feat: User login commands (#1228)

* feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs
2025-08-15 01:57:41 +00:00 · 2021-02-08 11:30:30 +01:00
parent c65331df1a
commit 320679467b
123 changed files with 2949 additions and 1212 deletions
--- a/internal/ui/login/handler/auth_request.go
+++ b/internal/ui/login/handler/auth_request.go
@@ -1,17 +1,17 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
 	queryAuthRequestID = "authRequestID"
 )

-func (l *Login) getAuthRequest(r *http.Request) (*model.AuthRequest, error) {
+func (l *Login) getAuthRequest(r *http.Request) (*domain.AuthRequest, error) {
 	authRequestID := r.FormValue(queryAuthRequestID)
 	if authRequestID == "" {
 		return nil, nil
@@ -20,7 +20,7 @@ func (l *Login) getAuthRequest(r *http.Request) (*model.AuthRequest, error) {
 	return l.authRepo.AuthRequestByID(r.Context(), authRequestID, userAgentID)
 }

-func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*model.AuthRequest, error) {
+func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*domain.AuthRequest, error) {
 	authReq, err := l.getAuthRequest(r)
 	if err != nil {
 		return nil, err
--- a/internal/ui/login/handler/callback_handler.go
+++ b/internal/ui/login/handler/callback_handler.go
@@ -1,12 +1,11 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
-
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

-func (l *Login) redirectToCallback(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) redirectToCallback(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	callback := l.oidcAuthCallbackURL + authReq.ID
 	http.Redirect(w, r, callback, http.StatusFound)
 }
--- a/internal/ui/login/handler/change_password_handler.go
+++ b/internal/ui/login/handler/change_password_handler.go
@@ -1,10 +1,10 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -26,7 +26,7 @@ func (l *Login) handleChangePassword(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.ChangePassword(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.OldPassword, data.NewPassword, userAgentID)
+	err = l.command.ChangePassword(setContext(r.Context(), authReq.UserOrgID), authReq.UserOrgID, authReq.UserID, data.OldPassword, data.NewPassword, userAgentID)
 	if err != nil {
 		l.renderChangePassword(w, r, authReq, err)
 		return
@@ -34,7 +34,7 @@ func (l *Login) handleChangePassword(w http.ResponseWriter, r *http.Request) {
 	l.renderChangePasswordDone(w, r, authReq)
 }

-func (l *Login) renderChangePassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderChangePassword(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -63,7 +63,7 @@ func (l *Login) renderChangePassword(w http.ResponseWriter, r *http.Request, aut
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplChangePassword], data, nil)
 }

-func (l *Login) renderChangePasswordDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) renderChangePasswordDone(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	var errType, errMessage string
 	data := l.getUserData(r, authReq, "Password Change Done", errType, errMessage)
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplChangePasswordDone], data, nil)
--- a/internal/ui/login/handler/external_login_handler.go
+++ b/internal/ui/login/handler/external_login_handler.go
@@ -4,14 +4,11 @@ import (
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/rp"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	caos_errors "github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
-	org_model "github.com/caos/zitadel/internal/org/model"
-	usr_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
 	"strings"
 	"time"
@@ -41,7 +38,7 @@ type externalNotFoundOptionData struct {
 	baseData
 }

-func (l *Login) handleExternalLoginStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, selectedIDPConfigID string) {
+func (l *Login) handleExternalLoginStep(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, selectedIDPConfigID string) {
 	for _, idp := range authReq.AllowedExternalIDPs {
 		if idp.IDPConfigID == selectedIDPConfigID {
 			l.handleIDP(w, r, authReq, selectedIDPConfigID)
@@ -65,7 +62,7 @@ func (l *Login) handleExternalLogin(w http.ResponseWriter, r *http.Request) {
 	l.handleIDP(w, r, authReq, data.IDPConfigID)
 }

-func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, selectedIDPConfigID string) {
+func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, selectedIDPConfigID string) {
 	idpConfig, err := l.getIDPConfigByID(r, selectedIDPConfigID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
@@ -84,7 +81,7 @@ func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *model
 	l.handleOIDCAuthorize(w, r, authReq, idpConfig, EndpointExternalLoginCallback)
 }

-func (l *Login) handleOIDCAuthorize(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, callbackEndpoint string) {
+func (l *Login) handleOIDCAuthorize(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView, callbackEndpoint string) {
 	provider := l.getRPConfig(w, r, authReq, idpConfig, callbackEndpoint)
 	http.Redirect(w, r, rp.AuthURL(authReq.ID, provider, rp.WithPrompt(oidc.PromptSelectAccount)), http.StatusFound)
 }
@@ -116,7 +113,7 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 	l.handleExternalUserAuthenticated(w, r, authReq, idpConfig, userAgentID, tokens)
 }

