zitadel/internal/api/grpc/admin/export.go

package admin

import (
	"context"
	"time"

	"google.golang.org/protobuf/types/known/durationpb"
	"google.golang.org/protobuf/types/known/timestamppb"

	authn_grpc "github.com/zitadel/zitadel/internal/api/grpc/authn"
	"github.com/zitadel/zitadel/internal/api/grpc/org"
	text_grpc "github.com/zitadel/zitadel/internal/api/grpc/text"
	user_converter "github.com/zitadel/zitadel/internal/api/grpc/user"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/query"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
	app_pb "github.com/zitadel/zitadel/pkg/grpc/app"
	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp"
	management_pb "github.com/zitadel/zitadel/pkg/grpc/management"
	org_pb "github.com/zitadel/zitadel/pkg/grpc/org"
	policy_pb "github.com/zitadel/zitadel/pkg/grpc/policy"
	project_pb "github.com/zitadel/zitadel/pkg/grpc/project"
	user_pb "github.com/zitadel/zitadel/pkg/grpc/user"
	v1_pb "github.com/zitadel/zitadel/pkg/grpc/v1"
)

func (s *Server) ExportData(ctx context.Context, req *admin_pb.ExportDataRequest) (_ *admin_pb.ExportDataResponse, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	orgSearchQuery := &query.OrgSearchQueries{}
	if len(req.OrgIds) > 0 {
		orgIDsSearchQuery, err := query.NewOrgIDsSearchQuery(req.OrgIds...)
		if err != nil {
			return nil, err
		}
		orgSearchQuery.Queries = []query.SearchQuery{orgIDsSearchQuery}
	}
	queriedOrgs, err := s.query.SearchOrgs(ctx, orgSearchQuery, nil)
	if err != nil {
		return nil, err
	}

	orgs := make([]*admin_pb.DataOrg, len(queriedOrgs.Orgs))
	processedOrgs := make([]string, 0, len(queriedOrgs.Orgs))
	processedProjects := make([]string, 0)
	processedGrants := make([]string, 0)
	processedUsers := make([]string, 0)
	processedActions := make([]string, 0)

	for i, queriedOrg := range queriedOrgs.Orgs {
		if req.ExcludedOrgIds != nil {
			found := false
			for _, excludedOrg := range req.ExcludedOrgIds {
				if excludedOrg == queriedOrg.ID {
					found = true
				}
			}
			if found {
				continue
			}
		}
		processedOrgs = append(processedOrgs, queriedOrg.ID)

		/******************************************************************************************************************
		Organization
		******************************************************************************************************************/
		org := &admin_pb.DataOrg{OrgId: queriedOrg.ID, OrgState: org.OrgStateToPb(queriedOrg.State), Org: &management_pb.AddOrgRequest{Name: queriedOrg.Name}}
		orgs[i] = org
	}

	for _, org := range orgs {

		org.DomainPolicy, err = s.getDomainPolicy(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}

		org.Domains, err = s.getDomains(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}

		org.OidcIdps, org.JwtIdps, err = s.getIDPs(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}
		orgIDPs := make([]string, 0)
		for _, idp := range org.OidcIdps {
			orgIDPs = append(orgIDPs, idp.GetIdpId())
		}
		for _, idp := range org.JwtIdps {
			orgIDPs = append(orgIDPs, idp.GetIdpId())
		}

		org.LabelPolicy, err = s.getLabelPolicy(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}

		org.LoginPolicy, err = s.getLoginPolicy(ctx, org.GetOrgId(), orgIDPs)
		if err != nil {
			return nil, err
		}

		org.UserLinks, err = s.getUserLinks(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}

		org.LockoutPolicy, err = s.getLockoutPolicy(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}

		org.PasswordComplexityPolicy, err = s.getPasswordComplexityPolicy(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}

		org.PrivacyPolicy, err = s.getPrivacyPolicy(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}

		langResp, err := s.GetSupportedLanguages(ctx, &admin_pb.GetSupportedLanguagesRequest{})
		if err != nil {
			return nil, err
		}

		org.LoginTexts, err = s.getCustomLoginTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.InitMessages, err = s.getCustomInitMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.PasswordResetMessages, err = s.getCustomPasswordResetMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.VerifyEmailMessages, err = s.getCustomVerifyEmailMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.VerifyPhoneMessages, err = s.getCustomVerifyPhoneMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.VerifySmsOtpMessages, err = s.getCustomVerifySMSOTPMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.VerifyEmailOtpMessages, err = s.getCustomVerifyEmailOTPMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.DomainClaimedMessages, err = s.getCustomDomainClaimedMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		org.PasswordlessRegistrationMessages, err = s.getCustomPasswordlessRegistrationMessageTexts(ctx, org.GetOrgId(), langResp.Languages)
		if err != nil {
			return nil, err
		}

		/******************************************************************************************************************
		Users
		******************************************************************************************************************/
		org.HumanUsers, org.MachineUsers, org.UserMetadata, org.MachineKeys, err = s.getUsers(ctx, org.GetOrgId(), req.WithPasswords, req.WithOtp)
		if err != nil {
			return nil, err
		}
		for _, processedUser := range org.HumanUsers {
			processedUsers = append(processedUsers, processedUser.UserId)
		}
		for _, processedUser := range org.MachineUsers {
			processedUsers = append(processedUsers, processedUser.UserId)
		}

		/******************************************************************************************************************
		Project and Applications
		******************************************************************************************************************/
		org.Projects, org.ProjectRoles, org.OidcApps, org.ApiApps, org.AppKeys, err = s.getProjectsAndApps(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}
		for _, processedProject := range org.Projects {
			processedProjects = append(processedProjects, processedProject.ProjectId)
		}

