[PR #747] [MERGED] feat: adds option to OIDC client to require reauthentication #634

Closed
opened 2025-10-07 00:19:46 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/747
Author: @MorrisMorrison
Created: 7/11/2025
Status: Merged
Merged: 8/22/2025
Merged by: @stonith404

Base: main ← Head: feat/oidc-client-requires-reauthentication


📝 Commits (10+)

  • 9e92b57 feat: adds option to require reauthentication for oidc clients to frontend
  • 0fe773e fix: provides proper translations
  • 0b74f2d feat: adds option to require reauthentication for oidc clients to backend
  • 06151bd feat: execute auth if oidc client is configured as requires reauthentication
  • ed6ad6f Merge remote-tracking branch 'upstream/main' into feat/oidc-client-requires-reauthentication
  • 4847d53 feat: adds test for enforced reauthentication
  • bc648a8 feat: update translation
  • 64673de fix: formatting
  • 49f4755 Merge branch 'main' into feat/oidc-client-requires-reauthentication
  • 3bb66de Merge branch 'main' of github.com:pocket-id/pocket-id into feat/oidc-client-requires-reauthentication

📊 Changes

22 files changed (+362 additions, -44 deletions)


📝 backend/internal/bootstrap/services_bootstrap.go (+5 -6)
📝 backend/internal/common/errors.go (+9 -0)
📝 backend/internal/controller/webauthn_controller.go (+32 -0)
📝 backend/internal/dto/oidc_dto.go (+20 -17)
📝 backend/internal/job/db_cleanup_job.go (+15 -0)
📝 backend/internal/model/oidc.go (+11 -10)
📝 backend/internal/model/webauthn.go (+9 -0)
📝 backend/internal/service/oidc_service.go (+14 -0)
📝 backend/internal/service/webauthn_service.go (+133 -0)
➕ backend/resources/migrations/postgres/20250814121300_requires_reauthentication.down.sql (+2 -0)
➕ backend/resources/migrations/postgres/20250814121300_requires_reauthentication.up.sql (+11 -0)
➕ backend/resources/migrations/sqlite/20250814121300_requires_reauthentication.down.sql (+3 -0)
➕ backend/resources/migrations/sqlite/20250814121300_requires_reauthentication.up.sql (+11 -0)
📝 frontend/messages/de.json (+2 -0)
📝 frontend/messages/en.json (+2 -0)
📝 frontend/src/lib/services/oidc-service.ts (+4 -2)
📝 frontend/src/lib/services/webauthn-service.ts (+5 -0)
📝 frontend/src/lib/types/oidc.type.ts (+2 -0)
📝 frontend/src/routes/authorize/+page.svelte (+29 -5)
📝 frontend/src/routes/settings/admin/oidc-clients/[id]/+page.svelte (+8 -4)

...and 2 more files

📄 Description

Hi everyone,
this PR adds an option for OIDC Clients to enforce reauthentication.

Changes:

  • adds db migrations for postgres and sqlite to add requires_reauthentication field to oidc_clients
  • updates oidc dtos and models with RequiresReauthentication field
  • updates oidc_service.HasAuthorizedClient to evaluate if client always requires reauthentication
  • updates authorization page to check and enforce reauthentication
  • adds form controls in OIDC client settings
  • adds translations
  • adds e2e test to verify reauthentication is triggered and the user can successfully sign in afterwards

Fixes: #544

Summary by CodeRabbit

  • New Features
    • Per‑client “Requires Re‑Authentication” option for OIDC.
    • Authorization flow supports WebAuthn reauthentication with token handling.
    • New endpoint to perform passkey reauthentication.
  • UI/Style
    • Admin OIDC client form and details show the new setting; widened labels for readability.
  • Localization
    • Added English and German strings for the new setting and its description.
  • Tests
    • Added end‑to‑end test verifying enforced reauthentication.
  • Chores
    • Database migrations for reauthentication flag and tokens; scheduled cleanup of expired tokens.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
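The description above outlines the backend decision this PR introduces: a client flagged as requiring reauthentication must never reuse a prior authorization, the authorize flow has to be satisfied by a token issued after a fresh WebAuthn ceremony, and expired tokens are swept by a scheduled job. The following Go program is an added illustration of that design, not pocket-id's code and not taken from this PR. The function name `HasAuthorizedClient` and the field `RequiresReauthentication` follow the description; `OIDCClient`, `ReauthStore`, `Issue`, `Consume`, `CleanupExpired`, `Authorize` and the in-memory token map are assumptions made for the example. The security-relevant properties it demonstrates are that a reauthentication token is unguessable, bound to one user, short-lived, and consumed on first use, so it cannot be replayed for a second authorization.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// ErrReauthRequired is returned when the request must go through a fresh
// passkey ceremony before it can proceed.
var ErrReauthRequired = errors.New("reauthentication required")

// OIDCClient carries the per-client flag the PR introduces. The field name
// follows the PR description; the struct itself is illustrative.
type OIDCClient struct {
	ID                       string
	RequiresReauthentication bool
}

// ReauthToken is a short-lived, single-use proof that the user just completed
// a WebAuthn assertion (hypothetical shape, not pocket-id's model).
type ReauthToken struct {
	UserID    string
	ExpiresAt time.Time
}

// ReauthStore keeps outstanding tokens in memory; a real deployment persists
// them, which is why a periodic cleanup of expired rows is needed.
type ReauthStore struct {
	mu     sync.Mutex
	tokens map[string]ReauthToken
	now    func() time.Time // injectable clock so expiry can be tested
}

func NewReauthStore(now func() time.Time) *ReauthStore {
	return &ReauthStore{tokens: make(map[string]ReauthToken), now: now}
}

// Issue mints a token after a successful passkey assertion. The value is
// 256 bits from crypto/rand so it cannot be guessed, and ttl keeps the window
// in which it is accepted short.
func (s *ReauthStore) Issue(userID string, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = ReauthToken{UserID: userID, ExpiresAt: s.now().Add(ttl)}
	return tok, nil
}

// Consume validates a token and removes it in the same critical section, so a
// token can only ever satisfy one authorization request. Unknown, expired and
// wrong-user tokens all fail the same way.
func (s *ReauthStore) Consume(userID, tok string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.tokens[tok]
	if !ok {
		return ErrReauthRequired
	}
	delete(s.tokens, tok) // single use, whatever the outcome of the checks below
	if t.UserID != userID || !s.now().Before(t.ExpiresAt) {
		return ErrReauthRequired
	}
	return nil
}

// CleanupExpired drops tokens past their expiry and returns how many it
// removed; this is what a scheduled cleanup job would call.
func (s *ReauthStore) CleanupExpired() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	removed := 0
	now := s.now()
	for tok, t := range s.tokens {
		if !now.Before(t.ExpiresAt) {
			delete(s.tokens, tok)
			removed++
		}
	}
	return removed
}

// HasAuthorizedClient reports whether a prior authorization lets the user skip
// the interactive step. A client flagged RequiresReauthentication never
// benefits from prior authorization.
func HasAuthorizedClient(client OIDCClient, previouslyAuthorized bool) bool {
	if client.RequiresReauthentication {
		return false
	}
	return previouslyAuthorized
}

// Authorize is the reauthentication check the authorize endpoint makes: for a
// strict client a fresh token must be consumed; other clients pass through.
func Authorize(client OIDCClient, userID, reauthToken string, store *ReauthStore) error {
	if !client.RequiresReauthentication {
		return nil
	}
	return store.Consume(userID, reauthToken)
}
```

Deleting the token before checking user and expiry matters: a token that fails validation is discarded rather than left in the store for a second attempt, and the lock around lookup-and-delete prevents two concurrent requests from both succeeding with the same token.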

OVERLORD added the pull-request label 2025-10-07 00:19:46 +03:00
Reference: starred/pocket-id#634