feat: password age policy (#8132)

# Which Problems Are Solved Some organizations / customers have the requirement, that there users regularly need to change their password. ZITADEL already had the possibility to manage a `password age policy` ( thought the API) with the maximum amount of days a password should be valid, resp. days after with the user should be warned of the upcoming expiration. The policy could not be managed though the Console UI and was not checked in the Login UI. # How the Problems Are Solved - The policy can be managed in the Console UI's settings sections on an instance and organization level. - During an authentication in the Login UI, if a policy is set with an expiry (>0) and the user's last password change exceeds the amount of days set, the user will be prompted to change their password. - The prompt message of the Login UI can be customized in the Custom Login Texts though the Console and API on the instance and each organization. - The information when the user last changed their password is returned in the Auth, Management and User V2 API. - The policy can be retrieved in the settings service as `password expiry settings`. # Additional Changes None. # Additional Context - closes #8081 --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-11 21:17:32 +00:00 · 2024-06-18 13:27:44 +02:00
parent 65f787cc02
commit fb8cd18f93
93 changed files with 1250 additions and 487 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -44,6 +44,7 @@ type AuthRequestRepo struct {
 	OrgViewProvider           orgViewProvider
 	LoginPolicyViewProvider   loginPolicyViewProvider
 	LockoutPolicyViewProvider lockoutPolicyViewProvider
+	PasswordAgePolicyProvider passwordAgePolicyProvider
 	PrivacyPolicyProvider     privacyPolicyProvider
 	IDPProviderViewProvider   idpProviderViewProvider
 	IDPUserLinksProvider      idpUserLinksProvider
@@ -81,6 +82,10 @@ type lockoutPolicyViewProvider interface {
 	LockoutPolicyByOrg(context.Context, bool, string) (*query.LockoutPolicy, error)
 }

+type passwordAgePolicyProvider interface {
+	PasswordAgePolicyByOrg(context.Context, bool, string, bool) (*query.PasswordAgePolicy, error)
+}
+
 type idpProviderViewProvider interface {
 	IDPLoginPolicyLinks(context.Context, string, *query.IDPLoginPolicyLinksSearchQuery, bool) (*query.IDPLoginPolicyLinks, error)
 }
@@ -685,6 +690,13 @@ func (repo *AuthRequestRepo) fillPolicies(ctx context.Context, request *domain.A
 		}
 		request.LabelPolicy = labelPolicy
 	}
+	if request.PasswordAgePolicy == nil || request.PolicyOrgID() != orgID {
+		passwordPolicy, err := repo.getPasswordAgePolicy(ctx, orgID)
+		if err != nil {
+			return err
+		}
+		request.PasswordAgePolicy = passwordPolicy
+	}
 	if len(request.DefaultTranslations) == 0 {
 		defaultLoginTranslations, err := repo.getLoginTexts(ctx, instance.InstanceID())
 		if err != nil {
@@ -1048,8 +1060,9 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
 		return append(steps, step), nil
 	}

-	if user.PasswordChangeRequired {
-		steps = append(steps, &domain.ChangePasswordStep{})
+	expired := passwordAgeChangeRequired(request.PasswordAgePolicy, user.PasswordChanged)
+	if expired || user.PasswordChangeRequired {
+		steps = append(steps, &domain.ChangePasswordStep{Expired: expired})
 	}
 	if !user.IsEmailVerified {
 		steps = append(steps, &domain.VerifyEMailStep{})
@@ -1058,7 +1071,7 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
 		steps = append(steps, &domain.ChangeUsernameStep{})
 	}

-	if user.PasswordChangeRequired || !user.IsEmailVerified || user.UsernameChangeRequired {
+	if expired || user.PasswordChangeRequired || !user.IsEmailVerified || user.UsernameChangeRequired {
 		return steps, nil
 	}

@@ -1093,6 +1106,14 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
 	return append(steps, &domain.RedirectToCallbackStep{}), nil
 }

