feat: Lockout policy (#2121)

* feat: lock users if lockout policy is set * feat: setup * feat: lock user on password failes * feat: render error * feat: lock user on command side * feat: auth_req tests * feat: lockout policy docs * feat: remove show lockout failures from proto * fix: console lockout * feat: tests * fix: tests * unlock function * add unlock button * fix migration version * lockout policy * lint * Update internal/auth/repository/eventsourcing/eventstore/auth_request.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: err message * Update internal/command/setup_step4.go Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-11 20:47:32 +00:00 · 2021-08-11 08:36:32 +02:00
parent 272e411e27
commit bc951985ed
101 changed files with 2170 additions and 1574 deletions
--- a/internal/command/user_human_password_model.go
+++ b/internal/command/user_human_password_model.go
@@ -16,9 +16,10 @@ type HumanPasswordWriteModel struct {
 	Secret               *crypto.CryptoValue
 	SecretChangeRequired bool

-	Code             *crypto.CryptoValue
-	CodeCreationDate time.Time
-	CodeExpiry       time.Duration
+	Code                     *crypto.CryptoValue
+	CodeCreationDate         time.Time
+	CodeExpiry               time.Duration
+	PasswordCheckFailedCount uint64

 	UserState domain.UserState
 }
@@ -51,6 +52,7 @@ func (wm *HumanPasswordWriteModel) Reduce() error {
 			wm.Secret = e.Secret
 			wm.SecretChangeRequired = e.ChangeRequired
 			wm.Code = nil
+			wm.PasswordCheckFailedCount = 0
 		case *user.HumanPasswordCodeAddedEvent:
 			wm.Code = e.Code
 			wm.CodeCreationDate = e.CreationDate()
@@ -59,6 +61,12 @@ func (wm *HumanPasswordWriteModel) Reduce() error {
 			if wm.UserState == domain.UserStateInitial {
 				wm.UserState = domain.UserStateActive
 			}
+		case *user.HumanPasswordCheckFailedEvent:
+			wm.PasswordCheckFailedCount += 1
+		case *user.HumanPasswordCheckSucceededEvent:
+			wm.PasswordCheckFailedCount = 0
+		case *user.UserUnlockedEvent:
+			wm.PasswordCheckFailedCount = 0
 		case *user.UserRemovedEvent:
 			wm.UserState = domain.UserStateDeleted
 		}
@@ -78,14 +86,19 @@ func (wm *HumanPasswordWriteModel) Query() *eventstore.SearchQueryBuilder {
 			user.HumanPasswordChangedType,
 			user.HumanPasswordCodeAddedType,
 			user.HumanEmailVerifiedType,
+			user.HumanPasswordCheckFailedType,
+			user.HumanPasswordCheckSucceededType,
 			user.UserRemovedType,
+			user.UserUnlockedType,
 			user.UserV1AddedType,
 			user.UserV1RegisteredType,
 			user.UserV1InitialCodeAddedType,
 			user.UserV1InitializedCheckSucceededType,
 			user.UserV1PasswordChangedType,
 			user.UserV1PasswordCodeAddedType,
-			user.UserV1EmailVerifiedType).
+			user.UserV1EmailVerifiedType,
+			user.UserV1PasswordCheckFailedType,
+			user.UserV1PasswordCheckSucceededType).
 		Builder()

 	if wm.ResourceOwner != "" {