feat: Add Twilio Verification Service (#8678)

# Which Problems Are Solved Twilio supports a robust, multi-channel verification service that notably supports multi-region SMS sender numbers required for our use case. Currently, Zitadel does much of the work of the Twilio Verify (eg. localization, code generation, messaging) but doesn't support the pool of sender numbers that Twilio Verify does. # How the Problems Are Solved To support this API, we need to be able to store the Twilio Service ID and send that in a verification request where appropriate: phone number verification and SMS 2FA code paths. This PR does the following: - Adds the ability to use Twilio Verify of standard messaging through Twilio - Adds support for international numbers and more reliable verification messages sent from multiple numbers - Adds a new Twilio configuration option to support Twilio Verify in the admin console - Sends verification SMS messages through Twilio Verify - Implements Twilio Verification Checks for codes generated through the same # Additional Changes # Additional Context - base was implemented by @zhirschtritt in https://github.com/zitadel/zitadel/pull/8268 ❤️ - closes https://github.com/zitadel/zitadel/issues/8581 --------- Co-authored-by: Zachary Hirschtritt <zachary.hirschtritt@klaviyo.com> Co-authored-by: Joey Biscoglia <joey.biscoglia@klaviyo.com>
2025-08-11 18:17:35 +00:00 · 2024-09-26 09:14:33 +02:00
parent 4eaa3163b6
commit 14e2aba1bc
89 changed files with 3888 additions and 782 deletions
--- a/internal/repository/instance/sms.go
+++ b/internal/repository/instance/sms.go
@@ -28,11 +28,12 @@ const (
 type SMSConfigTwilioAddedEvent struct {
 	*eventstore.BaseEvent `json:"-"`

-	ID           string              `json:"id,omitempty"`
-	Description  string              `json:"description,omitempty"`
-	SID          string              `json:"sid,omitempty"`
-	Token        *crypto.CryptoValue `json:"token,omitempty"`
-	SenderNumber string              `json:"senderNumber,omitempty"`
+	ID               string              `json:"id,omitempty"`
+	Description      string              `json:"description,omitempty"`
+	SID              string              `json:"sid,omitempty"`
+	Token            *crypto.CryptoValue `json:"token,omitempty"`
+	SenderNumber     string              `json:"senderNumber,omitempty"`
+	VerifyServiceSID string              `json:"verifyServiceSid,omitempty"`
 }

 func NewSMSConfigTwilioAddedEvent(
@@ -43,6 +44,7 @@ func NewSMSConfigTwilioAddedEvent(
 	sid,
 	senderNumber string,
 	token *crypto.CryptoValue,
+	verifyServiceSid string,
 ) *SMSConfigTwilioAddedEvent {
 	return &SMSConfigTwilioAddedEvent{
 		BaseEvent: eventstore.NewBaseEventForPush(
@@ -50,11 +52,12 @@ func NewSMSConfigTwilioAddedEvent(
 			aggregate,
 			SMSConfigTwilioAddedEventType,
 		),
-		ID:           id,
-		Description:  description,
-		SID:          sid,
-		Token:        token,
-		SenderNumber: senderNumber,
+		ID:               id,
+		Description:      description,
+		SID:              sid,
+		Token:            token,
+		SenderNumber:     senderNumber,
+		VerifyServiceSID: verifyServiceSid,
 	}
 }

@@ -73,10 +76,11 @@ func (e *SMSConfigTwilioAddedEvent) UniqueConstraints() []*eventstore.UniqueCons
 type SMSConfigTwilioChangedEvent struct {
 	*eventstore.BaseEvent `json:"-"`

-	ID           string  `json:"id,omitempty"`
-	Description  *string `json:"description,omitempty"`
-	SID          *string `json:"sid,omitempty"`
-	SenderNumber *string `json:"senderNumber,omitempty"`
+	ID               string  `json:"id,omitempty"`
+	Description      *string `json:"description,omitempty"`
+	SID              *string `json:"sid,omitempty"`
+	SenderNumber     *string `json:"senderNumber,omitempty"`
+	VerifyServiceSID *string `json:"verifyServiceSid,omitempty"`
 }

 func NewSMSConfigTwilioChangedEvent(
@@ -122,6 +126,12 @@ func ChangeSMSConfigTwilioSenderNumber(senderNumber string) func(event *SMSConfi
 	}
 }

+func ChangeSMSConfigTwilioVerifyServiceSID(verifyServiceSID string) func(event *SMSConfigTwilioChangedEvent) {
+	return func(e *SMSConfigTwilioChangedEvent) {
+		e.VerifyServiceSID = &verifyServiceSID
+	}
+}
+
 func (e *SMSConfigTwilioChangedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
 	e.BaseEvent = event
 }
--- a/internal/repository/session/session.go
+++ b/internal/repository/session/session.go
@@ -10,6 +10,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

@@ -323,6 +324,7 @@ type OTPSMSChallengedEvent struct {
 	Code              *crypto.CryptoValue `json:"code"`
 	Expiry            time.Duration       `json:"expiry"`
 	CodeReturned      bool                `json:"codeReturned,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
 }

