From 2fe76acd14906086da66c90f9267554dbed6c192 Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Wed, 26 Jul 2023 13:00:41 +0200
Subject: [PATCH] feat: add secret generators for OTP (#6262)

This PR adds configuration options for OTP codes through Admin API.
---
 cmd/defaults.yaml                             |  14 +++
 ...dialog-add-secret-generator.component.html |   9 --
 .../dialog-add-secret-generator.component.ts  |  49 +++++----
 .../secret-generator.component.ts             |  42 ++-----
 console/src/assets/i18n/bg.json               |   4 +-
 console/src/assets/i18n/de.json               |   4 +-
 console/src/assets/i18n/en.json               |   4 +-
 console/src/assets/i18n/es.json               |   4 +-
 console/src/assets/i18n/fr.json               |   4 +-
 console/src/assets/i18n/it.json               |   4 +-
 console/src/assets/i18n/ja.json               |   4 +-
 console/src/assets/i18n/mk.json               |   4 +-
 console/src/assets/i18n/pl.json               |   4 +-
 console/src/assets/i18n/pt.json               |   4 +-
 console/src/assets/i18n/zh.json               |   4 +-
 .../manage/console/instance-settings.mdx      |   2 +
 .../api/grpc/admin/iam_settings_converter.go  |   9 ++
 internal/command/instance.go                  |   4 +
 internal/command/instance_settings.go         |  29 +++--
 internal/command/instance_settings_test.go    | 103 +++++++++++++-----
 internal/domain/secret_generator.go           |   2 +
 proto/zitadel/settings.proto                  |   2 +
 22 files changed, 199 insertions(+), 110 deletions(-)

diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index e5244cbb17..40b2fc8d07 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -564,6 +564,20 @@ DefaultInstance:
       IncludeUpperLetters: true
       IncludeDigits: true
       IncludeSymbols: false
+    OTPSMS:
+      Length: 8
+      Expiry: "5m"
+      IncludeLowerLetters: false
+      IncludeUpperLetters: false
+      IncludeDigits: true
+      IncludeSymbols: false
+    OTPEmail:
+      Length: 8
+      Expiry: "5m"
+      IncludeLowerLetters: false
+      IncludeUpperLetters: false
+      IncludeDigits: true
+      IncludeSymbols: false
   PasswordComplexityPolicy:
     MinLength: 8
     HasLowercase: true
diff --git a/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.html b/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.html
index e4c3600926..5a09a71362 100644
--- a/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.html
+++ b/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.html
@@ -3,15 +3,6 @@
 </h1>
 <div mat-dialog-content>
   <form *ngIf="specsForm" (ngSubmit)="closeDialogWithRequest()" [formGroup]="specsForm">
-    <cnsl-form-field class="type-form-field" label="Access Code" required="true">
-      <cnsl-label>{{ 'SETTING.SECRETS.GENERATORTYPE' | translate }}</cnsl-label>
-      <mat-select formControlName="generatorType">
-        <mat-option *ngFor="let gen of availableGenerators" [value]="gen">
-          <span>{{ 'SETTING.SECRETS.TYPE.' + gen | translate }}</span>
-        </mat-option>
-      </mat-select>
-    </cnsl-form-field>
-
     <h2 class="generator-type">{{ 'SETTING.SECRETS.TYPE.' + generatorType?.value | translate }}</h2>
 
     <cnsl-form-field class="generator-form-field" label="Expiration">
diff --git a/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.ts b/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.ts
index c8d888f914..6d72286111 100644
--- a/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.ts
+++ b/console/src/app/modules/policies/secret-generator/dialog-add-secret-generator/dialog-add-secret-generator.component.ts
@@ -7,7 +7,6 @@ import {
 import { Duration } from 'google-protobuf/google/protobuf/duration_pb';
 import { requiredValidator } from 'src/app/modules/form-field/validators/validators';
 import { UpdateSecretGeneratorRequest } from 'src/app/proto/generated/zitadel/admin_pb';
-import { SecretGeneratorType } from 'src/app/proto/generated/zitadel/settings_pb';
 
