zitadel/internal/api/grpc/user/v2/passkey.go

package user

import (
	"context"

	"google.golang.org/protobuf/types/known/structpb"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
	"github.com/zitadel/zitadel/internal/domain"
	caos_errs "github.com/zitadel/zitadel/internal/errors"
	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
	user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
)

func (s *Server) RegisterPasskey(ctx context.Context, req *user.RegisterPasskeyRequest) (resp *user.RegisterPasskeyResponse, err error) {
	var (
		resourceOwner = authz.GetCtxData(ctx).ResourceOwner
		authenticator = passkeyAuthenticatorToDomain(req.GetAuthenticator())
	)
	if code := req.GetCode(); code != nil {
		return passkeyRegistrationDetailsToPb(
			s.command.RegisterUserPasskeyWithCode(ctx, req.GetUserId(), resourceOwner, authenticator, code.Id, code.Code, req.GetDomain(), s.userCodeAlg),
		)
	}
	return passkeyRegistrationDetailsToPb(
		s.command.RegisterUserPasskey(ctx, req.GetUserId(), resourceOwner, req.GetDomain(), authenticator),
	)
}

func passkeyAuthenticatorToDomain(pa user.PasskeyAuthenticator) domain.AuthenticatorAttachment {
	switch pa {
	case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_UNSPECIFIED:
		return domain.AuthenticatorAttachmentUnspecified
	case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_PLATFORM:
		return domain.AuthenticatorAttachmentPlattform
	case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_CROSS_PLATFORM:
		return domain.AuthenticatorAttachmentCrossPlattform
	default:
		return domain.AuthenticatorAttachmentUnspecified
	}
}

func webAuthNRegistrationDetailsToPb(details *domain.WebAuthNRegistrationDetails, err error) (*object_pb.Details, *structpb.Struct, error) {
	if err != nil {
		return nil, nil, err
	}
	options := new(structpb.Struct)
	if err := options.UnmarshalJSON(details.PublicKeyCredentialCreationOptions); err != nil {
		return nil, nil, caos_errs.ThrowInternal(err, "USERv2-Dohr6", "Errors.Internal")
	}
	return object.DomainToDetailsPb(details.ObjectDetails), options, nil
}

func passkeyRegistrationDetailsToPb(details *domain.WebAuthNRegistrationDetails, err error) (*user.RegisterPasskeyResponse, error) {
	objectDetails, options, err := webAuthNRegistrationDetailsToPb(details, err)
	if err != nil {
		return nil, err
	}
	return &user.RegisterPasskeyResponse{
		Details:                            objectDetails,
		PasskeyId:                          details.ID,
		PublicKeyCredentialCreationOptions: options,
	}, nil
}

func (s *Server) VerifyPasskeyRegistration(ctx context.Context, req *user.VerifyPasskeyRegistrationRequest) (*user.VerifyPasskeyRegistrationResponse, error) {
	resourceOwner := authz.GetCtxData(ctx).ResourceOwner
	pkc, err := req.GetPublicKeyCredential().MarshalJSON()
	if err != nil {
		return nil, caos_errs.ThrowInternal(err, "USERv2-Pha2o", "Errors.Internal")
	}
	objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, req.GetUserId(), resourceOwner, req.GetPasskeyName(), "", pkc)
	if err != nil {
		return nil, err
	}
	return &user.VerifyPasskeyRegistrationResponse{
		Details: object.DomainToDetailsPb(objectDetails),
	}, nil
}

func (s *Server) CreatePasskeyRegistrationLink(ctx context.Context, req *user.CreatePasskeyRegistrationLinkRequest) (resp *user.CreatePasskeyRegistrationLinkResponse, err error) {
	resourceOwner := authz.GetCtxData(ctx).ResourceOwner

	switch medium := req.Medium.(type) {
	case nil:
		return passkeyDetailsToPb(
			s.command.AddUserPasskeyCode(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),
		)
	case *user.CreatePasskeyRegistrationLinkRequest_SendLink:
		return passkeyDetailsToPb(
			s.command.AddUserPasskeyCodeURLTemplate(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg, medium.SendLink.GetUrlTemplate()),
		)
	case *user.CreatePasskeyRegistrationLinkRequest_ReturnCode:
		return passkeyCodeDetailsToPb(
			s.command.AddUserPasskeyCodeReturn(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),
		)
	default:
		return nil, caos_errs.ThrowUnimplementedf(nil, "USERv2-gaD8y", "verification oneOf %T in method CreatePasskeyRegistrationLink not implemented", medium)
	}
}