@@ -348,6 +350,7 @@ func NewOTPSMSChallengedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	codeReturned bool,
+	generatorID string,
 ) *OTPSMSChallengedEvent {
 	return &OTPSMSChallengedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -358,12 +361,15 @@ func NewOTPSMSChallengedEvent(
 		Code:              code,
 		Expiry:            expiry,
 		CodeReturned:      codeReturned,
+		GeneratorID:       generatorID,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 	}
 }

 type OTPSMSSentEvent struct {
 	eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
 }

 func (e *OTPSMSSentEvent) Payload() interface{} {
@@ -381,6 +387,7 @@ func (e *OTPSMSSentEvent) SetBaseEvent(base *eventstore.BaseEvent) {
 func NewOTPSMSSentEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
+	generatorInfo *senders.CodeGeneratorInfo,
 ) *OTPSMSSentEvent {
 	return &OTPSMSSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -388,6 +395,7 @@ func NewOTPSMSSentEvent(
 			aggregate,
 			OTPSMSSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }

--- a/internal/repository/user/eventstore.go
+++ b/internal/repository/user/eventstore.go
@@ -14,7 +14,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1SignedOutType, HumanSignedOutEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordChangedType, HumanPasswordChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCodeAddedType, HumanPasswordCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCodeSentType, HumanPasswordCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCodeSentType, eventstore.GenericEventMapper[HumanPasswordCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCheckSucceededType, HumanPasswordCheckSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCheckFailedType, HumanPasswordCheckFailedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1EmailChangedType, HumanEmailChangedEventMapper)
@@ -27,7 +27,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneVerifiedType, HumanPhoneVerifiedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneVerificationFailedType, HumanPhoneVerificationFailedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneCodeAddedType, HumanPhoneCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneCodeSentType, HumanPhoneCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneCodeSentType, eventstore.GenericEventMapper[HumanPhoneCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1ProfileChangedType, HumanProfileChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1AddressChangedType, HumanAddressChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1MFAInitSkippedType, HumanMFAInitSkippedEventMapper)
@@ -60,7 +60,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanSignedOutType, HumanSignedOutEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordChangedType, HumanPasswordChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCodeAddedType, HumanPasswordCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCodeSentType, HumanPasswordCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCodeSentType, eventstore.GenericEventMapper[HumanPasswordCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordChangeSentType, HumanPasswordChangeSentEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCheckSucceededType, HumanPasswordCheckSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCheckFailedType, HumanPasswordCheckFailedEventMapper)
@@ -81,7 +81,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneVerifiedType, HumanPhoneVerifiedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneVerificationFailedType, HumanPhoneVerificationFailedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneCodeAddedType, HumanPhoneCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneCodeSentType, HumanPhoneCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneCodeSentType, eventstore.GenericEventMapper[HumanPhoneCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanProfileChangedType, HumanProfileChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanAvatarAddedType, HumanAvatarAddedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanAvatarRemovedType, HumanAvatarRemovedEventMapper)
--- a/internal/repository/user/human_mfa_otp.go
+++ b/internal/repository/user/human_mfa_otp.go
@@ -7,6 +7,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

@@ -280,6 +281,7 @@ type HumanOTPSMSCodeAddedEvent struct {
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	*AuthRequestInfo
 }

@@ -305,6 +307,7 @@ func NewHumanOTPSMSCodeAddedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	info *AuthRequestInfo,
+	generatorID string,
 ) *HumanOTPSMSCodeAddedEvent {
 	return &HumanOTPSMSCodeAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -316,15 +319,14 @@ func NewHumanOTPSMSCodeAddedEvent(
 		Expiry:            expiry,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 		AuthRequestInfo:   info,
+		GeneratorID:       generatorID,
 	}
 }

 type HumanOTPSMSCodeSentEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	Code   *crypto.CryptoValue `json:"code,omitempty"`
-	Expiry time.Duration       `json:"expiry,omitempty"`
-	*AuthRequestInfo
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
 }

 func (e *HumanOTPSMSCodeSentEvent) Payload() interface{} {
@@ -342,6 +344,7 @@ func (e *HumanOTPSMSCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
 func NewHumanOTPSMSCodeSentEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
+	generatorInfo *senders.CodeGeneratorInfo,
 ) *HumanOTPSMSCodeSentEvent {
 	return &HumanOTPSMSCodeSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -349,6 +352,7 @@ func NewHumanOTPSMSCodeSentEvent(
 			aggregate,
 			HumanOTPSMSCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }

--- a/internal/repository/user/human_password.go
+++ b/internal/repository/user/human_password.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

