From b2dcf94abae1a05ab7110bbcb41fbd734e61fdf8 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]"
<98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Thu, 20 Feb 2025 23:46:21 +0100
Subject: [PATCH] policies/geoip: fix math in impossible travel (cherry-pick
#13141) (#13145)
policies/geoip: fix math in impossible travel (#13141)
* policies/geoip: fix math in impossible travel
* fix threshold
---------
Signed-off-by: Jens Langhammer
Co-authored-by: Jens L.
---
authentik/policies/geoip/models.py | 4 +-
authentik/policies/password/models.py | 4 +-
.../admin/policies/geoip/GeoIPPolicyForm.ts | 37 ++++++++-----------
3 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/authentik/policies/geoip/models.py b/authentik/policies/geoip/models.py
index f94341afd9..435e144c85 100644
--- a/authentik/policies/geoip/models.py
+++ b/authentik/policies/geoip/models.py
@@ -128,7 +128,7 @@ class GeoIPPolicy(Policy):
(geoip_data["lat"], geoip_data["long"]),
)
if self.check_history_distance and dist.km >= (
- self.history_max_distance_km - self.distance_tolerance_km
+ self.history_max_distance_km + self.distance_tolerance_km
):
return PolicyResult(
False, _("Distance from previous authentication is larger than threshold.")
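Review bot: The sign flip on the tolerance is correct for its stated intent but leaves nothing in the code saying which way `distance_tolerance_km` is meant to cut, so the next reader will question the `+` just as this commit questioned the `-`; add a comment above the `if`, `# tolerance widens the allowed radius; a distance exactly at the bound is still rejected (>=)`. The same flip, and the same missing comment, applies to the impossible-travel hunk below in this file. The enclosing method begins before and continues after this hunk, so whether the field's help text already documents this cannot be seen here.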
@@ -139,7 +139,7 @@ class GeoIPPolicy(Policy):
# clamped to be at least 1 hour
rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 3600), 1)
if self.check_impossible_travel and dist.km >= (
- (MAX_DISTANCE_HOUR_KM * rel_time_hours) - self.distance_tolerance_km
+ (MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km
):
return PolicyResult(False, _("Distance is further than possible."))
return PolicyResult(True)
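Review bot: The corrected threshold still multiplies by `rel_time_hours`, which `int()` truncates toward zero before the clamp, so a login 1h59m after the previous one is budgeted as one hour of travel and the check is stricter than "MAX_DISTANCE_HOUR_KM per hour" suggests; the commit fixes only the tolerance sign. If the stricter reading is intended, state it in the existing comment, e.g. `# truncated to whole hours (conservative) and clamped to be at least 1 hour`; if the generous bound is intended, rounding up (`math.ceil`, with `math` imported) is the one-line alternative. Either way a test that pins a distance just inside and just outside `MAX_DISTANCE_HOUR_KM * rel_time_hours + distance_tolerance_km` would keep the sign from regressing again. The enclosing method starts before this hunk.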
diff --git a/authentik/policies/password/models.py b/authentik/policies/password/models.py
index 15df0502cf..f94b7b4b52 100644
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@@ -148,10 +148,10 @@ class PasswordPolicy(Policy):
user_inputs.append(request.user.email)
if request.http_request:
user_inputs.append(request.http_request.brand.branding_title)
- # Only calculate result for the first 100 characters, as with over 100 char
+ # Only calculate result for the first 72 characters, as with over 100 char
# long passwords we can be reasonably sure that they'll surpass the score anyways
# See https://github.com/dropbox/zxcvbn#runtime-latency
- results = zxcvbn(password[:100], user_inputs)
+ results = zxcvbn(password[:72], user_inputs)
LOGGER.debug("password failed", check="zxcvbn", score=results["score"])
result = PolicyResult(results["score"] > self.zxcvbn_score_threshold)
if not result.passing:
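Review bot: The rewritten comment is now self-contradictory: the first line says the score is computed over the first 72 characters while the next line still justifies that with "over 100 char long passwords". Make the two lines agree, e.g. `# Only calculate result for the first 72 characters, as with over 72 char` followed by the unchanged `# long passwords we can be reasonably sure that they'll surpass the score anyways`. If 72 was chosen for a reason other than latency, that reason is not stated anywhere in this hunk and belongs in the comment too, since the cut-off also means anything beyond position 72 never influences the score or the user-input matching. The enclosing method begins before and ends after this hunk.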
diff --git a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
index 1b5119ae2b..d59936c1ab 100644
--- a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
+++ b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
@@ -105,6 +105,22 @@ export class GeoIPPolicyForm extends BasePolicyForm {
)}
+
+
+
+ ${msg(
+ "Maximum distance a login attempt is allowed from in kilometers.",
+ )}
+
+ {
${msg("Amount of previous login events to check against.")}
-
-
-
- ${msg(
- "Maximum distance a login attempt is allowed from in kilometers.",
- )}
-