+func passwordAgeChangeRequired(policy *domain.PasswordAgePolicy, changed time.Time) bool {
+	if policy == nil || policy.MaxAgeDays == 0 {
+		return false
+	}
+	maxDays := time.Duration(policy.MaxAgeDays) * 24 * time.Hour
+	return time.Now().Add(-maxDays).After(changed)
+}
+
 func (repo *AuthRequestRepo) nextStepsUser(ctx context.Context, request *domain.AuthRequest) (_ []domain.NextStep, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
@@ -1371,6 +1392,28 @@ func labelPolicyToDomain(p *query.LabelPolicy) *domain.LabelPolicy {
 	}
 }

+func (repo *AuthRequestRepo) getPasswordAgePolicy(ctx context.Context, orgID string) (*domain.PasswordAgePolicy, error) {
+	policy, err := repo.PasswordAgePolicyProvider.PasswordAgePolicyByOrg(ctx, false, orgID, false)
+	if err != nil {
+		return nil, err
+	}
+	return passwordAgePolicyToDomain(policy), nil
+}
+
+func passwordAgePolicyToDomain(policy *query.PasswordAgePolicy) *domain.PasswordAgePolicy {
+	return &domain.PasswordAgePolicy{
+		ObjectRoot: es_models.ObjectRoot{
+			AggregateID:   policy.ID,
+			Sequence:      policy.Sequence,
+			ResourceOwner: policy.ResourceOwner,
+			CreationDate:  policy.CreationDate,
+			ChangeDate:    policy.ChangeDate,
+		},
+		MaxAgeDays:     policy.MaxAgeDays,
+		ExpireWarnDays: policy.ExpireWarnDays,
+	}
+}
+
 func (repo *AuthRequestRepo) getLoginTexts(ctx context.Context, aggregateID string) ([]*domain.CustomText, error) {
 	loginTexts, err := repo.CustomTextProvider.CustomTextListByTemplate(ctx, aggregateID, domain.LoginCustomText, false)
 	if err != nil {
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -140,6 +140,7 @@ type mockViewUser struct {
 	InitRequired             bool
 	PasswordInitRequired     bool
 	PasswordSet              bool
+	PasswordChanged          time.Time
 	PasswordChangeRequired   bool
 	IsEmailVerified          bool
 	OTPState                 int32
@@ -189,6 +190,14 @@ func (m *mockLockoutPolicy) LockoutPolicyByOrg(context.Context, bool, string) (*
 	return m.policy, nil
 }

+type mockPasswordAgePolicy struct {
+	policy *query.PasswordAgePolicy
+}
+
+func (m *mockPasswordAgePolicy) PasswordAgePolicyByOrg(context.Context, bool, string, bool) (*query.PasswordAgePolicy, error) {
+	return m.policy, nil
+}
+
 func (m *mockViewUser) UserByID(string, string) (*user_view_model.UserView, error) {
 	return &user_view_model.UserView{
 		State:    int32(user_model.UserStateActive),
@@ -291,21 +300,22 @@ func (m *mockIDPUserLinks) IDPUserLinks(ctx context.Context, queries *query.IDPU

