zitadel/internal/api/ui/login/mfa_init_sms.go

package login

import (
	"net/http"

	"github.com/zitadel/zitadel/internal/domain"
)

const (
	tmplMFASMSInit = "mfainitsms"
)

type smsInitData struct {
	userData
	Edit    bool
	MFAType domain.MFAType
	Phone   string
}

type smsInitFormData struct {
	Edit     bool   `schema:"edit"`
	Resend   bool   `schema:"resend"`
	Phone    string `schema:"phone"`
	NewPhone string `schema:"newPhone"`
	Code     string `schema:"code"`
}

// handleRegisterOTPSMS checks if the user has a verified phone number and will directly add OTP SMS as 2FA.
// It will also add a successful OTP SMS check to the auth request.
// If there's no verified phone number, the potential last phone number will be used to render the registration page
func (l *Login) handleRegisterOTPSMS(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
	user, err := l.query.GetNotifyUserByID(r.Context(), true, authReq.UserID)
	if err != nil {
		l.renderError(w, r, authReq, err)
		return
	}
	if user.VerifiedPhone == "" {
		data := new(smsInitData)
		data.Phone = user.LastPhone
		data.Edit = user.LastPhone == ""
		l.renderRegisterSMS(w, r, authReq, data, nil)
		return
	}
	_, err = l.command.AddHumanOTPSMSWithCheckSucceeded(setUserContext(r.Context(), authReq.UserID, authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq)
	if err != nil {
		l.renderError(w, r, authReq, err)
		return
	}
	done := &mfaDoneData{
		MFAType: domain.MFATypeOTPSMS,
	}
	l.renderMFAInitDone(w, r, authReq, done)
}

func (l *Login) renderRegisterSMS(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *smsInitData, err error) {
	var errID, errMessage string
	if err != nil {
		errID, errMessage = l.getErrorMessage(r, err)
	}
	translator := l.getTranslator(r.Context(), authReq)
	data.baseData = l.getBaseData(r, authReq, translator, "InitMFAOTP.Title", "InitMFAOTP.Description", errID, errMessage)
	data.profileData = l.getProfileData(authReq)
	data.MFAType = domain.MFATypeOTPSMS
	l.renderer.RenderTemplate(w, r, translator, l.renderer.Templates[tmplMFASMSInit], data, nil)
}

// handleRegisterSMSCheck handles form submissions of the SMS registration.
// The user can be either in edit mode, where a phone number can be entered / changed.
// If a phone was set, the user can either switch to edit mode, have a resend of the code or verify the code by entering it.
// On successful code verification, the phone will be added to the user as well as his MFA
// and a successful OTP SMS check will be added to the auth request.
func (l *Login) handleRegisterSMSCheck(w http.ResponseWriter, r *http.Request) {
	formData := new(smsInitFormData)
	authReq, err := l.getAuthRequestAndParseData(r, formData)
	if err != nil {
		l.renderError(w, r, authReq, err)
		return
	}

	ctx := setUserContext(r.Context(), authReq.UserID, authReq.UserOrgID)
	// save the current state
	data := &smsInitData{Phone: formData.Phone}

	if formData.Edit {
		data.Edit = true
		l.renderRegisterSMS(w, r, authReq, data, err)
		return
	}

	if formData.Resend {
		_, err = l.command.CreateHumanPhoneVerificationCode(ctx, authReq.UserID, authReq.UserOrgID)
		l.renderRegisterSMS(w, r, authReq, data, err)
		return
	}

	// if the user is currently in edit mode,
	// he can either change the phone number
	// or just return to the code verification again
	if formData.Code == "" {
		data.Phone = formData.NewPhone
		if formData.NewPhone != formData.Phone {
			_, err = l.command.ChangeUserPhone(ctx, authReq.UserID, formData.NewPhone, l.userCodeAlg)
			if err != nil {
				// stay in edit more
				data.Edit = true
			}
		}
		l.renderRegisterSMS(w, r, authReq, data, err)
		return
	}

	_, err = l.command.VerifyUserPhone(ctx, authReq.UserID, formData.Code, l.userCodeAlg)
	if err != nil {
		l.renderRegisterSMS(w, r, authReq, data, err)
		return
	}
	_, err = l.command.AddHumanOTPSMSWithCheckSucceeded(ctx, authReq.UserID, authReq.UserOrgID, authReq)
	if err != nil {
		l.renderRegisterSMS(w, r, authReq, data, err)
		return
	}
	done := &mfaDoneData{
		MFAType: domain.MFATypeOTPSMS,
	}
	l.renderMFAInitDone(w, r, authReq, done)
}
feat(login): add OTP (email and sms) (#6353) * feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type 2023-08-15 14:47:05 +02:00			`package login`

