Merge branch 'master' into feat-limit-maximum-password-length

.github/workflows/ci.yaml

@@ -150,12 +150,12 @@ jobs:
         name: Start CockroachDB
       - uses: browser-actions/setup-chrome@latest
         name: Install Chrome
-      - uses: browser-actions/setup-firefox@latest
-        name: Install Firefox
-      - uses: browser-actions/setup-geckodriver@latest
-        name: Install Geckodriver
-        with:
-          geckodriver-version: 0.32.0
+      # - uses: browser-actions/setup-firefox@latest
+      #   name: Install Firefox
+      # - uses: browser-actions/setup-geckodriver@latest
+      #   name: Install Geckodriver
+      #   with:
+      #     geckodriver-version: 0.32.0
       - uses: ory/ci/checkout@master
         with:
           fetch-depth: 2

CONTRIBUTING.md

@@ -144,10 +144,12 @@ checklist to contribute an example:
    not get mixed up.
 1. Add a descriptive prefix to commits. This ensures a uniform commit history
    and helps structure the changelog. Please refer to this
-   [list of prefixes for Kratos](https://github.com/ory/kratos/blob/master/.github/semantic.yml)
-   for an overview.
+   [Convential Commits configuration](https://github.com/ory/kratos/blob/master/.github/workflows/conventional_commits.yml)
+   for the list of accepted prefixes. You can read more about the Conventional
+   Commit specification
+   [at their site](https://www.conventionalcommits.org/en/v1.0.0/).
 1. Create a `README.md` that explains how to use the example. (Use
-   [the README template](https://github.com/ory/examples/blob/master/_common/README)).
+   [the README template](https://github.com/ory/examples/blob/master/_common/README.md)).
 1. Open a pull request and maintainers will review and merge your example.
 
 ## Contribute code
@@ -172,8 +174,10 @@ request, go through this checklist:
 1. Run `make format`
 1. Add a descriptive prefix to commits. This ensures a uniform commit history
    and helps structure the changelog. Please refer to this
-   [list of prefixes for Kratos](https://github.com/ory/kratos/blob/master/.github/semantic.yml)
-   for an overview.
+   [Convential Commits configuration](https://github.com/ory/kratos/blob/master/.github/workflows/conventional_commits.yml)
+   for the list of accepted prefixes. You can read more about the Conventional
+   Commit specification
+   [at their site](https://www.conventionalcommits.org/en/v1.0.0/).
 
 If a pull request is not ready to be reviewed yet
 [it should be marked as a "Draft"](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request).

README.md

@@ -554,7 +554,7 @@ that your company deserves a spot here, reach out to
                 </picture>
             </td>
             <td><a href="https://pinniped.dev/">pinniped.dev</a></td>
-        </tr>
+        </tr>         
         <tr>
             <td>Adopter *</td>
             <td>Pvotal</td>

continuity/manager.go

@@ -27,19 +27,18 @@ type Manager interface {
 }
 
 type managerOptions struct {
-	iid        uuid.UUID
-	ttl        time.Duration
-	payload    json.RawMessage
-	payloadRaw interface{}
-	cleanUp    bool
+	iid          uuid.UUID
+	ttl          time.Duration
+	setExpiresIn time.Duration
+	payload      json.RawMessage
+	payloadRaw   interface{}
 }
 
 type ManagerOption func(*managerOptions) error
 
 func newManagerOptions(opts []ManagerOption) (*managerOptions, error) {
 	var o = &managerOptions{
-		ttl:     time.Minute,
-		cleanUp: true,
+		ttl: time.Minute * 10,
 	}
 	for _, opt := range opts {
 		if err := opt(o); err != nil {
@@ -49,13 +48,6 @@ func newManagerOptions(opts []ManagerOption) (*managerOptions, error) {
 	return o, nil
 }
 
-func DontCleanUp() ManagerOption {
-	return func(o *managerOptions) error {
-		o.cleanUp = false
-		return nil
-	}
-}
-
 func WithIdentity(i *identity.Identity) ManagerOption {
 	return func(o *managerOptions) error {
 		if i != nil {
@@ -83,3 +75,10 @@ func WithPayload(payload interface{}) ManagerOption {
 		return nil
 	}
 }
+
+func WithExpireInsteadOfDelete(duration time.Duration) ManagerOption {
+	return func(o *managerOptions) error {
+		o.setExpiresIn = duration
+		return nil
+	}
+}

continuity/manager_cookie.go

@@ -8,6 +8,7 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"time"
 
 	"github.com/gofrs/uuid"
 	"github.com/pkg/errors"
@@ -93,12 +94,22 @@ func (m *ManagerCookie) Continue(ctx context.Context, w http.ResponseWriter, r *
 		}
 	}
 
-	if err := x.SessionUnsetKey(w, r, m.d.ContinuityCookieManager(ctx), CookieName, name); err != nil {
-		return nil, err
-	}
+	if o.setExpiresIn > 0 {
+		if err := m.d.ContinuityPersister().SetContinuitySessionExpiry(
+			ctx,
+			container.ID,
+			time.Now().UTC().Add(o.setExpiresIn).Truncate(time.Second),
+		); err != nil && !errors.Is(err, sqlcon.ErrNoRows) {
+			return nil, err
+		}
+	} else {
+		if err := x.SessionUnsetKey(w, r, m.d.ContinuityCookieManager(ctx), CookieName, name); err != nil {
+			return nil, err
+		}
 
-	if err := m.d.ContinuityPersister().DeleteContinuitySession(ctx, container.ID); err != nil && !errors.Is(err, sqlcon.ErrNoRows) {
-		return nil, err
+		if err := m.d.ContinuityPersister().DeleteContinuitySession(ctx, container.ID); err != nil && !errors.Is(err, sqlcon.ErrNoRows) {
+			return nil, err
+		}
 	}
 
 	return container, nil
@@ -136,6 +147,9 @@ func (m *ManagerCookie) container(ctx context.Context, w http.ResponseWriter, r
 		return nil, errors.WithStack(ErrNotResumable.WithDebugf("Resumable ID from cookie could not be found in the datastore: %+v", err))
 	} else if err != nil {
 		return nil, err
+	} else if container.ExpiresAt.Before(time.Now()) {
+		_ = x.SessionUnsetKey(w, r, m.d.ContinuityCookieManager(ctx), CookieName, name)
+		return nil, errors.WithStack(ErrNotResumable.WithDebugf("Resumable session has expired"))
 	}
 
 	return container, err

continuity/manager_options_test.go

@@ -20,7 +20,7 @@ func TestManagerOptions(t *testing.T) {
 	}{
 		{
 			e: func(t *testing.T, actual *managerOptions) {
-				assert.EqualValues(t, time.Minute, actual.ttl)
+				assert.EqualValues(t, time.Minute*10, actual.ttl)
 			},
 		},
 		{

continuity/manager_test.go

@@ -12,6 +12,7 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/ory/kratos/driver/config"
 
@@ -181,6 +182,50 @@ func TestManager(t *testing.T) {
 		assert.Contains(t, href, gjson.GetBytes(body, "name").String(), "%s", body)
 	})
 
+	t.Run("case=pause and use session with expiry", func(t *testing.T) {
+		cl := newClient()
+
+		tc := &persisterTestCase{
+			ro: []continuity.ManagerOption{continuity.WithPayload(&persisterTestPayload{"bar"}), continuity.WithExpireInsteadOfDelete(time.Minute)},
+			wo: []continuity.ManagerOption{continuity.WithPayload(&persisterTestPayload{}), continuity.WithExpireInsteadOfDelete(time.Minute)},
+		}
+		ts := newServer(t, p, tc)
+		genid := func() string {
+			return ts.URL + "/" + x.NewUUID().String()
+		}
+
+		href := genid()
+		res, err := cl.Do(testhelpers.NewTestHTTPRequest(t, "PUT", href, nil))
+		require.NoError(t, err)
+		require.NoError(t, res.Body.Close())
+		require.Equal(t, http.StatusNoContent, res.StatusCode)
+
+		res, err = cl.Do(testhelpers.NewTestHTTPRequest(t, "GET", href, nil))
+		require.NoError(t, err)
+		require.NoError(t, res.Body.Close())
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		res, err = cl.Do(testhelpers.NewTestHTTPRequest(t, "GET", href, nil))
+		require.NoError(t, err)
+		require.NoError(t, res.Body.Close())
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		tc.ro = []continuity.ManagerOption{continuity.WithPayload(&persisterTestPayload{"bar"}), continuity.WithExpireInsteadOfDelete(-time.Minute)}
+		tc.wo = []continuity.ManagerOption{continuity.WithPayload(&persisterTestPayload{""}), continuity.WithExpireInsteadOfDelete(-time.Minute)}
+
+		res, err = cl.Do(testhelpers.NewTestHTTPRequest(t, "GET", href, nil))
+		require.NoError(t, err)
+		require.NoError(t, res.Body.Close())
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		res, err = cl.Do(testhelpers.NewTestHTTPRequest(t, "GET", href, nil))
+		require.NoError(t, err)
+		require.Equal(t, http.StatusBadRequest, res.StatusCode)
+		body := ioutilx.MustReadAll(res.Body)
+		require.NoError(t, res.Body.Close())
+		assert.Contains(t, gjson.GetBytes(body, "error.reason").String(), continuity.ErrNotResumable.ReasonField)
+	})
+
 	for k, tc := range []persisterTestCase{
 		{},
 		{