-func (l *Login) getRPConfig(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, callbackEndpoint string) rp.RelayingParty {
+func (l *Login) getRPConfig(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView, callbackEndpoint string) rp.RelayingParty {
 	oidcClientSecret, err := crypto.DecryptString(idpConfig.OIDCClientSecret, l.IDPConfigAesCrypto)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
@@ -130,9 +127,9 @@ func (l *Login) getRPConfig(w http.ResponseWriter, r *http.Request, authReq *mod
 	return provider
 }

-func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
+func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
 	externalUser := l.mapTokenToLoginUser(tokens, idpConfig)
-	err := l.authRepo.CheckExternalUserLogin(r.Context(), authReq.ID, userAgentID, externalUser, model.BrowserInfoFromRequest(r))
+	err := l.authRepo.CheckExternalUserLogin(r.Context(), authReq.ID, userAgentID, externalUser, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		if errors.IsNotFound(err) {
 			err = nil
@@ -143,7 +140,7 @@ func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.R
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -176,7 +173,7 @@ func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http
 	l.handleAutoRegister(w, r, authReq)
 }

-func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	iam, err := l.authRepo.GetIAM(r.Context())
 	if err != nil {
 		l.renderExternalNotFoundOption(w, r, authReq, err)
@@ -184,13 +181,10 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR
 	}

 	resourceOwner := iam.GlobalOrgID
-	member := &org_model.OrgMember{
-		ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},
-		Roles:      []string{orgProjectCreatorRole},
-	}
+	memberRoles := []string{domain.RoleOrgProjectCreator}

 	if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != iam.GlobalOrgID {
-		member = nil
+		memberRoles = nil
 		resourceOwner = authReq.RequestedOrgID
 	}

@@ -208,7 +202,7 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR

 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
 	user, externalIDP := l.mapExternalUserToLoginUser(orgIamPolicy, authReq.LinkingUsers[len(authReq.LinkingUsers)-1], idpConfig)
-	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, member, authReq.ID, userAgentID, resourceOwner, model.BrowserInfoFromRequest(r))
+	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, memberRoles, authReq.ID, userAgentID, resourceOwner, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderExternalNotFoundOption(w, r, authReq, err)
 		return
@@ -216,7 +210,7 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) mapTokenToLoginUser(tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) *model.ExternalUser {
+func (l *Login) mapTokenToLoginUser(tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) *domain.ExternalUser {
 	displayName := tokens.IDTokenClaims.GetPreferredUsername()
 	if displayName == "" && tokens.IDTokenClaims.GetEmail() != "" {
 		displayName = tokens.IDTokenClaims.GetEmail()
@@ -228,7 +222,7 @@ func (l *Login) mapTokenToLoginUser(tokens *oidc.Tokens, idpConfig *iam_model.ID
 		}
 	}

-	externalUser := &model.ExternalUser{
+	externalUser := &domain.ExternalUser{
 		IDPConfigID:       idpConfig.IDPConfigID,
 		ExternalUserID:    tokens.IDTokenClaims.GetSubject(),
 		PreferredUsername: tokens.IDTokenClaims.GetPreferredUsername(),
@@ -246,7 +240,7 @@ func (l *Login) mapTokenToLoginUser(tokens *oidc.Tokens, idpConfig *iam_model.ID
 	}
 	return externalUser
 }
-func (l *Login) mapExternalUserToLoginUser(orgIamPolicy *iam_model.OrgIAMPolicyView, linkingUser *model.ExternalUser, idpConfig *iam_model.IDPConfigView) (*usr_model.User, *usr_model.ExternalIDP) {
+func (l *Login) mapExternalUserToLoginUser(orgIamPolicy *iam_model.OrgIAMPolicyView, linkingUser *domain.ExternalUser, idpConfig *iam_model.IDPConfigView) (*domain.Human, *domain.ExternalIDP) {
 	username := linkingUser.PreferredUsername
 	switch idpConfig.OIDCUsernameMapping {
 	case iam_model.OIDCMappingFieldEmail:
@@ -262,23 +256,21 @@ func (l *Login) mapExternalUserToLoginUser(orgIamPolicy *iam_model.OrgIAMPolicyV
 		}
 	}