			`import (`
			`"net/http"`

			`"github.com/zitadel/zitadel/internal/domain"`
			`)`

			`const (`
			`tmplMFASMSInit = "mfainitsms"`
			`)`

			`type smsInitData struct {`
			`userData`
			`Edit bool`
			`MFAType domain.MFAType`
			`Phone string`
			`}`

			`type smsInitFormData struct {`
			Edit bool `schema:"edit"`
			Resend bool `schema:"resend"`
			Phone string `schema:"phone"`
			NewPhone string `schema:"newPhone"`
			Code string `schema:"code"`
			`}`

			`// handleRegisterOTPSMS checks if the user has a verified phone number and will directly add OTP SMS as 2FA.`
			`// It will also add a successful OTP SMS check to the auth request.`
			`// If there's no verified phone number, the potential last phone number will be used to render the registration page`
			`func (l Login) handleRegisterOTPSMS(w http.ResponseWriter, r http.Request, authReq *domain.AuthRequest) {`
perf(oidc): optimize the introspection endpoint (#6909) * get key by id and cache them * userinfo from events for v2 tokens * improve keyset caching * concurrent token and client checks * client and project in single query * logging and otel * drop owner_removed column on apps and authN tables * userinfo and project roles in go routines * get oidc user info from projections and add actions * add avatar URL * some cleanup * pull oidc work branch * remove storage from server * add config flag for experimental introspection * legacy introspection flag * drop owner_removed column on user projections * drop owner_removed column on useer_metadata * query userinfo unit test * query introspection client test * add user_grants to the userinfo query * handle PAT scopes * bring triggers back * test instance keys query * add userinfo unit tests * unit test keys * go mod tidy * solve some bugs * fix missing preferred login name * do not run triggers in go routines, they seem to deadlock * initialize the trigger handlers late with a sync.OnceValue * Revert "do not run triggers in go routines, they seem to deadlock" This reverts commit 2a03da2127b7dc74552ec25d4772282a82cc1cba. * add missing translations * chore: update go version for linting * pin oidc version * parse a global time location for query test * fix linter complains * upgrade go lint * fix more linting issues --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> 2023-11-21 14:11:38 +02:00			`user, err := l.query.GetNotifyUserByID(r.Context(), true, authReq.UserID)`
feat(login): add OTP (email and sms) (#6353) * feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type 2023-08-15 14:47:05 +02:00			`if err != nil {`
			`l.renderError(w, r, authReq, err)`
			`return`
			`}`
			`if user.VerifiedPhone == "" {`
			`data := new(smsInitData)`
			`data.Phone = user.LastPhone`
			`data.Edit = user.LastPhone == ""`
			`l.renderRegisterSMS(w, r, authReq, data, nil)`
			`return`
			`}`
			`_, err = l.command.AddHumanOTPSMSWithCheckSucceeded(setUserContext(r.Context(), authReq.UserID, authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq)`
			`if err != nil {`
			`l.renderError(w, r, authReq, err)`
			`return`
			`}`
			`done := &mfaDoneData{`
			`MFAType: domain.MFATypeOTPSMS,`
			`}`
			`l.renderMFAInitDone(w, r, authReq, done)`
			`}`

			`func (l Login) renderRegisterSMS(w http.ResponseWriter, r http.Request, authReq domain.AuthRequest, data smsInitData, err error) {`
			`var errID, errMessage string`
			`if err != nil {`
			`errID, errMessage = l.getErrorMessage(r, err)`
			`}`
feat: restrict languages (#6931) * feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * configure supported languages * fix allowed languages * fix tests * default lang must not be restricted * preferred language must be allowed * change preferred languages * check languages everywhere * lint * test command side * lint * add integration test * add integration test * restrict supported ui locales * lint * lint * cleanup * lint * allow undefined preferred language * fix integration tests * update main * fix env var * ignore linter * ignore linter * improve integration test config * reduce cognitive complexity * compile * check for duplicates * remove useless restriction checks * review * revert restriction renaming * fix language restrictions * lint * generate * allow custom texts for supported langs for now * fix tests * cleanup * cleanup * cleanup * lint * unsupported preferred lang is allowed * fix integration test * finish reverting to old property name * finish reverting to old property name * load languages * refactor(i18n): centralize translators and fs * lint * amplify no validations on preferred languages * fix integration test * lint * fix resetting allowed languages * test unchanged restrictions 2023-12-05 12:12:01 +01:00			`translator := l.getTranslator(r.Context(), authReq)`
			`data.baseData = l.getBaseData(r, authReq, translator, "InitMFAOTP.Title", "InitMFAOTP.Description", errID, errMessage)`
feat(login): add OTP (email and sms) (#6353) * feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type 2023-08-15 14:47:05 +02:00			`data.profileData = l.getProfileData(authReq)`
			`data.MFAType = domain.MFATypeOTPSMS`
feat: restrict languages (#6931) * feat: return 404 or 409 if org reg disallowed * fix: system limit permissions * feat: add iam limits api * feat: disallow public org registrations on default instance * add integration test * test: integration * fix test * docs: describe public org registrations * avoid updating docs deps * fix system limits integration test * silence integration tests * fix linting * ignore strange linter complaints * review * improve reset properties naming * redefine the api * use restrictions aggregate * test query * simplify and test projection * test commands * fix unit tests * move integration test * support restrictions on default instance * also test GetRestrictions * self review * lint * abstract away resource owner * fix tests * configure supported languages * fix allowed languages * fix tests * default lang must not be restricted * preferred language must be allowed * change preferred languages * check languages everywhere * lint * test command side * lint * add integration test * add integration test * restrict supported ui locales * lint * lint * cleanup * lint * allow undefined preferred language * fix integration tests * update main * fix env var * ignore linter * ignore linter * improve integration test config * reduce cognitive complexity * compile * check for duplicates * remove useless restriction checks * review * revert restriction renaming * fix language restrictions * lint * generate * allow custom texts for supported langs for now * fix tests * cleanup * cleanup * cleanup * lint * unsupported preferred lang is allowed * fix integration test * finish reverting to old property name * finish reverting to old property name * load languages * refactor(i18n): centralize translators and fs * lint * amplify no validations on preferred languages * fix integration test * lint * fix resetting allowed languages * test unchanged restrictions 2023-12-05 12:12:01 +01:00			`l.renderer.RenderTemplate(w, r, translator, l.renderer.Templates[tmplMFASMSInit], data, nil)`
feat(login): add OTP (email and sms) (#6353) * feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type 2023-08-15 14:47:05 +02:00			`}`