 @Component({
   selector: 'cnsl-dialog-add-secret-generator',
@@ -15,15 +14,6 @@ import { SecretGeneratorType } from 'src/app/proto/generated/zitadel/settings_pb
   styleUrls: ['./dialog-add-secret-generator.component.scss'],
 })
 export class DialogAddSecretGeneratorComponent {
-  public SecretGeneratorType: any = SecretGeneratorType;
-  public availableGenerators: SecretGeneratorType[] = [
-    SecretGeneratorType.SECRET_GENERATOR_TYPE_INIT_CODE,
-    SecretGeneratorType.SECRET_GENERATOR_TYPE_VERIFY_EMAIL_CODE,
-    SecretGeneratorType.SECRET_GENERATOR_TYPE_VERIFY_PHONE_CODE,
-    SecretGeneratorType.SECRET_GENERATOR_TYPE_PASSWORD_RESET_CODE,
-    SecretGeneratorType.SECRET_GENERATOR_TYPE_PASSWORDLESS_INIT_CODE,
-    SecretGeneratorType.SECRET_GENERATOR_TYPE_APP_SECRET,
-  ];
   public req: UpdateSecretGeneratorRequest = new UpdateSecretGeneratorRequest();
 
   public specsForm!: UntypedFormGroup;
@@ -33,17 +23,19 @@ export class DialogAddSecretGeneratorComponent {
     public dialogRef: MatDialogRef<DialogAddSecretGeneratorComponent>,
     @Inject(MAT_DIALOG_DATA) public data: any,
   ) {
+    let exp = 1;
+    if (data.config?.expiry !== undefined) {
+      exp = this.durationToHour(data.config?.expiry);
+    }
     this.specsForm = this.fb.group({
-      generatorType: [SecretGeneratorType.SECRET_GENERATOR_TYPE_APP_SECRET, [requiredValidator]],
-      expiry: [1, [requiredValidator]],
-      includeDigits: [true, [requiredValidator]],
-      includeLowerLetters: [true, [requiredValidator]],
-      includeSymbols: [true, [requiredValidator]],
-      includeUpperLetters: [true, [requiredValidator]],
-      length: [6, [requiredValidator]],
+      generatorType: [data.type, [requiredValidator]],
+      expiry: [exp, [requiredValidator]],
+      length: [data.config?.length ?? 6, [requiredValidator]],
+      includeDigits: [data.config?.includeDigits ?? true, [requiredValidator]],
+      includeLowerLetters: [data.config?.includeSymbols ?? true, [requiredValidator]],
+      includeSymbols: [data.config?.includeLowerLetters ?? true, [requiredValidator]],
+      includeUpperLetters: [data.config?.includeUpperLetters ?? true, [requiredValidator]],
     });
-
-    this.generatorType?.setValue(data.type);
   }
 
   public closeDialog(): void {
@@ -52,10 +44,7 @@ export class DialogAddSecretGeneratorComponent {
 
