fix: allow login with user created through v2 api without password (#8291)

# Which Problems Are Solved User created through the User V2 API without any authentication method and possibly unverified email address was not able to login through the current hosted login UI. An unverified email address would result in a mail verification and not an initialization mail like it would with the management API. Also the login UI would then require the user to enter the init code, which the user never received. # How the Problems Are Solved - When verifying the email through the login UI, it will check for existing auth methods (password, IdP, passkeys). In case there are none, the user will be prompted to set a password. - When a user was created through the V2 API with a verified email and no auth method, the user will be prompted to set a password in the login UI. - Since setting a password requires a corresponding code, the code will be generated and sent when login in. # Additional Changes - Changed `RequestSetPassword` to get the codeGenerator from the eventstore instead of getting it from query. # Additional Context - closes https://github.com/zitadel/zitadel/issues/6600 - closes https://github.com/zitadel/zitadel/issues/8235 --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 19:17:32 +00:00 · 2024-07-17 06:43:07 +02:00
parent e126ccc9aa
commit 07b2bac463
17 changed files with 465 additions and 107 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -52,6 +52,7 @@ type AuthRequestRepo struct {
 	ProjectProvider           projectProvider
 	ApplicationProvider       applicationProvider
 	CustomTextProvider        customTextProvider
+	PasswordReset             passwordReset

 	IdGenerator id.Generator
 }
@@ -96,6 +97,7 @@ type idpUserLinksProvider interface {

 type userEventProvider interface {
 	UserEventsByID(ctx context.Context, id string, changeDate time.Time, eventTypes []eventstore.EventType) ([]eventstore.Event, error)
+	PasswordCodeExists(ctx context.Context, userID string) (exists bool, err error)
 }

 type userCommandProvider interface {
@@ -125,6 +127,10 @@ type customTextProvider interface {
 	CustomTextListByTemplate(ctx context.Context, aggregateID string, text string, withOwnerRemoved bool) (texts *query.CustomTexts, err error)
 }

+type passwordReset interface {
+	RequestSetPassword(ctx context.Context, userID, resourceOwner string, notifyType domain.NotificationType, authRequestID string) (objectDetails *domain.ObjectDetails, err error)
+}
+
 func (repo *AuthRequestRepo) Health(ctx context.Context) error {
 	return repo.AuthRequests.Health(ctx)
 }
@@ -1046,7 +1052,7 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
 		}
 	}
 	if isInternalLogin || (!isInternalLogin && len(request.LinkingUsers) > 0) {
-		step := repo.firstFactorChecked(request, user, userSession)
+		step := repo.firstFactorChecked(ctx, request, user, userSession)
 		if step != nil {
 			return append(steps, step), nil
 		}
@@ -1065,7 +1071,9 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
 		steps = append(steps, &domain.ChangePasswordStep{Expired: expired})
 	}
 	if !user.IsEmailVerified {
-		steps = append(steps, &domain.VerifyEMailStep{})
+		steps = append(steps, &domain.VerifyEMailStep{
+			InitPassword: !user.PasswordSet,
+		})
 	}
 	if user.UsernameChangeRequired {
 		steps = append(steps, &domain.ChangeUsernameStep{})
@@ -1204,7 +1212,7 @@ func (repo *AuthRequestRepo) usersForUserSelection(ctx context.Context, request
 	return users, nil
 }

-func (repo *AuthRequestRepo) firstFactorChecked(request *domain.AuthRequest, user *user_model.UserView, userSession *user_model.UserSessionView) domain.NextStep {
+func (repo *AuthRequestRepo) firstFactorChecked(ctx context.Context, request *domain.AuthRequest, user *user_model.UserView, userSession *user_model.UserSessionView) domain.NextStep {
 	if user.InitRequired {
 		return &domain.InitUserStep{PasswordSet: user.PasswordSet}
 	}
@@ -1226,6 +1234,15 @@ func (repo *AuthRequestRepo) firstFactorChecked(request *domain.AuthRequest, use
 	}

