Infrastructure/logto
0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2025-01-06 20:40:08 -05:00
Code Issues Activity

feat(core,phrases): add re-authentication check function for protected access (#2327)

Browse source
This commit is contained in:
Charles Zhao 2022-11-09 15:38:07 +08:00 committed by GitHub
parent 605161b8d2
commit d015aa934c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 32 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
packages/core/src/lib/session.ts
View file

@ -3,6 +3,7 @@ import { getUnixTime } from 'date-fns';
import type { Context } from 'koa';
import type { InteractionResults, Provider } from 'oidc-provider';
import RequestError from '@/errors/RequestError';
import { findUserById, updateUserById } from '@/queries/user';
export const assignInteractionResults = async (
@ -44,6 +45,30 @@ export const assignInteractionResults = async (
ctx.body = { redirectTo, ts };
};
export const checkSessionHealth = async (
ctx: Context,
provider: Provider,
tolerance = 10 * 60 // 10 mins
) => {
const { result } = await provider.interactionDetails(ctx.req, ctx.res);
if (!result?.login?.accountId) {
throw new RequestError('auth.unauthorized');
}
if (!result.login.ts || result.login.ts < getUnixTime(new Date()) - tolerance) {
const { passwordEncrypted, primaryPhone, primaryEmail } = await findUserById(
result.login.accountId
);
// No authenticated method configured for this user. Pass!
if (!passwordEncrypted && !primaryPhone && !primaryEmail) {
return;
}
throw new RequestError('auth.require_re_authentication');
}
};
export const saveUserFirstConsentedAppId = async (userId: string, applicationId: string) => {
const { applicationId: firstConsentedAppId } = await findUserById(userId);

1
packages/phrases/src/locales/de/errors.ts
View file

@ -7,6 +7,7 @@ const errors = {
expected_role_not_found:
'Erwartete Rolle nicht gefunden. Bitte überprüfe deine Rollen und Berechtigungen.',
jwt_sub_missing: '`sub` fehlt in JWT.',
require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
},
guard: {
invalid_input: 'Die Anfrage {{type}} ist ungültig.',

1
packages/phrases/src/locales/en/errors.ts
View file

@ -7,6 +7,7 @@ const errors = {
expected_role_not_found:
'Expected role not found. Please check your user roles and permissions.',
jwt_sub_missing: 'Missing `sub` in JWT.',
require_re_authentication: 'Re-authentication is required to perform a protected action.',
},
guard: {
invalid_input: 'The request {{type}} is invalid.',

1
packages/phrases/src/locales/fr/errors.ts
View file

@ -8,6 +8,7 @@ const errors = {
expected_role_not_found:
'Expected role not found. Please check your user roles and permissions.',
jwt_sub_missing: '`sub` manquant dans JWT.',
require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
},
guard: {
invalid_input: "La requête {{type}} n'est pas valide.",

1
packages/phrases/src/locales/ko/errors.ts
View file

@ -7,6 +7,7 @@ const errors = {
expected_role_not_found:
'Expected role not found. Please check your user roles and permissions.',
jwt_sub_missing: 'JWT에서 `sub`를 찾을 수 없어요.',
require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
},
guard: {
invalid_input: '{{type}} 요청 타입은 유효하지 않아요.',

1
packages/phrases/src/locales/pt-pt/errors.ts
View file

@ -6,6 +6,7 @@ const errors = {
forbidden: 'Proibido. Verifique os seus cargos e permissões.',
expected_role_not_found: 'Role esperado não encontrado. Verifique os seus cargos e permissões.',
jwt_sub_missing: 'Campo `sub` está ausente no JWT.',
require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
},
guard: {
invalid_input: 'O pedido {{type}} é inválido.',

1
packages/phrases/src/locales/tr-tr/errors.ts
View file

@ -7,6 +7,7 @@ const errors = {
expected_role_not_found:
'Expected role not found. Please check your user roles and permissions.',
jwt_sub_missing: 'JWTde `sub` eksik.',
require_re_authentication: 'Re-authentication is required to perform a protected action.', // UNTRANSLATED
},
guard: {
invalid_input: 'İstek {{type}} geçersiz.',

1
packages/phrases/src/locales/zh-cn/errors.ts
View file

@ -6,6 +6,7 @@ const errors = {
forbidden: '禁止访问。请检查用户 role 与权限。',
expected_role_not_found: '未找到期望的 role。请检查用户 role 与权限。',
jwt_sub_missing: 'JWT 缺失 `sub`',
require_re_authentication: '需要重新认证以进行受保护操作。',
},
guard: {
invalid_input: '请求中 {{type}} 无效',