zitadel/apps/login/src/lib/server/verify.ts

"use server";

import {
  getLoginSettings,
  getSession,
  getUserByID,
  listAuthenticationMethodTypes,
  resendEmailCode,
  resendInviteCode,
  verifyEmail,
  verifyInviteCode,
} from "@/lib/zitadel";
import { create } from "@zitadel/client";
import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
import { ChecksSchema } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
import { User } from "@zitadel/proto/zitadel/user/v2/user_pb";
import { headers } from "next/headers";
import { getNextUrl } from "../client";
import { getSessionCookieByLoginName } from "../cookies";
import { checkMFAFactors } from "../verify-helper";
import { createSessionAndUpdateCookie } from "./cookie";

type VerifyUserByEmailCommand = {
  userId: string;
  loginName?: string; // to determine already existing session
  organization?: string;
  code: string;
  isInvite: boolean;
  authRequestId?: string;
};

export async function sendVerification(command: VerifyUserByEmailCommand) {
  const verifyResponse = command.isInvite
    ? await verifyInviteCode(command.userId, command.code).catch(() => {
        return { error: "Could not verify invite" };
      })
    : await verifyEmail(command.userId, command.code).catch(() => {
        return { error: "Could not verify email" };
      });

  if (!verifyResponse) {
    return { error: "Could not verify user" };
  }

  let session: Session | undefined;
  let user: User | undefined;

  if ("loginName" in command) {
    const sessionCookie = await getSessionCookieByLoginName({
      loginName: command.loginName,
      organization: command.organization,
    }).catch((error) => {
      console.warn("Ignored error:", error);
    });

    if (!sessionCookie) {
      return { error: "Could not load session cookie" };
    }

    session = await getSession({
      sessionId: sessionCookie.id,
      sessionToken: sessionCookie.token,
    }).then((response) => {
      if (response?.session) {
        return response.session;
      }
    });

    if (!session?.factors?.user?.id) {
      return { error: "Could not create session for user" };
    }

    const userResponse = await getUserByID(session?.factors?.user?.id);

    if (!userResponse?.user) {
      return { error: "Could not load user" };
    }

    user = userResponse.user;
  } else {
    const userResponse = await getUserByID(command.userId);

    if (!userResponse || !userResponse.user) {
      return { error: "Could not load user" };
    }

    user = userResponse.user;

    const checks = create(ChecksSchema, {
      user: {
        search: {
          case: "loginName",
          value: userResponse.user.preferredLoginName,
        },
      },
    });

    session = await createSessionAndUpdateCookie(
      checks,
      undefined,
      command.authRequestId,
    );
  }

  if (!session?.factors?.user?.id) {
    return { error: "Could not create session for user" };
  }

  if (!session?.factors?.user?.id) {
    return { error: "Could not create session for user" };
  }

  if (!user) {
    return { error: "Could not load user" };
  }

  const loginSettings = await getLoginSettings(user.details?.resourceOwner);

  const authMethodResponse = await listAuthenticationMethodTypes(user.userId);

  if (!authMethodResponse || !authMethodResponse.authMethodTypes) {
    return { error: "Could not load possible authenticators" };
  }

  // if no authmethods are found on the user, redirect to set one up
  if (
    authMethodResponse &&
    authMethodResponse.authMethodTypes &&
    authMethodResponse.authMethodTypes.length == 0
  ) {
    const params = new URLSearchParams({
      sessionId: session.id,
    });

    if (session.factors?.user?.loginName) {
      params.set("loginName", session.factors?.user?.loginName);
    }
    return { redirect: `/authenticator/set?${params}` };
  }

  // redirect to mfa factor if user has one, or redirect to set one up
  checkMFAFactors(
    session,
    loginSettings,
    authMethodResponse.authMethodTypes,
    command.organization,
    command.authRequestId,
  );