		/******************************************************************************************************************
		Actions
		******************************************************************************************************************/
		org.Actions, err = s.getActions(ctx, org.GetOrgId())
		if err != nil {
			return nil, err
		}
		for _, processedAction := range org.Actions {
			processedActions = append(processedActions, processedAction.ActionId)
		}
	}

	for _, org := range orgs {
		/******************************************************************************************************************
		  Flows
		  ******************************************************************************************************************/
		org.TriggerActions, err = s.getTriggerActions(ctx, org.OrgId, processedActions)
		if err != nil {
			return nil, err
		}

		/******************************************************************************************************************
		  Grants
		  ******************************************************************************************************************/
		org.ProjectGrants, err = s.getNecessaryProjectGrantsForOrg(ctx, org.OrgId, processedOrgs, processedProjects)
		if err != nil {
			return nil, err
		}
		for _, processedGrant := range org.ProjectGrants {
			processedGrants = append(processedGrants, processedGrant.GrantId)
		}

		org.UserGrants, err = s.getNecessaryUserGrantsForOrg(ctx, org.OrgId, processedProjects, processedGrants, processedUsers)
		if err != nil {
			return nil, err
		}
	}

	for _, org := range orgs {
		/******************************************************************************************************************
		  Members
		  ******************************************************************************************************************/
		org.OrgMembers, err = s.getNecessaryOrgMembersForOrg(ctx, org.OrgId, processedUsers)
		if err != nil {
			return nil, err
		}

		org.ProjectMembers, err = s.getNecessaryProjectMembersForOrg(ctx, processedProjects, processedUsers)
		if err != nil {
			return nil, err
		}

		org.ProjectGrantMembers, err = s.getNecessaryProjectGrantMembersForOrg(ctx, org.OrgId, processedProjects, processedGrants, processedUsers)
		if err != nil {
			return nil, err
		}
	}

	return &admin_pb.ExportDataResponse{
		Orgs: orgs,
	}, nil
}

func (s *Server) getDomainPolicy(ctx context.Context, orgID string) (_ *admin_pb.AddCustomDomainPolicyRequest, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	queriedDomain, err := s.query.DomainPolicyByOrg(ctx, true, orgID, false)
	if err != nil {
		return nil, err
	}
	if !queriedDomain.IsDefault {
		return &admin_pb.AddCustomDomainPolicyRequest{
			OrgId:                                  orgID,
			UserLoginMustBeDomain:                  queriedDomain.UserLoginMustBeDomain,
			ValidateOrgDomains:                     queriedDomain.ValidateOrgDomains,
			SmtpSenderAddressMatchesInstanceDomain: queriedDomain.SMTPSenderAddressMatchesInstanceDomain,
		}, nil
	}
	return nil, nil
}

func (s *Server) getDomains(ctx context.Context, orgID string) (_ []*org_pb.Domain, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	orgDomainOrgIDQuery, err := query.NewOrgDomainOrgIDSearchQuery(orgID)
	if err != nil {
		return nil, err
	}
	orgDomainsQuery, err := s.query.SearchOrgDomains(ctx, &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{orgDomainOrgIDQuery}}, false)
	if err != nil {
		return nil, err
	}
	orgDomains := make([]*org_pb.Domain, len(orgDomainsQuery.Domains))
	for i, orgDomain := range orgDomainsQuery.Domains {
		orgDomains[i] = &org_pb.Domain{
			OrgId:          orgDomain.OrgID,
			DomainName:     orgDomain.Domain,
			IsVerified:     orgDomain.IsVerified,
			IsPrimary:      orgDomain.IsPrimary,
			ValidationType: org_pb.DomainValidationType(orgDomain.ValidationType),
		}
	}
	return orgDomains, nil
}

func (s *Server) getIDPs(ctx context.Context, orgID string) (_ []*v1_pb.DataOIDCIDP, _ []*v1_pb.DataJWTIDP, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	ownerType, err := query.NewIDPOwnerTypeSearchQuery(domain.IdentityProviderTypeOrg)
	if err != nil {
		return nil, nil, err
	}
	idpQuery, err := query.NewIDPResourceOwnerSearchQuery(orgID)
	if err != nil {
		return nil, nil, err
	}
	idps, err := s.query.IDPs(ctx, &query.IDPSearchQueries{Queries: []query.SearchQuery{idpQuery, ownerType}}, false)
	if err != nil {
		return nil, nil, err
	}
	oidcIdps := make([]*v1_pb.DataOIDCIDP, 0)
	jwtIdps := make([]*v1_pb.DataJWTIDP, 0)
	for _, idp := range idps.IDPs {
		if idp.OIDCIDP != nil {
			clientSecret, err := s.query.GetOIDCIDPClientSecret(ctx, false, orgID, idp.ID, false)
			if err != nil && !zerrors.IsNotFound(err) {
				return nil, nil, err
			}
			oidcIdps = append(oidcIdps, &v1_pb.DataOIDCIDP{
				IdpId: idp.ID,
				Idp: &management_pb.AddOrgOIDCIDPRequest{
					Name:               idp.Name,
					StylingType:        idp_pb.IDPStylingType(idp.StylingType),
					ClientId:           idp.ClientID,
					ClientSecret:       clientSecret,
					Issuer:             idp.OIDCIDP.Issuer,
					Scopes:             idp.Scopes,
					DisplayNameMapping: idp_pb.OIDCMappingField(idp.DisplayNameMapping),
					UsernameMapping:    idp_pb.OIDCMappingField(idp.UsernameMapping),
					AutoRegister:       idp.AutoRegister,
				},
			})
		} else if idp.JWTIDP != nil {
			jwtIdps = append(jwtIdps, &v1_pb.DataJWTIDP{
				IdpId: idp.ID,
				Idp: &management_pb.AddOrgJWTIDPRequest{
					Name:         idp.Name,
					StylingType:  idp_pb.IDPStylingType(idp.StylingType),
					JwtEndpoint:  idp.JWTIDP.Endpoint,
					Issuer:       idp.JWTIDP.Issuer,
					KeysEndpoint: idp.KeysEndpoint,
					HeaderName:   idp.HeaderName,
					AutoRegister: idp.AutoRegister,
				},
			})
		}
	}
	return oidcIdps, jwtIdps, nil
}

