trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

stages/user_login: terminate others (#4754) 

* rework session list

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use sender filtering for signals when possible

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add terminate_other_sessions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-02-22 14:09:28 +01:00 committed by GitHub
parent e68e6cb666
commit 122055b38b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 108 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
authentik/core/models.py
View File

@ -22,7 +22,6 @@ from structlog.stdlib import get_logger
from authentik.blueprints.models import ManagedModel from authentik.blueprints.models import ManagedModel
from authentik.core.exceptions import PropertyMappingExpressionException from authentik.core.exceptions import PropertyMappingExpressionException
from authentik.core.signals import password_changed
from authentik.core.types import UILoginButton, UserSettingSerializer from authentik.core.types import UILoginButton, UserSettingSerializer
from authentik.lib.avatars import get_avatar from authentik.lib.avatars import get_avatar
from authentik.lib.config import CONFIG from authentik.lib.config import CONFIG
@ -189,6 +188,8 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
def set_password(self, raw_password, signal=True): def set_password(self, raw_password, signal=True):
if self.pk and signal: if self.pk and signal:
from authentik.core.signals import password_changed
password_changed.send(sender=self, user=self, password=raw_password) password_changed.send(sender=self, user=self, password=raw_password)
self.password_change_date = now() self.password_change_date = now()
return super().set_password(raw_password) return super().set_password(raw_password)

20
authentik/core/signals.py
View File

@ -10,25 +10,25 @@ from django.db.models.signals import post_save, pre_delete
from django.dispatch import receiver from django.dispatch import receiver
from django.http.request import HttpRequest from django.http.request import HttpRequest
from authentik.core.models import Application, AuthenticatedSession
# Arguments: user: User, password: str # Arguments: user: User, password: str
password_changed = Signal() password_changed = Signal()
# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage # Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
login_failed = Signal() login_failed = Signal()
if TYPE_CHECKING: if TYPE_CHECKING:
from authentik.core.models import AuthenticatedSession, User from authentik.core.models import User
@receiver(post_save) @receiver(post_save, sender=Application)
def post_save_application(sender: type[Model], instance, created: bool, **_): def post_save_application(sender: type[Model], instance, created: bool, **_):
"""Clear user's application cache upon application creation""" """Clear user's application cache upon application creation"""
from authentik.core.api.applications import user_app_cache_key from authentik.core.api.applications import user_app_cache_key
from authentik.core.models import Application
if sender != Application:
return
if not created: # pragma: no cover if not created: # pragma: no cover
return return
# Also delete user application cache # Also delete user application cache
keys = cache.keys(user_app_cache_key("*")) keys = cache.keys(user_app_cache_key("*"))
cache.delete_many(keys) cache.delete_many(keys)
@ -37,7 +37,6 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):
@receiver(user_logged_in) @receiver(user_logged_in)
def user_logged_in_session(sender, request: HttpRequest, user: "User", **_): def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
"""Create an AuthenticatedSession from request""" """Create an AuthenticatedSession from request"""
from authentik.core.models import AuthenticatedSession
session = AuthenticatedSession.from_request(request, user) session = AuthenticatedSession.from_request(request, user)
if session: if session:
@ -47,18 +46,11 @@ def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
@receiver(user_logged_out) @receiver(user_logged_out)
def user_logged_out_session(sender, request: HttpRequest, user: "User", **_): def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
"""Delete AuthenticatedSession if it exists""" """Delete AuthenticatedSession if it exists"""
from authentik.core.models import AuthenticatedSession
AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete() AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
@receiver(pre_delete) @receiver(pre_delete, sender=AuthenticatedSession)
def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_): def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
"""Delete session when authenticated session is deleted""" """Delete session when authenticated session is deleted"""
from authentik.core.models import AuthenticatedSession
if sender != AuthenticatedSession:
return
cache_key = f"{KEY_PREFIX}{instance.session_key}" cache_key = f"{KEY_PREFIX}{instance.session_key}"
cache.delete(cache_key) cache.delete(cache_key)

1
authentik/stages/user_login/api.py
View File

@ -13,6 +13,7 @@ class UserLoginStageSerializer(StageSerializer):
model = UserLoginStage model = UserLoginStage
fields = StageSerializer.Meta.fields + [ fields = StageSerializer.Meta.fields + [
"session_duration", "session_duration",
"terminate_other_sessions",
] ]

