zitadel/internal/api/grpc/user/v2/human.go

package user

import (
	"context"
	"io"

	"golang.org/x/text/language"
	"google.golang.org/protobuf/types/known/timestamppb"

	"github.com/zitadel/zitadel/internal/command"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/zerrors"
	legacyobject "github.com/zitadel/zitadel/pkg/grpc/object/v2"
	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)

func (s *Server) createUserTypeHuman(ctx context.Context, humanPb *user.CreateUserRequest_Human, orgId string, userName, userId *string) (*user.CreateUserResponse, error) {
	addHumanPb := &user.AddHumanUserRequest{
		Username: userName,
		UserId:   userId,
		Organization: &legacyobject.Organization{
			Org: &legacyobject.Organization_OrgId{OrgId: orgId},
		},
		Profile:    humanPb.Profile,
		Email:      humanPb.Email,
		Phone:      humanPb.Phone,
		IdpLinks:   humanPb.IdpLinks,
		TotpSecret: humanPb.TotpSecret,
	}
	switch pwType := humanPb.GetPasswordType().(type) {
	case *user.CreateUserRequest_Human_HashedPassword:
		addHumanPb.PasswordType = &user.AddHumanUserRequest_HashedPassword{
			HashedPassword: pwType.HashedPassword,
		}
	case *user.CreateUserRequest_Human_Password:
		addHumanPb.PasswordType = &user.AddHumanUserRequest_Password{
			Password: pwType.Password,
		}
	default:
		// optional password is not set
	}
	newHuman, err := AddUserRequestToAddHuman(addHumanPb)
	if err != nil {
		return nil, err
	}
	if err = s.command.AddUserHuman(
		ctx,
		orgId,
		newHuman,
		false,
		s.userCodeAlg,
	); err != nil {
		return nil, err
	}
	return &user.CreateUserResponse{
		Id:           newHuman.ID,
		CreationDate: timestamppb.New(newHuman.Details.EventDate),
		EmailCode:    newHuman.EmailCode,
		PhoneCode:    newHuman.PhoneCode,
	}, nil
}

func (s *Server) updateUserTypeHuman(ctx context.Context, humanPb *user.UpdateUserRequest_Human, userId string, userName *string) (*user.UpdateUserResponse, error) {
	cmd, err := updateHumanUserToCommand(userId, userName, humanPb)
	if err != nil {
		return nil, err
	}
	if err = s.command.ChangeUserHuman(ctx, cmd, s.userCodeAlg); err != nil {
		return nil, err
	}
	return &user.UpdateUserResponse{
		ChangeDate: timestamppb.New(cmd.Details.EventDate),
		EmailCode:  cmd.EmailCode,
		PhoneCode:  cmd.PhoneCode,
	}, nil
}

func updateHumanUserToCommand(userId string, userName *string, human *user.UpdateUserRequest_Human) (*command.ChangeHuman, error) {
	phone := human.GetPhone()
	if phone != nil && phone.Phone == "" && phone.GetVerification() != nil {
		return nil, zerrors.ThrowInvalidArgument(nil, "USERv2-4f3d6", "Errors.User.Phone.VerifyingRemovalIsNotSupported")
	}
	email, err := setHumanEmailToEmail(human.Email, userId)
	if err != nil {
		return nil, err
	}
	return &command.ChangeHuman{
		ID:       userId,
		Username: userName,
		Profile:  SetHumanProfileToProfile(human.Profile),
		Email:    email,
		Phone:    setHumanPhoneToPhone(human.Phone, true),
		Password: setHumanPasswordToPassword(human.Password),
	}, nil
}