@@ -89,6 +90,7 @@ type HumanPasswordCodeAddedEvent struct {
 	TriggeredAtOrigin string                  `json:"triggerOrigin,omitempty"`
 	// AuthRequest is only used in V1 Login UI
 	AuthRequestID string `json:"authRequestID,omitempty"`
+	GeneratorID   string `json:"generatorId,omitempty"`
 }

 func (e *HumanPasswordCodeAddedEvent) Payload() interface{} {
@@ -109,7 +111,8 @@ func NewHumanPasswordCodeAddedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	notificationType domain.NotificationType,
-	authRequestID string,
+	authRequestID,
+	generatorID string,
 ) *HumanPasswordCodeAddedEvent {
 	return &HumanPasswordCodeAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -122,6 +125,7 @@ func NewHumanPasswordCodeAddedEvent(
 		NotificationType:  notificationType,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 		AuthRequestID:     authRequestID,
+		GeneratorID:       generatorID,
 	}
 }

@@ -162,33 +166,34 @@ func HumanPasswordCodeAddedEventMapper(event eventstore.Event) (eventstore.Event
 }

 type HumanPasswordCodeSentEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
+}
+
+func (e *HumanPasswordCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
 }

 func (e *HumanPasswordCodeSentEvent) Payload() interface{} {
-	return nil
+	return e
 }

 func (e *HumanPasswordCodeSentEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
 	return nil
 }

-func NewHumanPasswordCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordCodeSentEvent {
+func NewHumanPasswordCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, generatorInfo *senders.CodeGeneratorInfo) *HumanPasswordCodeSentEvent {
 	return &HumanPasswordCodeSentEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			HumanPasswordCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }

-func HumanPasswordCodeSentEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &HumanPasswordCodeSentEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
-
 type HumanPasswordChangeSentEvent struct {
 	eventstore.BaseEvent `json:"-"`
 }
--- a/internal/repository/user/human_phone.go
+++ b/internal/repository/user/human_phone.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

@@ -151,6 +152,7 @@ type HumanPhoneCodeAddedEvent struct {
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
 	CodeReturned      bool                `json:"code_returned,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
 }

@@ -171,15 +173,18 @@ func NewHumanPhoneCodeAddedEvent(
 	aggregate *eventstore.Aggregate,
 	code *crypto.CryptoValue,
 	expiry time.Duration,
+	generatorID string,
 ) *HumanPhoneCodeAddedEvent {
-	return NewHumanPhoneCodeAddedEventV2(ctx, aggregate, code, expiry, false)
+	return NewHumanPhoneCodeAddedEventV2(ctx, aggregate, code, expiry, false, generatorID)
 }
+
 func NewHumanPhoneCodeAddedEventV2(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	codeReturned bool,
+	generatorID string,
 ) *HumanPhoneCodeAddedEvent {
 	return &HumanPhoneCodeAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -190,6 +195,7 @@ func NewHumanPhoneCodeAddedEventV2(
 		Code:              code,
 		Expiry:            expiry,
 		CodeReturned:      codeReturned,
+		GeneratorID:       generatorID,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 	}
 }
@@ -207,7 +213,13 @@ func HumanPhoneCodeAddedEventMapper(event eventstore.Event) (eventstore.Event, e
 }

 type HumanPhoneCodeSentEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
+}
+
+func (e *HumanPhoneCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
 }

 func (e *HumanPhoneCodeSentEvent) Payload() interface{} {
@@ -218,18 +230,13 @@ func (e *HumanPhoneCodeSentEvent) UniqueConstraints() []*eventstore.UniqueConstr
 	return nil
 }

-func NewHumanPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneCodeSentEvent {
+func NewHumanPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, generatorInfo *senders.CodeGeneratorInfo) *HumanPhoneCodeSentEvent {
 	return &HumanPhoneCodeSentEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			HumanPhoneCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }
-
-func HumanPhoneCodeSentEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &HumanPhoneCodeSentEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
--- a/internal/repository/user/schemauser/phone.go
+++ b/internal/repository/user/schemauser/phone.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 )

 const (
@@ -107,6 +108,7 @@ type PhoneCodeAddedEvent struct {
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
 	CodeReturned      bool                `json:"code_returned,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
 }

@@ -132,6 +134,7 @@ func NewPhoneCodeAddedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	codeReturned bool,
+	generatorID string,
 ) *PhoneCodeAddedEvent {
 	return &PhoneCodeAddedEvent{
 		BaseEvent: eventstore.NewBaseEventForPush(
@@ -142,12 +145,15 @@ func NewPhoneCodeAddedEvent(
 		Code:              code,
 		Expiry:            expiry,
 		CodeReturned:      codeReturned,
+		GeneratorID:       generatorID,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 	}
 }

 type PhoneCodeSentEvent struct {
 	*eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
 }

 func (e *PhoneCodeSentEvent) Payload() interface{} {
@@ -162,12 +168,13 @@ func (e *PhoneCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
 	e.BaseEvent = event
 }

-func NewPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *PhoneCodeSentEvent {
+func NewPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, generatorInfo *senders.CodeGeneratorInfo) *PhoneCodeSentEvent {
 	return &PhoneCodeSentEvent{
 		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			PhoneCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }