: `If the client supports EdDSA / ed25519 algorithms, it should always be the preferred choice. RSA algorithms exist for compatibility only.`, - p3: `The algorithm for refresh tokens cannot be changed, since these are used by Rauthy only.`, - }, - }, - common: { - account: "Account", - addNew: "Add New", - back: "Back", - caution: "CAUTION", - contact: "Contact", - copiedToClip: "Value has been copied to clipboard", - details: "Details", - edit: "Edit", - enabled: "Enabled", - filter: "Filter", - from: "From", - information: "Information", - language: "Language", - loading: "Loading", - name: "Name", - nameExistsAlready: "Name exists already", - note: "Note", - noEntries: "No Entries", - reset: "Reset", - searchOptions: "Search Options", - until: "Until", - }, - docs: { - book: "For general documentation about Rauthy itself, you should take a look at the", - encryption: "Encryption", - encKeys: { - header: "Encryption Keys", - keyActive: "Active Key", - keysAvailable: "Available Keys", - migrate: "Migrate", - migrateToKey: 'Migrate all existing encrypted values to the following key', - p1: `These Keys are used for an additional encryption at rest, independently from any data store technology + p3: `The algorithm for refresh tokens cannot be changed, since these are used by Rauthy only.` + } + }, + common: { + account: 'Account', + addNew: 'Add New', + back: 'Back', + caution: 'CAUTION', + contact: 'Contact', + copiedToClip: 'Value has been copied to clipboard', + details: 'Details', + edit: 'Edit', + enabled: 'Enabled', + filter: 'Filter', + from: 'From', + information: 'Information', + language: 'Language', + loading: 'Loading', + name: 'Name', + nameExistsAlready: 'Name exists already', + note: 'Note', + noEntries: 'No Entries', + reset: 'Reset', + searchOptions: 'Search Options', + until: 'Until' + }, + docs: { + book: 'For general documentation about Rauthy itself, you should take a look at the', + encryption: 'Encryption', + encKeys: { + header: 'Encryption Keys', + keyActive: 'Active Key', + keysAvailable: 'Available Keys', + migrate: 'Migrate', + migrateToKey: 'Migrate all existing encrypted values to the following key', + p1: `These Keys are used for an additional encryption at rest, independently from any data store technology used under the hood. They are configured statically, but can be rotated and migrated on this page manually.`, - p2: `The active key is statically set in the Rauthy config file / environment variables. It cannot be changed + p2: `The active key is statically set in the Rauthy config file / environment variables. It cannot be changed here dynamically. All new JWK encryption's will always use the currently active key.`, - p3: `If you migrate all existing secrets, it might take a few seconds to finish, if you have a big + p3: `If you migrate all existing secrets, it might take a few seconds to finish, if you have a big dataset.`, - pNotPossible: 'To be able to migrate, at least 2 encryption keys need to be available.', - }, - hashing: { - calculate: "Calculate", + pNotPossible: 'To be able to migrate, at least 2 encryption keys need to be available.' + }, + hashing: { + calculate: 'Calculate', - currValuesHead: 'Current values', - currValues1: 'The current values from the backend are the following:', - currValuesNote: `Note: The Login Time from the backend does only provide a good guideline after at least 5 + currValuesHead: 'Current values', + currValues1: 'The current values from the backend are the following:', + currValuesNote: `Note: The Login Time from the backend does only provide a good guideline after at least 5 successful logins, after Rauthy has been started. The base value is always 2000 ms after a fresh restart and will adjust over time with each successful login.`, - currValuesThreadsAccess: 'Threads (p_cost) Rauthy has access to', + currValuesThreadsAccess: 'Threads (p_cost) Rauthy has access to', - loginTimeHead: 'A word about Login Time', - loginTime1: `Generally, users want everything as fast as possible. When doing a safe login though, a time + loginTimeHead: 'A word about Login Time', + loginTime1: `Generally, users want everything as fast as possible. When doing a safe login though, a time between 500 - 1000 ms should not be a problem. The login time must not be too short, since it would lower the strength of the hash, of course.`, - loginTime2: `To provide as much safety by default as possible, this utility does not allow you to go below + loginTime2: `To provide as much safety by default as possible, this utility does not allow you to go below 500 ms for the login time.`, - mCost1: `The m_cost defines the amount of memory (in kB), which is used for the hashing. + mCost1: `The m_cost defines the amount of memory (in kB), which is used for the hashing. The higher the value, the better, of course. But you need to keep in mind the servers resources.
When you hash 4 passwords at the same time, for instance, the backend needs 4 x m_cost during the hashing. These resources must be available.`, - mCost2: `Tuning m_cost is pretty easy. Define the max amount of memory that Rauthy should use, + mCost2: `Tuning m_cost is pretty easy. Define the max amount of memory that Rauthy should use, divide it by the number of max allowed parallel logins (MAX_HASH_THREADS) and subtract a small static amount of memory. How much static memory should be taken into account depends on the used database and the total amount of users, but will typically be in the range of 32 - 96 MB.`, - mCost3: 'The minimal allowed m_cost is 32768.', + mCost3: 'The minimal allowed m_cost is 32768.', - pCost1: `The p_cost defines the amount of parallelism for hashing. This value most often + pCost1: `The p_cost defines the amount of parallelism for hashing. This value most often tops out at ~8, which is the default for Rauthy.`, - pCost2: `The general rule is:
+ pCost2: `The general rule is:
Set the p_cost to twice the size of cores your have available.
For instance, if you have 4 cores available, set the p_cost to 8.
However, this value must take the configured allowed parallel logins (MAX_HASH_THREADS) into account and be reduced accordingly.`, - tCost1: `The t_cost defines the amount of time for hashing. This value is actually the + tCost1: `The t_cost defines the amount of time for hashing. This value is actually the only value, that needs tuning, since m_cost and p_cost are basically given by the environment.`, - tCost2: `Tuning is easy: Set m_cost and p_cost accordingly and then increase + tCost2: `Tuning is easy: Set m_cost and p_cost accordingly and then increase t_cost as long as you have not reached your hashing-time-goal.`, - utilityHead: 'Parameter Calculation Utility', - utility1: `You can use this tool to approximate good values for your deployment. Keep in mind, that this + utilityHead: 'Parameter Calculation Utility', + utility1: `You can use this tool to approximate good values for your deployment. Keep in mind, that this should be executed with Rauthy in its final place with all final resources available. You should execute this utility during load to not over tune.`, - utility2: `m_cost is optional and the safe minimal value of 32768 would be chosen, + utility2: `m_cost is optional and the safe minimal value of 32768 would be chosen, if empty. p_cost is optional too and Rauthy will utilize all threads it can see, if empty.`, - time: "Time", - targetTime: "Target Time", - tune: 'Important: These values need to be tuned on the final architecture!', - pDetials: `If you want a detailed introduction to Argon2ID, many sources exist online. This guide just + time: 'Time', + targetTime: 'Target Time', + tune: 'Important: These values need to be tuned on the final architecture!', + pDetials: `If you want a detailed introduction to Argon2ID, many sources exist online. This guide just gives very short overview about the values. Three of them need to be configured:`, - pTune: `They change depending on the capabilities of the system. The more powerful the system, the more safe + pTune: `They change depending on the capabilities of the system. The more powerful the system, the more safe these values can be.`, - pUtility: `This utility helps you find the best Argon2ID settings for your platform. + pUtility: `This utility helps you find the best Argon2ID settings for your platform. Argon2ID is currently the safest available password hashing algorithm. To use it to its fullest potential, - it has to be tuned for each deployment.`, - }, - openapi: "If you want to integrate an external application and use Rauthy's API, take a look at the", - openapiNote: `Depending on the backend configuration, the Swagger UI may not be exposed publicly at this point. + it has to be tuned for each deployment.` + }, + openapi: + "If you want to integrate an external application and use Rauthy's API, take a look at the", + openapiNote: `Depending on the backend configuration, the Swagger UI may not be exposed publicly at this point. It is however by default available via the internal metrics HTTP server to not expose any information.`, - source: "The source code can be found here", - }, - error: { - needsAdminRole: `You are not assigned to the rauthy_admin role.
+ source: 'The source code can be found here' + }, + error: { + needsAdminRole: `You are not assigned to the rauthy_admin role.
You do not have access to the admin panel.`, - noAdmin: `A Rauthy admin account must have MFA enabled.
+ noAdmin: `A Rauthy admin account must have MFA enabled.
Please navigate to your account and activate MFA.
- Afterward, you need to do a logout and log back in.`, - }, - events: { - eventLevel: "Event Level", - eventType: "Event Type", - }, - groups: { - delete1: "Are you sure you want to delete this group?", - name: "Group Name", - }, - jwks: { - alg: "Algorithm", - p1: "These are the Json Web Keys (JWKs) used for token singing.", - p2: `The JWKs will be rotated by default every 1st of a month. For all newly created tokens, only the latest + Afterward, you need to do a logout and log back in.` + }, + events: { + eventLevel: 'Event Level', + eventType: 'Event Type' + }, + groups: { + delete1: 'Are you sure you want to delete this group?', + name: 'Group Name' + }, + jwks: { + alg: 'Algorithm', + p1: 'These are the Json Web Keys (JWKs) used for token singing.', + p2: `The JWKs will be rotated by default every 1st of a month. For all newly created tokens, only the latest available key for the given algorithm will be used for signing. Old keys will be kept for a while to make sure that currently valid tokens can still be validated properly. After a while, they will be cleaned up automatically.`, - p3: `Keys can also be rotated manually. Depending on the hardware this Rauthy instance is running on, it might + p3: `Keys can also be rotated manually. Depending on the hardware this Rauthy instance is running on, it might take a few seconds.`, - type: "Type", - rotateKeys: "Rotate Keys", - }, - nav: { - apiKeys: "API Keys", - attributes: "Attributes", - blacklist: "Blacklist", - clients: "Clients", - config: "Config", - docs: "Docs", - events: "Events", - groups: "Groups", - providers: "Providers", - roles: "Roles", - scopes: "Scopes", - sessions: "Sessions", - users: "Users", - }, - options: { - expires: "Expires", - lastSeen: "Last Seen", - state: "State", - }, - pam: { - addGroup: "New PAM Group", - addHost: "New PAM Host", - addUser: "New PAM User", - deleteHost: "Do you really want to delete this host?", - groupDescGeneric: `Generic groups are the counterpart to entries that are usually found in /etc/group. Users + type: 'Type', + rotateKeys: 'Rotate Keys' + }, + nav: { + apiKeys: 'API Keys', + attributes: 'Attributes', + blacklist: 'Blacklist', + clients: 'Clients', + config: 'Config', + docs: 'Docs', + events: 'Events', + groups: 'Groups', + providers: 'Providers', + roles: 'Roles', + scopes: 'Scopes', + sessions: 'Sessions', + users: 'Users' + }, + options: { + expires: 'Expires', + lastSeen: 'Last Seen', + state: 'State' + }, + pam: { + addGroup: 'New PAM Group', + addHost: 'New PAM Host', + addUser: 'New PAM User', + deleteHost: 'Do you really want to delete this host?', + groupDescGeneric: `Generic groups are the counterpart to entries that are usually found in /etc/group. Users can be assigned to these and they are returned to the system by NSS Lookups.`, - groupDescHost: `Host groups are used to group hosts. NSS lookups of a host within the group return all other + groupDescHost: `Host groups are used to group hosts. NSS lookups of a host within the group return all other hosts within it as a result. Users can access hosts by assigning them to a host group.`, - groupDescLocal: `Local groups behave almost identically to Generic groups, with the difference that they have + groupDescLocal: `Local groups behave almost identically to Generic groups, with the difference that they have an ID in the Rauthy database, but the NSS proxy on the respective host will convert it to an ID from /etc/group. In this way, Rauthy users can be assigned to groups that already exist locally.`, - groupDescUser: `User groups are managed automatically and tightly coupled with the user with the same + groupDescUser: `User groups are managed automatically and tightly coupled with the user with the same username.`, - groupDescWheel: `This group is special. It is immutable and is assigned to users dynamically depending on their + groupDescWheel: `This group is special. It is immutable and is assigned to users dynamically depending on their group configuration.`, - groupName: "Groupname", - groups: "Groups", - groupType: "Group Type", - hostAliases: "Host Aliases", - hostLocalPwdOnly: "Local Password Login", - hostLocalPwdOnlyInfo: `When Local Password Login is set, it overwrites Force MFA for local logins. At the same + groupName: 'Groupname', + groups: 'Groups', + groupType: 'Group Type', + hostAliases: 'Host Aliases', + hostLocalPwdOnly: 'Local Password Login', + hostLocalPwdOnlyInfo: `When Local Password Login is set, it overwrites Force MFA for local logins. At the same time, passkeys will never be requested (locally) during logins, even if a user is MFA-secured. This option should only be set if really necessary, for instance if MFA-secured users should be able to do local logins while not using hardware passkeys.`, - ipAddresses: "IP Addresses", - member: "Member", - nameExistsAlready: "Name is already taken", - notes: "Notes", - secretShow: "Show Secret", - secretRotate: "Rotate Secret", - userEmail: "Linked User E-Mail", - username: "Username", - usernameNewDesc: `The Username should be chosen carefully. Once created, it cannot be changed easily afterwards - for security reasons.`, - }, - passwordPolicy: { - configDesc: "Policy for new passwords.", - resetSet0: "The value 0 deactivates the requirement.", - validForDays: "Valid For Days", - validityNew: "Validity for new passwords.", - }, - providers: { - config: { - allowInsecureTls: "Allow insecure TLS", - autoLink: "Auto-Link User", - autoLinkDesc1: `If Auto-Link User is activated, the login via this provider will automatically link a + ipAddresses: 'IP Addresses', + member: 'Member', + nameExistsAlready: 'Name is already taken', + notes: 'Notes', + secretShow: 'Show Secret', + secretRotate: 'Rotate Secret', + userEmail: 'Linked User E-Mail', + username: 'Username', + usernameNewDesc: `The Username should be chosen carefully. Once created, it cannot be changed easily afterwards + for security reasons.` + }, + passwordPolicy: { + configDesc: 'Policy for new passwords.', + resetSet0: 'The value 0 deactivates the requirement.', + validForDays: 'Valid For Days', + validityNew: 'Validity for new passwords.' + }, + providers: { + config: { + allowInsecureTls: 'Allow insecure TLS', + autoLink: 'Auto-Link User', + autoLinkDesc1: `If Auto-Link User is activated, the login via this provider will automatically link a possibly existing, non-linked user to this provider.`, - autoLinkDesc2: `CAUTION: This option can be very dangerous and lead to account takeover if the provider + autoLinkDesc2: `CAUTION: This option can be very dangerous and lead to account takeover if the provider does not fully validate E-Mail addresses for users and therefore makes it possible to add a foreign address for a user! MUST NEVER be used in such a case!`, - clientName: "Client Name", - custRootCa: "Custom Root CA PEM", - descAuthMethod: `The authentication method to use on the /token endpoint.
+ clientName: 'Client Name', + custRootCa: 'Custom Root CA PEM', + descAuthMethod: `The authentication method to use on the /token endpoint.
Most providers should work with basic, some only with post. In rare situations, you need both, while it can lead to errors with others.`, - descClientId: "Client ID given by the auth provider.", - descClientName: "Client name that should be shown on the Rauthy login page.", - descClientSecret: `Client Secret given by the auth provider. + descClientId: 'Client ID given by the auth provider.', + descClientName: 'Client name that should be shown on the Rauthy login page.', + descClientSecret: `Client Secret given by the auth provider. At least a client secret or PKCE is required.`, - descScope: `The scope the client should use when redirecting to the login. + descScope: `The scope the client should use when redirecting to the login. Provide the values separated by space.`, - errNoAuthMethod: "You have given a client secret, but no client auth method is active", - errConfidential: "Must at least be a confidential client or use PKCE", - jsonPath: { - p1: "Values from the ID token after a successful upstream login can be mapped automatically.", - p2: `The path needs to be given in a regex like syntax. It can resolve to + errNoAuthMethod: 'You have given a client secret, but no client auth method is active', + errConfidential: 'Must at least be a confidential client or use PKCE', + jsonPath: { + p1: 'Values from the ID token after a successful upstream login can be mapped automatically.', + p2: `The path needs to be given in a regex like syntax. It can resolve to single JSON values or resolve to a value in a JSON object or array.`, - p3: "$. marks the start of the JSON object", - p4: "* can be used as a wildcard in your path", - p5: "$.roles would target {\"roles\": \"value\"}", - p6: `$.roles.* can target a value inside an object or array like
- {"roles": ["value", "notMyValue"]}`, - }, - lookup: "Lookup", - pathAdminClaim: "Admin Claim Path", - pathMfaClaim: "MFA Claim Path", - rootPemCert: "Root PEM Certificate", - mapMfa: `If your provider issues a claim indicating that the user has used at least 2FA during + p3: '$. marks the start of the JSON object', + p4: '* can be used as a wildcard in your path', + p5: '$.roles would target {"roles": "value"}', + p6: `$.roles.* can target a value inside an object or array like
+ {"roles": ["value", "notMyValue"]}` + }, + lookup: 'Lookup', + pathAdminClaim: 'Admin Claim Path', + pathMfaClaim: 'MFA Claim Path', + rootPemCert: 'Root PEM Certificate', + mapMfa: `If your provider issues a claim indicating that the user has used at least 2FA during login, you can specify the mfa claim path.`, - mapUser: `You can map a user to be a Rauthy admin depending on an upstream ID claim.`, - valueAdminClaim: "Admin Claim Value", - valueMfaClaim: "MFA Claim Value", - }, - delete: { - areYouSure: "Are you sure you want to delete this provider?", - forceDelete: "Force Delete", - isInUse1: "This provider is in use by active users!", - isInUse2: `You can force delete it, but users without a local password or passkey + mapUser: `You can map a user to be a Rauthy admin depending on an upstream ID claim.`, + valueAdminClaim: 'Admin Claim Value', + valueMfaClaim: 'MFA Claim Value' + }, + delete: { + areYouSure: 'Are you sure you want to delete this provider?', + forceDelete: 'Force Delete', + isInUse1: 'This provider is in use by active users!', + isInUse2: `You can force delete it, but users without a local password or passkey will not be able to log in anymore.`, - linkedUsers: "Linked Users", - }, - }, - roles: { - adminNoMod: "The rauthy_admin role is immutable.", - delete1: "Are you sure you want to delete this role?", - name: "Role Name", - }, - scopes: { - defaultNoMod: "This is a default OIDC Scope. These are immutable.", - delete1: "Are you sure you want to delete this scope?", - deleteDefault: "Default OIDC scopes cannot be deleted.", - mapping1: "You can map custom scopes to attributes.", - mapping2: `All additional attributes, that were configured, can have a custom value for each user. + linkedUsers: 'Linked Users' + } + }, + roles: { + adminNoMod: 'The rauthy_admin role is immutable.', + delete1: 'Are you sure you want to delete this role?', + name: 'Role Name' + }, + scopes: { + defaultNoMod: 'This is a default OIDC Scope. These are immutable.', + delete1: 'Are you sure you want to delete this scope?', + deleteDefault: 'Default OIDC scopes cannot be deleted.', + mapping1: 'You can map custom scopes to attributes.', + mapping2: `All additional attributes, that were configured, can have a custom value for each user. When they are mapped to a scope, they can be included in the Access and / or ID Tokens.`, - name: "Scope Name", - }, - search: { - orderBy: "Order by ...", - orderChangeToAsc: "Change sort to ascending", - orderChangeToDesc: "Change sort to descending", - }, - sessions: { - invalidateAll: "Invalidate All Sessions", - }, - tabs: { - config: "Config", - delete: "Delete", - }, - users: { - antiLockout: { - rule: 'Anti-Lockout Rule', - delete: 'cannot be deleted', - disable: 'cannot be disabled', - rauthyAdmin: 'rauthy_admin rule cannot be removed', - }, - attributes: "Attributes", - deleteUser: "Are you sure you want to delete this user?", - descAttr: `Set custom user attributes. All key / value pairs will be handles as String / JSON Value.`, - forceLogout: `Are you sure you want to invalidate all existing sessions and delete all refresh tokens + name: 'Scope Name' + }, + search: { + orderBy: 'Order by ...', + orderChangeToAsc: 'Change sort to ascending', + orderChangeToDesc: 'Change sort to descending' + }, + sessions: { + invalidateAll: 'Invalidate All Sessions' + }, + tabs: { + config: 'Config', + delete: 'Delete' + }, + tos: { + addNewToS: 'Add new ToS', + checkStatus: 'Check user status', + immutable: `CAUTION: After adding new Terms of Service, they are immutable and cannot be + deleted!`, + noneExist: 'No Terms of Service have been added yet.', + tos: 'ToS' + }, + users: { + antiLockout: { + rule: 'Anti-Lockout Rule', + delete: 'cannot be deleted', + disable: 'cannot be disabled', + rauthyAdmin: 'rauthy_admin rule cannot be removed' + }, + attributes: 'Attributes', + deleteUser: 'Are you sure you want to delete this user?', + descAttr: `Set custom user attributes. All key / value pairs will be handles as String / JSON Value.`, + forceLogout: `Are you sure you want to invalidate all existing sessions and delete all refresh tokens for this user?`, - lastLogin: "Last Login", - manualInitDesc: `The user can also be initialized here, In this case though, you need to communicate the + lastLogin: 'Last Login', + manualInitDesc: `The user can also be initialized here, In this case though, you need to communicate the password directly.`, - manualInit: "Manual Initialization", - mfaDelete1: "You can delete Passkeys for this users.", - mfaDelete2: `Caution! The deletion of a Passkey cannot be reverted without the user + manualInit: 'Manual Initialization', + mfaDelete1: 'You can delete Passkeys for this users.', + mfaDelete2: `Caution! The deletion of a Passkey cannot be reverted without the user doing a fully new registration.`, - noMfaKeys: "This user has no registered Passkeys.", - pkOnly1: "This is a passkey-only account.", - pkOnly2: "This means that this user uses the passwordless login and has no password set at all.", - pkOnly3: `If this user has lost all Passkeys, the account can be fully reset and a new password reset E-Mail + noMfaKeys: 'This user has no registered Passkeys.', + pkOnly1: 'This is a passkey-only account.', + pkOnly2: + 'This means that this user uses the passwordless login and has no password set at all.', + pkOnly3: `If this user has lost all Passkeys, the account can be fully reset and a new password reset E-Mail can be sent. To achieve this, navigate to the 'MFA' tab an delete all existing passkeys.`, - pwdNoInit: "The user has not performed the initial password reset yet.", - pwdSendEmailBtn: "Send Reset E-Mail", - pwdSendEmailDesc: "You may send out a new reset E-Mail, if the user has not received one.", - savePassword: "Save Password", - selfServiceDesc: "You can either set a new password, or send out a reset E-Mail.", - sendResetEmail: "Send Reset E-Mail", - }, - validation: { - css: "Valid CSS Value", - origin: "Valid Origin", - uri: "Valid URI", - }, + pwdNoInit: 'The user has not performed the initial password reset yet.', + pwdSendEmailBtn: 'Send Reset E-Mail', + pwdSendEmailDesc: 'You may send out a new reset E-Mail, if the user has not received one.', + savePassword: 'Save Password', + selfServiceDesc: 'You can either set a new password, or send out a reset E-Mail.', + sendResetEmail: 'Send Reset E-Mail' + }, + validation: { + css: 'Valid CSS Value', + origin: 'Valid Origin', + uri: 'Valid URI' + } }; diff --git a/frontend/src/i18n/admin/interface.ts b/frontend/src/i18n/admin/interface.ts index 077a13e7a..18ced2444 100644 --- a/frontend/src/i18n/admin/interface.ts +++ b/frontend/src/i18n/admin/interface.ts @@ -4,360 +4,367 @@ * which does exist for the end user facing pages, the admin translation will fall back to EN. */ export interface I18nAdmin { - api_key: { - delete1: string, - expires: string, - generate1: string, - generate2: string, - // inserted as html - generate3: string, - // inserted as html - generate4: string, - // inserted as html - generate5: string, - keyName: string, - limitedValidity: string, - }, - attrs: { - delete1: string, - defaultValue: string, - desc: string, - makeEditable: string, - makeEditableP1: string, - // inserted as html - makeEditableP2: string, - makeEditableP3: string, - name: string, - userEditable: string, - }, - backup: { - createBackup: string, - disabledDesc: string, - lastModified: string, - local: string, - name: string, - size: string, - }, - clients: { - backchannelLogout: string, - branding: { - descHsl: string, - // inserted as html - descFullCss: string, - descVariables: string, - }, - confidential: string, - confidentialNoSecret: string, - config: string, - delete1: string, - descAuthCode: string, - descClientUri: string, - descGroupPrefix: string, - descName: string, - descOrigin: string, - descPKCE: string, - descPKCEEnforce: string, - // inserted as html - descUri: string, - errConfidentialPKCE: string, - forceMfa: string, - groupLoginPrefix: string, - name: string, - scim: { - // inserted as html - baseUri: string, - // inserted as html - desc: string, - enable: string, - groupSync: string, - groupSyncPrefix: string, - groupSyncPrefixDesc: string, - reqDesc: string - // inserted as html - reqLi1: string - // inserted as html - reqLi2: string - // inserted as html - reqLi3: string - }, - scopes: { - allowed: string, - default: string, - // inserted as html - desc: string, - }, - secret: { - doCache: string, - cacheDuration: string, - generate: string, - rotateDesc1: string, - rotateDesc2: string, - } - tokenLifetime: { - p1: string, - p2: string, - p3: string, - }, - } - common: { - account: string, - addNew: string, - back: string, - caution: string, - contact: string, - copiedToClip: string, - details: string, - edit: string, - enabled: string, - filter: string, - from: string, - information: string, - language: string, - loading: string, - name: string, - nameExistsAlready: string, - note: string, - noEntries: string, - reset: string, - searchOptions: string, - until: string, - } - docs: { - book: string, - encryption: string, - encKeys: { - header: string, - keyActive: string, - keysAvailable: string, - migrate: string, - migrateToKey: string, - p1: string, - p2: string, - p3: string, - pNotPossible: string, - }, - hashing: { - calculate: string, + api_key: { + delete1: string; + expires: string; + generate1: string; + generate2: string; + // inserted as html + generate3: string; + // inserted as html + generate4: string; + // inserted as html + generate5: string; + keyName: string; + limitedValidity: string; + }; + attrs: { + delete1: string; + defaultValue: string; + desc: string; + makeEditable: string; + makeEditableP1: string; + // inserted as html + makeEditableP2: string; + makeEditableP3: string; + name: string; + userEditable: string; + }; + backup: { + createBackup: string; + disabledDesc: string; + lastModified: string; + local: string; + name: string; + size: string; + }; + clients: { + backchannelLogout: string; + branding: { + descHsl: string; + // inserted as html + descFullCss: string; + descVariables: string; + }; + confidential: string; + confidentialNoSecret: string; + config: string; + delete1: string; + descAuthCode: string; + descClientUri: string; + descGroupPrefix: string; + descName: string; + descOrigin: string; + descPKCE: string; + descPKCEEnforce: string; + // inserted as html + descUri: string; + errConfidentialPKCE: string; + forceMfa: string; + groupLoginPrefix: string; + name: string; + scim: { + // inserted as html + baseUri: string; + // inserted as html + desc: string; + enable: string; + groupSync: string; + groupSyncPrefix: string; + groupSyncPrefixDesc: string; + reqDesc: string; + // inserted as html + reqLi1: string; + // inserted as html + reqLi2: string; + // inserted as html + reqLi3: string; + }; + scopes: { + allowed: string; + default: string; + // inserted as html + desc: string; + }; + secret: { + doCache: string; + cacheDuration: string; + generate: string; + rotateDesc1: string; + rotateDesc2: string; + }; + tokenLifetime: { + p1: string; + p2: string; + p3: string; + }; + }; + common: { + account: string; + addNew: string; + back: string; + caution: string; + contact: string; + copiedToClip: string; + details: string; + edit: string; + enabled: string; + filter: string; + from: string; + information: string; + language: string; + loading: string; + name: string; + nameExistsAlready: string; + note: string; + noEntries: string; + reset: string; + searchOptions: string; + until: string; + }; + docs: { + book: string; + encryption: string; + encKeys: { + header: string; + keyActive: string; + keysAvailable: string; + migrate: string; + migrateToKey: string; + p1: string; + p2: string; + p3: string; + pNotPossible: string; + }; + hashing: { + calculate: string; - currValuesHead: string, - currValues1: string, - currValuesNote: string, - currValuesThreadsAccess: string, + currValuesHead: string; + currValues1: string; + currValuesNote: string; + currValuesThreadsAccess: string; - loginTimeHead: string, - loginTime1: string, - loginTime2: string, + loginTimeHead: string; + loginTime1: string; + loginTime2: string; - // inserted as html - mCost1: string, - // inserted as html - mCost2: string, - // inserted as html - mCost3: string, + // inserted as html + mCost1: string; + // inserted as html + mCost2: string; + // inserted as html + mCost3: string; - // inserted as html - pCost1: string, - // inserted as html - pCost2: string, + // inserted as html + pCost1: string; + // inserted as html + pCost2: string; - // inserted as html - tCost1: string, - // inserted as html - tCost2: string, + // inserted as html + tCost1: string; + // inserted as html + tCost2: string; - utilityHead: string, - utility1: string, - // inserted as html - utility2: string, + utilityHead: string; + utility1: string; + // inserted as html + utility2: string; - time: string, - targetTime: string, - tune: string, - pDetials: string, - pTune: string, - pUtility: string, - }, - openapi: string, - openapiNote: string, - source: string, - } - error: { - // inserted as html - needsAdminRole: string, - // inserted as html - noAdmin: string, - }, - events: { - eventLevel: string, - eventType: string, - }, - groups: { - delete1: string, - name: string, - }, - jwks: { - alg: string, - p1: string, - p2: string, - p3: string, - type: string, - rotateKeys: string, - }, - nav: { - apiKeys: string, - attributes: string, - blacklist: string, - clients: string, - config: string, - docs: string, - events: string, - groups: string, - providers: string, - roles: string, - scopes: string, - sessions: string, - users: string, - } - options: { - expires: string, - lastSeen: string, - state: string, - }, - pam: { - addGroup: string, - addHost: string, - addUser: string, - deleteHost: string, - groupDescGeneric: string, - groupDescHost: string, - groupDescLocal: string, - groupDescUser: string, - groupDescWheel: string, - groupName: string, - groups: string, - groupType: string, - hostAliases: string, - hostLocalPwdOnly: string, - hostLocalPwdOnlyInfo: string, - ipAddresses: string, - member: string, - nameExistsAlready: string, - notes: string, - secretShow: string, - secretRotate: string, - userEmail: string, - username: string, - usernameNewDesc: string, - }, - passwordPolicy: { - configDesc: string, - resetSet0: string, - validForDays: string, - validityNew: string, - }, - providers: { - config: { - allowInsecureTls: string, - autoLink: string, - autoLinkDesc1: string, - autoLinkDesc2: string, - clientName: string, - custRootCa: string, - // inserted as html - descAuthMethod: string, - descClientId: string, - descClientName: string, - descClientSecret: string, - descScope: string, - errNoAuthMethod: string, - errConfidential: string, - jsonPath: { - p1: string, - // inserted as html - p2: string, - // inserted as html - p3: string, - // inserted as html - p4: string, - // inserted as html - p5: string, - // inserted as html - p6: string, - }, - lookup: string, - pathAdminClaim: string, - pathMfaClaim: string, - rootPemCert: string, - mapMfa: string, - mapUser: string, - valueAdminClaim: string, - valueMfaClaim: string, - }, - delete: { - areYouSure: string, - forceDelete: string, - isInUse1: string, - isInUse2: string, - linkedUsers: string, - } - } - roles: { - // inserted as html - adminNoMod: string, - delete1: string, - name: string, - }, - scopes: { - defaultNoMod: string, - delete1: string, - deleteDefault: string, - mapping1: string, - mapping2: string, - name: string, - }, - search: { - orderBy: string, - orderChangeToAsc: string, - orderChangeToDesc: string, - }, - sessions: { - invalidateAll: string, - }, - tabs: { - config: string, - delete: string, - }, - users: { - antiLockout: { - rule: string, - delete: string, - disable: string, - rauthyAdmin: string, - }, - attributes: string, - deleteUser: string, - descAttr: string, - forceLogout: string, - lastLogin: string, - manualInitDesc: string, - manualInit: string, - mfaDelete1: string, - // inserted as html - mfaDelete2: string, - noMfaKeys: string, - pkOnly1: string, - pkOnly2: string, - pkOnly3: string, - pwdNoInit: string, - pwdSendEmailBtn: string, - pwdSendEmailDesc: string, - savePassword: string, - selfServiceDesc: string, - sendResetEmail: string, - }, - validation: { - css: string, - origin: string, - uri: string, - } -} \ No newline at end of file + time: string; + targetTime: string; + tune: string; + pDetials: string; + pTune: string; + pUtility: string; + }; + openapi: string; + openapiNote: string; + source: string; + }; + error: { + // inserted as html + needsAdminRole: string; + // inserted as html + noAdmin: string; + }; + events: { + eventLevel: string; + eventType: string; + }; + groups: { + delete1: string; + name: string; + }; + jwks: { + alg: string; + p1: string; + p2: string; + p3: string; + type: string; + rotateKeys: string; + }; + nav: { + apiKeys: string; + attributes: string; + blacklist: string; + clients: string; + config: string; + docs: string; + events: string; + groups: string; + providers: string; + roles: string; + scopes: string; + sessions: string; + users: string; + }; + options: { + expires: string; + lastSeen: string; + state: string; + }; + pam: { + addGroup: string; + addHost: string; + addUser: string; + deleteHost: string; + groupDescGeneric: string; + groupDescHost: string; + groupDescLocal: string; + groupDescUser: string; + groupDescWheel: string; + groupName: string; + groups: string; + groupType: string; + hostAliases: string; + hostLocalPwdOnly: string; + hostLocalPwdOnlyInfo: string; + ipAddresses: string; + member: string; + nameExistsAlready: string; + notes: string; + secretShow: string; + secretRotate: string; + userEmail: string; + username: string; + usernameNewDesc: string; + }; + passwordPolicy: { + configDesc: string; + resetSet0: string; + validForDays: string; + validityNew: string; + }; + providers: { + config: { + allowInsecureTls: string; + autoLink: string; + autoLinkDesc1: string; + autoLinkDesc2: string; + clientName: string; + custRootCa: string; + // inserted as html + descAuthMethod: string; + descClientId: string; + descClientName: string; + descClientSecret: string; + descScope: string; + errNoAuthMethod: string; + errConfidential: string; + jsonPath: { + p1: string; + // inserted as html + p2: string; + // inserted as html + p3: string; + // inserted as html + p4: string; + // inserted as html + p5: string; + // inserted as html + p6: string; + }; + lookup: string; + pathAdminClaim: string; + pathMfaClaim: string; + rootPemCert: string; + mapMfa: string; + mapUser: string; + valueAdminClaim: string; + valueMfaClaim: string; + }; + delete: { + areYouSure: string; + forceDelete: string; + isInUse1: string; + isInUse2: string; + linkedUsers: string; + }; + }; + roles: { + // inserted as html + adminNoMod: string; + delete1: string; + name: string; + }; + scopes: { + defaultNoMod: string; + delete1: string; + deleteDefault: string; + mapping1: string; + mapping2: string; + name: string; + }; + search: { + orderBy: string; + orderChangeToAsc: string; + orderChangeToDesc: string; + }; + sessions: { + invalidateAll: string; + }; + tabs: { + config: string; + delete: string; + }; + tos: { + addNewToS: string; + checkStatus: string; + immutable: string; + noneExist: string; + tos: string; + }; + users: { + antiLockout: { + rule: string; + delete: string; + disable: string; + rauthyAdmin: string; + }; + attributes: string; + deleteUser: string; + descAttr: string; + forceLogout: string; + lastLogin: string; + manualInitDesc: string; + manualInit: string; + mfaDelete1: string; + // inserted as html + mfaDelete2: string; + noMfaKeys: string; + pkOnly1: string; + pkOnly2: string; + pkOnly3: string; + pwdNoInit: string; + pwdSendEmailBtn: string; + pwdSendEmailDesc: string; + savePassword: string; + selfServiceDesc: string; + sendResetEmail: string; + }; + validation: { + css: string; + origin: string; + uri: string; + }; +} diff --git a/frontend/src/i18n/admin/ko.ts b/frontend/src/i18n/admin/ko.ts index ec55de085..2506fa21f 100644 --- a/frontend/src/i18n/admin/ko.ts +++ b/frontend/src/i18n/admin/ko.ts @@ -1,413 +1,422 @@ -import type {I18nAdmin} from "./interface.ts"; +import type { I18nAdmin } from './interface.ts'; export let I18nAdminKo: I18nAdmin = { - api_key: { - delete1: "이 API 키를 삭제하시겠습니까?", - expires: "만료일", - generate1: "이 API 키에 대한 새 Secret을 생성할 수 있습니다.", - generate2: `이 Secret은 생성 이후 단 한 번만 볼 수 있습니다. 새 Secret이 생성되면 이전 Secret은 + api_key: { + delete1: '이 API 키를 삭제하시겠습니까?', + expires: '만료일', + generate1: '이 API 키에 대한 새 Secret을 생성할 수 있습니다.', + generate2: `이 Secret은 생성 이후 단 한 번만 볼 수 있습니다. 새 Secret이 생성되면 이전 Secret은 사용할 수 없으며, 이 작업은 되돌릴 수 없습니다!`, - generate3: `API 키는 HTTP Authorization 헤더에 다음과 같은 형식으로 제공해야 합니다.`, - generate4: "아래의 curl 요청으로 테스트할 수 있습니다.", - generate5: "jq 가 설치되어 있지 않거나 위의 코드가 실패한 경우는 아래 코드를 사용하세요.", - keyName: "API 키 이름", - limitedValidity: "만료일", - }, - attrs: { - delete1: "이 속성을 삭제하시겠습니까?", - defaultValue: "Default Value", - desc: "설명", - makeEditable: "Make Editable", - makeEditableP1: "You can convert this attribute and make it editable by users themselves.", - makeEditableP2: `CAUTION: This can never be changed back! All inputs from a user directly are always + generate3: `API 키는 HTTP Authorization 헤더에 다음과 같은 형식으로 제공해야 합니다.`, + generate4: '아래의 curl 요청으로 테스트할 수 있습니다.', + generate5: + 'jq 가 설치되어 있지 않거나 위의 코드가 실패한 경우는 아래 코드를 사용하세요.', + keyName: 'API 키 이름', + limitedValidity: '만료일' + }, + attrs: { + delete1: '이 속성을 삭제하시겠습니까?', + defaultValue: 'Default Value', + desc: '설명', + makeEditable: 'Make Editable', + makeEditableP1: 'You can convert this attribute and make it editable by users themselves.', + makeEditableP2: `CAUTION: This can never be changed back! All inputs from a user directly are always untrusted data and MUST NEVER be used for any form of authentication or authorization!`, - makeEditableP3: `An attribute cannot be changed from editable to non-editable, because it allowed untrusted + makeEditableP3: `An attribute cannot be changed from editable to non-editable, because it allowed untrusted inputs in the past, no matter for how long this was the case.`, - name: "속성 이름", - userEditable: "User Editable", - }, - backup: { - createBackup: "Create Backup", - disabledDesc: "This functionality only exists, if Hiqlite is configured as the database.", - lastModified: "Last Modified", - local: "Local", - name: "Name", - size: "Size", - }, - clients: { - backchannelLogout: "If this client supports {{ OIDC_BCL }}, you can provide the URI here.", - branding: { - descHsl: `HSL 값으로 입력해야 합니다. 기본 색상만 제공하면 알파 채널 및 기타 값은 + name: '속성 이름', + userEditable: 'User Editable' + }, + backup: { + createBackup: 'Create Backup', + disabledDesc: 'This functionality only exists, if Hiqlite is configured as the database.', + lastModified: 'Last Modified', + local: 'Local', + name: 'Name', + size: 'Size' + }, + clients: { + backchannelLogout: 'If this client supports {{ OIDC_BCL }}, you can provide the URI here.', + branding: { + descHsl: `HSL 값으로 입력해야 합니다. 기본 색상만 제공하면 알파 채널 및 기타 값은 테마에 의해 동적으로 설정됩니다.`, - descFullCss: `다음 값은 완전히 유효한 CSS 색상 값이어야 합니다. 복잡한 계산이나 위에 + descFullCss: `다음 값은 완전히 유효한 CSS 색상 값이어야 합니다. 복잡한 계산이나 위에 정의된 CSS 변수 를 사용할 수도 있습니다.`, - descVariables: `색상의 각 레이블들은 동시에 CSS 변수의 이름입니다. 즉, 입력 칸에서 이를 참조할 수 - 있습니다. (예: hsla(var(--action) / .7))`, - }, - confidential: "기밀", - confidentialNoSecret: "이 클라이언트는 기밀이 아닌 클라이언트이므로 Secret이 없습니다.", - config: "클라이언트 설정", - delete1: "이 클라이언트를 삭제하시겠습니까?", - descAuthCode: `보안을 강화하기 위해 인증 코드의 유효 기간을 조정할 수 있습니다. 