func passkeyDetailsToPb(details *domain.ObjectDetails, err error) (*user.CreatePasskeyRegistrationLinkResponse, error) {
	if err != nil {
		return nil, err
	}
	return &user.CreatePasskeyRegistrationLinkResponse{
		Details: object.DomainToDetailsPb(details),
	}, nil
}

func passkeyCodeDetailsToPb(details *domain.PasskeyCodeDetails, err error) (*user.CreatePasskeyRegistrationLinkResponse, error) {
	if err != nil {
		return nil, err
	}
	return &user.CreatePasskeyRegistrationLinkResponse{
		Details: object.DomainToDetailsPb(details.ObjectDetails),
		Code: &user.PasskeyRegistrationCode{
			Id:   details.CodeID,
			Code: details.Code,
		},
	}, nil
}
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`package user`

			`import (`
			`"context"`

feat: session v2 passkey authentication (#5952) 2023-06-07 15:28:42 +00:00			`"google.golang.org/protobuf/types/known/structpb"`

feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`"github.com/zitadel/zitadel/internal/api/authz"`
			`"github.com/zitadel/zitadel/internal/api/grpc/object/v2"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`caos_errs "github.com/zitadel/zitadel/internal/errors"`
feat(api): move resource apis to beta (#6530) Moves UserService, SessionService, SettingsService and OIDCService to beta state. This includes gRPC and HTTP path changes. 2023-09-13 12:43:01 +00:00			`object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"`
			`user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`)`

			`func (s Server) RegisterPasskey(ctx context.Context, req user.RegisterPasskeyRequest) (resp *user.RegisterPasskeyResponse, err error) {`
			`var (`
			`resourceOwner = authz.GetCtxData(ctx).ResourceOwner`
			`authenticator = passkeyAuthenticatorToDomain(req.GetAuthenticator())`
			`)`
			`if code := req.GetCode(); code != nil {`
			`return passkeyRegistrationDetailsToPb(`
fix: provide domain in session, passkey and u2f (#6097) This fix provides a possibility to pass a domain on the session, which will be used (as rpID) to create a passkey / u2f assertion and attestation. This is useful in cases where the login UI is served under a different domain / origin than the ZITADEL API. 2023-06-27 12:36:07 +00:00			`s.command.RegisterUserPasskeyWithCode(ctx, req.GetUserId(), resourceOwner, authenticator, code.Id, code.Code, req.GetDomain(), s.userCodeAlg),`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`)`
			`}`
			`return passkeyRegistrationDetailsToPb(`
fix: provide domain in session, passkey and u2f (#6097) This fix provides a possibility to pass a domain on the session, which will be used (as rpID) to create a passkey / u2f assertion and attestation. This is useful in cases where the login UI is served under a different domain / origin than the ZITADEL API. 2023-06-27 12:36:07 +00:00			`s.command.RegisterUserPasskey(ctx, req.GetUserId(), resourceOwner, req.GetDomain(), authenticator),`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`)`
			`}`

			`func passkeyAuthenticatorToDomain(pa user.PasskeyAuthenticator) domain.AuthenticatorAttachment {`
			`switch pa {`
			`case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_UNSPECIFIED:`
			`return domain.AuthenticatorAttachmentUnspecified`
			`case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_PLATFORM:`
			`return domain.AuthenticatorAttachmentPlattform`
			`case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_CROSS_PLATFORM:`
			`return domain.AuthenticatorAttachmentCrossPlattform`
			`default:`
			`return domain.AuthenticatorAttachmentUnspecified`
			`}`
			`}`

feat(v2): register user u2f (#6020) 2023-06-15 05:32:40 +00:00			`func webAuthNRegistrationDetailsToPb(details domain.WebAuthNRegistrationDetails, err error) (object_pb.Details, *structpb.Struct, error) {`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`if err != nil {`
feat(v2): register user u2f (#6020) 2023-06-15 05:32:40 +00:00			`return nil, nil, err`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`}`
feat: session v2 passkey authentication (#5952) 2023-06-07 15:28:42 +00:00			`options := new(structpb.Struct)`
feat(v2): register user u2f (#6020) 2023-06-15 05:32:40 +00:00			`if err := options.UnmarshalJSON(details.PublicKeyCredentialCreationOptions); err != nil {`
			`return nil, nil, caos_errs.ThrowInternal(err, "USERv2-Dohr6", "Errors.Internal")`
			`}`
			`return object.DomainToDetailsPb(details.ObjectDetails), options, nil`
			`}`

