fix: improvements for login flow (incl. webauthn) (#1026)

* fix: typo ZITADEL uppercase for OTP Issuer * fix: password validation after change in current user agent * fix: otp validation after setup in current user agent * add waiting * add waiting * show u2f state * regenerate css * add useragentID to webauthn verify * return mfa attribute in mgmt * switch between providers * use preferredLoginName for webauthn display * some fixes * correct translations for login * add some missing event translations * fix usersession test * remove unnecessary cancel button on password change done
2025-08-12 10:57:35 +00:00 · 2020-12-07 12:09:10 +01:00
parent 8b88a0ab86
commit 077a9a628e
48 changed files with 451 additions and 123 deletions
--- a/internal/user/repository/view/model/user_session.go
+++ b/internal/user/repository/view/model/user_session.go
@@ -81,7 +81,7 @@ func UserSessionsToModel(userSessions []*UserSessionView) []*model.UserSessionVi
 	return result
 }

-func (v *UserSessionView) AppendEvent(event *models.Event) {
+func (v *UserSessionView) AppendEvent(event *models.Event) error {
 	v.Sequence = event.Sequence
 	v.ChangeDate = event.CreationDate
 	switch event.Type {
@@ -91,7 +91,10 @@ func (v *UserSessionView) AppendEvent(event *models.Event) {
 		v.State = int32(req_model.UserSessionStateActive)
 	case es_model.HumanExternalLoginCheckSucceeded:
 		data := new(es_model.AuthRequest)
-		data.SetData(event)
+		err := data.SetData(event)
+		if err != nil {
+			return err
+		}
 		v.ExternalLoginVerification = event.CreationDate
 		v.SelectedIDPConfigID = data.SelectedIDPConfigID
 		v.State = int32(req_model.UserSessionStateActive)
@@ -105,15 +108,31 @@ func (v *UserSessionView) AppendEvent(event *models.Event) {
 		v.PasswordlessVerification = time.Time{}
 		v.MultiFactorVerification = time.Time{}
 	case es_model.UserPasswordCheckFailed,
-		es_model.UserPasswordChanged,
-		es_model.HumanPasswordCheckFailed,
-		es_model.HumanPasswordChanged:
+		es_model.HumanPasswordCheckFailed:
 		v.PasswordVerification = time.Time{}
+	case es_model.UserPasswordChanged,
+		es_model.HumanPasswordChanged:
+		data := new(es_model.PasswordChange)
+		err := data.SetData(event)
+		if err != nil {
+			return err
+		}
+		if v.UserAgentID != data.UserAgentID {
+			v.PasswordVerification = time.Time{}
+		}
+	case es_model.MFAOTPVerified,
+		es_model.HumanMFAOTPVerified:
+		data := new(es_model.OTPVerified)
+		err := data.SetData(event)
+		if err != nil {
+			return err
+		}
+		if v.UserAgentID == data.UserAgentID {
+			v.setSecondFactorVerification(event.CreationDate, req_model.MFATypeOTP)
+		}
 	case es_model.MFAOTPCheckSucceeded,
 		es_model.HumanMFAOTPCheckSucceeded:
-		v.SecondFactorVerification = event.CreationDate
-		v.SecondFactorVerificationType = int32(req_model.MFATypeOTP)
-		v.State = int32(req_model.UserSessionStateActive)
+		v.setSecondFactorVerification(event.CreationDate, req_model.MFATypeOTP)
 	case es_model.MFAOTPCheckFailed,
 		es_model.MFAOTPRemoved,
 		es_model.HumanMFAOTPCheckFailed,
@@ -121,10 +140,17 @@ func (v *UserSessionView) AppendEvent(event *models.Event) {
 		es_model.HumanMFAU2FTokenCheckFailed,
 		es_model.HumanMFAU2FTokenRemoved:
 		v.SecondFactorVerification = time.Time{}
+	case es_model.HumanMFAU2FTokenVerified:
+		data := new(es_model.WebAuthNVerify)
+		err := data.SetData(event)
+		if err != nil {
+			return err
+		}
+		if v.UserAgentID == data.UserAgentID {
+			v.setSecondFactorVerification(event.CreationDate, req_model.MFATypeU2F)
+		}
 	case es_model.HumanMFAU2FTokenCheckSucceeded:
-		v.SecondFactorVerification = event.CreationDate
-		v.SecondFactorVerificationType = int32(req_model.MFATypeU2F)
-		v.State = int32(req_model.UserSessionStateActive)
+		v.setSecondFactorVerification(event.CreationDate, req_model.MFATypeU2F)
 	case es_model.SignedOut,
 		es_model.HumanSignedOut,
 		es_model.UserLocked,
@@ -137,4 +163,11 @@ func (v *UserSessionView) AppendEvent(event *models.Event) {
 		v.ExternalLoginVerification = time.Time{}
 		v.SelectedIDPConfigID = ""
 	}
+	return nil
+}
+
+func (v *UserSessionView) setSecondFactorVerification(verificationTime time.Time, mfaType req_model.MFAType) {
+	v.SecondFactorVerification = verificationTime
+	v.SecondFactorVerificationType = int32(mfaType)
+	v.State = int32(req_model.UserSessionStateActive)
 }
--- a/internal/user/repository/view/model/user_session_test.go
+++ b/internal/user/repository/view/model/user_session_test.go
@@ -1,11 +1,13 @@
 package model

