fix: pass sessionID to OTP email link (#8745)

# Which Problems Are Solved OTP Email links currently could not use / include the sessionID they belong to. This prevents an easy use for redirecting and handling OTP via email through the session API. # How the Problems Are Solved Added the sessionID as placeholder for the OTP Email link template. # Additional Changes List all available placeholders in the url_templates of V2 endpoints. # Additional Context - discussed in a customer meeting
2025-08-11 18:17:35 +00:00 · 2024-10-10 15:53:32 +02:00
parent 222915ca3d
commit 16171ce3b9
8 changed files with 23 additions and 7 deletions
--- a/internal/command/session_otp.go
+++ b/internal/command/session_otp.go
@@ -61,7 +61,7 @@ func (c *Commands) OTPSMSSent(ctx context.Context, sessionID, resourceOwner stri
 }

 func (c *Commands) CreateOTPEmailChallengeURLTemplate(urlTmpl string) (SessionCommand, error) {
-	if err := domain.RenderOTPEmailURLTemplate(io.Discard, urlTmpl, "code", "userID", "loginName", "displayName", language.English); err != nil {
+	if err := domain.RenderOTPEmailURLTemplate(io.Discard, urlTmpl, "code", "userID", "loginName", "displayName", "sessionID", language.English); err != nil {
 		return nil, err
 	}
 	return c.createOTPEmailChallenge(false, urlTmpl, nil), nil
--- a/internal/domain/session.go
+++ b/internal/domain/session.go
@@ -20,16 +20,18 @@ type OTPEmailURLData struct {
 	LoginName         string
 	DisplayName       string
 	PreferredLanguage language.Tag
+	SessionID         string
 }

 // RenderOTPEmailURLTemplate parses and renders tmpl.
 // code, userID, (preferred) loginName, displayName and preferredLanguage are passed into the [OTPEmailURLData].
-func RenderOTPEmailURLTemplate(w io.Writer, tmpl, code, userID, loginName, displayName string, preferredLanguage language.Tag) error {
+func RenderOTPEmailURLTemplate(w io.Writer, tmpl, code, userID, loginName, displayName, sessionID string, preferredLanguage language.Tag) error {
 	return renderURLTemplate(w, tmpl, &OTPEmailURLData{
 		Code:              code,
 		UserID:            userID,
 		LoginName:         loginName,
 		DisplayName:       displayName,
 		PreferredLanguage: preferredLanguage,
+		SessionID:         sessionID,
 	})
 }
--- a/internal/notification/handlers/user_notifier.go
+++ b/internal/notification/handlers/user_notifier.go
@@ -442,7 +442,7 @@ func (u *userNotifier) reduceSessionOTPEmailChallenged(event eventstore.Event) (
 		if e.URLTmpl != "" {
 			urlTmpl = e.URLTmpl
 		}
-		if err := domain.RenderOTPEmailURLTemplate(&buf, urlTmpl, code, user.ID, user.PreferredLoginName, user.DisplayName, user.PreferredLanguage); err != nil {
+		if err := domain.RenderOTPEmailURLTemplate(&buf, urlTmpl, code, user.ID, user.PreferredLoginName, user.DisplayName, e.Aggregate().ID, user.PreferredLanguage); err != nil {
 			return "", err
 		}
 		return buf.String(), nil