인증 코드는 + descVariables: `색상의 각 레이블들은 동시에 CSS 변수의 이름입니다. 즉, 입력 칸에서 이를 참조할 수 + 있습니다. (예: hsla(var(--action) / .7))` + }, + confidential: '기밀', + confidentialNoSecret: '이 클라이언트는 기밀이 아닌 클라이언트이므로 Secret이 없습니다.', + config: '클라이언트 설정', + delete1: '이 클라이언트를 삭제하시겠습니까?', + descAuthCode: `보안을 강화하기 위해 인증 코드의 유효 기간을 조정할 수 있습니다. 인증 코드는 한 번만 사용할 수 있으며 기본적으로 60초 동안 유효합니다. 클라이언트가 로그인 절차를 충분히 빠르게 수행할 수 있다면 유효 기간이 짧을수록 좋습니다.`, - descClientUri: `로그인 페이지에 표시할 클라이언트 URI 및 연락처에 대한 정보입니다.`, - descName: `클라이언트 이름은 클라이언트 구성에 영향을 주지 않고 변경할 수 있으며, + descClientUri: `로그인 페이지에 표시할 클라이언트 URI 및 연락처에 대한 정보입니다.`, + descName: `클라이언트 이름은 클라이언트 구성에 영향을 주지 않고 변경할 수 있으며, 로그인 페이지에서만 표시됩니다.`, - descGroupPrefix: `The login to this client may be restricted by an optional group prefix. + descGroupPrefix: `The login to this client may be restricted by an optional group prefix. Only users, that are assigned to a matching group, will be allowed to log in.`, - descOrigin: `추가로 허용되는 외부 오리진을 설정합니다. 일반적으로 클라이언트가 브라우저에서 직접 + descOrigin: `추가로 허용되는 외부 오리진을 설정합니다. 일반적으로 클라이언트가 브라우저에서 직접 Rauthy에 요청해야 하는 경우(일반적으로 SPA)에만 필요합니다.`, - descPKCE: `클라이언트가 이를 지원하는 경우, 추가 보안을 위해 항상 S256 PKCE를 활성화해야 합니다. + descPKCE: `클라이언트가 이를 지원하는 경우, 추가 보안을 위해 항상 S256 PKCE를 활성화해야 합니다. 기밀이 아닌 클라이언트(예: SPA)를 사용하는 경우에는 충분한 보안을 위해 최소한 PKCE 챌린지 중 하나를 활성화해야 합니다.`, - descPKCEEnforce: `PKCE가 활성화된 경우, 반드시 사용되어야 합니다. 유효한 챌린지가 포함되지 + descPKCEEnforce: `PKCE가 활성화된 경우, 반드시 사용되어야 합니다. 유효한 챌린지가 포함되지 않은 로그인 요청은 거부됩니다.`, - descUri: `원하는 만큼 리디렉션 URI를 제공할 수 있습니다. 각각의 끝에 * 를 + descUri: `원하는 만큼 리디렉션 URI를 제공할 수 있습니다. 각각의 끝에 * 를 와일드카드로 사용할 수 있습니다.`, - errConfidentialPKCE: `클라이언트는 기밀 또는 PKCE 챌린지 중 하나 이상 활성화되어야 합니다.`, - forceMfa: "강제 MFA", - groupLoginPrefix: "Login Group Prefix", - name: "클라이언트 이름", - scim: { - baseUri: `The SCIM base URI is the one from which the sub routes like + errConfidentialPKCE: `클라이언트는 기밀 또는 PKCE 챌린지 중 하나 이상 활성화되어야 합니다.`, + forceMfa: '강제 MFA', + groupLoginPrefix: 'Login Group Prefix', + name: '클라이언트 이름', + scim: { + baseUri: `The SCIM base URI is the one from which the sub routes like {base_uri}/Users/{id} can be derived correctly.`, - desc: "If this client supports {{ SCIM_LINK }}, you can activate it here.", - enable: "Enable SCIMv2", - groupSync: "Synchronize Groups", - groupSyncPrefix: "Groups Filter Prefix", - groupSyncPrefixDesc: `You can filter the groups for the synchronization by an optional prefix. + desc: 'If this client supports {{ SCIM_LINK }}, you can activate it here.', + enable: 'Enable SCIMv2', + groupSync: 'Synchronize Groups', + groupSyncPrefix: 'Groups Filter Prefix', + groupSyncPrefixDesc: `You can filter the groups for the synchronization by an optional prefix. For instance, if the groups app:admins and app:users exist, the prefix app: would only sync these groups, as well as only those users that are linked to at least one of these groups.`, - reqDesc: "A few things are required for compatibility:", - reqLi1: "The client must handle externalId correctly.", - reqLi2: `At least /Users endpoints with filter=externalId eq "*" and + reqDesc: 'A few things are required for compatibility:', + reqLi1: 'The client must handle externalId correctly.', + reqLi2: `At least /Users endpoints with filter=externalId eq "*" and filter=userName eq "*" must be supported.`, - reqLi3: `If groups should be synchronized, /Groups must also support - filter=displayName eq "*".`, - }, - scopes: { - allowed: "허용된 범위", - default: "기본 범위", - desc: `허용된 범위는 authorization_code 플로우를 사용할 때 로그인 리디렉션 중에 + reqLi3: `If groups should be synchronized, /Groups must also support + filter=displayName eq "*".` + }, + scopes: { + allowed: '허용된 범위', + default: '기본 범위', + desc: `허용된 범위는 authorization_code 플로우를 사용할 때 로그인 리디렉션 중에 클라이언트가 동적으로 요청할 수 있는 범위입니다. 예를 들어 password 를 - 사용할 때, 일부 문제를 해결하기 위해 기본 범위가 항상 토큰에 추가됩니다.`, - }, - secret: { - doCache: "Cache Client Secret", - cacheDuration: "Cache Duration (hours)", - generate: "새 Secret 생성", - rotateDesc1: `To make graceful updates and secret rotations possible, you have the ability to keep the + 사용할 때, 일부 문제를 해결하기 위해 기본 범위가 항상 토큰에 추가됩니다.` + }, + secret: { + doCache: 'Cache Client Secret', + cacheDuration: 'Cache Duration (hours)', + generate: '새 Secret 생성', + rotateDesc1: `To make graceful updates and secret rotations possible, you have the ability to keep the current secret in an in-memory cache for some time. You can enter a value between 1 and 24 hours.`, - rotateDesc2: "Caution: You should not cache the current secret if you had a leak!", - }, - tokenLifetime: { - p1: `토큰 수명은 액세스 토큰과 ID 토큰에 적용되며, 초 단위입니다.`, - p2: `클라이언트가 EdDSA 또는 ed25519 알고리즘을 지원하면, 항상 선호되는 옵션이어야 합니다. + rotateDesc2: 'Caution: You should not cache the current secret if you had a leak!' + }, + tokenLifetime: { + p1: `토큰 수명은 액세스 토큰과 ID 토큰에 적용되며, 초 단위입니다.`, + p2: `클라이언트가 EdDSA 또는 ed25519 알고리즘을 지원하면, 항상 선호되는 옵션이어야 합니다. RSA 알고리즘은 호환성을 위해서만 존재합니다.`, - p3: `Refresh 토큰의 알고리즘은 Rauthy에서만 사용되므로, 변경할 수 없습니다.`, - }, - }, - common: { - account: "계정", - addNew: "생성", - back: "뒤로", - caution: "CAUTION", - contact: "연락처", - copiedToClip: "클립보드로 복사되었습니다.", - details: "자세히", - edit: "편집", - enabled: "활성화", - filter: "필터", - from: "부터", - information: "정보", - language: "언어", - loading: "로딩중...", - name: "이름", - nameExistsAlready: "이미 존재하는 이름입니다.", - note: "참고", - noEntries: "비어 있음", - reset: "초기화", - searchOptions: "검색 옵션", - until: "까지", - }, - docs: { - book: "Rauthy에 대한 문서:", - encryption: "암호화", - encKeys: { - header: "암호화 키", - keyActive: "활성화된 키", - keysAvailable: "가능한 키", - migrate: "마이그레이션", - migrateToKey: '기존의 모든 암호화된 값을 다음 키로 마이그레이션', - p1: `이 키는 내부에서 사용되는 데이터베이스와는 별개로, 세션, 쿠키 등 추가 암호화에 사용됩니다. + p3: `Refresh 토큰의 알고리즘은 Rauthy에서만 사용되므로, 변경할 수 없습니다.` + } + }, + common: { + account: '계정', + addNew: '생성', + back: '뒤로', + caution: 'CAUTION', + contact: '연락처', + copiedToClip: '클립보드로 복사되었습니다.', + details: '자세히', + edit: '편집', + enabled: '활성화', + filter: '필터', + from: '부터', + information: '정보', + language: '언어', + loading: '로딩중...', + name: '이름', + nameExistsAlready: '이미 존재하는 이름입니다.', + note: '참고', + noEntries: '비어 있음', + reset: '초기화', + searchOptions: '검색 옵션', + until: '까지' + }, + docs: { + book: 'Rauthy에 대한 문서:', + encryption: '암호화', + encKeys: { + header: '암호화 키', + keyActive: '활성화된 키', + keysAvailable: '가능한 키', + migrate: '마이그레이션', + migrateToKey: '기존의 모든 암호화된 값을 다음 키로 마이그레이션', + p1: `이 키는 내부에서 사용되는 데이터베이스와는 별개로, 세션, 쿠키 등 추가 암호화에 사용됩니다. 이 키는 정적으로 구성되지만 이 페이지에서 수동으로 변경 및 마이그레이션할 수 있습니다.`, - p2: `활성 키는 Rauthy 설정 파일 또는 환경 변수에 정적으로 설정됩니다. 여기에서 동적으로 생성할 수 + p2: `활성 키는 Rauthy 설정 파일 또는 환경 변수에 정적으로 설정됩니다. 여기에서 동적으로 생성할 수 없습니다. 모든 새 JWK 암호화는 항상 현재 활성 키를 사용합니다.`, - p3: `기존 Secret을 모두 마이그레이션하는 경우, 데이터 세트가 큰 경우에는 완료하는 데 수 초가 걸릴 수 + p3: `기존 Secret을 모두 마이그레이션하는 경우, 데이터 세트가 큰 경우에는 완료하는 데 수 초가 걸릴 수 있습니다.`, - pNotPossible: '마이그레이션하려면 최소 2개의 암호화 키를 사용할 수 있어야 합니다.', - }, - hashing: { - calculate: "계산", + pNotPossible: '마이그레이션하려면 최소 2개의 암호화 키를 사용할 수 있어야 합니다.' + }, + hashing: { + calculate: '계산', - currValuesHead: '현재 값', - currValues1: '백엔드의 현재 값은 다음과 같습니다.', - currValuesNote: `참고: 백엔드의 로그인 시간은 Rauthy가 시작된 후 최소 5회 이상 로그인에 성공한 후에만 + currValuesHead: '현재 값', + currValues1: '백엔드의 현재 값은 다음과 같습니다.', + currValuesNote: `참고: 백엔드의 로그인 시간은 Rauthy가 시작된 후 최소 5회 이상 로그인에 성공한 후에만 측정된 가이드라인을 제공합니다. 기본값은 항상 새로 다시 시작한 후 2000 ms이며, 로그인에 성공할 때마다 재계산됩니다.`, - currValuesThreadsAccess: '사용 가능한 스레드 개수 (p_cost)', + currValuesThreadsAccess: '사용 가능한 스레드 개수 (p_cost)', - loginTimeHead: '로그인 시간에 대한 견해', - loginTime1: `일반적으로 사용자는 모든 것이 가능한 한 빨리 처리되기를 원합니다. 하지만 안전한 로그인을 + loginTimeHead: '로그인 시간에 대한 견해', + loginTime1: `일반적으로 사용자는 모든 것이 가능한 한 빨리 처리되기를 원합니다. 하지만 안전한 로그인을 위해 500~1000 ms 정도는 문제가 되지 않습니다. 로그인 시간이 너무 짧으면 해시의 강도가 낮아질 수 있으므로 너무 짧아서는 안 됩니다.`, - loginTime2: `이 유틸리티는 최대한의 보안을 제공하기 위해 로그인 시간을 500ms 미만으로 설정할 수 + loginTime2: `이 유틸리티는 최대한의 보안을 제공하기 위해 로그인 시간을 500ms 미만으로 설정할 수 없습니다.`, - mCost1: `m_cost 는 해싱에 사용되는 메모리 (in kB) 양입니다. + mCost1: `m_cost 는 해싱에 사용되는 메모리 (in kB) 양입니다. 물론 값이 높을수록 좋지만, 시스템의 메모리를 고려하여야 합니다.
예를 들어 4개의 비밀번호를 동시에 해시하는 경우, 해시하는 동안 4 x m_cost 가 필요합니다. 이러한 리소스를 사용할 수 있어야 합니다.`, - mCost2: `m_cost 를 조정하는 것은 매우 쉽습니다. Rauthy가 사용해야 하는 최대 메모리 양을 + mCost2: `m_cost 를 조정하는 것은 매우 쉽습니다. Rauthy가 사용해야 하는 최대 메모리 양을 정의하고, 이를 최대 허용 병렬 로그인 수(MAX_HASH_THREADS)로 나눈 다음 소량의 정적 메모리를 빼면 됩니다. 얼마나 많은 정적 메모리를 고려해야 하는지는 사용되는 데이터베이스와 총 사용자 수에 따라 다르지만 일반적으로 32~96MB 범위가 적당합니다.`, - mCost3: '허용되는 m_cost 의 최소값은 32768 입니다.', - pCost1: `p_cost 는 해싱을 위한 병렬 처리 수를 정의합니다. 이 값은 대부분 Rauthy의 + mCost3: '허용되는 m_cost 의 최소값은 32768 입니다.', + pCost1: `p_cost 는 해싱을 위한 병렬 처리 수를 정의합니다. 이 값은 대부분 Rauthy의 기본값인 8 이내로 사용됩니다.`, - pCost2: `일반적인으로 p_cost 는 사용가능한 코어의 2배로 설정됩니다. + pCost2: `일반적인으로 p_cost 는 사용가능한 코어의 2배로 설정됩니다. 예를 들어, 4코어 시스템을 사용중이라면, p_cost8 로 설정됩니다. 단, 이 값은 구성된 허용된 병렬 로그인 (MAX_HASH_THREADS) 을 고려하여 적절히 줄여야 합니다.`, - tCost1: `t_cost 는 해싱을 위한 시간 을 정의합니다. m_cost 와 + tCost1: `t_cost 는 해싱을 위한 시간 을 정의합니다. m_costp_cost 는 기본적으로 환경에 의해 주어지기 때문에, 이 값은 실제로 튜닝이 필요한 유일한 값입니다.`, - tCost2: `튜닝은 간단합니다. m_costp_cost 를 적절히 설정한 다음 + tCost2: `튜닝은 간단합니다. m_costp_cost 를 적절히 설정한 다음 t_cost 를 로그인 목표 시간에 도달할 때까지 증가시키면 됩니다.`, - utilityHead: '파라메터 계산 유틸리티', - utility1: `이 도구를 사용하여 시스템에 적합한 값을 대략적으로 구할 수 있습니다. 이 도구는 시스템의 + utilityHead: '파라메터 계산 유틸리티', + utility1: `이 도구를 사용하여 시스템에 적합한 값을 대략적으로 구할 수 있습니다. 이 도구는 시스템의 실제 성능을 테스트하므로 모든 다른 서비스를 사용하는 상태에서 Rauthy를 실행해야 한다는 점에 유의하세요. 해당 시스템의 일반적인 사용 환경에서 이 유틸리티를 실행해야 오버 튜닝을 방지할 수 있습니다.`, - utility2: `m_cost 은 옵션이며, 비어 있으면 안전한 최소값인 32768 이 사용됩니다. + utility2: `m_cost 은 옵션이며, 비어 있으면 안전한 최소값인 32768 이 사용됩니다. p_cost 은 옵션이며, 비어 있으면 시스템의 모든 스레드 를 사용합니다.`, - time: "시간", - targetTime: "목표 시간", - tune: '중요: 이러한 값은 최종 아키텍처에서 설정되어야 합니다!', - pDetials: `Argon2ID에 대한 자세한 소개를 원하신다면 온라인에 많은 자료가 있습니다. 이 가이드에서는 값에 + time: '시간', + targetTime: '목표 시간', + tune: '중요: 이러한 값은 최종 아키텍처에서 설정되어야 합니다!', + pDetials: `Argon2ID에 대한 자세한 소개를 원하신다면 온라인에 많은 자료가 있습니다. 이 가이드에서는 값에 대한 아주 간략한 개요만 제공합니다. 다음 세 가지를 구성해야 합니다.`, - pTune: `시스템의 성능에 따라 다릅니다. 성능이 좋을수록 더 안전한 값을 설정할 수 있습니다.`, - pUtility: `이 유틸리티는 플랫폼에 가장 적합한 Argon2ID 설정을 찾을 수 있도록 도와줍니다. Argon2ID는 현재 + pTune: `시스템의 성능에 따라 다릅니다. 성능이 좋을수록 더 안전한 값을 설정할 수 있습니다.`, + pUtility: `이 유틸리티는 플랫폼에 가장 적합한 Argon2ID 설정을 찾을 수 있도록 도와줍니다. Argon2ID는 현재 사용 가능한 가장 안전한 비밀번호 해싱 알고리즘입니다. 이 알고리즘을 최대한 활용하려면 각 시스템에 - 맞게 조정해야 합니다.`, - }, - openapi: "외부 애플리케이션을 통합하기 위한 Rauthy의 API 사용 방법:", - openapiNote: `백엔드 설정에 따라 Swagger UI가 외부에 노출되지 않을 수도 있습니다. + 맞게 조정해야 합니다.` + }, + openapi: '외부 애플리케이션을 통합하기 위한 Rauthy의 API 사용 방법:', + openapiNote: `백엔드 설정에 따라 Swagger UI가 외부에 노출되지 않을 수도 있습니다. 하지만 기본적으로 내부에서는 Swagger UI를 통해 정보를 확인할 수 있습니다.`, - source: "Rauthy의 소스코드", - }, - error: { - needsAdminRole: `rauthy_admin 역할이 부여되지 않았습니다.
+ source: 'Rauthy의 소스코드' + }, + error: { + needsAdminRole: `rauthy_admin 역할이 부여되지 않았습니다.
관리자 패널에 접근할 수 없습니다.`, - noAdmin: `Rauthy 관리자 계정에는 MFA가 활성화되어 있어야 합니다.
+ noAdmin: `Rauthy 관리자 계정에는 MFA가 활성화되어 있어야 합니다.
계정 으로 이동 후 MFA를 활성화하세요.
- 활성화 후에는 로그아웃한 뒤 다시 로그인해야 합니다.`, - }, - events: { - eventLevel: "이벤트 레벨", - eventType: "이벤트 타입", - }, - groups: { - delete1: "이 그룹을 삭제하시겠습니까?", - name: "그룹 이름", - }, - jwks: { - alg: "알고리즘", - p1: "토큰 서명에 사용되는 Json Web Keys(JWKs)입니다.", - p2: `JWKs는 기본적으로 매월 1일마다 회전됩니다. 새로 생성된 모든 토큰의 경우, 주어진 알고리즘에 대해 + 활성화 후에는 로그아웃한 뒤 다시 로그인해야 합니다.` + }, + events: { + eventLevel: '이벤트 레벨', + eventType: '이벤트 타입' + }, + groups: { + delete1: '이 그룹을 삭제하시겠습니까?', + name: '그룹 이름' + }, + jwks: { + alg: '알고리즘', + p1: '토큰 서명에 사용되는 Json Web Keys(JWKs)입니다.', + p2: `JWKs는 기본적으로 매월 1일마다 회전됩니다. 새로 생성된 모든 토큰의 경우, 주어진 알고리즘에 대해 사용 가능한 최신 키만 서명에 사용됩니다. 현재 유효한 토큰에 대해 유효성을 검사하기 위해 이전 키는 잠시 보관되며, 이후 자동으로 정리됩니다.`, - p3: `키를 수동으로 회전할 수도 있습니다. Rauthy 인스턴스가 실행 중인 하드웨어에 따라 수 초가 걸릴 수 + p3: `키를 수동으로 회전할 수도 있습니다. Rauthy 인스턴스가 실행 중인 하드웨어에 따라 수 초가 걸릴 수 있습니다.`, - type: "타입", - rotateKeys: "키 회전", - }, - nav: { - apiKeys: "API 키", - attributes: "속성", - blacklist: "블랙리스트", - clients: "클라이언트", - config: "설정", - docs: "문서", - events: "이벤트", - groups: "그룹", - providers: "공급자", - roles: "역할", - scopes: "범위", - sessions: "세션", - users: "사용자", - }, - options: { - expires: "만료일", - lastSeen: "마지막 사용시간", - state: "상태", - }, - pam: { - addGroup: "New PAM Group", - addHost: "New PAM Host", - addUser: "New PAM User", - deleteHost: "Do you really want to delete this host?", - groupDescGeneric: `Generic groups are the counterpart to entries that are usually found in /etc/group. Users + type: '타입', + rotateKeys: '키 회전' + }, + nav: { + apiKeys: 'API 키', + attributes: '속성', + blacklist: '블랙리스트', + clients: '클라이언트', + config: '설정', + docs: '문서', + events: '이벤트', + groups: '그룹', + providers: '공급자', + roles: '역할', + scopes: '범위', + sessions: '세션', + users: '사용자' + }, + options: { + expires: '만료일', + lastSeen: '마지막 사용시간', + state: '상태' + }, + pam: { + addGroup: 'New PAM Group', + addHost: 'New PAM Host', + addUser: 'New PAM User', + deleteHost: 'Do you really want to delete this host?', + groupDescGeneric: `Generic groups are the counterpart to entries that are usually found in /etc/group. Users can be assigned to these and they are returned to the system by NSS Lookups.`, - groupDescHost: `Host groups are used to group hosts. NSS lookups of a host within the group return all other + groupDescHost: `Host groups are used to group hosts. NSS lookups of a host within the group return all other hosts within it as a result. Users can access hosts by assigning them to a host group.`, - groupDescLocal: `Local groups behave almost identically to Generic groups, with the difference that they have + groupDescLocal: `Local groups behave almost identically to Generic groups, with the difference that they have an ID in the Rauthy database, but the NSS proxy on the respective host will convert it to an ID from /etc/group. In this way, Rauthy users can be assigned to groups that already exist locally.`, - groupDescUser: `User groups are managed automatically and tightly coupled with the user with the same + groupDescUser: `User groups are managed automatically and tightly coupled with the user with the same username.`, - groupDescWheel: `This group is special. It is immutable and is assigned to users dynamically depending on their + groupDescWheel: `This group is special. It is immutable and is assigned to users dynamically depending on their group configuration.`, - groupName: "Groupname", - groups: "Groups", - groupType: "Group Type", - hostAliases: "Host Aliases", - hostLocalPwdOnly: "Local Password Login", - hostLocalPwdOnlyInfo: `When Local Password Login is set, it overwrites Force MFA for local logins. At the same + groupName: 'Groupname', + groups: 'Groups', + groupType: 'Group Type', + hostAliases: 'Host Aliases', + hostLocalPwdOnly: 'Local Password Login', + hostLocalPwdOnlyInfo: `When Local Password Login is set, it overwrites Force MFA for local logins. At the same time, passkeys will never be requested (locally) during logins, even if a user is MFA-secured. This option should only be set if really necessary, for instance if MFA-secured users should be able to do local logins while not using hardware passkeys.`, - ipAddresses: "IP Addresses", - member: "Member", - nameExistsAlready: "Name is already taken", - notes: "Notes", - secretShow: "Show Secret", - secretRotate: "Rotate Secret", - userEmail: "Linked User E-Mail", - username: "Username", - usernameNewDesc: `The Username should be chosen carefully. Once created, it cannot be changed easily afterwards - for security reasons.`, - }, - passwordPolicy: { - configDesc: "새 비밀번호에 대한 정책입니다.", - resetSet0: "0으로 설정하면 비활성화됩니다.", - validForDays: "기간 제한", - validityNew: "이전 비밀번호 사용 제한 정책입니다.", - }, - providers: { - config: { - allowInsecureTls: "안전하지 않은 TLS 허용", - autoLink: "Auto-Link User", - autoLinkDesc1: `If Auto-Link User is activated, the login via this provider will automatically link a + ipAddresses: 'IP Addresses', + member: 'Member', + nameExistsAlready: 'Name is already taken', + notes: 'Notes', + secretShow: 'Show Secret', + secretRotate: 'Rotate Secret', + userEmail: 'Linked User E-Mail', + username: 'Username', + usernameNewDesc: `The Username should be chosen carefully. Once created, it cannot be changed easily afterwards + for security reasons.` + }, + passwordPolicy: { + configDesc: '새 비밀번호에 대한 정책입니다.', + resetSet0: '0으로 설정하면 비활성화됩니다.', + validForDays: '기간 제한', + validityNew: '이전 비밀번호 사용 제한 정책입니다.' + }, + providers: { + config: { + allowInsecureTls: '안전하지 않은 TLS 허용', + autoLink: 'Auto-Link User', + autoLinkDesc1: `If Auto-Link User is activated, the login via this provider will automatically link a possibly existing, non-linked user to this provider.`, - autoLinkDesc2: `CAUTION: This option can be very dangerous and lead to account takeover if the provider + autoLinkDesc2: `CAUTION: This option can be very dangerous and lead to account takeover if the provider does not fully validate E-Mail addresses for users and therefore makes it possible to add a foreign address for a user! MUST NEVER be used in such a case!`, - clientName: "클라이언트 이름", - custRootCa: "사용자 지정 Root CA PEM 사용", - descAuthMethod: `/token 엔드포인트에서 사용할 인증 방법입니다.
+ clientName: '클라이언트 이름', + custRootCa: '사용자 지정 Root CA PEM 사용', + descAuthMethod: `/token 엔드포인트에서 사용할 인증 방법입니다.
대부분의 인증 공급자는 basic 으로 작업해야 하며, 일부 인증 공급자는 post 만 사용해야 합니다. 드문 경우지만 두 가지를 모두 사용해야 하는 경우도 있습니다. 인증 공급자의 가이드대로 설정하시면 됩니다.`, - descClientId: "인증 공급자가 제공한 클라이언트 ID", - descClientName: "로그인 페이지에 표시될 클라이언트 이름", - descClientSecret: `인증 공급자가 제공한 클라이언트 Secret입니다. 최소한 클라이언트 + descClientId: '인증 공급자가 제공한 클라이언트 ID', + descClientName: '로그인 페이지에 표시될 클라이언트 이름', + descClientSecret: `인증 공급자가 제공한 클라이언트 Secret입니다. 최소한 클라이언트 Secret 또는 PKCE가 필요합니다.`, - descScope: `로그인 리디렉션에 사용할 범위입니다. 공백으로 구분하여 입력합니다.`, - errNoAuthMethod: `클라이언트 Secret이 입력되어 있지만, 클라이언트 인증 방법이 활성화되어 + descScope: `로그인 리디렉션에 사용할 범위입니다. 공백으로 구분하여 입력합니다.`, + errNoAuthMethod: `클라이언트 Secret이 입력되어 있지만, 클라이언트 인증 방법이 활성화되어 있지 않습니다.`, - errConfidential: "최소한 기밀 클라이언트이거나 PKCE를 사용해야 합니다.", - jsonPath: { - p1: "업스트림 로그인 성공 후, ID 토큰의 값을 자동으로 매핑할 수 있습니다.", - p2: `경로는 정규식과 같은 구문으로 지정해야 합니다. 단일 JSON 값이나 + errConfidential: '최소한 기밀 클라이언트이거나 PKCE를 사용해야 합니다.', + jsonPath: { + p1: '업스트림 로그인 성공 후, ID 토큰의 값을 자동으로 매핑할 수 있습니다.', + p2: `경로는 정규식과 같은 구문으로 지정해야 합니다. 단일 JSON 값이나 JSON 객체 또는 배열의 값으로 처리할 수 있습니다.`, - p3: "$. 는 JSON 객체의 시작을 표시합니다.", - p4: "* 는 경로에서 와일드카드로 사용됩니다.", - p5: `$.roles{\"roles\": \"value\"} 을 목표로 + p3: '$. 는 JSON 객체의 시작을 표시합니다.', + p4: '* 는 경로에서 와일드카드로 사용됩니다.', + p5: `$.roles{\"roles\": \"value\"} 을 목표로 할 수 있습니다.`, - p6: `$.roles.*{"roles": ["value", "notMyValue"]} - 과 같이 객체 또는 배열 내부의 값을 목표로 할 수 있습니다.`, - }, - lookup: "조회", - pathAdminClaim: "관리자 Claim 경로", - pathMfaClaim: "MFA Claim 경로", - rootPemCert: "Root CA의 PEM 인증서", - mapMfa: `공급자에서 사용자가 로그인하는 동안 2FA 이상을 사용했음을 나타내는 Claim을 발행하는 경우, + p6: `$.roles.*{"roles": ["value", "notMyValue"]} + 과 같이 객체 또는 배열 내부의 값을 목표로 할 수 있습니다.` + }, + lookup: '조회', + pathAdminClaim: '관리자 Claim 경로', + pathMfaClaim: 'MFA Claim 경로', + rootPemCert: 'Root CA의 PEM 인증서', + mapMfa: `공급자에서 사용자가 로그인하는 동안 2FA 이상을 사용했음을 나타내는 Claim을 발행하는 경우, MFA Claim 경로를 지정할 수 있습니다.`, - mapUser: `업스트림 ID Claim 에 따라 사용자를 Rauthy 관리자로 매핑할 수 있습니다.`, - valueAdminClaim: "관리자 Claim 값", - valueMfaClaim: "MFA Claim 값", - }, - delete: { - areYouSure: "이 공급자를 삭제하시겠습니까?", - forceDelete: "강제 삭제", - isInUse1: "이 공급자는 활성 사용자가 사용 중입니다!", - isInUse2: `강제로 삭제할 수는 있지만 로컬 비밀번호나 패스키가 없는 사용자는 더 이상 로그인할 수 + mapUser: `업스트림 ID Claim 에 따라 사용자를 Rauthy 관리자로 매핑할 수 있습니다.`, + valueAdminClaim: '관리자 Claim 값', + valueMfaClaim: 'MFA Claim 값' + }, + delete: { + areYouSure: '이 공급자를 삭제하시겠습니까?', + forceDelete: '강제 삭제', + isInUse1: '이 공급자는 활성 사용자가 사용 중입니다!', + isInUse2: `강제로 삭제할 수는 있지만 로컬 비밀번호나 패스키가 없는 사용자는 더 이상 로그인할 수 없습니다.`, - linkedUsers: "연결된 사용자", - }, - }, - roles: { - adminNoMod: "rauthy_admin 역할은 변경할 수 없습니다.", - delete1: "이 역할을 삭제하시겠습니까?", - name: "역할 이름", - }, - scopes: { - defaultNoMod: "이것은 OIDC 기본 범위 중 하나입니다. 변경할 수 없습니다.", - delete1: "이 범위를 삭제하시겠습니까?", - deleteDefault: "OIDC 기본 범위는 삭제할 수 없습니다.", - mapping1: "사용자 지정 범위를 속성에 매핑할 수 있습니다.", - mapping2: `구성된 모든 추가 속성은 각 사용자에 대해 사용자 지정 값을 가질 수 있습니다. + linkedUsers: '연결된 사용자' + } + }, + roles: { + adminNoMod: 'rauthy_admin 역할은 변경할 수 없습니다.', + delete1: '이 역할을 삭제하시겠습니까?', + name: '역할 이름' + }, + scopes: { + defaultNoMod: '이것은 OIDC 기본 범위 중 하나입니다. 변경할 수 없습니다.', + delete1: '이 범위를 삭제하시겠습니까?', + deleteDefault: 'OIDC 기본 범위는 삭제할 수 없습니다.', + mapping1: '사용자 지정 범위를 속성에 매핑할 수 있습니다.', + mapping2: `구성된 모든 추가 속성은 각 사용자에 대해 사용자 지정 값을 가질 수 있습니다. 이러한 속성이 범위에 매핑되면 액세스 및 ID 토큰에 포함될 수 있습니다.`, - name: "범위 이름", - }, - search: { - orderBy: "정렬 기준", - orderChangeToAsc: "오름차순으로 정렬", - orderChangeToDesc: "내림차순으로 정렬", - }, - sessions: { - invalidateAll: "모든 세션 삭제", - }, - tabs: { - config: "설정", - delete: "삭제", - }, - users: { - antiLockout: { - rule: 'Anti-Lockout Rule', - delete: 'cannot be deleted', - disable: 'cannot be disabled', - rauthyAdmin: 'rauthy_admin rule cannot be removed', - }, - attributes: "속성", - deleteUser: "이 사용자를 삭제하시겠습니까?", - descAttr: `사용자 지정 속성을 설정합니다. 모든 키/값 쌍은 문자열/JSON 값으로 처리됩니다.`, - forceLogout: `기존 세션을 모두 삭제하고, 이 사용자의 모든 Refresh 토큰을 삭제하시겠습니까?`, - lastLogin: "마지막 로그인", - manualInitDesc: `The user can also be initialized here, In this case though, you need to communicate the + name: '범위 이름' + }, + search: { + orderBy: '정렬 기준', + orderChangeToAsc: '오름차순으로 정렬', + orderChangeToDesc: '내림차순으로 정렬' + }, + sessions: { + invalidateAll: '모든 세션 삭제' + }, + tabs: { + config: '설정', + delete: '삭제' + }, + tos: { + addNewToS: 'Add new ToS', + checkStatus: 'Check user status', + immutable: `CAUTION: After adding new Terms of Service, they are immutable and cannot be + deleted!`, + noneExist: 'No Terms of Service have been added yet.', + tos: 'ToS' + }, + users: { + antiLockout: { + rule: 'Anti-Lockout Rule', + delete: 'cannot be deleted', + disable: 'cannot be disabled', + rauthyAdmin: 'rauthy_admin rule cannot be removed' + }, + attributes: '속성', + deleteUser: '이 사용자를 삭제하시겠습니까?', + descAttr: `사용자 지정 속성을 설정합니다. 모든 키/값 쌍은 문자열/JSON 값으로 처리됩니다.`, + forceLogout: `기존 세션을 모두 삭제하고, 이 사용자의 모든 Refresh 토큰을 삭제하시겠습니까?`, + lastLogin: '마지막 로그인', + manualInitDesc: `The user can also be initialized here, In this case though, you need to communicate the password directly.`, - manualInit: "Manual Initialization", - mfaDelete1: "이 사용자의 패스키를 삭제할 수 있습니다.", - mfaDelete2: `이 작업은 되돌릴 수 없습니다!`, - noMfaKeys: "등록된 패스키 없음", - pkOnly1: "이 사용자는 패스키 전용 계정입니다.", - pkOnly2: "이 사용자는 비밀번호 없는 로그인을 사용하며, 설정된 비밀번호가 없습니다.", - pkOnly3: `이 사용자가 모든 비밀번호를 분실한 경우, 계정을 완전히 재설정하고 새로운 비밀번호 + manualInit: 'Manual Initialization', + mfaDelete1: '이 사용자의 패스키를 삭제할 수 있습니다.', + mfaDelete2: `이 작업은 되돌릴 수 없습니다!`, + noMfaKeys: '등록된 패스키 없음', + pkOnly1: '이 사용자는 패스키 전용 계정입니다.', + pkOnly2: '이 사용자는 비밀번호 없는 로그인을 사용하며, 설정된 비밀번호가 없습니다.', + pkOnly3: `이 사용자가 모든 비밀번호를 분실한 경우, 계정을 완전히 재설정하고 새로운 비밀번호 재설정 이메일을 보낼 수 있습니다. 이렇게 하려면 'MFA' 탭으로 이동하여 기존의 모든 패스키를 삭제하세요.`, - pwdNoInit: "사용자가 아직 초기 비밀번호 재설정을 수행하지 않았습니다.", - pwdSendEmailBtn: "재설정 이메일 보내기", - pwdSendEmailDesc: "새 비밀번호를 설정하거나, 재설정 이메일을 보낼 수 있습니다.", - savePassword: "비밀번호 저장", - selfServiceDesc: "새 비밀번호를 설정하거나, 재설정 이메일을 보낼 수 있습니다.", - sendResetEmail: "재설정 이메일 보내기", - }, - validation: { - css: "비정상적인 CSS", - origin: "비정상적인 오리진", - uri: "비정상적인 URI", - }, + pwdNoInit: '사용자가 아직 초기 비밀번호 재설정을 수행하지 않았습니다.', + pwdSendEmailBtn: '재설정 이메일 보내기', + pwdSendEmailDesc: '새 비밀번호를 설정하거나, 재설정 이메일을 보낼 수 있습니다.', + savePassword: '비밀번호 저장', + selfServiceDesc: '새 비밀번호를 설정하거나, 재설정 이메일을 보낼 수 있습니다.', + sendResetEmail: '재설정 이메일 보내기' + }, + validation: { + css: '비정상적인 CSS', + origin: '비정상적인 오리진', + uri: '비정상적인 URI' + } }; diff --git a/frontend/src/i18n/admin/nb.ts b/frontend/src/i18n/admin/nb.ts index cad8537c8..2f86cd69d 100644 --- a/frontend/src/i18n/admin/nb.ts +++ b/frontend/src/i18n/admin/nb.ts @@ -1,392 +1,406 @@ -import type {I18nAdmin} from "./interface.ts"; +import type { I18nAdmin } from './interface.ts'; export let I18nAdminNb: I18nAdmin = { - api_key: { - delete1: "Skal denne API nøkkelen slettes?", - expires: "Utløper", - generate1: "Her kan man opprette et nytt Secret for denne API nøkkelen.", - generate2: `Secreten vises kun en gang etter opprettelse. + api_key: { + delete1: 'Skal denne API nøkkelen slettes?', + expires: 'Utløper', + generate1: 'Her kan man opprette et nytt Secret for denne API nøkkelen.', + generate2: `Secreten vises kun en gang etter opprettelse. Hvis en ny genereres, vil den gamle umiddelbart og permanent overskrives. Denne operasjonen kan ikke angres!`, - generate3: `API nøkkelen må sendes i HTTP Authorization headeren i følgende + generate3: `API nøkkelen må sendes i HTTP Authorization headeren i følgende format:`, - generate4: "Følgende curl spørringen kan brukes til testing av nøkkelen:", - generate5: "Hivs jq ikke er installiert, bruk denne versjonen uten:", - keyName: "Nøkkel navn", - limitedValidity: "Begrenset gyldighet", - }, - attrs: { - delete1: "Skal dette attributtet slettes?", - defaultValue: "Standardverdi", - desc: "Beskrivelse", - makeEditable: "Gjør redigerbart", - makeEditableP1: "Dette attributtet kan gjøres redigerbart av brukere.", - makeEditableP2: `ADVARSEL: Denne endringen kan aldri angres! Alle opplysninger gitt direkte av en + generate4: 'Følgende curl spørringen kan brukes til testing av nøkkelen:', + generate5: 'Hivs jq ikke er installiert, bruk denne versjonen uten:', + keyName: 'Nøkkel navn', + limitedValidity: 'Begrenset gyldighet' + }, + attrs: { + delete1: 'Skal dette attributtet slettes?', + defaultValue: 'Standardverdi', + desc: 'Beskrivelse', + makeEditable: 'Gjør redigerbart', + makeEditableP1: 'Dette attributtet kan gjøres redigerbart av brukere.', + makeEditableP2: `ADVARSEL: Denne endringen kan aldri angres! Alle opplysninger gitt direkte av en bruker er alltid uvalidert og må ALDRI brukes for noen form for autentisering eller autorisasjon!`, - makeEditableP3: `Et attributt kan derfor aldri endres fra redigerbart til ikke-redigerbart, fordi + makeEditableP3: `Et attributt kan derfor aldri endres fra redigerbart til ikke-redigerbart, fordi for en viss tid, uavhengig av varighet, ble uvalidert input tillatt.`, - name: "Attribut navn", - userEditable: "Redigerbart av brukere", - }, - backup: { - createBackup: "Lag Backup", - disabledDesc: "Disse funksjonene er kun tilgjengelige hvis Hiqlite er konfigurert som database.", - lastModified: "Sist endret", - local: "Lokal", - name: "Navn", - size: "Størrelse", - }, - clients: { - backchannelLogout: "Hvis denne klienten støtter {{ OIDC_BCL }}, kan URIen angis her.", - branding: { - descHsl: `Fargene må angis som HSL. Her defineres kun basisfargen. + name: 'Attribut navn', + userEditable: 'Redigerbart av brukere' + }, + backup: { + createBackup: 'Lag Backup', + disabledDesc: + 'Disse funksjonene er kun tilgjengelige hvis Hiqlite er konfigurert som database.', + lastModified: 'Sist endret', + local: 'Lokal', + name: 'Navn', + size: 'Størrelse' + }, + clients: { + backchannelLogout: 'Hvis denne klienten støtter {{ OIDC_BCL }}, kan URIen angis her.', + branding: { + descHsl: `Fargene må angis som HSL. Her defineres kun basisfargen. Alpha kanaler og andre verdier justeres dynamisk av temaet.`, - descFullCss: `Fargene må angis som fullstendige, gyldige CSS color verdier. + descFullCss: `Fargene må angis som fullstendige, gyldige CSS color verdier. Kompleks kalkulasjon og definerte CSS variablene over kan også brukes.`, - descVariables: `Hver påfølgende etikett er samtidig navnet på CSS variabelen. Det betyr at + descVariables: `Hver påfølgende etikett er samtidig navnet på CSS variabelen. Det betyr at for eksempel fritekst kan referere til variablene, like som med - hsla(var(--action) / .7).`, - }, - confidential: "Følsomt", - confidentialNoSecret: "Dette er ikke en følsom klient, og har derfor ingen hemmelighet.", - config: "Klient konfigurasjon", - delete1: "Skal denne klienten slettes?", - descAuthCode: `Gyldigheten til Auth kodene kan justeres for å oppnå ekstra sikkerhet. + hsla(var(--action) / .7).` + }, + confidential: 'Følsomt', + confidentialNoSecret: 'Dette er ikke en følsom klient, og har derfor ingen hemmelighet.', + config: 'Klient konfigurasjon', + delete1: 'Skal denne klienten slettes?', + descAuthCode: `Gyldigheten til Auth kodene kan justeres for å oppnå ekstra sikkerhet. Auth kodene kan kun brukes en gang og er normalt gyldige i 60 sekunder. Jo kortere, jo bedre så lenge klienten kan bruke koden raskt nok.`, - descClientUri: `Informasjon om URI og kontakter for denne klienten, som vises + descClientUri: `Informasjon om URI og kontakter for denne klienten, som vises på innloggingssiden.`, - descName: `Klientnavnet kan endres uten å påvirke konfigurasjonen. + descName: `Klientnavnet kan endres uten å påvirke konfigurasjonen. Det brukes kun for visning på innloggingssiden.`, - descGroupPrefix: `Pålogging for denne klienten kan begrenses ved et valgfritt gruppeprefiks. + descGroupPrefix: `Pålogging for denne klienten kan begrenses ved et valgfritt gruppeprefiks. Kun brukere som tilhører den tilsvarende gruppen får lov til å logge inn på denne klienten.`, - descOrigin: `Eksterne, ytterligere tillatte Origins - vanligvis bare nødvendig hvis denne + descOrigin: `Eksterne, ytterligere tillatte Origins - vanligvis bare nødvendig hvis denne klienten må gjøre forespørsler til Rauthy direkte fra nettleseren, typisk SPAs.`, - descPKCE: `Hvis klienten støtter PKCE, bør S256 PKCE alltid aktiveres for ekstra sikkerhet. + descPKCE: `Hvis klienten støtter PKCE, bør S256 PKCE alltid aktiveres for ekstra sikkerhet. Hvis en ikke-følsom klient (f.eks. en SPA) brukes, må minst én PKCE Challenge aktiveres for å tilby tilstrekkelig sikkerhet.`, - descPKCEEnforce: `Hvis PKCE er aktivert, håndhever Rauthy bruken og nekter pålogginger + descPKCEEnforce: `Hvis PKCE er aktivert, håndhever Rauthy bruken og nekter pålogginger som ikke gir en gyldig Challenge.`, - descUri: `Det kan angis et vilkårlig antall Redirect URIs. På slutten av hver kan + descUri: `Det kan angis et vilkårlig antall Redirect URIs. På slutten av hver kan valgfritt * aksepteres som en jokertegn.`, - errConfidentialPKCE: `Klienten må enten være følsom eller ha minst én PKCE + errConfidentialPKCE: `Klienten må enten være følsom eller ha minst én PKCE Challenge aktivert.`, - forceMfa: "Tving MFA", - groupLoginPrefix: "Gruppepåloggingsprefiks", - name: "Klientnavn", - scim: { - baseUri: `SCIM Base URI'en må være den som underordnede ruter som + forceMfa: 'Tving MFA', + groupLoginPrefix: 'Gruppepåloggingsprefiks', + name: 'Klientnavn', + scim: { + baseUri: `SCIM Base URI'en må være den som underordnede ruter som {base_uri}/Users/{id} kan avledes korrekt fra.`, - desc: "Hvis denne klienten støtter {{ SCIM_LINK }}, kan den aktiveres her.", - enable: "Aktiver SCIMv2", - groupSync: "Synkroniser grupper", - groupSyncPrefix: "Gruppe filterprefiks", - groupSyncPrefixDesc: `Grupper som bør synkroniseres kan filtreres med et valgfritt prefiks. + desc: 'Hvis denne klienten støtter {{ SCIM_LINK }}, kan den aktiveres her.', + enable: 'Aktiver SCIMv2', + groupSync: 'Synkroniser grupper', + groupSyncPrefix: 'Gruppe filterprefiks', + groupSyncPrefixDesc: `Grupper som bør synkroniseres kan filtreres med et valgfritt prefiks. Hvis det for eksempel finnes grupper som app:admins og app:users, vil prefikset app: sørge for at bare disse gruppene synkroniseres, og bare brukere som tilhører minst én av disse gruppene.`, - reqDesc: "Følgende betingelser må være oppfylt for kompatibilitet:", - reqLi1: "Klienten må håndtere externalId korrekt.", - reqLi2: `Minst /Users endepunkter med filter=externalId eq "*" og + reqDesc: 'Følgende betingelser må være oppfylt for kompatibilitet:', + reqLi1: 'Klienten må håndtere externalId korrekt.', + reqLi2: `Minst /Users endepunkter med filter=externalId eq "*" og filter=userName eq "*" må støttes.`, - reqLi3: `Hvis grupper skal synkroniseres, må i tillegg under /Groups - filter=displayName eq "*" støttes.`, - }, - scopes: { - allowed: "Tillatte Scopes", - default: "Standard Scopes", - desc: `Tillatte Scopes er de som klienten dynamisk kan be om ved + reqLi3: `Hvis grupper skal synkroniseres, må i tillegg under /Groups + filter=displayName eq "*" støttes.` + }, + scopes: { + allowed: 'Tillatte Scopes', + default: 'Standard Scopes', + desc: `Tillatte Scopes er de som klienten dynamisk kan be om ved omdirigering til innlogging i authorization_code flyten. Standard Scopes legges derimot alltid til og kan løse problemer hvis - for eksempel password flyten brukes.`, - }, - secret: { - doCache: "Cacher klient hemmelighet", - cacheDuration: "Cache lengde (timer)", - generate: "Generer nytt hemmelighet", - rotateDesc1: `For å muliggjøre oppdateringer uten nedetid, kan den eksisterende hemmeligheten + for eksempel password flyten brukes.` + }, + secret: { + doCache: 'Cacher klient hemmelighet', + cacheDuration: 'Cache lengde (timer)', + generate: 'Generer nytt hemmelighet', + rotateDesc1: `For å muliggjøre oppdateringer uten nedetid, kan den eksisterende hemmeligheten beholdes i in-memory cachen i en viss tid. En verdi mellom 1 og 24 timer kan angis.`, - rotateDesc2: "ADVARSEL: Den nåværende hemmeligheten bør ikke beholdes i cachen hvis det har vært et lekkasje!", - }, - tokenLifetime: { - p1: "Tokenets levetid brukes for Access og ID Tokens og angis i sekunder.", - p2: `Hvis klienten støtter EdDSA / ed25519 algoritmer, bør dette være det foretrukne valget. + rotateDesc2: + 'ADVARSEL: Den nåværende hemmeligheten bør ikke beholdes i cachen hvis det har vært et lekkasje!' + }, + tokenLifetime: { + p1: 'Tokenets levetid brukes for Access og ID Tokens og angis i sekunder.', + p2: `Hvis klienten støtter EdDSA / ed25519 algoritmer, bør dette være det foretrukne valget. RSA algoritmer eksisterer kun av kompatibilitetsgrunner.`, - p3: `Algoritmen for Refresh Tokens kan ikke endres, da disse kun skal brukes av Rauthy.`, - }, - }, - common: { - account: "Konto", - addNew: "Legg til ny", - back: "Tilbake", - caution: "ADVARSEL", - contact: "Kontakt", - copiedToClip: "Kopiert til utklippstavle", - details: "Detaljer", - edit: "Rediger", - enabled: "Aktivert", - filter: "Filter", - from: "Fra", - information: "Informasjon", - language: "Språk", - loading: "Laster", - name: "Navn", - nameExistsAlready: "Navnet finnes allerede", - note: "Notat", - noEntries: "Ingen oppføringer", - reset: "Tilbakestill", - searchOptions: "Søkealternativer", - until: "Til", - }, - docs: { - book: "For generell dokumentasjon for Rauthy, se", - encryption: "Kryptering", - encKeys: { - header: "Krypteringsnøkler", - keyActive: "Aktivert nøkkel", - keysAvailable: "Tilgjengelige nøkler", - migrate: "Migrere", - migrateToKey: "Migrere alle verdiene til følgende krypteringsnøkkel", - p1: `Disse nøklene brukes for ekstra kryptering i forskjellige situasjoner, som for eksempel + p3: `Algoritmen for Refresh Tokens kan ikke endres, da disse kun skal brukes av Rauthy.` + } + }, + common: { + account: 'Konto', + addNew: 'Legg til ny', + back: 'Tilbake', + caution: 'ADVARSEL', + contact: 'Kontakt', + copiedToClip: 'Kopiert til utklippstavle', + details: 'Detaljer', + edit: 'Rediger', + enabled: 'Aktivert', + filter: 'Filter', + from: 'Fra', + information: 'Informasjon', + language: 'Språk', + loading: 'Laster', + name: 'Navn', + nameExistsAlready: 'Navnet finnes allerede', + note: 'Notat', + noEntries: 'Ingen oppføringer', + reset: 'Tilbakestill', + searchOptions: 'Søkealternativer', + until: 'Til' + }, + docs: { + book: 'For generell dokumentasjon for Rauthy, se', + encryption: 'Kryptering', + encKeys: { + header: 'Krypteringsnøkler', + keyActive: 'Aktivert nøkkel', + keysAvailable: 'Tilgjengelige nøkler', + migrate: 'Migrere', + migrateToKey: 'Migrere alle verdiene til følgende krypteringsnøkkel', + p1: `Disse nøklene brukes for ekstra kryptering i forskjellige situasjoner, som for eksempel visse verdier i databasen eller sesjonscookies. De er statisk konfigurert, men kan roteres manuelt som en beste praksis.`, - p2: `Den aktive nøkkelen er også statisk satt i Rauthy konfigurasjonsfilen. Alle ny-krypterte + p2: `Den aktive nøkkelen er også statisk satt i Rauthy konfigurasjonsfilen. Alle ny-krypterte verdier vil bli kryptert med den aktive nøkkelen, mens gamle kan eksistere parallelt for bakoverkompatibilitet.`, - p3: `Migrering av alle krypterte verdier på dette tidspunktet kan, avhengig av systemet, + p3: `Migrering av alle krypterte verdier på dette tidspunktet kan, avhengig av systemet, ta litt tid.`, - pNotPossible: "For å migrere må det finnes minst 2 kypteringsnøkler.", - }, - hashing: { - calculate: "Beregn", + pNotPossible: 'For å migrere må det finnes minst 2 kypteringsnøkler.' + }, + hashing: { + calculate: 'Beregn', - currValuesHead: 'Nåværende verdier', - currValues1: "Nåværende konfigurerte veridene i backenden er følgende:", - currValuesNote: `Notat: Logintiden fra backenden vil kun være en god retningslinje etter at minst + currValuesHead: 'Nåværende verdier', + currValues1: 'Nåværende konfigurerte veridene i backenden er følgende:', + currValuesNote: `Notat: Logintiden fra backenden vil kun være en god retningslinje etter at minst 5 gylidge Logins har blitt gjort siden siste omstart. Startverdien er alltid 2000 ms og vil tilpasses med hver gylidg Login.`, - currValuesThreadsAccess: "Tråder (p_cost) tilgjengelig for Rauthy", + currValuesThreadsAccess: 'Tråder (p_cost) tilgjengelig for Rauthy', - loginTimeHead: "Noe ord om login tid", - loginTime1: `Generelt ønsker brukere at alt skal gå så raskt som mulig. For en sikker + loginTimeHead: 'Noe ord om login tid', + loginTime1: `Generelt ønsker brukere at alt skal gå så raskt som mulig. For en sikker login prosedyre bør imidlertid en tid på minst 500 - 1000 ms siktes mot og bør ikke være et problem. Tiden for passord hashing bør ikke være for kort, da dette vil redusere styrken til hashen.`, - loginTime2: `For å sikre tilstrekkelig sikkerhet som standard, tillater dette verktøyet ikke + loginTime2: `For å sikre tilstrekkelig sikkerhet som standard, tillater dette verktøyet ikke småere verider enn 500ms for login tid.`, - mCost1: `m_cost definerer mengden minne (i kB) som brukes til hashing. Jo høyere + mCost1: `m_cost definerer mengden minne (i kB) som brukes til hashing. Jo høyere denne verdien er,jo bedre (sikrere), men de nødvendige ressursene må selvfølgelig være tilgjengelige.
Hvis f.eks. 4 passord skal hashes samtidig, vil det naturligvis kreves 4 x m_cost minne, som alltid må være tilgjengelig.`, - mCost2: `Å finne den "riktige" verdien for m_cost er heldigvis veldig enkelt. + mCost2: `Å finne den "riktige" verdien for m_cost er heldigvis veldig enkelt. Definer maksimum minne Rauthy skal bruke, del mengden på antall parallelle innlogginger som skal være mulig (MAX_HASH_THREADS) og trekk fra en viss statisk mengde. Mengden statisk minne som trengs avhenger av valgt database og antall brukere, men vil i de fleste tilfeller ligge mellom 32 - 96 MB.`, - pCost1: `p_cost definerer parallellismen for hashing.
+ pCost1: `p_cost definerer parallellismen for hashing.
I de fleste tilfeller vil verdier over 8 ikke øke den nødvendige tiden, fordi algoritmen vil være mettet. Dette er også standardverdien for Rauthy.`, - pCost2: `Den generelle regelen er:
+ pCost2: `Den generelle regelen er:
Sett p_cost til det dobbelte av antall tilgjengelige CPU-kjerner.
Hvis f.eks. 4 kjerner er tilgjengelig, vil en p_cost på 8 være en god verdi.
Verdien må imidlertid ta hensyn til maksimalt antall tillatte parallelle innlogginger (MAX_HASH_THREADS) og eventuelt justeres deretter.`, - tCost1: `t_cost er en multiplikator for tiden til hashing. Dette er den eneste verdien som må finnes ved testing på målarkitekturen, fordi m_cost og p_cost i stor grad er forhåndsdefinert.`, - tCost2: `Å finne verdien er enkelt: Sett m_cost og p_cost som forklart ovenfor og øk t_cost til ønsket innloggingstid er oppnådd.`, + tCost1: `t_cost er en multiplikator for tiden til hashing. Dette er den eneste verdien som må finnes ved testing på målarkitekturen, fordi m_cost og p_cost i stor grad er forhåndsdefinert.`, + tCost2: `Å finne verdien er enkelt: Sett m_cost og p_cost som forklart ovenfor og øk t_cost til ønsket innloggingstid er oppnådd.`, - utilityHead: 'Parameter Beregningsverktøy', - utility1: `Verktøyet nedenfor kan brukes til å finne passende verdier for denne Rauthy-installasjonen. Siden verdiene avhenger av mange faktorer, bør de settes på den endelige arkitekturen, helst på tidspunkter med forventet høyest belastning, for å unngå å sette for høye verdier.`, - utility2: `m_cost er valgfritt og den minimale sikre verdien på 32768 vil automatisk + utilityHead: 'Parameter Beregningsverktøy', + utility1: `Verktøyet nedenfor kan brukes til å finne passende verdier for denne Rauthy-installasjonen. Siden verdiene avhenger av mange faktorer, bør de settes på den endelige arkitekturen, helst på tidspunkter med forventet høyest belastning, for å unngå å sette for høye verdier.`, + utility2: `m_cost er valgfritt og den minimale sikre verdien på 32768 vil automatisk vælges. Skulle p_cost heller ikke være angitt, vil Rauthy bruke den maksimale tilgjengelige mengden kjerner.`, - time: "Tid", - targetTime: "Mål-Tid", - tune: 'Viktig: Disse verdiene må settes på den endelige arkitekturen!', - pDetials: `For en mer detaljert innføring i Argon2ID-algoritmen finnes det mange kilder på nettet. + time: 'Tid', + targetTime: 'Mål-Tid', + tune: 'Viktig: Disse verdiene må settes på den endelige arkitekturen!', + pDetials: `For en mer detaljert innføring i Argon2ID-algoritmen finnes det mange kilder på nettet. Her forklares bare verdiene veldig kort. De følgende tre verdiene må konfigureres:`, - pTune: `Verdiene kan variere sterkt avhengig av systemet og den generelle systembelastningen. Jo + pTune: `Verdiene kan variere sterkt avhengig av systemet og den generelle systembelastningen. Jo kraftigere systemet er, desto sikrere verdier kan velges.`, - pUtility: `Dette verktøyet er en hjelp til å finne de beste Argon2ID-verdiene for det aktuelle systemet. + pUtility: `Dette verktøyet er en hjelp til å finne de beste Argon2ID-verdiene for det aktuelle systemet. Argon2ID er den for tiden sikreste tilgjengelige passordhash-algoritmen. For å kunne utnytte det fulle potensialet må imidlertid verdiene tilpasses systemet.`, - mCost3: "Den minimale tillatte verdien for m_cost er 32768." - }, - openapi: "For integrering av en ekstern applikasjon via Rauthys API, se", - openapiNote: `Avhengig av konfigurasjonen er Swagger UI kanskje ikke offentlig tilgjengelig via lenken over. + mCost3: 'Den minimale tillatte verdien for m_cost er 32768.' + }, + openapi: 'For integrering av en ekstern applikasjon via Rauthys API, se', + openapiNote: `Avhengig av konfigurasjonen er Swagger UI kanskje ikke offentlig tilgjengelig via lenken over. Den er imidlertid (som standard) tilgjengelig via den interne metrics-serveren for å redusere angrepsflaten.`, - source: "Kildekoden finnes her", - }, - error: { - needsAdminRole: 'For å få tilgang må du ha rollen rauthy_admin.', - noAdmin: `For Rauthy admin-kontoer er MFA påkrevd.
