# Which Problems Are Solved
While the lockout policy was correctly applied on the session API and other authentication and management endpoints, it had no effect on the user service v2 endpoints.
# How the Problems Are Solved
- Correctly apply lockout policy on the user service v2 endpoints.
- Added tar pitting to auth factor checks (authentication and management API) to prevent brute-force attacks or denial of service because of user lockouts.
- Tar pitting is not active if `IgnoreUnknownUsername` option is active to prevent leaking information whether a user exists or not.
# Additional Changes
None
# Additional Context
- requires backports
* cleanup
(cherry picked from commit b8db8cdf9c)
51 lines
1018 B
Go
package systemdefaults
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
)
|
|
|
|
type SystemDefaults struct {
|
|
SecretGenerators SecretGenerators
|
|
PasswordHasher crypto.HashConfig
|
|
SecretHasher crypto.HashConfig
|
|
Multifactors MultifactorConfig
|
|
Tarpit TarpitConfig
|
|
DomainVerification DomainVerification
|
|
Notifications Notifications
|
|
KeyConfig KeyConfig
|
|
DefaultQueryLimit uint64
|
|
MaxQueryLimit uint64
|
|
MaxIdPIntentLifetime time.Duration
|
|
}
|
|
|
|
type SecretGenerators struct {
|
|
MachineKeySize uint32
|
|
ApplicationKeySize uint32
|
|
}
|
|
|
|
type MultifactorConfig struct {
|
|
OTP OTPConfig
|
|
}
|
|
|
|
type OTPConfig struct {
|
|
Issuer string
|
|
}
|
|
|
|
type DomainVerification struct {
|
|
VerificationGenerator crypto.GeneratorConfig
|
|
}
|
|
|
|
type Notifications struct {
|
|
FileSystemPath string
|
|
}
|
|
|
|
type KeyConfig struct {
|
|
Size int
|
|
PrivateKeyLifetime time.Duration
|
|
PublicKeyLifetime time.Duration
|
|
CertificateSize int
|
|
CertificateLifetime time.Duration
|
|
}
|
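Review bot: The new `Tarpit TarpitConfig` field on SystemDefaults carries no doc comment, and neither the struct nor any other exported type in this file has one, so a reader cannot tell from the code what the tarpit governs or when it is inactive. A field comment capturing what the commit description states would help, e.g. `// Tarpit delays responses to failed auth factor checks so that lockout policies cannot be abused for denial of service; it is not applied when IgnoreUnknownUsername is set.`. TarpitConfig is not declared in this file, so it presumably lives elsewhere in the systemdefaults package; the comment should name where its delay parameters are defined. A package comment on the package clause, `// Package systemdefaults holds instance-wide default settings.`, would also bring the file in line with the exported-name doc convention.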