func (s *Server) getLabelPolicy(ctx context.Context, orgID string) (_ *management_pb.AddCustomLabelPolicyRequest, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	queriedLabel, err := s.query.ActiveLabelPolicyByOrg(ctx, orgID, false)
	if err != nil {
		return nil, err
	}
	if !queriedLabel.IsDefault {
		return &management_pb.AddCustomLabelPolicyRequest{
			PrimaryColor:        queriedLabel.Light.PrimaryColor,
			HideLoginNameSuffix: queriedLabel.HideLoginNameSuffix,
			WarnColor:           queriedLabel.Light.WarnColor,
			BackgroundColor:     queriedLabel.Light.BackgroundColor,
			FontColor:           queriedLabel.Light.FontColor,
			PrimaryColorDark:    queriedLabel.Dark.PrimaryColor,
			BackgroundColorDark: queriedLabel.Dark.BackgroundColor,
			WarnColorDark:       queriedLabel.Dark.WarnColor,
			FontColorDark:       queriedLabel.Dark.FontColor,
			DisableWatermark:    queriedLabel.WatermarkDisabled,
		}, nil
	}
	return nil, nil
}

func (s *Server) getLoginPolicy(ctx context.Context, orgID string, orgIDPs []string) (_ *management_pb.AddCustomLoginPolicyRequest, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	queriedLogin, err := s.query.LoginPolicyByID(ctx, false, orgID, false)
	if err != nil {
		return nil, err
	}
	if !queriedLogin.IsDefault {
		pwCheck := durationpb.New(time.Duration(queriedLogin.PasswordCheckLifetime))
		externalLogin := durationpb.New(time.Duration(queriedLogin.ExternalLoginCheckLifetime))
		mfaInitSkip := durationpb.New(time.Duration(queriedLogin.MFAInitSkipLifetime))
		secondFactor := durationpb.New(time.Duration(queriedLogin.SecondFactorCheckLifetime))
		multiFactor := durationpb.New(time.Duration(queriedLogin.MultiFactorCheckLifetime))

		secondFactors := []policy_pb.SecondFactorType{}
		for _, factor := range queriedLogin.SecondFactors {
			secondFactors = append(secondFactors, policy_pb.SecondFactorType(factor))
		}

		multiFactors := []policy_pb.MultiFactorType{}
		for _, factor := range queriedLogin.MultiFactors {
			multiFactors = append(multiFactors, policy_pb.MultiFactorType(factor))
		}

		idpLinksQuery, err := s.query.IDPLoginPolicyLinks(ctx, orgID, &query.IDPLoginPolicyLinksSearchQuery{}, false)
		if err != nil {
			return nil, err
		}
		idpLinks := make([]*management_pb.AddCustomLoginPolicyRequest_IDP, 0)
		for _, idpLink := range idpLinksQuery.Links {
			found := false
			for _, orgIDP := range orgIDPs {
				if orgIDP == idpLink.IDPID {
					found = true
					break
				}
			}
			ownerType := idp_pb.IDPOwnerType_IDP_OWNER_TYPE_UNSPECIFIED
			if found {
				ownerType = idp_pb.IDPOwnerType_IDP_OWNER_TYPE_ORG
			} else {
				ownerType = idp_pb.IDPOwnerType_IDP_OWNER_TYPE_SYSTEM
			}
			idpLinks = append(idpLinks, &management_pb.AddCustomLoginPolicyRequest_IDP{
				IdpId:     idpLink.IDPID,
				OwnerType: ownerType,
			})
		}

		return &management_pb.AddCustomLoginPolicyRequest{
			AllowUsernamePassword:      queriedLogin.AllowUsernamePassword,
			AllowRegister:              queriedLogin.AllowRegister,
			AllowExternalIdp:           queriedLogin.AllowExternalIDPs,
			ForceMfa:                   queriedLogin.ForceMFA,
			ForceMfaLocalOnly:          queriedLogin.ForceMFALocalOnly,
			PasswordlessType:           policy_pb.PasswordlessType(queriedLogin.PasswordlessType),
			HidePasswordReset:          queriedLogin.HidePasswordReset,
			IgnoreUnknownUsernames:     queriedLogin.IgnoreUnknownUsernames,
			DefaultRedirectUri:         queriedLogin.DefaultRedirectURI,
			PasswordCheckLifetime:      pwCheck,
			ExternalLoginCheckLifetime: externalLogin,
			MfaInitSkipLifetime:        mfaInitSkip,
			SecondFactorCheckLifetime:  secondFactor,
			MultiFactorCheckLifetime:   multiFactor,
			SecondFactors:              secondFactors,
			MultiFactors:               multiFactors,
			Idps:                       idpLinks,
		}, nil
	}

	return nil, nil
}

func (s *Server) getUserLinks(ctx context.Context, orgID string) (_ []*idp_pb.IDPUserLink, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	userLinksResourceOwner, err := query.NewIDPUserLinksResourceOwnerSearchQuery(orgID)
	if err != nil {
		return nil, err
	}
	idpUserLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{Queries: []query.SearchQuery{userLinksResourceOwner}}, nil)
	if err != nil {
		return nil, err
	}
	userLinks := make([]*idp_pb.IDPUserLink, 0)
	for _, idpUserLink := range idpUserLinks.Links {
		userLinks = append(userLinks, &idp_pb.IDPUserLink{
			UserId:           idpUserLink.UserID,
			IdpId:            idpUserLink.IDPID,
			IdpName:          idpUserLink.IDPName,
			ProvidedUserId:   idpUserLink.ProvidedUserID,
			ProvidedUserName: idpUserLink.ProvidedUsername,
			IdpType:          idp_pb.IDPType(idpUserLink.IDPType),
		})
	}

