feat: Login verification lifetimes (#3190)

* feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy
2025-08-12 09:27:33 +00:00 · 2022-02-21 16:05:02 +01:00
parent 7d235e3eed
commit f05d4063bf
33 changed files with 1188 additions and 421 deletions
--- a/internal/api/grpc/admin/login_policy_converter.go
+++ b/internal/api/grpc/admin/login_policy_converter.go
@@ -10,12 +10,17 @@ import (

 func updateLoginPolicyToDomain(p *admin_pb.UpdateLoginPolicyRequest) *domain.LoginPolicy {
 	return &domain.LoginPolicy{
-		AllowUsernamePassword: p.AllowUsernamePassword,
-		AllowRegister:         p.AllowRegister,
-		AllowExternalIDP:      p.AllowExternalIdp,
-		ForceMFA:              p.ForceMfa,
-		PasswordlessType:      policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
-		HidePasswordReset:     p.HidePasswordReset,
+		AllowUsernamePassword:      p.AllowUsernamePassword,
+		AllowRegister:              p.AllowRegister,
+		AllowExternalIDP:           p.AllowExternalIdp,
+		ForceMFA:                   p.ForceMfa,
+		PasswordlessType:           policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
+		HidePasswordReset:          p.HidePasswordReset,
+		PasswordCheckLifetime:      p.PasswordCheckLifetime.AsDuration(),
+		ExternalLoginCheckLifetime: p.ExternalLoginCheckLifetime.AsDuration(),
+		MFAInitSkipLifetime:        p.MfaInitSkipLifetime.AsDuration(),
+		SecondFactorCheckLifetime:  p.SecondFactorCheckLifetime.AsDuration(),
+		MultiFactorCheckLifetime:   p.MultiFactorCheckLifetime.AsDuration(),
 	}
 }

--- a/internal/api/grpc/management/policy_login_converter.go
+++ b/internal/api/grpc/management/policy_login_converter.go
@@ -10,23 +10,33 @@ import (

 func addLoginPolicyToDomain(p *mgmt_pb.AddCustomLoginPolicyRequest) *domain.LoginPolicy {
 	return &domain.LoginPolicy{
-		AllowUsernamePassword: p.AllowUsernamePassword,
-		AllowRegister:         p.AllowRegister,
-		AllowExternalIDP:      p.AllowExternalIdp,
-		ForceMFA:              p.ForceMfa,
-		PasswordlessType:      policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
-		HidePasswordReset:     p.HidePasswordReset,
+		AllowUsernamePassword:      p.AllowUsernamePassword,
+		AllowRegister:              p.AllowRegister,
+		AllowExternalIDP:           p.AllowExternalIdp,
+		ForceMFA:                   p.ForceMfa,
+		PasswordlessType:           policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
+		HidePasswordReset:          p.HidePasswordReset,
+		PasswordCheckLifetime:      p.PasswordCheckLifetime.AsDuration(),
+		ExternalLoginCheckLifetime: p.ExternalLoginCheckLifetime.AsDuration(),
+		MFAInitSkipLifetime:        p.MfaInitSkipLifetime.AsDuration(),
+		SecondFactorCheckLifetime:  p.SecondFactorCheckLifetime.AsDuration(),
+		MultiFactorCheckLifetime:   p.MultiFactorCheckLifetime.AsDuration(),
 	}
 }

 func updateLoginPolicyToDomain(p *mgmt_pb.UpdateCustomLoginPolicyRequest) *domain.LoginPolicy {
 	return &domain.LoginPolicy{
-		AllowUsernamePassword: p.AllowUsernamePassword,
-		AllowRegister:         p.AllowRegister,
-		AllowExternalIDP:      p.AllowExternalIdp,
-		ForceMFA:              p.ForceMfa,
-		PasswordlessType:      policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
-		HidePasswordReset:     p.HidePasswordReset,
+		AllowUsernamePassword:      p.AllowUsernamePassword,
+		AllowRegister:              p.AllowRegister,
+		AllowExternalIDP:           p.AllowExternalIdp,
+		ForceMFA:                   p.ForceMfa,
+		PasswordlessType:           policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
+		HidePasswordReset:          p.HidePasswordReset,
+		PasswordCheckLifetime:      p.PasswordCheckLifetime.AsDuration(),
+		ExternalLoginCheckLifetime: p.ExternalLoginCheckLifetime.AsDuration(),
+		MFAInitSkipLifetime:        p.MfaInitSkipLifetime.AsDuration(),
+		SecondFactorCheckLifetime:  p.SecondFactorCheckLifetime.AsDuration(),
+		MultiFactorCheckLifetime:   p.MultiFactorCheckLifetime.AsDuration(),
 	}
 }

--- a/internal/api/grpc/policy/login_policy.go
+++ b/internal/api/grpc/policy/login_policy.go
@@ -5,18 +5,24 @@ import (
 	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/pkg/grpc/object"
 	policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+	"google.golang.org/protobuf/types/known/durationpb"
 	timestamp_pb "google.golang.org/protobuf/types/known/timestamppb"
 )

 func ModelLoginPolicyToPb(policy *query.LoginPolicy) *policy_pb.LoginPolicy {
 	return &policy_pb.LoginPolicy{
-		IsDefault:             policy.IsDefault,
-		AllowUsernamePassword: policy.AllowUsernamePassword,
-		AllowRegister:         policy.AllowRegister,
-		AllowExternalIdp:      policy.AllowExternalIDPs,
-		ForceMfa:              policy.ForceMFA,
-		PasswordlessType:      ModelPasswordlessTypeToPb(policy.PasswordlessType),
-		HidePasswordReset:     policy.HidePasswordReset,
+		IsDefault:                  policy.IsDefault,
+		AllowUsernamePassword:      policy.AllowUsernamePassword,
+		AllowRegister:              policy.AllowRegister,
+		AllowExternalIdp:           policy.AllowExternalIDPs,
+		ForceMfa:                   policy.ForceMFA,
+		PasswordlessType:           ModelPasswordlessTypeToPb(policy.PasswordlessType),
+		HidePasswordReset:          policy.HidePasswordReset,
+		PasswordCheckLifetime:      durationpb.New(policy.PasswordCheckLifetime),
+		ExternalLoginCheckLifetime: durationpb.New(policy.ExternalLoginCheckLifetime),
+		MfaInitSkipLifetime:        durationpb.New(policy.MFAInitSkipLifetime),
+		SecondFactorCheckLifetime:  durationpb.New(policy.SecondFactorCheckLifetime),
+		MultiFactorCheckLifetime:   durationpb.New(policy.MultiFactorCheckLifetime),
 		Details: &object.ObjectDetails{
 			Sequence:      policy.Sequence,
 			CreationDate:  timestamp_pb.New(policy.CreationDate),