stages/user_login: terminate others (#4754)

* rework session list

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use sender filtering for signals when possible

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add terminate_other_sessions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-02-22 14:09:28 +01:00 committed by GitHub
parent e68e6cb666
commit 122055b38b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 108 additions and 25 deletions

View file

@ -22,7 +22,6 @@ from structlog.stdlib import get_logger
from authentik.blueprints.models import ManagedModel
from authentik.core.exceptions import PropertyMappingExpressionException
from authentik.core.signals import password_changed
from authentik.core.types import UILoginButton, UserSettingSerializer
from authentik.lib.avatars import get_avatar
from authentik.lib.config import CONFIG
@ -189,6 +188,8 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
def set_password(self, raw_password, signal=True):
if self.pk and signal:
from authentik.core.signals import password_changed
password_changed.send(sender=self, user=self, password=raw_password)
self.password_change_date = now()
return super().set_password(raw_password)

View file

@ -10,25 +10,25 @@ from django.db.models.signals import post_save, pre_delete
from django.dispatch import receiver
from django.http.request import HttpRequest
from authentik.core.models import Application, AuthenticatedSession
# Arguments: user: User, password: str
password_changed = Signal()
# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
login_failed = Signal()
if TYPE_CHECKING:
from authentik.core.models import AuthenticatedSession, User
from authentik.core.models import User
@receiver(post_save)
@receiver(post_save, sender=Application)
def post_save_application(sender: type[Model], instance, created: bool, **_):
"""Clear user's application cache upon application creation"""
from authentik.core.api.applications import user_app_cache_key
from authentik.core.models import Application
if sender != Application:
return
if not created: # pragma: no cover
return
# Also delete user application cache
keys = cache.keys(user_app_cache_key("*"))
cache.delete_many(keys)
@ -37,7 +37,6 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):
@receiver(user_logged_in)
def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
"""Create an AuthenticatedSession from request"""
from authentik.core.models import AuthenticatedSession
session = AuthenticatedSession.from_request(request, user)
if session:
@ -47,18 +46,11 @@ def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
@receiver(user_logged_out)
def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
"""Delete AuthenticatedSession if it exists"""
from authentik.core.models import AuthenticatedSession
AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
@receiver(pre_delete)
@receiver(pre_delete, sender=AuthenticatedSession)
def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
"""Delete session when authenticated session is deleted"""
from authentik.core.models import AuthenticatedSession
if sender != AuthenticatedSession:
return
cache_key = f"{KEY_PREFIX}{instance.session_key}"
cache.delete(cache_key)

View file

@ -13,6 +13,7 @@ class UserLoginStageSerializer(StageSerializer):
model = UserLoginStage
fields = StageSerializer.Meta.fields + [
"session_duration",
"terminate_other_sessions",
]

View file

@ -0,0 +1,19 @@
# Generated by Django 4.1.7 on 2023-02-22 11:22
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_stages_user_login", "0003_session_duration_delta"),
]
operations = [
migrations.AddField(
model_name="userloginstage",
name="terminate_other_sessions",
field=models.BooleanField(
default=False, help_text="Terminate all other sessions of the user logging in."
),
),
]

View file

@ -21,6 +21,9 @@ class UserLoginStage(Stage):
"(Format: hours=-1;minutes=-2;seconds=-3)"
),
)
terminate_other_sessions = models.BooleanField(
default=False, help_text=_("Terminate all other sessions of the user logging in.")
)
@property
def serializer(self) -> type[BaseSerializer]:

View file

@ -4,7 +4,7 @@ from django.contrib.auth import login
from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _
from authentik.core.models import User
from authentik.core.models import AuthenticatedSession, User
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
from authentik.flows.stage import StageView
from authentik.lib.utils.time import timedelta_from_string
@ -56,4 +56,8 @@ class UserLoginStageView(StageView):
# as sources show their own success messages
if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None):
messages.success(self.request, _("Successfully logged in!"))
if self.executor.current_stage.terminate_other_sessions:
AuthenticatedSession.objects.filter(
user=user,
).exclude(session_key=self.request.session.session_key).delete()
return self.executor.stage_ok()

