sebadob · sebadob · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025 · Oct 14, 2025
diff --git a/config.toml b/config.toml
@@ -2068,6 +2068,29 @@ key_path = 'tls/key.pem'
 # overwritten by: TLS_GENERATE_SELF_SIGNED
 generate_self_signed = true
 
+[tos]
+
+# The timeout in seconds for a user to accept update ToS during the
+# login flow.
+# The initial lifetime of an AuthCode after a successful authentication
+# will be extended by the `accept_timeout`. This gives the user a bit
+# more time to read through updates ToS and avoids an AuthCode expiry
+# if it takes a bit longer. This is mainly a UX improvement. After the
+# ToS have been accepted, the original AuthCode will be re-saved with
+# the actual lifetime to not weaken the security in these cases.
+#
+# CAUTION: Even though you can extend the lifetime on Rauthys side, you
+# can run into issues with logins on the client side. For legal reasons,
+# accepting updated ToS must happen after a successful login but before
+# providing any access. Login flows are not only time-limited on Rauthys
+# side, but most often also on the client side. This means if it takes
+# too long to read and accept update ToS, the user may run into an auth
+# error and do the login again.
+#
+# default: 900
+# overwritten by: TOS_ACCEPT_TIMEOUT
+accept_timeout = 900
+
 [user_pictures]
 # The storage type for user pictures.
 # By default, they are saved inside the Database, which is not ideal.

diff --git a/dev_notes.md b/dev_notes.md
@@ -2,6 +2,12 @@
 
 ## CURRENT WORK
 
+ToS TODO
+
+- handle updates during immediate login refresh
+- handle updates during AuthProvider logins
+- find a clean way to handle updates during Webauthn logins
+
 ## Stage 1 - essentials
 
 [x] finished

diff --git a/frontend/src/api/types/tos.ts b/frontend/src/api/types/tos.ts
@@ -0,0 +1,35 @@
+export interface ToSRequest {
+	is_html: boolean;
+	content: string;
+}
+
+export interface ToSUserAcceptRequest {
+	tos_ts: number;
+	// 65 char code
+	accept_code: string;
+}
+
+export interface ToSResponse {
+	ts: number;
+	author: string;
+	is_html: boolean;
+	content: string;
+}
+
+export interface ToSAwaitLoginResponse {
+	code: string;
+	user_id: string;
+}
+
+export interface ToSLatestResponse {
+	ts: number;
+	is_html: boolean;
+	content: string;
+}
+
+export interface ToSUserAcceptResponse {
+	user_id: string;
+	tos_ts: number;
+	accept_ts: number;
+	location: string;
+}
diff --git a/frontend/src/api/types/webauthn.ts b/frontend/src/api/types/webauthn.ts
@@ -1,13 +1,13 @@
 export interface PasskeyResponse {
-    name: string,
-    /// Unix timestamp in seconds
-    registered: number,
-    /// Unix timestamp in seconds
-    last_used: number,
-    user_verified?: boolean,
+	name: string;
+	/// Unix timestamp in seconds
+	registered: number;
+	/// Unix timestamp in seconds
+	last_used: number;
+	user_verified?: boolean;
 }
 
 export interface WebauthnDeleteRequest {
-    /// 32 chars long MfaModToken.id
-    mfa_mod_token_id?: string,
-}
+	/// 32 chars long MfaModToken.id
+	mfa_mod_token_id?: string;
+}
diff --git a/frontend/src/i18n/admin/de.ts b/frontend/src/i18n/admin/de.ts
diff --git a/frontend/src/i18n/admin/en.ts b/frontend/src/i18n/admin/en.ts