 func TestAuthRequestRepo_nextSteps(t *testing.T) {
 	type fields struct {
-		AuthRequests            cache.AuthRequestCache
-		View                    *view.View
-		userSessionViewProvider userSessionViewProvider
-		userViewProvider        userViewProvider
-		userEventProvider       userEventProvider
-		orgViewProvider         orgViewProvider
-		userGrantProvider       userGrantProvider
-		projectProvider         projectProvider
-		applicationProvider     applicationProvider
-		loginPolicyProvider     loginPolicyViewProvider
-		lockoutPolicyProvider   lockoutPolicyViewProvider
-		idpUserLinksProvider    idpUserLinksProvider
-		privacyPolicyProvider   privacyPolicyProvider
-		labelPolicyProvider     labelPolicyProvider
-		customTextProvider      customTextProvider
+		AuthRequests              cache.AuthRequestCache
+		View                      *view.View
+		userSessionViewProvider   userSessionViewProvider
+		userViewProvider          userViewProvider
+		userEventProvider         userEventProvider
+		orgViewProvider           orgViewProvider
+		userGrantProvider         userGrantProvider
+		projectProvider           projectProvider
+		applicationProvider       applicationProvider
+		loginPolicyProvider       loginPolicyViewProvider
+		lockoutPolicyProvider     lockoutPolicyViewProvider
+		idpUserLinksProvider      idpUserLinksProvider
+		privacyPolicyProvider     privacyPolicyProvider
+		labelPolicyProvider       labelPolicyProvider
+		passwordAgePolicyProvider passwordAgePolicyProvider
+		customTextProvider        customTextProvider
 	}
 	type args struct {
 		request       *domain.AuthRequest
@@ -529,6 +539,9 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 				labelPolicyProvider: &mockLabelPolicy{
 					policy: &query.LabelPolicy{},
 				},
+				passwordAgePolicyProvider: &mockPasswordAgePolicy{
+					policy: &query.PasswordAgePolicy{},
+				},
 				customTextProvider: &mockCustomText{
 					texts: &query.CustomTexts{},
 				},
@@ -1304,6 +1317,48 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]domain.NextStep{&domain.ChangePasswordStep{}, &domain.VerifyEMailStep{}},
 			nil,
 		},
+		{
+			"password change expired, password change step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					PasswordVerification:     testNow.Add(-5 * time.Minute),
+					SecondFactorVerification: testNow.Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet:            true,
+					PasswordChangeRequired: false,
+					PasswordChanged:        testNow.Add(-50 * 24 * time.Hour),
+					IsEmailVerified:        true,
+					MFAMaxSetUp:            int32(domain.MFALevelSecondFactor),
+				},
+				userEventProvider: &mockEventUser{},
+				orgViewProvider:   &mockViewOrg{State: domain.OrgStateActive},
+				lockoutPolicyProvider: &mockLockoutPolicy{
+					policy: &query.LockoutPolicy{
+						ShowFailures: true,
+					},
+				},
+				passwordAgePolicyProvider: &mockPasswordAgePolicy{
+					policy: &query.PasswordAgePolicy{
+						MaxAgeDays: 30,
+					},
+				},
+				idpUserLinksProvider: &mockIDPUserLinks{},
+			},
+			args{&domain.AuthRequest{
+				UserID: "UserID",
+				LoginPolicy: &domain.LoginPolicy{
+					SecondFactors:             []domain.SecondFactorType{domain.SecondFactorTypeTOTP},
+					PasswordCheckLifetime:     10 * 24 * time.Hour,
+					SecondFactorCheckLifetime: 18 * time.Hour,
+				},
+				PasswordAgePolicy: &domain.PasswordAgePolicy{
+					MaxAgeDays: 30,
+				},
+			}, false},
+			[]domain.NextStep{&domain.ChangePasswordStep{Expired: true}},
+			nil,
+		},
 		{
 			"email verified and no password change required, redirect to callback step",
 			fields{
@@ -1662,6 +1717,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 				IDPUserLinksProvider:      tt.fields.idpUserLinksProvider,
 				PrivacyPolicyProvider:     tt.fields.privacyPolicyProvider,
 				LabelPolicyProvider:       tt.fields.labelPolicyProvider,
+				PasswordAgePolicyProvider: tt.fields.passwordAgePolicyProvider,
 				CustomTextProvider:        tt.fields.customTextProvider,
 			}
 			got, err := repo.nextSteps(context.Background(), tt.args.request, tt.args.checkLoggedIn)
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -73,6 +73,7 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, c
 			IDPUserLinksProvider:      queries,
 			LockoutPolicyViewProvider: queries,
 			LoginPolicyViewProvider:   queries,
+			PasswordAgePolicyProvider: queries,
 			UserGrantProvider:         queryView,
 			ProjectProvider:           queryView,
 			ApplicationProvider:       queries,