   public closeDialogWithRequest(): void {
     this.req.setGeneratorType(this.generatorType?.value);
-
-    const expiry = new Duration().setSeconds((this.expiry?.value ?? 1) * 60 * 60);
-
-    this.req.setExpiry(expiry);
+    this.req.setExpiry(this.hourToDuration(this.expiry?.value));
     this.req.setIncludeDigits(this.includeDigits?.value);
     this.req.setIncludeLowerLetters(this.includeLowerLetters?.value);
     this.req.setIncludeSymbols(this.includeSymbols?.value);
@@ -92,4 +81,18 @@ export class DialogAddSecretGeneratorComponent {
   public get length(): AbstractControl | null {
     return this.specsForm.get('length');
   }
+
+  private durationToHour(duration: Duration.AsObject): number {
+    if (duration.seconds === 0) {
+      return 0;
+    }
+    return (duration.seconds + duration.nanos / 1000000) / 3600;
+  }
+
+  private hourToDuration(hour: number): Duration {
+    const exp = hour * 60 * 60;
+    const sec = Math.floor(exp);
+    const nanos = Math.round((exp - sec) * 1000000);
+    return new Duration().setSeconds(sec).setNanos(nanos);
+  }
 }
diff --git a/console/src/app/modules/policies/secret-generator/secret-generator.component.ts b/console/src/app/modules/policies/secret-generator/secret-generator.component.ts
index 1bae7b67e5..44fc85df3d 100644
--- a/console/src/app/modules/policies/secret-generator/secret-generator.component.ts
+++ b/console/src/app/modules/policies/secret-generator/secret-generator.component.ts
@@ -1,6 +1,6 @@
 import { Component, OnInit } from '@angular/core';
 import { MatLegacyDialog as MatDialog } from '@angular/material/legacy-dialog';
-import { UpdateSecretGeneratorRequest, UpdateSecretGeneratorResponse } from 'src/app/proto/generated/zitadel/admin_pb';
+import { UpdateSecretGeneratorRequest } from 'src/app/proto/generated/zitadel/admin_pb';
 import { OIDCSettings, SecretGenerator, SecretGeneratorType } from 'src/app/proto/generated/zitadel/settings_pb';
 import { AdminService } from 'src/app/services/admin.service';
 import { ToastService } from 'src/app/services/toast.service';
@@ -25,7 +25,10 @@ export class SecretGeneratorComponent implements OnInit {
     SecretGeneratorType.SECRET_GENERATOR_TYPE_PASSWORD_RESET_CODE,
     SecretGeneratorType.SECRET_GENERATOR_TYPE_PASSWORDLESS_INIT_CODE,
     SecretGeneratorType.SECRET_GENERATOR_TYPE_APP_SECRET,
+    SecretGeneratorType.SECRET_GENERATOR_TYPE_OTP_SMS,
+    SecretGeneratorType.SECRET_GENERATOR_TYPE_OTP_EMAIL,
   ];
+
   constructor(private service: AdminService, private toast: ToastService, private dialog: MatDialog) {}
 
   ngOnInit(): void {
@@ -48,25 +51,12 @@ export class SecretGeneratorComponent implements OnInit {
       });
   }
 