	return userLinks, nil
}

func (s *Server) getLockoutPolicy(ctx context.Context, orgID string) (_ *management_pb.AddCustomLockoutPolicyRequest, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	queriedLockout, err := s.query.LockoutPolicyByOrg(ctx, false, orgID)
	if err != nil {
		return nil, err
	}
	if !queriedLockout.IsDefault {
		return &management_pb.AddCustomLockoutPolicyRequest{
			MaxPasswordAttempts: uint32(queriedLockout.MaxPasswordAttempts),
			MaxOtpAttempts:      uint32(queriedLockout.MaxOTPAttempts),
		}, nil
	}
	return nil, nil
}

func (s *Server) getPasswordComplexityPolicy(ctx context.Context, orgID string) (_ *management_pb.AddCustomPasswordComplexityPolicyRequest, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	queriedPasswordComplexity, err := s.query.PasswordComplexityPolicyByOrg(ctx, false, orgID, false)
	if err != nil {
		return nil, err
	}
	if !queriedPasswordComplexity.IsDefault {
		return &management_pb.AddCustomPasswordComplexityPolicyRequest{
			MinLength:    queriedPasswordComplexity.MinLength,
			HasUppercase: queriedPasswordComplexity.HasUppercase,
			HasLowercase: queriedPasswordComplexity.HasLowercase,
			HasNumber:    queriedPasswordComplexity.HasNumber,
			HasSymbol:    queriedPasswordComplexity.HasSymbol,
		}, nil
	}
	return nil, nil
}

func (s *Server) getPrivacyPolicy(ctx context.Context, orgID string) (_ *management_pb.AddCustomPrivacyPolicyRequest, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	queriedPrivacy, err := s.query.PrivacyPolicyByOrg(ctx, false, orgID, false)
	if err != nil {
		return nil, err
	}
	if !queriedPrivacy.IsDefault {
		return &management_pb.AddCustomPrivacyPolicyRequest{
			TosLink:        queriedPrivacy.TOSLink,
			PrivacyLink:    queriedPrivacy.PrivacyLink,
			HelpLink:       queriedPrivacy.HelpLink,
			SupportEmail:   string(queriedPrivacy.SupportEmail),
			DocsLink:       queriedPrivacy.DocsLink,
			CustomLink:     queriedPrivacy.CustomLink,
			CustomLinkText: queriedPrivacy.CustomLinkText,
		}, nil
	}
	return nil, nil
}

func (s *Server) getUsers(ctx context.Context, org string, withPasswords bool, withOTP bool) (_ []*v1_pb.DataHumanUser, _ []*v1_pb.DataMachineUser, _ []*management_pb.SetUserMetadataRequest, _ []*v1_pb.DataMachineKey, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	orgSearch, err := query.NewUserResourceOwnerSearchQuery(org, query.TextEquals)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{orgSearch}}, nil)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	humanUsers := make([]*v1_pb.DataHumanUser, 0)
	machineUsers := make([]*v1_pb.DataMachineUser, 0)
	userMetadata := make([]*management_pb.SetUserMetadataRequest, 0)
	machineKeys := make([]*v1_pb.DataMachineKey, 0)
	for _, user := range users.Users {
		switch user.Type {
		case domain.UserTypeHuman:
			dataUser := &v1_pb.DataHumanUser{
				UserId: user.ID,
				State:  user_converter.UserStateToPb(user.State),
				User: &management_pb.ImportHumanUserRequest{
					UserName: user.Username,
					Profile: &management_pb.ImportHumanUserRequest_Profile{
						FirstName:         user.Human.FirstName,
						LastName:          user.Human.LastName,
						NickName:          user.Human.NickName,
						DisplayName:       user.Human.DisplayName,
						PreferredLanguage: user.Human.PreferredLanguage.String(),
						Gender:            user_pb.Gender(user.Human.Gender),
					},
				},
			}
			if user.Human.Email != "" {
				dataUser.User.Email = &management_pb.ImportHumanUserRequest_Email{
					Email:           string(user.Human.Email),
					IsEmailVerified: user.Human.IsEmailVerified,
				}
			}
			if user.Human.Phone != "" {
				dataUser.User.Phone = &management_pb.ImportHumanUserRequest_Phone{
					Phone:           string(user.Human.Phone),
					IsPhoneVerified: user.Human.IsPhoneVerified,
				}
			}
			if withPasswords {
				ctx, pwspan := tracing.NewSpan(ctx)
				encodedHash, err := s.query.GetHumanPassword(ctx, org, user.ID)
				pwspan.EndWithError(err)
				if err != nil && !zerrors.IsNotFound(err) {
					return nil, nil, nil, nil, err
				}
				if err == nil && encodedHash != "" {
					dataUser.User.HashedPassword = &management_pb.ImportHumanUserRequest_HashedPassword{
						Value: encodedHash,
					}
				}
			}
			if withOTP {
				ctx, otpspan := tracing.NewSpan(ctx)
				code, err := s.query.GetHumanOTPSecret(ctx, user.ID, org)
				otpspan.EndWithError(err)
				if err != nil && !zerrors.IsNotFound(err) {
					return nil, nil, nil, nil, err
				}
				if err == nil && code != "" {
					dataUser.User.OtpCode = code
				}
			}

			humanUsers = append(humanUsers, dataUser)
		case domain.UserTypeMachine:
			machineUsers = append(machineUsers, &v1_pb.DataMachineUser{
				UserId: user.ID,
				State:  user_converter.UserStateToPb(user.State),
				User: &management_pb.AddMachineUserRequest{
					UserName:    user.Username,
					Name:        user.Machine.Name,
					Description: user.Machine.Description,
				},
			})
			userIDQuery, err := query.NewAuthNKeyAggregateIDQuery(user.ID)
			if err != nil {
				return nil, nil, nil, nil, err
			}
			orgIDQuery, err := query.NewAuthNKeyResourceOwnerQuery(org)
			if err != nil {
				return nil, nil, nil, nil, err
			}

			keys, err := s.query.SearchAuthNKeysData(ctx, &query.AuthNKeySearchQueries{Queries: []query.SearchQuery{userIDQuery, orgIDQuery}})
			if err != nil {
				return nil, nil, nil, nil, err
			}
			for _, key := range keys.AuthNKeysData {
				machineKeys = append(machineKeys, &v1_pb.DataMachineKey{
					KeyId:          key.ID,
					UserId:         user.ID,
					Type:           authn_grpc.KeyTypeToPb(key.Type),
					ExpirationDate: timestamppb.New(key.Expiration),
					PublicKey:      key.PublicKey,
				})
			}
		}

		ctx, metaspan := tracing.NewSpan(ctx)
		metadataOrgSearch, err := query.NewUserMetadataResourceOwnerSearchQuery(org)
		if err != nil {
			return nil, nil, nil, nil, err
		}
		metadataList, err := s.query.SearchUserMetadata(ctx, false, user.ID, &query.UserMetadataSearchQueries{Queries: []query.SearchQuery{metadataOrgSearch}}, nil)
		metaspan.EndWithError(err)
		if err != nil {
			return nil, nil, nil, nil, err
		}
		for _, metadata := range metadataList.Metadata {
			userMetadata = append(userMetadata, &management_pb.SetUserMetadataRequest{
				Id:    user.ID,
				Key:   metadata.Key,
				Value: metadata.Value,
			})
		}
	}
	return humanUsers, machineUsers, userMetadata, machineKeys, nil
}

func (s *Server) getTriggerActions(ctx context.Context, org string, processedActions []string) (_ []*management_pb.SetTriggerActionsRequest, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()
	flowTypes := []domain.FlowType{domain.FlowTypeExternalAuthentication, domain.FlowTypeInternalAuthentication}
	triggerActions := make([]*management_pb.SetTriggerActionsRequest, 0)

	for _, flowType := range flowTypes {
		flow, err := s.query.GetFlow(ctx, flowType, org)
		if err != nil {
			return nil, err
		}

		for triggerType, triggerAction := range flow.TriggerActions {
			actions := make([]string, 0)
			for _, action := range triggerAction {
				for _, actionID := range processedActions {
					if action.ID == actionID {
						actions = append(actions, action.ID)
					}
				}
			}

			triggerActions = append(triggerActions, &management_pb.SetTriggerActionsRequest{
				FlowType:    flowType.ID(),
				TriggerType: triggerType.ID(),
				ActionIds:   actions,
			})
		}
	}
	return triggerActions, nil
}

func (s *Server) getActions(ctx context.Context, org string) ([]*v1_pb.DataAction, error) {
	actionSearch, err := query.NewActionResourceOwnerQuery(org)
	if err != nil {
		return nil, err
	}
	queriedActions, err := s.query.SearchActions(ctx, &query.ActionSearchQueries{Queries: []query.SearchQuery{actionSearch}}, false)
	if err != nil {
		return nil, err
	}
	actions := make([]*v1_pb.DataAction, len(queriedActions.Actions))
	for i, action := range queriedActions.Actions {
		timeout := durationpb.New(action.Timeout())

		actions[i] = &v1_pb.DataAction{
			ActionId: action.ID,
			Action: &management_pb.CreateActionRequest{
				Name:          action.Name,
				Script:        action.Script,
				Timeout:       timeout,
				AllowedToFail: action.AllowedToFail,
			},
		}
	}

	return actions, nil
}

func (s *Server) getProjectsAndApps(ctx context.Context, org string) ([]*v1_pb.DataProject, []*management_pb.AddProjectRoleRequest, []*v1_pb.DataOIDCApplication, []*v1_pb.DataAPIApplication, []*v1_pb.DataAppKey, error) {
	projectSearch, err := query.NewProjectResourceOwnerSearchQuery(org)
	if err != nil {
		return nil, nil, nil, nil, nil, err
	}
	queriedProjects, err := s.query.SearchProjects(ctx, &query.ProjectSearchQueries{Queries: []query.SearchQuery{projectSearch}}, nil)
	if err != nil {
		return nil, nil, nil, nil, nil, err
	}

	projects := make([]*v1_pb.DataProject, len(queriedProjects.Projects))
	orgProjectRoles := make([]*management_pb.AddProjectRoleRequest, 0)
	oidcApps := make([]*v1_pb.DataOIDCApplication, 0)
	apiApps := make([]*v1_pb.DataAPIApplication, 0)
	appKeys := make([]*v1_pb.DataAppKey, 0)
	for i, queriedProject := range queriedProjects.Projects {
		projects[i] = &v1_pb.DataProject{
			ProjectId: queriedProject.ID,
			Project: &management_pb.AddProjectRequest{
				Name:                   queriedProject.Name,
				ProjectRoleAssertion:   queriedProject.ProjectRoleAssertion,
				ProjectRoleCheck:       queriedProject.ProjectRoleCheck,
				HasProjectCheck:        queriedProject.HasProjectCheck,
				PrivateLabelingSetting: project_pb.PrivateLabelingSetting(queriedProject.PrivateLabelingSetting),
			},
		}

		projectRoleSearch, err := query.NewProjectRoleProjectIDSearchQuery(queriedProject.ID)
		if err != nil {
			return nil, nil, nil, nil, nil, err
		}

		queriedProjectRoles, err := s.query.SearchProjectRoles(ctx, false, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectRoleSearch}}, nil)
		if err != nil {
			return nil, nil, nil, nil, nil, err
		}
		for _, role := range queriedProjectRoles.ProjectRoles {
			orgProjectRoles = append(orgProjectRoles, &management_pb.AddProjectRoleRequest{
				ProjectId:   role.ProjectID,
				RoleKey:     role.Key,
				DisplayName: role.DisplayName,
				Group:       role.Group,
			})
		}

		appSearch, err := query.NewAppProjectIDSearchQuery(queriedProject.ID)
		if err != nil {
			return nil, nil, nil, nil, nil, err
		}
		apps, err := s.query.SearchApps(ctx, &query.AppSearchQueries{Queries: []query.SearchQuery{appSearch}}, nil)
		if err != nil {
			return nil, nil, nil, nil, nil, err
		}
		for _, app := range apps.Apps {
			if app.OIDCConfig != nil {
				responseTypes := make([]app_pb.OIDCResponseType, 0)
				for _, ty := range app.OIDCConfig.ResponseTypes {
					responseTypes = append(responseTypes, app_pb.OIDCResponseType(ty))
				}

