feat: provide option to limit (T)OTP checks (#7693)

* feat: provide option to limit (T)OTP checks * fix requests in console * update errors pkg * cleanup * cleanup * improve naming of existing config
2025-08-11 20:47:32 +00:00 · 2024-04-10 11:14:55 +02:00
parent e3f10f7e23
commit 153df2e12f
58 changed files with 752 additions and 755 deletions
--- a/internal/command/instance_policy_password_lockout.go
+++ b/internal/command/instance_policy_password_lockout.go
@@ -12,9 +12,15 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

-func (c *Commands) AddDefaultLockoutPolicy(ctx context.Context, maxAttempts uint64, showLockoutFailure bool) (*domain.ObjectDetails, error) {
+func (c *Commands) AddDefaultLockoutPolicy(ctx context.Context, maxPasswordAttempts, maxOTPAttempts uint64, showLockoutFailure bool) (*domain.ObjectDetails, error) {
 	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
-	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, prepareAddDefaultLockoutPolicy(instanceAgg, maxAttempts, showLockoutFailure))
+	//nolint:staticcheck
+	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, prepareAddDefaultLockoutPolicy(
+		instanceAgg,
+		maxPasswordAttempts,
+		maxOTPAttempts,
+		showLockoutFailure,
+	))
 	if err != nil {
 		return nil, err
 	}
@@ -35,7 +41,13 @@ func (c *Commands) ChangeDefaultLockoutPolicy(ctx context.Context, policy *domai
 	}

 	instanceAgg := InstanceAggregateFromWriteModel(&existingPolicy.LockoutPolicyWriteModel.WriteModel)
-	changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, instanceAgg, policy.MaxPasswordAttempts, policy.ShowLockOutFailures)
+	changedEvent, hasChanged := existingPolicy.NewChangedEvent(
+		ctx,
+		instanceAgg,
+		policy.MaxPasswordAttempts,
+		policy.MaxOTPAttempts,
+		policy.ShowLockOutFailures,
+	)
 	if !hasChanged {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "INSTANCE-0psjF", "Errors.IAM.LockoutPolicy.NotChanged")
 	}
@@ -65,7 +77,8 @@ func (c *Commands) defaultLockoutPolicyWriteModelByID(ctx context.Context) (poli

 func prepareAddDefaultLockoutPolicy(
 	a *instance.Aggregate,
-	maxAttempts uint64,
+	maxPasswordAttempts,
+	maxOTPAttempts uint64,
 	showLockoutFailure bool,
 ) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
@@ -83,7 +96,7 @@ func prepareAddDefaultLockoutPolicy(
 				return nil, zerrors.ThrowAlreadyExists(nil, "INSTANCE-0olDf", "Errors.Instance.LockoutPolicy.AlreadyExists")
 			}
 			return []eventstore.Command{
-				instance.NewLockoutPolicyAddedEvent(ctx, &a.Aggregate, maxAttempts, showLockoutFailure),
+				instance.NewLockoutPolicyAddedEvent(ctx, &a.Aggregate, maxPasswordAttempts, maxOTPAttempts, showLockoutFailure),
 			}, nil
 		}, nil
 	}