feat: implement session lifetimes

2025-12-11 22:42:18 +00:00 · 2024-11-27 11:02:34 +01:00
parent dae8b28597
commit 9573cdba04
7 changed files with 93 additions and 64 deletions
--- a/apps/login/src/lib/server/cookie.ts
+++ b/apps/login/src/lib/server/cookie.ts
@@ -7,7 +7,7 @@ import {
  getSession,
  setSession,
 } from "@/lib/zitadel";
-import { timestampMs } from "@zitadel/client";
+import { Duration, timestampMs } from "@zitadel/client";
 import {
  Challenges,
  RequestChallenges,
@@ -30,6 +30,7 @@ export async function createSessionAndUpdateCookie(
  checks: Checks,
  challenges: RequestChallenges | undefined,
  authRequestId: string | undefined,
+  lifetime?: Duration,
 ): Promise<Session> {
  const createdSession = await createSessionFromChecks(checks, challenges);

@@ -82,10 +83,12 @@ export async function createSessionForIdpAndUpdateCookie(
    idpIntentToken?: string | undefined;
  },
  authRequestId: string | undefined,
+  lifetime?: Duration,
 ): Promise<Session> {
  const createdSession = await createSessionForUserIdAndIdpIntent(
    userId,
    idpIntent,
+    lifetime,
  );

  if (createdSession) {
@@ -140,12 +143,14 @@ export async function setSessionAndUpdateCookie(
  checks?: Checks,
  challenges?: RequestChallenges,
  authRequestId?: string,
+  lifetime?: Duration,
 ) {
  return setSession(
    recentCookie.id,
    recentCookie.token,
    challenges,
    checks,
+    lifetime,
  ).then((updatedSession) => {
    if (updatedSession) {
      const sessionCookie: CustomCookieData = {
--- a/apps/login/src/lib/server/otp.ts
+++ b/apps/login/src/lib/server/otp.ts
@@ -12,6 +12,7 @@ import {
  getSessionCookieById,
  getSessionCookieByLoginName,
 } from "../cookies";
+import { getLoginSettings } from "../zitadel";

 export type SetOTPCommand = {
  loginName?: string;
@@ -23,49 +24,52 @@ export type SetOTPCommand = {
 };

 export async function setOTP(command: SetOTPCommand) {
-  const recentPromise = command.sessionId
-    ? getSessionCookieById({ sessionId: command.sessionId }).catch((error) => {
-        return Promise.reject(error);
-      })
+  const recentSession = command.sessionId
+    ? await getSessionCookieById({ sessionId: command.sessionId }).catch(
+        (error) => {
+          return Promise.reject(error);
+        },
+      )
    : command.loginName
-      ? getSessionCookieByLoginName({
+      ? await getSessionCookieByLoginName({
          loginName: command.loginName,
          organization: command.organization,
        }).catch((error) => {
          return Promise.reject(error);
        })
-      : getMostRecentSessionCookie().catch((error) => {
+      : await getMostRecentSessionCookie().catch((error) => {
          return Promise.reject(error);
        });

-  return recentPromise.then((recent) => {
-    const checks = create(ChecksSchema, {});
+  const checks = create(ChecksSchema, {});

-    if (command.method === "time-based") {
-      checks.totp = create(CheckTOTPSchema, {
-        code: command.code,
-      });
-    } else if (command.method === "sms") {
-      checks.otpSms = create(CheckOTPSchema, {
-        code: command.code,
-      });
-    } else if (command.method === "email") {
-      checks.otpEmail = create(CheckOTPSchema, {
-        code: command.code,
-      });
-    }
-
-    return setSessionAndUpdateCookie(
-      recent,
-      checks,
-      undefined,
-      command.authRequestId,
-    ).then((session) => {
-      return {
-        sessionId: session.id,
-        factors: session.factors,
-        challenges: session.challenges,
-      };
+  if (command.method === "time-based") {
+    checks.totp = create(CheckTOTPSchema, {
+      code: command.code,
    });
+  } else if (command.method === "sms") {
+    checks.otpSms = create(CheckOTPSchema, {
+      code: command.code,
+    });
+  } else if (command.method === "email") {
+    checks.otpEmail = create(CheckOTPSchema, {
+      code: command.code,
+    });
+  }
+
+  const loginSettings = await getLoginSettings(command.organization);
+
+  return setSessionAndUpdateCookie(
+    recentSession,
+    checks,
+    undefined,
+    command.authRequestId,
+    loginSettings?.secondFactorCheckLifetime,
+  ).then((session) => {
+    return {
+      sessionId: session.id,
+      factors: session.factors,
+      challenges: session.challenges,
+    };
  });
 }
--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -17,6 +17,7 @@ import {
  Checks,
  ChecksSchema,
 } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
+import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { User, UserState } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
 import { headers } from "next/headers";
@@ -66,6 +67,8 @@ export async function sendPassword(command: UpdateSessionCommand) {