			`func passkeyRegistrationDetailsToPb(details domain.WebAuthNRegistrationDetails, err error) (user.RegisterPasskeyResponse, error) {`
			`objectDetails, options, err := webAuthNRegistrationDetailsToPb(details, err)`
			`if err != nil {`
			`return nil, err`
feat: session v2 passkey authentication (#5952) 2023-06-07 15:28:42 +00:00			`}`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`return &user.RegisterPasskeyResponse{`
feat(v2): register user u2f (#6020) 2023-06-15 05:32:40 +00:00			`Details: objectDetails,`
			`PasskeyId: details.ID,`
feat: session v2 passkey authentication (#5952) 2023-06-07 15:28:42 +00:00			`PublicKeyCredentialCreationOptions: options,`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`}, nil`
			`}`

			`func (s Server) VerifyPasskeyRegistration(ctx context.Context, req user.VerifyPasskeyRegistrationRequest) (*user.VerifyPasskeyRegistrationResponse, error) {`
			`resourceOwner := authz.GetCtxData(ctx).ResourceOwner`
feat(v2): register user u2f (#6020) 2023-06-15 05:32:40 +00:00			`pkc, err := req.GetPublicKeyCredential().MarshalJSON()`
feat: session v2 passkey authentication (#5952) 2023-06-07 15:28:42 +00:00			`if err != nil {`
			`return nil, caos_errs.ThrowInternal(err, "USERv2-Pha2o", "Errors.Internal")`
			`}`
			`objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, req.GetUserId(), resourceOwner, req.GetPasskeyName(), "", pkc)`
feat: implement register Passkey user API v2 (#5873) * command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client 2023-05-24 10:22:00 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return &user.VerifyPasskeyRegistrationResponse{`
			`Details: object.DomainToDetailsPb(objectDetails),`
			`}, nil`
			`}`

			`func (s Server) CreatePasskeyRegistrationLink(ctx context.Context, req user.CreatePasskeyRegistrationLinkRequest) (resp *user.CreatePasskeyRegistrationLinkResponse, err error) {`
			`resourceOwner := authz.GetCtxData(ctx).ResourceOwner`

			`switch medium := req.Medium.(type) {`
			`case nil:`
			`return passkeyDetailsToPb(`
			`s.command.AddUserPasskeyCode(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),`
			`)`
			`case *user.CreatePasskeyRegistrationLinkRequest_SendLink:`
			`return passkeyDetailsToPb(`
			`s.command.AddUserPasskeyCodeURLTemplate(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg, medium.SendLink.GetUrlTemplate()),`
			`)`
			`case *user.CreatePasskeyRegistrationLinkRequest_ReturnCode:`
			`return passkeyCodeDetailsToPb(`
			`s.command.AddUserPasskeyCodeReturn(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),`
			`)`
			`default:`
			`return nil, caos_errs.ThrowUnimplementedf(nil, "USERv2-gaD8y", "verification oneOf %T in method CreatePasskeyRegistrationLink not implemented", medium)`
			`}`
			`}`

			`func passkeyDetailsToPb(details domain.ObjectDetails, err error) (user.CreatePasskeyRegistrationLinkResponse, error) {`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &user.CreatePasskeyRegistrationLinkResponse{`
			`Details: object.DomainToDetailsPb(details),`
			`}, nil`
			`}`

			`func passkeyCodeDetailsToPb(details domain.PasskeyCodeDetails, err error) (user.CreatePasskeyRegistrationLinkResponse, error) {`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &user.CreatePasskeyRegistrationLinkResponse{`
			`Details: object.DomainToDetailsPb(details.ObjectDetails),`
			`Code: &user.PasskeyRegistrationCode{`
			`Id: details.CodeID,`
			`Code: details.Code,`
			`},`
			`}, nil`
			`}`