+ source: 'Kildekoden finnes her' + }, + error: { + needsAdminRole: 'For å få tilgang må du ha rollen rauthy_admin.', + noAdmin: `For Rauthy admin-kontoer er MFA påkrevd.
Gå til konto og aktiver MFA.
- Deretter må du logge ut og inn igjen`, - }, - events: { - eventLevel: "Hendelsesnivå", - eventType: "Hendelsestype", - }, - groups: { - delete1: "Skal denne gruppen slettes?", - name: "Gruppenavn", - }, - jwks: { - alg: "Algoritme", - p1: "Dette er Json Web Keys (JWKs) som brukes til signering av tokens.", - p2: `JWKs roteres automatisk den 1. hver måned. For alle nye tokens brukes alltid den nyeste versjonen av en nøkkel for den aktuelle algoritmen. Gamle nøkler beholdes en stund for å validere eksisterende tokens og slettes automatisk etter en tid.`, - p3: `Nøkler kan også roteres manuelt. Avhengig av maskinvaren denne Rauthy-instansen kjører på, kan dette ta noen sekunder.`, - type: "Type", - rotateKeys: "Roter nøkler", - }, - nav: { - apiKeys: "API-nøkler", - attributes: "Attributter", - blacklist: "Svarteliste", - clients: "Klienter", - config: "Konfigurasjon", - docs: "Dokumentasjon", - events: "Hendelser", - groups: "Grupper", - providers: "Leverandører", - roles: "Roller", - scopes: "Scopes", - sessions: "Økter", - users: "Brukere", - }, - options: { - expires: "Utløper", - lastSeen: "Sist sett", - state: "Status", - }, - pam: { - addGroup: "Ny PAM-gruppe", - addHost: "Ny PAM-vert", - addUser: "Ny PAM-bruker", - deleteHost: "Skal denne verten slettes?", - groupDescGeneric: `Generiske grupper tilsvarer oppføringer man vanligvis finner i /etc/group. Brukere kan tilordnes disse og de returneres til systemet via NSS-oppslag.`, - groupDescHost: `Vertgrupper brukes til å gruppere verter. NSS-oppslag av en vert i gruppen returnerer alle andre verter i gruppen. Brukere får tilgang til verter ved å tilordnes en vertgruppe.`, - groupDescLocal: `Lokale grupper oppfører seg nesten identisk med generiske grupper, med den forskjellen at de har en ID i Rauthy-databasen, men NSS-proxyen på den aktuelle verten kobler dem til en ID fra /etc/group. Slik kan Rauthy-brukere tilordnes grupper som allerede finnes lokalt.`, - groupDescUser: `Brukergrupper administreres automatisk og er tett koblet til brukeren med samme brukernavn.`, - groupDescWheel: `Denne gruppen er spesiell. Den er uforanderlig og tildeles brukere dynamisk avhengig av gruppeoppsettet.`, - groupName: "Gruppenavn", - groups: "Grupper", - groupType: "Gruppetype", - hostAliases: "Vert-aliaser", - hostLocalPwdOnly: "Lokal passordpålogging", - hostLocalPwdOnlyInfo: `Hvis lokal passordpålogging er aktivert, overstyrer dette tvungen MFA for lokale pålogginger. Det vil heller aldri bli bedt om passnøkkel (lokalt), selv om brukeren har MFA aktivert. Denne innstillingen bør kun brukes hvis det er absolutt nødvendig, for eksempel hvis MFA-sikrede brukere skal kunne logge inn lokalt uten å bruke maskinvare-passnøkler.`, - ipAddresses: "IP-adresser", - member: "Medlem", - nameExistsAlready: "Navnet er allerede tatt", - notes: "Notater", - secretShow: "Vis hemmelighet", - secretRotate: "Roter hemmelighet", - userEmail: "Koblet bruker-e-post", - username: "Brukernavn", - usernameNewDesc: `Brukernavnet bør velges nøye. Når det er opprettet, kan det ikke enkelt endres senere av sikkerhetsgrunner.`, - }, - passwordPolicy: { - configDesc: "Regler for nye passord.", - resetSet0: "Verdien 0 deaktiverer kravet.", - validForDays: "Gyldig i dager", - validityNew: "Gyldighet for nye passord.", - }, - providers: { - config: { - allowInsecureTls: "Tillat usikker TLS", - autoLink: "Auto-link bruker", - autoLinkDesc1: `Hvis auto-link bruker er aktivert, vil en eventuell eksisterende, ikke-koblet bruker automatisk kobles til denne leverandøren ved innlogging.`, - autoLinkDesc2: `ADVARSEL: Dette kan være svært farlig og føre til kontoovertakelse hvis leverandøren ikke utfører fullstendig e-postverifisering og lar en fremmed adresse bli registrert for en bruker! MÅ ALDRI brukes i slike tilfeller!`, - clientName: "Klientnavn", - custRootCa: "Egen Root CA PEM", - descAuthMethod: `Autentiseringsmetoden som skal brukes på /token-endepunktet.
De fleste leverandører bør fungere med basic, noen kun med post. I sjeldne tilfeller må begge aktiveres, selv om det kan føre til feil med andre leverandører.`, - descClientId: "Klient-ID gitt av leverandøren.", - descClientName: "Klientnavn som skal vises på Rauthy-innloggingssiden.", - descClientSecret: `Klienthemmelighet gitt av leverandøren. Minst én hemmelighet eller PKCE må være aktivert.`, - descScope: `Omfanget klienten skal bruke ved omdirigering til innlogging. Verdier skilles med mellomrom.`, - errNoAuthMethod: "Du har oppgitt en klienthemmelighet, men ingen autentiseringsmetode er aktiv", - errConfidential: "Må være enten en følsom klient eller bruke PKCE", - jsonPath: { - p1: "Verdier fra ID-token etter vellykket innlogging kan mappes automatisk.", - p2: `Stien må oppgis i regex-lignende syntaks. Den kan referere til enkeltverdier eller verdier i et JSON-objekt eller array.`, - p3: "$. markerer starten på JSON-objektet", - p4: "* kan brukes som jokertegn i stien", - p5: "$.roles vil treffe {\"roles\": \"verdi\"}", - p6: `$.roles.* kan treffe en verdi i et objekt eller array som
{\"roles\": [\"verdi\", \"ikkeMinVerdi\"]}`, - }, - lookup: "Søk", - pathAdminClaim: "Sti til admin-claim", - pathMfaClaim: "Sti til MFA-claim", - rootPemCert: "Root PEM-sertifikat", - mapMfa: `Hvis leverandøren gir en claim som indikerer at brukeren har brukt minst 2FA ved innlogging, kan du oppgi stien til MFA-claimen her.`, - mapUser: `Du kan mappe en bruker til å være Rauthy-admin basert på en upstream ID-claim.`, - valueAdminClaim: "Verdi for admin-claim", - valueMfaClaim: "Verdi for MFA-claim", - }, - delete: { - areYouSure: "Er du sikker på at denne leverandøren skal slettes?", - forceDelete: "Tving sletting", - isInUse1: "Denne leverandøren brukes av aktive brukere!", - isInUse2: `Du kan tvinge sletting, men brukere uten lokalt passord eller passnøkkel vil ikke kunne logge inn lenger.`, - linkedUsers: "Koblede brukere", - }, - }, - roles: { - adminNoMod: "Rollen rauthy_admin kan ikke endres.", - delete1: "Skal denne rollen slettes?", - name: "Rollenavn", - }, - scopes: { - defaultNoMod: "Dette er en standard OIDC Scope. Disse kan ikke endres.", - delete1: "Skal denne scope slettes?", - deleteDefault: "OIDC standard scopes kan ikke slettes", - mapping1: "Bruker-attributter kan mappes til egne scopes.", - mapping2: `Hvert eksisterende attributt har en egen verdi per bruker. Disse attributtene kan mappes til en scope og vil da inkluderes i Access- eller ID-tokenet.`, - name: "Scope-navn", - }, - sessions: { - invalidateAll: "Invalidér alle økter", - }, - search: { - orderBy: "Sorter etter ...", - orderChangeToAsc: "Bytt til stigende sortering", - orderChangeToDesc: "Bytt til synkende sortering", - }, - tabs: { - config: "Konfigurasjon", - delete: "Slett", - }, - users: { - antiLockout: { - rule: 'Anti-lockout-regel', - delete: 'kan ikke slettes', - disable: 'kan ikke deaktiveres', - rauthyAdmin: 'rauthy_admin-rollen kan ikke fjernes', - }, - attributes: "Attributter", - deleteUser: "Skal denne brukeren slettes?", - descAttr: `Sett individuelle bruker-attributter. Alle nøkkel/verdi-par håndteres som String/JSON-verdi.`, - forceLogout: `Skal alle økter for denne brukeren invalidiseres og alle refresh tokens slettes?`, - lastLogin: "Siste innlogging", - manualInitDesc: `Brukeren kan også initialiseres her. I så fall må passordet kommuniseres direkte.`, - manualInit: "Manuell initialisering", - mfaDelete1: "Passnøkler for denne brukeren kan slettes.", - mfaDelete2: `Advarsel! Sletting av en passnøkkel kan ikke angres uten at brukeren registrerer seg på nytt.`, - noMfaKeys: "Denne brukeren har ingen registrerte passnøkler.", - pkOnly1: "Dette er en passkey-only-konto.", - pkOnly2: "Det betyr at denne brukeren bruker passordløs innlogging og ikke har noe passord satt.", - pkOnly3: `Hvis denne brukeren har mistet alle passnøkler, kan kontoen tilbakestilles og en ny e-post for tilbakestilling av passord sendes. For å gjøre dette, gå til 'MFA'-fanen og slett alle eksisterende passnøkler først.`, - pwdNoInit: "Brukeren har ikke gjennomført den første tilbakestillingen av passord ennå.", - pwdSendEmailBtn: "Send e-post for tilbakestilling", - pwdSendEmailDesc: "Du kan sende en ny e-post for tilbakestilling hvis brukeren ikke har mottatt en.", - savePassword: "Lagre passord", - selfServiceDesc: "Du kan enten sette et nytt passord eller sende en e-post for tilbakestilling.", - sendResetEmail: "Send e-post for tilbakestilling", - }, - validation: { - css: "Gyldig CSS-verdi", - origin: "Gyldig origin", - uri: "Gyldig URI", - }, + Deretter må du logge ut og inn igjen` + }, + events: { + eventLevel: 'Hendelsesnivå', + eventType: 'Hendelsestype' + }, + groups: { + delete1: 'Skal denne gruppen slettes?', + name: 'Gruppenavn' + }, + jwks: { + alg: 'Algoritme', + p1: 'Dette er Json Web Keys (JWKs) som brukes til signering av tokens.', + p2: `JWKs roteres automatisk den 1. hver måned. For alle nye tokens brukes alltid den nyeste versjonen av en nøkkel for den aktuelle algoritmen. Gamle nøkler beholdes en stund for å validere eksisterende tokens og slettes automatisk etter en tid.`, + p3: `Nøkler kan også roteres manuelt. Avhengig av maskinvaren denne Rauthy-instansen kjører på, kan dette ta noen sekunder.`, + type: 'Type', + rotateKeys: 'Roter nøkler' + }, + nav: { + apiKeys: 'API-nøkler', + attributes: 'Attributter', + blacklist: 'Svarteliste', + clients: 'Klienter', + config: 'Konfigurasjon', + docs: 'Dokumentasjon', + events: 'Hendelser', + groups: 'Grupper', + providers: 'Leverandører', + roles: 'Roller', + scopes: 'Scopes', + sessions: 'Økter', + users: 'Brukere' + }, + options: { + expires: 'Utløper', + lastSeen: 'Sist sett', + state: 'Status' + }, + pam: { + addGroup: 'Ny PAM-gruppe', + addHost: 'Ny PAM-vert', + addUser: 'Ny PAM-bruker', + deleteHost: 'Skal denne verten slettes?', + groupDescGeneric: `Generiske grupper tilsvarer oppføringer man vanligvis finner i /etc/group. Brukere kan tilordnes disse og de returneres til systemet via NSS-oppslag.`, + groupDescHost: `Vertgrupper brukes til å gruppere verter. NSS-oppslag av en vert i gruppen returnerer alle andre verter i gruppen. Brukere får tilgang til verter ved å tilordnes en vertgruppe.`, + groupDescLocal: `Lokale grupper oppfører seg nesten identisk med generiske grupper, med den forskjellen at de har en ID i Rauthy-databasen, men NSS-proxyen på den aktuelle verten kobler dem til en ID fra /etc/group. Slik kan Rauthy-brukere tilordnes grupper som allerede finnes lokalt.`, + groupDescUser: `Brukergrupper administreres automatisk og er tett koblet til brukeren med samme brukernavn.`, + groupDescWheel: `Denne gruppen er spesiell. Den er uforanderlig og tildeles brukere dynamisk avhengig av gruppeoppsettet.`, + groupName: 'Gruppenavn', + groups: 'Grupper', + groupType: 'Gruppetype', + hostAliases: 'Vert-aliaser', + hostLocalPwdOnly: 'Lokal passordpålogging', + hostLocalPwdOnlyInfo: `Hvis lokal passordpålogging er aktivert, overstyrer dette tvungen MFA for lokale pålogginger. Det vil heller aldri bli bedt om passnøkkel (lokalt), selv om brukeren har MFA aktivert. Denne innstillingen bør kun brukes hvis det er absolutt nødvendig, for eksempel hvis MFA-sikrede brukere skal kunne logge inn lokalt uten å bruke maskinvare-passnøkler.`, + ipAddresses: 'IP-adresser', + member: 'Medlem', + nameExistsAlready: 'Navnet er allerede tatt', + notes: 'Notater', + secretShow: 'Vis hemmelighet', + secretRotate: 'Roter hemmelighet', + userEmail: 'Koblet bruker-e-post', + username: 'Brukernavn', + usernameNewDesc: `Brukernavnet bør velges nøye. Når det er opprettet, kan det ikke enkelt endres senere av sikkerhetsgrunner.` + }, + passwordPolicy: { + configDesc: 'Regler for nye passord.', + resetSet0: 'Verdien 0 deaktiverer kravet.', + validForDays: 'Gyldig i dager', + validityNew: 'Gyldighet for nye passord.' + }, + providers: { + config: { + allowInsecureTls: 'Tillat usikker TLS', + autoLink: 'Auto-link bruker', + autoLinkDesc1: `Hvis auto-link bruker er aktivert, vil en eventuell eksisterende, ikke-koblet bruker automatisk kobles til denne leverandøren ved innlogging.`, + autoLinkDesc2: `ADVARSEL: Dette kan være svært farlig og føre til kontoovertakelse hvis leverandøren ikke utfører fullstendig e-postverifisering og lar en fremmed adresse bli registrert for en bruker! MÅ ALDRI brukes i slike tilfeller!`, + clientName: 'Klientnavn', + custRootCa: 'Egen Root CA PEM', + descAuthMethod: `Autentiseringsmetoden som skal brukes på /token-endepunktet.
De fleste leverandører bør fungere med basic, noen kun med post. I sjeldne tilfeller må begge aktiveres, selv om det kan føre til feil med andre leverandører.`, + descClientId: 'Klient-ID gitt av leverandøren.', + descClientName: 'Klientnavn som skal vises på Rauthy-innloggingssiden.', + descClientSecret: `Klienthemmelighet gitt av leverandøren. Minst én hemmelighet eller PKCE må være aktivert.`, + descScope: `Omfanget klienten skal bruke ved omdirigering til innlogging. Verdier skilles med mellomrom.`, + errNoAuthMethod: + 'Du har oppgitt en klienthemmelighet, men ingen autentiseringsmetode er aktiv', + errConfidential: 'Må være enten en følsom klient eller bruke PKCE', + jsonPath: { + p1: 'Verdier fra ID-token etter vellykket innlogging kan mappes automatisk.', + p2: `Stien må oppgis i regex-lignende syntaks. Den kan referere til enkeltverdier eller verdier i et JSON-objekt eller array.`, + p3: '$. markerer starten på JSON-objektet', + p4: '* kan brukes som jokertegn i stien', + p5: '$.roles vil treffe {"roles": "verdi"}', + p6: `$.roles.* kan treffe en verdi i et objekt eller array som
{\"roles\": [\"verdi\", \"ikkeMinVerdi\"]}` + }, + lookup: 'Søk', + pathAdminClaim: 'Sti til admin-claim', + pathMfaClaim: 'Sti til MFA-claim', + rootPemCert: 'Root PEM-sertifikat', + mapMfa: `Hvis leverandøren gir en claim som indikerer at brukeren har brukt minst 2FA ved innlogging, kan du oppgi stien til MFA-claimen her.`, + mapUser: `Du kan mappe en bruker til å være Rauthy-admin basert på en upstream ID-claim.`, + valueAdminClaim: 'Verdi for admin-claim', + valueMfaClaim: 'Verdi for MFA-claim' + }, + delete: { + areYouSure: 'Er du sikker på at denne leverandøren skal slettes?', + forceDelete: 'Tving sletting', + isInUse1: 'Denne leverandøren brukes av aktive brukere!', + isInUse2: `Du kan tvinge sletting, men brukere uten lokalt passord eller passnøkkel vil ikke kunne logge inn lenger.`, + linkedUsers: 'Koblede brukere' + } + }, + roles: { + adminNoMod: 'Rollen rauthy_admin kan ikke endres.', + delete1: 'Skal denne rollen slettes?', + name: 'Rollenavn' + }, + scopes: { + defaultNoMod: 'Dette er en standard OIDC Scope. Disse kan ikke endres.', + delete1: 'Skal denne scope slettes?', + deleteDefault: 'OIDC standard scopes kan ikke slettes', + mapping1: 'Bruker-attributter kan mappes til egne scopes.', + mapping2: `Hvert eksisterende attributt har en egen verdi per bruker. Disse attributtene kan mappes til en scope og vil da inkluderes i Access- eller ID-tokenet.`, + name: 'Scope-navn' + }, + sessions: { + invalidateAll: 'Invalidér alle økter' + }, + search: { + orderBy: 'Sorter etter ...', + orderChangeToAsc: 'Bytt til stigende sortering', + orderChangeToDesc: 'Bytt til synkende sortering' + }, + tabs: { + config: 'Konfigurasjon', + delete: 'Slett' + }, + tos: { + addNewToS: 'Add new ToS', + checkStatus: 'Check user status', + immutable: `CAUTION: After adding new Terms of Service, they are immutable and cannot be + deleted!`, + noneExist: 'No Terms of Service have been added yet.', + tos: 'ToS' + }, + users: { + antiLockout: { + rule: 'Anti-lockout-regel', + delete: 'kan ikke slettes', + disable: 'kan ikke deaktiveres', + rauthyAdmin: 'rauthy_admin-rollen kan ikke fjernes' + }, + attributes: 'Attributter', + deleteUser: 'Skal denne brukeren slettes?', + descAttr: `Sett individuelle bruker-attributter. Alle nøkkel/verdi-par håndteres som String/JSON-verdi.`, + forceLogout: `Skal alle økter for denne brukeren invalidiseres og alle refresh tokens slettes?`, + lastLogin: 'Siste innlogging', + manualInitDesc: `Brukeren kan også initialiseres her. I så fall må passordet kommuniseres direkte.`, + manualInit: 'Manuell initialisering', + mfaDelete1: 'Passnøkler for denne brukeren kan slettes.', + mfaDelete2: `Advarsel! Sletting av en passnøkkel kan ikke angres uten at brukeren registrerer seg på nytt.`, + noMfaKeys: 'Denne brukeren har ingen registrerte passnøkler.', + pkOnly1: 'Dette er en passkey-only-konto.', + pkOnly2: + 'Det betyr at denne brukeren bruker passordløs innlogging og ikke har noe passord satt.', + pkOnly3: `Hvis denne brukeren har mistet alle passnøkler, kan kontoen tilbakestilles og en ny e-post for tilbakestilling av passord sendes. For å gjøre dette, gå til 'MFA'-fanen og slett alle eksisterende passnøkler først.`, + pwdNoInit: 'Brukeren har ikke gjennomført den første tilbakestillingen av passord ennå.', + pwdSendEmailBtn: 'Send e-post for tilbakestilling', + pwdSendEmailDesc: + 'Du kan sende en ny e-post for tilbakestilling hvis brukeren ikke har mottatt en.', + savePassword: 'Lagre passord', + selfServiceDesc: + 'Du kan enten sette et nytt passord eller sende en e-post for tilbakestilling.', + sendResetEmail: 'Send e-post for tilbakestilling' + }, + validation: { + css: 'Gyldig CSS-verdi', + origin: 'Gyldig origin', + uri: 'Gyldig URI' + } }; diff --git a/frontend/src/i18n/common/de.ts b/frontend/src/i18n/common/de.ts index 5aab88989..c6e54277a 100644 --- a/frontend/src/i18n/common/de.ts +++ b/frontend/src/i18n/common/de.ts @@ -1,268 +1,282 @@ -import {type I18n} from "./interface"; +import { type I18n } from './interface'; export const I18nDe: I18n = { - lang: "de", - common: { - activeTheme: "Aktives Farbschema", - authenticate: "Authentifizieren", - cancel: "Abbrechen", - changeTheme: "Farbschema wechseln - Aktiv: {{ CURRENT }}", - close: "Schließen", - copyToClip: "Wert in Zwischenablage kopieren", - delete: "Löschen", - details: "Details", - email: "E-Mail", - errTooShort: "Eingabe zu kurz", - errTooLong: "Eingabe zu lang", - expandContent: "Inhalt ausklappen", - hide: "Verbergen", - hours: "Stunden", - invalidInput: "Ungültige Eingabe", - legend: "Legende", - maxFileSize: "Maximale Dateigröße", - minutes: "Minuten", - month: "Monat", - months: [ - "Januar", - "Februar", - "März", - "April", - "Mai", - "Juni", - "Juli", - "August", - "September", - "Oktober", - "November", - "Dezember" - ], - never: "Niemals", - password: "Passwort", - refresh: "Erneuern", - required: "Notwendig", - save: "Speichern", - search: "Suchen", - seconds: "Sekunden", - selectI18n: "Sprache wählen", - show: "Anzeigen", - summary: "Zusammenfassung", - weekDaysShort: [ - "Mo", - "Di", - "Mi", - "Do", - "Fr", - "Sa", - "So", - ], - year: "Jahr", - }, - account: { - account: "Benutzer Account", - accType: "Account Typ", - accTypePasskeyText1: "Dies ist ein \"Passkey-Only\" Account. Das bedeutet, dass\ndieser Account kein Passwort hat und auch keines benötigt.", - accTypePasskeyText2: "Der Account kann in einen Passwort-Account umgewandelt\nwerden. Das würde allerdings bedeuten, dass ein Login auf einem neuen Gerät ohne vorherige, zumindest\neinmalige zusätzliche Verifizierung des Passwortes nicht mehr möglich sein wird.", - accTypePasskeyText3: "Soll dieser Account gewandelt und ein Passwort hinzugefügt werden?", - accessExp: "Zugang erlischt", - accessRenew: "Zugang erneuerbar bis", - accessRenewDelete: "Möglichkeit zur Erneuerung löschen", - birthdate: "Geburtsdatum", - canModifyFor: "Passkeys können modifiziert werden für:", - city: "Stadt", - changePassword: "Passwort wechseln", - convertAccount: "Account Umwandeln", - convertAccountP1: "Dieser Account kann in einen Passkey-Only Account umgewandelt\nwerden. Diese Umwandling löscht das Passwort und erlaubt den alleinigen Login mit den registrieren\nPasskeys. Nur Passkeys mit zusätzlicher Benutzerverifizierung werden akzeptiert. Diese sind auf der\n'MFA' Seite durch das zusätzliche Symbol hinter dem Passkey Namen gekennzeichnet.", - country: "Land", - deviceId: "ID", - deviceName: "Name", - devices: "Geräte", - devicesDesc: "Mit diesem Account verknüpfte Geräte", - emailUpdateConfirm: "Die E-Mail Adresse wurde noch nicht aktualisiert. Eine Nachricht\nmit einem Bestätigungslink wurde an die neue Adresse geschickt. Das Update muss über den\nenthaltenen Link bestätigt werden. Nach der Bestätigung wird die neue Adresse gesetzt.", - emailVerified: "E-Mail verifiziert", - familyName: "Nachname", - federatedConvertPassword1: "Dies ist ein verknüpfter Account. Das bedeutet, dass\nder Login via externem Provider zur Authenzifizierung geschieht. Der derzeitige Provider ist:", - federatedConvertPassword2: "Es kann ein Passwort Reset via E-Mail angefordert\nwerden. Das würde nach Abschluss diesem Account ein lokales Passwort hinzufügen. Danach wäre der\nLogin entweder per externem Provider oder lokalem Password möglich. Passwort Reset anfordern?", - generateRandom: "Zufällig generiert", - givenName: "Vorname", - groups: "Gruppen", - key: "Schlüssel", - keyUnique: "Schlüssel muss einzigartig sein", - lastLogin: "Letzter Login", - mfaActivated: "MFA aktiviert", - navInfo: "Info", - navEdit: "Editieren", - navMfa: "MFA", - navLogout: "Logout", - other: "Sonstiges", - pam: { - generatePassword: "Neues Passwort", - username: 'Benutzername', - validFor: "Passwort gültig für {{ secs }} Sekunden", - }, - passwordConfirm: "Passwort bestätigen", - passwordCurr: "Derzeitiges Passwort", - passwordCurrReq: "Derzeitiges Passwort ist notwendig", - passwordNew: "Neues Passwort", - passwordNewReq: "Neues Passwort ist notwendig", - passwordNoMatch: "Passwörter stimmen nicht überein", - passwordExpiry: "Passwort Ablauf", - passwordPolicyFollow: "Befolgen Sie die Passwort Regeln", - passwordReset: "Passwort Reset", - phone: "Telefon", - providerLink: "Account Verbinden", - providerLinkDesc: "Dieser Account kann mit einem der folgenden Login Provider\nverbunden werden. Nach der Aktivierung des Prozesses wird eine Weiterleitung auf die Login Seite\ndes gewählten Providers ausgelöst. Nach erfolgreichem Login und bei Übereinstimmung der E-Mail\nAdressen wird dieser Account verknüpft.", - providerUnlink: "Verbindung Trennen", - providerUnlinkDesc: "Nur wenn mindestens ein Passwort oder ein Passkey für diesen\nAccount gesetzt ist, kann die Verbindung zum Provider gelöst werden.", - regDate: "Datum der Registrierung", - regIp: "Registrierung von IP", - roles: "Rollen", - street: "Straße", - user: "Benutzer", - userCreated: "Benutzer erstellt", - userEnabled: "Benutzer Aktiviert", - userExpiry: "Benutzer Ablauf", - userVerifiedTooltip: "Abgesichert durch Fingerabdruck oder PIN", - webIdDesc: "Hier können Sie die Felder festlegen, die über Ihre WebID veröffentlicht\nwerden. Dies ist ein Feature, was von manchen Netzwerken für dezentrale Logins genutzt wird.\nSollten Sie nicht wissen, was die WebID ist, brauchen Sie sie höchstwahrscheinlich nicht.", - webIdDescData: "Sie können eigene Daten zu Ihrer WebID in gültigem FOAF Vokabular\nhinzufügen:", - webIdExpertMode: "Expertenmodus aktivieren", - zip: "PLZ" - }, - authorize: { - clientForceMfa: "Dieser Login setzt MFA voraus für eine erhöhte Sicherheit.\nUm Zugang zu bekommen, müssen Sie sie in Ihren Account einloggen und mindestens einen Passkey\nhinzufügen.", - clientGroupPrefixForbidden: "Fehlende Gruppenzugehörigkeit für diesen Login", - email: "E-Mail", - emailBadFormat: "Inkorrektes E-Mail Format", - emailRequired: "E-Mail ist notwendig", - emailSentMsg: "Sollte Ihre Adresse registriert sein, wurde eine Nachricht versandt", - expectingPasskey: "Erwarte Authentifizierung per Passkey", - http429: "Zu viele ungültige Versuche. Gesperrt bis:", - invalidCredentials: "Ungültige Zugangsdaten", - invalidKeyUsed: "Ungültiger Sicherheitsschlüssel", - login: "Login", - mfaAck: "Bestätigt", - orLoginWith: "oder einloggen mit", - password: "Password", - passwordForgotten: "Password vergessen?", - passwordRequest: "Anfordern", - passwordRequired: "Password ist notwendig", - passwordResetDesc: `Bitte E-Mail Adresse angeben, um einen Password Reset Link anzufordern. Sollte die Adresse + lang: 'de', + common: { + accept: 'Akzeptieren', + activeTheme: 'Aktives Farbschema', + authenticate: 'Authentifizieren', + cancel: 'Abbrechen', + changeTheme: 'Farbschema wechseln - Aktiv: {{ CURRENT }}', + close: 'Schließen', + copyToClip: 'Wert in Zwischenablage kopieren', + delete: 'Löschen', + details: 'Details', + email: 'E-Mail', + errTooShort: 'Eingabe zu kurz', + errTooLong: 'Eingabe zu lang', + expandContent: 'Inhalt ausklappen', + hide: 'Verbergen', + hours: 'Stunden', + invalidInput: 'Ungültige Eingabe', + legend: 'Legende', + maxFileSize: 'Maximale Dateigröße', + minutes: 'Minuten', + month: 'Monat', + months: [ + 'Januar', + 'Februar', + 'März', + 'April', + 'Mai', + 'Juni', + 'Juli', + 'August', + 'September', + 'Oktober', + 'November', + 'Dezember' + ], + never: 'Niemals', + password: 'Passwort', + refresh: 'Erneuern', + required: 'Notwendig', + save: 'Speichern', + search: 'Suchen', + seconds: 'Sekunden', + selectI18n: 'Sprache wählen', + show: 'Anzeigen', + summary: 'Zusammenfassung', + weekDaysShort: ['Mo', 'Di', 'Mi', 'Do', 'Fr', 'Sa', 'So'], + year: 'Jahr' + }, + account: { + account: 'Benutzer Account', + accType: 'Account Typ', + accTypePasskeyText1: + 'Dies ist ein "Passkey-Only" Account. Das bedeutet, dass\ndieser Account kein Passwort hat und auch keines benötigt.', + accTypePasskeyText2: + 'Der Account kann in einen Passwort-Account umgewandelt\nwerden. Das würde allerdings bedeuten, dass ein Login auf einem neuen Gerät ohne vorherige, zumindest\neinmalige zusätzliche Verifizierung des Passwortes nicht mehr möglich sein wird.', + accTypePasskeyText3: 'Soll dieser Account gewandelt und ein Passwort hinzugefügt werden?', + accessExp: 'Zugang erlischt', + accessRenew: 'Zugang erneuerbar bis', + accessRenewDelete: 'Möglichkeit zur Erneuerung löschen', + birthdate: 'Geburtsdatum', + canModifyFor: 'Passkeys können modifiziert werden für:', + city: 'Stadt', + changePassword: 'Passwort wechseln', + convertAccount: 'Account Umwandeln', + convertAccountP1: + "Dieser Account kann in einen Passkey-Only Account umgewandelt\nwerden. Diese Umwandling löscht das Passwort und erlaubt den alleinigen Login mit den registrieren\nPasskeys. Nur Passkeys mit zusätzlicher Benutzerverifizierung werden akzeptiert. Diese sind auf der\n'MFA' Seite durch das zusätzliche Symbol hinter dem Passkey Namen gekennzeichnet.", + country: 'Land', + deviceId: 'ID', + deviceName: 'Name', + devices: 'Geräte', + devicesDesc: 'Mit diesem Account verknüpfte Geräte', + emailUpdateConfirm: + 'Die E-Mail Adresse wurde noch nicht aktualisiert. Eine Nachricht\nmit einem Bestätigungslink wurde an die neue Adresse geschickt. Das Update muss über den\nenthaltenen Link bestätigt werden. Nach der Bestätigung wird die neue Adresse gesetzt.', + emailVerified: 'E-Mail verifiziert', + familyName: 'Nachname', + federatedConvertPassword1: + 'Dies ist ein verknüpfter Account. Das bedeutet, dass\nder Login via externem Provider zur Authenzifizierung geschieht. Der derzeitige Provider ist:', + federatedConvertPassword2: + 'Es kann ein Passwort Reset via E-Mail angefordert\nwerden. Das würde nach Abschluss diesem Account ein lokales Passwort hinzufügen. Danach wäre der\nLogin entweder per externem Provider oder lokalem Password möglich. Passwort Reset anfordern?', + generateRandom: 'Zufällig generiert', + givenName: 'Vorname', + groups: 'Gruppen', + key: 'Schlüssel', + keyUnique: 'Schlüssel muss einzigartig sein', + lastLogin: 'Letzter Login', + mfaActivated: 'MFA aktiviert', + navInfo: 'Info', + navEdit: 'Editieren', + navMfa: 'MFA', + navLogout: 'Logout', + other: 'Sonstiges', + pam: { + generatePassword: 'Neues Passwort', + username: 'Benutzername', + validFor: 'Passwort gültig für {{ secs }} Sekunden' + }, + passwordConfirm: 'Passwort bestätigen', + passwordCurr: 'Derzeitiges Passwort', + passwordCurrReq: 'Derzeitiges Passwort ist notwendig', + passwordNew: 'Neues Passwort', + passwordNewReq: 'Neues Passwort ist notwendig', + passwordNoMatch: 'Passwörter stimmen nicht überein', + passwordExpiry: 'Passwort Ablauf', + passwordPolicyFollow: 'Befolgen Sie die Passwort Regeln', + passwordReset: 'Passwort Reset', + phone: 'Telefon', + providerLink: 'Account Verbinden', + providerLinkDesc: + 'Dieser Account kann mit einem der folgenden Login Provider\nverbunden werden. Nach der Aktivierung des Prozesses wird eine Weiterleitung auf die Login Seite\ndes gewählten Providers ausgelöst. Nach erfolgreichem Login und bei Übereinstimmung der E-Mail\nAdressen wird dieser Account verknüpft.', + providerUnlink: 'Verbindung Trennen', + providerUnlinkDesc: + 'Nur wenn mindestens ein Passwort oder ein Passkey für diesen\nAccount gesetzt ist, kann die Verbindung zum Provider gelöst werden.', + regDate: 'Datum der Registrierung', + regIp: 'Registrierung von IP', + roles: 'Rollen', + street: 'Straße', + user: 'Benutzer', + userCreated: 'Benutzer erstellt', + userEnabled: 'Benutzer Aktiviert', + userExpiry: 'Benutzer Ablauf', + userVerifiedTooltip: 'Abgesichert durch Fingerabdruck oder PIN', + webIdDesc: + 'Hier können Sie die Felder festlegen, die über Ihre WebID veröffentlicht\nwerden. Dies ist ein Feature, was von manchen Netzwerken für dezentrale Logins genutzt wird.\nSollten Sie nicht wissen, was die WebID ist, brauchen Sie sie höchstwahrscheinlich nicht.', + webIdDescData: 'Sie können eigene Daten zu Ihrer WebID in gültigem FOAF Vokabular\nhinzufügen:', + webIdExpertMode: 'Expertenmodus aktivieren', + zip: 'PLZ' + }, + authorize: { + clientForceMfa: + 'Dieser Login setzt MFA voraus für eine erhöhte Sicherheit.\nUm Zugang zu bekommen, müssen Sie sie in Ihren Account einloggen und mindestens einen Passkey\nhinzufügen.', + clientGroupPrefixForbidden: 'Fehlende Gruppenzugehörigkeit für diesen Login', + email: 'E-Mail', + emailBadFormat: 'Inkorrektes E-Mail Format', + emailRequired: 'E-Mail ist notwendig', + emailSentMsg: 'Sollte Ihre Adresse registriert sein, wurde eine Nachricht versandt', + expectingPasskey: 'Erwarte Authentifizierung per Passkey', + http429: 'Zu viele ungültige Versuche. Gesperrt bis:', + invalidCredentials: 'Ungültige Zugangsdaten', + invalidKeyUsed: 'Ungültiger Sicherheitsschlüssel', + login: 'Login', + mfaAck: 'Bestätigt', + orLoginWith: 'oder einloggen mit', + password: 'Password', + passwordForgotten: 'Password vergessen?', + passwordRequest: 'Anfordern', + passwordRequired: 'Password ist notwendig', + passwordResetDesc: `Bitte E-Mail Adresse angeben, um einen Password Reset Link anzufordern. Sollte die Adresse in der Datenbank existieren, wird and diese ein Link verschickt.`, - passwordResetSuccess: "Anfrage erhalten. Dieses Fenster kann nun geschlossen werden.", - requestExpires: "Anfrage läuft ab", - requestExpired: "Anfrage ist abgelaufen", - signUp: "Benutzer Registrierung", - validEmail: "Gültige E-Mail Adresse angeben", - }, - device: { - accept: "Akzeptieren", - autoRedirectAccount: "Automatische Weiterleitung zum Account folgt", - closeWindow: "Dieses Fenster kann nun geschlossen werden.", - decline: "Ablehnen", - desc: "Bitte den {{count}}-stelligen vom Gerät angezeigten Benutzer Code eingeben.", - descScopes: "Das Gerät fragt Zugang an zu:", - isAccepted: "Die Anfrage wurde akzeptiert", - isDeclined: "Die Anfrage wurde abgewiesen", - submit: "Absenden", - title: "Gerät Authorisierung", - userCode: "Benutzer Code", - wrongOrExpired: "Ungültiger oder abgelaufener Code" - }, - emailChange: { - title: "E-Mail Wechsel bestätigt", - textChanged: "Ihre E-Mail Adresse wurde erfolgreich geändert von", - textLogin: "Sie können sich jetzt mit der neuen Adresse einloggen.", - to: "zu", - }, - error: { - // errorText: "Die angeforderte Seite konnte nicht gefunden werden.", - details: "Details Anzeigen", - // detailsText: undefined, - }, - index: { - register: "Registrieren", - accountLogin: "Account", - adminLogin: "Admin", - }, - logout: { - logout: "Logout", - confirmMsg: "Sind Sie sicher, dass Sie sich ausloggen und die Session beenden möchten?", - cancel: "Abbrechen" - }, - mfa: { - p1: "Wenn Sie mehrere Systeme parallel nutzen möchten, wie z.B. Windows und Android, sollten Sie die Registrierung mit Android durchführen.", - p2: "Android ist diejenige Plattform, die derzeit die wenigsten Features der passwortlosen Technologie unterstützt. Schlüssel, die dort registriert werden, funktionieren auf anderen Geräten gleichermaßen. Dies gilt jedoch nicht andersherum.", - errorReg: "Fehler beim Starten der Registrierung", - lastUsed: "Zuletzt genutzt", - noKey: "Es wurde in diesem Speicher noch kein Sicherheitsschlüssel registriert", - reAuthenticatePasskey: "Bevor Passkeys bearbeitet werden können, muss zuerst einer der bestehenden überprüft werden:", - reAuthenticatePwd: "Bevor Passkeys bearbeitet werden können, ist eine erneute Bestätigung des Passworts notwendig.", - register: "Registrieren", - registerNew: "Neuen Key Registrieren", - registerd: "Registriert", - registerdKeys: "Registrierte Keys", - passkeyName: "Passkey Name", - passkeyNameErr: "2 - 32 Buchstaben, keine Sonderzeichen", - passwordInvalid: "Ungültiges Password", - test: "Test", - testError: "Fehler beim Starten des Tests", - testSuccess: "Test erfolgreich" - }, - pagination: { - entries: "Einträge", - gotoPage: "Gehe zu Seite", - gotoPagePrev: "Gehe zu vorheriger Seite", - gotoPageNext: "Gehe zu nächster Seite", - pagination: "Seitennummerierung", - showCount: "Anzahl anzeigen", - total: "Gesamt", - }, - passwordPolicy: { - passwordPolicy: "Passwort Regeln", - lengthMin: "Länge min", - lengthMax: "Länge max", - lowercaseMin: "Kleinbuchstaben min", - uppercaseMin: "Großbuchstaben min", - digitsMin: "Ziffern min", - specialMin: "Spezielle Buchstaben min", - notRecent: "Keins der letzten Passwörter" - }, - passwordReset: { - accountLogin: "Account Login", - badFormat: "Ungültiges Format", - fidoLink: "https://fidoalliance.org/fido2", - generate: "Generieren", - newAccDesc1: "Sie haben die Option zwischen zwei Account Typen zu wählen: Passwortlos oder\ntraditionalles Passwort.", - newAccDesc2: "Der passwortlose Account Typ ist immer zu bevorzugen. Er bietet einen\nsehr viel höheren Sicherheitsstandard als traditionelle Passwörter und gleichzeitig einen einfacheren\nund schnelleren Login.\nDazu wird mindestens ein Passkey (Yubikey, Apple Touch ID, Windows Hello, ...) benötigt, welcher dem\nFIDO2 Standard gerecht wird. Für weitere Informationen können Sie diesem Link folgen: ", - newAccount: "Neuer Account", - passwordReset: "Passwort Zurücksetzen", - password: "Passwort", - passwordless: "Passkey", - passwordConfirm: "Passwort bestätigen", - passwordNoMatch: "Passwörter stimmen nicht überein", - required: "Notwendig", - save: "Speichern", - success1: "Das Passwort wurde erfolgreich zurückgesetzt.", - success2: "Sie werden in Kürze weitergeleitet.", - success3: "Sollte Sie nicht weitergeleitet werden, klicken Sie bitte hier:", - successPasskey1: "Der neue Passkey wurde erfolgreich registriert.", - successPasskey2: "Bitte loggen Sie sich direkt in Ihren Account ein und registrieren\nSie mindestens einen weiteren Backup Passkey. Ein passwortloser Account kann nicht den Passwort\nReset via E-Mail nutzen für den Fall, dass der derzeitige Passkey abhanden kommt." - }, - register: { - alreadyRegistered: "E-Mail is bereits registriert", - domainAllowed: "Erlaubte Domain:", - domainErr: "E-Mail Domain ist nicht erlaubt", - domainRestricted: "E-Mail Domains sind beschränkt", - email: "E-Mail", - emailBadFormat: "Ungültiges E-Mail Format", - emailCheck: "Bitte prüfen Sie Ihren E-Mail Posteingang", - regexName: "Name mit 2 - 32 Buchstaben ohne Sonderzeichen", - register: "Registrieren", - success: "Registrierung erfolgreich", - userReg: "Benutzer Registrierung" - }, - userRevoke: { - title: "Logins widerrufen", - desc1: "Sämtliche Logins und Sessions für diesen Benutzer wurden soweit wie möglich widerrufen.", - desc2: "Passwörter sollten auf der Stelle erneuert werden!", - } + passwordResetSuccess: 'Anfrage erhalten. Dieses Fenster kann nun geschlossen werden.', + requestExpires: 'Anfrage läuft ab', + requestExpired: 'Anfrage ist abgelaufen', + signUp: 'Benutzer Registrierung', + validEmail: 'Gültige E-Mail Adresse angeben' + }, + device: { + accept: 'Akzeptieren', + autoRedirectAccount: 'Automatische Weiterleitung zum Account folgt', + closeWindow: 'Dieses Fenster kann nun geschlossen werden.', + decline: 'Ablehnen', + desc: 'Bitte den {{count}}-stelligen vom Gerät angezeigten Benutzer Code eingeben.', + descScopes: 'Das Gerät fragt Zugang an zu:', + isAccepted: 'Die Anfrage wurde akzeptiert', + isDeclined: 'Die Anfrage wurde abgewiesen', + submit: 'Absenden', + title: 'Gerät Authorisierung', + userCode: 'Benutzer Code', + wrongOrExpired: 'Ungültiger oder abgelaufener Code' + }, + emailChange: { + title: 'E-Mail Wechsel bestätigt', + textChanged: 'Ihre E-Mail Adresse wurde erfolgreich geändert von', + textLogin: 'Sie können sich jetzt mit der neuen Adresse einloggen.', + to: 'zu' + }, + error: { + // errorText: "Die angeforderte Seite konnte nicht gefunden werden.", + details: 'Details Anzeigen' + // detailsText: undefined, + }, + index: { + register: 'Registrieren', + accountLogin: 'Account', + adminLogin: 'Admin' + }, + logout: { + logout: 'Logout', + confirmMsg: 'Sind Sie sicher, dass Sie sich ausloggen und die Session beenden möchten?', + cancel: 'Abbrechen' + }, + mfa: { + p1: 'Wenn Sie mehrere Systeme parallel nutzen möchten, wie z.B. Windows und Android, sollten Sie die Registrierung mit Android durchführen.', + p2: 'Android ist diejenige Plattform, die derzeit die wenigsten Features der passwortlosen Technologie unterstützt. Schlüssel, die dort registriert werden, funktionieren auf anderen Geräten gleichermaßen. Dies gilt jedoch nicht andersherum.', + p3: 'Für weitere Informationen, siehe', + errorReg: 'Fehler beim Starten der Registrierung', + lastUsed: 'Zuletzt genutzt', + noKey: 'Es wurde in diesem Speicher noch kein Sicherheitsschlüssel registriert', + reAuthenticatePasskey: + 'Bevor Passkeys bearbeitet werden können, muss zuerst einer der bestehenden überprüft werden:', + reAuthenticatePwd: + 'Bevor Passkeys bearbeitet werden können, ist eine erneute Bestätigung des Passworts notwendig.', + register: 'Registrieren', + registerNew: 'Neuen Key Registrieren', + registerd: 'Registriert', + registerdKeys: 'Registrierte Keys', + passkeyName: 'Passkey Name', + passkeyNameErr: '2 - 32 Buchstaben, keine Sonderzeichen', + passwordInvalid: 'Ungültiges Password', + test: 'Test', + testError: 'Fehler beim Starten des Tests', + testSuccess: 'Test erfolgreich', + docLinkText: '' + }, + pagination: { + entries: 'Einträge', + gotoPage: 'Gehe zu Seite', + gotoPagePrev: 'Gehe zu vorheriger Seite', + gotoPageNext: 'Gehe zu nächster Seite', + pagination: 'Seitennummerierung', + showCount: 'Anzahl anzeigen', + total: 'Gesamt' + }, + passwordPolicy: { + passwordPolicy: 'Passwort Regeln', + lengthMin: 'Länge min', + lengthMax: 'Länge max', + lowercaseMin: 'Kleinbuchstaben min', + uppercaseMin: 'Großbuchstaben min', + digitsMin: 'Ziffern min', + specialMin: 'Spezielle Buchstaben min', + notRecent: 'Keins der letzten Passwörter' + }, + passwordReset: { + accountLogin: 'Account Login', + badFormat: 'Ungültiges Format', + fidoLink: 'https://fidoalliance.org/fido2', + generate: 'Generieren', + newAccDesc1: + 'Sie haben die Option zwischen zwei Account Typen zu wählen: Passwortlos oder\ntraditionalles Passwort.', + newAccDesc2: + 'Der passwortlose Account Typ ist immer zu bevorzugen. Er bietet einen\nsehr viel höheren Sicherheitsstandard als traditionelle Passwörter und gleichzeitig einen einfacheren\nund schnelleren Login.\nDazu wird mindestens ein Passkey (Yubikey, Apple Touch ID, Windows Hello, ...) benötigt, welcher dem\nFIDO2 Standard gerecht wird. Für weitere Informationen können Sie diesem Link folgen: ', + newAccount: 'Neuer Account', + passwordReset: 'Passwort Zurücksetzen', + password: 'Passwort', + passwordless: 'Passkey', + passwordConfirm: 'Passwort bestätigen', + passwordNoMatch: 'Passwörter stimmen nicht überein', + required: 'Notwendig', + save: 'Speichern', + success1: 'Das Passwort wurde erfolgreich zurückgesetzt.', + success2: 'Sie werden in Kürze weitergeleitet.', + success3: 'Sollte Sie nicht weitergeleitet werden, klicken Sie bitte hier:', + successPasskey1: 'Der neue Passkey wurde erfolgreich registriert.', + successPasskey2: + 'Bitte loggen Sie sich direkt in Ihren Account ein und registrieren\nSie mindestens einen weiteren Backup Passkey. Ein passwortloser Account kann nicht den Passwort\nReset via E-Mail nutzen für den Fall, dass der derzeitige Passkey abhanden kommt.' + }, + register: { + alreadyRegistered: 'E-Mail is bereits registriert', + domainAllowed: 'Erlaubte Domain:', + domainErr: 'E-Mail Domain ist nicht erlaubt', + domainRestricted: 'E-Mail Domains sind beschränkt', + email: 'E-Mail', + emailBadFormat: 'Ungültiges E-Mail Format', + emailCheck: 'Bitte prüfen Sie Ihren E-Mail Posteingang', + regexName: 'Name mit 2 - 32 Buchstaben ohne Sonderzeichen', + register: 'Registrieren', + success: 'Registrierung erfolgreich', + userReg: 'Benutzer Registrierung' + }, + tos: { + tos: 'Allgemeine Geschäftsbedingungen' + }, + userRevoke: { + title: 'Logins widerrufen', + desc1: + 'Sämtliche Logins und Sessions für diesen Benutzer wurden soweit wie möglich widerrufen.', + desc2: 'Passwörter sollten auf der Stelle erneuert werden!' + } }; diff --git a/frontend/src/i18n/common/en.ts b/frontend/src/i18n/common/en.ts index 16a3a576c..8553f7985 100644 --- a/frontend/src/i18n/common/en.ts +++ b/frontend/src/i18n/common/en.ts @@ -1,270 +1,281 @@ -import {type I18n} from "./interface"; +import { type I18n } from './interface'; export const I18nEn: I18n = { - lang: "en", - common: { - activeTheme: "Active color scheme", - authenticate: "Authenticate", - cancel: "Cancel", - changeTheme: "Change Theme - Active: {{ CURRENT }}", - close: "Close", - copyToClip: "Copy value to clipboard", - delete: "Delete", - details: "Details", - email: "E-Mail", - errTooShort: "Input too short", - errTooLong: "Input too long", - expandContent: "Expand content", - hide: "Hide", - hours: "Hours", - invalidInput: "Invalid Input", - legend: "Legend", - maxFileSize: "Max File Size", - minutes: "Minutes", - month: "Month", - months: [ - "January", - "February", - "March", - "April", - "May", - "June", - "July", - "August", - "September", - "October", - "November", - "December" - ], - never: "Never", - password: "Password", - refresh: "Refresh", - required: "Required", - save: "Save", - search: "Search", - seconds: "seconds", - selectI18n: "Select Language", - show: "Show", - summary: "Summary", - weekDaysShort: [ - "Sun", - "Mon", - "Tue", - "Wed", - "Thu", - "Fri", - "Sat", - ], - year: "Year", - }, - account: { - account: "User Account", - accType: "Account Type", - accTypePasskeyText1: "This account is currently a passkey only account.