enterprise/policies: Add Password Uniqueness History Policy#13453
…ry table If the UniquePasswordPolicy is enabled anywhere, we now record the user's hashed password.
…bound to anything
The system should aim to keep the number of historical passwords to a minimum to avoid wasting storage space. Admins can configure how many passwords they want to preserve. If multiple instances of the UniquePasswordPolicy exist, the system takes the max() value of all enabled policies to determine how many passwords should remain after trimming.
…ings Querying within post_delete for other PolicyBindings will include the PolicyBinding we're deleting. We have to account for that by checking for bindings other than the one we're looking at.
…nc task instead of prior to execution
… to a provided policy type
…PasswordPolicyForm
…rom ManagedAppConfig.
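The commit messages above describe three behaviours without showing them together: hashes are only recorded when some UniquePasswordPolicy is in use, the retention count is the max() over all enabled policies, and a post_delete handler must ignore the binding currently being removed. The following is an added, stand-alone model of that logic; it is not authentik's code, and the dataclasses, field names and the single-pass `trim_all_password_histories` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the PolicyBinding / UniquePasswordPolicy objects.
# Field names are assumptions for this example, not authentik's actual schema.


@dataclass
class UniquePasswordPolicy:
    num_history_passwords: int  # admin-configured number of hashes to keep


@dataclass
class PolicyBinding:
    pk: int
    enabled: bool
    policy: Optional[UniquePasswordPolicy]  # None: bound to some other policy type


def retention_count(bindings: List[PolicyBinding], deleting_pk: Optional[int] = None) -> int:
    """Number of historical hashes to keep: max() over every *enabled*
    UniquePasswordPolicy binding. `deleting_pk` reproduces the post_delete
    situation, where the binding being removed still appears in the query
    and has to be skipped. Returns 0 when no such binding is enabled."""
    counts = [
        b.policy.num_history_passwords
        for b in bindings
        if b.enabled and b.policy is not None and b.pk != deleting_pk
    ]
    return max(counts, default=0)


# user_pk -> list of (timestamp, password_hash); order of insertion not assumed
History = Dict[int, List[Tuple[int, str]]]


def record_password_hash(histories: History, user_pk: int, pw_hash: str,
                         bindings: List[PolicyBinding], now: int) -> bool:
    """Append a hash only when a UniquePasswordPolicy binding is enabled, so the
    history table stays empty for deployments that never use the policy."""
    if retention_count(bindings) == 0:
        return False
    histories.setdefault(user_pk, []).append((now, pw_hash))
    return True


def trim_all_password_histories(histories: History, bindings: List[PolicyBinding],
                                deleting_pk: Optional[int] = None) -> History:
    """One pass over every user's history (a single job rather than one task per
    user). Keeps only the newest `keep` entries for each user and returns a new
    mapping; with `keep == 0` every history is emptied."""
    keep = retention_count(bindings, deleting_pk)
    trimmed: History = {}
    for user_pk, entries in histories.items():
        ordered = sorted(entries, key=lambda e: e[0])  # oldest first
        trimmed[user_pk] = ordered[-keep:] if keep else []
    return trimmed


# Constructed sample data: two enabled policies (3 and 5), one disabled (10),
# and one enabled binding to an unrelated policy type.
SAMPLE_BINDINGS = [
    PolicyBinding(pk=1, enabled=True, policy=UniquePasswordPolicy(3)),
    PolicyBinding(pk=2, enabled=True, policy=UniquePasswordPolicy(5)),
    PolicyBinding(pk=3, enabled=False, policy=UniquePasswordPolicy(10)),
    PolicyBinding(pk=4, enabled=True, policy=None),
]

SAMPLE_HISTORIES: History = {
    7: [(t, f"h{t}") for t in range(1, 7)],  # six hashes, newest is h6
    8: [(1, "x1"), (2, "x2")],               # already under the limit
}

if __name__ == "__main__":
    print(retention_count(SAMPLE_BINDINGS))                    # 5
    print(retention_count(SAMPLE_BINDINGS, deleting_pk=2))     # 3 once binding 2 is gone
    print({k: len(v) for k, v in
           trim_all_password_histories(SAMPLE_HISTORIES, SAMPLE_BINDINGS).items()})
```

Computing the retention count once per run and then trimming every user in the same loop is what keeps this to a single task regardless of how many users have a history; the `deleting_pk` parameter is the same correction the post_delete commit describes, applied to an in-memory list instead of a queryset.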
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
9bdfe9f to 8f56e1c
```python
# Check if any UniquePasswordPolicy is in use
unique_pwd_policy_in_use = UniquePasswordPolicy.is_in_use()

if unique_pwd_policy_in_use:
```
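Review bot: `is_in_use()` needs a docstring stating exactly which bindings make it return True. The thread asks whether history should be saved as long as the policy merely exists, and the answer is that only an explicitly enabled binding should count, so that contract (enabled bindings only; disabled bindings and unbound policies yield False) belongs on the method itself rather than being left to the call-site comment `# Check if any UniquePasswordPolicy is in use`.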
Should we also save as long as the policy exists?
I think that we should only save when the user explicitly wants to do that
```python
@CELERY_APP.task()
def trim_user_password_history(user_pk: int):
```
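Review bot: `trim_user_password_history(user_pk)` is a per-user task, so `trim_all_password_histories` ends up scheduling one Celery task for every user that has a history; as the thread below points out, with several thousand such users that is several thousand queued tasks. Fold the per-user deletion into the single `trim_all_password_histories` task, iterate the users inside it, and compute the retention count once there (the max() across enabled policies described in the commit message) instead of recomputing it per user.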
As this is only called from trim_all_password_histories, I think we can just have one task deleting for all users
And it can also call check_and_purge_password_history as well.
I fail to see the difference between purge_password_history_table and check_and_purge_password_history though
You're right, I refactored check_and_purge_password_history and purge_password_history_table into one function 👍
As for trim_all_password_histories, this approach allows us to have better error isolation (like if there's a problem with a particular user) and would scale better in a huge user base.
In other tasks we don't separate like this. I still want both of those tasks to be merged. If there are several thousand users with password histories, I don't want several thousand tasks to be scheduled.
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* main: (49 commits)
  core: bump uvicorn from 0.34.1 to v0.34.2 (#14175)
  website/integrations: add xcreds (#14163)
  core, web: update translations (#14179)
  web: update default flow background (#14115)
  web: bump API Client version (#14176)
  enterprise/policies: Add Password Uniqueness History Policy (#13453)
  web/xliff: fix duplicated translations (#14164)
  website/docs: fix postgres pool recommended settings (#14149)
  core: bump astral-sh/uv from 0.6.14 to 0.6.16 (#14161)
  web: fix scrollbar styling (#12600)
  website: integrations: gravity: fix issuer URL (#14155)
  web: Packagify live reload plugin. (#14134)
  web: bump API Client version (#14062)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#14146)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#14145)
  core: bump goauthentik.io/api/v3 from 3.2025024.7 to 3.2025024.8 (#14143)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#14144)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#14139)
  core, web: update translations (#14142)
  core: bump yarl from 1.19.0 to v1.20.0 (#14128)
  ...
Continues work done in #10631
Closes #8307
Documentation PR: #13686
Steps to test:
Checklist
- `ak test authentik/`
- `make lint-fix`
- If an API change has been made: `make gen-build`
- If changes to the frontend have been made: `make web`
- If applicable: `make website`