19
authentik/stages/user_login/migrations/0004_userloginstage_terminate_other_sessions.py Normal file
View File

@ -0,0 +1,19 @@
# Generated by Django 4.1.7 on 2023-02-22 11:22
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_stages_user_login", "0003_session_duration_delta"),
]
operations = [
migrations.AddField(
model_name="userloginstage",
name="terminate_other_sessions",
field=models.BooleanField(
default=False, help_text="Terminate all other sessions of the user logging in."
),
),
]

3
authentik/stages/user_login/models.py
View File

@ -21,6 +21,9 @@ class UserLoginStage(Stage):
"(Format: hours=-1;minutes=-2;seconds=-3)" "(Format: hours=-1;minutes=-2;seconds=-3)"
), ),
) )
terminate_other_sessions = models.BooleanField(
default=False, help_text=_("Terminate all other sessions of the user logging in.")
)
@property @property
def serializer(self) -> type[BaseSerializer]: def serializer(self) -> type[BaseSerializer]:

6
authentik/stages/user_login/stage.py
View File

@ -4,7 +4,7 @@ from django.contrib.auth import login
from django.http import HttpRequest, HttpResponse from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from authentik.core.models import User from authentik.core.models import AuthenticatedSession, User
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
from authentik.flows.stage import StageView from authentik.flows.stage import StageView
from authentik.lib.utils.time import timedelta_from_string from authentik.lib.utils.time import timedelta_from_string
@ -56,4 +56,8 @@ class UserLoginStageView(StageView):
# as sources show their own success messages # as sources show their own success messages
if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None): if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None):
messages.success(self.request, _("Successfully logged in!")) messages.success(self.request, _("Successfully logged in!"))
if self.executor.current_stage.terminate_other_sessions:
AuthenticatedSession.objects.filter(
user=user,
).exclude(session_key=self.request.session.session_key).delete()
return self.executor.stage_ok() return self.executor.stage_ok()

32
authentik/stages/user_login/tests.py
View File

@ -2,8 +2,11 @@
from time import sleep from time import sleep
from unittest.mock import patch from unittest.mock import patch
from django.contrib.sessions.backends.cache import KEY_PREFIX
from django.core.cache import cache
from django.urls import reverse from django.urls import reverse
from authentik.core.models import AuthenticatedSession
from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.flows.markers import StageMarker from authentik.flows.markers import StageMarker
from authentik.flows.models import FlowDesignation, FlowStageBinding from authentik.flows.models import FlowDesignation, FlowStageBinding
@ -11,6 +14,8 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
from authentik.flows.tests import FlowTestCase from authentik.flows.tests import FlowTestCase
from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK
from authentik.flows.views.executor import SESSION_KEY_PLAN from authentik.flows.views.executor import SESSION_KEY_PLAN
from authentik.lib.generators import generate_id
from authentik.lib.utils.http import DEFAULT_IP
from authentik.stages.user_login.models import UserLoginStage from authentik.stages.user_login.models import UserLoginStage
@ -55,6 +60,33 @@ class TestUserLoginStage(FlowTestCase):
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
self.assertStageRedirects(response, reverse("authentik_core:root-redirect")) self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
def test_terminate_other_sessions(self):
"""Test terminate_other_sessions"""
self.stage.terminate_other_sessions = True
self.stage.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
session = self.client.session
session[SESSION_KEY_PLAN] = plan
session.save()
key = generate_id()
other_session = AuthenticatedSession.objects.create(
user=self.user,
session_key=key,
last_ip=DEFAULT_IP,
)
cache.set(f"{KEY_PREFIX}{other_session.session_key}", "foo")
response = self.client.post(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertEqual(response.status_code, 200)
self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
self.assertFalse(AuthenticatedSession.objects.filter(session_key=key))
self.assertFalse(cache.has_key(f"{KEY_PREFIX}{key}"))
def test_expiry(self): def test_expiry(self):
"""Test with expiry""" """Test with expiry"""
self.stage.session_duration = "seconds=2" self.stage.session_duration = "seconds=2"

