feat: User login commands (#1228)

* feat: change login to command side

* feat: change login to command side

* fix: fix push on user

* feat: user command side

* feat: sign out

* feat: command side login

* feat: command side login

* feat: fix register user

* feat: fix register user

* feat: fix web auth n events

* feat: add machine keys

* feat: send codes

* feat: move authrequest to domain

* feat: move authrequest to domain

* feat: webauthn working

* feat: external users

* feat: external users login

* feat: notify users

* fix: tests

* feat: cascade remove user grants on project remove

* fix: webauthn

* fix: pr requests

* fix: register human with member

* fix: fix bugs

* fix: fix bugs

internal/api/oidc/auth_request.go

@@ -89,7 +89,7 @@ func (o *OPStorage) CreateToken(ctx context.Context, req op.TokenRequest) (_ str
 		userAgentID = authReq.AgentID
 		applicationID = authReq.ApplicationID
 	}
-	resp, err := o.repo.CreateToken(ctx, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
+	resp, err := o.command.CreateUserToken(ctx, authReq.UserOrgID, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
 	if err != nil {
 		return "", time.Time{}, err
 	}
@@ -113,7 +113,11 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
 	if !ok {
 		return errors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
 	}
-	return o.repo.SignOut(ctx, userAgentID)
+	userIDs, err := o.repo.UserSessionUserIDsByAgentID(ctx, userAgentID)
+	if err != nil {
+		return err
+	}
+	return o.command.HumansSignOut(ctx, userAgentID, userIDs)
 }
 
 func (o *OPStorage) GetSigningKey(ctx context.Context, keyCh chan<- jose.SigningKey, errCh chan<- error, timer <-chan time.Time) {

internal/api/oidc/auth_request_converter.go

@@ -2,6 +2,7 @@ package oidc
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net"
 	"time"
 
@@ -10,7 +11,6 @@ import (
 	"golang.org/x/text/language"
 
 	http_utils "github.com/caos/zitadel/internal/api/http"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/errors"
 )
 
@@ -22,7 +22,7 @@ const (
 )
 
 type AuthRequest struct {
-	*model.AuthRequest
+	*domain.AuthRequest
 }
 
 func (a *AuthRequest) GetID() string {
@@ -92,26 +92,26 @@ func (a *AuthRequest) GetSubject() string {
 
 func (a *AuthRequest) Done() bool {
 	for _, step := range a.PossibleSteps {
-		if step.Type() == model.NextStepRedirectToCallback {
+		if step.Type() == domain.NextStepRedirectToCallback {
 			return true
 		}
 	}
 	return false
 }
 
-func (a *AuthRequest) oidc() *model.AuthRequestOIDC {
-	return a.Request.(*model.AuthRequestOIDC)
+func (a *AuthRequest) oidc() *domain.AuthRequestOIDC {
+	return a.Request.(*domain.AuthRequestOIDC)
 }
 
-func AuthRequestFromBusiness(authReq *model.AuthRequest) (_ op.AuthRequest, err error) {
-	if _, ok := authReq.Request.(*model.AuthRequestOIDC); !ok {
+func AuthRequestFromBusiness(authReq *domain.AuthRequest) (_ op.AuthRequest, err error) {
+	if _, ok := authReq.Request.(*domain.AuthRequestOIDC); !ok {
 		return nil, errors.ThrowInvalidArgument(nil, "OIDC-Haz7A", "auth request is not of type oidc")
 	}
 	return &AuthRequest{authReq}, nil
 }
 