func updateHumanUserRequestToChangeHuman(req *user.UpdateHumanUserRequest) (*command.ChangeHuman, error) {
	email, err := setHumanEmailToEmail(req.Email, req.GetUserId())
	if err != nil {
		return nil, err
	}
	changeHuman := &command.ChangeHuman{
		ID:       req.GetUserId(),
		Username: req.Username,
		Email:    email,
		Phone:    setHumanPhoneToPhone(req.Phone, false),
		Password: setHumanPasswordToPassword(req.Password),
	}
	if profile := req.GetProfile(); profile != nil {
		var firstName *string
		if profile.GivenName != "" {
			firstName = &profile.GivenName
		}
		var lastName *string
		if profile.FamilyName != "" {
			lastName = &profile.FamilyName
		}
		changeHuman.Profile = SetHumanProfileToProfile(&user.UpdateUserRequest_Human_Profile{
			GivenName:         firstName,
			FamilyName:        lastName,
			NickName:          profile.NickName,
			DisplayName:       profile.DisplayName,
			PreferredLanguage: profile.PreferredLanguage,
			Gender:            profile.Gender,
		})
	}
	return changeHuman, nil
}

func SetHumanProfileToProfile(profile *user.UpdateUserRequest_Human_Profile) *command.Profile {
	if profile == nil {
		return nil
	}
	return &command.Profile{
		FirstName:         profile.GivenName,
		LastName:          profile.FamilyName,
		NickName:          profile.NickName,
		DisplayName:       profile.DisplayName,
		PreferredLanguage: ifNotNilPtr(profile.PreferredLanguage, language.Make),
		Gender:            ifNotNilPtr(profile.Gender, genderToDomain),
	}
}

func setHumanEmailToEmail(email *user.SetHumanEmail, userID string) (*command.Email, error) {
	if email == nil {
		return nil, nil
	}
	var urlTemplate string
	if email.GetSendCode() != nil && email.GetSendCode().UrlTemplate != nil {
		urlTemplate = *email.GetSendCode().UrlTemplate
		if err := domain.RenderConfirmURLTemplate(io.Discard, urlTemplate, userID, "code", "orgID"); err != nil {
			return nil, err
		}
	}
	return &command.Email{
		Address:     domain.EmailAddress(email.Email),
		Verified:    email.GetIsVerified(),
		ReturnCode:  email.GetReturnCode() != nil,
		URLTemplate: urlTemplate,
	}, nil
}

func setHumanPhoneToPhone(phone *user.SetHumanPhone, withRemove bool) *command.Phone {
	if phone == nil {
		return nil
	}
	number := phone.GetPhone()
	return &command.Phone{
		Number:     domain.PhoneNumber(number),
		Verified:   phone.GetIsVerified(),
		ReturnCode: phone.GetReturnCode() != nil,
		Remove:     withRemove && number == "",
	}
}

func setHumanPasswordToPassword(password *user.SetPassword) *command.Password {
	if password == nil {
		return nil
	}
	return &command.Password{
		PasswordCode:        password.GetVerificationCode(),
		OldPassword:         password.GetCurrentPassword(),
		Password:            password.GetPassword().GetPassword(),
		EncodedPasswordHash: password.GetHashedPassword().GetHash(),
		ChangeRequired:      password.GetPassword().GetChangeRequired() || password.GetHashedPassword().GetChangeRequired(),
	}
}
feat: user api requests to resource API (#9794) # Which Problems Are Solved This pull request addresses a significant gap in the user service v2 API, which currently lacks methods for managing machine users. # How the Problems Are Solved This PR adds new API endpoints to the user service v2 to manage machine users including their secret, keys and personal access tokens. Additionally, there's now a CreateUser and UpdateUser endpoints which allow to create either a human or machine user and update them. The existing `CreateHumanUser` endpoint has been deprecated along the corresponding management service endpoints. For details check the additional context section. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9349 ## More details - API changes: https://github.com/zitadel/zitadel/pull/9680 - Implementation: https://github.com/zitadel/zitadel/pull/9763 - Tests: https://github.com/zitadel/zitadel/pull/9771 ## Follow-ups - Metadata: support managing user metadata using resource API https://github.com/zitadel/zitadel/pull/10005 - Machine token type: support managing the machine token type (migrate to new enum with zero value unspecified?) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-06-04 09:17:23 +02:00			`package user`