\nThis means, that you do not have any password, because you don't need one.", - accTypePasskeyText2: "You can convert your account and add a password. But keep\nin mind, that this implies, that you need to verify each new device with the password additionally.\nYou then cannot just log in on any device, where you have not entered the password beforehand at\nleast once.", - accTypePasskeyText3: "Do you want to convert your account and add a password?", - accessExp: "Access Expires", - accessRenew: "Access renewable until", - accessRenewDelete: "Delete the possibility to renew", - birthdate: "Birthdate", - canModifyFor: "Passkeys can be modified for:", - city: "City", - changePassword: "Change Password", - convertAccount: "Convert Account", - convertAccountP1: "You can convert your account to a Passkey-Only account.\nThis conversion deletes your password and you can and must only ever login with your registered\npasskeys. Keep in mind, that only passkeys with the additional User Verification will be accepted.\nIf you passkeys support this, you will find a small symbol behind the name of the key on the 'MFA'\npage.", - country: "Country", - deviceId: "ID", - deviceName: "Name", - devices: "Devices", - devicesDesc: "Devices linked to this account", - emailUpdateConfirm: "The E-Mail address has not been updated yet. A message has been\nsent out to your new address. You need to click the confirmation link inside it. Once it has been\nconfirmed, your new address will be updated.", - emailVerified: "E-Mail verified", - familyName: "Family Name", - federatedConvertPassword1: "You have a federated account. This means you log in\nby using an external authentication provider. Your current provider is:", - federatedConvertPassword2: "You can request a password reset via email. This will\nadd a local password to your account upon completion. You would then be able to log in via your\nexternal provider or by local password. Do you want to request a reset?", - generateRandom: "Generate Randomly", - givenName: "Given Name", - groups: "Groups", - key: "Key", - keyUnique: "Key must be unique", - lastLogin: "Last Login", - mfaActivated: "MFA activated", - navInfo: "Info", - navEdit: "Edit", - navMfa: "MFA", - navLogout: "Logout", - other: "Other", - pam: { - generatePassword: "New Password", - username: 'Username', - validFor: "Password valid for {{ secs }} seconds", - }, - passwordConfirm: "Confirm Password", - passwordCurr: "Current Password", - passwordCurrReq: "Current password is required", - passwordNew: "New Password", - passwordNewReq: "New password is required", - passwordNoMatch: "Password verification is required", - passwordExpiry: "Password expiry", - passwordPolicyFollow: "You must follow the password policy", - passwordReset: "Password Reset", - phone: "Phone", - providerLink: "Federate Account", - providerLinkDesc: "You can link this account to one of the following login providers.\nAfter activating this function, you will be redirected to the login page of the chosen one.\nAfter a successful login and if the email matches, your account will be linked.", - providerUnlink: "Unlink Federation", - providerUnlinkDesc: "Only if you have set up at least a password or a passkey for this\naccount, you can unlink it from the upstream provider.", - regDate: "Registration Date", - regIp: "Registration from IP", - roles: "Roles", - street: "Street", - user: "User", - userCreated: "User Created", - userEnabled: "User Enabled", - userExpiry: "User Expires", - userVerifiedTooltip: "Secured with fingerprint or PIN", - webIdDesc: "You can configure the fields that should be exposed with your WebID.\nThis is a feature used by some networks for decentralized logins. If you do not know what it is,\nyou most probably do not need it.", - webIdDescData: "You can add custom data fields to your WebID in valid FOAF Vocabulary", - webIdExpertMode: "Enable Expert Mode", - zip: "ZIP / Postal Code" - }, - authorize: { - clientForceMfa: "This login forces MFA to achieve higher security.\nTo get access, you need to log in to your account and add at least one additional Passkey", - clientGroupPrefixForbidden: "Missing group assignment for this login", - email: "E-Mail", - emailBadFormat: "Bad E-Mail format", - emailRequired: "E-Mail is required", - emailSentMsg: "If your E-Mail exists, a request has been sent", - expectingPasskey: "Expecting Passkey Authentication", - http429: "Too many invalid inputs. Locked until:", - invalidCredentials: "Invalid credentials", - invalidKeyUsed: "Invalid Key", - login: "Login", - mfaAck: "Acknowledged", - orLoginWith: "or login with", - password: "Password", - passwordForgotten: "Password forgotten?", - passwordRequest: "Request", - passwordRequired: "Password is required", - passwordResetDesc: `Please provide your E-Mail to request a password reset link. If your address exists in out + lang: 'en', + common: { + accept: 'Accept', + activeTheme: 'Active color scheme', + authenticate: 'Authenticate', + cancel: 'Cancel', + changeTheme: 'Change Theme - Active: {{ CURRENT }}', + close: 'Close', + copyToClip: 'Copy value to clipboard', + delete: 'Delete', + details: 'Details', + email: 'E-Mail', + errTooShort: 'Input too short', + errTooLong: 'Input too long', + expandContent: 'Expand content', + hide: 'Hide', + hours: 'Hours', + invalidInput: 'Invalid Input', + legend: 'Legend', + maxFileSize: 'Max File Size', + minutes: 'Minutes', + month: 'Month', + months: [ + 'January', + 'February', + 'March', + 'April', + 'May', + 'June', + 'July', + 'August', + 'September', + 'October', + 'November', + 'December' + ], + never: 'Never', + password: 'Password', + refresh: 'Refresh', + required: 'Required', + save: 'Save', + search: 'Search', + seconds: 'seconds', + selectI18n: 'Select Language', + show: 'Show', + summary: 'Summary', + weekDaysShort: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'], + year: 'Year' + }, + account: { + account: 'User Account', + accType: 'Account Type', + accTypePasskeyText1: + "This account is currently a passkey only account.\nThis means, that you do not have any password, because you don't need one.", + accTypePasskeyText2: + 'You can convert your account and add a password. But keep\nin mind, that this implies, that you need to verify each new device with the password additionally.\nYou then cannot just log in on any device, where you have not entered the password beforehand at\nleast once.', + accTypePasskeyText3: 'Do you want to convert your account and add a password?', + accessExp: 'Access Expires', + accessRenew: 'Access renewable until', + accessRenewDelete: 'Delete the possibility to renew', + birthdate: 'Birthdate', + canModifyFor: 'Passkeys can be modified for:', + city: 'City', + changePassword: 'Change Password', + convertAccount: 'Convert Account', + convertAccountP1: + "You can convert your account to a Passkey-Only account.\nThis conversion deletes your password and you can and must only ever login with your registered\npasskeys. Keep in mind, that only passkeys with the additional User Verification will be accepted.\nIf you passkeys support this, you will find a small symbol behind the name of the key on the 'MFA'\npage.", + country: 'Country', + deviceId: 'ID', + deviceName: 'Name', + devices: 'Devices', + devicesDesc: 'Devices linked to this account', + emailUpdateConfirm: + 'The E-Mail address has not been updated yet. A message has been\nsent out to your new address. You need to click the confirmation link inside it. Once it has been\nconfirmed, your new address will be updated.', + emailVerified: 'E-Mail verified', + familyName: 'Family Name', + federatedConvertPassword1: + 'You have a federated account. This means you log in\nby using an external authentication provider. Your current provider is:', + federatedConvertPassword2: + 'You can request a password reset via email. This will\nadd a local password to your account upon completion. You would then be able to log in via your\nexternal provider or by local password. Do you want to request a reset?', + generateRandom: 'Generate Randomly', + givenName: 'Given Name', + groups: 'Groups', + key: 'Key', + keyUnique: 'Key must be unique', + lastLogin: 'Last Login', + mfaActivated: 'MFA activated', + navInfo: 'Info', + navEdit: 'Edit', + navMfa: 'MFA', + navLogout: 'Logout', + other: 'Other', + pam: { + generatePassword: 'New Password', + username: 'Username', + validFor: 'Password valid for {{ secs }} seconds' + }, + passwordConfirm: 'Confirm Password', + passwordCurr: 'Current Password', + passwordCurrReq: 'Current password is required', + passwordNew: 'New Password', + passwordNewReq: 'New password is required', + passwordNoMatch: 'Password verification is required', + passwordExpiry: 'Password expiry', + passwordPolicyFollow: 'You must follow the password policy', + passwordReset: 'Password Reset', + phone: 'Phone', + providerLink: 'Federate Account', + providerLinkDesc: + 'You can link this account to one of the following login providers.\nAfter activating this function, you will be redirected to the login page of the chosen one.\nAfter a successful login and if the email matches, your account will be linked.', + providerUnlink: 'Unlink Federation', + providerUnlinkDesc: + 'Only if you have set up at least a password or a passkey for this\naccount, you can unlink it from the upstream provider.', + regDate: 'Registration Date', + regIp: 'Registration from IP', + roles: 'Roles', + street: 'Street', + user: 'User', + userCreated: 'User Created', + userEnabled: 'User Enabled', + userExpiry: 'User Expires', + userVerifiedTooltip: 'Secured with fingerprint or PIN', + webIdDesc: + 'You can configure the fields that should be exposed with your WebID.\nThis is a feature used by some networks for decentralized logins. If you do not know what it is,\nyou most probably do not need it.', + webIdDescData: 'You can add custom data fields to your WebID in valid FOAF Vocabulary', + webIdExpertMode: 'Enable Expert Mode', + zip: 'ZIP / Postal Code' + }, + authorize: { + clientForceMfa: + 'This login forces MFA to achieve higher security.\nTo get access, you need to log in to your account and add at least one additional Passkey', + clientGroupPrefixForbidden: 'Missing group assignment for this login', + email: 'E-Mail', + emailBadFormat: 'Bad E-Mail format', + emailRequired: 'E-Mail is required', + emailSentMsg: 'If your E-Mail exists, a request has been sent', + expectingPasskey: 'Expecting Passkey Authentication', + http429: 'Too many invalid inputs. Locked until:', + invalidCredentials: 'Invalid credentials', + invalidKeyUsed: 'Invalid Key', + login: 'Login', + mfaAck: 'Acknowledged', + orLoginWith: 'or login with', + password: 'Password', + passwordForgotten: 'Password forgotten?', + passwordRequest: 'Request', + passwordRequired: 'Password is required', + passwordResetDesc: `Please provide your E-Mail to request a password reset link. If your address exists in out database, you will receive a link via E-Mail.`, - passwordResetSuccess: "Request received. You can close this window now.", - requestExpires: "Request expires", - requestExpired: "Request has expired", - signUp: "User Registration", - validEmail: "Provide valid E-Mail address", - }, - device: { - accept: "Accept", - autoRedirectAccount: "You will be redirected to your account now", - closeWindow: "You can close this window now.", - decline: "Decline", - desc: "Please enter the {{count}} characters user code from your device.", - descScopes: "The device requests access to:", - isAccepted: "The request has been accepted.", - isDeclined: "The request has been declined.", - submit: "Submit", - title: "Device Authorization", - userCode: "User Code", - wrongOrExpired: "Wrong or expired code" - }, - emailChange: { - title: "E-Mail Change confirmed", - textChanged: "Your E-Mail address has been changed from", - textLogin: "You can now log in using your new address.", - to: "to", - }, - error: { - // errorText: "The requested data could not be found", - details: "Show Details", - // detailsText: undefined, - }, - index: { - register: "Register", - accountLogin: "Account", - adminLogin: "Admin", - }, - logout: { - logout: "Logout", - confirmMsg: "Do you really want to logout and end your session?", - cancel: "Cancel" - }, - mfa: { - p1: "If you plan on using your MFA key with multiple systems like Windows and Android, you should do the registration with Android.", - p2: "Android is the platform with the least supported features for the passwordless technology. Keys you register with Android work elsewhere too. However, this does not apply the other way around.", - p3: "For more information, see", - docLinkText: "the documentation about passkeys", - errorReg: "Error starting the Registration process", - lastUsed: "Last used", - noKey: "No Security key registered on this slot", - reAuthenticatePasskey: "Before you can modify Passkeys, you need to authenticate with an already registered one:", - reAuthenticatePwd: "Before you can modify Passkeys, you need to re-authenticate with your password.", - register: "Register", - registerNew: "Register New Key", - registerd: "Registered", - registerdKeys: "Registered Keys", - passkeyName: "Passkey Name", - passkeyNameErr: "2 - 32 non-special characters", - passwordInvalid: "Password Invalid", - test: "Test", - testError: "Error starting the Test", - testSuccess: "Test successful" - }, - pagination: { - entries: "Entries", - gotoPage: "Go to page", - gotoPagePrev: "Go to previous page", - gotoPageNext: "Go to next page", - pagination: "Pagination", - showCount: "Show count", - total: "Total", - }, - passwordPolicy: { - passwordPolicy: "Password Policy", - lengthMin: "Length min", - lengthMax: "Length max", - lowercaseMin: "Lowercase letters min", - uppercaseMin: "Uppercase letters min", - digitsMin: "Digits min", - specialMin: "Special characters min", - notRecent: "Not one of last recent passwords" - }, - passwordReset: { - accountLogin: "Account Login", - badFormat: "Bad Format", - fidoLink: "https://fidoalliance.org/fido2", - generate: "Generate", - newAccDesc1: "You have the option between two account types: passwordless or traditional password", - newAccDesc2: "The passwordless account is always preferred, because it provides\na way with stronger security. You will need at least one passkey (Yubikey, Apple Touch ID, Windows Hello,\n...) to create such an account. Your device must embrace the FIDO2 standard. For more information\nabout this, you may follow this link: ", - newAccount: "New Account", - passwordReset: "Password Reset", - password: "Password", - passwordless: "Passkey", - passwordConfirm: "Password Confirm", - passwordNoMatch: "Passwords do not match", - required: "Required", - save: "Save", - success1: "The password has been updated successfully.", - success2: "You will be redirected shortly.", - success3: "If you are not being redirected, please click here:", - successPasskey1: "Your new passkey has been registered successfully.", - successPasskey2: "Please log into your account and register a second backup key as\nsoon as possible. With a passkey only account, you wil not be able to use a password reset via\nE-Mail in case you lose your current key." - }, - register: { - alreadyRegistered: "E-Mail is already registered", - domainAllowed: "Allowed domain:", - domainErr: "E-Mail domain not allowed", - domainRestricted: "E-Mail domains are restricted", - email: "E-Mail", - emailBadFormat: "Bad E-Mail format", - emailCheck: "Please check your E-Mail inbox", - regexName: "Name should have 2 - 32 non-special characters", - register: "Register", - success: "Registration successful", - userReg: "User Registration" - }, - userRevoke: { - title: "Revoke Logins", - desc1: "All Logins and Sessions have been revoked for this user as much as possible.", - desc2: "You should immediately renew all your passwords!", - } + passwordResetSuccess: 'Request received. You can close this window now.', + requestExpires: 'Request expires', + requestExpired: 'Request has expired', + signUp: 'User Registration', + validEmail: 'Provide valid E-Mail address' + }, + device: { + accept: 'Accept', + autoRedirectAccount: 'You will be redirected to your account now', + closeWindow: 'You can close this window now.', + decline: 'Decline', + desc: 'Please enter the {{count}} characters user code from your device.', + descScopes: 'The device requests access to:', + isAccepted: 'The request has been accepted.', + isDeclined: 'The request has been declined.', + submit: 'Submit', + title: 'Device Authorization', + userCode: 'User Code', + wrongOrExpired: 'Wrong or expired code' + }, + emailChange: { + title: 'E-Mail Change confirmed', + textChanged: 'Your E-Mail address has been changed from', + textLogin: 'You can now log in using your new address.', + to: 'to' + }, + error: { + // errorText: "The requested data could not be found", + details: 'Show Details' + // detailsText: undefined, + }, + index: { + register: 'Register', + accountLogin: 'Account', + adminLogin: 'Admin' + }, + logout: { + logout: 'Logout', + confirmMsg: 'Do you really want to logout and end your session?', + cancel: 'Cancel' + }, + mfa: { + p1: 'If you plan on using your MFA key with multiple systems like Windows and Android, you should do the registration with Android.', + p2: 'Android is the platform with the least supported features for the passwordless technology. Keys you register with Android work elsewhere too. However, this does not apply the other way around.', + p3: 'For more information, see', + docLinkText: 'the documentation about passkeys', + errorReg: 'Error starting the Registration process', + lastUsed: 'Last used', + noKey: 'No Security key registered on this slot', + reAuthenticatePasskey: + 'Before you can modify Passkeys, you need to authenticate with an already registered one:', + reAuthenticatePwd: + 'Before you can modify Passkeys, you need to re-authenticate with your password.', + register: 'Register', + registerNew: 'Register New Key', + registerd: 'Registered', + registerdKeys: 'Registered Keys', + passkeyName: 'Passkey Name', + passkeyNameErr: '2 - 32 non-special characters', + passwordInvalid: 'Password Invalid', + test: 'Test', + testError: 'Error starting the Test', + testSuccess: 'Test successful' + }, + pagination: { + entries: 'Entries', + gotoPage: 'Go to page', + gotoPagePrev: 'Go to previous page', + gotoPageNext: 'Go to next page', + pagination: 'Pagination', + showCount: 'Show count', + total: 'Total' + }, + passwordPolicy: { + passwordPolicy: 'Password Policy', + lengthMin: 'Length min', + lengthMax: 'Length max', + lowercaseMin: 'Lowercase letters min', + uppercaseMin: 'Uppercase letters min', + digitsMin: 'Digits min', + specialMin: 'Special characters min', + notRecent: 'Not one of last recent passwords' + }, + passwordReset: { + accountLogin: 'Account Login', + badFormat: 'Bad Format', + fidoLink: 'https://fidoalliance.org/fido2', + generate: 'Generate', + newAccDesc1: + 'You have the option between two account types: passwordless or traditional password', + newAccDesc2: + 'The passwordless account is always preferred, because it provides\na way with stronger security. You will need at least one passkey (Yubikey, Apple Touch ID, Windows Hello,\n...) to create such an account. Your device must embrace the FIDO2 standard. For more information\nabout this, you may follow this link: ', + newAccount: 'New Account', + passwordReset: 'Password Reset', + password: 'Password', + passwordless: 'Passkey', + passwordConfirm: 'Password Confirm', + passwordNoMatch: 'Passwords do not match', + required: 'Required', + save: 'Save', + success1: 'The password has been updated successfully.', + success2: 'You will be redirected shortly.', + success3: 'If you are not being redirected, please click here:', + successPasskey1: 'Your new passkey has been registered successfully.', + successPasskey2: + 'Please log into your account and register a second backup key as\nsoon as possible. With a passkey only account, you wil not be able to use a password reset via\nE-Mail in case you lose your current key.' + }, + register: { + alreadyRegistered: 'E-Mail is already registered', + domainAllowed: 'Allowed domain:', + domainErr: 'E-Mail domain not allowed', + domainRestricted: 'E-Mail domains are restricted', + email: 'E-Mail', + emailBadFormat: 'Bad E-Mail format', + emailCheck: 'Please check your E-Mail inbox', + regexName: 'Name should have 2 - 32 non-special characters', + register: 'Register', + success: 'Registration successful', + userReg: 'User Registration' + }, + tos: { + tos: 'Terms of Service' + }, + userRevoke: { + title: 'Revoke Logins', + desc1: 'All Logins and Sessions have been revoked for this user as much as possible.', + desc2: 'You should immediately renew all your passwords!' + } }; diff --git a/frontend/src/i18n/common/interface.ts b/frontend/src/i18n/common/interface.ts index f56b97a12..b0be14c97 100644 --- a/frontend/src/i18n/common/interface.ts +++ b/frontend/src/i18n/common/interface.ts @@ -3,247 +3,251 @@ * Admin specific translations are separated to reduce the overall payload for end users. */ export interface I18n { - lang: string, - common: { - activeTheme: string, - authenticate: string, - cancel: string, - changeTheme: string, - close: string, - copyToClip: string, - delete: string, - details: string, - email: string, - errTooShort: string, - errTooLong: string, - expandContent: string, - hide: string, - hours: string, - invalidInput: string, - legend: string, - maxFileSize: string, - minutes: string, - month: string, - months: string[], - never: string, - password: string, - refresh: string, - required: string, - save: string, - search: string, - seconds: string, - selectI18n: string, - show: string, - summary: string, - weekDaysShort: string[], - year: string, - }, - account: { - account: string, - accType: string, - accTypePasskeyText1: string, - accTypePasskeyText2: string, - accTypePasskeyText3: string, - accessExp: string, - accessRenew: string, - accessRenewDelete: string, - birthdate: string, - canModifyFor: string, - city: string, - changePassword: string, - convertAccount: string, - convertAccountP1: string, - country: string, - deviceId: string, - deviceName: string, - devices: string, - devicesDesc: string, - emailUpdateConfirm: string, - emailVerified: string, - familyName: string, - federatedConvertPassword1: string, - federatedConvertPassword2: string, - generateRandom: string, - givenName: string, - groups: string, - key: string, - keyUnique: string, - lastLogin: string, - mfaActivated: string, - navInfo: string, - navEdit: string, - navMfa: string, - navLogout: string, - other: string, - pam: { - generatePassword: string, - username: string, - validFor: string, - }, - passwordConfirm: string, - passwordCurr: string, - passwordCurrReq: string, - passwordNew: string, - passwordNewReq: string, - passwordNoMatch: string, - passwordExpiry: string, - passwordPolicyFollow: string, - passwordReset: string, - phone: string, - providerLink: string, - providerLinkDesc: string, - providerUnlink: string, - providerUnlinkDesc: string, - regDate: string, - regIp: string, - roles: string, - street: string, - user: string, - userCreated: string, - userEnabled: string, - userExpiry: string, - userVerifiedTooltip: string, - webIdDesc: string, - webIdDescData: string, - webIdExpertMode: string, - zip: string, - }, - authorize: { - clientForceMfa: string, - clientGroupPrefixForbidden: string, - email: string, - emailBadFormat: string, - emailRequired: string, - emailSentMsg: string, - http429: string, - invalidCredentials: string, - invalidKeyUsed: string, - login: string, - mfaAck: string, - orLoginWith: string, - password: string, - passwordForgotten: string, - passwordRequest: string, - passwordRequired: string, - passwordResetDesc: string, - passwordResetSuccess: string, - expectingPasskey: string, - requestExpires: string, - requestExpired: string, - signUp: string, - validEmail: string, - }, - device: { - accept: string, - autoRedirectAccount: string, - closeWindow: string, - decline: string, - desc: string, - descScopes: string, - isAccepted: string, - isDeclined: string, - submit: string, - title: string, - userCode: string, - wrongOrExpired: string, - }, - emailChange: { - title: string, - textChanged: string, - textLogin: string, - to: string, - }, - error: { - details: string, - }, - index: { - register: string, - accountLogin: string, - adminLogin: string, - }, - logout: { - logout: string, - confirmMsg: string, - cancel: string, - }, - mfa: { - p1: string, - p2: string, - p3: string, - docLinkText: string, + lang: string; + common: { + accept: string; + activeTheme: string; + authenticate: string; + cancel: string; + changeTheme: string; + close: string; + copyToClip: string; + delete: string; + details: string; + email: string; + errTooShort: string; + errTooLong: string; + expandContent: string; + hide: string; + hours: string; + invalidInput: string; + legend: string; + maxFileSize: string; + minutes: string; + month: string; + months: string[]; + never: string; + password: string; + refresh: string; + required: string; + save: string; + search: string; + seconds: string; + selectI18n: string; + show: string; + summary: string; + weekDaysShort: string[]; + year: string; + }; + account: { + account: string; + accType: string; + accTypePasskeyText1: string; + accTypePasskeyText2: string; + accTypePasskeyText3: string; + accessExp: string; + accessRenew: string; + accessRenewDelete: string; + birthdate: string; + canModifyFor: string; + city: string; + changePassword: string; + convertAccount: string; + convertAccountP1: string; + country: string; + deviceId: string; + deviceName: string; + devices: string; + devicesDesc: string; + emailUpdateConfirm: string; + emailVerified: string; + familyName: string; + federatedConvertPassword1: string; + federatedConvertPassword2: string; + generateRandom: string; + givenName: string; + groups: string; + key: string; + keyUnique: string; + lastLogin: string; + mfaActivated: string; + navInfo: string; + navEdit: string; + navMfa: string; + navLogout: string; + other: string; + pam: { + generatePassword: string; + username: string; + validFor: string; + }; + passwordConfirm: string; + passwordCurr: string; + passwordCurrReq: string; + passwordNew: string; + passwordNewReq: string; + passwordNoMatch: string; + passwordExpiry: string; + passwordPolicyFollow: string; + passwordReset: string; + phone: string; + providerLink: string; + providerLinkDesc: string; + providerUnlink: string; + providerUnlinkDesc: string; + regDate: string; + regIp: string; + roles: string; + street: string; + user: string; + userCreated: string; + userEnabled: string; + userExpiry: string; + userVerifiedTooltip: string; + webIdDesc: string; + webIdDescData: string; + webIdExpertMode: string; + zip: string; + }; + authorize: { + clientForceMfa: string; + clientGroupPrefixForbidden: string; + email: string; + emailBadFormat: string; + emailRequired: string; + emailSentMsg: string; + http429: string; + invalidCredentials: string; + invalidKeyUsed: string; + login: string; + mfaAck: string; + orLoginWith: string; + password: string; + passwordForgotten: string; + passwordRequest: string; + passwordRequired: string; + passwordResetDesc: string; + passwordResetSuccess: string; + expectingPasskey: string; + requestExpires: string; + requestExpired: string; + signUp: string; + validEmail: string; + }; + device: { + accept: string; + autoRedirectAccount: string; + closeWindow: string; + decline: string; + desc: string; + descScopes: string; + isAccepted: string; + isDeclined: string; + submit: string; + title: string; + userCode: string; + wrongOrExpired: string; + }; + emailChange: { + title: string; + textChanged: string; + textLogin: string; + to: string; + }; + error: { + details: string; + }; + index: { + register: string; + accountLogin: string; + adminLogin: string; + }; + logout: { + logout: string; + confirmMsg: string; + cancel: string; + }; + mfa: { + p1: string; + p2: string; + p3: string; + docLinkText: string; - errorReg: string, - lastUsed: string, - noKey: string, - reAuthenticatePasskey: string, - reAuthenticatePwd: string, - register: string, - registerNew: string, - registerd: string, - registerdKeys: string, - passkeyName: string, - passkeyNameErr: string, - passwordInvalid: string, - test: string, - testError: string, - testSuccess: string, - }, - pagination: { - entries: string, - gotoPage: string, - gotoPageNext: string, - gotoPagePrev: string, - pagination: string, - showCount: string, - total: string, - }, - passwordPolicy: { - passwordPolicy: string, - lengthMin: string, - lengthMax: string, - lowercaseMin: string, - uppercaseMin: string, - digitsMin: string, - specialMin: string, - notRecent: string, - }, - passwordReset: { - accountLogin: string, - badFormat: string, - fidoLink: string, - generate: string, - newAccDesc1: string, - newAccDesc2: string, - newAccount: string, - passwordReset: string, - password: string, - passwordless: string, - passwordConfirm: string, - passwordNoMatch: string, - required: string, - save: string, - success1: string, - success2: string, - success3: string, - successPasskey1: string, - successPasskey2: string, - }, - register: { - alreadyRegistered: string, - domainAllowed: string, - domainErr: string, - domainRestricted: string, - email: string, - emailBadFormat: string, - emailCheck: string, - regexName: string, - register: string, - success: string, - userReg: string, - }, - userRevoke: { - title: string, - desc1: string, - desc2: string, - } + errorReg: string; + lastUsed: string; + noKey: string; + reAuthenticatePasskey: string; + reAuthenticatePwd: string; + register: string; + registerNew: string; + registerd: string; + registerdKeys: string; + passkeyName: string; + passkeyNameErr: string; + passwordInvalid: string; + test: string; + testError: string; + testSuccess: string; + }; + pagination: { + entries: string; + gotoPage: string; + gotoPageNext: string; + gotoPagePrev: string; + pagination: string; + showCount: string; + total: string; + }; + passwordPolicy: { + passwordPolicy: string; + lengthMin: string; + lengthMax: string; + lowercaseMin: string; + uppercaseMin: string; + digitsMin: string; + specialMin: string; + notRecent: string; + }; + passwordReset: { + accountLogin: string; + badFormat: string; + fidoLink: string; + generate: string; + newAccDesc1: string; + newAccDesc2: string; + newAccount: string; + passwordReset: string; + password: string; + passwordless: string; + passwordConfirm: string; + passwordNoMatch: string; + required: string; + save: string; + success1: string; + success2: string; + success3: string; + successPasskey1: string; + successPasskey2: string; + }; + register: { + alreadyRegistered: string; + domainAllowed: string; + domainErr: string; + domainRestricted: string; + email: string; + emailBadFormat: string; + emailCheck: string; + regexName: string; + register: string; + success: string; + userReg: string; + }; + tos: { + tos: string; + }; + userRevoke: { + title: string; + desc1: string; + desc2: string; + }; } diff --git a/frontend/src/i18n/common/ko.ts b/frontend/src/i18n/common/ko.ts index 0d49c4939..8d8715786 100644 --- a/frontend/src/i18n/common/ko.ts +++ b/frontend/src/i18n/common/ko.ts @@ -1,268 +1,268 @@ -import {type I18n} from "./interface"; +import { type I18n } from './interface'; export const I18nKo: I18n = { - lang: "ko", - common: { - activeTheme: "Active color scheme", - authenticate: "Authenticate", - cancel: "취소", - changeTheme: "Change Theme - Active: {{ CURRENT }}", - close: "닫기", - copyToClip: "클립보드로 복사", - delete: "삭제", - details: "자세히", - email: "이메일", - errTooShort: "입력이 너무 짧습니다.", - errTooLong: "입력이 너무 깁니다.", - expandContent: "내용 확장", - hide: "숨기기", - hours: "시간", - invalidInput: "비정상적인 값", - legend: "범례", - maxFileSize: "최대 파일크기", - minutes: "분", - month: "월", - months: [ - "1월", - "2월", - "3월", - "4월", - "5월", - "6월", - "7월", - "8월", - "9월", - "10월", - "11월", - "12월" - ], - never: "없음", - password: "비밀번호", - refresh: "Refresh", - required: "필수 항목", - save: "저장", - search: "검색", - seconds: "seconds", - selectI18n: "언어 선택", - show: "보이기", - summary: "요약", - weekDaysShort: [ - "일", - "월", - "화", - "수", - "목", - "금", - "토", - ], - year: "년", - }, - account: { - account: "사용자 계정", - accType: "계정 종류", - accTypePasskeyText1: "이 계정은 현재 패스키 전용 계정입니다.\n비밀번호를 입력하지 않아도 됩니다.", - accTypePasskeyText2: "계정을 전환하고 비밀번호를 추가할 수 있습니다.\n하지만 이렇게 하면 새 기기를 인증할 때마다 추가적으로 비밀번호 인증을 해야 됩니다.\n한 번도 비밀번호를 입력한 적이 없는 기기에서는 바로 로그인할 수 없습니다.", - accTypePasskeyText3: "계정을 전환하고 비밀번호를 추가하겠습니까?", - accessExp: "만료일", - accessRenew: "접근 갱신 기한", - accessRenewDelete: "갱신 비활성화", - birthdate: "생년월일", - canModifyFor: "Passkeys can be modified for:", - city: "도시", - changePassword: "비밀번호 변경", - convertAccount: "계정 전환", - convertAccountP1: "계정을 패스키 전용 계정으로 전환할 수 있습니다.\n이 전환은 비밀번호를 삭제하며, 등록된 패스키를 사용해서만 로그인할 수 있습니다.\n추가적인 사용자 인증이 가능한 패스키만 허용됩니다.\n이러한 패스키는 'MFA' 페이지에서 패스키 이름 뒤에 있는 추가 기호로 식별할 수 있습니다.", - country: "국가", - deviceId: "아이디", - deviceName: "이름", - devices: "기기", - devicesDesc: "이 계정에 연결된 기기", - emailUpdateConfirm: "이메일 주소가 아직 변경되지 않았습니다. 확인 링크가 포함된 메시지가 새 주소로 전송되었습니다.\n메세지의 승인 링크를 클릭해야 합니다. 확인이 완료되면 새 주소로 변경됩니다.", - emailVerified: "이메일 인증", - familyName: "성", - federatedConvertPassword1: "이 계정은 연결된 계정입니다. 즉, 외부 인증 공급자를 통해 로그인이 이루어집니다. 현재 공급자는 다음과 같습니다:", - federatedConvertPassword2: "이메일을 통해 비밀번호 초기화를 요청할 수 있습니다.\n완료 후 이 계정에 로컬 비밀번호가 추가되며, 외부 공급자 또는 로컬 비밀번호를 사용하여 로그인할 수 있습니다. 초기화를 요청하겠습니까?", - generateRandom: "무작위로 생성", - givenName: "이름", - groups: "그룹", - key: "키", - keyUnique: "키는 고유해야 합니다.", - lastLogin: "마지막 로그인", - mfaActivated: "MFA 활성화", - navInfo: "정보", - navEdit: "수정", - navMfa: "MFA", - navLogout: "로그아웃", - other: "Other", - pam: { - generatePassword: "New Password", - username: 'Username', - validFor: "Password valid for {{ secs }} seconds", - }, - passwordConfirm: "비밀번호 확인", - passwordCurr: "현재 비밀번호", - passwordCurrReq: "현재 비밀번호가 필요합니다.", - passwordNew: "새 비밀번호", - passwordNewReq: "새 비밀번호가 필요합니다.", - passwordNoMatch: "비밀번호 확인이 필요합니다.", - passwordExpiry: "비밀번호 만료일", - passwordPolicyFollow: "비밀번호 정책을 준수해야 합니다.", - passwordReset: "비밀번호 초기화", - phone: "전화번호", - providerLink: "계정 연결", - providerLinkDesc: "이 계정은 다음 로그인 공급자 중 하나에 연결할 수 있습니다.\n 프로세스를 활성화하면 선택한 공급자의 로그인 페이지로 리디렉션이 트리거됩니다. 로그인에 성공하고 이메일 주소가 일치하면 이 계정이 연결됩니다.", - providerUnlink: "연결 해제", - providerUnlinkDesc: "이 계정에 최소 하나 이상의 비밀번호 또는 패스키가 설정되어 있는 경우에만 공급자 연결을 해제할 수 있습니다.", - regDate: "가입일", - regIp: "IP에서 가입", - roles: "역할", - street: "주소", - user: "사용자", - userCreated: "사용자 생성일", - userEnabled: "사용자 활성화", - userExpiry: "사용자 만료", - userVerifiedTooltip: "지문 또는 PIN을 통해 보호", - webIdDesc: "WebID를 통해 게시되는 필드를 정의할 수 있습니다.\n이는 일부 네트워크에서 분산 로그인을 위해 사용하는 기능입니다. WebID가 무엇인지 모른다면 필요하지 않을 것입니다.", - webIdDescData: "유효한 FOAF 어휘로 자신의 데이터를 WebID에 추가할 수 있습니다:", - webIdExpertMode: "전문가 모드 활성화", - zip: "우편번호" - }, - authorize: { - clientForceMfa: "이 로그인은 더 높은 수준의 보안을 위해서 MFA를 강제합니다.\n접근하려면, 계정에 로그인하고 최소 하나 이상의 패스키를 추가해야 합니다.", - clientGroupPrefixForbidden: "Missing group assignment for this login", - email: "이메일", - emailBadFormat: "잘못된 이메일 형식입니다.", - emailRequired: "이메일이 필요합니다.", - emailSentMsg: "이메일로 메세지가 발송되었습니다.", - expectingPasskey: "MFA 기기를 통해 로그인해 주세요.", - http429: "유효하지 않은 입력이 너무 많습니다. 다음 시간 전까지 비활성화합니다:", - invalidCredentials: "유효하지 않은 인증 정보입니다.", - invalidKeyUsed: "유효하지 않은 키입니다.", - login: "로그인", - mfaAck: "확인되었습니다.", - orLoginWith: "또는 다음으로 로그인", - password: "비밀번호", - passwordForgotten: "비밀번호를 잊으셨나요?", - passwordRequest: "요청", - passwordRequired: "비밀번호는 필수입니다.", - passwordResetDesc: `Please provide your E-Mail to request a password reset link. If your address exists in out + lang: 'ko', + common: { + accept: 'Accept', + activeTheme: 'Active color scheme', + authenticate: 'Authenticate', + cancel: '취소', + changeTheme: 'Change Theme - Active: {{ CURRENT }}', + close: '닫기', + copyToClip: '클립보드로 복사', + delete: '삭제', + details: '자세히', + email: '이메일', + errTooShort: '입력이 너무 짧습니다.', + errTooLong: '입력이 너무 깁니다.', + expandContent: '내용 확장', + hide: '숨기기', + hours: '시간', + invalidInput: '비정상적인 값', + legend: '범례', + maxFileSize: '최대 파일크기', + minutes: '분', + month: '월', + months: ['1월', '2월', '3월', '4월', '5월', '6월', '7월', '8월', '9월', '10월', '11월', '12월'], + never: '없음', + password: '비밀번호', + refresh: 'Refresh', + required: '필수 항목', + save: '저장', + search: '검색', + seconds: 'seconds', + selectI18n: '언어 선택', + show: '보이기', + summary: '요약', + weekDaysShort: ['일', '월', '화', '수', '목', '금', '토'], + year: '년' + }, + account: { + account: '사용자 계정', + accType: '계정 종류', + accTypePasskeyText1: + '이 계정은 현재 패스키 전용 계정입니다.\n비밀번호를 입력하지 않아도 됩니다.', + accTypePasskeyText2: + '계정을 전환하고 비밀번호를 추가할 수 있습니다.\n하지만 이렇게 하면 새 기기를 인증할 때마다 추가적으로 비밀번호 인증을 해야 됩니다.\n한 번도 비밀번호를 입력한 적이 없는 기기에서는 바로 로그인할 수 없습니다.', + accTypePasskeyText3: '계정을 전환하고 비밀번호를 추가하겠습니까?', + accessExp: '만료일', + accessRenew: '접근 갱신 기한', + accessRenewDelete: '갱신 비활성화', + birthdate: '생년월일', + canModifyFor: 'Passkeys can be modified for:', + city: '도시', + changePassword: '비밀번호 변경', + convertAccount: '계정 전환', + convertAccountP1: + "계정을 패스키 전용 계정으로 전환할 수 있습니다.\n이 전환은 비밀번호를 삭제하며, 등록된 패스키를 사용해서만 로그인할 수 있습니다.\n추가적인 사용자 인증이 가능한 패스키만 허용됩니다.\n이러한 패스키는 'MFA' 페이지에서 패스키 이름 뒤에 있는 추가 기호로 식별할 수 있습니다.", + country: '국가', + deviceId: '아이디', + deviceName: '이름', + devices: '기기', + devicesDesc: '이 계정에 연결된 기기', + emailUpdateConfirm: + '이메일 주소가 아직 변경되지 않았습니다. 확인 링크가 포함된 메시지가 새 주소로 전송되었습니다.\n메세지의 승인 링크를 클릭해야 합니다. 확인이 완료되면 새 주소로 변경됩니다.', + emailVerified: '이메일 인증', + familyName: '성', + federatedConvertPassword1: + '이 계정은 연결된 계정입니다. 즉, 외부 인증 공급자를 통해 로그인이 이루어집니다. 현재 공급자는 다음과 같습니다:', + federatedConvertPassword2: + '이메일을 통해 비밀번호 초기화를 요청할 수 있습니다.\n완료 후 이 계정에 로컬 비밀번호가 추가되며, 외부 공급자 또는 로컬 비밀번호를 사용하여 로그인할 수 있습니다. 초기화를 요청하겠습니까?', + generateRandom: '무작위로 생성', + givenName: '이름', + groups: '그룹', + key: '키', + keyUnique: '키는 고유해야 합니다.', + lastLogin: '마지막 로그인', + mfaActivated: 'MFA 활성화', + navInfo: '정보', + navEdit: '수정', + navMfa: 'MFA', + navLogout: '로그아웃', + other: 'Other', + pam: { + generatePassword: 'New Password', + username: 'Username', + validFor: 'Password valid for {{ secs }} seconds' + }, + passwordConfirm: '비밀번호 확인', + passwordCurr: '현재 비밀번호', + passwordCurrReq: '현재 비밀번호가 필요합니다.', + passwordNew: '새 비밀번호', + passwordNewReq: '새 비밀번호가 필요합니다.', + passwordNoMatch: '비밀번호 확인이 필요합니다.', + passwordExpiry: '비밀번호 만료일', + passwordPolicyFollow: '비밀번호 정책을 준수해야 합니다.', + passwordReset: '비밀번호 초기화', + phone: '전화번호', + providerLink: '계정 연결', + providerLinkDesc: + '이 계정은 다음 로그인 공급자 중 하나에 연결할 수 있습니다.\n 프로세스를 활성화하면 선택한 공급자의 로그인 페이지로 리디렉션이 트리거됩니다. 로그인에 성공하고 이메일 주소가 일치하면 이 계정이 연결됩니다.', + providerUnlink: '연결 해제', + providerUnlinkDesc: + '이 계정에 최소 하나 이상의 비밀번호 또는 패스키가 설정되어 있는 경우에만 공급자 연결을 해제할 수 있습니다.', + regDate: '가입일', + regIp: 'IP에서 가입', + roles: '역할', + street: '주소', + user: '사용자', + userCreated: '사용자 생성일', + userEnabled: '사용자 활성화', + userExpiry: '사용자 만료', + userVerifiedTooltip: '지문 또는 PIN을 통해 보호', + webIdDesc: + 'WebID를 통해 게시되는 필드를 정의할 수 있습니다.\n이는 일부 네트워크에서 분산 로그인을 위해 사용하는 기능입니다. WebID가 무엇인지 모른다면 필요하지 않을 것입니다.', + webIdDescData: '유효한 FOAF 어휘로 자신의 데이터를 WebID에 추가할 수 있습니다:', + webIdExpertMode: '전문가 모드 활성화', + zip: '우편번호' + }, + authorize: { + clientForceMfa: + '이 로그인은 더 높은 수준의 보안을 위해서 MFA를 강제합니다.\n접근하려면, 계정에 로그인하고 최소 하나 이상의 패스키를 추가해야 합니다.', + clientGroupPrefixForbidden: 'Missing group assignment for this login', + email: '이메일', + emailBadFormat: '잘못된 이메일 형식입니다.', + emailRequired: '이메일이 필요합니다.', + emailSentMsg: '이메일로 메세지가 발송되었습니다.', + expectingPasskey: 'MFA 기기를 통해 로그인해 주세요.', + http429: '유효하지 않은 입력이 너무 많습니다. 다음 시간 전까지 비활성화합니다:', + invalidCredentials: '유효하지 않은 인증 정보입니다.', + invalidKeyUsed: '유효하지 않은 키입니다.', + login: '로그인', + mfaAck: '확인되었습니다.', + orLoginWith: '또는 다음으로 로그인', + password: '비밀번호', + passwordForgotten: '비밀번호를 잊으셨나요?', + passwordRequest: '요청', + passwordRequired: '비밀번호는 필수입니다.', + passwordResetDesc: `Please provide your E-Mail to request a password reset link. If your address exists in out database, you will receive a link via E-Mail.`, - passwordResetSuccess: "Request received. You can close this window now.", - requestExpires: "만료일", - requestExpired: "요청이 만료되었습니다.", - signUp: "사용자 가입", - validEmail: "비정상적인 이메일 주소", - }, - device: { - accept: "수락", - autoRedirectAccount: "지금 계정으로 리다이렉트될 예정입니다.", - closeWindow: "이제 창을 닫아도 됩니다.", - decline: "거절", - desc: "기기에서 {{count}}자의 사용자 코드를 입력해 주세요.", - descScopes: "다음 기기가 접근을 요청합니다:", - isAccepted: "요청이 수락되었습니다.", - isDeclined: "요청이 거절되었습니다.", - submit: "제출", - title: "기기 인증", - userCode: "사용자 코드", - wrongOrExpired: "잘못되었거나 만료된 코드입니다." - }, - emailChange: { - title: "이메일 변경이 승인되었습니다.", - textChanged: "이메일 주소가 다음으로부터 변경되었습니다", - textLogin: "이제 새로운 주소로 로그인할 수 있습니다.", - to: "에서", - }, - error: { - // errorText: "요청 정보를 찾을 수 없습니다.", - details: "자세한 정보 표시", - // detailsText: undefined, - }, - index: { - register: "가입", - accountLogin: "계정", - adminLogin: "관리", - }, - logout: { - logout: "로그아웃", - confirmMsg: "로그아웃하고 세션을 종료하겠습니까?", - cancel: "취소", - }, - mfa: { - p1: "윈도우와 안드로이드 등 다양한 시스템에서 MFA를 사용하려면, 안드로이드에서 키를 등록하여야 합니다.", - p2: "안드로이드는 비밀번호 없이 인증하는 기술을 가장 적게 지원하는 플랫폼입니다. 