-func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest, userAgentID, userID string) *model.AuthRequest {
-	return &model.AuthRequest{
+func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest, userAgentID, userID string) *domain.AuthRequest {
+	return &domain.AuthRequest{
 		AgentID:       userAgentID,
 		BrowserInfo:   ParseBrowserInfoFromContext(ctx),
 		ApplicationID: authReq.ClientID,
@@ -123,7 +123,7 @@ func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest,
 		LoginHint:     authReq.LoginHint,
 		MaxAuthAge:    authReq.MaxAge,
 		UserID:        userID,
-		Request: &model.AuthRequestOIDC{
+		Request: &domain.AuthRequestOIDC{
 			Scopes:        authReq.Scopes,
 			ResponseType:  ResponseTypeToBusiness(authReq.ResponseType),
 			Nonce:         authReq.Nonce,
@@ -132,10 +132,10 @@ func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest,
 	}
 }
 
-func ParseBrowserInfoFromContext(ctx context.Context) *model.BrowserInfo {
+func ParseBrowserInfoFromContext(ctx context.Context) *domain.BrowserInfo {
 	userAgent, acceptLang := HttpHeadersFromContext(ctx)
 	ip := IpFromContext(ctx)
-	return &model.BrowserInfo{RemoteIP: ip, UserAgent: userAgent, AcceptLanguage: acceptLang}
+	return &domain.BrowserInfo{RemoteIP: ip, UserAgent: userAgent, AcceptLanguage: acceptLang}
 }
 
 func HttpHeadersFromContext(ctx context.Context) (userAgent, acceptLang string) {
@@ -160,22 +160,22 @@ func IpFromContext(ctx context.Context) net.IP {
 	return net.ParseIP(ipString)
 }
 
-func PromptToBusiness(prompt oidc.Prompt) model.Prompt {
+func PromptToBusiness(prompt oidc.Prompt) domain.Prompt {
 	switch prompt {
 	case oidc.PromptNone:
-		return model.PromptNone
+		return domain.PromptNone
 	case oidc.PromptLogin:
-		return model.PromptLogin
+		return domain.PromptLogin
 	case oidc.PromptConsent:
-		return model.PromptConsent
+		return domain.PromptConsent
 	case oidc.PromptSelectAccount:
-		return model.PromptSelectAccount
+		return domain.PromptSelectAccount
 	default:
-		return model.PromptUnspecified
+		return domain.PromptUnspecified
 	}
 }
 
-func ACRValuesToBusiness(values []string) []model.LevelOfAssurance {
+func ACRValuesToBusiness(values []string) []domain.LevelOfAssurance {
 	return nil
 }
 
@@ -190,52 +190,52 @@ func UILocalesToBusiness(tags []language.Tag) []string {
 	return locales
 }
 
-func ResponseTypeToBusiness(responseType oidc.ResponseType) model.OIDCResponseType {
+func ResponseTypeToBusiness(responseType oidc.ResponseType) domain.OIDCResponseType {
 	switch responseType {
 	case oidc.ResponseTypeCode:
-		return model.OIDCResponseTypeCode
+		return domain.OIDCResponseTypeCode
 	case oidc.ResponseTypeIDTokenOnly:
-		return model.OIDCResponseTypeIdToken
+		return domain.OIDCResponseTypeIDToken
 	case oidc.ResponseTypeIDToken:
-		return model.OIDCResponseTypeIdTokenToken
+		return domain.OIDCResponseTypeIDTokenToken
 	default:
-		return model.OIDCResponseTypeCode
+		return domain.OIDCResponseTypeCode
 	}
 }
 
-func ResponseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
+func ResponseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType {
 	switch responseType {
-	case model.OIDCResponseTypeCode:
+	case domain.OIDCResponseTypeCode:
 		return oidc.ResponseTypeCode
-	case model.OIDCResponseTypeIdTokenToken:
+	case domain.OIDCResponseTypeIDTokenToken:
 		return oidc.ResponseTypeIDToken
-	case model.OIDCResponseTypeIdToken:
+	case domain.OIDCResponseTypeIDToken:
 		return oidc.ResponseTypeIDTokenOnly
 	default:
 		return oidc.ResponseTypeCode
 	}
 }
 