			`import (`
			`"context"`
			`"io"`

			`"golang.org/x/text/language"`
			`"google.golang.org/protobuf/types/known/timestamppb"`

			`"github.com/zitadel/zitadel/internal/command"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/zerrors"`
			`legacyobject "github.com/zitadel/zitadel/pkg/grpc/object/v2"`
			`"github.com/zitadel/zitadel/pkg/grpc/user/v2"`
			`)`

			`func (s Server) createUserTypeHuman(ctx context.Context, humanPb user.CreateUserRequest_Human, orgId string, userName, userId string) (user.CreateUserResponse, error) {`
			`addHumanPb := &user.AddHumanUserRequest{`
			`Username: userName,`
			`UserId: userId,`
			`Organization: &legacyobject.Organization{`
			`Org: &legacyobject.Organization_OrgId{OrgId: orgId},`
			`},`
			`Profile: humanPb.Profile,`
			`Email: humanPb.Email,`
			`Phone: humanPb.Phone,`
			`IdpLinks: humanPb.IdpLinks,`
			`TotpSecret: humanPb.TotpSecret,`
			`}`
			`switch pwType := humanPb.GetPasswordType().(type) {`
			`case *user.CreateUserRequest_Human_HashedPassword:`
			`addHumanPb.PasswordType = &user.AddHumanUserRequest_HashedPassword{`
			`HashedPassword: pwType.HashedPassword,`
			`}`
			`case *user.CreateUserRequest_Human_Password:`
			`addHumanPb.PasswordType = &user.AddHumanUserRequest_Password{`
			`Password: pwType.Password,`
			`}`
			`default:`
			`// optional password is not set`
			`}`
			`newHuman, err := AddUserRequestToAddHuman(addHumanPb)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err = s.command.AddUserHuman(`
			`ctx,`
			`orgId,`
			`newHuman,`
			`false,`
			`s.userCodeAlg,`
			`); err != nil {`
			`return nil, err`
			`}`
			`return &user.CreateUserResponse{`
			`Id: newHuman.ID,`
			`CreationDate: timestamppb.New(newHuman.Details.EventDate),`
			`EmailCode: newHuman.EmailCode,`
			`PhoneCode: newHuman.PhoneCode,`
			`}, nil`
			`}`

			`func (s Server) updateUserTypeHuman(ctx context.Context, humanPb user.UpdateUserRequest_Human, userId string, userName string) (user.UpdateUserResponse, error) {`
			`cmd, err := updateHumanUserToCommand(userId, userName, humanPb)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err = s.command.ChangeUserHuman(ctx, cmd, s.userCodeAlg); err != nil {`
			`return nil, err`
			`}`
			`return &user.UpdateUserResponse{`
			`ChangeDate: timestamppb.New(cmd.Details.EventDate),`
			`EmailCode: cmd.EmailCode,`
			`PhoneCode: cmd.PhoneCode,`
			`}, nil`
			`}`

			`func updateHumanUserToCommand(userId string, userName string, human user.UpdateUserRequest_Human) (*command.ChangeHuman, error) {`
			`phone := human.GetPhone()`
			`if phone != nil && phone.Phone == "" && phone.GetVerification() != nil {`
			`return nil, zerrors.ThrowInvalidArgument(nil, "USERv2-4f3d6", "Errors.User.Phone.VerifyingRemovalIsNotSupported")`
			`}`
			`email, err := setHumanEmailToEmail(human.Email, userId)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &command.ChangeHuman{`
			`ID: userId,`
			`Username: userName,`
			`Profile: SetHumanProfileToProfile(human.Profile),`
			`Email: email,`
			`Phone: setHumanPhoneToPhone(human.Phone, true),`
			`Password: setHumanPasswordToPassword(human.Password),`
			`}, nil`
			`}`