-  private updateData(): Promise<UpdateSecretGeneratorResponse.AsObject> | void {
-    const dialogRef = this.dialog.open(DialogAddSecretGeneratorComponent, {
-      data: {},
-      width: '400px',
-    });
-
-    dialogRef.afterClosed().subscribe((req: UpdateSecretGeneratorRequest) => {
-      if (req) {
-        return (this.service as AdminService).updateSecretGenerator(req);
-      } else {
-        return;
-      }
-    });
-  }
-
   public openGeneratorDialog(generatorType: SecretGeneratorType): void {
+    let config = this.generators.find((gen) => gen.generatorType === generatorType);
     const dialogRef = this.dialog.open(DialogAddSecretGeneratorComponent, {
       data: {
         type: generatorType,
+        config: config,
       },
       width: '400px',
     });
@@ -77,6 +67,9 @@ export class SecretGeneratorComponent implements OnInit {
           .updateSecretGenerator(req)
           .then(() => {
             this.toast.showInfo('SETTING.SECRETS.UPDATED', true);
+            setTimeout(() => {
+              this.fetchData();
+            }, 2000);
           })
           .catch((error) => {
             this.toast.showError(error);
@@ -86,21 +79,4 @@ export class SecretGeneratorComponent implements OnInit {
       }
     });
   }
-
-  public savePolicy(): void {
-    const prom = this.updateData();
-    if (prom) {
-      prom
-        .then(() => {
-          this.toast.showInfo('SETTING.SMTP.SAVED', true);
-          this.loading = true;
-          setTimeout(() => {
-            this.fetchData();
-          }, 2000);
-        })
-        .catch((error) => {
-          this.toast.showError(error);
-        });
-    }
-  }
 }
diff --git a/console/src/assets/i18n/bg.json b/console/src/assets/i18n/bg.json
index ddfc380835..b5a2abb5a0 100644
--- a/console/src/assets/i18n/bg.json
+++ b/console/src/assets/i18n/bg.json
@@ -1095,7 +1095,9 @@
         "3": "Телефонна проверка",
         "4": "Нулиране на парола",
         "5": "Инициализация без парола",
-        "6": "Тайна на приложението"
+        "6": "Тайна на приложението",
+        "7": "Еднократна парола (OTP) - SMS",
+        "8": "Еднократна парола (OTP) – имейл"
       },
       "ADDGENERATOR": "Определете тайния външен вид",
       "GENERATORTYPE": "Тип",
diff --git a/console/src/assets/i18n/de.json b/console/src/assets/i18n/de.json
index 87b6e83fd0..01c8fb03bd 100644
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@@ -1101,7 +1101,9 @@
         "3": "Telefonnummer Verificationscode",
         "4": "Passwort Zurücksetzen Code",
         "5": "Passwordless Initialisierungscode",
-        "6": "Applicationssecret"
+        "6": "Applicationssecret",
+        "7": "One Time Password (OTP) - SMS",
+        "8": "One Time Password (OTP) - Email"
       },
       "ADDGENERATOR": "Secret Erscheinungsbild definieren",
       "GENERATORTYPE": "Typ",
diff --git a/console/src/assets/i18n/en.json b/console/src/assets/i18n/en.json
index c858d5acbb..e4c8d5dd2d 100644
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@@ -1102,7 +1102,9 @@
         "3": "Phone verification",
         "4": "Password Reset",
         "5": "Passwordless Initialization",
-        "6": "App Secret"
+        "6": "App Secret",
+        "7": "One Time Password (OTP) - SMS",
+        "8": "One Time Password (OTP) - Email"
       },
       "ADDGENERATOR": "Define Secret Appearance",
       "GENERATORTYPE": "Type",
diff --git a/console/src/assets/i18n/es.json b/console/src/assets/i18n/es.json
index 3a0df8980f..bc7af48408 100644
--- a/console/src/assets/i18n/es.json
+++ b/console/src/assets/i18n/es.json
@@ -1102,7 +1102,9 @@
         "3": "Verificación de teléfono",
         "4": "Restablecimiento de contraseña",
         "5": "Inicialización de acceso sin contraseña",
-        "6": "Secreto de App"
+        "6": "Secreto de App",
+        "7": "One Time Password (OTP) - SMS",
+        "8": "One Time Password (OTP) - email"
       },
       "ADDGENERATOR": "Definir apariencia del secreto",
       "GENERATORTYPE": "Tipo",
diff --git a/console/src/assets/i18n/fr.json b/console/src/assets/i18n/fr.json
index a81c6eae5d..61f2f7f780 100644
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@@ -1101,7 +1101,9 @@
         "3": "Vérification par téléphone",