				grantTypes := make([]app_pb.OIDCGrantType, 0)
				for _, ty := range app.OIDCConfig.GrantTypes {
					grantTypes = append(grantTypes, app_pb.OIDCGrantType(ty))
				}

				oidcApps = append(oidcApps, &v1_pb.DataOIDCApplication{
					AppId: app.ID,
					App: &management_pb.AddOIDCAppRequest{
						ProjectId:                app.ProjectID,
						Name:                     app.Name,
						RedirectUris:             app.OIDCConfig.RedirectURIs,
						ResponseTypes:            responseTypes,
						GrantTypes:               grantTypes,
						AppType:                  app_pb.OIDCAppType(app.OIDCConfig.AppType),
						AuthMethodType:           app_pb.OIDCAuthMethodType(app.OIDCConfig.AuthMethodType),
						PostLogoutRedirectUris:   app.OIDCConfig.PostLogoutRedirectURIs,
						Version:                  app_pb.OIDCVersion(app.OIDCConfig.Version),
						DevMode:                  app.OIDCConfig.IsDevMode,
						AccessTokenType:          app_pb.OIDCTokenType(app.OIDCConfig.AccessTokenType),
						AccessTokenRoleAssertion: app.OIDCConfig.AssertAccessTokenRole,
						IdTokenRoleAssertion:     app.OIDCConfig.AssertIDTokenRole,
						IdTokenUserinfoAssertion: app.OIDCConfig.AssertIDTokenUserinfo,
						ClockSkew:                durationpb.New(app.OIDCConfig.ClockSkew),
						AdditionalOrigins:        app.OIDCConfig.AdditionalOrigins,
						SkipNativeAppSuccessPage: app.OIDCConfig.SkipNativeAppSuccessPage,
					},
				})
			}
			if app.APIConfig != nil {
				apiApps = append(apiApps, &v1_pb.DataAPIApplication{
					AppId: app.ID,
					App: &management_pb.AddAPIAppRequest{
						ProjectId:      app.ProjectID,
						Name:           app.Name,
						AuthMethodType: app_pb.APIAuthMethodType(app.APIConfig.AuthMethodType),
					},
				})
			}
			appIDQuery, err := query.NewAuthNKeyObjectIDQuery(app.ID)
			if err != nil {
				return nil, nil, nil, nil, nil, err
			}
			projectIDQuery, err := query.NewAuthNKeyAggregateIDQuery(app.ProjectID)
			if err != nil {
				return nil, nil, nil, nil, nil, err
			}
			orgIDQuery, err := query.NewAuthNKeyResourceOwnerQuery(org)
			if err != nil {
				return nil, nil, nil, nil, nil, err
			}
			keys, err := s.query.SearchAuthNKeysData(ctx, &query.AuthNKeySearchQueries{Queries: []query.SearchQuery{appIDQuery, projectIDQuery, orgIDQuery}})
			if err != nil {
				return nil, nil, nil, nil, nil, err
			}
			for _, key := range keys.AuthNKeysData {
				appKeys = append(appKeys, &v1_pb.DataAppKey{
					Id:             key.ID,
					ProjectId:      app.ProjectID,
					AppId:          app.ID,
					Type:           authn_grpc.KeyTypeToPb(key.Type),
					ExpirationDate: timestamppb.New(key.Expiration),
					ClientId:       key.Identifier,
					PublicKey:      key.PublicKey,
				})
			}
		}
	}
	return projects, orgProjectRoles, oidcApps, apiApps, appKeys, nil
}

func (s *Server) getNecessaryProjectGrantMembersForOrg(ctx context.Context, org string, processedProjects []string, processedGrants []string, processedUsers []string) ([]*management_pb.AddProjectGrantMemberRequest, error) {
	projectMembers := make([]*management_pb.AddProjectGrantMemberRequest, 0)

	for _, projectID := range processedProjects {
		for _, grantID := range processedGrants {
			search, err := query.NewMemberResourceOwnerSearchQuery(org)
			if err != nil {
				return nil, err
			}

			queriedProjectMembers, err := s.query.ProjectGrantMembers(ctx, &query.ProjectGrantMembersQuery{ProjectID: projectID, OrgID: org, GrantID: grantID, MembersQuery: query.MembersQuery{Queries: []query.SearchQuery{search}}})
			if err != nil {
				return nil, err
			}
			for _, projectMember := range queriedProjectMembers.Members {
				for _, userID := range processedUsers {
					if userID == projectMember.UserID {

						projectMembers = append(projectMembers, &management_pb.AddProjectGrantMemberRequest{
							ProjectId: projectID,
							UserId:    userID,
							GrantId:   grantID,
							Roles:     projectMember.Roles,
						})
						break
					}
				}
			}
		}
	}
	return projectMembers, nil
}

func (s *Server) getNecessaryProjectMembersForOrg(ctx context.Context, processedProjects []string, processedUsers []string) ([]*management_pb.AddProjectMemberRequest, error) {
	projectMembers := make([]*management_pb.AddProjectMemberRequest, 0)

	for _, projectID := range processedProjects {
		queriedProjectMembers, err := s.query.ProjectMembers(ctx, &query.ProjectMembersQuery{ProjectID: projectID})
		if err != nil {
			return nil, err
		}
		for _, projectMember := range queriedProjectMembers.Members {
			for _, userID := range processedUsers {
				if userID == projectMember.UserID {
					projectMembers = append(projectMembers, &management_pb.AddProjectMemberRequest{
						ProjectId: projectID,
						UserId:    userID,
						Roles:     projectMember.Roles,
					})
					break
				}
			}
		}
	}
	return projectMembers, nil
}

func (s *Server) getNecessaryOrgMembersForOrg(ctx context.Context, org string, processedUsers []string) ([]*management_pb.AddOrgMemberRequest, error) {
	queriedOrgMembers, err := s.query.OrgMembers(ctx, &query.OrgMembersQuery{OrgID: org})
	if err != nil {
		return nil, err
	}
	orgMembers := make([]*management_pb.AddOrgMemberRequest, 0, len(queriedOrgMembers.Members))
	for _, orgMember := range queriedOrgMembers.Members {
		for _, userID := range processedUsers {
			if userID == orgMember.UserID {
				orgMembers = append(orgMembers, &management_pb.AddOrgMemberRequest{
					UserId: orgMember.UserID,
					Roles:  orgMember.Roles,
				})
				break
			}
		}
	}
	return orgMembers, nil
}

func (s *Server) getNecessaryProjectGrantsForOrg(ctx context.Context, org string, processedOrgs []string, processedProjects []string) ([]*v1_pb.DataProjectGrant, error) {
	projectGrantSearchOrg, err := query.NewProjectGrantResourceOwnerSearchQuery(org)
	if err != nil {
		return nil, err
	}
	queriedProjectGrants, err := s.query.SearchProjectGrants(ctx, &query.ProjectGrantSearchQueries{Queries: []query.SearchQuery{projectGrantSearchOrg}}, nil)
	if err != nil {
		return nil, err
	}
	projectGrants := make([]*v1_pb.DataProjectGrant, 0, len(queriedProjectGrants.ProjectGrants))
	for _, projectGrant := range queriedProjectGrants.ProjectGrants {
		for _, projectID := range processedProjects {
			if projectID == projectGrant.ProjectID {
				foundOrg := false
				for _, orgID := range processedOrgs {
					if orgID == projectGrant.GrantedOrgID {
						projectGrants = append(projectGrants, &v1_pb.DataProjectGrant{
							GrantId: projectGrant.GrantID,
							ProjectGrant: &management_pb.AddProjectGrantRequest{
								ProjectId:    projectGrant.ProjectID,
								GrantedOrgId: projectGrant.GrantedOrgID,
								RoleKeys:     projectGrant.GrantedRoleKeys,
							},
						})
						foundOrg = true
						break
					}
				}
				if foundOrg {
					break
				}
			}
		}
	}
	return projectGrants, nil
}

func (s *Server) getNecessaryUserGrantsForOrg(ctx context.Context, org string, processedProjects []string, processedGrants []string, processedUsers []string) ([]*management_pb.AddUserGrantRequest, error) {
	userGrantSearchOrg, err := query.NewUserGrantResourceOwnerSearchQuery(org)
	if err != nil {
		return nil, err
	}

	queriedUserGrants, err := s.query.UserGrants(ctx, &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantSearchOrg}}, true, nil)
	if err != nil {
		return nil, err
	}
	userGrants := make([]*management_pb.AddUserGrantRequest, 0, len(queriedUserGrants.UserGrants))
	for _, userGrant := range queriedUserGrants.UserGrants {
		for _, projectID := range processedProjects {
			if projectID == userGrant.ProjectID {
				// if usergrant is on a granted project
				if userGrant.GrantID != "" {
					for _, grantID := range processedGrants {
						if grantID == userGrant.GrantID {
							for _, userID := range processedUsers {
								if userID == userGrant.UserID {
									userGrants = append(userGrants, &management_pb.AddUserGrantRequest{
										UserId:         userGrant.UserID,
										ProjectId:      userGrant.ProjectID,
										ProjectGrantId: userGrant.GrantID,
										RoleKeys:       userGrant.Roles,
									})
								}
							}
						}
					}
				} else {
					for _, userID := range processedUsers {
						if userID == userGrant.UserID {
							userGrants = append(userGrants, &management_pb.AddUserGrantRequest{
								UserId:         userGrant.UserID,
								ProjectId:      userGrant.ProjectID,
								ProjectGrantId: userGrant.GrantID,
								RoleKeys:       userGrant.Roles,
							})
						}
					}
				}
			}
		}
	}
	return userGrants, nil
}

func (s *Server) getCustomLoginTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomLoginTextsRequest, error) {
	customTexts := make([]*management_pb.SetCustomLoginTextsRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.GetCustomLoginTexts(ctx, org, lang)
		if err != nil {
			return nil, err
		}
		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomLoginTextsRequest{
				Language:                             lang,
				SelectAccountText:                    text_grpc.SelectAccountScreenToPb(text.SelectAccount),
				LoginText:                            text_grpc.LoginScreenTextToPb(text.Login),
				PasswordText:                         text_grpc.PasswordScreenTextToPb(text.Password),
				UsernameChangeText:                   text_grpc.UsernameChangeScreenTextToPb(text.UsernameChange),
				UsernameChangeDoneText:               text_grpc.UsernameChangeDoneScreenTextToPb(text.UsernameChangeDone),
				InitPasswordText:                     text_grpc.InitPasswordScreenTextToPb(text.InitPassword),
				InitPasswordDoneText:                 text_grpc.InitPasswordDoneScreenTextToPb(text.InitPasswordDone),
				EmailVerificationText:                text_grpc.EmailVerificationScreenTextToPb(text.EmailVerification),
				EmailVerificationDoneText:            text_grpc.EmailVerificationDoneScreenTextToPb(text.EmailVerificationDone),
				InitializeUserText:                   text_grpc.InitializeUserScreenTextToPb(text.InitUser),
				InitializeDoneText:                   text_grpc.InitializeUserDoneScreenTextToPb(text.InitUserDone),
				InitMfaPromptText:                    text_grpc.InitMFAPromptScreenTextToPb(text.InitMFAPrompt),
				InitMfaOtpText:                       text_grpc.InitMFAOTPScreenTextToPb(text.InitMFAOTP),
				InitMfaU2FText:                       text_grpc.InitMFAU2FScreenTextToPb(text.InitMFAU2F),
				InitMfaDoneText:                      text_grpc.InitMFADoneScreenTextToPb(text.InitMFADone),
				MfaProvidersText:                     text_grpc.MFAProvidersTextToPb(text.MFAProvider),
				VerifyMfaOtpText:                     text_grpc.VerifyMFAOTPScreenTextToPb(text.VerifyMFAOTP),
				VerifyMfaU2FText:                     text_grpc.VerifyMFAU2FScreenTextToPb(text.VerifyMFAU2F),
				PasswordlessText:                     text_grpc.PasswordlessScreenTextToPb(text.Passwordless),
				PasswordlessPromptText:               text_grpc.PasswordlessPromptScreenTextToPb(text.PasswordlessPrompt),
				PasswordlessRegistrationText:         text_grpc.PasswordlessRegistrationScreenTextToPb(text.PasswordlessRegistration),
				PasswordlessRegistrationDoneText:     text_grpc.PasswordlessRegistrationDoneScreenTextToPb(text.PasswordlessRegistrationDone),
				PasswordChangeText:                   text_grpc.PasswordChangeScreenTextToPb(text.PasswordChange),
				PasswordChangeDoneText:               text_grpc.PasswordChangeDoneScreenTextToPb(text.PasswordChangeDone),
				PasswordResetDoneText:                text_grpc.PasswordResetDoneScreenTextToPb(text.PasswordResetDone),
				RegistrationOptionText:               text_grpc.RegistrationOptionScreenTextToPb(text.RegisterOption),
				RegistrationUserText:                 text_grpc.RegistrationUserScreenTextToPb(text.RegistrationUser),
				ExternalRegistrationUserOverviewText: text_grpc.ExternalRegistrationUserOverviewScreenTextToPb(text.ExternalRegistrationUserOverview),
				RegistrationOrgText:                  text_grpc.RegistrationOrgScreenTextToPb(text.RegistrationOrg),
				LinkingUserDoneText:                  text_grpc.LinkingUserDoneScreenTextToPb(text.LinkingUsersDone),
				ExternalUserNotFoundText:             text_grpc.ExternalUserNotFoundScreenTextToPb(text.ExternalNotFound),
				SuccessLoginText:                     text_grpc.SuccessLoginScreenTextToPb(text.LoginSuccess),
				LogoutText:                           text_grpc.LogoutDoneScreenTextToPb(text.LogoutDone),
				FooterText:                           text_grpc.FooterTextToPb(text.Footer),
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomInitMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomInitMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomInitMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.InitCodeMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomInitMessageTextRequest{
				Language:   lang,
				Title:      text.Title,
				PreHeader:  text.PreHeader,
				Subject:    text.Subject,
				Greeting:   text.Greeting,
				Text:       text.Text,
				ButtonText: text.ButtonText,
				FooterText: text.Footer,
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomPasswordResetMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomPasswordResetMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomPasswordResetMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.PasswordResetMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomPasswordResetMessageTextRequest{
				Language:   lang,
				Title:      text.Title,
				PreHeader:  text.PreHeader,
				Subject:    text.Subject,
				Greeting:   text.Greeting,
				Text:       text.Text,
				ButtonText: text.ButtonText,
				FooterText: text.Footer,
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomVerifyEmailMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomVerifyEmailMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomVerifyEmailMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifyEmailMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomVerifyEmailMessageTextRequest{
				Language:   lang,
				Title:      text.Title,
				PreHeader:  text.PreHeader,
				Subject:    text.Subject,
				Greeting:   text.Greeting,
				Text:       text.Text,
				ButtonText: text.ButtonText,
				FooterText: text.Footer,
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomVerifyPhoneMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomVerifyPhoneMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomVerifyPhoneMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifyPhoneMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomVerifyPhoneMessageTextRequest{
				Language:   lang,
				Title:      text.Title,
				PreHeader:  text.PreHeader,
				Subject:    text.Subject,
				Greeting:   text.Greeting,
				Text:       text.Text,
				ButtonText: text.ButtonText,
				FooterText: text.Footer,
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomVerifySMSOTPMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomVerifySMSOTPMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomVerifySMSOTPMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifySMSOTPMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomVerifySMSOTPMessageTextRequest{
				Language: lang,
				Text:     text.Text,
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomVerifyEmailOTPMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomVerifyEmailOTPMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomVerifyEmailOTPMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.VerifyEmailOTPMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomVerifyEmailOTPMessageTextRequest{
				Language:   lang,
				Title:      text.Title,
				PreHeader:  text.PreHeader,
				Subject:    text.Subject,
				Greeting:   text.Greeting,
				Text:       text.Text,
				ButtonText: text.ButtonText,
				FooterText: text.Footer,
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomDomainClaimedMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomDomainClaimedMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomDomainClaimedMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.DomainClaimedMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomDomainClaimedMessageTextRequest{
				Language:   lang,
				Title:      text.Title,
				PreHeader:  text.PreHeader,
				Subject:    text.Subject,
				Greeting:   text.Greeting,
				Text:       text.Text,
				ButtonText: text.ButtonText,
				FooterText: text.Footer,
			})
		}
	}

	return customTexts, nil
}

func (s *Server) getCustomPasswordlessRegistrationMessageTexts(ctx context.Context, org string, languages []string) ([]*management_pb.SetCustomPasswordlessRegistrationMessageTextRequest, error) {
	customTexts := make([]*management_pb.SetCustomPasswordlessRegistrationMessageTextRequest, 0, len(languages))
	for _, lang := range languages {
		text, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, org, domain.DomainClaimedMessageType, lang, false)
		if err != nil {
			return nil, err
		}

		if !text.IsDefault {
			customTexts = append(customTexts, &management_pb.SetCustomPasswordlessRegistrationMessageTextRequest{
				Language:   lang,
				Title:      text.Title,
				PreHeader:  text.PreHeader,
				Subject:    text.Subject,
				Greeting:   text.Greeting,
				Text:       text.Text,
				ButtonText: text.ButtonText,
				FooterText: text.Footer,
			})
		}
	}

	return customTexts, nil
}