  // login user if no additional steps are required
  if (command.authRequestId && session.id) {
    const nextUrl = await getNextUrl(
      {
        sessionId: session.id,
        authRequestId: command.authRequestId,
        organization:
          command.organization ?? session.factors?.user?.organizationId,
      },
      loginSettings?.defaultRedirectUri,
    );

    return { redirect: nextUrl };
  }

  const url = await getNextUrl(
    {
      loginName: session.factors.user.loginName,
      organization: session.factors?.user?.organizationId,
    },
    loginSettings?.defaultRedirectUri,
  );

  return { redirect: url };
}

type resendVerifyEmailCommand = {
  userId: string;
  isInvite: boolean;
  authRequestId?: string;
};

export async function resendVerification(command: resendVerifyEmailCommand) {
  const host = (await headers()).get("host");

  return command.isInvite
    ? resendInviteCode(command.userId)
    : resendEmailCode(command.userId, host, command.authRequestId);
}

export type SendVerificationRedirectWithoutCheckCommand = {
  organization?: string;
  authRequestId?: string;
} & (
  | { userId: string; loginName?: never }
  | { userId?: never; loginName: string }
);

export async function sendVerificationRedirectWithoutCheck(
  command: SendVerificationRedirectWithoutCheckCommand,
) {
  if (!("loginName" in command || "userId" in command)) {
    return { error: "No userId, nor loginname provided" };
  }

  let session: Session | undefined;
  let user: User | undefined;

  if ("loginName" in command) {
    const sessionCookie = await getSessionCookieByLoginName({
      loginName: command.loginName,
      organization: command.organization,
    }).catch((error) => {
      console.warn("Ignored error:", error);
    });

    if (!sessionCookie) {
      return { error: "Could not load session cookie" };
    }

    session = await getSession({
      sessionId: sessionCookie.id,
      sessionToken: sessionCookie.token,
    }).then((response) => {
      if (response?.session) {
        return response.session;
      }
    });

    if (!session?.factors?.user?.id) {
      return { error: "Could not create session for user" };
    }

    const userResponse = await getUserByID(session?.factors?.user?.id);

    if (!userResponse?.user) {
      return { error: "Could not load user" };
    }

    user = userResponse.user;
  } else if ("userId" in command) {
    const userResponse = await getUserByID(command.userId);

    if (!userResponse?.user) {
      return { error: "Could not load user" };
    }

    user = userResponse.user;

    const checks = create(ChecksSchema, {
      user: {
        search: {
          case: "loginName",
          value: userResponse.user.preferredLoginName,
        },
      },
    });

    session = await createSessionAndUpdateCookie(
      checks,
      undefined,
      command.authRequestId,
    );
  }

  if (!session?.factors?.user?.id) {
    return { error: "Could not create session for user" };
  }

  if (!session?.factors?.user?.id) {
    return { error: "Could not create session for user" };
  }

  if (!user) {
    return { error: "Could not load user" };
  }

  const authMethodResponse = await listAuthenticationMethodTypes(user.userId);

  if (!authMethodResponse || !authMethodResponse.authMethodTypes) {
    return { error: "Could not load possible authenticators" };
  }

  // if no authmethods are found on the user, redirect to set one up
  if (
    authMethodResponse &&
    authMethodResponse.authMethodTypes &&
    authMethodResponse.authMethodTypes.length == 0
  ) {
    const params = new URLSearchParams({
      sessionId: session.id,
    });

    if (session.factors?.user?.loginName) {
      params.set("loginName", session.factors?.user?.loginName);
    }
    return { redirect: `/authenticator/set?${params}` };
  }

  const loginSettings = await getLoginSettings(user.details?.resourceOwner);

  // redirect to mfa factor if user has one, or redirect to set one up
  checkMFAFactors(
    session,
    loginSettings,
    authMethodResponse.authMethodTypes,
    command.organization,
    command.authRequestId,
  );

  // login user if no additional steps are required
  if (command.authRequestId && session.id) {
    const nextUrl = await getNextUrl(
      {
        sessionId: session.id,
        authRequestId: command.authRequestId,
        organization:
          command.organization ?? session.factors?.user?.organizationId,
      },
      loginSettings?.defaultRedirectUri,
    );

    return { redirect: nextUrl };
  }

  const url = await getNextUrl(
    {
      loginName: session.factors.user.loginName,
      organization: session.factors?.user?.organizationId,
    },
    loginSettings?.defaultRedirectUri,
  );

  return { redirect: url };
}
fix: verify email 2024-12-17 15:57:42 +01:00			`"use server";`

