From 38e467bf8e819631873263c5607d75a469dab1ca Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Thu, 20 Feb 2025 23:26:26 +0100
Subject: [PATCH] policies/geoip: fix math in impossible travel (#13141)
* policies/geoip: fix math in impossible travel
Signed-off-by: Jens Langhammer
* fix threshold
Signed-off-by: Jens Langhammer
---------
Signed-off-by: Jens Langhammer
---
authentik/policies/geoip/models.py | 4 +-
authentik/policies/password/models.py | 4 +-
.../admin/policies/geoip/GeoIPPolicyForm.ts | 37 ++++++++-----------
3 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/authentik/policies/geoip/models.py b/authentik/policies/geoip/models.py
index f94341afd9..435e144c85 100644
--- a/authentik/policies/geoip/models.py
+++ b/authentik/policies/geoip/models.py
@@ -128,7 +128,7 @@ class GeoIPPolicy(Policy):
(geoip_data["lat"], geoip_data["long"]),
)
if self.check_history_distance and dist.km >= (
- self.history_max_distance_km - self.distance_tolerance_km
+ self.history_max_distance_km + self.distance_tolerance_km
):
return PolicyResult(
False, _("Distance from previous authentication is larger than threshold.")
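Review bot: The sign flip on the `+ self.distance_tolerance_km` line changes what the tolerance means — it now widens the permitted radius instead of narrowing it — but nothing at the comparison records that intent, so a later reader may well "correct" it back. A one-line comment above the `if` would pin it down: `# tolerance widens the threshold (presumably to absorb GeoIP placement error); a larger value makes the check more permissive`. Also, `>=` rejects a distance exactly equal to threshold plus tolerance while the message says "larger than threshold"; either `>` or wording like "reaches or exceeds" would make code and message agree. The enclosing method starts before this hunk, so where `geoip_data` and `dist` come from is not visible here.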
@@ -139,7 +139,7 @@ class GeoIPPolicy(Policy):
# clamped to be at least 1 hour
rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 3600), 1)
if self.check_impossible_travel and dist.km >= (
- (MAX_DISTANCE_HOUR_KM * rel_time_hours) - self.distance_tolerance_km
+ (MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km
):
return PolicyResult(False, _("Distance is further than possible."))
return PolicyResult(True)
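Review bot: `rel_time_hours` is truncated with `int()` on the line above the changed condition, so 1 h 59 min counts as one hour and the reachable distance is underestimated by up to a full hour of travel; the tolerance now added on the `+` line only partly offsets that. If the truncation is a deliberate, security-leaning clamp it should say so, e.g. `# truncating to whole hours under-estimates elapsed time, so the check errs toward rejection`; otherwise `max(math.ceil(...), 1)` (if `math` is available in this module) would match the "at least 1 hour" comment with fewer false positives. A negative interval — clock skew, or `previous_login.created` after `_now` — also collapses to one hour via the `max`, which belongs in the same comment. The method begins before this hunk.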
diff --git a/authentik/policies/password/models.py b/authentik/policies/password/models.py
index 15df0502cf..f94b7b4b52 100644
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@@ -148,10 +148,10 @@ class PasswordPolicy(Policy):
user_inputs.append(request.user.email)
if request.http_request:
user_inputs.append(request.http_request.brand.branding_title)
- # Only calculate result for the first 100 characters, as with over 100 char
+ # Only calculate result for the first 72 characters, as with over 100 char
# long passwords we can be reasonably sure that they'll surpass the score anyways
# See https://github.com/dropbox/zxcvbn#runtime-latency
- results = zxcvbn(password[:100], user_inputs)
+ results = zxcvbn(password[:72], user_inputs)
LOGGER.debug("password failed", check="zxcvbn", score=results["score"])
result = PolicyResult(results["score"] > self.zxcvbn_score_threshold)
if not result.passing:
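Review bot: The rewritten comment `# Only calculate result for the first 72 characters, as with over 100 char` now contradicts its own continuation, which still says "over 100 char", and the linked zxcvbn latency note justifies 100, not 72. If 72 was chosen to line up with bcrypt's 72-byte input limit (a plausible reading, not visible here), state that, and note that `password[:72]` slices characters rather than bytes, so the two limits only coincide for ASCII passwords. Suggested two-line replacement: `# Only score the first 72 characters: zxcvbn's runtime grows with input length` / `# (see the latency note above) and a password that long clears the threshold anyway`. Separately, the unchanged `LOGGER.debug("password failed", ...)` on the next line is emitted before `result` exists, so it is misleading whenever the policy passes; moving it under `if not result.passing:` would fix that.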
diff --git a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
index 1b5119ae2b..d59936c1ab 100644
--- a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
+++ b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
@@ -105,6 +105,22 @@ export class GeoIPPolicyForm extends BasePolicyForm {
)}
+
+
+
+ ${msg(
+ "Maximum distance a login attempt is allowed from in kilometers.",
+ )}
+
+
{
${msg("Amount of previous login events to check against.")}
-
-
-
- ${msg(
- "Maximum distance a login attempt is allowed from in kilometers.",
- )}
-
-
-
-
-
- ${msg("Distance settings (Impossible travel)")}
-