View file

@ -2,8 +2,11 @@
from time import sleep
from unittest.mock import patch
from django.contrib.sessions.backends.cache import KEY_PREFIX
from django.core.cache import cache
from django.urls import reverse
from authentik.core.models import AuthenticatedSession
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.flows.markers import StageMarker
from authentik.flows.models import FlowDesignation, FlowStageBinding
@ -11,6 +14,8 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
from authentik.flows.tests import FlowTestCase
from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK
from authentik.flows.views.executor import SESSION_KEY_PLAN
from authentik.lib.generators import generate_id
from authentik.lib.utils.http import DEFAULT_IP
from authentik.stages.user_login.models import UserLoginStage
@ -55,6 +60,33 @@ class TestUserLoginStage(FlowTestCase):
self.assertEqual(response.status_code, 200)
self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
def test_terminate_other_sessions(self):
"""Test terminate_other_sessions"""
self.stage.terminate_other_sessions = True
self.stage.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
session = self.client.session
session[SESSION_KEY_PLAN] = plan
session.save()
key = generate_id()
other_session = AuthenticatedSession.objects.create(
user=self.user,
session_key=key,
last_ip=DEFAULT_IP,
)
cache.set(f"{KEY_PREFIX}{other_session.session_key}", "foo")
response = self.client.post(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertEqual(response.status_code, 200)
self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
self.assertFalse(AuthenticatedSession.objects.filter(session_key=key))
self.assertFalse(cache.has_key(f"{KEY_PREFIX}{key}"))
def test_expiry(self):
"""Test with expiry"""
self.stage.session_duration = "seconds=2"

View file

@ -24129,6 +24129,10 @@ paths:
schema:
type: string
format: uuid
- in: query
name: terminate_other_sessions
schema:
type: boolean
tags:
- stages
security:
@ -35024,6 +35028,9 @@ components:
minLength: 1
description: 'Determines how long a session lasts. Default of 0 means that
the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)'
terminate_other_sessions:
type: boolean
description: Terminate all other sessions of the user logging in.
PatchedUserLogoutStageRequest:
type: object
description: UserLogoutStage Serializer
@ -38000,6 +38007,9 @@ components:
type: string
description: 'Determines how long a session lasts. Default of 0 means that
the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)'
terminate_other_sessions:
type: boolean
description: Terminate all other sessions of the user logging in.
required:
- component
- meta_model_name
@ -38023,6 +38033,9 @@ components:
minLength: 1
description: 'Determines how long a session lasts. Default of 0 means that
the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)'
terminate_other_sessions:
type: boolean
description: Terminate all other sessions of the user logging in.
required:
- name
UserLogoutStage:

View file

@ -81,6 +81,24 @@ export class UserLoginStageForm extends ModelForm<UserLoginStage, string> {
</a>
</ak-alert>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="terminateOtherSessions">
<label class="pf-c-switch">
<input
class="pf-c-switch__input"
type="checkbox"
?checked=${first(this.instance?.terminateOtherSessions, false)}
/>
<span class="pf-c-switch__toggle">
<span class="pf-c-switch__toggle-icon">
<i class="fas fa-check" aria-hidden="true"></i>
</span>
</span>
<span class="pf-c-switch__label">${t`Terminate other sessions`}</span>
</label>
<p class="pf-c-form__helper-text">
${t`When enabled, all previous sessions of the user will be terminated.`}
</p>
</ak-form-element-horizontal>
</div>
</ak-form-group>
</form>`;

View file

@ -29,12 +29,7 @@ export class AuthenticatedSessionList extends Table<AuthenticatedSession> {
order = "-expires";
columns(): TableColumn[] {
return [
new TableColumn(t`Last IP`, "last_ip"),
new TableColumn(t`Browser`, "user_agent"),
new TableColumn(t`Device`, "user_agent"),
new TableColumn(t`Expires`, "expires"),
];
return [new TableColumn(t`Last IP`, "last_ip"), new TableColumn(t`Expires`, "expires")];
}
renderToolbarSelected(): TemplateResult {
@ -67,9 +62,10 @@ export class AuthenticatedSessionList extends Table<AuthenticatedSession> {
row(item: AuthenticatedSession): TemplateResult[] {
return [
html`${item.lastIp}`,
html`${item.userAgent.userAgent?.family}`,
html`${item.userAgent.os?.family}`,
html`<div>
${item.current ? html`${t`(Current session)`}&nbsp;` : html``}${item.lastIp}
</div>
<small>${item.userAgent.userAgent?.family}, ${item.userAgent.os?.family}</small>`,
html`${item.expires?.toLocaleString()}`,
];
}

View file

@ -25,3 +25,7 @@ You can set the session to expire after any duration using the syntax of `hours=
- Weeks
All values accept floating-point values.
## Terminate other sessions
When enabled, previous sessions of the user logging in will be revoked. This has no affect on OAuth refresh tokens.