  let session;
  let user: User;
+  let loginSettings: LoginSettings | undefined;
+
  if (!sessionCookie) {
    const users = await listUsers({
      loginName: command.loginName,
@@ -80,10 +83,13 @@ export async function sendPassword(command: UpdateSessionCommand) {
        password: { password: command.checks.password?.password },
      });

+      loginSettings = await getLoginSettings(command.organization);
+
      session = await createSessionAndUpdateCookie(
        checks,
        undefined,
        command.authRequestId,
+        loginSettings?.passwordCheckLifetime,
      );
    }

@@ -95,6 +101,7 @@ export async function sendPassword(command: UpdateSessionCommand) {
      command.checks,
      undefined,
      command.authRequestId,
+      loginSettings?.passwordCheckLifetime,
    );

    if (!session?.factors?.user?.id) {
@@ -110,6 +117,12 @@ export async function sendPassword(command: UpdateSessionCommand) {
    user = userResponse.user;
  }

+  if (!loginSettings) {
+    loginSettings = await getLoginSettings(
+      command.organization ?? session.factors?.user?.organizationId,
+    );
+  }
+
  if (!session?.factors?.user?.id || !sessionCookie) {
    return { error: "Could not create session for user" };
  }
@@ -241,9 +254,6 @@ export async function sendPassword(command: UpdateSessionCommand) {
  //   return router.push(`/passkey/set?` + params);
  // }
  else if (command.authRequestId && session.id) {
-    const loginSettings = await getLoginSettings(
-      command.organization ?? session.factors?.user?.organizationId,
-    );
    const nextUrl = await getNextUrl(
      {
        sessionId: session.id,
@@ -257,9 +267,6 @@ export async function sendPassword(command: UpdateSessionCommand) {
    return { redirect: nextUrl };
  }

-  const loginSettings = await getLoginSettings(
-    command.organization ?? session.factors?.user?.organizationId,
-  );
  const url = await getNextUrl(
    {
      loginName: session.factors.user.loginName,
--- a/apps/login/src/lib/server/register.ts
+++ b/apps/login/src/lib/server/register.ts
@@ -37,6 +37,8 @@ export async function registerUser(command: RegisterUserCommand) {
    return { error: "Could not create user" };
  }

+  const loginSettings = await getLoginSettings(command.organization);
+
  let checkPayload: any = {
    user: { search: { case: "userId", value: human.userId } },
  };
@@ -54,6 +56,7 @@ export async function registerUser(command: RegisterUserCommand) {
    checks,
    undefined,
    command.authRequestId,
+    command.password ? loginSettings?.passwordCheckLifetime : undefined,
  );

  if (!session || !session.factors?.user) {
@@ -72,10 +75,6 @@ export async function registerUser(command: RegisterUserCommand) {

    return { redirect: "/passkey/set?" + params };
  } else {
-    const loginSettings = await getLoginSettings(
-      session.factors.user.organizationId,
-    );
-
    const url = await getNextUrl(
      command.authRequestId && session.id
        ? {
--- a/apps/login/src/lib/server/session.ts
+++ b/apps/login/src/lib/server/session.ts
@@ -7,8 +7,10 @@ import {
 import {
  deleteSession,
  getLoginSettings,
+  getUserByID,
  listAuthenticationMethodTypes,
 } from "@/lib/zitadel";
+import { Duration } from "@zitadel/client";
 import { RequestChallenges } from "@zitadel/proto/zitadel/session/v2/challenge_pb";
 import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import { Checks } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
@@ -38,20 +40,26 @@ export async function createNewSessionForIdp(options: CreateNewSessionCommand) {
  if (!userId || !idpIntent) {
    throw new Error("No userId or loginName provided");
  }
+
+  const user = await getUserByID(userId);
+
+  if (!user) {
+    return { error: "Could not find user" };
+  }
+
+  const loginSettings = await getLoginSettings(user.details?.resourceOwner);
+
  const session = await createSessionForIdpAndUpdateCookie(
    userId,
    idpIntent,
    authRequestId,
+    loginSettings?.externalLoginCheckLifetime,
  );

  if (!session || !session.factors?.user) {
    return { error: "Could not create session" };
  }

