2021-01-05 08:33:45 +00:00
|
|
|
package domain
|
|
|
|
|
|
2021-02-08 10:30:30 +00:00
|
|
|
import (
|
|
|
|
|
"bytes"
|
2021-08-02 13:24:58 +00:00
|
|
|
"fmt"
|
|
|
|
|
"time"
|
|
|
|
|
|
2022-04-26 23:01:45 +00:00
|
|
|
es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
2021-02-08 10:30:30 +00:00
|
|
|
)
|
2021-01-05 08:33:45 +00:00
|
|
|
|
|
|
|
|
type WebAuthNToken struct {
|
|
|
|
|
es_models.ObjectRoot
|
|
|
|
|
|
|
|
|
|
WebAuthNTokenID string
|
|
|
|
|
CredentialCreationData []byte
|
|
|
|
|
State MFAState
|
|
|
|
|
Challenge string
|
|
|
|
|
AllowedCredentialIDs [][]byte
|
|
|
|
|
UserVerification UserVerificationRequirement
|
|
|
|
|
KeyID []byte
|
|
|
|
|
PublicKey []byte
|
|
|
|
|
AttestationType string
|
|
|
|
|
AAGUID []byte
|
|
|
|
|
SignCount uint32
|
|
|
|
|
WebAuthNTokenName string
|
2023-06-27 12:36:07 +00:00
|
|
|
RPID string
|
2021-01-05 08:33:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type WebAuthNLogin struct {
|
|
|
|
|
es_models.ObjectRoot
|
|
|
|
|
|
|
|
|
|
CredentialAssertionData []byte
|
|
|
|
|
Challenge string
|
|
|
|
|
AllowedCredentialIDs [][]byte
|
|
|
|
|
UserVerification UserVerificationRequirement
|
2023-06-27 12:36:07 +00:00
|
|
|
RPID string
|
2021-01-05 08:33:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type UserVerificationRequirement int32
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
UserVerificationRequirementUnspecified UserVerificationRequirement = iota
|
|
|
|
|
UserVerificationRequirementRequired
|
|
|
|
|
UserVerificationRequirementPreferred
|
|
|
|
|
UserVerificationRequirementDiscouraged
|
|
|
|
|
)
|
2021-01-07 15:06:45 +00:00
|
|
|
|
2021-01-15 08:32:59 +00:00
|
|
|
type AuthenticatorAttachment int32
|
2021-01-07 15:06:45 +00:00
|
|
|
|
|
|
|
|
const (
|
2021-01-15 08:32:59 +00:00
|
|
|
AuthenticatorAttachmentUnspecified AuthenticatorAttachment = iota
|
|
|
|
|
AuthenticatorAttachmentPlattform
|
|
|
|
|
AuthenticatorAttachmentCrossPlattform
|
2021-01-07 15:06:45 +00:00
|
|
|
)
|
|
|
|
|
|
2021-01-15 08:32:59 +00:00
|
|
|
func GetTokenToVerify(tokens []*WebAuthNToken) (int, *WebAuthNToken) {
|
|
|
|
|
for i, u2f := range tokens {
|
|
|
|
|
if u2f.State == MFAStateNotReady {
|
|
|
|
|
return i, u2f
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return -1, nil
|
2021-01-07 15:06:45 +00:00
|
|
|
}
|
2021-02-08 10:30:30 +00:00
|
|
|
|
|
|
|
|
func GetTokenByKeyID(tokens []*WebAuthNToken, keyID []byte) (int, *WebAuthNToken) {
|
|
|
|
|
for i, token := range tokens {
|
|
|
|
|
if bytes.Compare(token.KeyID, keyID) == 0 {
|
|
|
|
|
return i, token
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return -1, nil
|
|
|
|
|
}
|
2021-08-02 13:24:58 +00:00
|
|
|
|
|
|
|
|
type PasswordlessInitCodeState int32
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
PasswordlessInitCodeStateUnspecified PasswordlessInitCodeState = iota
|
|
|
|
|
PasswordlessInitCodeStateRequested
|
|
|
|
|
PasswordlessInitCodeStateActive
|
|
|
|
|
PasswordlessInitCodeStateRemoved
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type PasswordlessInitCode struct {
|
|
|
|
|
es_models.ObjectRoot
|
|
|
|
|
|
|
|
|
|
CodeID string
|
|
|
|
|
Code string
|
|
|
|
|
Expiration time.Duration
|
|
|
|
|
State PasswordlessInitCodeState
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *PasswordlessInitCode) Link(baseURL string) string {
|
|
|
|
|
return PasswordlessInitCodeLink(baseURL, p.AggregateID, p.ResourceOwner, p.CodeID, p.Code)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func PasswordlessInitCodeLink(baseURL, userID, resourceOwner, codeID, code string) string {
|
|
|
|
|
return fmt.Sprintf("%s?userID=%s&orgID=%s&codeID=%s&code=%s", baseURL, userID, resourceOwner, codeID, code)
|
|
|
|
|
}
|
feat(notification): use event worker pool (#8962)
# Which Problems Are Solved
The current handling of notification follows the same pattern as all
other projections:
Created events are handled sequentially (based on "position") by a
handler. During the process, a lot of information is aggregated (user,
texts, templates, ...).
This leads to back pressure on the projection since the handling of
events might take longer than the time before a new event (to be
handled) is created.
# How the Problems Are Solved
- The current user notification handler creates separate notification
events based on the user / session events.
- These events contain all the present and required information
including the userID.
- These notification events get processed by notification workers, which
gather the necessary information (recipient address, texts, templates)
to send out these notifications.
- If a notification fails, a retry event is created based on the current
notification request including the current state of the user (this
prevents race conditions, where a user is changed in the meantime and
the notification already gets the new state).
- The retry event will be handled after a backoff delay. This delay
increases with every attempt.
- If the configured amount of attempts is reached or the message expired
(based on config), a cancel event is created, letting the workers know,
the notification must no longer be handled.
- In case of successful send, a sent event is created for the
notification aggregate and the existing "sent" events for the user /
session object is stored.
- The following is added to the defaults.yaml to allow configuration of
the notification workers:
```yaml
Notifications:
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit: 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
RequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers: 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
RetryRequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances: 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
TransactionDuration: 1m # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
MinRetryDelay: 1s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay: 20s # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
# Any factor below 1 will be set to 1
RetryDelayFactor: 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
```
# Additional Changes
None
# Additional Context
- closes #8931
2024-11-27 15:01:17 +00:00
|
|
|
|
|
|
|
|
func PasswordlessInitCodeLinkTemplate(baseURL, userID, resourceOwner, codeID string) string {
|
|
|
|
|
return PasswordlessInitCodeLink(baseURL, userID, resourceOwner, codeID, "{{.Code}}")
|
|
|
|
|
}
|