			`import {`
			`getLoginSettings,`
context on verification pages 2024-12-19 08:59:39 +01:00			`getSession,`
fix: verify email 2024-12-17 15:57:42 +01:00			`getUserByID,`
			`listAuthenticationMethodTypes,`
			`resendEmailCode,`
			`resendInviteCode,`
			`verifyEmail,`
			`verifyInviteCode,`
			`} from "@/lib/zitadel";`
			`import { create } from "@zitadel/client";`
context on verification pages 2024-12-19 08:59:39 +01:00			`import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";`
fix: verify email 2024-12-17 15:57:42 +01:00			`import { ChecksSchema } from "@zitadel/proto/zitadel/session/v2/session_service_pb";`
			`import { User } from "@zitadel/proto/zitadel/user/v2/user_pb";`
verify commands 2024-12-19 11:28:35 +01:00			`import { headers } from "next/headers";`
context on verification pages 2024-12-19 08:59:39 +01:00			`import { getNextUrl } from "../client";`
fix: verify email 2024-12-17 15:57:42 +01:00			`import { getSessionCookieByLoginName } from "../cookies";`
verify commands 2024-12-19 11:28:35 +01:00			`import { checkMFAFactors } from "../verify-helper";`
context on verification pages 2024-12-19 08:59:39 +01:00			`import { createSessionAndUpdateCookie } from "./cookie";`
fix: verify email 2024-12-17 15:57:42 +01:00
			`type VerifyUserByEmailCommand = {`
			`userId: string;`
verify commands 2024-12-19 11:28:35 +01:00			`loginName?: string; // to determine already existing session`
			`organization?: string;`
fix: verify email 2024-12-17 15:57:42 +01:00			`code: string;`
			`isInvite: boolean;`
			`authRequestId?: string;`
			`};`

			`export async function sendVerification(command: VerifyUserByEmailCommand) {`
			`const verifyResponse = command.isInvite`
			`? await verifyInviteCode(command.userId, command.code).catch(() => {`
			`return { error: "Could not verify invite" };`
			`})`
			`: await verifyEmail(command.userId, command.code).catch(() => {`
			`return { error: "Could not verify email" };`
			`});`

			`if (!verifyResponse) {`
			`return { error: "Could not verify user" };`
			`}`

verify commands 2024-12-19 11:28:35 +01:00			`let session: Session \| undefined;`
			`let user: User \| undefined;`
fix: verify email 2024-12-17 15:57:42 +01:00
verify commands 2024-12-19 11:28:35 +01:00			`if ("loginName" in command) {`
			`const sessionCookie = await getSessionCookieByLoginName({`
			`loginName: command.loginName,`
			`organization: command.organization,`
			`}).catch((error) => {`
			`console.warn("Ignored error:", error);`
			`});`

			`if (!sessionCookie) {`
			`return { error: "Could not load session cookie" };`
			`}`

			`session = await getSession({`
			`sessionId: sessionCookie.id,`
			`sessionToken: sessionCookie.token,`
			`}).then((response) => {`
			`if (response?.session) {`
			`return response.session;`
			`}`
			`});`

			`if (!session?.factors?.user?.id) {`
			`return { error: "Could not create session for user" };`
			`}`
fix: verify email 2024-12-17 15:57:42 +01:00
verify commands 2024-12-19 11:28:35 +01:00			`const userResponse = await getUserByID(session?.factors?.user?.id);`

			`if (!userResponse?.user) {`
			`return { error: "Could not load user" };`
			`}`

			`user = userResponse.user;`
			`} else {`
			`const userResponse = await getUserByID(command.userId);`

			`if (!userResponse \|\| !userResponse.user) {`
			`return { error: "Could not load user" };`
			`}`

			`user = userResponse.user;`

			`const checks = create(ChecksSchema, {`
			`user: {`
			`search: {`
			`case: "loginName",`
			`value: userResponse.user.preferredLoginName,`
			`},`
fix: verify email 2024-12-17 15:57:42 +01:00			`},`
verify commands 2024-12-19 11:28:35 +01:00			`});`
fix: verify email 2024-12-17 15:57:42 +01:00
verify commands 2024-12-19 11:28:35 +01:00			`session = await createSessionAndUpdateCookie(`
			`checks,`
			`undefined,`
			`command.authRequestId,`
			`);`
			`}`
fix: verify email 2024-12-17 15:57:42 +01:00
verify commands 2024-12-19 11:28:35 +01:00			`if (!session?.factors?.user?.id) {`
			`return { error: "Could not create session for user" };`
			`}`

			`if (!session?.factors?.user?.id) {`
			`return { error: "Could not create session for user" };`
			`}`

