(ctx context.Context, store *store.Store, licenseService *enterprise.LicenseService, workspaceID string)
| 61 | } |
| 62 | |
| 63 | func GetRefreshTokenDuration(ctx context.Context, store *store.Store, licenseService *enterprise.LicenseService, workspaceID string) time.Duration { |
| 64 | refreshTokenDuration := DefaultRefreshTokenDuration |
| 65 | |
| 66 | // If the sign-in frequency control feature is not enabled, return default duration |
| 67 | if err := licenseService.IsFeatureEnabled(ctx, workspaceID, v1pb.PlanFeature_FEATURE_TOKEN_DURATION_CONTROL); err != nil { |
| 68 | return refreshTokenDuration |
| 69 | } |
| 70 | |
| 71 | workspaceProfile, err := store.GetWorkspaceProfileSetting(ctx, workspaceID) |
| 72 | if err != nil { |
| 73 | return refreshTokenDuration |
| 74 | } |
| 75 | |
| 76 | if workspaceProfile.GetRefreshTokenDuration().GetSeconds() > 0 { |
| 77 | refreshTokenDuration = workspaceProfile.GetRefreshTokenDuration().AsDuration() |
| 78 | } |
| 79 | |
| 80 | if err := licenseService.IsFeatureEnabled(ctx, workspaceID, v1pb.PlanFeature_FEATURE_PASSWORD_RESTRICTIONS); err != nil { |
| 81 | return refreshTokenDuration |
| 82 | } |
| 83 | // Currently we implement the password rotation restriction in a simple way: |
| 84 | // 1. Only check if users need to reset their password during login. |
| 85 | // 2. For the 1st time login, if `RequireResetPasswordForFirstLogin` is true, `require_reset_password` in the response will be true |
| 86 | // 3. Otherwise if the `PasswordRotation` exists, check the password last updated time to decide if the `require_reset_password` is true. |
| 87 | // So we will use the minimum value between (`refreshTokenDuration`, `passwordRestriction.PasswordRotation`) to force to expire the token. |
| 88 | passwordRestriction := workspaceProfile.GetPasswordRestriction() |
| 89 | if passwordRestriction.GetPasswordRotation().GetSeconds() > 0 { |
| 90 | passwordRotation := passwordRestriction.GetPasswordRotation().AsDuration() |
| 91 | if passwordRotation.Seconds() < refreshTokenDuration.Seconds() { |
| 92 | refreshTokenDuration = passwordRotation |
| 93 | } |
| 94 | } |
| 95 | |
| 96 | return refreshTokenDuration |
| 97 | } |
| 98 | |
| 99 | // GetRefreshTokenCookie creates a cookie for the refresh token. |
| 100 | // token="" => unset (clears cookie) |
no test coverage detected