-	user := &usr_model.User{
-		UserName: username,
-		Human: &usr_model.Human{
-			Profile: &usr_model.Profile{
-				FirstName:         linkingUser.FirstName,
-				LastName:          linkingUser.LastName,
-				PreferredLanguage: linkingUser.PreferredLanguage,
-				NickName:          linkingUser.NickName,
-			},
-			Email: &usr_model.Email{
-				EmailAddress:    linkingUser.Email,
-				IsEmailVerified: linkingUser.IsEmailVerified,
-			},
+	human := &domain.Human{
+		Username: username,
+		Profile: &domain.Profile{
+			FirstName:         linkingUser.FirstName,
+			LastName:          linkingUser.LastName,
+			PreferredLanguage: linkingUser.PreferredLanguage,
+			NickName:          linkingUser.NickName,
+		},
+		Email: &domain.Email{
+			EmailAddress:    linkingUser.Email,
+			IsEmailVerified: linkingUser.IsEmailVerified,
 		},
 	}
 	if linkingUser.Phone != "" {
-		user.Phone = &usr_model.Phone{
+		human.Phone = &domain.Phone{
 			PhoneNumber:     linkingUser.Phone,
 			IsPhoneVerified: linkingUser.IsPhoneVerified,
 		}
@@ -292,10 +284,10 @@ func (l *Login) mapExternalUserToLoginUser(orgIamPolicy *iam_model.OrgIAMPolicyV
 		}
 	}

-	externalIDP := &usr_model.ExternalIDP{
-		IDPConfigID: idpConfig.IDPConfigID,
-		UserID:      linkingUser.ExternalUserID,
-		DisplayName: displayName,
+	externalIDP := &domain.ExternalIDP{
+		IDPConfigID:    idpConfig.IDPConfigID,
+		ExternalUserID: linkingUser.ExternalUserID,
+		DisplayName:    displayName,
 	}
-	return user, externalIDP
+	return human, externalIDP
 }
--- a/internal/ui/login/handler/external_register_handler.go
+++ b/internal/ui/login/handler/external_register_handler.go
@@ -1,20 +1,15 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
 	"strings"

 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/rp"
-	"golang.org/x/text/language"
-
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errors "github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
-	org_model "github.com/caos/zitadel/internal/org/model"
-	usr_model "github.com/caos/zitadel/internal/user/model"
 )

 func (l *Login) handleExternalRegister(w http.ResponseWriter, r *http.Request) {
@@ -73,20 +68,17 @@ func (l *Login) handleExternalRegisterCallback(w http.ResponseWriter, r *http.Re
 	l.handleExternalUserRegister(w, r, authReq, idpConfig, userAgentID, tokens)
 }

-func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
+func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
 	iam, err := l.authRepo.GetIAM(r.Context())
 	if err != nil {
 		l.renderRegisterOption(w, r, authReq, err)
 		return
 	}
 	resourceOwner := iam.GlobalOrgID
-	member := &org_model.OrgMember{
-		ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},
-		Roles:      []string{orgProjectCreatorRole},
-	}
+	memberRoles := []string{domain.RoleOrgProjectCreator}

 	if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != iam.GlobalOrgID {
-		member = nil
+		memberRoles = nil
 		resourceOwner = authReq.RequestedOrgID
 	}
 	orgIamPolicy, err := l.getOrgIamPolicy(r, resourceOwner)
@@ -94,8 +86,8 @@ func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Reques
 		l.renderRegisterOption(w, r, authReq, err)
 		return
 	}
-	user, externalIDP := l.mapTokenToLoginUserAndExternalIDP(orgIamPolicy, tokens, idpConfig)
-	_, err = l.authRepo.RegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, member, resourceOwner)
+	user, externalIDP := l.mapTokenToLoginHumanAndExternalIDP(orgIamPolicy, tokens, idpConfig)
+	_, err = l.command.RegisterHuman(setContext(r.Context(), resourceOwner), resourceOwner, user, externalIDP, memberRoles)
 	if err != nil {
 		l.renderRegisterOption(w, r, authReq, err)
 		return
@@ -103,7 +95,7 @@ func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Reques
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) mapTokenToLoginUserAndExternalIDP(orgIamPolicy *iam_model.OrgIAMPolicyView, tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) (*usr_model.User, *usr_model.ExternalIDP) {
+func (l *Login) mapTokenToLoginHumanAndExternalIDP(orgIamPolicy *iam_model.OrgIAMPolicyView, tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) (*domain.Human, *domain.ExternalIDP) {
 	username := tokens.IDTokenClaims.GetPreferredUsername()
 	switch idpConfig.OIDCUsernameMapping {
 	case iam_model.OIDCMappingFieldEmail:
@@ -119,23 +111,22 @@ func (l *Login) mapTokenToLoginUserAndExternalIDP(orgIamPolicy *iam_model.OrgIAM
 		}
 	}