			`if (!user) {`
			`return { error: "Could not load user" };`
			`}`

			`const loginSettings = await getLoginSettings(user.details?.resourceOwner);`

			`const authMethodResponse = await listAuthenticationMethodTypes(user.userId);`
fix: verify email 2024-12-17 15:57:42 +01:00
			`if (!authMethodResponse \|\| !authMethodResponse.authMethodTypes) {`
			`return { error: "Could not load possible authenticators" };`
			`}`
verify commands 2024-12-19 11:28:35 +01:00
fix: verify email 2024-12-17 15:57:42 +01:00			`// if no authmethods are found on the user, redirect to set one up`
			`if (`
			`authMethodResponse &&`
			`authMethodResponse.authMethodTypes &&`
			`authMethodResponse.authMethodTypes.length == 0`
			`) {`
			`const params = new URLSearchParams({`
			`sessionId: session.id,`
			`});`

			`if (session.factors?.user?.loginName) {`
			`params.set("loginName", session.factors?.user?.loginName);`
			`}`
			return { redirect: `/authenticator/set?${params}` };
			`}`
verify commands 2024-12-19 11:28:35 +01:00
			`// redirect to mfa factor if user has one, or redirect to set one up`
			`checkMFAFactors(`
			`session,`
			`loginSettings,`
			`authMethodResponse.authMethodTypes,`
			`command.organization,`
			`command.authRequestId,`
			`);`

			`// login user if no additional steps are required`
			`if (command.authRequestId && session.id) {`
			`const nextUrl = await getNextUrl(`
			`{`
			`sessionId: session.id,`
			`authRequestId: command.authRequestId,`
			`organization:`
			`command.organization ?? session.factors?.user?.organizationId,`
			`},`
			`loginSettings?.defaultRedirectUri,`
			`);`

			`return { redirect: nextUrl };`
			`}`

			`const url = await getNextUrl(`
			`{`
			`loginName: session.factors.user.loginName,`
			`organization: session.factors?.user?.organizationId,`
			`},`
			`loginSettings?.defaultRedirectUri,`
			`);`

			`return { redirect: url };`
fix: verify email 2024-12-17 15:57:42 +01:00			`}`

			`type resendVerifyEmailCommand = {`
			`userId: string;`
			`isInvite: boolean;`
verify commands 2024-12-19 11:28:35 +01:00			`authRequestId?: string;`
fix: verify email 2024-12-17 15:57:42 +01:00			`};`

			`export async function resendVerification(command: resendVerifyEmailCommand) {`
verify commands 2024-12-19 11:28:35 +01:00			`const host = (await headers()).get("host");`

fix: verify email 2024-12-17 15:57:42 +01:00			`return command.isInvite`
			`? resendInviteCode(command.userId)`
verify commands 2024-12-19 11:28:35 +01:00			`: resendEmailCode(command.userId, host, command.authRequestId);`
fix: verify email 2024-12-17 15:57:42 +01:00			`}`

context on verification pages 2024-12-19 08:59:39 +01:00			`export type SendVerificationRedirectWithoutCheckCommand = {`
			`organization?: string;`
			`authRequestId?: string;`
			`} & (`
			`\| { userId: string; loginName?: never }`
			`\| { userId?: never; loginName: string }`
			`);`
fix: verify email 2024-12-17 15:57:42 +01:00
			`export async function sendVerificationRedirectWithoutCheck(`
			`command: SendVerificationRedirectWithoutCheckCommand,`
			`) {`
			`if (!("loginName" in command \|\| "userId" in command)) {`
			`return { error: "No userId, nor loginname provided" };`
			`}`

context on verification pages 2024-12-19 08:59:39 +01:00			`let session: Session \| undefined;`
			`let user: User \| undefined;`

fix: verify email 2024-12-17 15:57:42 +01:00			`if ("loginName" in command) {`
context on verification pages 2024-12-19 08:59:39 +01:00			`const sessionCookie = await getSessionCookieByLoginName({`
fix: verify email 2024-12-17 15:57:42 +01:00			`loginName: command.loginName,`
			`organization: command.organization,`
			`}).catch((error) => {`
			`console.warn("Ignored error:", error);`
			`});`

context on verification pages 2024-12-19 08:59:39 +01:00			`if (!sessionCookie) {`
			`return { error: "Could not load session cookie" };`
fix: verify email 2024-12-17 15:57:42 +01:00			`}`

context on verification pages 2024-12-19 08:59:39 +01:00			`session = await getSession({`
			`sessionId: sessionCookie.id,`
			`sessionToken: sessionCookie.token,`
			`}).then((response) => {`
			`if (response?.session) {`
			`return response.session;`
			`}`
			`});`
fix: verify email 2024-12-17 15:57:42 +01:00
			`if (!session?.factors?.user?.id) {`
			`return { error: "Could not create session for user" };`
			`}`

			`const userResponse = await getUserByID(session?.factors?.user?.id);`

context on verification pages 2024-12-19 08:59:39 +01:00			`if (!userResponse?.user) {`
			`return { error: "Could not load user" };`
fix: verify email 2024-12-17 15:57:42 +01:00			`}`

			`user = userResponse.user;`
context on verification pages 2024-12-19 08:59:39 +01:00			`} else if ("userId" in command) {`
			`const userResponse = await getUserByID(command.userId);`
fix: verify email 2024-12-17 15:57:42 +01:00
context on verification pages 2024-12-19 08:59:39 +01:00			`if (!userResponse?.user) {`
			`return { error: "Could not load user" };`
			`}`

			`user = userResponse.user;`

			`const checks = create(ChecksSchema, {`
			`user: {`
			`search: {`
			`case: "loginName",`
			`value: userResponse.user.preferredLoginName,`
			`},`
			`},`
			`});`

			`session = await createSessionAndUpdateCookie(`
			`checks,`
			`undefined,`
			`command.authRequestId,`
fix: verify email 2024-12-17 15:57:42 +01:00			`);`
			`}`

context on verification pages 2024-12-19 08:59:39 +01:00			`if (!session?.factors?.user?.id) {`
fix: verify email 2024-12-17 15:57:42 +01:00			`return { error: "Could not create session for user" };`
			`}`

context on verification pages 2024-12-19 08:59:39 +01:00			`if (!session?.factors?.user?.id) {`
			`return { error: "Could not create session for user" };`
			`}`

			`if (!user) {`
			`return { error: "Could not load user" };`
			`}`

			`const authMethodResponse = await listAuthenticationMethodTypes(user.userId);`
fix: verify email 2024-12-17 15:57:42 +01:00
			`if (!authMethodResponse \|\| !authMethodResponse.authMethodTypes) {`
			`return { error: "Could not load possible authenticators" };`
			`}`
context on verification pages 2024-12-19 08:59:39 +01:00
fix: verify email 2024-12-17 15:57:42 +01:00			`// if no authmethods are found on the user, redirect to set one up`
			`if (`
			`authMethodResponse &&`
			`authMethodResponse.authMethodTypes &&`
			`authMethodResponse.authMethodTypes.length == 0`
			`) {`
			`const params = new URLSearchParams({`
			`sessionId: session.id,`
			`});`

			`if (session.factors?.user?.loginName) {`
			`params.set("loginName", session.factors?.user?.loginName);`
			`}`
			return { redirect: `/authenticator/set?${params}` };
			`}`
context on verification pages 2024-12-19 08:59:39 +01:00
verify commands 2024-12-19 11:28:35 +01:00			`const loginSettings = await getLoginSettings(user.details?.resourceOwner);`

context on verification pages 2024-12-19 08:59:39 +01:00			`// redirect to mfa factor if user has one, or redirect to set one up`
			`checkMFAFactors(`
			`session,`
			`loginSettings,`
			`authMethodResponse.authMethodTypes,`
			`command.organization,`
			`command.authRequestId,`
			`);`

			`// login user if no additional steps are required`
			`if (command.authRequestId && session.id) {`
			`const nextUrl = await getNextUrl(`
			`{`
			`sessionId: session.id,`
			`authRequestId: command.authRequestId,`
			`organization:`
			`command.organization ?? session.factors?.user?.organizationId,`
			`},`
			`loginSettings?.defaultRedirectUri,`
			`);`

			`return { redirect: nextUrl };`
			`}`

			`const url = await getNextUrl(`
			`{`
			`loginName: session.factors.user.loginName,`
			`organization: session.factors?.user?.organizationId,`
			`},`
			`loginSettings?.defaultRedirectUri,`
			`);`

			`return { redirect: url };`
fix: verify email 2024-12-17 15:57:42 +01:00			`}`