13
schema.yml
View File

@ -24129,6 +24129,10 @@ paths:
schema: schema:
type: string type: string
format: uuid format: uuid
- in: query
name: terminate_other_sessions
schema:
type: boolean
tags: tags:
- stages - stages
security: security:
@ -35024,6 +35028,9 @@ components:
minLength: 1 minLength: 1
description: 'Determines how long a session lasts. Default of 0 means that description: 'Determines how long a session lasts. Default of 0 means that
the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)' the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)'
terminate_other_sessions:
type: boolean
description: Terminate all other sessions of the user logging in.
PatchedUserLogoutStageRequest: PatchedUserLogoutStageRequest:
type: object type: object
description: UserLogoutStage Serializer description: UserLogoutStage Serializer
@ -38000,6 +38007,9 @@ components:
type: string type: string
description: 'Determines how long a session lasts. Default of 0 means that description: 'Determines how long a session lasts. Default of 0 means that
the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)' the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)'
terminate_other_sessions:
type: boolean
description: Terminate all other sessions of the user logging in.
required: required:
- component - component
- meta_model_name - meta_model_name
@ -38023,6 +38033,9 @@ components:
minLength: 1 minLength: 1
description: 'Determines how long a session lasts. Default of 0 means that description: 'Determines how long a session lasts. Default of 0 means that
the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)' the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)'
terminate_other_sessions:
type: boolean
description: Terminate all other sessions of the user logging in.
required: required:
- name - name
UserLogoutStage: UserLogoutStage:

18
web/src/admin/stages/user_login/UserLoginStageForm.ts
View File

@ -81,6 +81,24 @@ export class UserLoginStageForm extends ModelForm<UserLoginStage, string> {
</a> </a>
</ak-alert> </ak-alert>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal name="terminateOtherSessions">
<label class="pf-c-switch">
<input
class="pf-c-switch__input"
type="checkbox"
?checked=${first(this.instance?.terminateOtherSessions, false)}
/>
<span class="pf-c-switch__toggle">
<span class="pf-c-switch__toggle-icon">
<i class="fas fa-check" aria-hidden="true"></i>
</span>
</span>
<span class="pf-c-switch__label">${t`Terminate other sessions`}</span>
</label>
<p class="pf-c-form__helper-text">
${t`When enabled, all previous sessions of the user will be terminated.`}
</p>
</ak-form-element-horizontal>
</div> </div>
</ak-form-group> </ak-form-group>
</form>`; </form>`;

14
web/src/elements/user/SessionList.ts
View File

@ -29,12 +29,7 @@ export class AuthenticatedSessionList extends Table<AuthenticatedSession> {
order = "-expires"; order = "-expires";
columns(): TableColumn[] { columns(): TableColumn[] {
return [ return [new TableColumn(t`Last IP`, "last_ip"), new TableColumn(t`Expires`, "expires")];
new TableColumn(t`Last IP`, "last_ip"),
new TableColumn(t`Browser`, "user_agent"),
new TableColumn(t`Device`, "user_agent"),
new TableColumn(t`Expires`, "expires"),
];
} }
renderToolbarSelected(): TemplateResult { renderToolbarSelected(): TemplateResult {
@ -67,9 +62,10 @@ export class AuthenticatedSessionList extends Table<AuthenticatedSession> {
row(item: AuthenticatedSession): TemplateResult[] { row(item: AuthenticatedSession): TemplateResult[] {
return [ return [
html`${item.lastIp}`, html`<div>
html`${item.userAgent.userAgent?.family}`, ${item.current ? html`${t`(Current session)`}&nbsp;` : html``}${item.lastIp}
html`${item.userAgent.os?.family}`, </div>
<small>${item.userAgent.userAgent?.family}, ${item.userAgent.os?.family}</small>`,
html`${item.expires?.toLocaleString()}`, html`${item.expires?.toLocaleString()}`,
]; ];
} }

4
website/docs/flow/stages/user_login.md
View File

@ -25,3 +25,7 @@ You can set the session to expire after any duration using the syntax of `hours=
- Weeks - Weeks
All values accept floating-point values. All values accept floating-point values.
## Terminate other sessions
When enabled, previous sessions of the user logging in will be revoked. This has no affect on OAuth refresh tokens.