 	if user.PasswordInitRequired {
+		if !user.IsEmailVerified {
+			return &domain.VerifyEMailStep{InitPassword: true}
+		}
+		exists, err := repo.UserEventProvider.PasswordCodeExists(ctx, user.ID)
+		logging.WithFields("userID", user.ID).OnError(err).Error("unable to check if password code exists")
+		if err == nil && !exists {
+			_, err = repo.PasswordReset.RequestSetPassword(ctx, user.ID, user.ResourceOwner, domain.NotificationTypeEmail, request.ID)
+			logging.WithFields("userID", user.ID).OnError(err).Error("unable to create password code")
+		}
 		return &domain.InitPasswordStep{}
 	}

--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -108,7 +108,8 @@ func (m *mockViewNoUser) UserByID(string, string) (*user_view_model.UserView, er
 }

 type mockEventUser struct {
-	Event eventstore.Event
+	Event      eventstore.Event
+	CodeExists bool
 }

 func (m *mockEventUser) UserEventsByID(ctx context.Context, id string, changeDate time.Time, types []eventstore.EventType) ([]eventstore.Event, error) {
@@ -118,6 +119,10 @@ func (m *mockEventUser) UserEventsByID(ctx context.Context, id string, changeDat
 	return nil, nil
 }

+func (m *mockEventUser) PasswordCodeExists(ctx context.Context, userID string) (bool, error) {
+	return m.CodeExists, nil
+}
+
 func (m *mockEventUser) GetLatestUserSessionSequence(ctx context.Context, instanceID string) (*query.CurrentState, error) {
 	return &query.CurrentState{State: query.State{Sequence: 0}}, nil
 }
@@ -132,8 +137,8 @@ func (m *mockEventErrUser) UserEventsByID(ctx context.Context, id string, change
 	return nil, zerrors.ThrowInternal(nil, "id", "internal error")
 }

-func (m *mockEventErrUser) BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error {
-	return zerrors.ThrowInternal(nil, "id", "internal error")
+func (m *mockEventErrUser) PasswordCodeExists(ctx context.Context, userID string) (bool, error) {
+	return false, zerrors.ThrowInternal(nil, "id", "internal error")
 }

 type mockViewUser struct {
@@ -298,6 +303,28 @@ func (m *mockIDPUserLinks) IDPUserLinks(ctx context.Context, queries *query.IDPU
 	return &query.IDPUserLinks{Links: m.idps}, nil
 }