         "4": "Réinitialisation du mot de passe",
         "5": "Initialisation sans mot de passe",
-        "6": "Secret de l'application"
+        "6": "Secret de l'application",
+        "7": "Mot de passe à usage unique (OTP) - SMS",
+        "8": "Mot de passe à usage unique (OTP) - e-mail"
       },
       "ADDGENERATOR": "Définir l'apparence du secret",
       "GENERATORTYPE": "Type",
diff --git a/console/src/assets/i18n/it.json b/console/src/assets/i18n/it.json
index 387bc187d7..ed6e2fd811 100644
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@@ -1101,7 +1101,9 @@
         "3": "Verificazione del numero di telefono",
         "4": "Ripristino Password",
         "5": "Inizializzazione Passwordless",
-        "6": "Segreto dell'applicazione"
+        "6": "Segreto dell'applicazione",
+        "7": "One Time Password (OTP) - SMS",
+        "8": "One Time Password (OTP) - email"
       },
       "ADDGENERATOR": "Definisci aspetto",
       "GENERATORTYPE": "Tipo",
diff --git a/console/src/assets/i18n/ja.json b/console/src/assets/i18n/ja.json
index 8ac4692d38..bdba41562b 100644
--- a/console/src/assets/i18n/ja.json
+++ b/console/src/assets/i18n/ja.json
@@ -1102,7 +1102,9 @@
         "3": "電話番号認証",
         "4": "パスワードのリセット",
         "5": "パスワードレスの初期設定",
-        "6": "アプリのシークレット"
+        "6": "アプリのシークレット",
+        "7": "ワンタイムパスワード (OTP) - SMS",
+        "8": "ワンタイムパスワード (OTP) - 電子メール"
       },
       "ADDGENERATOR": "シークレットの設定を定義する",
       "GENERATORTYPE": "タイプ",
diff --git a/console/src/assets/i18n/mk.json b/console/src/assets/i18n/mk.json
index b511a8ced9..87d2e8a6ef 100644
--- a/console/src/assets/i18n/mk.json
+++ b/console/src/assets/i18n/mk.json
@@ -1102,7 +1102,9 @@
         "3": "Телефонска верификација",
         "4": "Промена на лозинка",
         "5": "Иницијализација на најава без лозинка",
-        "6": "Апликациска тајна"
+        "6": "Апликациска тајна",
+        "7": "Еднократна лозинка (OTP) - СМС",
+        "8": "Еднократна лозинка (OTP) - е-пошта"
       },
       "ADDGENERATOR": "Дефинирајте изглед на тајна",
       "GENERATORTYPE": "Тип",
diff --git a/console/src/assets/i18n/pl.json b/console/src/assets/i18n/pl.json
index 774038f7ce..cd79105421 100644
--- a/console/src/assets/i18n/pl.json
+++ b/console/src/assets/i18n/pl.json
@@ -1101,7 +1101,9 @@
         "3": "Weryfikacja telefonu",
         "4": "Resetowanie hasła",
         "5": "Inicjalizacja bez hasła",
-        "6": "Sekret aplikacji"
+        "6": "Sekret aplikacji",
+        "7": "Hasło jednorazowe (OTP) - SMS",
+        "8": "Hasło jednorazowe (OTP) — e-mail"
       },
       "ADDGENERATOR": "Zdefiniuj wygląd sekretu",
       "GENERATORTYPE": "Typ",
diff --git a/console/src/assets/i18n/pt.json b/console/src/assets/i18n/pt.json
index 00607c1596..21e5d79359 100644
--- a/console/src/assets/i18n/pt.json
+++ b/console/src/assets/i18n/pt.json
@@ -1102,7 +1102,9 @@
         "3": "Verificação de telefone",
         "4": "Redefinição de senha",
         "5": "Inicialização sem senha",
-        "6": "Segredo do aplicativo"
+        "6": "Segredo do aplicativo",
+        "7": "Senha única (OTP) - SMS",
+        "8": "Senha única (OTP) - e-mail"
       },
       "ADDGENERATOR": "Definir aparência de segredo",
       "GENERATORTYPE": "Tipo",
diff --git a/console/src/assets/i18n/zh.json b/console/src/assets/i18n/zh.json
index 423fbf027a..5247d16913 100644
--- a/console/src/assets/i18n/zh.json
+++ b/console/src/assets/i18n/zh.json
@@ -1101,7 +1101,9 @@
         "3": "电话号码验证",
         "4": "重置密码",
         "5": "无密码认证初始化",
-        "6": "App 验证"
+        "6": "App 验证",
+        "7": "一次性密码 (OTP) - SMS",
+        "8": "一次性密码 (OTP) - 电子邮件"
       },
       "ADDGENERATOR": "定义验证码外观",
       "GENERATORTYPE": "类型",
diff --git a/docs/docs/guides/manage/console/instance-settings.mdx b/docs/docs/guides/manage/console/instance-settings.mdx
index 2603caee52..913661c33d 100644
--- a/docs/docs/guides/manage/console/instance-settings.mdx
+++ b/docs/docs/guides/manage/console/instance-settings.mdx
@@ -279,6 +279,8 @@ The following secrets can be configured:
 - Password reset code
 - Passwordless initialization code
 - Application secrets
+- One Time Password (OTP) - SMS
+- One Time Password (OTP) - Email
 
 <img
   src="/docs/img/guides/console/secretappearance.png"
diff --git a/internal/api/grpc/admin/iam_settings_converter.go b/internal/api/grpc/admin/iam_settings_converter.go
index 7dfd1a381e..5b3429d757 100644
--- a/internal/api/grpc/admin/iam_settings_converter.go
+++ b/internal/api/grpc/admin/iam_settings_converter.go
@@ -72,6 +72,7 @@ func SecretGeneratorsToPb(generators []*query.SecretGenerator) []*settings_pb.Se
 
 func SecretGeneratorToPb(generator *query.SecretGenerator) *settings_pb.SecretGenerator {
 	mapped := &settings_pb.SecretGenerator{
+		GeneratorType:       SecretGeneratorTypeToPb(generator.GeneratorType),
 		Length:              uint32(generator.Length),
 		Expiry:              durationpb.New(generator.Expiry),
 		IncludeUpperLetters: generator.IncludeUpperLetters,
@@ -97,6 +98,10 @@ func SecretGeneratorTypeToPb(generatorType domain.SecretGeneratorType) settings_
 		return settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_PASSWORDLESS_INIT_CODE
 	case domain.SecretGeneratorTypeAppSecret:
 		return settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_APP_SECRET
+	case domain.SecretGeneratorTypeOTPSMS:
+		return settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_OTP_SMS
+	case domain.SecretGeneratorTypeOTPEmail:
+		return settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_OTP_EMAIL
 	default:
 		return settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_UNSPECIFIED
 	}
@@ -116,6 +121,10 @@ func SecretGeneratorTypeToDomain(generatorType settings_pb.SecretGeneratorType)
 		return domain.SecretGeneratorTypePasswordlessInitCode
 	case settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_APP_SECRET:
 		return domain.SecretGeneratorTypeAppSecret
+	case settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_OTP_SMS:
+		return domain.SecretGeneratorTypeOTPSMS
+	case settings_pb.SecretGeneratorType_SECRET_GENERATOR_TYPE_OTP_EMAIL:
+		return domain.SecretGeneratorTypeOTPEmail
 	default:
 		return domain.SecretGeneratorTypeUnspecified
 	}
diff --git a/internal/command/instance.go b/internal/command/instance.go
index ac52c351d6..6ae4776521 100644
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@@ -48,6 +48,8 @@ type InstanceSetup struct {
 		PasswordVerificationCode *crypto.GeneratorConfig
 		PasswordlessInitCode     *crypto.GeneratorConfig
 		DomainVerification       *crypto.GeneratorConfig
+		OTPSMS                   *crypto.GeneratorConfig
+		OTPEmail                 *crypto.GeneratorConfig
 	}
 	PasswordComplexityPolicy struct {
 		MinLength    uint64
@@ -201,6 +203,8 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str
 		prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypePasswordResetCode, setup.SecretGenerators.PasswordVerificationCode),
 		prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypePasswordlessInitCode, setup.SecretGenerators.PasswordlessInitCode),
 		prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypeVerifyDomain, setup.SecretGenerators.DomainVerification),
+		prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypeOTPSMS, setup.SecretGenerators.OTPSMS),
+		prepareAddSecretGeneratorConfig(instanceAgg, domain.SecretGeneratorTypeOTPEmail, setup.SecretGenerators.OTPEmail),
 
 		prepareAddDefaultPasswordComplexityPolicy(
 			instanceAgg,
diff --git a/internal/command/instance_settings.go b/internal/command/instance_settings.go
index 3105f58dcc..05684ed933 100644
--- a/internal/command/instance_settings.go
+++ b/internal/command/instance_settings.go
@@ -79,10 +79,26 @@ func (c *Commands) ChangeSecretGeneratorConfig(ctx context.Context, generatorTyp
 	if err != nil {
 		return nil, err
 	}
-	if generatorWriteModel.State == domain.SecretGeneratorStateUnspecified || generatorWriteModel.State == domain.SecretGeneratorStateRemoved {
-		return nil, errors.ThrowNotFound(nil, "COMMAND-3n9ls", "Errors.SecretGenerator.NotFound")
-	}
 	instanceAgg := InstanceAggregateFromWriteModel(&generatorWriteModel.WriteModel)
+	if generatorWriteModel.State == domain.SecretGeneratorStateUnspecified || generatorWriteModel.State == domain.SecretGeneratorStateRemoved {
+		err = c.pushAppendAndReduce(ctx, generatorWriteModel,
+			instance.NewSecretGeneratorAddedEvent(
+				ctx,
+				instanceAgg,
+				generatorType,
+				config.Length,
+				config.Expiry,
+				config.IncludeLowerLetters,
+				config.IncludeUpperLetters,
+				config.IncludeDigits,
+				config.IncludeSymbols,
+			),
+		)
+		if err != nil {
+			return nil, err
+		}
+		return writeModelToObjectDetails(&generatorWriteModel.WriteModel), nil
+	}
 
