feat(session api): respect lockout policy (#8027)

# Which Problems Are Solved The session API was designed to be flexible enough for multiple use cases / login scenarios, where the login could respect the login policy or not. The session API itself does not have a corresponding policy and would not check for a required MFA or alike. It therefore also did not yet respect the lockout policy and would leave it to the login UI to handle that. Since the lockout policy is related to the user and not the login itself, we decided to handle the lockout also on calls of the session API. # How the Problems Are Solved If a lockout policy is set for either password or (T)OTP checks, the corresponding check on the session API be run against the lockout check. This means that any failed check, regardless if occurred in the session API or the current hosted login will be counted against the maximum allowed checks of that authentication mechanism. TOTP, OTP SMS and OTP Email are each treated as a separate mechanism. For implementation: - The existing lockout check functions were refactored to be usable for session API calls. - `SessionCommand` type now returns not only an error, but also `[]eventstore.Command` - these will be executed in case of an error # Additional Changes None. # Additional Context Closes #7967 --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2025-08-11 21:37:32 +00:00 · 2024-05-31 00:08:48 +02:00
parent 7ede3ec189
commit aabefb9382
13 changed files with 732 additions and 250 deletions
--- a/internal/api/grpc/session/v2/session_integration_test.go
+++ b/internal/api/grpc/session/v2/session_integration_test.go
@@ -14,12 +14,15 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/zitadel/logging"
+	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/zitadel/zitadel/internal/integration"
+	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
 	session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
@@ -27,6 +30,7 @@ import (

 var (
 	CTX             context.Context
+	IAMOwnerCTX     context.Context
 	Tester          *integration.Tester
 	Client          session.SessionServiceClient
 	User            *user.AddHumanUserResponse
@@ -44,6 +48,7 @@ func TestMain(m *testing.M) {
 		Client = Tester.Client.SessionV2

 		CTX, _ = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx
+		IAMOwnerCTX = Tester.WithAuthorization(ctx, integration.IAMOwner)
 		User = createFullUser(CTX)
 		DeactivatedUser = createDeactivatedUser(CTX)
 		LockedUser = createLockedUser(CTX)
@@ -341,6 +346,48 @@ func TestServer_CreateSession(t *testing.T) {
 	}
 }

+func TestServer_CreateSession_lock_user(t *testing.T) {
+	// create a separate org so we don't interfere with any other test
+	org := Tester.CreateOrganization(IAMOwnerCTX,
+		fmt.Sprintf("TestServer_CreateSession_lock_user_%d", time.Now().UnixNano()),
+		fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()),
+	)
+	userID := org.CreatedAdmins[0].GetUserId()
+	Tester.SetUserPassword(IAMOwnerCTX, userID, integration.UserPassword, false)
+
+	// enable password lockout
+	maxAttempts := 2
+	ctxOrg := metadata.AppendToOutgoingContext(IAMOwnerCTX, "x-zitadel-orgid", org.GetOrganizationId())
+	_, err := Tester.Client.Mgmt.AddCustomLockoutPolicy(ctxOrg, &mgmt.AddCustomLockoutPolicyRequest{
+		MaxPasswordAttempts: uint32(maxAttempts),
+	})
+	require.NoError(t, err)
+
+	for i := 0; i <= maxAttempts; i++ {
+		_, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+			Checks: &session.Checks{
+				User: &session.CheckUser{
+					Search: &session.CheckUser_UserId{
+						UserId: userID,
+					},
+				},
+				Password: &session.CheckPassword{
+					Password: "invalid",
+				},
+			},
+		})
+		assert.Error(t, err)
+		statusCode := status.Code(err)
+		expectedCode := codes.InvalidArgument
+		// as soon as we hit the limit the user is locked and following request will
+		// already deny any check with a precondition failed since the user is locked
+		if i >= maxAttempts {
+			expectedCode = codes.FailedPrecondition
+		}
+		assert.Equal(t, expectedCode, statusCode)
+	}
+}
+
 func TestServer_CreateSession_webauthn(t *testing.T) {
 	// create new session with user and request the webauthn challenge
 	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{