-  const loginSettings = await getLoginSettings(
-    session.factors.user.organizationId,
-  );
-
  const url = await getNextUrl(
    authRequestId && session.id
      ? {
@@ -110,6 +118,7 @@ export type UpdateSessionCommand = {
  checks?: Checks;
  authRequestId?: string;
  challenges?: RequestChallenges;
+  lifetime?: Duration;
 };

 export async function updateSession(options: UpdateSessionCommand) {
@@ -121,17 +130,17 @@ export async function updateSession(options: UpdateSessionCommand) {
    authRequestId,
    challenges,
  } = options;
-  const sessionPromise = sessionId
-    ? getSessionCookieById({ sessionId }).catch((error) => {
+  const recentSession = sessionId
+    ? await getSessionCookieById({ sessionId }).catch((error) => {
        return Promise.reject(error);
      })
    : loginName
-      ? getSessionCookieByLoginName({ loginName, organization }).catch(
+      ? await getSessionCookieByLoginName({ loginName, organization }).catch(
          (error) => {
            return Promise.reject(error);
          },
        )
-      : getMostRecentSessionCookie().catch((error) => {
+      : await getMostRecentSessionCookie().catch((error) => {
          return Promise.reject(error);
        });

@@ -148,13 +157,20 @@ export async function updateSession(options: UpdateSessionCommand) {
    challenges.webAuthN.domain = hostname;
  }

-  const recent = await sessionPromise;
+  const loginSettings = await getLoginSettings(organization);
+
+  const lifetime = checks?.webAuthN
+    ? loginSettings?.multiFactorCheckLifetime // TODO different lifetime for webauthn u2f/passkey
+    : checks?.otpEmail || checks?.otpSms
+      ? loginSettings?.secondFactorCheckLifetime
+      : undefined;

  const session = await setSessionAndUpdateCookie(
-    recent,
+    recentSession,
    checks,
    challenges,
    authRequestId,
+    lifetime,
  );

  // if password, check if user has MFA methods
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -18,7 +18,7 @@ import {
  VerifyU2FRegistrationRequest,
 } from "@zitadel/proto/zitadel/user/v2/user_service_pb";

-import { create } from "@zitadel/client";
+import { create, Duration } from "@zitadel/client";
 import { TextQueryMethod } from "@zitadel/proto/zitadel/object/v2/object_pb";
 import { CreateCallbackRequest } from "@zitadel/proto/zitadel/oidc/v2/oidc_service_pb";
 import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
@@ -132,15 +132,13 @@ export async function getPasswordComplexitySettings(organization?: string) {
 export async function createSessionFromChecks(
  checks: Checks,
  challenges: RequestChallenges | undefined,
+  lifetime?: Duration,
 ) {
  return sessionService.createSession(
    {
      checks: checks,
      challenges,
-      lifetime: {
-        seconds: BigInt(SESSION_LIFETIME_S),
-        nanos: 0,
-      },
+      lifetime,
    },
    {},
  );
@@ -152,6 +150,7 @@ export async function createSessionForUserIdAndIdpIntent(
    idpIntentId?: string | undefined;
    idpIntentToken?: string | undefined;
  },
+  lifetime?: Duration,
 ) {
  return sessionService.createSession({
    checks: {
@@ -163,10 +162,7 @@ export async function createSessionForUserIdAndIdpIntent(
      },
      idpIntent,
    },
-    // lifetime: {
-    //   seconds: 300,
-    //   nanos: 0,
-    // },
+    lifetime,
  });
 }

@@ -175,6 +171,7 @@ export async function setSession(
  sessionToken: string,
  challenges: RequestChallenges | undefined,
  checks?: Checks,
+  lifetime?: Duration,
 ) {
  return sessionService.setSession(
    {
@@ -183,6 +180,7 @@ export async function setSession(
      challenges,
      checks: checks ? checks : {},
      metadata: {},
+      lifetime,
    },
    {},
  );
--- a/packages/zitadel-client/src/index.ts
+++ b/packages/zitadel-client/src/index.ts
@@ -4,4 +4,4 @@ export { NewAuthorizationBearerInterceptor } from "./interceptors";
 // TODO: Move this to `./protobuf.ts` and export it from there
 export { create, fromJson, toJson } from "@bufbuild/protobuf";
 export { TimestampSchema, timestampDate, timestampFromDate, timestampFromMs, timestampMs } from "@bufbuild/protobuf/wkt";
-export type { Timestamp } from "@bufbuild/protobuf/wkt";
+export type { Duration, Timestamp } from "@bufbuild/protobuf/wkt";