-func CodeChallengeToBusiness(challenge string, method oidc.CodeChallengeMethod) *model.OIDCCodeChallenge {
+func CodeChallengeToBusiness(challenge string, method oidc.CodeChallengeMethod) *domain.OIDCCodeChallenge {
 	if challenge == "" {
 		return nil
 	}
-	challengeMethod := model.CodeChallengeMethodPlain
+	challengeMethod := domain.CodeChallengeMethodPlain
 	if method == oidc.CodeChallengeMethodS256 {
-		challengeMethod = model.CodeChallengeMethodS256
+		challengeMethod = domain.CodeChallengeMethodS256
 	}
-	return &model.OIDCCodeChallenge{
+	return &domain.OIDCCodeChallenge{
 		Challenge: challenge,
 		Method:    challengeMethod,
 	}
 }
 
-func CodeChallengeToOIDC(challenge *model.OIDCCodeChallenge) *oidc.CodeChallenge {
+func CodeChallengeToOIDC(challenge *domain.OIDCCodeChallenge) *oidc.CodeChallenge {
 	if challenge == nil {
 		return nil
 	}
 	challengeMethod := oidc.CodeChallengeMethodPlain
-	if challenge.Method == model.CodeChallengeMethodS256 {
+	if challenge.Method == domain.CodeChallengeMethodS256 {
 		challengeMethod = oidc.CodeChallengeMethodS256
 	}
 	return &oidc.CodeChallenge{
@@ -244,12 +244,12 @@ func CodeChallengeToOIDC(challenge *model.OIDCCodeChallenge) *oidc.CodeChallenge
 	}
 }
 
-func AMRFromMFAType(mfaType model.MFAType) string {
+func AMRFromMFAType(mfaType domain.MFAType) string {
 	switch mfaType {
-	case model.MFATypeOTP:
+	case domain.MFATypeOTP:
 		return amrOTP
-	case model.MFATypeU2F,
-		model.MFATypeU2FUserVerification:
+	case domain.MFATypeU2F,
+		domain.MFATypeU2FUserVerification:
 		return amrUserPresence
 	default:
 		return ""

internal/api/oidc/op.go

@@ -3,6 +3,8 @@ package oidc
 import (
 	"context"
 	"github.com/caos/zitadel/internal/telemetry/metrics"
+	"github.com/caos/zitadel/internal/v2/command"
+	"github.com/caos/zitadel/internal/v2/query"
 	"time"
 
 	"github.com/caos/logging"
@@ -46,13 +48,15 @@ type Endpoint struct {
 
 type OPStorage struct {
 	repo                       repository.Repository
+	command                    *command.CommandSide
+	query                      *query.QuerySide
 	defaultLoginURL            string
 	defaultAccessTokenLifetime time.Duration
 	defaultIdTokenLifetime     time.Duration
 	signingKeyAlgorithm        string
 }
 
-func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
+func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.CommandSide, query *query.QuerySide, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
 	cookieHandler, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
 	logging.Log("OIDC-sd4fd").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Panic("cannot user agent handler")
 	config.OPConfig.CodeMethodS256 = true
@@ -60,7 +64,7 @@ func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Re
 	provider, err := op.NewOpenIDProvider(
 		ctx,
 		config.OPConfig,
-		newStorage(config.StorageConfig, repo),
+		newStorage(config.StorageConfig, command, query, repo),
 		op.WithHttpInterceptors(
 			middleware.MetricsHandler(metricTypes),
 			middleware.TelemetryHandler(),
@@ -79,9 +83,11 @@ func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Re
 	return provider
 }
 
-func newStorage(config StorageConfig, repo repository.Repository) *OPStorage {
+func newStorage(config StorageConfig, command *command.CommandSide, query *query.QuerySide, repo repository.Repository) *OPStorage {
 	return &OPStorage{
 		repo:                       repo,
+		command:                    command,
+		query:                      query,
 		defaultLoginURL:            config.DefaultLoginURL,
 		signingKeyAlgorithm:        config.SigningKeyAlgorithm,
 		defaultAccessTokenLifetime: config.DefaultAccessTokenLifetime.Duration,