Skip to content

feat: allow limiting lifespan of low-aal sessions #1942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 14, 2025
Merged

feat: allow limiting lifespan of low-aal sessions #1942

merged 1 commit into from
Apr 14, 2025

Conversation

hf
Copy link
Contributor

@hf hf commented Feb 11, 2025

Adds a new optional config GOTRUE_SESSIONS_ALLOW_LOW_AAL (duration) which when set will prevent the continued refreshing of a user session if the session has not been upgraded to the highest possible AAL level of the user.

For example if you set it to 1h it means that a user who has MFA factors enrolled must step-up the session to the highest AAL level for their account within 1 hour, otherwise future session refreshes will fail with a Invalid Refresh Token: Session Expired (Low AAL: User Needs MFA Verification)) message.

@hf hf requested a review from a team as a code owner February 11, 2025 10:20
@hf
Copy link
Contributor Author

hf commented Feb 11, 2025

Needs tests but please do an initial review.

cstockton
cstockton approved these changes Feb 11, 2025
View reviewed changes
@coveralls
Copy link

coveralls commented Feb 13, 2025
edited
Loading

Pull Request Test Coverage Report for Build 14443433887

Details

  • 41 of 50 (82.0%) changed or added relevant lines in 4 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.02%) to 68.121%
Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/api/token_refresh.go 8 10 80.0%
internal/conf/configuration.go 5 7 71.43%
internal/models/sessions.go 22 27 81.48%
Totals Coverage Status
Change from base Build 14442240917: 0.02%
Covered Lines: 10567
Relevant Lines: 15512
💛 - Coveralls

@hf hf force-pushed the hf/limit-low-aal-sessions branch 2 times, most recently from 88f1c40 to e60d89a Compare April 14, 2025 10:21
@hf hf force-pushed the hf/limit-low-aal-sessions branch from e60d89a to e9c0c7d Compare April 14, 2025 10:30
@hf hf merged commit d7a9ca6 into master Apr 14, 2025
3 checks passed
@hf hf deleted the hf/limit-low-aal-sessions branch April 14, 2025 10:37
@github-actions github-actions bot mentioned this pull request Apr 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cstockton cstockton cstockton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hf @coveralls @cstockton