 	changedEvent, hasChanged, err := generatorWriteModel.NewChangedEvent(
 		ctx,
@@ -100,12 +116,7 @@ func (c *Commands) ChangeSecretGeneratorConfig(ctx context.Context, generatorTyp
 	if !hasChanged {
 		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-m0o3f", "Errors.NoChangesFound")
 	}
-	pushedEvents, err := c.eventstore.Push(ctx, changedEvent)
-	if err != nil {
-		return nil, err
-	}
-	err = AppendAndReduce(generatorWriteModel, pushedEvents...)
-	if err != nil {
+	if err = c.pushAppendAndReduce(ctx, generatorWriteModel, changedEvent); err != nil {
 		return nil, err
 	}
 	return writeModelToObjectDetails(&generatorWriteModel.WriteModel), nil
diff --git a/internal/command/instance_settings_test.go b/internal/command/instance_settings_test.go
index ad95fc0612..6b0011511d 100644
--- a/internal/command/instance_settings_test.go
+++ b/internal/command/instance_settings_test.go
@@ -6,8 +6,8 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/zitadel/zitadel/internal/api/authz"
 
+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
@@ -155,7 +155,7 @@ func TestCommandSide_AddSecretGenerator(t *testing.T) {
 
 func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore func(t *testing.T) *eventstore.Eventstore
 	}
 	type args struct {
 		ctx           context.Context
@@ -176,12 +176,10 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 		{
 			name: "empty generatortype, invalid error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
-				ctx:           context.Background(),
+				ctx:           authz.WithInstanceID(context.Background(), "INSTANCE"),
 				generator:     &crypto.GeneratorConfig{},
 				generatorType: domain.SecretGeneratorTypeUnspecified,
 			},
@@ -190,26 +188,53 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 			},
 		},
 		{
-			name: "generator not existing, not found error",
+			name: "generator not existing, new added ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(),
+					expectPush(
+						[]*repository.Event{
+							eventFromEventPusherWithInstanceID(
+								"INSTANCE",
+								instance.NewSecretGeneratorAddedEvent(
+									context.Background(),
+									&instance.NewAggregate("INSTANCE").Aggregate,
+									domain.SecretGeneratorTypeInitCode,
+									4,
+									time.Hour*1,
+									true,
+									true,
+									true,
+									true,
+								),
+							),
+						},
+						uniqueConstraintsFromEventConstraintWithInstanceID("INSTANCE", instance.NewAddSecretGeneratorTypeUniqueConstraint(domain.SecretGeneratorTypeInitCode)),
+					),
 				),
 			},
 			args: args{
-				ctx:           context.Background(),
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				generator: &crypto.GeneratorConfig{
+					Length:              4,
+					Expiry:              1 * time.Hour,
+					IncludeLowerLetters: true,
+					IncludeUpperLetters: true,
+					IncludeDigits:       true,
+					IncludeSymbols:      true,
+				},
 				generatorType: domain.SecretGeneratorTypeInitCode,
 			},
 			res: res{
-				err: caos_errs.IsNotFound,
+				want: &domain.ObjectDetails{
+					ResourceOwner: "INSTANCE",
+				},
 			},
 		},
 		{
-			name: "generator removed, not found error",
+			name: "generator removed, new added ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(
@@ -230,21 +255,49 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 								domain.SecretGeneratorTypeInitCode),
 						),
 					),
+					expectPush(
+						[]*repository.Event{
+							eventFromEventPusherWithInstanceID(
+								"INSTANCE",