안드로이드에서 등록한 키는 다른 곳에서도 작동하지만, 그 반대로는 작동되지 않습니다.", - errorReg: "가입 절차 시작 중 오류 발생", - lastUsed: "마지막 사용일", - noKey: "이 슬롯에 등록된 보안 키가 없습니다.", - reAuthenticatePasskey: "Before you can modify Passkeys, you need to authenticate with an already registered one:", - reAuthenticatePwd: "Before you can modify Passkeys, you need to re-authenticate with your password.", - register: "등록", - registerNew: "새 키 등록", - registerd: "등록일", - registerdKeys: "등록된 키", - passkeyName: "패스키 이름", - passkeyNameErr: "특수문자를 제외한 2자에서 32자이어야 합니다.", - passwordInvalid: "Password Invalid", - test: "테스트", - testError: "테스트 시작 중 오류 발생", - testSuccess: "테스트 성공" - }, - pagination: { - entries: "표시 개수", - gotoPage: "이동", - gotoPagePrev: "이전 페이지", - gotoPageNext: "다음 페이지", - pagination: "페이지 처리", - showCount: "개수 보기", - total: "전체", - }, - passwordPolicy: { - passwordPolicy: "비밀번호 정책", - lengthMin: "최소 길이", - lengthMax: "최대 길이", - lowercaseMin: "최소 소문자수", - uppercaseMin: "최소 대문자수", - digitsMin: "최소 숫자수", - specialMin: "최소 특수문자수", - notRecent: "최근 비밀번호 제한" - }, - passwordReset: { - accountLogin: "계정 로그인", - badFormat: "잘못된 형식", - fidoLink: "https://fidoalliance.org/fido2/?lang=ko", - generate: "생성", - newAccDesc1: "계정 종류는 비밀번호가 없는 계정 또는 기존의 비밀번호가 있는 계정 중 하나를 선택할 수 있습니다.", - newAccDesc2: "비밀번호가 없는 계정은 더 강력한 보안 방법을 제공하기 때문에 항상 선호됩니다.\n이러한 계정을 생성하려면 최소 하나의 패스키(Yubikey, Apple Touch ID, Windows Hello, ...)가 필요합니다. 기기가 FIDO2 표준을 지원해야 합니다.\n더 자세한 사항은 다음 링크를 참고해 주세요: ", - newAccount: "새 계정", - passwordReset: "비밀번호 초기화", - password: "비밀번호", - passwordless: "패스키", - passwordConfirm: "비밀번호 확인", - passwordNoMatch: "비밀번호가 일치하지 않습니다.", - required: "필수", - save: "저장", - success1: "비밀번호가 성공적으로 변경되었습니다.", - success2: "곧 리다이렉트됩니다.", - success3: "만약 리다이렉트가 되지 않으면, 여기를 클릭해 주세요:", - successPasskey1: "새로운 패스키가 성공적으로 등록되었습니다.", - successPasskey2: "계정에 로그인하여 가능한 한 빨리 두 번째 백업 키를 등록해 주세요.\n패스키 전용 계정은 현재 패스키를 잃어버리면, 이메일을 통하여 비밀번호 초기화할 수 없습니다." - }, - register: { - alreadyRegistered: "이미 등록된 이메일입니다.", - domainAllowed: "허용된 도메인:", - domainErr: "허용되지 않은 이메일의 도메인입니다.", - domainRestricted: "이메일의 도메인이 제한되어 있습니다.", - email: "이메일", - emailBadFormat: "잘못된 이메일 형식입니다.", - emailCheck: "이메일 보관함을 확인해 주세요.", - regexName: "이름은 특수문자 없이 2~32자여야 합니다.", - register: "가입", - success: "성공적으로 가입되었습니다.", - userReg: "사용자 가입" - }, - userRevoke: { - title: "Revoke Logins", - desc1: "All Logins and Sessions have been revoked for this user as much as possible.", - desc2: "You should immediately renew all your passwords!", - } + passwordResetSuccess: 'Request received. You can close this window now.', + requestExpires: '만료일', + requestExpired: '요청이 만료되었습니다.', + signUp: '사용자 가입', + validEmail: '비정상적인 이메일 주소' + }, + device: { + accept: '수락', + autoRedirectAccount: '지금 계정으로 리다이렉트될 예정입니다.', + closeWindow: '이제 창을 닫아도 됩니다.', + decline: '거절', + desc: '기기에서 {{count}}자의 사용자 코드를 입력해 주세요.', + descScopes: '다음 기기가 접근을 요청합니다:', + isAccepted: '요청이 수락되었습니다.', + isDeclined: '요청이 거절되었습니다.', + submit: '제출', + title: '기기 인증', + userCode: '사용자 코드', + wrongOrExpired: '잘못되었거나 만료된 코드입니다.' + }, + emailChange: { + title: '이메일 변경이 승인되었습니다.', + textChanged: '이메일 주소가 다음으로부터 변경되었습니다', + textLogin: '이제 새로운 주소로 로그인할 수 있습니다.', + to: '에서' + }, + error: { + // errorText: "요청 정보를 찾을 수 없습니다.", + details: '자세한 정보 표시' + // detailsText: undefined, + }, + index: { + register: '가입', + accountLogin: '계정', + adminLogin: '관리' + }, + logout: { + logout: '로그아웃', + confirmMsg: '로그아웃하고 세션을 종료하겠습니까?', + cancel: '취소' + }, + mfa: { + p1: '윈도우와 안드로이드 등 다양한 시스템에서 MFA를 사용하려면, 안드로이드에서 키를 등록하여야 합니다.', + p2: '안드로이드는 비밀번호 없이 인증하는 기술을 가장 적게 지원하는 플랫폼입니다. 안드로이드에서 등록한 키는 다른 곳에서도 작동하지만, 그 반대로는 작동되지 않습니다.', + p3: 'For more information, see', + errorReg: '가입 절차 시작 중 오류 발생', + lastUsed: '마지막 사용일', + noKey: '이 슬롯에 등록된 보안 키가 없습니다.', + reAuthenticatePasskey: + 'Before you can modify Passkeys, you need to authenticate with an already registered one:', + reAuthenticatePwd: + 'Before you can modify Passkeys, you need to re-authenticate with your password.', + register: '등록', + registerNew: '새 키 등록', + registerd: '등록일', + registerdKeys: '등록된 키', + passkeyName: '패스키 이름', + passkeyNameErr: '특수문자를 제외한 2자에서 32자이어야 합니다.', + passwordInvalid: 'Password Invalid', + test: '테스트', + testError: '테스트 시작 중 오류 발생', + testSuccess: '테스트 성공', + docLinkText: '' + }, + pagination: { + entries: '표시 개수', + gotoPage: '이동', + gotoPagePrev: '이전 페이지', + gotoPageNext: '다음 페이지', + pagination: '페이지 처리', + showCount: '개수 보기', + total: '전체' + }, + passwordPolicy: { + passwordPolicy: '비밀번호 정책', + lengthMin: '최소 길이', + lengthMax: '최대 길이', + lowercaseMin: '최소 소문자수', + uppercaseMin: '최소 대문자수', + digitsMin: '최소 숫자수', + specialMin: '최소 특수문자수', + notRecent: '최근 비밀번호 제한' + }, + passwordReset: { + accountLogin: '계정 로그인', + badFormat: '잘못된 형식', + fidoLink: 'https://fidoalliance.org/fido2/?lang=ko', + generate: '생성', + newAccDesc1: + '계정 종류는 비밀번호가 없는 계정 또는 기존의 비밀번호가 있는 계정 중 하나를 선택할 수 있습니다.', + newAccDesc2: + '비밀번호가 없는 계정은 더 강력한 보안 방법을 제공하기 때문에 항상 선호됩니다.\n이러한 계정을 생성하려면 최소 하나의 패스키(Yubikey, Apple Touch ID, Windows Hello, ...)가 필요합니다. 기기가 FIDO2 표준을 지원해야 합니다.\n더 자세한 사항은 다음 링크를 참고해 주세요: ', + newAccount: '새 계정', + passwordReset: '비밀번호 초기화', + password: '비밀번호', + passwordless: '패스키', + passwordConfirm: '비밀번호 확인', + passwordNoMatch: '비밀번호가 일치하지 않습니다.', + required: '필수', + save: '저장', + success1: '비밀번호가 성공적으로 변경되었습니다.', + success2: '곧 리다이렉트됩니다.', + success3: '만약 리다이렉트가 되지 않으면, 여기를 클릭해 주세요:', + successPasskey1: '새로운 패스키가 성공적으로 등록되었습니다.', + successPasskey2: + '계정에 로그인하여 가능한 한 빨리 두 번째 백업 키를 등록해 주세요.\n패스키 전용 계정은 현재 패스키를 잃어버리면, 이메일을 통하여 비밀번호 초기화할 수 없습니다.' + }, + register: { + alreadyRegistered: '이미 등록된 이메일입니다.', + domainAllowed: '허용된 도메인:', + domainErr: '허용되지 않은 이메일의 도메인입니다.', + domainRestricted: '이메일의 도메인이 제한되어 있습니다.', + email: '이메일', + emailBadFormat: '잘못된 이메일 형식입니다.', + emailCheck: '이메일 보관함을 확인해 주세요.', + regexName: '이름은 특수문자 없이 2~32자여야 합니다.', + register: '가입', + success: '성공적으로 가입되었습니다.', + userReg: '사용자 가입' + }, + tos: { + tos: 'Terms of Service' + }, + userRevoke: { + title: 'Revoke Logins', + desc1: 'All Logins and Sessions have been revoked for this user as much as possible.', + desc2: 'You should immediately renew all your passwords!' + } }; diff --git a/frontend/src/i18n/common/nb.ts b/frontend/src/i18n/common/nb.ts index 436522fb3..85a6f5627 100644 --- a/frontend/src/i18n/common/nb.ts +++ b/frontend/src/i18n/common/nb.ts @@ -1,265 +1,278 @@ -import {type I18n} from "./interface"; +import { type I18n } from './interface'; export const I18nNb: I18n = { - lang: "nb", - common: { - activeTheme: "Aktivt fargetema", - authenticate: "Autentiser", - cancel: "Avbryt", - changeTheme: "Bytt fargetema - Aktivt: {{ CURRENT }}", - close: "Lukk", - copyToClip: "Kopiert til utklippstavle", - delete: "Slett", - details: "Detaljer", - email: "E-post", - errTooShort: "Inndata er for kort", - errTooLong: "Inndata er for lang", - expandContent: "Utvid innhold", - hide: "Skjul", - hours: "Timer", - invalidInput: "Ugyldig inndata", - legend: "Forklaring", - maxFileSize: "Maks filstørrelse", - minutes: "Minutter", - month: "Måned", - months: [ - "Januar", - "Februar", - "Mars", - "April", - "Mai", - "Juni", - "Juli", - "August", - "September", - "Oktober", - "November", - "Desember" - ], - never: "Aldri", - password: "Passord", - refresh: "Oppdater", - required: "Påkrevd", - save: "Lagre", - search: "Søk", - seconds: "Sekunder", - selectI18n: "Velg språk", - show: "Vis", - summary: "Sammendrag", - weekDaysShort: [ - "Ma", - "Ti", - "On", - "To", - "Fr", - "Lø", - "Sø", - ], - year: "År", - }, - account: { - account: "Brukerkonto", - accType: "Kontotype", - accTypePasskeyText1: "Dette er en 'Passkey-Only' konto. Det betyr at denne kontoen ikke har passord og heller ikke trenger det.", - accTypePasskeyText2: "Du kan endre kontoen til en passord-konto. Men husk at dette innebærer at du må verifisere hver nye enhet med passord i tillegg. Du kan da ikke bare logge inn på en hvilken som helst enhet hvor du ikke har skrevet inn passordet minst én gang før.", - accTypePasskeyText3: "Vil du endre denne kontoen og legge til et passord?", - accessExp: "Tilgang utløper", - accessRenew: "Tilgang kan fornyes til", - accessRenewDelete: "Fjern mulighet for fornyelse", - birthdate: "Fødselsdato", - canModifyFor: "Passkeys kan endres for:", - city: "By", - changePassword: "Bytt passord", - convertAccount: "Endre konto", - convertAccountP1: "Denne kontoen kan endres til en Passkey-Only konto. Denne endringen sletter passordet og tillater kun innlogging med registrerte passkeys. Kun passkeys med ekstra brukerverifisering aksepteres. Disse er markert med et ekstra symbol bak passkey-navnet på 'MFA'-siden.", - country: "Land", - deviceId: "ID", - deviceName: "Navn", - devices: "Enheter", - devicesDesc: "Enheter tilknyttet denne kontoen", - emailUpdateConfirm: "E-postadressen er ikke oppdatert ennå. En melding med bekreftelseslenke er sendt til den nye adressen. Oppdateringen må bekreftes via lenken. Etter bekreftelse settes den nye adressen.", - emailVerified: "E-post verifisert", - familyName: "Etternavn", - federatedConvertPassword1: "Dette er en tilknyttet konto. Det betyr at innlogging skjer via ekstern leverandør. Nåværende leverandør er:", - federatedConvertPassword2: "Du kan be om tilbakestilling av passord via e-post. Dette vil legge til et lokalt passord til denne kontoen. Etterpå kan du logge inn enten med ekstern leverandør eller lokalt passord. Be om tilbakestilling av passord?", - generateRandom: "Generert tilfeldig", - givenName: "Fornavn", - groups: "Grupper", - key: "Nøkkel", - keyUnique: "Nøkkelen må være unik", - lastLogin: "Siste innlogging", - mfaActivated: "MFA aktivert", - navInfo: "Info", - navEdit: "Rediger", - navMfa: "MFA", - navLogout: "Logg ut", - other: "Annet", - pam: { - generatePassword: "Nytt passord", - username: 'Brukernavn', - validFor: "Passord gyldig i {{ secs }} sekunder", - }, - passwordConfirm: "Bekreft passord", - passwordCurr: "Nåværende passord", - passwordCurrReq: "Nåværende passord er påkrevd", - passwordNew: "Nytt passord", - passwordNewReq: "Nytt passord er påkrevd", - passwordNoMatch: "Passordene stemmer ikke overens", - passwordExpiry: "Passord utløper", - passwordPolicyFollow: "Følg passordreglene", - passwordReset: "Tilbakestill passord", - phone: "Telefon", - providerLink: "Koble konto", - providerLinkDesc: "Denne kontoen kan kobles til en av følgende innloggingsleverandører. Etter aktivering blir du videresendt til leverandørens innloggingsside. Ved vellykket innlogging og samsvarende e-postadresser kobles kontoen.", - providerUnlink: "Fjern kobling", - providerUnlinkDesc: "Du kan kun fjerne koblingen til leverandøren hvis minst ett passord eller en passkey er satt for denne kontoen.", - regDate: "Registreringsdato", - regIp: "Registrert fra IP", - roles: "Roller", - street: "Gateadresse", - user: "Bruker", - userCreated: "Bruker opprettet", - userEnabled: "Bruker aktivert", - userExpiry: "Bruker utløper", - userVerifiedTooltip: "Sikret med fingeravtrykk eller PIN", - webIdDesc: "Her kan du angi feltene som skal publiseres via din WebID. Dette er en funksjon som brukes av enkelte nettverk for desentraliserte pålogginger. Hvis du ikke vet hva WebID er, trenger du sannsynligvis ikke å bruke det.", - webIdDescData: "Du kan legge til egne data til din WebID i gyldig FOAF-vokabular:", - webIdExpertMode: "Aktiver ekspertmodus", - zip: "Postnummer" - }, - authorize: { - clientForceMfa: "Denne påloggingen krever MFA for økt sikkerhet. For å få tilgang, må du logge inn på kontoen din og legge til minst én passkey.", - clientGroupPrefixForbidden: "Manglende gruppetilhørighet for denne påloggingen", - email: "E-post", - emailBadFormat: "Ugyldig e-postformat", - emailRequired: "E-post er påkrevd", - emailSentMsg: "Hvis adressen din er registrert, er det sendt en melding", - expectingPasskey: "Forventer autentisering med passkey", - http429: "For mange ugyldige forsøk. Sperret til:", - invalidCredentials: "Ugyldige påloggingsopplysninger", - invalidKeyUsed: "Ugyldig sikkerhetsnøkkel", - login: "Logg inn", - mfaAck: "Bekreftet", - orLoginWith: "eller logg inn med", - password: "Passord", - passwordForgotten: "Glemt passord?", - passwordRequest: "Be om tilbakestilling", - passwordRequired: "Passord er påkrevd", - passwordResetDesc: `Vennligst oppgi e-postadressen for å be om en tilbakestillingslenke for passord. Hvis adressen finnes i databasen, vil en lenke bli sendt dit.`, - passwordResetSuccess: "Forespørsel mottatt. Dette vinduet kan nå lukkes.", - requestExpires: "Forespørselen utløper", - requestExpired: "Forespørselen er utløpt", - signUp: "Brukerregistrering", - validEmail: "Oppgi gyldig e-postadresse", - }, - device: { - accept: "Godta", - autoRedirectAccount: "Automatisk omdirigering til kontoen følger", - closeWindow: "Dette vinduet kan nå lukkes.", - decline: "Avslå", - desc: "Vennligst skriv inn brukerkoden som vises på enheten, med {{count}} sifre.", - descScopes: "Enheten ber om tilgang til:", - isAccepted: "Forespørselen ble akseptert", - isDeclined: "Forespørselen ble avslått", - submit: "Send", - title: "Enhetsautorisering", - userCode: "Brukerkode", - wrongOrExpired: "Ugyldig eller utløpt kode" - }, - emailChange: { - title: "E-postbytte bekreftet", - textChanged: "Din e-postadresse ble vellykket endret fra", - textLogin: "Du kan nå logge inn med den nye adressen.", - to: "til", - }, - error: { - details: "Vis detaljer", - }, - index: { - register: "Registrer", - accountLogin: "Konto", - adminLogin: "Admin", - }, - logout: { - logout: "Logg ut", - confirmMsg: "Er du sikker på at du vil logge ut og avslutte økten?", - cancel: "Avbryt" - }, - mfa: { - p1: "Hvis du ønsker å bruke flere systemer parallelt, som f.eks. Windows og Android, bør du registrere deg med Android først.", - p2: "Android er plattformen som for øyeblikket støtter færrest funksjoner av den passordløse teknologien. Nøkler som registreres der, fungerer på andre enheter på samme måte. Dette gjelder imidlertid ikke omvendt.", - errorReg: "Feil ved oppstart av registrering", - lastUsed: "Sist brukt", - noKey: "Det er ikke registrert noen sikkerhetsnøkkel i denne lagringen ennå", - reAuthenticatePasskey: "Før passkeys kan redigeres, må en av de eksisterende først verifiseres:", - reAuthenticatePwd: "Før passkeys kan redigeres, er det nødvendig med en ny bekreftelse av passordet.", - register: "Registrer", - registerNew: "Registrer ny nøkkel", - registerd: "Registrert", - registerdKeys: "Registrerte nøkler", - passkeyName: "Passkey-navn", - passkeyNameErr: "2 - 32 bokstaver, ingen spesialtegn", - passwordInvalid: "Ugyldig passord", - test: "Test", - testError: "Feil ved oppstart av testen", - testSuccess: "Test vellykket" - }, - pagination: { - entries: "Oppføringer", - gotoPage: "Gå til side", - gotoPagePrev: "Gå til forrige side", - gotoPageNext: "Gå til neste side", - pagination: "Sidenummerering", - showCount: "Vis antall", - total: "Totalt", - }, - passwordPolicy: { - passwordPolicy: "Passordregler", - lengthMin: "Min lengde", - lengthMax: "Max lengde", - lowercaseMin: "Min små bokstaver", - uppercaseMin: "Min store bokstaver", - digitsMin: "Min antall sifre", - specialMin: "Min antall spesialtegn", - notRecent: "Ikke noe av de siste passordene" - }, - passwordReset: { - accountLogin: "Konto pålogging", - badFormat: "Ugyldig format", - fidoLink: "https://fidoalliance.org/fido2", - generate: "Generer", - newAccDesc1: "Du har valget mellom to kontotyper: Passordløs eller tradisjonell passord.", - newAccDesc2: "Den passordløse kontotypen bør alltid foretrekkes. Den tilbyr en mye høyere sikkerhetsstandard enn tradisjonelle passord, samtidig som den gir en enklere og raskere pålogging. For å bruke denne typen konto, trengs det minst én passkey (f.eks. Yubikey, Apple Touch ID, Windows Hello, ...) som oppfyller FIDO2-standarden. For mer informasjon, følg denne lenken: ", - newAccount: "Ny konto", - passwordReset: "Tilbakestill passord", - password: "Passord", - passwordless: "Passkey", - passwordConfirm: "Bekreft passord", - passwordNoMatch: "Passordene stemmer ikke overens", - required: "Påkrevd", - save: "Lagre", - success1: "Passordet ble vellykket tilbakestilt.", - success2: "Du vil bli videresendt snart.", - success3: "Hvis du ikke blir videresendt, vennligst klikk her:", - successPasskey1: "Den nye passkeyen ble vellykket registrert.", - successPasskey2: "Vennligst logg inn direkte på kontoen din og registrer minst én annen backup passkey. En passordløs konto kan ikke bruke passordtilbakestilling via e-post i tilfelle den nåværende passkeyen blir borte." - }, - register: { - alreadyRegistered: "E-posten er allerede registrert", - domainAllowed: "Tillatt domene:", - domainErr: "E-postdomene er ikke tillatt", - domainRestricted: "E-postdomener er begrenset", - email: "E-post", - emailBadFormat: "Ugyldig e-postformat", - emailCheck: "Vennligst sjekk e-postinnboksen din", - regexName: "Navn med 2 - 32 bokstaver uten spesialtegn", - register: "Registrer", - success: "Registrering vellykket", - userReg: "Brukerregistrering" - }, - userRevoke: { - title: "Tilbakekalling av pålogginger", - desc1: "Alle pålogginger og økter for denne brukeren har blitt tilbakekalt så langt det er mulig.", - desc2: "Passord bør umiddelbart tilbakestilles!", - } + lang: 'nb', + common: { + accept: 'Accept', + activeTheme: 'Aktivt fargetema', + authenticate: 'Autentiser', + cancel: 'Avbryt', + changeTheme: 'Bytt fargetema - Aktivt: {{ CURRENT }}', + close: 'Lukk', + copyToClip: 'Kopiert til utklippstavle', + delete: 'Slett', + details: 'Detaljer', + email: 'E-post', + errTooShort: 'Inndata er for kort', + errTooLong: 'Inndata er for lang', + expandContent: 'Utvid innhold', + hide: 'Skjul', + hours: 'Timer', + invalidInput: 'Ugyldig inndata', + legend: 'Forklaring', + maxFileSize: 'Maks filstørrelse', + minutes: 'Minutter', + month: 'Måned', + months: [ + 'Januar', + 'Februar', + 'Mars', + 'April', + 'Mai', + 'Juni', + 'Juli', + 'August', + 'September', + 'Oktober', + 'November', + 'Desember' + ], + never: 'Aldri', + password: 'Passord', + refresh: 'Oppdater', + required: 'Påkrevd', + save: 'Lagre', + search: 'Søk', + seconds: 'Sekunder', + selectI18n: 'Velg språk', + show: 'Vis', + summary: 'Sammendrag', + weekDaysShort: ['Ma', 'Ti', 'On', 'To', 'Fr', 'Lø', 'Sø'], + year: 'År' + }, + account: { + account: 'Brukerkonto', + accType: 'Kontotype', + accTypePasskeyText1: + "Dette er en 'Passkey-Only' konto. Det betyr at denne kontoen ikke har passord og heller ikke trenger det.", + accTypePasskeyText2: + 'Du kan endre kontoen til en passord-konto. Men husk at dette innebærer at du må verifisere hver nye enhet med passord i tillegg. Du kan da ikke bare logge inn på en hvilken som helst enhet hvor du ikke har skrevet inn passordet minst én gang før.', + accTypePasskeyText3: 'Vil du endre denne kontoen og legge til et passord?', + accessExp: 'Tilgang utløper', + accessRenew: 'Tilgang kan fornyes til', + accessRenewDelete: 'Fjern mulighet for fornyelse', + birthdate: 'Fødselsdato', + canModifyFor: 'Passkeys kan endres for:', + city: 'By', + changePassword: 'Bytt passord', + convertAccount: 'Endre konto', + convertAccountP1: + "Denne kontoen kan endres til en Passkey-Only konto. Denne endringen sletter passordet og tillater kun innlogging med registrerte passkeys. Kun passkeys med ekstra brukerverifisering aksepteres. Disse er markert med et ekstra symbol bak passkey-navnet på 'MFA'-siden.", + country: 'Land', + deviceId: 'ID', + deviceName: 'Navn', + devices: 'Enheter', + devicesDesc: 'Enheter tilknyttet denne kontoen', + emailUpdateConfirm: + 'E-postadressen er ikke oppdatert ennå. En melding med bekreftelseslenke er sendt til den nye adressen. Oppdateringen må bekreftes via lenken. Etter bekreftelse settes den nye adressen.', + emailVerified: 'E-post verifisert', + familyName: 'Etternavn', + federatedConvertPassword1: + 'Dette er en tilknyttet konto. Det betyr at innlogging skjer via ekstern leverandør. Nåværende leverandør er:', + federatedConvertPassword2: + 'Du kan be om tilbakestilling av passord via e-post. Dette vil legge til et lokalt passord til denne kontoen. Etterpå kan du logge inn enten med ekstern leverandør eller lokalt passord. Be om tilbakestilling av passord?', + generateRandom: 'Generert tilfeldig', + givenName: 'Fornavn', + groups: 'Grupper', + key: 'Nøkkel', + keyUnique: 'Nøkkelen må være unik', + lastLogin: 'Siste innlogging', + mfaActivated: 'MFA aktivert', + navInfo: 'Info', + navEdit: 'Rediger', + navMfa: 'MFA', + navLogout: 'Logg ut', + other: 'Annet', + pam: { + generatePassword: 'Nytt passord', + username: 'Brukernavn', + validFor: 'Passord gyldig i {{ secs }} sekunder' + }, + passwordConfirm: 'Bekreft passord', + passwordCurr: 'Nåværende passord', + passwordCurrReq: 'Nåværende passord er påkrevd', + passwordNew: 'Nytt passord', + passwordNewReq: 'Nytt passord er påkrevd', + passwordNoMatch: 'Passordene stemmer ikke overens', + passwordExpiry: 'Passord utløper', + passwordPolicyFollow: 'Følg passordreglene', + passwordReset: 'Tilbakestill passord', + phone: 'Telefon', + providerLink: 'Koble konto', + providerLinkDesc: + 'Denne kontoen kan kobles til en av følgende innloggingsleverandører. Etter aktivering blir du videresendt til leverandørens innloggingsside. Ved vellykket innlogging og samsvarende e-postadresser kobles kontoen.', + providerUnlink: 'Fjern kobling', + providerUnlinkDesc: + 'Du kan kun fjerne koblingen til leverandøren hvis minst ett passord eller en passkey er satt for denne kontoen.', + regDate: 'Registreringsdato', + regIp: 'Registrert fra IP', + roles: 'Roller', + street: 'Gateadresse', + user: 'Bruker', + userCreated: 'Bruker opprettet', + userEnabled: 'Bruker aktivert', + userExpiry: 'Bruker utløper', + userVerifiedTooltip: 'Sikret med fingeravtrykk eller PIN', + webIdDesc: + 'Her kan du angi feltene som skal publiseres via din WebID. Dette er en funksjon som brukes av enkelte nettverk for desentraliserte pålogginger. Hvis du ikke vet hva WebID er, trenger du sannsynligvis ikke å bruke det.', + webIdDescData: 'Du kan legge til egne data til din WebID i gyldig FOAF-vokabular:', + webIdExpertMode: 'Aktiver ekspertmodus', + zip: 'Postnummer' + }, + authorize: { + clientForceMfa: + 'Denne påloggingen krever MFA for økt sikkerhet. For å få tilgang, må du logge inn på kontoen din og legge til minst én passkey.', + clientGroupPrefixForbidden: 'Manglende gruppetilhørighet for denne påloggingen', + email: 'E-post', + emailBadFormat: 'Ugyldig e-postformat', + emailRequired: 'E-post er påkrevd', + emailSentMsg: 'Hvis adressen din er registrert, er det sendt en melding', + expectingPasskey: 'Forventer autentisering med passkey', + http429: 'For mange ugyldige forsøk. Sperret til:', + invalidCredentials: 'Ugyldige påloggingsopplysninger', + invalidKeyUsed: 'Ugyldig sikkerhetsnøkkel', + login: 'Logg inn', + mfaAck: 'Bekreftet', + orLoginWith: 'eller logg inn med', + password: 'Passord', + passwordForgotten: 'Glemt passord?', + passwordRequest: 'Be om tilbakestilling', + passwordRequired: 'Passord er påkrevd', + passwordResetDesc: `Vennligst oppgi e-postadressen for å be om en tilbakestillingslenke for passord. Hvis adressen finnes i databasen, vil en lenke bli sendt dit.`, + passwordResetSuccess: 'Forespørsel mottatt. Dette vinduet kan nå lukkes.', + requestExpires: 'Forespørselen utløper', + requestExpired: 'Forespørselen er utløpt', + signUp: 'Brukerregistrering', + validEmail: 'Oppgi gyldig e-postadresse' + }, + device: { + accept: 'Godta', + autoRedirectAccount: 'Automatisk omdirigering til kontoen følger', + closeWindow: 'Dette vinduet kan nå lukkes.', + decline: 'Avslå', + desc: 'Vennligst skriv inn brukerkoden som vises på enheten, med {{count}} sifre.', + descScopes: 'Enheten ber om tilgang til:', + isAccepted: 'Forespørselen ble akseptert', + isDeclined: 'Forespørselen ble avslått', + submit: 'Send', + title: 'Enhetsautorisering', + userCode: 'Brukerkode', + wrongOrExpired: 'Ugyldig eller utløpt kode' + }, + emailChange: { + title: 'E-postbytte bekreftet', + textChanged: 'Din e-postadresse ble vellykket endret fra', + textLogin: 'Du kan nå logge inn med den nye adressen.', + to: 'til' + }, + error: { + details: 'Vis detaljer' + }, + index: { + register: 'Registrer', + accountLogin: 'Konto', + adminLogin: 'Admin' + }, + logout: { + logout: 'Logg ut', + confirmMsg: 'Er du sikker på at du vil logge ut og avslutte økten?', + cancel: 'Avbryt' + }, + mfa: { + p1: 'Hvis du ønsker å bruke flere systemer parallelt, som f.eks. Windows og Android, bør du registrere deg med Android først.', + p2: 'Android er plattformen som for øyeblikket støtter færrest funksjoner av den passordløse teknologien. Nøkler som registreres der, fungerer på andre enheter på samme måte. Dette gjelder imidlertid ikke omvendt.', + p3: 'For more information, see', + docLinkText: 'the documentation about passkeys', + errorReg: 'Feil ved oppstart av registrering', + lastUsed: 'Sist brukt', + noKey: 'Det er ikke registrert noen sikkerhetsnøkkel i denne lagringen ennå', + reAuthenticatePasskey: + 'Før passkeys kan redigeres, må en av de eksisterende først verifiseres:', + reAuthenticatePwd: + 'Før passkeys kan redigeres, er det nødvendig med en ny bekreftelse av passordet.', + register: 'Registrer', + registerNew: 'Registrer ny nøkkel', + registerd: 'Registrert', + registerdKeys: 'Registrerte nøkler', + passkeyName: 'Passkey-navn', + passkeyNameErr: '2 - 32 bokstaver, ingen spesialtegn', + passwordInvalid: 'Ugyldig passord', + test: 'Test', + testError: 'Feil ved oppstart av testen', + testSuccess: 'Test vellykket' + }, + pagination: { + entries: 'Oppføringer', + gotoPage: 'Gå til side', + gotoPagePrev: 'Gå til forrige side', + gotoPageNext: 'Gå til neste side', + pagination: 'Sidenummerering', + showCount: 'Vis antall', + total: 'Totalt' + }, + passwordPolicy: { + passwordPolicy: 'Passordregler', + lengthMin: 'Min lengde', + lengthMax: 'Max lengde', + lowercaseMin: 'Min små bokstaver', + uppercaseMin: 'Min store bokstaver', + digitsMin: 'Min antall sifre', + specialMin: 'Min antall spesialtegn', + notRecent: 'Ikke noe av de siste passordene' + }, + passwordReset: { + accountLogin: 'Konto pålogging', + badFormat: 'Ugyldig format', + fidoLink: 'https://fidoalliance.org/fido2', + generate: 'Generer', + newAccDesc1: 'Du har valget mellom to kontotyper: Passordløs eller tradisjonell passord.', + newAccDesc2: + 'Den passordløse kontotypen bør alltid foretrekkes. Den tilbyr en mye høyere sikkerhetsstandard enn tradisjonelle passord, samtidig som den gir en enklere og raskere pålogging. For å bruke denne typen konto, trengs det minst én passkey (f.eks. Yubikey, Apple Touch ID, Windows Hello, ...) som oppfyller FIDO2-standarden. For mer informasjon, følg denne lenken: ', + newAccount: 'Ny konto', + passwordReset: 'Tilbakestill passord', + password: 'Passord', + passwordless: 'Passkey', + passwordConfirm: 'Bekreft passord', + passwordNoMatch: 'Passordene stemmer ikke overens', + required: 'Påkrevd', + save: 'Lagre', + success1: 'Passordet ble vellykket tilbakestilt.', + success2: 'Du vil bli videresendt snart.', + success3: 'Hvis du ikke blir videresendt, vennligst klikk her:', + successPasskey1: 'Den nye passkeyen ble vellykket registrert.', + successPasskey2: + 'Vennligst logg inn direkte på kontoen din og registrer minst én annen backup passkey. En passordløs konto kan ikke bruke passordtilbakestilling via e-post i tilfelle den nåværende passkeyen blir borte.' + }, + register: { + alreadyRegistered: 'E-posten er allerede registrert', + domainAllowed: 'Tillatt domene:', + domainErr: 'E-postdomene er ikke tillatt', + domainRestricted: 'E-postdomener er begrenset', + email: 'E-post', + emailBadFormat: 'Ugyldig e-postformat', + emailCheck: 'Vennligst sjekk e-postinnboksen din', + regexName: 'Navn med 2 - 32 bokstaver uten spesialtegn', + register: 'Registrer', + success: 'Registrering vellykket', + userReg: 'Brukerregistrering' + }, + tos: { + tos: 'Terms of Service' + }, + userRevoke: { + title: 'Tilbakekalling av pålogginger', + desc1: + 'Alle pålogginger og økter for denne brukeren har blitt tilbakekalt så langt det er mulig.', + desc2: 'Passord bør umiddelbart tilbakestilles!' + } }; diff --git a/frontend/src/i18n/common/zh.ts b/frontend/src/i18n/common/zh.ts index 381dc6269..1deb3fc01 100644 --- a/frontend/src/i18n/common/zh.ts +++ b/frontend/src/i18n/common/zh.ts @@ -1,268 +1,278 @@ -import {type I18n} from "./interface"; +import { type I18n } from './interface'; export const I18nZh: I18n = { - lang: "zh", - common: { - activeTheme: "Active color scheme", - authenticate: "Authenticate", - cancel: "取消", - changeTheme: "Change Theme - Active: {{ CURRENT }}", - close: "关闭", - copyToClip: "复制到剪贴板", - delete: "删除", - details: "详情", - email: "电子邮箱", - errTooShort: "输入过短", - errTooLong: "输入过长", - expandContent: "展开内容", - hide: "隐藏", - hours: "小时", - invalidInput: "无效输入", - legend: "标题", - maxFileSize: "最大文件大小", - minutes: "分", - month: "月", - months: [ - "一月", - "二月", - "三月", - "四月", - "五月", - "六月", - "七月", - "八月", - "九月", - "十月", - "十一月", - "十二月" - ], - never: "从不", - password: "密码", - refresh: "Refresh", - required: "必填", - save: "保存", - search: "Search", - seconds: "seconds", - selectI18n: "选择语言", - show: "显示", - summary: "概要", - weekDaysShort: [ - "星期日", - "星期一", - "星期二", - "星期三", - "星期四", - "星期五", - "星期六", - ], - year: "年", - }, - account: { - account: "用户账户", - accType: "账户类型", - accTypePasskeyText1: "此账户目前为仅密钥登录账户。\n因此,此账户没有密码,也无需设置密码。", - accTypePasskeyText2: "您可以转换此账户并添加密码。\n但请注意,调整后在新设备上登录时需额外进行密码验证。\n如果您没有事先输入过至少一次密码,您将无法在任何设备上登录。", - accTypePasskeyText3: "您想要转换您的账户并添加一个密码吗?", - accessExp: "过期", - accessRenew: "续期至", - accessRenewDelete: "禁止续期", - birthdate: "生日", - canModifyFor: "Passkeys can be modified for:", - city: "城市", - changePassword: "更改密码", - convertAccount: "转换账户", - convertAccountP1: "您可以将您的账户转换为仅密钥登陆账户。\n此转换将删除您的密码,您将仅能够通过注册的密钥进行登陆。\n请注意,只有支持额外用户验证的密钥可被用于登陆。\n如果您的密钥支持用户验证,您可以在“MFA”页面中,密钥名称的后面看到一个符号。", - country: "国家", - deviceId: "ID", - deviceName: "名称", - devices: "设备", - devicesDesc: "链接到此账户的设备", - emailUpdateConfirm: "电子邮件地址未被更新。我们已向您的新邮箱发送了一封消息。\n您需要点击其中的确认链接,电子邮件地址将在被确认后更新。", - emailVerified: "已验证电子邮箱", - familyName: "姓", - federatedConvertPassword1: "您有一个联合账户。\n这意味着您是通过外部鉴权提供者登陆的。您当前的提供者是:", - federatedConvertPassword2: "您可以通过电子邮件请求密码重置。这将向您的本地账户添加密码,\n之后您可以通过本地密码或您的外部提供者进行登陆。您想要请求密码重置吗?", - generateRandom: "随机生成", - givenName: "名", - groups: "组", - key: "密钥", - keyUnique: "密钥必须唯一", - lastLogin: "最后登录", - mfaActivated: "多因子认证", - navInfo: "信息", - navEdit: "编辑", - navMfa: "多因子认证", - navLogout: "退出登录", - other: "Other", - pam: { - generatePassword: "New Password", - username: 'Username', - validFor: "Password valid for {{ secs }} seconds", - }, - passwordConfirm: "确认密码", - passwordCurr: "当前密码", - passwordCurrReq: "当前密码必填。", - passwordNew: "新密码", - passwordNewReq: "新密码必填", - passwordNoMatch: "密码验证必填。", - passwordExpiry: "密码过期", - passwordPolicyFollow: "密码不符合要求。", - passwordReset: "重置密码", - phone: "手机", - providerLink: "联合账户", - providerLinkDesc: "您可以将此账户连接到下列登陆提供者之一。\n激活此功能后,您将被重定向至所选提供者的登陆页面。在成功登陆后,如果电子邮件匹配,您的账户将被连接。", - providerUnlink: "取消联合", - providerUnlinkDesc: "仅当您已设置至少一个密码或登陆密钥后,您才能和登陆提供者取消连接。", - regDate: "注册日期", - regIp: "注册IP地址", - roles: "角色", - street: "街道", - user: "用户", - userCreated: "创建于", - userEnabled: "启用", - userExpiry: "过期", - userVerifiedTooltip: "指纹或PIN保护", - webIdDesc: "您可以选择哪些字段能够通过WebID发布。\nWebID被一些网络用于去中心化登陆。如果您不知道这是什么,您通常不需要选择。", - webIdDescData: "您可以以FOAF词汇格式向您的 WebID 添加自定义数据字段", - webIdExpertMode: "启用专家模式", - zip: "邮政编码" - }, - authorize: { - clientForceMfa: "本次登陆强制使用多因子认证以增强安全性。\n要完成登陆,请登入您的账户并添加一个登陆密钥。", - clientGroupPrefixForbidden: "Missing group assignment for this login", - email: "电子邮件地址", - emailBadFormat: "错误的电子邮件地址格式", - emailRequired: "电子邮件地址必填。", - emailSentMsg: "如果您的电子邮件存在,我们已发送请求邮件。", - expectingPasskey: "请使用MFA设备登陆", - http429: "过多无效输入,已锁定至:", - invalidCredentials: "无效证明", - invalidKeyUsed: "无效密钥", - login: "登陆", - mfaAck: "已确认", - orLoginWith: "或使用其他方式:", - password: "密码", - passwordForgotten: "忘记密码", - passwordRequest: "请求", - passwordRequired: "密码必填。", - passwordResetDesc: `Please provide your E-Mail to request a password reset link. If your address exists in out + lang: 'zh', + common: { + accept: 'Accept', + activeTheme: 'Active color scheme', + authenticate: 'Authenticate', + cancel: '取消', + changeTheme: 'Change Theme - Active: {{ CURRENT }}', + close: '关闭', + copyToClip: '复制到剪贴板', + delete: '删除', + details: '详情', + email: '电子邮箱', + errTooShort: '输入过短', + errTooLong: '输入过长', + expandContent: '展开内容', + hide: '隐藏', + hours: '小时', + invalidInput: '无效输入', + legend: '标题', + maxFileSize: '最大文件大小', + minutes: '分', + month: '月', + months: [ + '一月', + '二月', + '三月', + '四月', + '五月', + '六月', + '七月', + '八月', + '九月', + '十月', + '十一月', + '十二月' + ], + never: '从不', + password: '密码', + refresh: 'Refresh', + required: '必填', + save: '保存', + search: 'Search', + seconds: 'seconds', + selectI18n: '选择语言', + show: '显示', + summary: '概要', + weekDaysShort: ['星期日', '星期一', '星期二', '星期三', '星期四', '星期五', '星期六'], + year: '年' + }, + account: { + account: '用户账户', + accType: '账户类型', + accTypePasskeyText1: '此账户目前为仅密钥登录账户。\n因此,此账户没有密码,也无需设置密码。', + accTypePasskeyText2: + '您可以转换此账户并添加密码。\n但请注意,调整后在新设备上登录时需额外进行密码验证。\n如果您没有事先输入过至少一次密码,您将无法在任何设备上登录。', + accTypePasskeyText3: '您想要转换您的账户并添加一个密码吗?', + accessExp: '过期', + accessRenew: '续期至', + accessRenewDelete: '禁止续期', + birthdate: '生日', + canModifyFor: 'Passkeys can be modified for:', + city: '城市', + changePassword: '更改密码', + convertAccount: '转换账户', + convertAccountP1: + '您可以将您的账户转换为仅密钥登陆账户。\n此转换将删除您的密码,您将仅能够通过注册的密钥进行登陆。\n请注意,只有支持额外用户验证的密钥可被用于登陆。\n如果您的密钥支持用户验证,您可以在“MFA”页面中,密钥名称的后面看到一个符号。', + country: '国家', + deviceId: 'ID', + deviceName: '名称', + devices: '设备', + devicesDesc: '链接到此账户的设备', + emailUpdateConfirm: + '电子邮件地址未被更新。我们已向您的新邮箱发送了一封消息。\n您需要点击其中的确认链接,电子邮件地址将在被确认后更新。', + emailVerified: '已验证电子邮箱', + familyName: '姓', + federatedConvertPassword1: + '您有一个联合账户。\n这意味着您是通过外部鉴权提供者登陆的。您当前的提供者是:', + federatedConvertPassword2: + '您可以通过电子邮件请求密码重置。这将向您的本地账户添加密码,\n之后您可以通过本地密码或您的外部提供者进行登陆。您想要请求密码重置吗?', + generateRandom: '随机生成', + givenName: '名', + groups: '组', + key: '密钥', + keyUnique: '密钥必须唯一', + lastLogin: '最后登录', + mfaActivated: '多因子认证', + navInfo: '信息', + navEdit: '编辑', + navMfa: '多因子认证', + navLogout: '退出登录', + other: 'Other', + pam: { + generatePassword: 'New Password', + username: 'Username', + validFor: 'Password valid for {{ secs }} seconds' + }, + passwordConfirm: '确认密码', + passwordCurr: '当前密码', + passwordCurrReq: '当前密码必填。', + passwordNew: '新密码', + passwordNewReq: '新密码必填', + passwordNoMatch: '密码验证必填。', + passwordExpiry: '密码过期', + passwordPolicyFollow: '密码不符合要求。', + passwordReset: '重置密码', + phone: '手机', + providerLink: '联合账户', + providerLinkDesc: + '您可以将此账户连接到下列登陆提供者之一。\n激活此功能后,您将被重定向至所选提供者的登陆页面。在成功登陆后,如果电子邮件匹配,您的账户将被连接。', + providerUnlink: '取消联合', + providerUnlinkDesc: '仅当您已设置至少一个密码或登陆密钥后,您才能和登陆提供者取消连接。', + regDate: '注册日期', + regIp: '注册IP地址', + roles: '角色', + street: '街道', + user: '用户', + userCreated: '创建于', + userEnabled: '启用', + userExpiry: '过期', + userVerifiedTooltip: '指纹或PIN保护', + webIdDesc: + '您可以选择哪些字段能够通过WebID发布。\nWebID被一些网络用于去中心化登陆。如果您不知道这是什么,您通常不需要选择。', + webIdDescData: '您可以以FOAF词汇格式向您的 WebID 添加自定义数据字段', + webIdExpertMode: '启用专家模式', + zip: '邮政编码' + }, + authorize: { + clientForceMfa: + '本次登陆强制使用多因子认证以增强安全性。\n要完成登陆,请登入您的账户并添加一个登陆密钥。', + clientGroupPrefixForbidden: 'Missing group assignment for this login', + email: '电子邮件地址', + emailBadFormat: '错误的电子邮件地址格式', + emailRequired: '电子邮件地址必填。', + emailSentMsg: '如果您的电子邮件存在,我们已发送请求邮件。', + expectingPasskey: '请使用MFA设备登陆', + http429: '过多无效输入,已锁定至:', + invalidCredentials: '无效证明', + invalidKeyUsed: '无效密钥', + login: '登陆', + mfaAck: '已确认', + orLoginWith: '或使用其他方式:', + password: '密码', + passwordForgotten: '忘记密码', + passwordRequest: '请求', + passwordRequired: '密码必填。', + passwordResetDesc: `Please provide your E-Mail to request a password reset link. If your address exists in out database, you will receive a link via E-Mail.`, - passwordResetSuccess: "Request received. You can close this window now.", - requestExpires: "请求过期于", - requestExpired: "请求已过期", - signUp: "用户注册", - validEmail: "验证电子邮件地址", - }, - device: { - accept: "接受", - autoRedirectAccount: "您将被自动重定向至您的账户。", - closeWindow: "您现在可以关闭此窗口了。", - decline: "拒绝", - desc: "请输入来自您的设备的{{count}}位用户代码。", - descScopes: "此设备请求访问:", - isAccepted: "请求已被接受。", - isDeclined: "请求已被拒绝。", - submit: "提交", - title: "设备授权", - userCode: "用户代码", - wrongOrExpired: "代码错误或已过期" - }, - emailChange: { - title: "电子邮件地址已更新", - textChanged: "您的电子邮件地址已从", - textLogin: "您现在可以使用您的新地址进行登陆。", - to: "更新为", - }, - error: { - // errorText: "找不到请求的资源", - details: "显示详情", - // detailsText: undefined, - }, - index: { - register: "注册", - accountLogin: "登陆", - adminLogin: "管理", - }, - logout: { - logout: "退出登录", - confirmMsg: "您确定要退出登录并结束会话吗?", - cancel: "取消", - }, - mfa: { - p1: "如果您计划在多个系统上使用您的MFA密钥,例如Windows和Android,您应该在Android上进行注册。", - p2: "Android是支持无密码登陆特性最少的平台。能够在Android上进行注册的密钥也应能在其他平台上使用。", - errorReg: "开始注册过程时出现错误。", - lastUsed: "最后使用", - noKey: "此槽位没有已注册的安全密钥", - reAuthenticatePasskey: "Before you can modify Passkeys, you need to authenticate with an already registered one:", - reAuthenticatePwd: "Before you can modify Passkeys, you need to re-authenticate with your password.", - register: "注册", - registerNew: "注册新的密钥", - registerd: "注册时间", - registerdKeys: "已注册的密钥", - passkeyName: "密钥名称", - passkeyNameErr: "需要名称需要有2-32个非特殊字符", - passwordInvalid: "Password Invalid", - test: "测试", - testError: "开始测试时出现错误", - testSuccess: "测试成功!" - }, - pagination: { - entries: "项目", - gotoPage: "转到页面", - gotoPagePrev: "转到前一页", - gotoPageNext: "转到后一页", - pagination: "分页", - showCount: "显示数量", - total: "总数", - }, - passwordPolicy: { - passwordPolicy: "密码要求", - lengthMin: "最小长度", - lengthMax: "最长长度", - lowercaseMin: "最少小写字母", - uppercaseMin: "最少大写字母", - digitsMin: "最少数字", - specialMin: "最少特殊字符", - notRecent: "不是最近使用过的密码之一" - }, - passwordReset: { - accountLogin: "账户登录", - badFormat: "格式错误", - fidoLink: "https://fidoalliance.org/fido2/?lang=zh-hans", - generate: "生成", - newAccDesc1: "您可以在无密码账户和传统的密码账户之中选择其一。", - newAccDesc2: "无密码账户应被优先考虑,因为其提供更强的安全性。\n您需要至少一个支持FIDO2标准的通行密钥(Yubikey、Apple Touch ID或Windows Hello等)以完成账户创建。\n获取更多信息:", - newAccount: "新账户", - passwordReset: "密码重置", - password: "密码", - passwordless: "通行密钥", - passwordConfirm: "密码确认", - passwordNoMatch: "密码不匹配", - required: "必填", - save: "保存", - success1: "密码已成功更新。", - success2: "您将被重定向。", - success3: "如果您未被重定向,请点击此链接:", - successPasskey1: "您的通行密钥已成功注册。", - successPasskey2: "请登入您的账户并尽快注册一个备份密钥。\n对于仅密钥登陆的账户,在丢失您当前的密钥时,您无法通过电子邮件进行密码重置。" - }, - register: { - alreadyRegistered: "电子邮件地址已被注册", - domainAllowed: "允许的域名:", - domainErr: "此电子邮件域名不被允许", - domainRestricted: "电子邮件域名被限制", - email: "电子邮件", - emailBadFormat: "错误的电子邮件地址格式", - emailCheck: "请检查您的电子邮件收件箱", - regexName: "名字应有2至32个非特殊字符。", - register: "注册", - success: "注册成功", - userReg: "用户注册" - }, - userRevoke: { - title: "Revoke Logins", - desc1: "All Logins and Sessions have been revoked for this user as much as possible.", - desc2: "You should immediately renew all your passwords!", - } -}; \ No newline at end of file + passwordResetSuccess: 'Request received. You can close this window now.', + requestExpires: '请求过期于', + requestExpired: '请求已过期', + signUp: '用户注册', + validEmail: '验证电子邮件地址' + }, + device: { + accept: '接受', + autoRedirectAccount: '您将被自动重定向至您的账户。', + closeWindow: '您现在可以关闭此窗口了。', + decline: '拒绝', + desc: '请输入来自您的设备的{{count}}位用户代码。', + descScopes: '此设备请求访问:', + isAccepted: '请求已被接受。', + isDeclined: '请求已被拒绝。', + submit: '提交', + title: '设备授权', + userCode: '用户代码', + wrongOrExpired: '代码错误或已过期' + }, + emailChange: { + title: '电子邮件地址已更新', + textChanged: '您的电子邮件地址已从', + textLogin: '您现在可以使用您的新地址进行登陆。', + to: '更新为' + }, + error: { + // errorText: "找不到请求的资源", + details: '显示详情' + // detailsText: undefined, + }, + index: { + register: '注册', + accountLogin: '登陆', + adminLogin: '管理' + }, + logout: { + logout: '退出登录', + confirmMsg: '您确定要退出登录并结束会话吗?', + cancel: '取消' + }, + mfa: { + p1: '如果您计划在多个系统上使用您的MFA密钥,例如Windows和Android,您应该在Android上进行注册。', + p2: 'Android是支持无密码登陆特性最少的平台。能够在Android上进行注册的密钥也应能在其他平台上使用。', + p3: 'For more information, see', + docLinkText: 'the documentation about passkeys', + errorReg: '开始注册过程时出现错误。', + lastUsed: '最后使用', + noKey: '此槽位没有已注册的安全密钥', + reAuthenticatePasskey: + 'Before you can modify Passkeys, you need to authenticate with an already registered one:', + reAuthenticatePwd: + 'Before you can modify Passkeys, you need to re-authenticate with your password.', + register: '注册', + registerNew: '注册新的密钥', + registerd: '注册时间', + registerdKeys: '已注册的密钥', + passkeyName: '密钥名称', + passkeyNameErr: '需要名称需要有2-32个非特殊字符', + passwordInvalid: 'Password Invalid', + test: '测试', + testError: '开始测试时出现错误', + testSuccess: '测试成功!' + }, + pagination: { + entries: '项目', + gotoPage: '转到页面', + gotoPagePrev: '转到前一页', + gotoPageNext: '转到后一页', + pagination: '分页', + showCount: '显示数量', + total: '总数' + }, + passwordPolicy: { + passwordPolicy: '密码要求', + lengthMin: '最小长度', + lengthMax: '最长长度', + lowercaseMin: '最少小写字母', + uppercaseMin: '最少大写字母', + digitsMin: '最少数字', + specialMin: '最少特殊字符', + notRecent: '不是最近使用过的密码之一' + }, + passwordReset: { + accountLogin: '账户登录', + badFormat: '格式错误', + fidoLink: 'https://fidoalliance.org/fido2/?lang=zh-hans', + generate: '生成', + newAccDesc1: '您可以在无密码账户和传统的密码账户之中选择其一。', + newAccDesc2: + '无密码账户应被优先考虑,因为其提供更强的安全性。\n您需要至少一个支持FIDO2标准的通行密钥(Yubikey、Apple Touch ID或Windows Hello等)以完成账户创建。\n获取更多信息:', + newAccount: '新账户', + passwordReset: '密码重置', + password: '密码', + passwordless: '通行密钥', + passwordConfirm: '密码确认', + passwordNoMatch: '密码不匹配', + required: '必填', + save: '保存', + success1: '密码已成功更新。', + success2: '您将被重定向。', + success3: '如果您未被重定向,请点击此链接:', + successPasskey1: '您的通行密钥已成功注册。', + successPasskey2: + '请登入您的账户并尽快注册一个备份密钥。\n对于仅密钥登陆的账户,在丢失您当前的密钥时,您无法通过电子邮件进行密码重置。' + }, + register: { + alreadyRegistered: '电子邮件地址已被注册', + domainAllowed: '允许的域名:', + domainErr: '此电子邮件域名不被允许', + domainRestricted: '电子邮件域名被限制', + email: '电子邮件', + emailBadFormat: '错误的电子邮件地址格式', + emailCheck: '请检查您的电子邮件收件箱', + regexName: '名字应有2至32个非特殊字符。', + register: '注册', + success: '注册成功', + userReg: '用户注册' + }, + tos: { + tos: 'Terms of Service' + }, + userRevoke: { + title: 'Revoke Logins', + desc1: 'All Logins and Sessions have been revoked for this user as much as possible.', + desc2: 'You should immediately renew all your passwords!' + } +}; diff --git a/frontend/src/lib/admin/config/ToS.svelte b/frontend/src/lib/admin/config/ToS.svelte new file mode 100644 index 000000000..40386dc15 --- /dev/null +++ b/frontend/src/lib/admin/config/ToS.svelte @@ -0,0 +1,226 @@ + + +

{ta.tos.tos}

+ +

+ {#if noneExist} + {ta.tos.noneExist} + {:else if tos} + {tos.content} + {/if} +

+ +
+ + {#if tos} + + {/if} +
+ + +
+

{ta.tos.addNewToS}

+ +
+ +
+ +
+ {ta.tos.immutable} +
+ + + + + {#if error} +
+ {error} +
+ {/if} +
+ + +{#if tos} + +

{ta.tos.checkStatus}

+ +
+ +
+ {#each searchOptions as opt} + + {/each} +
+
+ + {#if userStatus && userStatus.length > 0} +
+

{selectedEmail}

+ + {#each userStatus as stat} +
+ {stat.tos_ts} + {stat.location} +
+ {/each} +
+ {/if} + + + +{/if} + + diff --git a/frontend/src/lib/admin/users/Users.svelte b/frontend/src/lib/admin/users/Users.svelte index a423ffe60..8e202b818 100644 --- a/frontend/src/lib/admin/users/Users.svelte +++ b/frontend/src/lib/admin/users/Users.svelte @@ -92,7 +92,7 @@ idx = 'id'; } - let res = await fetchSearchServer({ty: 'user', idx, q}); + let res = await fetchSearchServer({ty: 'user', idx, q}); if (res.body) { users = res.body; } else { diff --git a/frontend/src/lib/search_bar/SearchBar.svelte b/frontend/src/lib/search_bar/SearchBar.svelte index 96dd19fe8..b0fbf3de5 100644 --- a/frontend/src/lib/search_bar/SearchBar.svelte +++ b/frontend/src/lib/search_bar/SearchBar.svelte @@ -12,7 +12,7 @@ let { id = genKey(), - ariaLabel, + ariaLabel = t.common.search, value = $bindable(''), placeholder = t.common.search, datalist, diff --git a/frontend/src/lib/text_edit/EditorText.svelte b/frontend/src/lib/text_edit/EditorText.svelte new file mode 100644 index 000000000..c1c07ccf6 --- /dev/null +++ b/frontend/src/lib/text_edit/EditorText.svelte @@ -0,0 +1,109 @@ + + +
ref?.focus()}> + {@render children?.()} + +
+
+ + {#if appendCustomText} +
+ 
{appendCustomText}
+
+ {/if} + + {#if !hideButtons} + + + {/if} +
+ + diff --git a/frontend/src/routes/admin/config/+layout.svelte b/frontend/src/routes/admin/config/+layout.svelte index 2b98cbb8b..6e823b91b 100644 --- a/frontend/src/routes/admin/config/+layout.svelte +++ b/frontend/src/routes/admin/config/+layout.svelte @@ -38,6 +38,9 @@ Backups + + {ta.tos.tos} + diff --git a/frontend/src/routes/admin/config/tos/+page.svelte b/frontend/src/routes/admin/config/tos/+page.svelte new file mode 100644 index 000000000..91e5358d7 --- /dev/null +++ b/frontend/src/routes/admin/config/tos/+page.svelte @@ -0,0 +1,9 @@ + + + + Rauthy Terms of Service + + + diff --git a/frontend/src/routes/oidc/authorize/+page.svelte b/frontend/src/routes/oidc/authorize/+page.svelte index ff050d724..0454626d5 100644 --- a/frontend/src/routes/oidc/authorize/+page.svelte +++ b/frontend/src/routes/oidc/authorize/+page.svelte @@ -29,7 +29,7 @@ import type {AuthProviderTemplate} from "$api/templates/AuthProvider.ts"; import InputPassword from "$lib5/form/InputPassword.svelte"; import type {MfaPurpose, WebauthnAdditionalData} from "$webauthn/types.ts"; - import {fetchPost, type IResponse} from "$api/fetch"; + import {fetchGet, fetchPost, type IResponse} from "$api/fetch"; import type { CodeChallengeMethod, LoginRefreshRequest, @@ -46,6 +46,13 @@ import {fetchSolvePow} from "$utils/pow"; import {generatePKCE} from "$utils/pkce"; import {PATTERN_ATPROTO_ID} from "$utils/patterns"; + import type { + ToSAwaitLoginResponse, + ToSLatestResponse, + ToSUserAcceptRequest, + ToSUserAcceptResponse + } from "$api/types/tos"; + import Modal from "$lib/Modal.svelte"; const inputWidth = "18rem"; @@ -97,6 +104,13 @@ let userId = $state(''); let showPasswordInput = $derived(needsPassword && existingMfaUser !== email && !showReset && !isAtproto); + let refToS: undefined | HTMLParagraphElement = $state(); + let showModal = $state(false); + let closeModal: undefined | (() => void) = $state(); + let tos: undefined | ToSLatestResponse = $state(); + let tosRead = $state(false); + let tosAcceptCode = $state(''); + onMount(() => { if (!needsPassword) { refEmail?.focus(); @@ -134,6 +148,14 @@ } }); + $effect(() => { + if (refToS) { + setTimeout(() => { + onScrollEndToS(); + }, 1000); + } + }); + $effect(() => { if (IS_DEV) { // Make sure to create a session manually during dev. @@ -153,6 +175,18 @@ } } + async function fetchTos() { + if (!tos) { + let res = await fetchGet('/auth/v1/tos/latest'); + if (res.body) { + tos = res.body; + } else if (res.status === 204) { + console.error('No ToS exists when the user should update'); + } + } + showModal = true; + } + function handleShowReset() { err = ''; showReset = true; @@ -265,6 +299,12 @@ } else { console.error('did not receive a proper WebauthnLoginResponse after HTTP200'); } + } else if (res.status === 206) { + // login successful, but the user needs to accept updated ToS + let body = res.body as ToSAwaitLoginResponse; + userId = body.user_id; + tosAcceptCode = body.code; + await fetchTos(); } else if (res.status === 400) { err = res.error?.message || ''; } else if (res.status === 403) { @@ -338,6 +378,45 @@ }); } + function onScrollEndToS() { + if (!refToS) { + return false; + } + + // allow 50px diff for better UX + if (!tosRead && refToS.scrollHeight <= refToS.scrollTop + refToS.offsetHeight + 50) { + tosRead = true; + } + } + + async function onToSAccept() { + if (!tos) { + return; + } + + isLoading = true; + closeModal?.(); + + let payload: ToSUserAcceptRequest = { + accept_code: tosAcceptCode, + tos_ts: tos.ts, + }; + let res = await fetchPost('/auth/v1/tos/accept', payload); + await handleAuthRes(res); + } + + async function onToSCancel() { + password = ''; + userId = ''; + tosAcceptCode = ''; + tosRead = false; + isLoading = false; + mfaPurpose = undefined; + closeModal?.(); + // TODO probably add a `grace_time` feature for better UX? + // TODO we could add a deny endpoint in the backend to cleanup left-over data early + } + async function providerLoginPkce(id: string, pkce_challenge: string) { // make sure to reset input fields to not trigger a failing validation email = ''; @@ -394,8 +473,17 @@ } function onWebauthnSuccess(data?: WebauthnAdditionalData) { - if (data && 'loc' in data) { + if (!data) { + return; + } + + if ('loc' in data) { window.location.replace(data.loc as string); + } else if ('tos_await_code' in data) { + // login successful, but the user needs to accept updated ToS + tosAcceptCode = data.tos_await_code as string; + mfaPurpose = undefined; + fetchTos(); } } @@ -591,6 +679,35 @@ {/if} + {#if tos} + +

{t.tos.tos}

+

+ {#if tos.is_html} + {@html tos.content} + {:else} + {tos.content} + {/if} +

+ + + + {/if} + {#if !clientMfaForce && providers.length > 0 && !isAtproto}
diff --git a/frontend/src/routes/users/register/+page.svelte b/frontend/src/routes/users/register/+page.svelte index ddbbaeb7c..e3d06621c 100644 --- a/frontend/src/routes/users/register/+page.svelte +++ b/frontend/src/routes/users/register/+page.svelte @@ -12,27 +12,67 @@ import Form from "$lib5/form/Form.svelte"; import {PATTERN_USER_NAME} from "$utils/patterns"; import type {NewUserRegistrationRequest} from "$api/types/register.ts"; - import {fetchPost} from "$api/fetch"; + import {fetchGet, fetchPost} from "$api/fetch"; + import type {ToSLatestResponse} from "$api/types/tos"; + import Modal from "$lib/Modal.svelte"; + import {onMount} from "svelte"; + import {fetchSolvePow} from "$utils/pow"; let t = useI18n(); + let refToS: undefined | HTMLParagraphElement = $state(); + let showModal = $state(false); + let closeModal: undefined | (() => void) = $state(); + let restrictedDomain = $state(''); let redirectUri = useParam('redirect_uri'); let isLoading = $state(false); let err = $state(''); let success = $state(false); + let tos: undefined | ToSLatestResponse = $state(); + let tosRead = $state(false); + let noTosExists = $state(false); + + let email = $state(''); + let givenName = $state(''); + let familyName = $state(''); + let action = $derived(IS_DEV ? '/auth/v1/dev/register' : '/auth/v1/users/register'); + $effect(() => { + if (refToS) { + setTimeout(() => { + onScrollEndToS(); + }, 1000); + } + }); + + async function fetchTos() { + let res = await fetchGet('/auth/v1/tos/latest'); + if (res.body) { + tos = res.body; + } else if (res.status === 204) { + noTosExists = true; + } + } + + function onScrollEndToS() { + if (!refToS) { + return false; + } + + // allow 50px diff for better UX + if (!tosRead && refToS.scrollHeight <= refToS.scrollTop + refToS.offsetHeight + 50) { + tosRead = true; + } + } + async function onSubmit(form: HTMLFormElement, params: URLSearchParams) { success = false; err = ''; - let email = params.get('email'); - let given_name = params.get('given_name'); - let pow = params.get('pow'); - - if (!email || !given_name || !pow) { + if (!email || !givenName) { console.error('email, given_name, pow missing'); return; } @@ -42,22 +82,40 @@ return; } + if (!tos) { + await fetchTos(); + } + + if (tos) { + showModal = true; + } else if (noTosExists) { + await submitRegistration(); + } else { + console.error('logic error in ToS fetch / accept'); + } + } + + async function acceptToS() { + closeModal?.(); + await submitRegistration(); + } + + async function submitRegistration() { + isLoading = true; + let payload: NewUserRegistrationRequest = { email, - given_name, - family_name: params.get('family_name') || undefined, - pow, - redirect_uri: params.get('redirect_uri') || undefined, + given_name: givenName, + family_name: familyName || undefined, + pow: await fetchSolvePow() || '', + redirect_uri: redirectUri.get(), }; - isLoading = true; - // await tick(); - - const res = await fetchPost(form.action, payload); + const res = await fetchPost(action, payload); if (res.error) { let error = res.error.message || 'Error'; if (error.includes("UNIQUE constraint")) { - err = 'E-Mail is already registered'; + err = t.register.alreadyRegistered; } else { err = error; } @@ -92,16 +150,14 @@ {/if}
-
- {#if redirectUri.get()} - - {/if} + @@ -117,6 +174,7 @@ autocomplete="family-name" label={t.account.familyName} placeholder={t.account.familyName} + bind:value={familyName} pattern={PATTERN_USER_NAME} /> @@ -137,6 +195,35 @@
+ {#if tos} + +

