feat(core): read sentinel policy settings (#7255)

simeng-li · web-flow · commit e73adf12b0a0 · 2025-04-11T11:24:56.000+08:00
* feat(core): read sentinel policy settings

read custom sentinel policy settings from SIE

* fix(test): fix integration tests

fix integration tests
diff --git a/packages/core/src/sentinel/basic-sentinel.test.ts b/packages/core/src/sentinel/basic-sentinel.test.ts
@@ -6,9 +6,14 @@ import {
   SentinelDecision,
 } from '@logto/schemas';
 import { addMinutes } from 'date-fns';
+import Sinon from 'sinon';
 
 import { createMockCommonQueryMethods, expectSqlString } from '#src/test-utils/query.js';
 
+import { mockSignInExperience } from '../__mocks__/sign-in-experience.js';
+import { EnvSet } from '../env-set/index.js';
+import { MockQueries } from '../test-utils/tenant.js';
+
 import BasicSentinel from './basic-sentinel.js';
 
 const { jest } = import.meta;
@@ -25,10 +30,27 @@ class TestSentinel extends BasicSentinel {
   override decide = super.decide;
 }
 
+const findDefaultSignInExperienceMock = jest.fn();
+
 const methods = createMockCommonQueryMethods();
-const sentinel = new TestSentinel(methods);
+const sentinel = new TestSentinel(
+  methods,
+  new MockQueries({
+    signInExperiences: {
+      findDefaultSignInExperience: findDefaultSignInExperienceMock,
+    },
+  })
+);
 const mockedTime = new Date('2021-01-01T00:00:00.000Z').valueOf();
-const mockedBlockedTime = addMinutes(mockedTime, 10).valueOf();
+const mockedDefaultBlockedTime = addMinutes(mockedTime, 10).valueOf();
+const customSentinelPolicy = {
+  maxAttempts: 7,
+  lockoutDuration: 15,
+};
+const mockedCustomBlockedTime = addMinutes(
+  mockedTime,
+  customSentinelPolicy.lockoutDuration
+).valueOf();
 
 beforeAll(() => {
   jest.useFakeTimers().setSystemTime(mockedTime);
@@ -39,6 +61,10 @@ afterEach(() => {
 });
 
 describe('BasicSentinel -> reportActivity()', () => {
+  beforeEach(() => {
+    findDefaultSignInExperienceMock.mockResolvedValue(mockSignInExperience);
+  });
+
   it('should insert an activity', async () => {
     methods.maybeOne.mockResolvedValueOnce(null);
     methods.oneFirst.mockResolvedValueOnce(0);
@@ -55,11 +81,11 @@ describe('BasicSentinel -> reportActivity()', () => {
 
   it('should insert a blocked activity', async () => {
     // Mock the query method to return a blocked activity
-    methods.maybeOne.mockResolvedValueOnce({ decisionExpiresAt: mockedBlockedTime });
+    methods.maybeOne.mockResolvedValueOnce({ decisionExpiresAt: mockedDefaultBlockedTime });
 
     const activity = createMockActivityReport();
     const decision = await sentinel.reportActivity(activity);
-    expect(decision).toEqual([SentinelDecision.Blocked, mockedBlockedTime]);
+    expect(decision).toEqual([SentinelDecision.Blocked, mockedDefaultBlockedTime]);
     expect(methods.query).toHaveBeenCalledTimes(1);
     expect(methods.query).toHaveBeenCalledWith(
       expectSqlString('insert into "sentinel_activities"')
@@ -68,6 +94,10 @@ describe('BasicSentinel -> reportActivity()', () => {
 });
 
 describe('BasicSentinel -> decide()', () => {
+  beforeEach(() => {
+    findDefaultSignInExperienceMock.mockResolvedValue(mockSignInExperience);
+  });
+
   it('should return existing blocked time if the activity is blocked', async () => {
     const existingBlockedTime = addMinutes(mockedTime, 5).valueOf();
     methods.maybeOne.mockResolvedValueOnce({ decisionExpiresAt: existingBlockedTime });
@@ -92,7 +122,7 @@ describe('BasicSentinel -> decide()', () => {
 
     const activity = createMockActivityReport();
     const decision = await sentinel.decide(activity);
-    expect(decision).toEqual([SentinelDecision.Blocked, mockedBlockedTime]);
+    expect(decision).toEqual([SentinelDecision.Blocked, mockedDefaultBlockedTime]);
   });
 
   it('should return blocked if the activity is not blocked and there are 4 failed attempts and the current activity is failed', async () => {
@@ -103,6 +133,83 @@ describe('BasicSentinel -> decide()', () => {
     // eslint-disable-next-line @silverhand/fp/no-mutation
     activity.actionResult = SentinelActionResult.Failed;
     const decision = await sentinel.decide(activity);
-    expect(decision).toEqual([SentinelDecision.Blocked, mockedBlockedTime]);
+    expect(decision).toEqual([SentinelDecision.Blocked, mockedDefaultBlockedTime]);
+  });
+});
+
+describe('BasicSentinel  with custom policy', () => {
+  // eslint-disable-next-line @silverhand/fp/no-let
+  let stub: Sinon.SinonStub;
+
+  // TODO: Remove this when the sentinel policy is fully integrated into the system.
+  beforeAll(() => {
+    // eslint-disable-next-line @silverhand/fp/no-mutation
+    stub = Sinon.stub(EnvSet, 'values').value({
+      ...EnvSet.values,
+      isProduction: true,
+      isDevFeaturesEnabled: true,
+    });
+  });
+
+  afterAll(() => {
+    stub.restore();
+  });
+
+  beforeEach(() => {
+    findDefaultSignInExperienceMock.mockResolvedValue({
+      ...mockSignInExperience,
+      sentinelPolicy: customSentinelPolicy,
+    });
+  });
+
+  it('should insert a blocked activity', async () => {
+    // Mock the query method to return a blocked activity
+    methods.maybeOne.mockResolvedValueOnce({ decisionExpiresAt: mockedCustomBlockedTime });
+
+    const activity = createMockActivityReport();
+    const decision = await sentinel.reportActivity(activity);
+    expect(decision).toEqual([SentinelDecision.Blocked, mockedCustomBlockedTime]);
+    expect(methods.query).toHaveBeenCalledTimes(1);
+    expect(methods.query).toHaveBeenCalledWith(
+      expectSqlString('insert into "sentinel_activities"')
+    );
+  });
+
+  it('should return existing blocked time if the activity is blocked', async () => {
+    const existingBlockedTime = addMinutes(mockedTime, 5).valueOf();
+    methods.maybeOne.mockResolvedValueOnce({ decisionExpiresAt: existingBlockedTime });
+
+    const activity = createMockActivityReport();
+    const decision = await sentinel.decide(activity);
+    expect(decision).toEqual([SentinelDecision.Blocked, existingBlockedTime]);
+  });
+
+  it('should return allowed if the activity is not blocked and there are less than 7 failed attempts', async () => {
+    methods.maybeOne.mockResolvedValueOnce(null);
+    methods.oneFirst.mockResolvedValueOnce(6);
+
+    const activity = createMockActivityReport();
+    const decision = await sentinel.decide(activity);
+    expect(decision).toEqual([SentinelDecision.Allowed, mockedTime]);
+  });
+
+  it('should return blocked if the activity is not blocked and there are 7 failed attempts', async () => {
+    methods.maybeOne.mockResolvedValueOnce(null);
+    methods.oneFirst.mockResolvedValueOnce(7);
+
+    const activity = createMockActivityReport();
+    const decision = await sentinel.decide(activity);
+    expect(decision).toEqual([SentinelDecision.Blocked, mockedCustomBlockedTime]);
+  });
+
+  it('should return blocked if the activity is not blocked and there are 4 failed attempts and the current activity is failed', async () => {
+    methods.maybeOne.mockResolvedValueOnce(null);
+    methods.oneFirst.mockResolvedValueOnce(6);
+
+    const activity = createMockActivityReport();
+    // eslint-disable-next-line @silverhand/fp/no-mutation
+    activity.actionResult = SentinelActionResult.Failed;
+    const decision = await sentinel.decide(activity);
+    expect(decision).toEqual([SentinelDecision.Blocked, mockedCustomBlockedTime]);
   });
 });
diff --git a/packages/core/src/sentinel/basic-sentinel.ts b/packages/core/src/sentinel/basic-sentinel.ts
@@ -14,8 +14,11 @@ import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 import { addMinutes } from 'date-fns';
 
 import { buildInsertIntoWithPool } from '#src/database/insert-into.js';
+import type Queries from '#src/tenants/Queries.js';
 import { convertToIdentifiers } from '#src/utils/sql.js';
 
+import { EnvSet } from '../env-set/index.js';
+
 const { fields, table } = convertToIdentifiers(SentinelActivities);
 
 /**
@@ -31,6 +34,17 @@ export default class BasicSentinel extends Sentinel {
     SentinelActivityAction.OneTimeToken,
   ] as const);
 
+  /**
+   * The default policy for this sentinel.
+   *
+   * - `maxAttempts`: 5
+   * - `lockoutDuration`: 10 minutes
+   */
+  static defaultPolicy = Object.freeze({
+    maxAttempts: 5,
+    lockoutDuration: 10,
+  });
+
   /** The array of all supported actions in SQL format. */
   static supportedActionArray = sql.array(BasicSentinel.supportedActions, 'varchar');
 
@@ -55,8 +69,12 @@ export default class BasicSentinel extends Sentinel {
    * designed to be used as an isolated module that can be separated from the core business logic.
    *
    * @param pool A database pool with methods {@link CommonQueryMethods}.
+   * @param {Queries} queries Tenant-level queries.
    */
-  constructor(protected readonly pool: CommonQueryMethods) {
+  constructor(
+    protected readonly pool: CommonQueryMethods,
+    protected readonly queries: Queries
+  ) {
     super();
   }
 
@@ -111,6 +129,24 @@ export default class BasicSentinel extends Sentinel {
     return blocked && [SentinelDecision.Blocked, blocked.decisionExpiresAt];
   }
 
+  protected async getSentinelPolicy() {
+    // TODO: remove this check when the sentinel policy is fully integrated into the system.
+    if (!EnvSet.values.isDevFeaturesEnabled) {
+      return BasicSentinel.defaultPolicy;
+    }
+
+    const {
+      signInExperiences: { findDefaultSignInExperience },
+    } = this.queries;
+
+    const { sentinelPolicy } = await findDefaultSignInExperience();
+
+    return {
+      ...BasicSentinel.defaultPolicy,
+      ...sentinelPolicy,
+    };
+  }
+
   protected async decide(
     query: Pick<SentinelActivity, 'targetType' | 'targetHash' | 'actionResult'>
   ): Promise<SentinelDecisionTuple> {
@@ -129,10 +165,13 @@ export default class BasicSentinel extends Sentinel {
         and ${fields.decision} != ${SentinelDecision.Blocked}
         and ${fields.createdAt} > now() - interval '1 hour'
     `);
+    const { maxAttempts, lockoutDuration } = await this.getSentinelPolicy();
+
     const now = new Date();
 
-    return failedAttempts + (query.actionResult === SentinelActionResult.Failed ? 1 : 0) >= 5
-      ? [SentinelDecision.Blocked, addMinutes(now, 10).valueOf()]
+    return failedAttempts + (query.actionResult === SentinelActionResult.Failed ? 1 : 0) >=
+      maxAttempts
+      ? [SentinelDecision.Blocked, addMinutes(now, lockoutDuration).valueOf()]
       : [SentinelDecision.Allowed, now.valueOf()];
   }
 }
diff --git a/packages/core/src/tenants/Tenant.ts b/packages/core/src/tenants/Tenant.ts
@@ -100,7 +100,7 @@ export default class Tenant implements TenantContext {
       logtoConfigs,
       subscription
     ),
-    public readonly sentinel = new BasicSentinel(envSet.pool)
+    public readonly sentinel = new BasicSentinel(envSet.pool, queries)
   ) {
     const isAdminTenant = id === adminTenantId;
     const mountedApps = [