			`// handleRegisterSMSCheck handles form submissions of the SMS registration.`
			`// The user can be either in edit mode, where a phone number can be entered / changed.`
			`// If a phone was set, the user can either switch to edit mode, have a resend of the code or verify the code by entering it.`
			`// On successful code verification, the phone will be added to the user as well as his MFA`
			`// and a successful OTP SMS check will be added to the auth request.`
			`func (l Login) handleRegisterSMSCheck(w http.ResponseWriter, r http.Request) {`
			`formData := new(smsInitFormData)`
			`authReq, err := l.getAuthRequestAndParseData(r, formData)`
			`if err != nil {`
			`l.renderError(w, r, authReq, err)`
			`return`
			`}`

			`ctx := setUserContext(r.Context(), authReq.UserID, authReq.UserOrgID)`
			`// save the current state`
			`data := &smsInitData{Phone: formData.Phone}`

			`if formData.Edit {`
			`data.Edit = true`
			`l.renderRegisterSMS(w, r, authReq, data, err)`
			`return`
			`}`

			`if formData.Resend {`
			`_, err = l.command.CreateHumanPhoneVerificationCode(ctx, authReq.UserID, authReq.UserOrgID)`
			`l.renderRegisterSMS(w, r, authReq, data, err)`
			`return`
			`}`

			`// if the user is currently in edit mode,`
			`// he can either change the phone number`
			`// or just return to the code verification again`
			`if formData.Code == "" {`
			`data.Phone = formData.NewPhone`
			`if formData.NewPhone != formData.Phone {`
feat: add implementation for resend of email and phone code (#7348) * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: apply suggestions from code review Co-authored-by: Livio Spring <livio.a@gmail.com> * fix: review changes to remove resourceowner as parameters --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-02-14 08:22:55 +01:00			`_, err = l.command.ChangeUserPhone(ctx, authReq.UserID, formData.NewPhone, l.userCodeAlg)`
feat(login): add OTP (email and sms) (#6353) * feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type 2023-08-15 14:47:05 +02:00			`if err != nil {`
			`// stay in edit more`
			`data.Edit = true`
			`}`
			`}`
			`l.renderRegisterSMS(w, r, authReq, data, err)`
			`return`
			`}`

feat: add implementation for resend of email and phone code (#7348) * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: add implementation for resend of email and phone code * fix: apply suggestions from code review Co-authored-by: Livio Spring <livio.a@gmail.com> * fix: review changes to remove resourceowner as parameters --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-02-14 08:22:55 +01:00			`_, err = l.command.VerifyUserPhone(ctx, authReq.UserID, formData.Code, l.userCodeAlg)`
feat(login): add OTP (email and sms) (#6353) * feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type 2023-08-15 14:47:05 +02:00			`if err != nil {`
			`l.renderRegisterSMS(w, r, authReq, data, err)`
			`return`
			`}`
			`_, err = l.command.AddHumanOTPSMSWithCheckSucceeded(ctx, authReq.UserID, authReq.UserOrgID, authReq)`
			`if err != nil {`
			`l.renderRegisterSMS(w, r, authReq, data, err)`
			`return`
			`}`
			`done := &mfaDoneData{`
			`MFAType: domain.MFATypeOTPSMS,`
			`}`
			`l.renderMFAInitDone(w, r, authReq, done)`
			`}`