Fix security settings links and enable 2FA for customer stacks

- Update dashboard buttons to use correct Authelia paths: /settings/two-factor-authentication and /settings/security - Change customer stack ACL from one_factor to two_factor so Authelia enables the 2FA registration UI (passkeys, TOTP) Made-with: Cursor
2026-03-03 18:26:20 -05:00 · 2026-03-03 18:26:20 -05:00 · ab11e62c04
parent 8f55b9802b
commit ab11e62c04
2 changed files with 3 additions and 4 deletions
--- a/docker/ss-atlas/templates/pages/dashboard.html
+++ b/docker/ss-atlas/templates/pages/dashboard.html
@ -245,9 +245,8 @@
        best way to ensure your account is never compromised and used without your knowledge.
      </div>
      <div class="actions">
-        <a href="{{.AutheliaURL}}/#/settings" class="btn btn-outline btn-sm">Set Up Passkey</a>
+        <a href="{{.AutheliaURL}}/settings/two-factor-authentication" class="btn btn-outline btn-sm">Set Up Passkey / TOTP</a>
-        <a href="{{.AutheliaURL}}/#/settings" class="btn btn-outline btn-sm">Set Up TOTP App</a>
+        <a href="{{.AutheliaURL}}/settings/security" class="btn btn-outline btn-sm">Change Password</a>
        <a href="{{.AutheliaURL}}/#/settings" class="btn btn-outline btn-sm">Change Password</a>
      </div>
    </div>
    {{else}}
--- a/stack.yml
+++ b/stack.yml
@ -77,7 +77,7 @@ services:
        echo "$${CLIENT_SECRET_HEADADMIN}" > /run/secrets/CLIENT_SECRET_HEADADMIN
        echo "$${CLIENT_SECRET_PORTAINER}" > /run/secrets/CLIENT_SECRET_PORTAINER
        echo "$${CLIENT_SECRET_GITEA}" > /run/secrets/CLIENT_SECRET_GITEA
-        { echo 'access_control:'; echo '  default_policy: deny'; echo '  rules:'; echo '    - domain: login.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: app.bc.a250.ca'; echo '      policy: bypass'; echo '      resources:'; echo "        - '^/$$'"; echo "        - '^/subscribe$$'"; echo "        - '^/success(\\?.*)?$$'"; echo "        - '^/webhook/stripe$$'"; echo "        - '^/resend-reset$$'"; echo "        - '^/health$$'"; echo "        - '^/version$$'"; echo '    - domain: app.bc.a250.ca'; echo '      policy: one_factor'; echo '      resources:'; echo "        - '^/dashboard$$'"; echo "        - '^/activate$$'"; echo "        - '^/portal$$'"; echo "        - '^/resubscribe$$'"; echo "        - '^/stack-manage$$'"; echo '    - domain:'; echo '        - lldap.bc.a250.ca'; echo '        - whoami.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: "{user}.bc.a250.ca"'; echo '      policy: one_factor'; echo '    - domain: "*.bc.a250.ca"'; echo '      policy: deny'; } > /config/configuration.acl.yml
+        { echo 'access_control:'; echo '  default_policy: deny'; echo '  rules:'; echo '    - domain: login.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: app.bc.a250.ca'; echo '      policy: bypass'; echo '      resources:'; echo "        - '^/$$'"; echo "        - '^/subscribe$$'"; echo "        - '^/success(\\?.*)?$$'"; echo "        - '^/webhook/stripe$$'"; echo "        - '^/resend-reset$$'"; echo "        - '^/health$$'"; echo "        - '^/version$$'"; echo '    - domain: app.bc.a250.ca'; echo '      policy: one_factor'; echo '      resources:'; echo "        - '^/dashboard$$'"; echo "        - '^/activate$$'"; echo "        - '^/portal$$'"; echo "        - '^/resubscribe$$'"; echo "        - '^/stack-manage$$'"; echo '    - domain:'; echo '        - lldap.bc.a250.ca'; echo '        - whoami.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: "{user}.bc.a250.ca"'; echo '      policy: two_factor'; echo '    - domain: "*.bc.a250.ca"'; echo '      policy: deny'; } > /config/configuration.acl.yml
        exec authelia --config=/config/configuration.server.yml --config=/config/configuration.ldap.yml --config=/config/configuration.acl.yml --config=/config/configuration.notifier.yml --config=/config/configuration.identity.providers.yml --config=/config/configuration.oidc.clients.yml
    environment:
      X_AUTHELIA_EMAIL: authelia@a250.ca