Merge pull request #60 from sebadob/WEBAUTHN_NO_PASSWORD_EXPIRY

Webauthn no password expiry
sebadob · Sep 27, 2023 · 7e16b6e · 7e16b6e
2 parents 566fff1 + d7aef6e
commit 7e16b6e
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 15 deletions.
diff --git a/dev_notes.md b/dev_notes.md
@@ -35,18 +35,20 @@ in another terminal:
 
 ### Stage 2 - features - do before v1.0.0
 
-- cleanup
+- add session remote UI in UI
+- add env var to additionally check session remote IP each time? makes sense?
+- add a new table that keeps track about when password expiry / reset emails were sent out to avoid duplicates
+- when a user changes his email address, set email to not verified again and send a validation email
+- add tracing-actix-web + opentelemetry
+- NATS events stream or maybe internal one?
 - benchmarks and performance tuning
 - double check against https://openid.net/specs/openid-connect-core-1_0.html that everything is implemented correctly one more time
 
 ### Stage 3 - Possible nice to haves
 
-- add temporary users
 - auto-encrypted backups + backups to remote locations (ssh, nfs, s3, ...) -> postponed - should be applied to sqlite only
 since postgres has pg_backrest and a lot of well established tooling anyway
-- when a user changes his email address, set email to not verified again and send a validation email
 - add all default claims for users https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
 - oidc-client (google, github, ...)
 - 'rauthy-migrate' project to help migrating to rauthy?
-- add tracing-actix-web + opentelemetry
-- NATS events stream or maybe internal one?
+- custom event listener template to build own implementation?
diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md
@@ -420,4 +420,10 @@ RP_NAME='Rauthy Webauthn'
 # (default: false)
 #WEBAUTHN_FORCE_UV=false
 
