feat: Login verification lifetimes (#3190)

* feat: add login check lifetimes to login policy * feat: org features test * feat: read lifetimes from loginpolicy
2025-08-11 19:07:30 +00:00 · 2022-02-21 16:05:02 +01:00
parent 7d235e3eed
commit f05d4063bf
33 changed files with 1188 additions and 421 deletions
--- a/internal/repository/policy/login.go
+++ b/internal/repository/policy/login.go
@@ -2,6 +2,7 @@ package policy

 import (
 	"encoding/json"
+	"time"

 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
@@ -19,12 +20,17 @@ const (
 type LoginPolicyAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	AllowUserNamePassword bool                    `json:"allowUsernamePassword,omitempty"`
-	AllowRegister         bool                    `json:"allowRegister,omitempty"`
-	AllowExternalIDP      bool                    `json:"allowExternalIdp,omitempty"`
-	ForceMFA              bool                    `json:"forceMFA,omitempty"`
-	HidePasswordReset     bool                    `json:"hidePasswordReset,omitempty"`
-	PasswordlessType      domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	AllowUserNamePassword      bool                    `json:"allowUsernamePassword,omitempty"`
+	AllowRegister              bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP           bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA                   bool                    `json:"forceMFA,omitempty"`
+	HidePasswordReset          bool                    `json:"hidePasswordReset,omitempty"`
+	PasswordlessType           domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	PasswordCheckLifetime      time.Duration           `json:"passwordCheckLifetime,omitempty"`
+	ExternalLoginCheckLifetime time.Duration           `json:"externalLoginCheckLifetime,omitempty"`
+	MFAInitSkipLifetime        time.Duration           `json:"mfaInitSkipLifetime,omitempty"`
+	SecondFactorCheckLifetime  time.Duration           `json:"secondFactorCheckLifetime,omitempty"`
+	MultiFactorCheckLifetime   time.Duration           `json:"multiFactorCheckLifetime,omitempty"`
 }

 func (e *LoginPolicyAddedEvent) Data() interface{} {
@@ -43,15 +49,25 @@ func NewLoginPolicyAddedEvent(
 	forceMFA,
 	hidePasswordReset bool,
 	passwordlessType domain.PasswordlessType,
+	passwordCheckLifetime,
+	externalLoginCheckLifetime,
+	mfaInitSkipLifetime,
+	secondFactorCheckLifetime,
+	multiFactorCheckLifetime time.Duration,
 ) *LoginPolicyAddedEvent {
 	return &LoginPolicyAddedEvent{
-		BaseEvent:             *base,
-		AllowExternalIDP:      allowExternalIDP,
-		AllowRegister:         allowRegister,
-		AllowUserNamePassword: allowUserNamePassword,
-		ForceMFA:              forceMFA,
-		PasswordlessType:      passwordlessType,
-		HidePasswordReset:     hidePasswordReset,
+		BaseEvent:                  *base,
+		AllowExternalIDP:           allowExternalIDP,
+		AllowRegister:              allowRegister,
+		AllowUserNamePassword:      allowUserNamePassword,
+		ForceMFA:                   forceMFA,
+		PasswordlessType:           passwordlessType,
+		HidePasswordReset:          hidePasswordReset,
+		PasswordCheckLifetime:      passwordCheckLifetime,
+		ExternalLoginCheckLifetime: externalLoginCheckLifetime,
+		MFAInitSkipLifetime:        mfaInitSkipLifetime,
+		SecondFactorCheckLifetime:  secondFactorCheckLifetime,
+		MultiFactorCheckLifetime:   multiFactorCheckLifetime,
 	}
 }

@@ -71,12 +87,17 @@ func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, err
 type LoginPolicyChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	AllowUserNamePassword *bool                    `json:"allowUsernamePassword,omitempty"`
-	AllowRegister         *bool                    `json:"allowRegister,omitempty"`
-	AllowExternalIDP      *bool                    `json:"allowExternalIdp,omitempty"`
-	ForceMFA              *bool                    `json:"forceMFA,omitempty"`
-	HidePasswordReset     *bool                    `json:"hidePasswordReset,omitempty"`
-	PasswordlessType      *domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	AllowUserNamePassword      *bool                    `json:"allowUsernamePassword,omitempty"`
+	AllowRegister              *bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP           *bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA                   *bool                    `json:"forceMFA,omitempty"`
+	HidePasswordReset          *bool                    `json:"hidePasswordReset,omitempty"`
+	PasswordlessType           *domain.PasswordlessType `json:"passwordlessType,omitempty"`
+	PasswordCheckLifetime      *time.Duration           `json:"passwordCheckLifetime,omitempty"`
+	ExternalLoginCheckLifetime *time.Duration           `json:"externalLoginCheckLifetime,omitempty"`
+	MFAInitSkipLifetime        *time.Duration           `json:"mfaInitSkipLifetime,omitempty"`
+	SecondFactorCheckLifetime  *time.Duration           `json:"secondFactorCheckLifetime,omitempty"`
+	MultiFactorCheckLifetime   *time.Duration           `json:"multiFactorCheckLifetime,omitempty"`
 }

 func (e *LoginPolicyChangedEvent) Data() interface{} {
@@ -141,6 +162,31 @@ func ChangeHidePasswordReset(hidePasswordReset bool) func(*LoginPolicyChangedEve
 	}
 }

+func ChangePasswordCheckLifetime(passwordCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.PasswordCheckLifetime = &passwordCheckLifetime
+	}
+}
+func ChangeExternalLoginCheckLifetime(externalLoginCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.ExternalLoginCheckLifetime = &externalLoginCheckLifetime
+	}
+}
+func ChangeMFAInitSkipLifetime(mfaInitSkipLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.MFAInitSkipLifetime = &mfaInitSkipLifetime
+	}
+}
+func ChangeSecondFactorCheckLifetime(secondFactorCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.SecondFactorCheckLifetime = &secondFactorCheckLifetime
+	}
+}
+func ChangeMultiFactorCheckLifetime(multiFactorCheckLifetime time.Duration) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.MultiFactorCheckLifetime = &multiFactorCheckLifetime
+	}
+}
 func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
 	e := &LoginPolicyChangedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),