feat: allow limiting lifespan of low-aal sessions #1942
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Needs tests but please do an initial review. |
cstockton
approved these changes
Feb 11, 2025
Comment on lines
+166
to
+169
| if config.AllowLowAAL != nil && *config.AllowLowAAL != 0 && CompareAAL(ParseAAL(s.AAL), userHighestPossibleAAL) < 0 && now.After(s.CreatedAt.Add(*config.AllowLowAAL)) { | ||
| return SessionLowAAL | ||
| } | ||
|
|
There was a problem hiding this comment.
A nit, but a lot here in one line but maybe:
isLowAAL := config.AllowLowAAL != nil && *config.AllowLowAAL != 0
isLowAAL = isLowAAL && CompareAAL(ParseAAL(s.AAL), userHighestPossibleAAL) < 0
isLowAAL = isLowAAL && now.After(s.CreatedAt.Add(*config.AllowLowAAL)
if isLowAAL {
return SessionLowAAL
}| @@ -34,6 +34,30 @@ func (aal AuthenticatorAssuranceLevel) String() string { | |||
| } | |||
| } | |||
|
|
|||
| // CompareAAL returns 0 if both AAL levels are equal, > 0 if A is a higher level than B or < 0 if A is a lower level than B. | |||
| func CompareAAL(a, b AuthenticatorAssuranceLevel) int { | |||
There was a problem hiding this comment.
Just a nit, b int comparisons like this can be error prone, I think we saw it in the crypto package once. It may be worth adding some helper methods:
func (aal AuthenticatorAssuranceLevel) Above(level AuthenticatorAssuranceLevel) bool
func (aal AuthenticatorAssuranceLevel) Below(level AuthenticatorAssuranceLevel) bool
func (aal AuthenticatorAssuranceLevel) Equal(level AuthenticatorAssuranceLevel) bool
func (aal AuthenticatorAssuranceLevel) Down OR Lower() (level AuthenticatorAssuranceLevel) # To lower a level (can do this instead of (Above() || Equal()) or adding AboveOrEqual() etc.)
func (aal AuthenticatorAssuranceLevel) Up OR Raise() (level AuthenticatorAssuranceLevel) # To raise a level
Pull Request Test Coverage Report for Build 13260664998Details
💛 - Coveralls |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a new optional config
GOTRUE_SESSIONS_ALLOW_LOW_AAL(duration) which when set will prevent the continued refreshing of a user session if the session has not been upgraded to the highest possible AAL level of the user.For example if you set it to
1hit means that a user who has MFA factors enrolled must step-up the session to the highest AAL level for their account within 1 hour, otherwise future session refreshes will fail with aInvalid Refresh Token: Session Expired (Low AAL: User Needs MFA Verification)) message.