-	user := &usr_model.User{
-		UserName: username,
-		Human: &usr_model.Human{
-			Profile: &usr_model.Profile{
-				FirstName:         tokens.IDTokenClaims.GetGivenName(),
-				LastName:          tokens.IDTokenClaims.GetFamilyName(),
-				PreferredLanguage: language.Tag(tokens.IDTokenClaims.GetLocale()),
-				NickName:          tokens.IDTokenClaims.GetNickname(),
-			},
-			Email: &usr_model.Email{
-				EmailAddress:    tokens.IDTokenClaims.GetEmail(),
-				IsEmailVerified: tokens.IDTokenClaims.IsEmailVerified(),
-			},
+	human := &domain.Human{
+		Username: username,
+		Profile: &domain.Profile{
+			FirstName:         tokens.IDTokenClaims.GetGivenName(),
+			LastName:          tokens.IDTokenClaims.GetFamilyName(),
+			PreferredLanguage: tokens.IDTokenClaims.GetLocale(),
+			NickName:          tokens.IDTokenClaims.GetNickname(),
+		},
+		Email: &domain.Email{
+			EmailAddress:    tokens.IDTokenClaims.GetEmail(),
+			IsEmailVerified: tokens.IDTokenClaims.IsEmailVerified(),
 		},
 	}
+
 	if tokens.IDTokenClaims.GetPhoneNumber() != "" {
-		user.Phone = &usr_model.Phone{
+		human.Phone = &domain.Phone{
 			PhoneNumber:     tokens.IDTokenClaims.GetPhoneNumber(),
 			IsPhoneVerified: tokens.IDTokenClaims.IsPhoneNumberVerified(),
 		}
@@ -149,10 +140,10 @@ func (l *Login) mapTokenToLoginUserAndExternalIDP(orgIamPolicy *iam_model.OrgIAM
 		}
 	}

-	externalIDP := &usr_model.ExternalIDP{
-		IDPConfigID: idpConfig.IDPConfigID,
-		UserID:      tokens.IDTokenClaims.GetSubject(),
-		DisplayName: displayName,
+	externalIDP := &domain.ExternalIDP{
+		IDPConfigID:    idpConfig.IDPConfigID,
+		ExternalUserID: tokens.IDTokenClaims.GetSubject(),
+		DisplayName:    displayName,
 	}
-	return user, externalIDP
+	return human, externalIDP
 }
--- a/internal/ui/login/handler/init_password_handler.go
+++ b/internal/ui/login/handler/init_password_handler.go
@@ -1,10 +1,10 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/errors"
 )

@@ -58,18 +58,18 @@ func (l *Login) handleInitPasswordCheck(w http.ResponseWriter, r *http.Request)
 	l.checkPWCode(w, r, authReq, data, nil)
 }

-func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *initPasswordFormData, err error) {
+func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *initPasswordFormData, err error) {
 	if data.Password != data.PasswordConfirm {
 		err := errors.ThrowInvalidArgument(nil, "VIEW-KaGue", "Errors.User.Password.ConfirmationWrong")
 		l.renderInitPassword(w, r, authReq, data.UserID, data.Code, err)
 		return
 	}
-	userOrg := login
+	userOrg := ""
 	if authReq != nil {
 		userOrg = authReq.UserOrgID
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.SetPassword(setContext(r.Context(), userOrg), data.UserID, data.Code, data.Password, userAgentID)
+	err = l.command.SetPassword(setContext(r.Context(), userOrg), userOrg, data.UserID, data.Code, data.Password, userAgentID)
 	if err != nil {
 		l.renderInitPassword(w, r, authReq, data.UserID, "", err)
 		return
@@ -77,16 +77,25 @@ func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *mod
 	l.renderInitPasswordDone(w, r, authReq)
 }

-func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
+	if authReq == nil {
+		l.renderError(w, r, nil, errors.ThrowInternal(nil, "LOGIN-8sn7s", "Errors.AuthRequest.NotFound"))
+		return
+	}
 	userOrg := login
 	if authReq != nil {
 		userOrg = authReq.UserOrgID
 	}
-	err := l.authRepo.RequestPasswordReset(setContext(r.Context(), userOrg), authReq.LoginName)
+	user, err := l.authRepo.UserByLoginName(setContext(r.Context(), userOrg), authReq.LoginName)
+	if err != nil {
+		l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
+		return
+	}
+	err = l.command.RequestSetPassword(setContext(r.Context(), userOrg), user.ID, user.ResourceOwner, domain.NotificationTypeEmail)
 	l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
 }