 import (
+	"encoding/json"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/assert"

+	"github.com/caos/zitadel/internal/crypto"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
 )
@@ -59,18 +61,87 @@ func TestAppendEvent(t *testing.T) {
 		{
 			name: "append user password changed event",
 			args: args{
-				event:    &es_models.Event{CreationDate: now(), Type: es_model.UserPasswordChanged},
-				userView: &UserSessionView{PasswordVerification: now()},
+				event: &es_models.Event{
+					CreationDate: now(),
+					Type:         es_model.UserPasswordChanged,
+					Data: func() []byte {
+						d, _ := json.Marshal(&es_model.Password{
+							Secret: &crypto.CryptoValue{Crypted: []byte("test")},
+						})
+						return d
+					}(),
+				},
+				userView: &UserSessionView{UserAgentID: "id", PasswordVerification: now()},
 			},
-			result: &UserSessionView{ChangeDate: now(), PasswordVerification: time.Time{}},
+			result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: time.Time{}},
 		},
 		{
 			name: "append human password changed event",
 			args: args{
-				event:    &es_models.Event{CreationDate: now(), Type: es_model.HumanPasswordChanged},
-				userView: &UserSessionView{PasswordVerification: now()},
+				event: &es_models.Event{
+					CreationDate: now(),
+					Type:         es_model.HumanPasswordChanged,
+					Data: func() []byte {
+						d, _ := json.Marshal(&es_model.PasswordChange{
+							Password: es_model.Password{
+								Secret: &crypto.CryptoValue{Crypted: []byte("test")},
+							},
+						})
+						return d
+					}(),
+				},
+				userView: &UserSessionView{UserAgentID: "id", PasswordVerification: now()},
 			},
-			result: &UserSessionView{ChangeDate: now(), PasswordVerification: time.Time{}},
+			result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: time.Time{}},
+		},
+		{
+			name: "append human password changed event same user agent",
+			args: args{
+				event: &es_models.Event{
+					CreationDate: now(),
+					Type:         es_model.HumanPasswordChanged,
+					Data: func() []byte {
+						d, _ := json.Marshal(&es_model.PasswordChange{
+							Password: es_model.Password{
+								Secret: &crypto.CryptoValue{Crypted: []byte("test")},
+							},
+							UserAgentID: "id",
+						})
+						return d
+					}(),
+				},
+				userView: &UserSessionView{UserAgentID: "id", PasswordVerification: now()},
+			},
+			result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), PasswordVerification: now()},
+		},
+		{
+			name: "append user otp verified event",
+			args: args{
+				event: &es_models.Event{
+					CreationDate: now(),
+					Type:         es_model.MFAOTPVerified,
+					Data:         nil,
+				},
+				userView: &UserSessionView{UserAgentID: "id"},
+			},
+			result: &UserSessionView{UserAgentID: "id", ChangeDate: now()},
+		},
+		{
+			name: "append user otp verified event same user agent",
+			args: args{
+				event: &es_models.Event{
+					CreationDate: now(),
+					Type:         es_model.MFAOTPVerified,
+					Data: func() []byte {
+						d, _ := json.Marshal(&es_model.OTPVerified{
+							UserAgentID: "id",
+						})
+						return d
+					}(),
+				},
+				userView: &UserSessionView{UserAgentID: "id"},
+			},
+			result: &UserSessionView{UserAgentID: "id", ChangeDate: now(), SecondFactorVerification: now()},
 		},
 		{
 			name: "append user otp check succeeded event",