TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-24 01:47:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: respect lockout policy on password change (with old password) and add tar pit for checks

Browse Source 
# Which Problems Are Solved

While the lockout policy was correctly applied on the session API and other authentication and management endpoints , it had no effect on the user service v2 endpoints.

# How the Problems Are Solved

- Correctly apply lockout policy on the user service v2 endpoints.
- Added tar pitting to auth factor checks (authentication and management API) to prevent brute-force attacks or denial of service because of user lockouts.
- Tar pitting is not active if `IgnoreUnknownUsername` option is active to prevent leaking information whether a user exists or not.

# Additional Changes

None

# Additional Context

- requires backports

* cleanup

(cherry picked from commit b8db8cdf9c)
This commit is contained in:
Livio Spring
2025-10-29 10:07:35 +01:00
parent 7520450e11
commit d3713dfaed
17 changed files with 618 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/command/session.go
View File

@@ -43,6 +43,7 @@ type SessionCommands struct {
getCodeVerifier func(ctx context.Context, id string) (senders.CodeGenerator, error)
now func() time.Time
maxIdPIntentLifetime time.Duration
tarpit func(failedAttempts uint64)
}
func (c *Commands) NewSessionCommands(cmds []SessionCommand, session *SessionWriteModel) *SessionCommands {
@@ -60,6 +61,7 @@ func (c *Commands) NewSessionCommands(cmds []SessionCommand, session *SessionWri
getCodeVerifier: c.phoneCodeVerifierFromConfig,
now: time.Now,
maxIdPIntentLifetime: c.maxIdPIntentLifetime,
tarpit: c.tarpit,
}
}
@@ -76,7 +78,7 @@ func CheckUser(id string, resourceOwner string, preferredLanguage *language.Tag)
// CheckPassword defines a password check to be executed for a session update
func CheckPassword(password string) SessionCommand {
return func(ctx context.Context, cmd *SessionCommands) ([]eventstore.Command, error) {
commands, err := checkPassword(ctx, cmd.sessionWriteModel.UserID, password, cmd.eventstore, cmd.hasher, nil)
commands, err := checkPassword(ctx, cmd.sessionWriteModel.UserID, password, cmd.eventstore, cmd.hasher, nil, cmd.tarpit)
if err != nil {
return commands, err
}
@@ -135,6 +137,7 @@ func CheckTOTP(code string) SessionCommand {
cmd.eventstore.FilterToQueryReducer,
cmd.totpAlg,
nil,
cmd.tarpit,
)
if err != nil {
return commands, err