{t.tos.tos}

+

+ {#if tos.is_html} + {@html tos.content} + {:else} + {tos.content} + {/if} +

+ + + + {/if} + @@ -167,4 +254,11 @@ .domainTxt { margin: .5rem 0; } + + .tosContent { + max-height: min(75dvh, 40rem); + margin-bottom: 1rem; + padding-right: 1rem; + overflow-y: auto; + } diff --git a/frontend/src/utils/search.ts b/frontend/src/utils/search.ts index 9b2e58ea8..13ecc9879 100644 --- a/frontend/src/utils/search.ts +++ b/frontend/src/utils/search.ts @@ -1,23 +1,23 @@ -import {fetchGet, type IResponse} from "$api/fetch.ts"; +import { fetchGet, type IResponse } from '$api/fetch'; export type SearchParamsType = 'user' | 'session'; export type SearchParamsIdxUser = 'id' | 'email'; export type SearchParamsIdxSession = 'userid' | 'sessionid' | 'ip'; export interface SearchParams { - /// Data type - ty: SearchParamsType, - /// Index - idx: SearchParamsIdxUser | SearchParamsIdxSession, - /// The actual search query - validation: `[a-zA-Z0-9,.:/_\-&?=~#!$'()*+%@]+` - q: string, - limit?: number, + /// Data type + ty: SearchParamsType; + /// Index + idx: SearchParamsIdxUser | SearchParamsIdxSession; + /// The actual search query - validation: `[a-zA-Z0-9,.:/_\-&?=~#!$'()*+%@]+` + q: string; + limit?: number; } export async function fetchSearchServer(params: SearchParams): Promise> { - let url = `/auth/v1/search?ty=${params.ty}&idx=${params.idx}&q=${params.q}`; - if (params.limit) { - url += `$limit=${params.limit}`; - } - return await fetchGet(url); -} \ No newline at end of file + let url = `/auth/v1/search?ty=${params.ty}&idx=${params.idx}&q=${params.q}`; + if (params.limit) { + url += `$limit=${params.limit}`; + } + return await fetchGet(url); +} diff --git a/frontend/src/webauthn/authentication.ts b/frontend/src/webauthn/authentication.ts index 17aac2ed4..93677388e 100644 --- a/frontend/src/webauthn/authentication.ts +++ b/frontend/src/webauthn/authentication.ts @@ -1,116 +1,122 @@ -import {arrBufToBase64UrlSafe, promiseTimeout} from "$utils/helpers"; -import {fetchPost} from "$api/fetch"; +import { arrBufToBase64UrlSafe, promiseTimeout } from '$utils/helpers'; +import { fetchPost } from '$api/fetch'; import type { - MfaPurpose, WebauthnAdditionalData, - WebauthnAuthFinishRequest, - WebauthnAuthStartRequest, - WebauthnAuthStartResponse -} from "./types.ts"; -import {base64UrlSafeToArrBuf} from "./utils"; + MfaPurpose, + WebauthnAdditionalData, + WebauthnAuthFinishRequest, + WebauthnAuthStartRequest, + WebauthnAuthStartResponse +} from './types.ts'; +import { base64UrlSafeToArrBuf } from './utils'; export interface WebauthnAuthResult { - error?: string, - data?: WebauthnAdditionalData, + error?: string; + data?: WebauthnAdditionalData; } export async function webauthnAuth( - userId: string, - purpose: MfaPurpose, - errorI18nInvalidKey: string, - errorI18nTimeout: string, + userId: string, + purpose: MfaPurpose, + errorI18nInvalidKey: string, + errorI18nTimeout: string ): Promise { - let payloadStart: WebauthnAuthStartRequest = { - purpose, - }; - let res = await fetchPost(`/auth/v1/users/${userId}/webauthn/auth/start`, payloadStart); - if (res.error) { - console.error(res.error); - return { - error: res.error.message || 'Error starting the Authentication' - }; - } - if (!res.body) { - let error = 'Did not receive a valid webauthn body'; - console.error(error); - return {error}; - } + let payloadStart: WebauthnAuthStartRequest = { + purpose + }; + let res = await fetchPost( + `/auth/v1/users/${userId}/webauthn/auth/start`, + payloadStart + ); + if (res.error) { + console.error(res.error); + return { + error: res.error.message || 'Error starting the Authentication' + }; + } + if (!res.body) { + let error = 'Did not receive a valid webauthn body'; + console.error(error); + return { error }; + } - let resp = res.body; - // We need to apply a small hack to make TS happy. - // The browser expects ArrayBuffers in some places, but the backend sends them as base64 encoded data, - // which we will decode properly in the following lines. - let challenge = resp.rcr as unknown as CredentialRequestOptions; - if (!challenge.publicKey) { - let error = 'no publicKey in challenge from the backend'; - console.error(error); - return { - error, - }; - } + let resp = res.body; + // We need to apply a small hack to make TS happy. + // The browser expects ArrayBuffers in some places, but the backend sends them as base64 encoded data, + // which we will decode properly in the following lines. + let challenge = resp.rcr as unknown as CredentialRequestOptions; + if (!challenge.publicKey) { + let error = 'no publicKey in challenge from the backend'; + console.error(error); + return { + error + }; + } - // convert base64 into ArrayBuffers - challenge.publicKey.challenge = base64UrlSafeToArrBuf(challenge.publicKey.challenge); - if (challenge.publicKey.allowCredentials) { - for (let cred of challenge.publicKey.allowCredentials) { - cred.id = base64UrlSafeToArrBuf(cred.id); - } - } + // convert base64 into ArrayBuffers + challenge.publicKey.challenge = base64UrlSafeToArrBuf(challenge.publicKey.challenge); + if (challenge.publicKey.allowCredentials) { + for (let cred of challenge.publicKey.allowCredentials) { + cred.id = base64UrlSafeToArrBuf(cred.id); + } + } - // prompt for the passkey and get its public key - const exp = (resp.exp - 1) * 1000; - const expTime = new Date().getTime() + exp; - let credential: Credential; - try { - const cred = await promiseTimeout(navigator.credentials.get(challenge), exp); - if (cred) { - credential = cred; - } else { - return { - error: errorI18nInvalidKey, - }; - } - } catch (e) { - const timeout = new Date().getTime() >= expTime; - return { - error: timeout ? errorI18nTimeout : errorI18nInvalidKey, - }; - } + // prompt for the passkey and get its public key + const exp = (resp.exp - 1) * 1000; + const expTime = new Date().getTime() + exp; + let credential: Credential; + try { + const cred = await promiseTimeout(navigator.credentials.get(challenge), exp); + if (cred) { + credential = cred; + } else { + return { + error: errorI18nInvalidKey + }; + } + } catch (e) { + const timeout = new Date().getTime() >= expTime; + return { + error: timeout ? errorI18nTimeout : errorI18nInvalidKey + }; + } - // The backend expects base64 url safe strings instead of array buffers. - // The values we need to modify are not publicly exported in the TS type though, but they exist. - let payloadFinish: WebauthnAuthFinishRequest = { - code: resp.code, - data: { - id: credential.id, - // @ts-ignore the `response.rawId` actually exists - rawId: arrBufToBase64UrlSafe(credential.rawId), - response: { - // @ts-ignore the `response.authenticatorData` actually exists - authenticatorData: arrBufToBase64UrlSafe(credential.response.authenticatorData), - // @ts-ignore the `response.clientDataJSON` actually exists - clientDataJSON: arrBufToBase64UrlSafe(credential.response.clientDataJSON), - // @ts-ignore the `response.signature` actually exists - signature: arrBufToBase64UrlSafe(credential.response.signature), - }, - // @ts-ignore the `response.getClientExtensionResults()` actually exists - extensions: credential.getClientExtensionResults(), - type: credential.type, - } - } + // The backend expects base64 url safe strings instead of array buffers. + // The values we need to modify are not publicly exported in the TS type though, but they exist. + let payloadFinish: WebauthnAuthFinishRequest = { + code: resp.code, + data: { + id: credential.id, + // @ts-ignore the `response.rawId` actually exists + rawId: arrBufToBase64UrlSafe(credential.rawId), + response: { + // @ts-ignore the `response.authenticatorData` actually exists + authenticatorData: arrBufToBase64UrlSafe(credential.response.authenticatorData), + // @ts-ignore the `response.clientDataJSON` actually exists + clientDataJSON: arrBufToBase64UrlSafe(credential.response.clientDataJSON), + // @ts-ignore the `response.signature` actually exists + signature: arrBufToBase64UrlSafe(credential.response.signature) + }, + // @ts-ignore the `response.getClientExtensionResults()` actually exists + extensions: credential.getClientExtensionResults(), + type: credential.type + } + }; - // finish the ceremony - let resFinish = await fetchPost( - `/auth/v1/users/${userId}/webauthn/auth/finish`, - payloadFinish, - ); - if (resFinish.status === 202) { - return { - data: resFinish.body, - }; - } else { - console.error(resFinish); - return { - error: resFinish.error?.message || 'Authentication Error', - }; - } + // finish the ceremony + let resFinish = await fetchPost( + `/auth/v1/users/${userId}/webauthn/auth/finish`, + payloadFinish + ); + // 202 -> normal success + // 206 -> Webauthn success during login, but needs additional ToS update accept + if (resFinish.status === 202 || resFinish.status === 206) { + return { + data: resFinish.body + }; + } else { + console.error(resFinish); + return { + error: resFinish.error?.message || 'Authentication Error' + }; + } } diff --git a/frontend/vite.config.js b/frontend/vite.config.js index b13ac20f5..6d0df81c0 100644 --- a/frontend/vite.config.js +++ b/frontend/vite.config.js @@ -59,6 +59,7 @@ const config = { '/auth/v1/sessions': backend, '/auth/v1/template': backend, '/auth/v1/theme': backend, + '/auth/v1/tos': backend, '/auth/v1/update_language': backend, '/auth/v1/version': backend, '/docs/v1/': backend diff --git a/migrations/hiqlite/20_tos.sql b/migrations/hiqlite/20_tos.sql new file mode 100644 index 000000000..e05e4eccd --- /dev/null +++ b/migrations/hiqlite/20_tos.sql @@ -0,0 +1,25 @@ +CREATE TABLE tos +( + ts INTEGER NOT NULL + CONSTRAINT tos_pk + PRIMARY KEY, + author TEXT NOT NULL, + is_html INTEGER NOT NULL, + content TEXT NOT NULL +) STRICT; + +CREATE UNIQUE INDEX tos_ts_uindex + ON tos (ts DESC); + +CREATE TABLE tos_user_accept +( + user_id TEXT NOT NULL, + tos_ts INTEGER NOT NULL, + accept_ts INTEGER NOT NULL, + location TEXT NOT NULL, + CONSTRAINT tos_user_accept_pk + PRIMARY KEY (user_id, tos_ts) +) STRICT; + +CREATE UNIQUE INDEX tos_user_accept_user_id_tos_Ts_uindex + ON tos_user_accept (user_id, tos_Ts); diff --git a/migrations/postgres/V15__tos.sql b/migrations/postgres/V15__tos.sql new file mode 100644 index 000000000..e9d8bd43b --- /dev/null +++ b/migrations/postgres/V15__tos.sql @@ -0,0 +1,25 @@ +CREATE TABLE tos +( + ts BIGINT NOT NULL + CONSTRAINT tos_pk + PRIMARY KEY, + author VARCHAR NOT NULL, + is_html BOOLEAN NOT NULL, + content VARCHAR NOT NULL +); + +CREATE UNIQUE INDEX tos_ts_uindex + ON tos (ts DESC); + +CREATE TABLE tos_user_accept +( + user_id VARCHAR NOT NULL, + tos_ts BIGINT NOT NULL, + accept_ts BIGINT NOT NULL, + location VARCHAR NOT NULL, + CONSTRAINT tos_user_accept_pk + PRIMARY KEY (user_id, tos_ts) +); + +CREATE UNIQUE INDEX tos_user_accept_user_id_tos_Ts_uindex + ON tos_user_accept (user_id, tos_Ts); diff --git a/src/api/src/auth_providers.rs b/src/api/src/auth_providers.rs index 076e07aef..2d811de17 100644 --- a/src/api/src/auth_providers.rs +++ b/src/api/src/auth_providers.rs @@ -12,7 +12,7 @@ use rauthy_api_types::generic::LogoParams; use rauthy_api_types::users::{UserResponse, WebauthnLoginResponse}; use rauthy_common::constants::{HEADER_JSON, PROVIDER_ATPROTO}; use rauthy_data::entity::auth_providers::{ - AuthProvider, AuthProviderCallback, AuthProviderLinkCookie, AuthProviderTemplate, + AuthProvider, AuthProviderLinkCookie, AuthProviderTemplate, }; use rauthy_data::entity::logos::{Logo, LogoType}; use rauthy_data::entity::theme::ThemeCssFull; @@ -151,7 +151,8 @@ pub async fn post_provider_login( Pow::validate(&payload.pow)?; - let (cookie, xsrf_token, location) = AuthProviderCallback::login_start(payload).await?; + let (cookie, xsrf_token, location) = + rauthy_service::oidc::auth_providers::login_start::login_start(payload).await?; Ok(HttpResponse::Accepted() .insert_header((LOCATION, location)) @@ -207,8 +208,12 @@ pub async fn post_provider_callback_handle( payload.validate()?; let session = principal.get_session()?; - let (auth_step, cookie) = - AuthProviderCallback::login_finish(&req, &payload, session.clone()).await?; + let (auth_step, cookie) = rauthy_service::oidc::auth_providers::login_finish::login_finish( + &req, + &payload, + session.clone(), + ) + .await?; let mut resp = map_auth_step(auth_step, &req).await?; resp.add_cookie(&cookie).map_err(|err| { @@ -504,7 +509,8 @@ pub async fn post_provider_link( }; // directly redirect to the provider login page - let (login_cookie, xsrf_token, location) = AuthProviderCallback::login_start(payload).await?; + let (login_cookie, xsrf_token, location) = + rauthy_service::oidc::auth_providers::login_start::login_start(payload).await?; Ok(HttpResponse::Accepted() .insert_header((LOCATION, location)) diff --git a/src/api/src/lib.rs b/src/api/src/lib.rs index f10ddc73d..03fcf509b 100644 --- a/src/api/src/lib.rs +++ b/src/api/src/lib.rs @@ -2,10 +2,12 @@ #![forbid(unsafe_code)] +use actix_web::http::StatusCode; use actix_web::http::header::{ ACCESS_CONTROL_ALLOW_CREDENTIALS, ACCESS_CONTROL_ALLOW_METHODS, HeaderMap, HeaderValue, }; -use actix_web::{HttpRequest, HttpResponse, web}; +use actix_web::{HttpRequest, HttpResponse, HttpResponseBuilder, web}; +use rauthy_api_types::tos::ToSAwaitLoginResponse; use rauthy_api_types::users::WebauthnLoginResponse; use rauthy_common::constants::COOKIE_MFA; use rauthy_data::AuthStep; @@ -39,6 +41,7 @@ pub mod scopes; pub mod sessions; pub mod swagger_ui; pub mod themes; +pub mod tos; pub mod users; pub type ReqApiKey = web::ReqData>; @@ -117,6 +120,33 @@ pub async fn map_auth_step( Ok(resp) } + AuthStep::AwaitToSAccept(res) => { + // Partial Content as return code is technically probably not "correct", as you + // would expect it during downloads, but it makes the checks in the UI a lot more + // resilient, when we have a dedicated code for each possible situation we need to + // handle. + let mut resp = HttpResponseBuilder::new(StatusCode::from_u16(206).unwrap()) + .insert_header(fed_cm_header) + .insert_header(res.header_csrf) + .json(&ToSAwaitLoginResponse { + tos_await_code: res.code, + user_id: Some(res.user_id), + // TODO do we actually need the session object at this point? + }); + if let Some((name, value)) = res.header_origin { + resp.headers_mut().insert(name, value); + resp.headers_mut().insert( + ACCESS_CONTROL_ALLOW_METHODS, + HeaderValue::from_static("POST"), + ); + resp.headers_mut().insert( + ACCESS_CONTROL_ALLOW_CREDENTIALS, + HeaderValue::from_static("true"), + ); + } + Ok(resp) + } + AuthStep::AwaitWebauthn(res) => { let body = WebauthnLoginResponse { code: res.code, diff --git a/src/api/src/tos.rs b/src/api/src/tos.rs new file mode 100644 index 000000000..803c4c6fa --- /dev/null +++ b/src/api/src/tos.rs @@ -0,0 +1,192 @@ +use crate::ReqPrincipal; +use actix_web::http::header::{ + ACCESS_CONTROL_ALLOW_CREDENTIALS, ACCESS_CONTROL_ALLOW_METHODS, HeaderValue, LOCATION, ORIGIN, +}; +use actix_web::web::{Json, Path}; +use actix_web::{HttpRequest, HttpResponse, get, post}; +use rauthy_api_types::tos::{ + ToSAcceptRequest, ToSLatestResponse, ToSRequest, ToSResponse, ToSUserAcceptResponse, +}; +use rauthy_common::utils::real_ip_from_req; +use rauthy_data::entity::auth_codes::{AuthCode, AuthCodeToSAwait}; +use rauthy_data::entity::tos::ToS; +use rauthy_data::entity::tos_user_accept::ToSUserAccept; +use rauthy_data::entity::users::User; +use rauthy_data::ipgeo::get_location; +use rauthy_error::{ErrorResponse, ErrorResponseType}; + +/// Returns all ToS +/// +/// **Permissions** +/// - rauthy_admin +#[utoipa::path( + get, + path = "/tos", + tag = "tos", + responses( + (status = 200, description = "Ok", body = [ToSResponse]), + (status = 401, description = "Unauthorized", body = ErrorResponse), + (status = 403, description = "Forbidden", body = ErrorResponse), + ), +)] +#[get("/tos")] +pub async fn get_tos(principal: ReqPrincipal) -> Result { + principal.validate_admin_session()?; + + let resp = ToS::find_all() + .await? + .into_iter() + .map(ToSResponse::from) + .collect::>(); + + Ok(HttpResponse::Ok().json(resp)) +} + +/// Create and publish new ToS +/// +/// **Permissions** +/// - rauthy_admin +#[utoipa::path( + post, + path = "/tos", + tag = "tos", + responses( + (status = 201, description = "Created"), + (status = 401, description = "Unauthorized", body = ErrorResponse), + (status = 403, description = "Forbidden", body = ErrorResponse), + ), +)] +#[post("/tos")] +pub async fn post_tos( + principal: ReqPrincipal, + payload: Json, +) -> Result { + principal.validate_admin_session()?; + + let payload = payload.into_inner(); + let user = User::find(principal.user_id()?.to_string()).await?; + + // Note: We do not use an FK here on purpose. We still want to be able to know the email even + // if this user gets deleted at some point in the future. + ToS::create(user.email, payload.is_html, payload.content).await?; + + Ok(HttpResponse::Created().finish()) +} + +/// Returns the latest ToS +#[utoipa::path( + get, + path = "/tos/latest", + tag = "tos", + responses( + (status = 200, description = "Ok", body = ToSLatestResponse), + (status = 204, description = "NoContent"), + (status = 401, description = "Unauthorized", body = ErrorResponse), + (status = 403, description = "Forbidden", body = ErrorResponse), + ), +)] +#[get("/tos/latest")] +pub async fn get_tos_latest() -> Result { + if let Some(tos) = ToS::find_latest().await? { + Ok(HttpResponse::Ok().json(ToSLatestResponse::from(tos))) + } else { + Ok(HttpResponse::NoContent().finish()) + } +} + +/// GET user accept status for all existing ToS +/// +/// **Permissions** +/// - rauthy_admin +#[utoipa::path( + get, + path = "/tos/user/{id}", + tag = "tos", + responses( + (status = 200, description = "Ok", body = [ToSUserAcceptResponse]), + (status = 204, description = "NoContent"), + (status = 401, description = "Unauthorized", body = ErrorResponse), + (status = 403, description = "Forbidden", body = ErrorResponse), + ), +)] +#[get("/tos/user/{id}")] +pub async fn get_tos_user_status( + principal: ReqPrincipal, + uid: Path, +) -> Result { + principal.validate_admin_session()?; + + let res = ToSUserAccept::find_all(uid.into_inner()) + .await? + .into_iter() + .map(ToSUserAcceptResponse::from) + .collect::>(); + + Ok(HttpResponse::Ok().json(res)) +} + +/// Accept an updated ToS for existing accounts +/// +/// **Permissions** +/// - session in init or auth state +#[utoipa::path( + post, + path = "/tos/accept", + tag = "tos", + responses( + (status = 200, description = "Ok"), + (status = 401, description = "Unauthorized", body = ErrorResponse), + (status = 403, description = "Forbidden", body = ErrorResponse), + ), +)] +#[post("/tos/accept")] +pub async fn post_tos_accept( + principal: ReqPrincipal, + req: HttpRequest, + payload: Json, +) -> Result { + principal.validate_session_auth_or_init()?; + + let Some(code_await) = AuthCodeToSAwait::find(&payload.accept_code).await? else { + return Err(ErrorResponse::new( + ErrorResponseType::NotFound, + "Invalid ToS accept code", + )); + }; + + let Some(mut auth_code) = AuthCode::find(code_await.auth_code.clone()).await? else { + return Err(ErrorResponse::new( + ErrorResponseType::NotFound, + "AuthCode does not exist anymore", + )); + }; + + let user = User::find(auth_code.user_id.clone()).await?; + user.check_enabled()?; + user.check_expired()?; + + let tos = ToS::find(payload.tos_ts).await?; + let ip = real_ip_from_req(&req)?; + let loc = get_location(&req, ip)?; + ToSUserAccept::create(user.id, tos.ts, ip, loc).await?; + + auth_code.reset_exp(code_await.auth_code_lifetime).await?; + code_await.delete().await?; + + let mut resp = HttpResponse::Accepted() + .insert_header((LOCATION, code_await.header_loc)) + .finish(); + if let Some(value) = code_await.header_origin { + resp.headers_mut() + .insert(ORIGIN, HeaderValue::from_str(&value)?); + resp.headers_mut().insert( + ACCESS_CONTROL_ALLOW_METHODS, + HeaderValue::from_static("POST"), + ); + resp.headers_mut().insert( + ACCESS_CONTROL_ALLOW_CREDENTIALS, + HeaderValue::from_static("true"), + ); + } + Ok(resp) +} diff --git a/src/api/src/users.rs b/src/api/src/users.rs index 940e99abd..86d1b06ca 100644 --- a/src/api/src/users.rs +++ b/src/api/src/users.rs @@ -39,6 +39,8 @@ use rauthy_data::entity::pow::PowEntity; use rauthy_data::entity::refresh_tokens::RefreshToken; use rauthy_data::entity::sessions::Session; use rauthy_data::entity::theme::ThemeCssFull; +use rauthy_data::entity::tos::ToS; +use rauthy_data::entity::tos_user_accept::ToSUserAccept; use rauthy_data::entity::user_attr::{UserAttrConfigEntity, UserAttrValueEntity}; use rauthy_data::entity::user_revoke::UserRevoke; use rauthy_data::entity::users::User; @@ -50,6 +52,7 @@ use rauthy_data::events::event::Event; use rauthy_data::html::HtmlCached; use rauthy_data::html::templates::{Error3Html, ErrorHtml, UserRevokeHtml}; use rauthy_data::ipgeo; +use rauthy_data::ipgeo::get_location; use rauthy_data::language::Language; use rauthy_data::rauthy_config::RauthyConfig; use rauthy_error::{ErrorResponse, ErrorResponseType}; @@ -404,7 +407,7 @@ pub async fn post_users_register_handle( if !RauthyConfig::get().vars.user_registration.enable { return Err(ErrorResponse::new( ErrorResponseType::Forbidden, - "Open User Registration is not allowed".to_string(), + "Open User Registration is not allowed", )); } payload.validate()?; @@ -462,6 +465,12 @@ pub async fn post_users_register_handle( .await .unwrap(); + if let Some(tos) = ToS::find_latest().await? { + let ip = real_ip_from_req(&req)?; + let loc = get_location(&req, ip)?; + ToSUserAccept::create(user.id.clone(), tos.ts, ip, loc).await?; + } + task::spawn(async move { let email = user.email.clone(); if let Err(err) = ClientScim::create_update_user(user).await { diff --git a/src/api_types/src/lib.rs b/src/api_types/src/lib.rs index 8e750b21c..14ac117de 100644 --- a/src/api_types/src/lib.rs +++ b/src/api_types/src/lib.rs @@ -18,6 +18,7 @@ pub mod roles; pub mod scopes; pub mod sessions; pub mod themes; +pub mod tos; pub mod users; #[derive(Deserialize, ToSchema)] diff --git a/src/api_types/src/tos.rs b/src/api_types/src/tos.rs new file mode 100644 index 000000000..714e7a7bc --- /dev/null +++ b/src/api_types/src/tos.rs @@ -0,0 +1,46 @@ +use serde::{Deserialize, Serialize}; +use utoipa::ToSchema; +use validator::Validate; + +#[derive(Deserialize, ToSchema, Validate)] +pub struct ToSRequest { + pub is_html: bool, + #[validate(length(min = 1, max = 8192))] + pub content: String, +} + +#[derive(Deserialize, ToSchema, Validate)] +pub struct ToSAcceptRequest { + pub tos_ts: i64, + #[validate(length(min = 64, max = 64))] + pub accept_code: String, +} + +#[derive(Serialize, ToSchema)] +pub struct ToSResponse { + pub ts: i64, + pub author: String, + pub is_html: bool, + pub content: String, +} + +#[derive(Serialize, ToSchema)] +pub struct ToSAwaitLoginResponse { + pub tos_await_code: String, + pub user_id: Option, +} + +#[derive(Serialize, ToSchema)] +pub struct ToSLatestResponse { + pub ts: i64, + pub is_html: bool, + pub content: String, +} + +#[derive(Serialize, ToSchema)] +pub struct ToSUserAcceptResponse { + pub user_id: String, + pub tos_ts: i64, + pub accept_ts: i64, + pub location: String, +} diff --git a/src/bin/src/main.rs b/src/bin/src/main.rs index c48760bd5..c260d960a 100644 --- a/src/bin/src/main.rs +++ b/src/bin/src/main.rs @@ -137,6 +137,30 @@ async fn main() -> Result<(), Box> { // whole App cache to make sure config changes are always updated DB::hql().clear_cache(Cache::App).await.unwrap(); + #[cfg(debug_assertions)] + { + DB::hql().clear_cache(Cache::Atproto).await.unwrap(); + DB::hql().clear_cache(Cache::DeviceCode).await.unwrap(); + DB::hql() + .clear_cache(Cache::AuthProviderCallback) + .await + .unwrap(); + DB::hql().clear_cache(Cache::ClientDynamic).await.unwrap(); + DB::hql().clear_cache(Cache::ClientEphemeral).await.unwrap(); + DB::hql().clear_cache(Cache::ClientSecret).await.unwrap(); + DB::hql().clear_cache(Cache::DPoPNonce).await.unwrap(); + DB::hql().clear_cache(Cache::JwksRemote).await.unwrap(); + DB::hql().clear_cache(Cache::ThemeTs).await.unwrap(); + DB::hql().clear_cache(Cache::IpBlacklist).await.unwrap(); + DB::hql().clear_cache(Cache::IpRateLimit).await.unwrap(); + DB::hql().clear_cache(Cache::Session).await.unwrap(); + DB::hql().clear_cache(Cache::PoW).await.unwrap(); + DB::hql().clear_cache(Cache::ToS).await.unwrap(); + DB::hql().clear_cache(Cache::User).await.unwrap(); + DB::hql().clear_cache(Cache::Webauthn).await.unwrap(); + DB::hql().clear_cache(Cache::PAM).await.unwrap(); + } + { let cfg = &RauthyConfig::get().vars.server; if cfg.swagger_ui_enable { diff --git a/src/bin/src/server.rs b/src/bin/src/server.rs index b0cdc5812..cf84df506 100644 --- a/src/bin/src/server.rs +++ b/src/bin/src/server.rs @@ -9,7 +9,7 @@ use rauthy_data::ListenScheme; use rauthy_data::rauthy_config::RauthyConfig; use rauthy_handlers::{ api_keys, atproto, auth_providers, backup, blacklist, clients, dev_only, events, fed_cm, - generic, groups, html, oidc, pam, roles, scopes, sessions, swagger_ui, themes, users, + generic, groups, html, oidc, pam, roles, scopes, sessions, swagger_ui, themes, tos, users, }; use rauthy_middlewares::csrf_protection::CsrfProtectionMiddleware; use rauthy_middlewares::ip_blacklist::RauthyIpBlacklistMiddleware; @@ -413,6 +413,11 @@ fn api_services() -> actix_web::Scope { .service(sessions::delete_sessions) .service(sessions::delete_session_by_id) .service(sessions::delete_sessions_for_user) + .service(tos::get_tos) + .service(tos::post_tos) + .service(tos::get_tos_latest) + .service(tos::get_tos_user_status) + .service(tos::post_tos_accept) .service(users::get_user_password_reset) .service(users::put_user_password_reset) .service(users::get_user_by_email) diff --git a/src/data/src/database.rs b/src/data/src/database.rs index f689bfe14..5e81b600c 100644 --- a/src/data/src/database.rs +++ b/src/data/src/database.rs @@ -30,6 +30,10 @@ mod migrations_postgres { struct MigrationsHiqlite; /// Cache Index for the `hiqlite` cache layer +/// +/// CAUTION: DO NOT change the order when adding new entries to now have false-positive +/// during updates for already existing environments. Caches are not indexed via String / Name, +/// but via u32 internally. #[derive(Debug, strum::EnumIter)] pub enum Cache { Atproto, @@ -51,6 +55,7 @@ pub enum Cache { User, Webauthn, PAM, + ToS, } impl CacheIndex for Cache { diff --git a/src/data/src/entity/auth_codes.rs b/src/data/src/entity/auth_codes.rs index 7f79851dd..070bbfe61 100644 --- a/src/data/src/entity/auth_codes.rs +++ b/src/data/src/entity/auth_codes.rs @@ -1,11 +1,13 @@ use crate::database::{Cache, DB}; use crate::rauthy_config::RauthyConfig; +use chrono::Utc; use rauthy_common::utils::get_rand; use rauthy_error::ErrorResponse; use serde::{Deserialize, Serialize}; +use std::fmt::Write; use std::fmt::{Debug, Formatter}; use std::ops::Add; -use time::OffsetDateTime; +use utoipa::ToSchema; #[derive(Deserialize, Serialize)] pub struct AuthCode { @@ -48,16 +50,29 @@ impl AuthCode { } // Saves an Authorization Code - pub async fn save(&self) -> Result<(), ErrorResponse> { - let ttl = (300 + RauthyConfig::get().vars.webauthn.req_exp) as i64; + pub async fn save(&self, ttl: i32) -> Result<(), ErrorResponse> { DB::hql() - .put(Cache::AuthCode, self.id.clone(), self, Some(ttl)) + .put(Cache::AuthCode, self.id.clone(), self, Some(ttl as i64)) .await?; Ok(()) } } impl AuthCode { + #[inline] + pub fn build_location_header( + &self, + redirect_uri: &str, + state: Option<&str>, + ) -> Result { + let append_char = if redirect_uri.contains('?') { '&' } else { '?' }; + let mut loc = format!("{}{}code={}", redirect_uri, append_char, self.id); + if let Some(state) = state { + write!(loc, "&state={state}")?; + }; + Ok(loc) + } + #[allow(clippy::too_many_arguments)] pub fn new( user_id: String, @@ -70,9 +85,9 @@ impl AuthCode { lifetime_secs: i32, ) -> Self { let id = get_rand(64); - let exp = OffsetDateTime::now_utc() - .add(time::Duration::seconds(lifetime_secs as i64)) - .unix_timestamp(); + let exp = Utc::now() + .add(chrono::Duration::seconds(lifetime_secs as i64)) + .timestamp(); Self { id, exp, @@ -85,4 +100,65 @@ impl AuthCode { scopes, } } + + /// CAUTION: DO NOT use this reset in any other case than after accepting updated ToS! + pub async fn reset_exp(&mut self, auth_code_lifetime: i32) -> Result<(), ErrorResponse> { + self.exp = Utc::now() + .add(chrono::Duration::seconds(auth_code_lifetime as i64)) + .timestamp(); + + self.save(auth_code_lifetime).await + } +} + +#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, ToSchema)] +pub struct AuthCodeToSAwait { + pub auth_code: String, + pub await_code: String, + pub auth_code_lifetime: i32, + pub header_loc: String, + pub header_origin: Option, +} + +// CRUD +impl AuthCodeToSAwait { + pub async fn delete(&self) -> Result<(), ErrorResponse> { + DB::hql() + .delete(Cache::AuthCode, Self::cache_idx(&self.await_code)) + .await?; + Ok(()) + } + + pub async fn find(code: &str) -> Result, ErrorResponse> { + Ok(DB::hql() + .get(Cache::AuthCode, Self::cache_idx(code)) + .await?) + } + + pub async fn save(&self) -> Result<(), ErrorResponse> { + DB::hql() + .put( + Cache::AuthCode, + Self::cache_idx(&self.await_code), + &self, + Some(RauthyConfig::get().vars.tos.accept_timeout as i64), + ) + .await?; + + Ok(()) + } +} + +impl AuthCodeToSAwait { + #[inline] + fn cache_idx(await_code: &str) -> String { + // Note: We don't want to simply index the await + // codes by id to never have an accidental misuse. + format!("tos_aw_{await_code}") + } + + #[inline] + pub fn generate_code() -> String { + get_rand(64) + } } diff --git a/src/data/src/entity/auth_providers.rs b/src/data/src/entity/auth_providers.rs index 0d18aff3f..95b553aac 100644 --- a/src/data/src/entity/auth_providers.rs +++ b/src/data/src/entity/auth_providers.rs @@ -1,54 +1,34 @@ use crate::api_cookie::ApiCookie; use crate::database::{Cache, DB}; -use crate::entity::auth_codes::AuthCode; -use crate::entity::clients::Client; use crate::entity::logos::{Logo, LogoType}; -use crate::entity::sessions::Session; use crate::entity::users::User; use crate::entity::users_values::UserValues; -use crate::entity::webauthn::WebauthnLoginReq; -use crate::entity::{atproto, auth_provider_cust_impl}; use crate::language::Language; use crate::rauthy_config::RauthyConfig; -use crate::{AuthStep, AuthStepAwaitWebauthn, AuthStepLoggedIn}; -use actix_web::HttpRequest; use actix_web::cookie::Cookie; -use actix_web::http::header; -use actix_web::http::header::HeaderValue; -use atrium_api::agent::Agent; -use atrium_common::store::Store; -use atrium_oauth::{AuthorizeOptions, CallbackParams, KnownScope, Scope}; use chrono::Utc; use cryptr::EncValue; -use cryptr::utils::secure_random_alnum; use hiqlite::Row; use hiqlite_macros::params; -use image::EncodableLayout; use itertools::Itertools; -use rauthy_api_types::auth_providers::{ - ProviderCallbackRequest, ProviderLoginRequest, ProviderLookupRequest, ProviderRequest, -}; use rauthy_api_types::auth_providers::{ ProviderLinkedUserResponse, ProviderLookupResponse, ProviderResponse, }; +use rauthy_api_types::auth_providers::{ProviderLookupRequest, ProviderRequest}; use rauthy_api_types::users::UserValuesRequest; use rauthy_common::constants::{ - APPLICATION_JSON, CACHE_TTL_APP, CACHE_TTL_AUTH_PROVIDER_CALLBACK, COOKIE_UPSTREAM_CALLBACK, - IDX_AUTH_PROVIDER, IDX_AUTH_PROVIDER_TEMPLATE, PROVIDER_ATPROTO, PROVIDER_LINK_COOKIE, - UPSTREAM_AUTH_CALLBACK_TIMEOUT_SECS, + CACHE_TTL_APP, CACHE_TTL_AUTH_PROVIDER_CALLBACK, IDX_AUTH_PROVIDER, IDX_AUTH_PROVIDER_TEMPLATE, + PROVIDER_ATPROTO, PROVIDER_LINK_COOKIE, }; use rauthy_common::utils::{ - base64_decode, base64_encode, base64_url_encode, base64_url_no_pad_decode, deserialize, - get_rand, new_store_id, serialize, + base64_decode, base64_encode, base64_url_no_pad_decode, deserialize, new_store_id, serialize, }; -use rauthy_common::{http_client, is_hiqlite, sha256}; +use rauthy_common::{http_client, is_hiqlite}; use rauthy_error::{ErrorResponse, ErrorResponseType}; -use reqwest::header::{ACCEPT, AUTHORIZATION}; use serde::{Deserialize, Serialize}; use serde_json::{Value, value}; use serde_json_path::JsonPath; use std::borrow::Cow; -use std::fmt::Write; use std::str::FromStr; use tracing::{debug, error}; use utoipa::ToSchema; @@ -664,7 +644,7 @@ impl AuthProvider { } } - pub fn get_secret_cleartext(secret: &Option>) -> Result, ErrorResponse> { + pub fn secret_cleartext(secret: &Option>) -> Result, ErrorResponse> { if let Some(secret) = &secret { let bytes = EncValue::try_from(secret.clone())?.decrypt()?; let cleartext = String::from_utf8_lossy(bytes.as_ref()).to_string(); @@ -679,7 +659,7 @@ impl TryFrom for ProviderResponse { type Error = ErrorResponse; fn try_from(value: AuthProvider) -> Result { - let secret = AuthProvider::get_secret_cleartext(&value.secret)?; + let secret = AuthProvider::secret_cleartext(&value.secret)?; Ok(Self { id: value.id, name: value.name, @@ -737,7 +717,7 @@ impl AuthProviderCallback { Ok(()) } - async fn find(callback_id: String) -> Result { + pub async fn find(callback_id: String) -> Result { let opt: Option = DB::hql() .get(Cache::AuthProviderCallback, callback_id) .await?; @@ -751,7 +731,7 @@ impl AuthProviderCallback { } } - async fn save(&self) -> Result<(), ErrorResponse> { + pub async fn save(&self) -> Result<(), ErrorResponse> { DB::hql() .put( Cache::AuthProviderCallback, @@ -765,444 +745,6 @@ impl AuthProviderCallback { } } -impl AuthProviderCallback { - /// returns (encrypted cookie, xsrf token, location header, optional allowed origins) - pub async fn login_start<'a>( - payload: ProviderLoginRequest, - ) -> Result<(Cookie<'a>, String, HeaderValue), ErrorResponse> { - let provider = AuthProvider::find(&payload.provider_id).await?; - - if !RauthyConfig::get().vars.atproto.enable && provider.issuer == PROVIDER_ATPROTO { - return Err(ErrorResponse::new( - ErrorResponseType::BadRequest, - "atproto is disabled", - )); - } - - let client = Client::find(payload.client_id).await?; - - let slf = Self { - callback_id: secure_random_alnum(32), - xsrf_token: secure_random_alnum(32), - typ: provider.typ, - - req_client_id: client.id, - req_scopes: payload.scopes, - req_redirect_uri: payload.redirect_uri, - req_state: payload.state, - req_nonce: payload.nonce, - req_code_challenge: payload.code_challenge, - req_code_challenge_method: payload.code_challenge_method, - - provider_id: provider.id, - - pkce_challenge: payload.pkce_challenge, - }; - - let mut location = format!( - "{}{}client_id={}&redirect_uri={}&response_type=code&scope={}&state={}", - provider.authorization_endpoint, - // append parameters if there are already some parameters - if provider.authorization_endpoint.contains('?') { - '&' - } else { - '?' - }, - provider.client_id, - RauthyConfig::get().provider_callback_uri_encoded, - provider.scope, - slf.callback_id - ); - if provider.use_pkce { - write!( - location, - "&code_challenge={}&code_challenge_method=S256", - slf.pkce_challenge - ) - .expect("write to always succeed"); - } - - if let Some(input) = payload - .handle - .filter(|_| provider.issuer == PROVIDER_ATPROTO) - { - let atproto = atproto::Client::get(); - - let options = AuthorizeOptions { - state: Some(slf.callback_id.clone()), - redirect_uri: Some(RauthyConfig::get().provider_callback_uri.clone()), - scopes: vec![ - Scope::Unknown("transition:email".to_owned()), - Scope::Known(KnownScope::Atproto), - Scope::Known(KnownScope::TransitionGeneric), - ], - ..Default::default() - }; - - location = atproto - .authorize(input, options) - .await - .map_err(|error| { - error!(%error, "failed to start authorization for ATProto"); - }) - .unwrap(); - } - - let cookie = ApiCookie::build( - COOKIE_UPSTREAM_CALLBACK, - &slf.callback_id, - UPSTREAM_AUTH_CALLBACK_TIMEOUT_SECS as i64, - ); - - slf.save().await?; - - Ok(( - cookie, - slf.xsrf_token, - HeaderValue::from_str(&location).expect("Location HeaderValue to be correct"), - )) - } - - /// In case of any error, the callback code will be fully deleted for security reasons. - pub async fn login_finish<'a>( - req: &'a HttpRequest, - payload: &'a ProviderCallbackRequest, - mut session: Session, - ) -> Result<(AuthStep, Cookie<'a>), ErrorResponse> { - // the callback id for the cache should be inside the encrypted cookie - let callback_id = ApiCookie::from_req(req, COOKIE_UPSTREAM_CALLBACK).ok_or_else(|| { - ErrorResponse::new( - ErrorResponseType::Forbidden, - "Missing encrypted callback cookie", - ) - })?; - - // validate state - if payload.iss_atproto.is_none() && callback_id != payload.state { - Self::delete(callback_id).await?; - - error!("`state` does not match"); - return Err(ErrorResponse::new( - ErrorResponseType::BadRequest, - "`state` does not match", - )); - } - debug!("callback state is valid"); - - // validate csrf token - let slf = Self::find(callback_id).await?; - if slf.xsrf_token != payload.xsrf_token { - Self::delete(slf.callback_id).await?; - - error!("invalid CSRF token"); - return Err(ErrorResponse::new( - ErrorResponseType::Unauthorized, - "invalid CSRF token", - )); - } - debug!("callback csrf token is valid"); - - // validate PKCE verifier - let hash_base64 = base64_url_encode(sha256!(payload.pkce_verifier.as_bytes())); - if slf.pkce_challenge != hash_base64 { - Self::delete(slf.callback_id).await?; - - error!("invalid PKCE verifier"); - return Err(ErrorResponse::new( - ErrorResponseType::Unauthorized, - "invalid PKCE verifier", - )); - } - debug!("callback pkce verifier is valid"); - - // request is valid -> fetch token for the user - let provider = AuthProvider::find(&slf.provider_id).await?; - - // extract a possibly existing provider link cookie for - // linking an existing account to a provider - let link_cookie = ApiCookie::from_req(req, PROVIDER_LINK_COOKIE) - .and_then(|value| AuthProviderLinkCookie::try_from(value.as_str()).ok()); - - // deserialize payload and validate the information - let (user, provider_mfa_login) = if provider.issuer == PROVIDER_ATPROTO { - let atproto = atproto::Client::get(); - - let params = CallbackParams { - code: payload.code.clone(), - state: Some(payload.state.clone()), - iss: payload.iss_atproto.clone(), - }; - // return early if we got any error - let (session_manager, app_state) = atproto.callback(params).await.map_err(|error| { - error!(%error, "failed to complete authorization callback for ATProto"); - - ErrorResponse::new( - ErrorResponseType::Internal, - "failed to complete authorization callback for ATProto", - ) - })?; - - let Some(app_state) = app_state else { - return Err(ErrorResponse::new( - ErrorResponseType::Forbidden, - "missing callback state for ATProto", - )); - }; - - if app_state != slf.callback_id { - return Err(ErrorResponse::new( - ErrorResponseType::Forbidden, - "callback state mismatch for ATProto", - )); - } - - let agent = Agent::new(session_manager); - - let Some(did) = agent.did().await else { - panic!("missing DID for ATProto session"); - }; - - let Some(session) = DB.get(&did).await.map_err(|error| { - error!(%error, "failed to get session for ATProto callback"); - - ErrorResponse::new( - ErrorResponseType::Internal, - "failed to get session for ATProto callback", - ) - })? - else { - return Err(ErrorResponse::new( - ErrorResponseType::BadRequest, - "failed to complete authorization callback for atproto", - )); - }; - - let data = match agent.api.com.atproto.server.get_session().await { - Ok(atrium_api::types::Object { data, .. }) => data, - Err(error) => { - error!(%error, "failed to get session for ATProto callback"); - - return Err(ErrorResponse::new( - ErrorResponseType::Internal, - "failed to get session for ATProto callback", - )); - } - }; - - let claims = AuthProviderIdClaims { - sub: Some(Value::String(session.token_set.sub.to_string())), - email: data.email.map(Cow::from), - email_verified: data.email_confirmed, - ..Default::default() - }; - - claims.validate_update_user(&provider, &link_cookie).await? - } else { - let mut payload = OidcCodeRequestParams { - // a client MAY add the `client_id`, but it MUST add it when it's public - client_id: &provider.client_id, - client_secret: None, - code: &payload.code, - code_verifier: provider.use_pkce.then_some(&payload.pkce_verifier), - grant_type: "authorization_code", - redirect_uri: &RauthyConfig::get().provider_callback_uri, - }; - if provider.client_secret_post { - payload.client_secret = AuthProvider::get_secret_cleartext(&provider.secret)?; - } - - let res = { - let mut builder = http_client() - .post(&provider.token_endpoint) - .header(ACCEPT, APPLICATION_JSON); - - if provider.client_secret_basic { - builder = builder.basic_auth( - &provider.client_id, - AuthProvider::get_secret_cleartext(&provider.secret)?, - ) - } - - builder - } - .form(&payload) - .send() - .await?; - - let status = res.status().as_u16(); - debug!("POST /token auth provider status: {status}"); - - // return early if we got any error - if !res.status().is_success() { - let err = match res.text().await { - Ok(body) => format!( - "HTTP {status} during POST {} for upstream auth provider '{}'\n{body}", - provider.token_endpoint, provider.client_id - ), - Err(_) => format!( - "HTTP {status} during POST {} for upstream auth provider '{}' without any body", - provider.token_endpoint, provider.client_id - ), - }; - error!("{}", err); - return Err(ErrorResponse::new(ErrorResponseType::Internal, err)); - } - - let ts = match res.json::().await { - Ok(ts) => ts, - Err(err) => { - let err = format!( - "Deserializing /token response from auth provider {}: {err}", - provider.client_id - ); - error!("{err}"); - return Err(ErrorResponse::new(ErrorResponseType::Internal, err)); - } - }; - - if let Some(err) = ts.error { - let msg = format!( - "/token request error: {err}: {}", - ts.error_description.unwrap_or_default() - ); - error!("{msg}"); - return Err(ErrorResponse::new(ErrorResponseType::Internal, msg)); - } - - // in case of a standard OIDC provider, we only care about the ID token - if let Some(id_token) = ts.id_token { - let claims_bytes = AuthProviderIdClaims::self_as_bytes_from_token(&id_token)?; - let claims = AuthProviderIdClaims::try_from(claims_bytes.as_slice())?; - - claims.validate_update_user(&provider, &link_cookie).await? - } else if let Some(access_token) = ts.access_token { - // the id_token only exists, if we actually have an OIDC provider. - // If we only get an access token, we need to do another request to the - // userinfo endpoint - let res = http_client() - .get(&provider.userinfo_endpoint) - .header(AUTHORIZATION, format!("Bearer {access_token}")) - .header(ACCEPT, APPLICATION_JSON) - .send() - .await?; - - let status = res.status().as_u16(); - debug!("GET /userinfo auth provider status: {status}"); - - let res_bytes = res.bytes().await?; - let mut claims = AuthProviderIdClaims::try_from(res_bytes.as_bytes())?; - - if claims.email.is_none() && provider.typ == AuthProviderType::Github { - auth_provider_cust_impl::get_github_private_email(&access_token, &mut claims) - .await?; - } - - claims.validate_update_user(&provider, &link_cookie).await? - } else { - let err = "Neither `access_token` nor `id_token` existed"; - error!("{err}"); - return Err(ErrorResponse::new(ErrorResponseType::BadRequest, err)); - } - }; - - user.check_enabled()?; - user.check_expired()?; - - if link_cookie.is_some() { - // If this is the case, we don't need to validate any further client values. - // We will not generate a new auth code at all -> this is just a request to federate - // an existing account. The federation has been done in the step above already. - return Ok(( - AuthStep::ProviderLink, - AuthProviderLinkCookie::deletion_cookie(), - )); - } - - // validate client values - let client = Client::find_maybe_ephemeral(slf.req_client_id).await?; - let force_mfa = client.force_mfa(); - if force_mfa { - if provider_mfa_login == ProviderMfaLogin::No && !user.has_webauthn_enabled() { - return Err(ErrorResponse::new( - ErrorResponseType::MfaRequired, - "MFA is required for this client", - )); - } - session.set_mfa(true).await?; - } - client.validate_redirect_uri(&slf.req_redirect_uri)?; - client.validate_code_challenge(&slf.req_code_challenge, &slf.req_code_challenge_method)?; - let header_origin = client.get_validated_origin_header(req)?; - - // ###################################### - // all good, we can generate an auth code - - // authorization code - let webauthn_req_exp = RauthyConfig::get().vars.webauthn.req_exp; - let code_lifetime = if force_mfa && user.has_webauthn_enabled() { - client.auth_code_lifetime + webauthn_req_exp as i32 - } else { - client.auth_code_lifetime - }; - let scopes = client.sanitize_login_scopes(&slf.req_scopes)?; - let code = AuthCode::new( - user.id.clone(), - client.id, - Some(session.id.clone()), - slf.req_code_challenge, - slf.req_code_challenge_method, - slf.req_nonce, - scopes, - code_lifetime, - ); - code.save().await?; - - // location header - let mut loc = format!("{}?code={}", slf.req_redirect_uri, code.id); - if let Some(state) = slf.req_state { - write!