+type mockPasswordReset struct {
+	t          *testing.T
+	expectCall bool
+}
+
+func newMockPasswordReset(expectCall bool) func(*testing.T) passwordReset {
+	return func(t *testing.T) passwordReset {
+		return &mockPasswordReset{
+			t:          t,
+			expectCall: expectCall,
+		}
+	}
+}
+
+func (m *mockPasswordReset) RequestSetPassword(ctx context.Context, userID, resourceOwner string, notifyType domain.NotificationType, authRequestID string) (objectDetails *domain.ObjectDetails, err error) {
+	if !m.expectCall {
+		m.t.Error("unexpected call to RequestSetPassword")
+		return nil, nil
+	}
+	return nil, err
+}
+
 func TestAuthRequestRepo_nextSteps(t *testing.T) {
 	type fields struct {
 		AuthRequests              cache.AuthRequestCache
@@ -316,6 +343,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 		labelPolicyProvider       labelPolicyProvider
 		passwordAgePolicyProvider passwordAgePolicyProvider
 		customTextProvider        customTextProvider
+		passwordReset             func(t *testing.T) passwordReset
 	}
 	type args struct {
 		request       *domain.AuthRequest
@@ -687,7 +715,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			fields{
 				userViewProvider: &mockViewUser{},
 				userEventProvider: &mockEventUser{
-					&es_models.Event{
+					Event: &es_models.Event{
 						AggregateType: user_repo.AggregateType,
 						Typ:           user_repo.UserDeactivatedType,
 					},
@@ -709,7 +737,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			fields{
 				userViewProvider: &mockViewUser{},
 				userEventProvider: &mockEventUser{
-					&es_models.Event{
+					Event: &es_models.Event{
 						AggregateType: user_repo.AggregateType,
 						Typ:           user_repo.UserLockedType,
 					},
@@ -929,7 +957,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			nil,
 		},
 		{
-			"password not set, init password step",
+			"password not set (email not verified), init password step",
 			fields{
 				userSessionViewProvider: &mockViewUserSession{},
 				userViewProvider: &mockViewUser{
@@ -945,6 +973,54 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 				idpUserLinksProvider: &mockIDPUserLinks{},
 			},
 			args{&domain.AuthRequest{UserID: "UserID", LoginPolicy: &domain.LoginPolicy{}}, false},
+			[]domain.NextStep{&domain.VerifyEMailStep{InitPassword: true}},
+			nil,
+		},
+		{
+			"password not set (email verified), init password step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{},
+				userViewProvider: &mockViewUser{
+					PasswordInitRequired: true,
+					IsEmailVerified:      true,
+				},
+				userEventProvider: &mockEventUser{
+					CodeExists: true,
+				},
+				lockoutPolicyProvider: &mockLockoutPolicy{
+					policy: &query.LockoutPolicy{
+						ShowFailures: true,
+					},
+				},
+				orgViewProvider:      &mockViewOrg{State: domain.OrgStateActive},
+				idpUserLinksProvider: &mockIDPUserLinks{},
+				passwordReset:        newMockPasswordReset(false),
+			},
+			args{&domain.AuthRequest{UserID: "UserID", LoginPolicy: &domain.LoginPolicy{}}, false},
+			[]domain.NextStep{&domain.InitPasswordStep{}},
+			nil,
+		},
+		{
+			"password not set (email verified, password code not exists), create code, init password step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{},
+				userViewProvider: &mockViewUser{
+					PasswordInitRequired: true,
+					IsEmailVerified:      true,
+				},
+				userEventProvider: &mockEventUser{
+					CodeExists: false,
+				},
+				lockoutPolicyProvider: &mockLockoutPolicy{
+					policy: &query.LockoutPolicy{
+						ShowFailures: true,
+					},
+				},
+				orgViewProvider:      &mockViewOrg{State: domain.OrgStateActive},
+				idpUserLinksProvider: &mockIDPUserLinks{},
+				passwordReset:        newMockPasswordReset(true),
+			},
+			args{&domain.AuthRequest{UserID: "UserID", LoginPolicy: &domain.LoginPolicy{}}, false},
 			[]domain.NextStep{&domain.InitPasswordStep{}},
 			nil,
 		},
@@ -1720,6 +1796,9 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 				PasswordAgePolicyProvider: tt.fields.passwordAgePolicyProvider,
 				CustomTextProvider:        tt.fields.customTextProvider,
 			}
+			if tt.fields.passwordReset != nil {
+				repo.PasswordReset = tt.fields.passwordReset(t)
+			}
 			got, err := repo.nextSteps(context.Background(), tt.args.request, tt.args.checkLoggedIn)
 			if (err != nil && tt.wantErr == nil) || (tt.wantErr != nil && !tt.wantErr(err)) {
 				t.Errorf("nextSteps() wrong error = %v", err)
@@ -2201,7 +2280,7 @@ func Test_userSessionByIDs(t *testing.T) {
 				agentID: "agentID",
 				user:    &user_model.UserView{ID: "id", HumanView: &user_model.HumanView{FirstName: "FirstName"}},
 				eventProvider: &mockEventUser{
-					&es_models.Event{
+					Event: &es_models.Event{
 						AggregateType: user_repo.AggregateType,
 						Typ:           user_repo.UserV1MFAOTPCheckSucceededType,
 						CreationDate:  testNow,
@@ -2224,7 +2303,7 @@ func Test_userSessionByIDs(t *testing.T) {
 				agentID: "agentID",
 				user:    &user_model.UserView{ID: "id"},
 				eventProvider: &mockEventUser{
-					&es_models.Event{
+					Event: &es_models.Event{
 						AggregateType: user_repo.AggregateType,
 						Typ:           user_repo.UserV1MFAOTPCheckSucceededType,
 						CreationDate:  testNow,
@@ -2251,7 +2330,7 @@ func Test_userSessionByIDs(t *testing.T) {
 				agentID: "agentID",
 				user:    &user_model.UserView{ID: "id", HumanView: &user_model.HumanView{FirstName: "FirstName"}},
 				eventProvider: &mockEventUser{
-					&es_models.Event{
+					Event: &es_models.Event{
 						AggregateType: user_repo.AggregateType,
 						Typ:           user_repo.UserV1MFAOTPCheckSucceededType,
 						CreationDate:  testNow,
@@ -2278,7 +2357,7 @@ func Test_userSessionByIDs(t *testing.T) {
 				agentID: "agentID",
 				user:    &user_model.UserView{ID: "id"},
 				eventProvider: &mockEventUser{
-					&es_models.Event{
+					Event: &es_models.Event{
 						AggregateType: user_repo.AggregateType,
 						Typ:           user_repo.UserRemovedType,
 					},
@@ -2367,7 +2446,7 @@ func Test_userByID(t *testing.T) {
 					PasswordChangeRequired: true,
 				},
 				eventProvider: &mockEventUser{
-					&es_models.Event{
+					Event: &es_models.Event{
 						AggregateType: user_repo.AggregateType,
 						Typ:           user_repo.UserV1PasswordChangedType,
 						CreationDate:  testNow,
--- a/internal/auth/repository/eventsourcing/eventstore/user.go
+++ b/internal/auth/repository/eventsourcing/eventstore/user.go
@@ -10,7 +10,9 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/repository/user"
 	usr_view "github.com/zitadel/zitadel/internal/user/repository/view"
+	"github.com/zitadel/zitadel/internal/zerrors"
 )

