Merge pull request #59 from sebadob/impl-user-expiry-for-new-user

Impl user expiry for new user

frontend/src/components/account/AccInfo.svelte

@@ -71,6 +71,13 @@
         <div class={classLabel}><b>{t.user} {t.created}:</b></div>
         <span class="value">{formatDateFromTs(user.created_at)}</span>
     </div>
+
+    {#if user.user_expires}
+        <div class={classRow}>
+            <div class={classLabel}><b>{t.userExpiry}:</b></div>
+            <span class="value">{formatDateFromTs(user.user_expires)}</span>
+        </div>
+    {/if}
 </div>
 
 <style>

frontend/src/components/admin/users/UserTileAddNew.svelte

@@ -3,12 +3,13 @@
     import * as yup from "yup";
     import {LANGUAGES, REGEX_NAME} from "../../../utils/constants.js";
     import {globalGroupsNames, globalRolesNames} from "../../../stores/admin.js";
-    import {extractFormErrors} from "../../../utils/helpers.js";
+    import {extractFormErrors, formatUtcTsFromDateInput} from "../../../utils/helpers.js";
     import Button from "$lib/Button.svelte";
     import {postUser} from "../../../utils/dataFetchingAdmin.js";
     import ItemTiles from "$lib/itemTiles/ItemTiles.svelte";
     import Input from "$lib/inputs/Input.svelte";
     import OptionSelect from "$lib/OptionSelect.svelte";
+    import Switch from "$lib/Switch.svelte";
 
     export let idx = -1;
     export let onSave;
@@ -18,6 +19,8 @@
     let expandContainer;
 
     let language = 'EN';
+    let limitLifetime = false;
+    let userExpires = undefined;
     let formValues = {
         email: '',
         family_name: '',
@@ -54,10 +57,26 @@
         let data = formValues;
         data.language = language.toLowerCase();
 
+        if (limitLifetime) {
+            let d = formatUtcTsFromDateInput(userExpires);
+            if (!d) {
+                err = 'Invalid Date Input: User Expires';
+                return;
+            }
+            data.user_expires = d;
+        }
+
         let res = await postUser(formValues);
         if (res.ok) {
             formValues = {};
             expandContainer = false;
+            formValues = {
+                email: '',
+                family_name: '',
+                given_name: '',
+                roles: [],
+                groups: [],
+            };
             onSave();
         } else {
             let body = await res.json();
@@ -144,6 +163,29 @@
                     searchThreshold={4}
             />
         </div>
+
+        <div class="unit" style:margin-top="12px">
+            <div class="label font-label">
+                LIMIT LIFETIME
+            </div>
+            <div class="value">
+                <Switch bind:selected={limitLifetime}/>
+            </div>
+        </div>
+        {#if limitLifetime}
+            <Input
+                    type="datetime-local"
+                    step="60"
+                    width="18rem"
+                    bind:value={userExpires}
+                    on:input={validateForm}
+                    min={new Date().toISOString().split('.')[0]}
+                    max="2099-01-01T00:00"
+            >
+                USER EXPIRES
+            </Input>
+        {/if}
+
         <div class="btn">
             <Button on:click={onSubmit} level={1}>SAVE</Button>
 
@@ -187,6 +229,10 @@
         gap: .33rem;
     }
 
+    .unit {
+        margin: 7px 5px;
+    }
+
     .tiles {
         margin-left: 5px;
     }

frontend/src/components/admin/users/Users.svelte

@@ -46,6 +46,7 @@
             msg = 'Error fetching users: ' + res.body.message;
         } else {
             let u = await res.json();
+            console.log(u);
             users = [...u];
             resUsers = [...u];
         }

frontend/src/routes/users/{id}/reset/reset/+page.svelte

@@ -39,7 +39,6 @@
 
     let schema;
     $: if (t) {
-        console.log(t);
         schema = yup.object().shape({
             email: yup.string().required(t.required).email(t.badFormat),
             password: yup.string().required(t.required),
@@ -51,6 +50,12 @@
         showCopy = true;
     }
 
+    $: if (success) {
+        setTimeout(() => {
+            window.location.replace('/auth/v1/account');
+        }, 5000);
+    }
+
     onMount(async () => {
         // const policy_vals = '10, 128, 1, 1, 1, 1, 3';
         const policy_vals = document.getElementsByName('rauthy-data')[0].id;

rauthy-main/tests/handler_users.rs

@@ -41,6 +41,7 @@ async fn test_users() -> Result<(), Box<dyn Error>> {
             // check groups sanitization
             "non_existent".to_string(),
         ]),
+        user_expires: None,
     };
     let res = reqwest::Client::new()
         .post(&url)