(loc, "&state={state}")?; - }; - - let auth_step = if user.has_webauthn_enabled() { - let step = AuthStepAwaitWebauthn { - code: get_rand(48), - header_csrf: Session::get_csrf_header(&session.csrf_token), - header_origin, - user_id: user.id.clone(), - email: user.email, - exp: webauthn_req_exp as u64, - session, - }; - - WebauthnLoginReq { - code: step.code.clone(), - user_id: user.id, - header_loc: loc, - header_origin: step - .header_origin - .as_ref() - .map(|h| h.1.to_str().unwrap().to_string()), - } - .save() - .await?; - - AuthStep::AwaitWebauthn(step) - } else { - AuthStep::LoggedIn(AuthStepLoggedIn { - user_id: user.id, - email: user.email, - header_loc: (header::LOCATION, HeaderValue::from_str(&loc)?), - header_csrf: Session::get_csrf_header(&session.csrf_token), - header_origin, - }) - }; - - // callback data deletion cookie - let cookie = ApiCookie::build(COOKIE_UPSTREAM_CALLBACK, "", 0); - Ok((auth_step, cookie)) - } -} - /// Auth Provider as template value for SSR of the Login page #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)] pub struct AuthProviderTemplate { @@ -1266,7 +808,7 @@ pub struct AuthProviderAddressClaims<'a> { } #[derive(Debug, PartialEq)] -enum ProviderMfaLogin { +pub enum ProviderMfaLogin { Yes, No, } @@ -1336,7 +878,7 @@ impl AuthProviderIdClaims<'_> { } } - fn self_as_bytes_from_token(token: &str) -> Result, ErrorResponse> { + pub fn self_as_bytes_from_token(token: &str) -> Result, ErrorResponse> { let mut parts = token.split('.'); let _header = parts.next().ok_or_else(|| { ErrorResponse::new( @@ -1352,7 +894,7 @@ impl AuthProviderIdClaims<'_> { Ok(json_bytes) } - async fn validate_update_user( + pub async fn validate_update_user( &self, provider: &AuthProvider, link_cookie: &Option, @@ -1703,25 +1245,6 @@ impl AuthProviderIdClaims<'_> { } } -#[derive(Debug, Deserialize)] -struct AuthProviderTokenSet { - pub access_token: Option, - // pub token_type: Option, - pub id_token: Option, - pub error: Option, - pub error_description: Option, -} - -#[derive(Debug, Serialize)] -struct OidcCodeRequestParams<'a> { - client_id: &'a str, - client_secret: Option, - code: &'a str, - code_verifier: Option<&'a str>, - grant_type: &'static str, - redirect_uri: &'a str, -} - #[cfg(test)] mod tests { use super::*; diff --git a/src/data/src/entity/clients.rs b/src/data/src/entity/clients.rs index da44b9470..fa9a125c5 100644 --- a/src/data/src/entity/clients.rs +++ b/src/data/src/entity/clients.rs @@ -1,4 +1,5 @@ use crate::database::{Cache, DB}; +use crate::entity::auth_providers::ProviderMfaLogin; use crate::entity::clients_dyn::ClientDyn; use crate::entity::clients_scim::ClientScim; use crate::entity::jwk::JwkKeyPairAlg; @@ -868,11 +869,6 @@ impl Client { } } - #[inline(always)] - pub fn force_mfa(&self) -> bool { - self.force_mfa || self.id == "rauthy" && RauthyConfig::get().vars.mfa.admin_force_mfa - } - /// Generates a new random 64 character long client secret and returns the cleartext and /// encrypted version /// # Panics @@ -1102,8 +1098,16 @@ impl Client { /// possible without MFA. The force MFA for the Rauthy admin UI is done in /// Principal::validate_admin_session() depending on the `ADMIN_FORCE_MFA` config variable. #[inline] - pub fn validate_mfa(&self, user: &User) -> Result<(), ErrorResponse> { - if &self.id != "rauthy" && self.force_mfa && !user.has_webauthn_enabled() { + pub fn validate_mfa( + &self, + user: &User, + provider_mfa_login: Option, + ) -> Result<(), ErrorResponse> { + let force_mfa = self.id != "rauthy" && self.force_mfa; + let has_mfa = + user.has_webauthn_enabled() || provider_mfa_login == Some(ProviderMfaLogin::Yes); + + if force_mfa && !has_mfa { trace!("MFA required for this client but the user has none"); Err(ErrorResponse::new( ErrorResponseType::MfaRequired, diff --git a/src/data/src/entity/mod.rs b/src/data/src/entity/mod.rs index 16a6fde9b..0855508a3 100644 --- a/src/data/src/entity/mod.rs +++ b/src/data/src/entity/mod.rs @@ -6,7 +6,6 @@ pub mod api_keys; pub mod app_version; pub mod atproto; pub mod auth_codes; -mod auth_provider_cust_impl; pub mod auth_providers; pub mod ca_self_signed; pub mod clients; @@ -43,6 +42,8 @@ pub mod scim_types; pub mod scopes; pub mod sessions; pub mod theme; +pub mod tos; +pub mod tos_user_accept; pub mod user_attr; pub mod user_login_states; pub mod user_revoke; diff --git a/src/data/src/entity/sessions.rs b/src/data/src/entity/sessions.rs index cf7cc0fd7..2ce7ea299 100644 --- a/src/data/src/entity/sessions.rs +++ b/src/data/src/entity/sessions.rs @@ -678,6 +678,7 @@ impl Session { "/auth/v1/providers/login", "/auth/v1/providers/callback", "/auth/v1/dev/providers_callback", + "/auth/v1/tos/accept", ]; #[cfg(not(debug_assertions))] let exceptions = [ @@ -687,6 +688,7 @@ impl Session { "/auth/v1/oidc/token", "/auth/v1/providers/login", "/auth/v1/providers/callback", + "/auth/v1/tos/accept", ]; if exceptions.contains(&req_path) || req_path.contains("/webauthn/auth/") { return true; @@ -762,6 +764,7 @@ impl Session { if self.csrf_token.eq(csrf?) { return Ok(()); } + Err(ErrorResponse::new( ErrorResponseType::CSRFTokenError, "CSRF Token is not correct", diff --git a/src/data/src/entity/tos.rs b/src/data/src/entity/tos.rs new file mode 100644 index 000000000..df1d88652 --- /dev/null +++ b/src/data/src/entity/tos.rs @@ -0,0 +1,121 @@ +use crate::database::{Cache, DB}; +use chrono::Utc; +use hiqlite_macros::params; +use rauthy_api_types::tos::{ToSLatestResponse, ToSResponse}; +use rauthy_common::is_hiqlite; +use rauthy_error::ErrorResponse; +use serde::{Deserialize, Serialize}; + +static CACHE_IDX: &str = "tos_latest"; + +#[derive(Debug, Serialize, Deserialize)] +pub struct ToS { + pub ts: i64, + pub author: String, + pub is_html: bool, + pub content: String, +} + +impl From for ToS { + fn from(row: tokio_postgres::Row) -> Self { + Self { + ts: row.get("ts"), + author: row.get("author"), + is_html: row.get("is_html"), + content: row.get("content"), + } + } +} + +impl ToS { + pub async fn create( + author: String, + is_html: bool, + content: String, + ) -> Result<(), ErrorResponse> { + let ts = Utc::now().timestamp(); + + let sql = r#" +INSERT INTO tos (ts, author, is_html, content) +VALUES ($1, $2, $3, $4)"#; + + if is_hiqlite() { + DB::hql() + .execute(sql, params!(ts, &author, is_html, &content)) + .await?; + } else { + DB::pg_execute(sql, &[&ts, &author, &is_html, &content]).await?; + } + + let slf = Self { + ts, + author, + is_html, + content, + }; + DB::hql() + .put(Cache::ToS, CACHE_IDX, &Some(&slf), None) + .await?; + + Ok(()) + } + + pub async fn find(ts: i64) -> Result { + let sql = "SELECT * FROM tos WHERE ts = $1"; + let res = if is_hiqlite() { + DB::hql().query_as_one(sql, params!(ts)).await? + } else { + DB::pg_query_one(sql, &[&ts]).await? + }; + Ok(res) + } + + pub async fn find_all() -> Result, ErrorResponse> { + let sql = "SELECT * FROM tos"; + let res: Vec = if is_hiqlite() { + DB::hql().query_as(sql, params!()).await? + } else { + DB::pg_query(sql, &[], 0).await? + }; + + Ok(res) + } + + pub async fn find_latest() -> Result, ErrorResponse> { + if let Some(slf) = DB::hql().get(Cache::ToS, CACHE_IDX).await? { + return Ok(slf); + } + + let sql = "SELECT * FROM tos ORDER BY ts DESC LIMIT 1"; + let slf: Option = if is_hiqlite() { + DB::hql().query_as_optional(sql, params!()).await? + } else { + DB::pg_query_opt(sql, &[]).await? + }; + + DB::hql().put(Cache::ToS, CACHE_IDX, &slf, None).await?; + + Ok(slf) + } +} + +impl From for ToSResponse { + fn from(tos: ToS) -> Self { + Self { + ts: tos.ts, + author: tos.author, + is_html: tos.is_html, + content: tos.content, + } + } +} + +impl From for ToSLatestResponse { + fn from(tos: ToS) -> Self { + Self { + ts: tos.ts, + is_html: tos.is_html, + content: tos.content, + } + } +} diff --git a/src/data/src/entity/tos_user_accept.rs b/src/data/src/entity/tos_user_accept.rs new file mode 100644 index 000000000..331b4299d --- /dev/null +++ b/src/data/src/entity/tos_user_accept.rs @@ -0,0 +1,125 @@ +use crate::database::{Cache, DB}; +use chrono::Utc; +use hiqlite_macros::params; +use rauthy_api_types::tos::ToSUserAcceptResponse; +use rauthy_common::is_hiqlite; +use rauthy_error::ErrorResponse; +use serde::{Deserialize, Serialize}; +use std::net::IpAddr; +use tokio_postgres::Row; + +#[derive(Debug, Serialize, Deserialize)] +pub struct ToSUserAccept { + pub user_id: String, + pub tos_ts: i64, + pub accept_ts: i64, + pub location: String, +} + +impl From for ToSUserAccept { + fn from(row: Row) -> Self { + Self { + user_id: row.get("user_id"), + tos_ts: row.get("tos_ts"), + accept_ts: row.get("accept_ts"), + location: row.get("location"), + } + } +} + +impl ToSUserAccept { + pub async fn create( + user_id: String, + tos_ts: i64, + ip: IpAddr, + location: Option, + ) -> Result<(), ErrorResponse> { + let accept_ts = Utc::now().timestamp(); + let location = format!("{} {}", ip, location.unwrap_or_default()); + + let sql = r#" +INSERT INTO tos_user_accept (user_id, tos_ts, accept_ts, location) +VALUES ($1, $2, $3, $4)"#; + if is_hiqlite() { + DB::hql() + .execute(sql, params!(&user_id, tos_ts, accept_ts, &location)) + .await?; + } else { + DB::pg_execute(sql, &[&user_id, &tos_ts, &accept_ts, &location]).await?; + } + + DB::hql() + .put( + Cache::ToS, + Self::cache_idx(&user_id), + &Some(Self { + user_id, + tos_ts, + accept_ts, + location, + }), + Some(600), + ) + .await?; + + Ok(()) + } + + pub async fn find_all(user_id: String) -> Result, ErrorResponse> { + let sql = r#" +SELECT * FROM tos_user_accept +WHERE user_id = $1"#; + + let res = if is_hiqlite() { + DB::hql().query_as(sql, params!(user_id)).await? + } else { + DB::pg_query(sql, &[&user_id], 0).await? + }; + + Ok(res) + } + + pub async fn find_latest(user_id: String) -> Result, ErrorResponse> { + if let Some(slf) = DB::hql().get(Cache::ToS, Self::cache_idx(&user_id)).await? { + return Ok(slf); + } + + let cache_idx = Self::cache_idx(&user_id); + let sql = r#" +SELECT * FROM tos_user_accept +WHERE user_id = $1 +ORDER BY tos_ts DESC +LIMIT 1 +"#; + + let slf = if is_hiqlite() { + DB::hql().query_as_optional(sql, params!(user_id)).await? + } else { + DB::pg_query_opt(sql, &[&user_id]).await? + }; + + DB::hql() + .put(Cache::ToS, cache_idx, &slf, Some(600)) + .await?; + + Ok(slf) + } +} + +impl ToSUserAccept { + #[inline] + fn cache_idx(user_id: &str) -> String { + format!("uid_{user_id}") + } +} + +impl From for ToSUserAcceptResponse { + fn from(value: ToSUserAccept) -> Self { + Self { + user_id: value.user_id, + tos_ts: value.tos_ts, + accept_ts: value.accept_ts, + location: value.location, + } + } +} diff --git a/src/data/src/entity/users.rs b/src/data/src/entity/users.rs index a217ccba9..6d9a0ec18 100644 --- a/src/data/src/entity/users.rs +++ b/src/data/src/entity/users.rs @@ -12,6 +12,8 @@ use crate::entity::refresh_tokens::RefreshToken; use crate::entity::roles::Role; use crate::entity::sessions::Session; use crate::entity::theme::ThemeCssFull; +use crate::entity::tos::ToS; +use crate::entity::tos_user_accept::ToSUserAccept; use crate::entity::users_values::UserValues; use crate::entity::webauthn::{PasskeyEntity, WebauthnServiceReq}; use crate::events::event::Event; @@ -1752,6 +1754,26 @@ impl User { ComparePasswords::is_match(plain, hash).await } + /// Checks if this user needs to accept a updated ToS + #[inline(always)] + pub async fn needs_tos_update(&self) -> Result { + let needs_update = if let Some(latest) = ToS::find_latest().await.expect("TosLatest") { + if let Some(accepted) = ToSUserAccept::find_latest(self.id.clone()) + .await + .expect("TosUserAccept") + { + accepted.tos_ts != latest.ts + } else { + true + } + } else { + false + }; + + debug!(needs_update, "User needs to accept updated ToS"); + Ok(needs_update) + } + pub fn picture_uri(&self) -> Option { self.picture_id.as_ref().map(|pic_id| { format!( diff --git a/src/data/src/entity/webauthn.rs b/src/data/src/entity/webauthn.rs index 7ac0a61e0..c64953b6f 100644 --- a/src/data/src/entity/webauthn.rs +++ b/src/data/src/entity/webauthn.rs @@ -1,26 +1,29 @@ use crate::api_cookie::ApiCookie; use crate::database::{Cache, DB}; +use crate::entity::auth_codes::AuthCodeToSAwait; use crate::entity::login_locations::LoginLocation; use crate::entity::password::PasswordPolicy; use crate::entity::users::{AccountType, User}; use crate::rauthy_config::RauthyConfig; use actix_web::cookie::Cookie; -use actix_web::http::header; -use actix_web::http::header::HeaderValue; -use actix_web::{HttpRequest, HttpResponse}; +use actix_web::http::header::{ + ACCESS_CONTROL_ALLOW_CREDENTIALS, ACCESS_CONTROL_ALLOW_METHODS, HeaderValue, +}; +use actix_web::http::{StatusCode, header}; +use actix_web::{HttpRequest, HttpResponse, HttpResponseBuilder}; use chrono::Utc; use cryptr::EncValue; use deadpool_postgres::GenericClient; use hiqlite::Params; use hiqlite_macros::params; +use rauthy_api_types::tos::ToSAwaitLoginResponse; use rauthy_api_types::users::{ MfaPurpose, PasskeyResponse, WebauthnAuthFinishRequest, WebauthnAuthStartResponse, WebauthnLoginFinishResponse, WebauthnRegFinishRequest, WebauthnRegStartRequest, }; use rauthy_common::constants::{COOKIE_MFA, IDX_WEBAUTHN}; use rauthy_common::is_hiqlite; -use rauthy_common::utils::{base64_decode, deserialize, serialize}; -use rauthy_common::utils::{base64_encode, get_rand}; +use rauthy_common::utils::{base64_decode, base64_encode, deserialize, get_rand, serialize}; use rauthy_error::{ErrorResponse, ErrorResponseType}; use serde::{Deserialize, Serialize}; use std::fmt::{Debug, Formatter}; @@ -574,14 +577,18 @@ pub enum WebauthnAdditionalData { Login(WebauthnLoginReq), Service(WebauthnServiceReq), Test, + LoginToSAwait(WebauthnLoginToSAwaitCode), } impl WebauthnAdditionalData { pub async fn delete(&self) -> Result<(), ErrorResponse> { match self { Self::Login(d) => d.delete().await, - Self::Service(_uid) => Ok(()), + // The service req data is not deleted here, but actually further down the road + // after the service req has been made. + Self::Service(_) => Ok(()), Self::Test => Ok(()), + Self::LoginToSAwait(_) => Ok(()), } } @@ -610,6 +617,28 @@ impl WebauthnAdditionalData { Self::Service(svc_req) => HttpResponse::Accepted().json(svc_req), Self::Test => HttpResponse::Accepted().finish(), + + Self::LoginToSAwait(tos_req) => { + let mut resp = HttpResponseBuilder::new(StatusCode::from_u16(206).unwrap()).json( + &ToSAwaitLoginResponse { + tos_await_code: tos_req.await_code, + user_id: None, + }, + ); + if let Some(origin) = tos_req.header_origin { + resp.headers_mut() + .insert(header::ORIGIN, HeaderValue::from_str(&origin).unwrap()); + resp.headers_mut().insert( + ACCESS_CONTROL_ALLOW_METHODS, + HeaderValue::from_static("POST"), + ); + resp.headers_mut().insert( + ACCESS_CONTROL_ALLOW_CREDENTIALS, + HeaderValue::from_static("true"), + ); + } + resp + } } } } @@ -620,6 +649,13 @@ pub struct WebauthnLoginReq { pub user_id: String, pub header_loc: String, pub header_origin: Option, + pub tos_await_data: Option, +} + +#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, ToSchema)] +pub struct WebauthnToSAwaitData { + pub auth_code: String, + pub auth_code_lifetime: i32, } // CRUD @@ -689,6 +725,13 @@ impl WebauthnServiceReq { } } +#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, ToSchema)] +pub struct WebauthnLoginToSAwaitCode { + await_code: String, + user_id: String, + header_origin: Option, +} + pub async fn auth_start( user_id: String, purpose: MfaPurpose, @@ -783,6 +826,7 @@ pub async fn auth_finish( payload: WebauthnAuthFinishRequest, ) -> Result { let auth_data = WebauthnData::find(payload.code).await?; + auth_data.delete().await?; let auth_state = serde_json::from_str(&auth_data.auth_state_json)?; let mut user = User::find(user_id).await?; @@ -847,13 +891,38 @@ pub async fn auth_finish( info!(user.id = uid, "Webauthn Authentication successful"); - Ok(auth_data.data) + if let WebauthnAdditionalData::Login(data) = auth_data.data { + data.delete().await?; + + if let Some(tos_data) = data.tos_await_data { + let code_await = AuthCodeToSAwait { + auth_code: tos_data.auth_code, + await_code: AuthCodeToSAwait::generate_code(), + auth_code_lifetime: tos_data.auth_code_lifetime, + header_loc: data.header_loc, + header_origin: data.header_origin.clone(), + }; + code_await.save().await?; + + Ok(WebauthnAdditionalData::LoginToSAwait( + WebauthnLoginToSAwaitCode { + await_code: code_await.await_code, + user_id: uid, + header_origin: data.header_origin, + }, + )) + } else { + Ok(WebauthnAdditionalData::Login(data)) + } + } else { + Ok(auth_data.data) + } } Err(err) => { error!(?err, "Webauthn Auth Finish"); Err(ErrorResponse::new( ErrorResponseType::Unauthorized, - format!("{err}"), + err.to_string(), )) } } diff --git a/src/data/src/lib.rs b/src/data/src/lib.rs index 8078d1bed..22eec1180 100644 --- a/src/data/src/lib.rs +++ b/src/data/src/lib.rs @@ -19,6 +19,7 @@ pub mod vault_config; pub enum AuthStep { LoggedIn(AuthStepLoggedIn), + AwaitToSAccept(AwaitToSAccept), AwaitWebauthn(AuthStepAwaitWebauthn), ProviderLink, } @@ -31,6 +32,13 @@ pub struct AuthStepLoggedIn { pub header_origin: Option<(HeaderName, HeaderValue)>, } +pub struct AwaitToSAccept { + pub code: String, + pub header_csrf: (HeaderName, HeaderValue), + pub header_origin: Option<(HeaderName, HeaderValue)>, + pub user_id: String, +} + pub struct AuthStepAwaitWebauthn { pub code: String, pub header_csrf: (HeaderName, HeaderValue), diff --git a/src/data/src/rauthy_config.rs b/src/data/src/rauthy_config.rs index 0c6dccd62..cb857d00b 100644 --- a/src/data/src/rauthy_config.rs +++ b/src/data/src/rauthy_config.rs @@ -269,6 +269,7 @@ pub struct Vars { pub suspicious_requests: VarsSuspiciousRequests, pub templates: VarsTemplates, pub tls: VarsTls, + pub tos: VarsToS, pub user_pictures: VarsUserPictures, pub user_registration: VarsUserRegistration, pub webauthn: VarsWebauthn, @@ -672,6 +673,9 @@ impl Default for Vars { key_path: None, generate_self_signed: false, }, + tos: VarsToS { + accept_timeout: 900, + }, user_pictures: VarsUserPictures { storage_type: "db".into(), path: "./pictures".into(), @@ -771,6 +775,7 @@ impl Vars { slf.parse_suspicious_requests(&mut table); slf.parse_templates(&mut table); slf.parse_tls(&mut table); + slf.parse_tos(&mut table); slf.parse_user_pictures(&mut table); slf.parse_user_registration(&mut table); slf.parse_webauthn(&mut table); @@ -2343,6 +2348,14 @@ impl Vars { } } + fn parse_tos(&mut self, table: &mut toml::Table) { + let mut table = t_table(table, "tos"); + + if let Some(v) = t_u16(&mut table, "tos", "accept_timeout", "TOS_ACCEPT_TIMEOUT") { + self.tos.accept_timeout = v; + } + } + fn parse_user_pictures(&mut self, table: &mut toml::Table) { let mut table = t_table(table, "user_pictures"); @@ -2879,6 +2892,11 @@ pub struct VarsTls { pub generate_self_signed: bool, } +#[derive(Debug)] +pub struct VarsToS { + pub accept_timeout: u16, +} + #[derive(Debug)] pub struct VarsUserPictures { pub storage_type: Cow<'static, str>, diff --git a/src/service/Cargo.toml b/src/service/Cargo.toml index f0c11e50e..41c0ac43a 100644 --- a/src/service/Cargo.toml +++ b/src/service/Cargo.toml @@ -13,6 +13,9 @@ rauthy-jwt = { path = "../jwt" } rauthy-data = { path = "../data" } actix-web = { workspace = true } +atrium-api = { workspace = true } +atrium-common = { workspace = true } +atrium-oauth = { workspace = true } chrono = { workspace = true } cryptr = { workspace = true } openssl = { workspace = true } diff --git a/src/service/src/encryption.rs b/src/service/src/encryption.rs index 7a8a1c6b4..b43eecd82 100644 --- a/src/service/src/encryption.rs +++ b/src/service/src/encryption.rs @@ -76,7 +76,7 @@ pub async fn migrate_encryption_alg(new_kid: &str) -> Result<(), ErrorResponse> // migrate auth providers let providers = AuthProvider::find_all().await?; for mut provider in providers { - match AuthProvider::get_secret_cleartext(&provider.secret) { + match AuthProvider::secret_cleartext(&provider.secret) { Ok(plaintext_opt) => { if let Some(plaintext) = plaintext_opt { provider.secret = Some( diff --git a/src/service/src/forward_auth.rs b/src/service/src/forward_auth.rs index 603ac3937..00d12fa50 100644 --- a/src/service/src/forward_auth.rs +++ b/src/service/src/forward_auth.rs @@ -144,7 +144,7 @@ pub async fn get_forward_auth_client( user.check_enabled()?; user.check_expired()?; client.validate_user_groups(&user)?; - client.validate_mfa(&user)?; + client.validate_mfa(&user, None)?; let headers = &RauthyConfig::get().vars.auth_headers; if headers.enable { @@ -248,7 +248,7 @@ pub async fn get_forward_auth_client_callback( user.check_enabled()?; user.check_expired()?; client.validate_user_groups(&user)?; - client.validate_mfa(&user)?; + client.validate_mfa(&user, None)?; // all good diff --git a/src/data/src/entity/auth_provider_cust_impl.rs b/src/service/src/oidc/auth_providers/cust_impls.rs similarity index 97% rename from src/data/src/entity/auth_provider_cust_impl.rs rename to src/service/src/oidc/auth_providers/cust_impls.rs index 4813bf933..4a242562b 100644 --- a/src/data/src/entity/auth_provider_cust_impl.rs +++ b/src/service/src/oidc/auth_providers/cust_impls.rs @@ -1,6 +1,6 @@ -use crate::entity::auth_providers::AuthProviderIdClaims; use rauthy_common::constants::APPLICATION_JSON; use rauthy_common::http_client; +use rauthy_data::entity::auth_providers::AuthProviderIdClaims; use rauthy_error::{ErrorResponse, ErrorResponseType}; use reqwest::header::{ACCEPT, AUTHORIZATION}; use serde::Deserialize; diff --git a/src/service/src/oidc/auth_providers/login_finish.rs b/src/service/src/oidc/auth_providers/login_finish.rs new file mode 100644 index 000000000..2cbcc7f00 --- /dev/null +++ b/src/service/src/oidc/auth_providers/login_finish.rs @@ -0,0 +1,334 @@ +use crate::oidc; +use crate::oidc::auth_providers::cust_impls; +use crate::oidc::authorize::AuthorizeData; +use actix_web::HttpRequest; +use actix_web::cookie::Cookie; +use atrium_common::store::Store; +use rauthy_api_types::auth_providers::ProviderCallbackRequest; +use rauthy_common::constants::{ + APPLICATION_JSON, COOKIE_UPSTREAM_CALLBACK, PROVIDER_ATPROTO, PROVIDER_LINK_COOKIE, +}; +use rauthy_common::utils::base64_url_encode; +use rauthy_common::{http_client, sha256}; +use rauthy_data::AuthStep; +use rauthy_data::api_cookie::ApiCookie; +use rauthy_data::database::DB; +use rauthy_data::entity::atproto; +use rauthy_data::entity::auth_providers::{ + AuthProvider, AuthProviderCallback, AuthProviderIdClaims, AuthProviderLinkCookie, + AuthProviderType, ProviderMfaLogin, +}; +use rauthy_data::entity::clients::Client; +use rauthy_data::entity::sessions::Session; +use rauthy_data::rauthy_config::RauthyConfig; +use rauthy_error::{ErrorResponse, ErrorResponseType}; +use reqwest::header::{ACCEPT, AUTHORIZATION}; +use serde::{Deserialize, Serialize}; +use serde_json::Value; +use std::borrow::Cow; +use tracing::{debug, error}; + +#[derive(Debug, Deserialize)] +struct AuthProviderTokenSet { + access_token: Option, + // token_type: Option, + id_token: Option, + error: Option, + error_description: Option, +} + +#[derive(Debug, Serialize)] +struct OidcCodeRequestParams<'a> { + client_id: &'a str, + client_secret: Option, + code: &'a str, + code_verifier: Option<&'a str>, + grant_type: &'static str, + redirect_uri: &'a str, +} + +/// In case of any error, the callback code will be fully deleted for security reasons. +pub async fn login_finish<'a>( + req: &'a HttpRequest, + payload: &'a ProviderCallbackRequest, + mut session: Session, +) -> Result<(AuthStep, Cookie<'a>), ErrorResponse> { + // the callback id for the cache should be inside the encrypted cookie + let callback_id = ApiCookie::from_req(req, COOKIE_UPSTREAM_CALLBACK).ok_or_else(|| { + ErrorResponse::new( + ErrorResponseType::Forbidden, + "Missing encrypted callback cookie", + ) + })?; + + // validate state + if payload.iss_atproto.is_none() && callback_id != payload.state { + AuthProviderCallback::delete(callback_id).await?; + + error!("`state` does not match"); + return Err(ErrorResponse::new( + ErrorResponseType::BadRequest, + "`state` does not match", + )); + } + + // validate csrf token + let slf = AuthProviderCallback::find(callback_id).await?; + if slf.xsrf_token != payload.xsrf_token { + AuthProviderCallback::delete(slf.callback_id).await?; + + error!("invalid CSRF token"); + return Err(ErrorResponse::new( + ErrorResponseType::Unauthorized, + "invalid CSRF token", + )); + } + + // validate PKCE verifier + let hash_base64 = base64_url_encode(sha256!(payload.pkce_verifier.as_bytes())); + if slf.pkce_challenge != hash_base64 { + AuthProviderCallback::delete(slf.callback_id).await?; + + error!("invalid PKCE verifier"); + return Err(ErrorResponse::new( + ErrorResponseType::Unauthorized, + "invalid PKCE verifier", + )); + } + + // request is valid -> fetch token for the user + let provider = AuthProvider::find(&slf.provider_id).await?; + + // extract a possibly existing provider link cookie for + // linking an existing account to a provider + let link_cookie = ApiCookie::from_req(req, PROVIDER_LINK_COOKIE) + .and_then(|value| AuthProviderLinkCookie::try_from(value.as_str()).ok()); + + // deserialize payload and validate the information + let (user, provider_mfa_login) = if provider.issuer == PROVIDER_ATPROTO { + let atproto = atproto::Client::get(); + + let params = atrium_oauth::CallbackParams { + code: payload.code.clone(), + state: Some(payload.state.clone()), + iss: payload.iss_atproto.clone(), + }; + // return early if we got any error + let (session_manager, app_state) = atproto.callback(params).await.map_err(|error| { + error!(%error, "failed to complete authorization callback for ATProto"); + + ErrorResponse::new( + ErrorResponseType::Internal, + "failed to complete authorization callback for ATProto", + ) + })?; + + let Some(app_state) = app_state else { + return Err(ErrorResponse::new( + ErrorResponseType::Forbidden, + "missing callback state for ATProto", + )); + }; + + if app_state != slf.callback_id { + return Err(ErrorResponse::new( + ErrorResponseType::Forbidden, + "callback state mismatch for ATProto", + )); + } + + let agent = atrium_api::agent::Agent::new(session_manager); + + let Some(did) = agent.did().await else { + panic!("missing DID for ATProto session"); + }; + + let Some(session) = DB.get(&did).await.map_err(|error| { + error!(%error, "failed to get session for ATProto callback"); + + ErrorResponse::new( + ErrorResponseType::Internal, + "failed to get session for ATProto callback", + ) + })? + else { + return Err(ErrorResponse::new( + ErrorResponseType::BadRequest, + "failed to complete authorization callback for atproto", + )); + }; + + let data = match agent.api.com.atproto.server.get_session().await { + Ok(atrium_api::types::Object { data, .. }) => data, + Err(error) => { + error!(%error, "failed to get session for ATProto callback"); + + return Err(ErrorResponse::new( + ErrorResponseType::Internal, + "failed to get session for ATProto callback", + )); + } + }; + + let claims = AuthProviderIdClaims { + sub: Some(Value::String(session.token_set.sub.to_string())), + email: data.email.map(Cow::from), + email_verified: data.email_confirmed, + ..Default::default() + }; + + claims.validate_update_user(&provider, &link_cookie).await? + } else { + let mut payload = OidcCodeRequestParams { + // a client MAY add the `client_id`, but it MUST add it when it's public + client_id: &provider.client_id, + client_secret: None, + code: &payload.code, + code_verifier: provider.use_pkce.then_some(&payload.pkce_verifier), + grant_type: "authorization_code", + redirect_uri: &RauthyConfig::get().provider_callback_uri, + }; + if provider.client_secret_post { + payload.client_secret = AuthProvider::secret_cleartext(&provider.secret)?; + } + + let res = { + let mut builder = http_client() + .post(&provider.token_endpoint) + .header(ACCEPT, APPLICATION_JSON); + + if provider.client_secret_basic { + builder = builder.basic_auth( + &provider.client_id, + AuthProvider::secret_cleartext(&provider.secret)?, + ) + } + + builder + } + .form(&payload) + .send() + .await?; + + let status = res.status().as_u16(); + debug!("POST /token auth provider status: {status}"); + + // return early if we got any error + if !res.status().is_success() { + let err = match res.text().await { + Ok(body) => format!( + "HTTP {status} during POST {} for upstream auth provider '{}'\n{body}", + provider.token_endpoint, provider.client_id + ), + Err(_) => format!( + "HTTP {status} during POST {} for upstream auth provider '{}' without any body", + provider.token_endpoint, provider.client_id + ), + }; + error!("{}", err); + return Err(ErrorResponse::new(ErrorResponseType::Internal, err)); + } + + let ts = match res.json::().await { + Ok(ts) => ts, + Err(err) => { + let err = format!( + "Deserializing /token response from auth provider {}: {err}", + provider.client_id + ); + error!("{err}"); + return Err(ErrorResponse::new(ErrorResponseType::Internal, err)); + } + }; + + if let Some(err) = ts.error { + let msg = format!( + "/token request error: {err}: {}", + ts.error_description.unwrap_or_default() + ); + error!("{msg}"); + return Err(ErrorResponse::new(ErrorResponseType::Internal, msg)); + } + + // in case of a standard OIDC provider, we only care about the ID token + if let Some(id_token) = ts.id_token { + let claims_bytes = AuthProviderIdClaims::self_as_bytes_from_token(&id_token)?; + let claims = AuthProviderIdClaims::try_from(claims_bytes.as_slice())?; + + claims.validate_update_user(&provider, &link_cookie).await? + } else if let Some(access_token) = ts.access_token { + // the id_token only exists, if we actually have an OIDC provider. + // If we only get an access token, we need to do another request to the + // userinfo endpoint + let res = http_client() + .get(&provider.userinfo_endpoint) + .header(AUTHORIZATION, format!("Bearer {access_token}")) + .header(ACCEPT, APPLICATION_JSON) + .send() + .await?; + + let status = res.status().as_u16(); + debug!("GET /userinfo auth provider status: {status}"); + + let res_bytes = res.bytes().await?; + let mut claims = AuthProviderIdClaims::try_from(res_bytes.as_ref())?; + + if claims.email.is_none() && provider.typ == AuthProviderType::Github { + cust_impls::get_github_private_email(&access_token, &mut claims).await?; + } + + claims.validate_update_user(&provider, &link_cookie).await? + } else { + let err = "Neither `access_token` nor `id_token` existed"; + error!("{err}"); + return Err(ErrorResponse::new(ErrorResponseType::BadRequest, err)); + } + }; + + user.check_enabled()?; + user.check_expired()?; + + if link_cookie.is_some() { + // If this is the case, we don't need to validate any further client values. + // We will not generate a new auth code at all -> this is just a request to federate + // an existing account. The federation has been done in the step above already. + return Ok(( + AuthStep::ProviderLink, + AuthProviderLinkCookie::deletion_cookie(), + )); + } + + // From here on, we deal with a normal login instead of just an account federation. + + let require_webauthn = user.has_webauthn_enabled(); + session + .set_mfa(provider_mfa_login == ProviderMfaLogin::Yes || require_webauthn) + .await?; + + let client = Client::find_maybe_ephemeral(slf.req_client_id).await?; + let header_origin = client.get_validated_origin_header(req)?; + + let auth_step = oidc::authorize::finish_authorize( + user, + client, + &session, + AuthorizeData { + redirect_uri: slf.req_redirect_uri, + scopes: slf.req_scopes, + state: slf.req_state, + nonce: slf.req_nonce, + code_challenge: slf.req_code_challenge, + code_challenge_method: slf.req_code_challenge_method, + header_origin, + require_webauthn, + }, + None, + Some(provider_mfa_login), + ) + .await?; + + // callback data deletion cookie + let cookie = ApiCookie::build(COOKIE_UPSTREAM_CALLBACK, "", 0); + + Ok((auth_step, cookie)) +} diff --git a/src/service/src/oidc/auth_providers/login_start.rs b/src/service/src/oidc/auth_providers/login_start.rs new file mode 100644 index 000000000..850a9ce5b --- /dev/null +++ b/src/service/src/oidc/auth_providers/login_start.rs @@ -0,0 +1,113 @@ +use actix_web::cookie::Cookie; +use actix_web::http::header::HeaderValue; +use atrium_oauth::{AuthorizeOptions, KnownScope, Scope as ScopeAtproto}; +use cryptr::utils::secure_random_alnum; +use rauthy_api_types::auth_providers::ProviderLoginRequest; +use rauthy_common::constants::{ + COOKIE_UPSTREAM_CALLBACK, PROVIDER_ATPROTO, UPSTREAM_AUTH_CALLBACK_TIMEOUT_SECS, +}; +use rauthy_data::api_cookie::ApiCookie; +use rauthy_data::entity::atproto; +use rauthy_data::entity::auth_providers::{AuthProvider, AuthProviderCallback}; +use rauthy_data::entity::clients::Client; +use rauthy_data::rauthy_config::RauthyConfig; +use rauthy_error::{ErrorResponse, ErrorResponseType}; +use std::fmt::Write; +use tracing::error; + +/// returns (encrypted cookie, xsrf token, location header, optional allowed origins) +pub async fn login_start<'a>( + payload: ProviderLoginRequest, +) -> Result<(Cookie<'a>, String, HeaderValue), ErrorResponse> { + let provider = AuthProvider::find(&payload.provider_id).await?; + + if !RauthyConfig::get().vars.atproto.enable && provider.issuer == PROVIDER_ATPROTO { + return Err(ErrorResponse::new( + ErrorResponseType::BadRequest, + "atproto is disabled", + )); + } + + let client = Client::find(payload.client_id).await?; + + let slf = AuthProviderCallback { + callback_id: secure_random_alnum(32), + xsrf_token: secure_random_alnum(32), + typ: provider.typ, + + req_client_id: client.id, + req_scopes: payload.scopes, + req_redirect_uri: payload.redirect_uri, + req_state: payload.state, + req_nonce: payload.nonce, + req_code_challenge: payload.code_challenge, + req_code_challenge_method: payload.code_challenge_method, + + provider_id: provider.id, + + pkce_challenge: payload.pkce_challenge, + }; + + let mut location = format!( + "{}{}client_id={}&redirect_uri={}&response_type=code&scope={}&state={}", + provider.authorization_endpoint, + // append parameters if there are already some parameters + if provider.authorization_endpoint.contains('?') { + '&' + } else { + '?' + }, + provider.client_id, + RauthyConfig::get().provider_callback_uri_encoded, + provider.scope, + slf.callback_id + ); + if provider.use_pkce { + write!( + location, + "&code_challenge={}&code_challenge_method=S256", + slf.pkce_challenge + ) + .expect("write to always succeed"); + } + + if let Some(input) = payload + .handle + .filter(|_| provider.issuer == PROVIDER_ATPROTO) + { + let atproto = atproto::Client::get(); + + let options = AuthorizeOptions { + state: Some(slf.callback_id.clone()), + redirect_uri: Some(RauthyConfig::get().provider_callback_uri.clone()), + scopes: vec![ + ScopeAtproto::Unknown("transition:email".to_owned()), + ScopeAtproto::Known(KnownScope::Atproto), + ScopeAtproto::Known(KnownScope::TransitionGeneric), + ], + ..Default::default() + }; + + location = atproto + .authorize(input, options) + .await + .map_err(|error| { + error!(%error, "failed to start authorization for ATProto"); + }) + .unwrap(); + } + + let cookie = ApiCookie::build( + COOKIE_UPSTREAM_CALLBACK, + &slf.callback_id, + UPSTREAM_AUTH_CALLBACK_TIMEOUT_SECS as i64, + ); + + slf.save().await?; + + Ok(( + cookie, + slf.xsrf_token, + HeaderValue::from_str(&location).expect("Location HeaderValue to be correct"), + )) +} diff --git a/src/service/src/oidc/auth_providers/mod.rs b/src/service/src/oidc/auth_providers/mod.rs new file mode 100644 index 000000000..96d6efe3a --- /dev/null +++ b/src/service/src/oidc/auth_providers/mod.rs @@ -0,0 +1,3 @@ +mod cust_impls; +pub mod login_finish; +pub mod login_start; diff --git a/src/service/src/oidc/authorize.rs b/src/service/src/oidc/authorize.rs index e35382c9e..4e4ebe665 100644 --- a/src/service/src/oidc/authorize.rs +++ b/src/service/src/oidc/authorize.rs @@ -6,16 +6,16 @@ use rauthy_api_types::oidc::{LoginRefreshRequest, LoginRequest}; use rauthy_common::constants::COOKIE_MFA; use rauthy_common::utils::get_rand; use rauthy_data::api_cookie::ApiCookie; -use rauthy_data::entity::auth_codes::AuthCode; +use rauthy_data::entity::auth_codes::{AuthCode, AuthCodeToSAwait}; +use rauthy_data::entity::auth_providers::ProviderMfaLogin; use rauthy_data::entity::clients::Client; use rauthy_data::entity::login_locations::LoginLocation; use rauthy_data::entity::sessions::Session; use rauthy_data::entity::users::{AccountType, User}; -use rauthy_data::entity::webauthn::{WebauthnCookie, WebauthnLoginReq}; +use rauthy_data::entity::webauthn::{WebauthnCookie, WebauthnLoginReq, WebauthnToSAwaitData}; use rauthy_data::rauthy_config::RauthyConfig; -use rauthy_data::{AuthStep, AuthStepAwaitWebauthn, AuthStepLoggedIn}; +use rauthy_data::{AuthStep, AuthStepAwaitWebauthn, AuthStepLoggedIn, AwaitToSAccept}; use rauthy_error::{ErrorResponse, ErrorResponseType}; -use std::fmt::Write; use tracing::trace; pub async fn post_authorize( @@ -104,83 +104,31 @@ pub async fn post_authorize( // client validations let client = Client::find_maybe_ephemeral(req_data.client_id).await?; - client.validate_enabled()?; - client.validate_mfa(&user).inspect_err(|_| { - // in this case, we do not want to add a login delay - // the user password was correct, we only need a passkey being added to the account - *user_needs_mfa = true; - })?; - client.validate_user_groups(&user)?; - client.validate_redirect_uri(&req_data.redirect_uri)?; - client.validate_code_challenge(&req_data.code_challenge, &req_data.code_challenge_method)?; let header_origin = client.get_validated_origin_header(req)?; - // build authorization code - let webauthn_req_exp = RauthyConfig::get().vars.webauthn.req_exp; - let code_lifetime = if user.has_webauthn_enabled() { - client.auth_code_lifetime + webauthn_req_exp as i32 - } else { - client.auth_code_lifetime - }; - let scopes = client.sanitize_login_scopes(&req_data.scopes)?; - let code = AuthCode::new( - user.id.clone(), - client.id, - Some(session.id.clone()), - req_data.code_challenge, - req_data.code_challenge_method, - req_data.nonce, - scopes, - code_lifetime, - ); - code.save().await?; - - let append_char = if req_data.redirect_uri.contains('?') { - '&' - } else { - '?' - }; - let mut loc = format!("{}{}code={}", req_data.redirect_uri, append_char, code.id); - if let Some(state) = req_data.state { - write!(loc, "&state={state}")?; - }; - - // check if we need to validate the 2nd factor - if user.has_webauthn_enabled() { + let require_webauthn = user.has_webauthn_enabled(); + if require_webauthn { session.set_mfa(true).await?; + } - let step = AuthStepAwaitWebauthn { - code: get_rand(48), - header_csrf: Session::get_csrf_header(&session.csrf_token), - header_origin, - user_id: user.id.clone(), - email: user.email, - exp: webauthn_req_exp as u64, - session, - }; - - WebauthnLoginReq { - code: step.code.clone(), - user_id: user.id, - header_loc: loc, - header_origin: step - .header_origin - .as_ref() - .map(|h| h.1.to_str().unwrap().to_string()), - } - .save() - .await?; - - Ok(AuthStep::AwaitWebauthn(step)) - } else { - Ok(AuthStep::LoggedIn(AuthStepLoggedIn { - user_id: user.id, - email: user.email, - header_loc: (header::LOCATION, HeaderValue::from_str(&loc)?), - header_csrf: Session::get_csrf_header(&session.csrf_token), + finish_authorize( + user, + client, + &session, + AuthorizeData { + redirect_uri: req_data.redirect_uri, + scopes: req_data.scopes, + state: req_data.state, + nonce: req_data.nonce, + code_challenge: req_data.code_challenge, + code_challenge_method: req_data.code_challenge_method, header_origin, - })) - } + require_webauthn, + }, + Some(user_needs_mfa), + None, + ) + .await } pub async fn post_authorize_refresh( @@ -199,52 +147,110 @@ pub async fn post_authorize_refresh( user.check_enabled()?; user.check_expired()?; - client.validate_mfa(&user)?; + let require_webauthn = + user.has_webauthn_enabled() && RauthyConfig::get().vars.lifetimes.session_renew_mfa; + + finish_authorize( + user, + client, + session, + AuthorizeData { + redirect_uri: req_data.redirect_uri, + scopes: req_data.scopes, + state: req_data.state, + nonce: req_data.nonce, + code_challenge: req_data.code_challenge, + code_challenge_method: req_data.code_challenge_method, + header_origin, + require_webauthn, + }, + None, + None, + ) + .await +} + +pub(crate) struct AuthorizeData { + pub redirect_uri: String, + pub scopes: Option>, + pub state: Option, + pub nonce: Option, + pub code_challenge: Option, + pub code_challenge_method: Option, + pub header_origin: Option<(HeaderName, HeaderValue)>, + pub require_webauthn: bool, +} + +/// Expects the user checks already been done, but does all the necessary client validations. +/// `user_needs_mfa` is used to add a login delay during `POST /authorize` and not necessary +/// otherwise. +pub(crate) async fn finish_authorize( + user: User, + client: Client, + session: &Session, + data: AuthorizeData, + user_needs_mfa: Option<&mut bool>, + provider_mfa_login: Option, +) -> Result { + client.validate_enabled()?; + client + .validate_mfa(&user, provider_mfa_login) + .inspect_err(|_| { + // in this case, we do not want to add a login delay + // the user password was correct, we only need a passkey being added to the account + if let Some(needs_mfa) = user_needs_mfa { + *needs_mfa = true; + } + })?; client.validate_user_groups(&user)?; + client.validate_redirect_uri(&data.redirect_uri)?; + client.validate_code_challenge(&data.code_challenge, &data.code_challenge_method)?; - let scopes = client.sanitize_login_scopes(&req_data.scopes)?; - let webauthn_req_exp = RauthyConfig::get().vars.webauthn.req_exp; - let code_lifetime = if user.has_webauthn_enabled() { - client.auth_code_lifetime + webauthn_req_exp as i32 - } else { - client.auth_code_lifetime - }; + let scopes = client.sanitize_login_scopes(&data.scopes)?; + + let config = RauthyConfig::get(); + let mut code_lifetime = client.auth_code_lifetime; + if data.require_webauthn { + code_lifetime += config.vars.webauthn.req_exp as i32 + } + let need_tos_accept = user.needs_tos_update().await?; + if need_tos_accept { + code_lifetime += config.vars.tos.accept_timeout as i32; + } let code = AuthCode::new( user.id.clone(), client.id, Some(session.id.clone()), - req_data.code_challenge, - req_data.code_challenge_method, - req_data.nonce, + data.code_challenge, + data.code_challenge_method, + data.nonce, scopes, code_lifetime, ); - code.save().await?; + code.save(code_lifetime).await?; // We don't need another location check - we can only get here with an already authenticated // session and no auth-check is being performed. - // build location header - let header_loc = if let Some(s) = req_data.state { - format!("{}?code={}&state={s}", req_data.redirect_uri, code.id) - } else { - format!("{}?code={}", req_data.redirect_uri, code.id) - }; + let header_loc = code.build_location_header(&data.redirect_uri, data.state.as_deref())?; // check if we need to validate the 2nd factor - if user.has_webauthn_enabled() && RauthyConfig::get().vars.lifetimes.session_renew_mfa { + // if user.has_webauthn_enabled() && RauthyConfig::get().vars.lifetimes.session_renew_mfa { + if data.require_webauthn { + // Webauthn-enabled account + let step = AuthStepAwaitWebauthn { code: get_rand(48), header_csrf: Session::get_csrf_header(&session.csrf_token), - header_origin, + header_origin: data.header_origin, user_id: user.id.clone(), email: user.email, - exp: webauthn_req_exp as u64, + exp: config.vars.webauthn.req_exp as u64, session: session.clone(), }; - let login_req = WebauthnLoginReq { + WebauthnLoginReq { code: step.code.clone(), user_id: user.id, header_loc, @@ -252,17 +258,45 @@ pub async fn post_authorize_refresh( .header_origin .as_ref() .map(|h| h.1.to_str().unwrap().to_string()), - }; - login_req.save().await?; + tos_await_data: need_tos_accept.then_some(WebauthnToSAwaitData { + auth_code: code.id, + auth_code_lifetime: client.auth_code_lifetime, + }), + } + .save() + .await?; Ok(AuthStep::AwaitWebauthn(step)) } else { - Ok(AuthStep::LoggedIn(AuthStepLoggedIn { - user_id: user.id, - email: user.email, - header_loc: (header::LOCATION, HeaderValue::from_str(&header_loc)?), - header_csrf: Session::get_csrf_header(&session.csrf_token), - header_origin, - })) + // password only account + + if need_tos_accept { + let code_await = AuthCodeToSAwait { + auth_code: code.id, + await_code: AuthCodeToSAwait::generate_code(), + auth_code_lifetime: client.auth_code_lifetime, + header_loc, + header_origin: data + .header_origin + .as_ref() + .map(|(_, v)| v.to_str().unwrap().to_string()), + }; + code_await.save().await?; + + Ok(AuthStep::AwaitToSAccept(AwaitToSAccept { + code: code_await.await_code, + user_id: user.id, + header_csrf: Session::get_csrf_header(&session.csrf_token), + header_origin: data.header_origin, + })) + } else { + Ok(AuthStep::LoggedIn(AuthStepLoggedIn { + user_id: user.id, + email: user.email, + header_loc: (header::LOCATION, HeaderValue::from_str(&header_loc)?), + header_csrf: Session::get_csrf_header(&session.csrf_token), + header_origin: data.header_origin, + })) + } } } diff --git a/src/service/src/oidc/mod.rs b/src/service/src/oidc/mod.rs index 06379e5dc..457d0bd8a 100644 --- a/src/service/src/oidc/mod.rs +++ b/src/service/src/oidc/mod.rs @@ -10,6 +10,7 @@ use rauthy_error::{ErrorResponse, ErrorResponseType}; pub use grant_types::device_code::grant_type_device_code; +pub mod auth_providers; pub mod authorize; pub mod bcl_logout_token; mod grant_types;