continuity/persistence.go

@@ -18,5 +18,6 @@ type Persister interface {
 	SaveContinuitySession(ctx context.Context, c *Container) error
 	GetContinuitySession(ctx context.Context, id uuid.UUID) (*Container, error)
 	DeleteContinuitySession(ctx context.Context, id uuid.UUID) error
+	SetContinuitySessionExpiry(ctx context.Context, id uuid.UUID, expiresAt time.Time) error
 	DeleteExpiredContinuitySessions(ctx context.Context, deleteOlder time.Time, pageSize int) error
 }

continuity/test/persistence.go

@@ -101,6 +101,30 @@ func TestPersister(ctx context.Context, p interface {
 			})
 		})
 
+		t.Run("case=set expiry", func(t *testing.T) {
+			// Create a new continuity session
+			expected := createContainer(t)
+			require.NoError(t, p.SaveContinuitySession(ctx, &expected))
+
+			// Set the expiry of the continuity session
+			newExpiry := time.Now().Add(48 * time.Hour).UTC().Truncate(time.Second)
+			require.NoError(t, p.SetContinuitySessionExpiry(ctx, expected.ID, newExpiry))
+
+			// Retrieve the continuity session
+			actual, err := p.GetContinuitySession(ctx, expected.ID)
+			require.NoError(t, err)
+
+			// Check if the expiry has been updated
+			assert.EqualValues(t, newExpiry, actual.ExpiresAt)
+
+			t.Run("can not update on another network", func(t *testing.T) {
+				_, p := testhelpers.NewNetwork(t, ctx, p)
+				newExpiry := time.Now().Add(12 * time.Hour).UTC().Truncate(time.Second)
+				err := p.SetContinuitySessionExpiry(ctx, expected.ID, newExpiry)
+				require.ErrorIs(t, err, sqlcon.ErrNoRows)
+			})
+		})
+
 		t.Run("case=cleanup", func(t *testing.T) {
 			id := x.NewUUID()
 			yesterday := time.Now().Add(-24 * time.Hour).UTC().Truncate(time.Second)

contrib/quickstart/kratos/email-password/kratos.yml

@@ -11,7 +11,7 @@ serve:
     base_url: http://kratos:4434/
 
 selfservice:
-  default_browser_return_url: http://127.0.0.1:4455/
+  default_browser_return_url: http://127.0.0.1:4455/welcome
   allowed_return_urls:
     - http://127.0.0.1:4455
     - http://localhost:19006/Callback
@@ -50,7 +50,7 @@ selfservice:
       ui_url: http://127.0.0.1:4455/verification
       use: code
       after:
-        default_browser_return_url: http://127.0.0.1:4455/
+        default_browser_return_url: http://127.0.0.1:4455/welcome
 
     logout:
       after:

contrib/quickstart/kratos/passkey/kratos.yml

@@ -11,7 +11,7 @@ session:
     required_aal: aal1
 
 selfservice:
-  default_browser_return_url: http://localhost:4455/
+  default_browser_return_url: http://localhost:4455/welcome
   allowed_return_urls:
     - http://localhost:4455
     - http://localhost:19006/Callback

contrib/quickstart/kratos/phone-password/kratos.yml

@@ -11,7 +11,7 @@ serve:
     base_url: http://kratos:4434/
 
 selfservice:
-  default_browser_return_url: http://127.0.0.1:4455/
+  default_browser_return_url: http://127.0.0.1:4455/welcome
   allowed_return_urls:
     - http://127.0.0.1:4455
     - http://localhost:19006/Callback
@@ -50,7 +50,7 @@ selfservice:
       ui_url: http://127.0.0.1:4455/verification
       use: code
       after:
-        default_browser_return_url: http://127.0.0.1:4455/
+        default_browser_return_url: http://127.0.0.1:4455/welcome
 
     logout:
       after:

contrib/quickstart/kratos/webauthn/kratos.yml

@@ -11,7 +11,7 @@ serve:
     base_url: http://kratos:4434/
 
 selfservice:
-  default_browser_return_url: http://localhost:4455/
+  default_browser_return_url: http://localhost:4455/welcome
   allowed_return_urls:
     - http://localhost:4455
 
@@ -58,7 +58,7 @@ selfservice:
       ui_url: http://localhost:4455/verification
       use: code
       after:
-        default_browser_return_url: http://localhost:4455/
+        default_browser_return_url: http://localhost:4455/welcome
 
     logout:
       after: