Make policy depend on whether the login is interactive or not

policies/compat_login/compat_login.rego

@@ -33,8 +33,7 @@ violation contains {
 	data.session_limit != null
 
 	# This is a web-based interactive login
-	# TODO not strictly correct...
-	input.login_type == "m.login.sso"
+	input.is_interactive
 
 	# Only apply if this login doesn't replace a session
 	# (As then this login is not actually increasing the number of devices)
@@ -55,7 +54,7 @@ violation contains {
 	data.session_limit != null
 
 	# This is not a web-based interactive login
-	input.login_type == "m.login.password"
+	not input.is_interactive
 
 	# Only apply if this login doesn't replace a session
 	# (As then this login is not actually increasing the number of devices)

policies/compat_login/compat_login_test.rego

@@ -10,33 +10,39 @@ import rego.v1
 
 user := {"username": "john"}
 
+# Tests session limiting when using (the interactive part of) `m.login.sso`
 test_session_limiting_sso if {
 	compat_login.allow with input.user as user
 		with input.session_counts as {"total": 1}
+		with input.is_interactive as true
 		with input.login_type as "m.login.sso"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	compat_login.allow with input.user as user
 		with input.session_counts as {"total": 31}
+		with input.is_interactive as true
 		with input.login_type as "m.login.sso"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	not compat_login.allow with input.user as user
 		with input.session_counts as {"total": 32}
+		with input.is_interactive as true
 		with input.login_type as "m.login.sso"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	not compat_login.allow with input.user as user
 		with input.session_counts as {"total": 42}
+		with input.is_interactive as true
 		with input.login_type as "m.login.sso"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	not compat_login.allow with input.user as user
 		with input.session_counts as {"total": 65}
+		with input.is_interactive as true
 		with input.login_type as "m.login.sso"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
@@ -44,32 +50,38 @@ test_session_limiting_sso if {
 	# No limit configured
 	compat_login.allow with input.user as user
 		with input.session_counts as {"total": 1}
+		with input.is_interactive as true
 		with input.login_type as "m.login.sso"
 		with input.session_replaced as false
 		with data.session_limit as null
 }
 
+# Test session limiting when using `m.login.password`
 test_session_limiting_password if {
 	compat_login.allow with input.user as user
 		with input.session_counts as {"total": 1}
+		with input.is_interactive as false
 		with input.login_type as "m.login.password"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	compat_login.allow with input.user as user
 		with input.session_counts as {"total": 63}
+		with input.is_interactive as false
 		with input.login_type as "m.login.password"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	not compat_login.allow with input.user as user
 		with input.session_counts as {"total": 64}
+		with input.is_interactive as false
 		with input.login_type as "m.login.password"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	not compat_login.allow with input.user as user
 		with input.session_counts as {"total": 65}
+		with input.is_interactive as false
 		with input.login_type as "m.login.password"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
@@ -77,6 +89,7 @@ test_session_limiting_password if {
 	# No limit configured
 	compat_login.allow with input.user as user
 		with input.session_counts as {"total": 1}
+		with input.is_interactive as false
 		with input.login_type as "m.login.password"
 		with input.session_replaced as false
 		with data.session_limit as null
@@ -85,12 +98,14 @@ test_session_limiting_password if {
 test_no_session_limiting_upon_replacement if {
 	not compat_login.allow with input.user as user
 		with input.session_counts as {"total": 65}
+		with input.is_interactive as false
 		with input.login_type as "m.login.password"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
 
 	not compat_login.allow with input.user as user
 		with input.session_counts as {"total": 65}
+		with input.is_interactive as true
 		with input.login_type as "m.login.sso"
 		with input.session_replaced as false
 		with data.session_limit as {"soft_limit": 32, "hard_limit": 64}

policies/schema/compat_login_input.json

@@ -4,6 +4,7 @@
   "description": "Input for the compatibility login policy.",
   "type": "object",
   "required": [
+    "is_interactive",
     "login_type",
     "requester",
     "session_counts",
@@ -27,6 +28,10 @@
       "description": "Whether a session will be replaced by this login",
       "type": "boolean"
     },
+    "is_interactive": {
+      "description": "Whether the user is currently in an interactive context. For `m.login.password`: false For `m.login.sso`: - true when asking for consent, - false when actually performing the login (at which point we create the compat session, but it's too late to show a web page)",
+      "type": "boolean"
+    },
     "login_type": {
       "$ref": "#/definitions/CompatLoginType"
     },