+								instance.NewSecretGeneratorAddedEvent(
+									context.Background(),
+									&instance.NewAggregate("INSTANCE").Aggregate,
+									domain.SecretGeneratorTypeInitCode,
+									4,
+									time.Hour*1,
+									true,
+									true,
+									true,
+									true,
+								),
+							),
+						},
+						uniqueConstraintsFromEventConstraintWithInstanceID("INSTANCE", instance.NewAddSecretGeneratorTypeUniqueConstraint(domain.SecretGeneratorTypeInitCode)),
+					),
 				),
 			},
 			args: args{
-				ctx:           context.Background(),
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				generator: &crypto.GeneratorConfig{
+					Length:              4,
+					Expiry:              1 * time.Hour,
+					IncludeLowerLetters: true,
+					IncludeUpperLetters: true,
+					IncludeDigits:       true,
+					IncludeSymbols:      true,
+				},
 				generatorType: domain.SecretGeneratorTypeInitCode,
 			},
 			res: res{
-				err: caos_errs.IsNotFound,
+				want: &domain.ObjectDetails{
+					ResourceOwner: "INSTANCE",
+				},
 			},
 		},
 		{
 			name: "no changes, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(
@@ -263,7 +316,7 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 				),
 			},
 			args: args{
-				ctx: context.Background(),
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
 				generator: &crypto.GeneratorConfig{
 					Length:              4,
 					Expiry:              1 * time.Hour,
@@ -281,8 +334,7 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 		{
 			name: "secret generator change, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(
@@ -300,7 +352,7 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 					),
 					expectPush(
 						[]*repository.Event{
-							eventFromEventPusher(
+							eventFromEventPusherWithInstanceID("INSTANCE",
 								newSecretGeneratorChangedEvent(context.Background(),
 									domain.SecretGeneratorTypeInitCode,
 									8,
@@ -308,14 +360,15 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 									false,
 									false,
 									false,
-									false),
+									false,
+								),
 							),
 						},
 					),
 				),
 			},
 			args: args{
-				ctx: context.Background(),
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
 				generator: &crypto.GeneratorConfig{
 					Length:              8,
 					Expiry:              2 * time.Hour,
@@ -336,7 +389,7 @@ func TestCommandSide_ChangeSecretGenerator(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore: tt.fields.eventstore(t),
 			}
 			got, err := r.ChangeSecretGeneratorConfig(tt.args.ctx, tt.args.generatorType, tt.args.generator)
 			if tt.res.err == nil {
diff --git a/internal/domain/secret_generator.go b/internal/domain/secret_generator.go
index 892fd463b8..4a3300a1bf 100644
--- a/internal/domain/secret_generator.go
+++ b/internal/domain/secret_generator.go
@@ -11,6 +11,8 @@ const (
 	SecretGeneratorTypePasswordResetCode
 	SecretGeneratorTypePasswordlessInitCode
 	SecretGeneratorTypeAppSecret
+	SecretGeneratorTypeOTPSMS
+	SecretGeneratorTypeOTPEmail
 
 	secretGeneratorTypeCount
 )
diff --git a/proto/zitadel/settings.proto b/proto/zitadel/settings.proto
index c8e879f54b..37cc4e9569 100644
--- a/proto/zitadel/settings.proto
+++ b/proto/zitadel/settings.proto
@@ -48,6 +48,8 @@ enum SecretGeneratorType {
   SECRET_GENERATOR_TYPE_PASSWORD_RESET_CODE = 4;
   SECRET_GENERATOR_TYPE_PASSWORDLESS_INIT_CODE = 5;
   SECRET_GENERATOR_TYPE_APP_SECRET = 6;
+  SECRET_GENERATOR_TYPE_OTP_SMS = 7;
+  SECRET_GENERATOR_TYPE_OTP_EMAIL = 8;
 }
 
 message SMTPConfig {