			`func updateHumanUserRequestToChangeHuman(req user.UpdateHumanUserRequest) (command.ChangeHuman, error) {`
			`email, err := setHumanEmailToEmail(req.Email, req.GetUserId())`
			`if err != nil {`
			`return nil, err`
			`}`
			`changeHuman := &command.ChangeHuman{`
			`ID: req.GetUserId(),`
			`Username: req.Username,`
			`Email: email,`
			`Phone: setHumanPhoneToPhone(req.Phone, false),`
			`Password: setHumanPasswordToPassword(req.Password),`
			`}`
			`if profile := req.GetProfile(); profile != nil {`
			`var firstName *string`
			`if profile.GivenName != "" {`
			`firstName = &profile.GivenName`
			`}`
			`var lastName *string`
			`if profile.FamilyName != "" {`
			`lastName = &profile.FamilyName`
			`}`
			`changeHuman.Profile = SetHumanProfileToProfile(&user.UpdateUserRequest_Human_Profile{`
			`GivenName: firstName,`
			`FamilyName: lastName,`
			`NickName: profile.NickName,`
			`DisplayName: profile.DisplayName,`
			`PreferredLanguage: profile.PreferredLanguage,`
			`Gender: profile.Gender,`
			`})`
			`}`
			`return changeHuman, nil`
			`}`

			`func SetHumanProfileToProfile(profile user.UpdateUserRequest_Human_Profile) command.Profile {`
			`if profile == nil {`
			`return nil`
			`}`
			`return &command.Profile{`
			`FirstName: profile.GivenName,`
			`LastName: profile.FamilyName,`
			`NickName: profile.NickName,`
			`DisplayName: profile.DisplayName,`
			`PreferredLanguage: ifNotNilPtr(profile.PreferredLanguage, language.Make),`
			`Gender: ifNotNilPtr(profile.Gender, genderToDomain),`
			`}`
			`}`

			`func setHumanEmailToEmail(email user.SetHumanEmail, userID string) (command.Email, error) {`
			`if email == nil {`
			`return nil, nil`
			`}`
			`var urlTemplate string`
			`if email.GetSendCode() != nil && email.GetSendCode().UrlTemplate != nil {`
			`urlTemplate = *email.GetSendCode().UrlTemplate`
			`if err := domain.RenderConfirmURLTemplate(io.Discard, urlTemplate, userID, "code", "orgID"); err != nil {`
			`return nil, err`
			`}`
			`}`
			`return &command.Email{`
			`Address: domain.EmailAddress(email.Email),`
			`Verified: email.GetIsVerified(),`
			`ReturnCode: email.GetReturnCode() != nil,`
			`URLTemplate: urlTemplate,`
			`}, nil`
			`}`

			`func setHumanPhoneToPhone(phone user.SetHumanPhone, withRemove bool) command.Phone {`
			`if phone == nil {`
			`return nil`
			`}`
			`number := phone.GetPhone()`
			`return &command.Phone{`
			`Number: domain.PhoneNumber(number),`
			`Verified: phone.GetIsVerified(),`
			`ReturnCode: phone.GetReturnCode() != nil,`
			`Remove: withRemove && number == "",`
			`}`
			`}`

			`func setHumanPasswordToPassword(password user.SetPassword) command.Password {`
			`if password == nil {`
			`return nil`
			`}`
			`return &command.Password{`
			`PasswordCode: password.GetVerificationCode(),`
			`OldPassword: password.GetCurrentPassword(),`
			`Password: password.GetPassword().GetPassword(),`
			`EncodedPasswordHash: password.GetHashedPassword().GetHash(),`
			`ChangeRequired: password.GetPassword().GetChangeRequired() \|\| password.GetHashedPassword().GetChangeRequired(),`
			`}`
			`}`