Our latest news
2024 ended with a lot of new developments on Canaille, funded by NLNet; you can read about them in our dedicated blog post. Since then we have gone through another round of developments under the same fund, and this page sums them up.
Security audit and improvements
Canaille started 2025 with a security audit conducted by Radically Open Security. Our main objectives were to identify the weaknesses of the product and to fix them before the end of March.
Better password reset security
Support for Flask's TRUSTED_HOSTS configuration variable (see documentation here) prevents the "magic links" sent at user registration and password reset from being forged by a malicious Host header. These links are built from the host of the incoming request, so without an allow-list of hosts an attacker could have a reset link pointing at a domain they control delivered to the victim's mailbox.
We also changed the way these links are generated so that their tokens cannot be guessed, and gave them a limited validity period.
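As an added example (not code from Canaille or Flask), the two checks described above in one place: a simplified re-implementation of the host allow-list that Flask's TRUSTED_HOSTS enables, and an HMAC-signed, time-limited token for the magic link. The secret key, the trusted host names, the one-hour validity and the URL layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlunsplit

# Hypothetical settings: a real deployment reads these from its configuration.
SECRET_KEY = b"replace-with-a-long-random-secret"
TRUSTED_HOSTS = ["auth.example.org", ".sso.example.org"]  # leading dot = any subdomain
TOKEN_MAX_AGE = 3600  # seconds a magic link stays valid (assumption)


def host_is_trusted(host_header, trusted=TRUSTED_HOSTS):
    """Accept only an allow-listed Host (hostnames only, no IPv6 literals).
    Mirrors what Werkzeug does for Flask's TRUSTED_HOSTS: case-insensitive,
    port ignored, and a leading dot in the allow-list matches subdomains."""
    if not host_header:
        return False
    hostname = host_header.rsplit(":", 1)[0].lower()
    for ref in trusted:
        if ref.startswith("."):
            if hostname.endswith(ref.lower()) or hostname == ref[1:].lower():
                return True
        elif hostname == ref.lower():
            return True
    return False


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(user_id, purpose, now=None, key=SECRET_KEY):
    """Unguessable, time-limited token: random nonce + issue time, HMAC-SHA256 signed.
    user_id and purpose must not contain the '|' separator."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_bytes(16)
    payload = f"{user_id}|{purpose}|{issued}|{_b64(nonce)}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, purpose, now=None, max_age=TOKEN_MAX_AGE, key=SECRET_KEY):
    """Return the user id if the token is authentic, issued for this purpose
    and not older than max_age; otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        fields = payload.decode().split("|")
        user_id, token_purpose, issued = fields[0], fields[1], int(fields[2])
    except (ValueError, IndexError):
        return None
    if len(fields) != 4 or token_purpose != purpose:
        return None
    current = int(time.time() if now is None else now)
    if current - issued > max_age:
        return None
    return user_id


def build_magic_link(host_header, user_id, purpose, now=None):
    """Build the link to e-mail. Refuse if the Host header is not trusted:
    otherwise an attacker-supplied host would end up in the victim's inbox."""
    if not host_is_trusted(host_header):
        raise ValueError(f"untrusted host: {host_header!r}")
    token = make_token(user_id, purpose, now=now)
    return urlunsplit(("https", host_header, f"/{purpose}/{token}", "", ""))
```

Binding the token to a purpose matters: a registration link must not be accepted by the password-reset endpoint. A real implementation should also invalidate the token once it has been used (for instance by storing the nonce or comparing against the user's last password change).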
Logo retrieval vulnerability
We fixed a vulnerability that could, in theory, allow server-side request forgery (SSRF) when Canaille fetches an application's logo: a logo URL pointing at an internal address would have been fetched by the server itself.
Better user URL validation
We tightened the validation of the URL users can enter as their website, so that only plain http(s) URLs are accepted.
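Both the logo retrieval fix and the website URL validation come down to deciding whether a user-supplied URL is safe for the server to touch. As an added example (not the project's own code), a validator that rejects non-http(s) schemes, embedded credentials, and any host that resolves to a loopback, private, link-local or otherwise non-public address, including IPv4-mapped IPv6 forms. The resolver is injectable so the check can be exercised offline; the host names and addresses in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(hostname):
    """Default resolver: every address the name maps to (IPv4 and IPv6).
    Going through getaddrinfo also catches shorthand literals such as '127.1'."""
    infos = socket.getaddrinfo(hostname, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def static_resolver(table):
    """Build a resolver from a {hostname: [ip strings]} table (for offline tests)."""
    def resolve(hostname):
        if hostname not in table:
            raise socket.gaierror(hostname)
        return [ipaddress.ip_address(a) for a in table[hostname]]
    return resolve


def _is_public(ip):
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes private, loopback, link-local, reserved and
    # shared (100.64/10) space; multicast is excluded explicitly for older Pythons.
    return ip.is_global and not ip.is_multicast


def check_url(url, resolver=_resolve):
    """Return (ok, reason). Anything that could reach an internal service is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        candidates = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError:  # socket.gaierror is an OSError
            return False, "unresolvable host"
        if not candidates:
            return False, "unresolvable host"
    # Every address the name maps to must be public, not just the first one.
    for ip in candidates:
        if not _is_public(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"
```

Validating and then fetching is still open to DNS rebinding (the name may resolve differently on the second lookup), so a fetcher should connect to the address it validated and re-run the check on every redirect rather than follow them blindly.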
Implementation of Content Security Policy
A Content Security Policy (CSP) is now sent by Canaille via Flask-Talisman. CSP restricts where scripts, styles and other resources may be loaded from, which makes cross-site scripting (XSS) and similar injection attacks much harder to exploit even if an injection point exists.
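As an added illustration (not Canaille's actual policy), a permissive policy next to a strict one, written in the dictionary shape that Flask-Talisman's content_security_policy argument accepts (directive name to source string or list), with a serializer that adds a per-response nonce the way Talisman's content_security_policy_nonce_in option does, and a small lint for the mistakes reviewers most often flag. The directive values are assumptions for an application like Canaille.

```python
import secrets

# Weak: any origin may be loaded and inline scripts run, so an injected <script> executes.
WEAK_CSP = {
    "default-src": "*",
    "script-src": ["'self'", "'unsafe-inline'"],
}

# Strict: same-origin only; inline scripts must carry the per-response nonce.
STRICT_CSP = {
    "default-src": "'self'",
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": "'none'",
    "base-uri": "'self'",          # base-uri and frame-ancestors do NOT inherit default-src
    "frame-ancestors": "'none'",
    "form-action": "'self'",
}


def new_nonce():
    """A fresh nonce per response; the template puts it on every inline <script>."""
    return secrets.token_urlsafe(16)


def render_csp(policy, nonce=None, nonce_in=("script-src",)):
    """Serialize a policy dict to a Content-Security-Policy header value,
    appending 'nonce-...' to the directives listed in nonce_in."""
    parts = []
    for directive, sources in policy.items():
        values = [sources] if isinstance(sources, str) else list(sources)
        if nonce and directive in nonce_in:
            values.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(values)}")
    return "; ".join(parts)


def csp_weaknesses(policy):
    """Problems a reviewer would flag in a policy dict (a checklist, not a full validator)."""
    problems = []
    if "default-src" not in policy:
        problems.append("no default-src: unlisted fetch directives allow everything")
    for directive, sources in policy.items():
        values = [sources] if isinstance(sources, str) else list(sources)
        if "*" in values:
            problems.append(f"{directive} allows any origin")
        if "'unsafe-inline'" in values and directive in ("script-src", "default-src"):
            problems.append(f"{directive} allows inline scripts, which defeats XSS protection")
        if "'unsafe-eval'" in values:
            problems.append(f"{directive} allows eval()")
    for directive, why in (("object-src", "plugins"),
                           ("base-uri", "<base> injection"),
                           ("frame-ancestors", "clickjacking")):
        if directive not in policy:
            problems.append(f"{directive} not set ({why})")
    return problems
```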
OIDC Certification
The OpenID Certification process turned out to be far more work than we expected. We made a lot of progress on making the certification tests pass but still have a lot to do before Canaille is certified. Along the way we implemented features and fixes in Canaille, and raised issues and contributed patches to Authlib to get better support for the OpenID specification.
Part of the progress made:
- Redirect URI validation now matches the OIDC specification.
- Our models now implement the attributes required by OIDC.
- Terms of Service and Privacy Policy links are displayed when the client requesting authorization provides them.
- Most request errors are returned as JSON error responses.
- JSON Web Tokens are returned when the client requests them.
- Canaille's handling of JWTs and JWKS has been improved.
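On the first item, redirect URI validation, the specification is strict: OIDC Core 3.1.2.1 requires the redirect_uri in the request to exactly match a registered one, compared as plain strings (RFC 3986 section 6.2.1), with the single relaxation from RFC 8252 section 7.3 that a native app registered with a loopback IP redirect may use any port. As an added example (not Canaille's or Authlib's code), an exact-match check next to the prefix-match shortcut that looks reasonable but lets an attacker smuggle the authorization code to a URL of their choosing. The registered URIs are constructed.

```python
from urllib.parse import urlsplit

# RFC 8252 only relaxes the port for loopback IP literals, not for "localhost".
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _loopback_port_variant(requested, registered):
    """True when the two differ only by port and both are http://<loopback-ip>."""
    r, g = urlsplit(requested), urlsplit(registered)
    return (r.scheme == g.scheme == "http"
            and r.hostname in LOOPBACK_HOSTS
            and r.hostname == g.hostname
            and r.path == g.path
            and r.query == g.query
            and not r.fragment and not g.fragment)


def redirect_uri_is_valid(requested, registered_uris):
    """Spec-conformant check: simple string comparison, no normalization, no prefixes."""
    for registered in registered_uris:
        if requested == registered:
            return True
        if _loopback_port_variant(requested, registered):
            return True
    return False


def prefix_match_is_valid(requested, registered_uris):
    """The tempting but wrong version, kept only to show what it lets through."""
    return any(requested.startswith(uri) for uri in registered_uris)


# Constructed client registration for the example.
REGISTERED = ["https://app.example.org/oidc/callback", "http://127.0.0.1/callback"]

# Requests a prefix match accepts although the code would leave the callback endpoint.
SMUGGLING_ATTEMPTS = [
    "https://app.example.org/oidc/callback/../../open-redirect?to=https://evil.example",
    "https://app.example.org/oidc/callback?next=https://evil.example",
    "https://app.example.org/oidc/callback.evil.example/",
]
```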
Packaging: Docker image
Canaille can now be tried out more easily thanks to a Docker image hosted on Docker Hub. The image comes with an administrator account so that users can explore Canaille right away.
This Docker image is built from a Nix package of Canaille.
Accessibility audit and improvements
Canaille also benefited from an accessibility audit, conducted by the HAN accessibility lab. The results highlighted several contrast issues, links that were not distinguishable from regular text, and a few keyboard navigation problems.
Accessibility improvements
- Most color contrast issues have been fixed.
- Links are now visually distinct from regular text and change appearance on focus and hover in most places.
- A skip link has been added at the top of every page.
SCIM Provisioning
Canaille has provided a SCIM server implementation since our previous update. It now also supports the SCIM client side, which lets a Canaille instance automatically push changes to users and groups to the client applications it provisions. This keeps those applications synchronized without any additional user intervention.
Thanks for reading. We will keep you updated on our next progress, and you can still read about our other free software contributions in our *seasonal contributions* blog posts.