 type UserRepo struct {
@@ -46,3 +48,40 @@ func (repo *UserRepo) UserEventsByID(ctx context.Context, id string, changeDate
 	}
 	return repo.Eventstore.Filter(ctx, query) //nolint:staticcheck
 }
+
+type passwordCodeCheck struct {
+	userID string
+
+	exists bool
+	events int
+}
+
+func (p *passwordCodeCheck) Reduce() error {
+	p.exists = p.events > 0
+	return nil
+}
+
+func (p *passwordCodeCheck) AppendEvents(events ...eventstore.Event) {
+	p.events += len(events)
+}
+
+func (p *passwordCodeCheck) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		AddQuery().
+		AggregateTypes(user.AggregateType).
+		AggregateIDs(p.userID).
+		EventTypes(user.UserV1PasswordCodeAddedType, user.UserV1PasswordCodeSentType,
+			user.HumanPasswordCodeAddedType, user.HumanPasswordCodeSentType).
+		Builder()
+}
+
+func (repo *UserRepo) PasswordCodeExists(ctx context.Context, userID string) (exists bool, err error) {
+	model := &passwordCodeCheck{
+		userID: userID,
+	}
+	err = repo.Eventstore.FilterToQueryReducer(ctx, model)
+	if err != nil {
+		return false, zerrors.ThrowPermissionDenied(err, "EVENT-SJ642", "Errors.Internal")
+	}
+	return model.exists, nil
+}
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -78,6 +78,7 @@ func Start(ctx context.Context, conf Config, systemDefaults sd.SystemDefaults, c
 			ProjectProvider:           queryView,
 			ApplicationProvider:       queries,
 			CustomTextProvider:        queries,
+			PasswordReset:             command,
 			IdGenerator:               id.SonyFlakeGenerator(),
 		},
 		eventstore.TokenRepo{