
feat: allow limiting lifespan of low-aal sessions

Open hf opened this issue 10 months ago • 2 comments

Adds a new optional config GOTRUE_SESSIONS_ALLOW_LOW_AAL (duration) which, when set, will prevent the continued refreshing of a user session if the session has not been upgraded to the highest possible AAL level of the user.

For example, if you set it to 1h it means that a user who has MFA factors enrolled must step up the session to the highest AAL level for their account within 1 hour; otherwise future session refreshes will fail with an Invalid Refresh Token: Session Expired (Low AAL: User Needs MFA Verification) message.

hf avatar Feb 11 '25 10:02 hf
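The refresh-time rule the description spells out, written as a stand-alone example (added here, not code from this PR or from GoTrue): `checkLowAALWindow`, the `Session`/`User` types and the choice of the session's creation time as the start of the window are all assumptions for illustration; the real implementation in internal/models/sessions.go and internal/api/token_refresh.go is not shown on this page.

```go
package main

import (
	"errors"
	"time"
)

// Hypothetical stand-ins for GoTrue's models (assumed, not the project's own types).
type AAL string

const (
	AAL1 AAL = "aal1"
	AAL2 AAL = "aal2"
)

type Session struct {
	CreatedAt time.Time // assumption: the low-AAL window is measured from here
	AAL       AAL       // level the session currently holds
}

type User struct {
	HasVerifiedMFAFactor bool // at least one MFA factor enrolled and verified
}

// ErrLowAALExpired carries the message quoted in the PR description.
var ErrLowAALExpired = errors.New(
	"Invalid Refresh Token: Session Expired (Low AAL: User Needs MFA Verification)")

// highestAAL is the best level this account can reach: aal2 once MFA is enrolled.
func highestAAL(u User) AAL {
	if u.HasVerifiedMFAFactor {
		return AAL2
	}
	return AAL1
}

// checkLowAALWindow applies the GOTRUE_SESSIONS_ALLOW_LOW_AAL rule on refresh.
// allowLowAAL == 0 models the option being unset: refresh is never blocked.
// Otherwise a session still below the user's highest AAL may only be refreshed
// while it is younger than allowLowAAL; after that the refresh is rejected.
func checkLowAALWindow(s Session, u User, allowLowAAL time.Duration, now time.Time) error {
	if allowLowAAL == 0 {
		return nil
	}
	if s.AAL == highestAAL(u) {
		return nil // already stepped up as far as this account allows
	}
	if now.Sub(s.CreatedAt) < allowLowAAL {
		return nil // still inside the grace window for stepping up
	}
	return ErrLowAALExpired
}
```

A user with no MFA factors enrolled has aal1 as their highest level, so the option never blocks them; only enrolled users who have not stepped up are affected.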

Needs tests but please do an initial review.

hf avatar Feb 11 '25 10:02 hf

Pull Request Test Coverage Report for Build 14443433887

Details

  • 41 of 50 (82.0%) changed or added relevant lines in 4 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.02%) to 68.121%

Changes Missing Coverage          Covered Lines   Changed/Added Lines   %
internal/api/token_refresh.go     8               10                    80.0%
internal/conf/configuration.go    5               7                     71.43%
internal/models/sessions.go       22              27                    81.48%
Total                             41              50                    82.0%

Totals Coverage Status
Change from base Build 14442240917: 0.02%
Covered Lines: 10567
Relevant Lines: 15512

💛 - Coveralls

coveralls avatar Feb 13 '25 06:02 coveralls

The only

Farivo avatar May 24 '25 01:05 Farivo