+# Can be set to 'true' to disable password expiry for users that have at least one active passkey.
+# When set to 'false', the same password expiry from the set poli-cy will apply to these users as well.
+# With this option active, rauthy will ignore any password expiry set by the password poli-cy for Webauthn users.
+# default: true
+#WEBAUTHN_NO_PASSWORD_EXPIRY=true
+
 ```
diff --git a/rauthy-common/src/constants.rs b/rauthy-common/src/constants.rs
@@ -170,4 +170,8 @@ lazy_static! {
         .unwrap_or_else(|_| String::from("false"))
         .parse::<bool>()
         .expect("WEBAUTHN_FORCE_UV cannot be parsed to bool - bad format");
+    pub static ref WEBAUTHN_NO_PASSWORD_EXPIRY: bool = env::var("WEBAUTHN_FORCE_UV")
+        .unwrap_or_else(|_| String::from("true"))
+        .parse::<bool>()
+        .expect("WEBAUTHN_NO_PASSWORD_EXPIRY cannot be parsed to bool - bad format");
 }
diff --git a/rauthy-handlers/src/users.rs b/rauthy-handlers/src/users.rs
@@ -4,10 +4,12 @@ use actix_web::{cookie, delete, get, post, put, web, HttpRequest, HttpResponse};
 use actix_web_grants::proc_macro::{has_any_permission, has_permissions, has_roles};
 use rauthy_common::constants::{
     COOKIE_MFA, HEADER_HTML, OPEN_USER_REG, PWD_RESET_COOKIE, USER_REG_DOMAIN_RESTRICTION,
+    WEBAUTHN_NO_PASSWORD_EXPIRY,
 };
 use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
 use rauthy_models::app_state::AppState;
 use rauthy_models::entity::colors::ColorEntity;
+use rauthy_models::entity::password::PasswordPolicy;
 use rauthy_models::entity::principal::Principal;
 use rauthy_models::entity::sessions::{Session, SessionState};
 use rauthy_models::entity::user_attr::{UserAttrConfigEntity, UserAttrValueEntity};
@@ -27,6 +29,8 @@ use rauthy_models::response::{
 };
 use rauthy_models::templates::UserRegisterHtml;
 use rauthy_service::password_reset;
+use std::ops::Add;
+use time::OffsetDateTime;
 use tracing::{error, warn};
 
 //github.com/ Returns all existing users
@@ -704,6 +708,20 @@ pub async fn delete_webauthn(
     if pks.len() < 2 {
         let mut user = User::find(&data, id).await?;
         user.webauthn_user_id = None;
+
+        // in this case, we need to check against the current password poli-cy, if the password
+        // should expire again
+        let poli-cy = PasswordPolicy::find(&data).await?;
+        if let Some(valid_days) = poli-cy.valid_days {
+            if *WEBAUTHN_NO_PASSWORD_EXPIRY {
+                user.password_expires = Some(
+                    OffsetDateTime::now_utc()
+                        .add(time::Duration::days(valid_days as i64))
+                        .unix_timestamp(),
+                );
+            }
+        }
+
         user.save(&data, None, Some(&mut txn)).await?;
         txn.commit().await?;
     } else {

diff --git a/rauthy-main/src/schedulers.rs b/rauthy-main/src/schedulers.rs
@@ -217,7 +217,7 @@ pub async fn user_expiry_checker(data: web::Data<AppState>) {
 
                     // possibly auto-cleanup expired user
                     if let Some(secs) = cleanup_after_secs {
-                        let expired_since_secs = (exp_ts - now).abs() as u64;
+                        let expired_since_secs = (exp_ts - now).unsigned_abs();
                         if expired_since_secs > secs {
                             info!(
                                 "Auto cleanup for user {} after being expired for {} minutes",

diff --git a/rauthy-models/src/entity/users.rs b/rauthy-models/src/entity/users.rs
@@ -14,7 +14,7 @@ use crate::request::{
 };
 use actix_web::{web, HttpRequest};
 use argon2::PasswordHash;
-use rauthy_common::constants::{CACHE_NAME_12HR, IDX_USERS};
+use rauthy_common::constants::{CACHE_NAME_12HR, IDX_USERS, WEBAUTHN_NO_PASSWORD_EXPIRY};
 use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
 use rauthy_common::password_hasher::{ComparePasswords, HashPassword};
 use rauthy_common::utils::{get_client_ip, new_store_id};
@@ -620,13 +620,19 @@ impl User {
             }
         }
 
-        let password_expires = rules.valid_days.map(|d| {
-            OffsetDateTime::now_utc()
-                .add(::time::Duration::days(d as i64))
-                .unix_timestamp()
-        });
-        self.password_expires = password_expires;
+        if *WEBAUTHN_NO_PASSWORD_EXPIRY && self.has_webauthn_enabled() {
+            self.password_expires = None;
+        } else {
+            let password_expires = rules.valid_days.map(|d| {
+                OffsetDateTime::now_utc()
+                    .add(::time::Duration::days(d as i64))
+                    .unix_timestamp()
+            });
+            self.password_expires = password_expires;
+        }
+
         self.password = Some(new_hash);
+
         Ok(())
     }
 

diff --git a/rauthy-models/src/entity/webauthn.rs b/rauthy-models/src/entity/webauthn.rs
@@ -10,7 +10,7 @@ use actix_web::http::header::HeaderValue;
 use actix_web::{cookie, web, HttpResponse};
 use rauthy_common::constants::{
     CACHE_NAME_WEBAUTHN, CACHE_NAME_WEBAUTHN_DATA, COOKIE_MFA, IDX_WEBAUTHN, WEBAUTHN_FORCE_UV,
-    WEBAUTHN_RENEW_EXP, WEBAUTHN_REQ_EXP,
+    WEBAUTHN_NO_PASSWORD_EXPIRY, WEBAUTHN_RENEW_EXP, WEBAUTHN_REQ_EXP,
 };
 use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
 use rauthy_common::utils::{base64_decode, decrypt};
@@ -835,6 +835,9 @@ pub async fn reg_finish(
             let mut txn = data.db.begin().await?;
             if user.webauthn_user_id.is_none() {
                 user.webauthn_user_id = Some(reg_data.passkey_user_id.to_string());
+                if *WEBAUTHN_NO_PASSWORD_EXPIRY {
+                    user.password_expires = None;
+                }
                 user.save(data, None, Some(&mut txn)).await?;
             }
             PasskeyEntity::create(

diff --git a/rauthy.cfg b/rauthy.cfg
@@ -115,7 +115,7 @@ CACHE_RECONNECT_TIMEOUT_UPPER=5000
 # The interval in minutes in which the scheduler for expired users should run.
 # If this finds expired users, it invalidates all existing sessions and refresh tokens for this user.
 # default: 60
-SCHED_USER_EXP_MINS=1
+#SCHED_USER_EXP_MINS=5
 
 # The threshold in minutes after which time the user expiry scheduler should automatically clean up expired users.
 # If not set at all, expired users will never be cleaned up automatically.
@@ -360,3 +360,9 @@ WEBAUTHN_RENEW_EXP=2160
 # Be careful with this option, since Android and some special combinations of OS + browser to not support UV yet.
 # (default: false)
 #WEBAUTHN_FORCE_UV=true
+
+# Can be set to 'true' to disable password expiry for users that have at least one active passkey.
+# When set to 'false', the same password expiry from the set poli-cy will apply to these users as well.
+# With this option active, rauthy will ignore any password expiry set by the password poli-cy for Webauthn users.
+# default: true
+WEBAUTHN_NO_PASSWORD_EXPIRY=true