rauthy-main/tests/yyy_handler_password_policy.rs

@@ -88,6 +88,7 @@ async fn test_password_policy() -> Result<(), Box<dyn Error>> {
         language: Language::En,
         roles: vec!["user".to_string()],
         groups: None,
+        user_expires: None,
     };
     let mut res = reqwest::Client::new()
         .post(&url)
@@ -109,6 +110,7 @@ async fn test_password_policy() -> Result<(), Box<dyn Error>> {
         groups: None,
         enabled: true,
         email_verified: false,
+        user_expires: None,
     };
     let user_url = format!("{}/{}", url, user.id);
     let mut res = reqwest::Client::new()

rauthy-models/src/entity/sessions.rs

@@ -114,10 +114,11 @@ impl Session {
     // Returns a session by id
     pub async fn find(data: &web::Data<AppState>, id: String) -> Result<Self, ErrorResponse> {
         // TODO set remote lookup to true here to be able to switch to in-memory sessions store only?
+        let idx = format!("{}{}", IDX_SESSION, id);
         let session = cache_get!(
             Session,
             CACHE_NAME_SESSIONS.to_string(),
-            id.clone(),
+            idx.clone(),
             &data.caches.ha_cache_config,
             false
         )
@@ -130,7 +131,6 @@ impl Session {
             .fetch_one(&data.db)
             .await?;
 
-        let idx = format!("{}{}", IDX_SESSION, session.id);
         cache_insert(
             CACHE_NAME_SESSIONS.to_string(),
             idx,

rauthy-models/src/entity/users.rs

@@ -278,7 +278,7 @@ impl User {
             IDX_USERS.to_string(),
             &data.caches.ha_cache_config,
             &res,
-            AckLevel::Leader,
+            AckLevel::Quorum,
         )
         .await?;
         Ok(res)
@@ -644,7 +644,7 @@ impl User {
         if let Some(ts) = self.user_expires {
             if OffsetDateTime::now_utc().unix_timestamp() > ts {
                 return Err(ErrorResponse::new(
-                    ErrorResponseType::Forbidden,
+                    ErrorResponseType::Disabled,
                     String::from("User has expired"),
                 ));
             }
@@ -722,6 +722,7 @@ impl User {
             language: new_user.language,
             roles,
             groups,
+            user_expires: new_user.user_expires,
             ..Default::default()
         };
 

rauthy-models/src/i18n/account.rs

@@ -38,6 +38,7 @@ pub struct I18nAccount<'a> {
     roles: &'a str,
     save: &'a str,
     user: &'a str,
+    user_expiry: &'a str,
     valid_email: &'a str,
     valid_given_name: &'a str,
     valid_family_name: &'a str,
@@ -91,6 +92,7 @@ impl I18nAccount<'_> {
             roles: "Roles",
             save: "Save",
             user: "User",
+            user_expiry: "User Expires",
             valid_email: "Valid E-Mail format",
             valid_given_name: "Your given name with 2 - 32 non-special characters",
             valid_family_name: "Your family name with 2 - 32 non-special characters",
@@ -131,6 +133,7 @@ impl I18nAccount<'_> {
             roles: "Rollen",
             save: "Speichern",
             user: "Benutzer",
+            user_expiry: "Benutzer Ablauf",
             valid_email: "Gültige E-Mail Adresse",
             valid_given_name: "Vorname, 2 - 32 Buchstaben, keine Sonderzeichen",
             valid_family_name: "Nachname, 2 - 32  Buchstaben, keine Sonderzeichen",

rauthy-models/src/i18n/password_reset.rs

@@ -47,7 +47,7 @@ impl I18nPasswordReset<'_> {
             required: "Required",
             save: "Save",
             success_1: "The password has been updated successfully.",
-            success_2: "You can close this window now.",
+            success_2: "You will be redirected to your account shortly.",
         }
     }
 
@@ -63,8 +63,8 @@ impl I18nPasswordReset<'_> {
             password_no_match: "Passwörter stimmen nicht überein",
             required: "Notwendig",
             save: "Speichern",
-            success_1: "Das Passwort wurde erfolgreich zurückgesetzt",
-            success_2: "Sie können dieses Fenster jetzt schließen",
+            success_1: "Das Passwort wurde erfolgreich zurückgesetzt.",
+            success_2: "Sie werden in Kürze zu Ihrem Account weitergeleitet.",
         }
     }
 }

rauthy-models/src/request.rs

@@ -326,6 +326,8 @@ pub struct NewUserRequest {
     /// Validation: `Vec<^[a-z0-9-_/,]{2,128}$>`
     #[validate(custom(function = "validate_vec_groups"))]
     pub roles: Vec<String>,
+    #[validate(range(min = 1672527600, max = 4070905200))]
+    pub user_expires: Option<i64>,
 }
 
 #[derive(Debug, Serialize, Deserialize, Validate, ToSchema)]

rauthy-service/src/auth.rs

@@ -65,6 +65,7 @@ pub async fn authorize(
             )
         })?;
     user.check_enabled()?;
+    user.check_expired()?;
 
     let mfa_cookie =
         if let Ok(c) = WebauthnCookie::parse_validate(&req.cookie(COOKIE_MFA), &data.enc_keys) {