-func (l *Login) renderInitPassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, err error) {
+func (l *Login) renderInitPassword(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, userID, code string, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -121,7 +130,7 @@ func (l *Login) renderInitPassword(w http.ResponseWriter, r *http.Request, authR
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitPassword], data, nil)
 }

-func (l *Login) renderInitPasswordDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) renderInitPasswordDone(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	data := l.getUserData(r, authReq, "Password Init Done", "", "")
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitPasswordDone], data, nil)
 }
--- a/internal/ui/login/handler/init_user_handler.go
+++ b/internal/ui/login/handler/init_user_handler.go
@@ -1,10 +1,10 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
 	"strconv"

-	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 )

@@ -62,17 +62,17 @@ func (l *Login) handleInitUserCheck(w http.ResponseWriter, r *http.Request) {
 	l.checkUserInitCode(w, r, authReq, data, nil)
 }

-func (l *Login) checkUserInitCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *initUserFormData, err error) {
+func (l *Login) checkUserInitCode(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *initUserFormData, err error) {
 	if data.Password != data.PasswordConfirm {
 		err := caos_errs.ThrowInvalidArgument(nil, "VIEW-fsdfd", "Errors.User.Password.ConfirmationWrong")
 		l.renderInitUser(w, r, authReq, data.UserID, data.Code, data.PasswordSet, err)
 		return
 	}
-	userOrgID := login
+	userOrgID := ""
 	if authReq != nil {
 		userOrgID = authReq.UserOrgID
 	}
-	err = l.authRepo.VerifyInitCode(setContext(r.Context(), userOrgID), data.UserID, data.Code, data.Password)
+	err = l.command.HumanVerifyInitCode(setContext(r.Context(), userOrgID), data.UserID, userOrgID, data.Code, data.Password)
 	if err != nil {
 		l.renderInitUser(w, r, authReq, data.UserID, "", data.PasswordSet, err)
 		return
@@ -80,16 +80,16 @@ func (l *Login) checkUserInitCode(w http.ResponseWriter, r *http.Request, authRe
 	l.renderInitUserDone(w, r, authReq)
 }

-func (l *Login) resendUserInit(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID string, showPassword bool) {
-	userOrgID := login
+func (l *Login) resendUserInit(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, userID string, showPassword bool) {
+	userOrgID := ""
 	if authReq != nil {
 		userOrgID = authReq.UserOrgID
 	}
-	err := l.authRepo.ResendInitVerificationMail(setContext(r.Context(), userOrgID), userID)
+	err := l.command.ResendInitialMail(setContext(r.Context(), userOrgID), userID, "", userOrgID)
 	l.renderInitUser(w, r, authReq, userID, "", showPassword, err)
 }

-func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, passwordSet bool, err error) {
+func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, userID, code string, passwordSet bool, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -124,7 +124,7 @@ func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitUser], data, nil)
 }

-func (l *Login) renderInitUserDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) renderInitUserDone(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	data := l.getUserData(r, authReq, "User Init Done", "", "")
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitUserDone], data, nil)
 }
--- a/internal/ui/login/handler/link_users_handler.go
+++ b/internal/ui/login/handler/link_users_handler.go
@@ -2,22 +2,21 @@ package handler

 import (
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
-
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
 	tmplLinkUsersDone = "linkusersdone"
 )

-func (l *Login) linkUsers(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) linkUsers(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.LinkExternalUsers(setContext(r.Context(), authReq.UserOrgID), authReq.ID, userAgentID, model.BrowserInfoFromRequest(r))
+	err = l.authRepo.LinkExternalUsers(setContext(r.Context(), authReq.UserOrgID), authReq.ID, userAgentID, domain.BrowserInfoFromRequest(r))
 	l.renderLinkUsersDone(w, r, authReq, err)
 }

-func (l *Login) renderLinkUsersDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderLinkUsersDone(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	data := l.getUserData(r, authReq, "Linking Users Done", errType, errMessage)
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplLinkUsersDone], data, nil)
--- a/internal/ui/login/handler/login_handler.go
+++ b/internal/ui/login/handler/login_handler.go
@@ -1,10 +1,10 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -62,7 +62,7 @@ func (l *Login) handleLoginNameCheck(w http.ResponseWriter, r *http.Request) {
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) renderLogin(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderLogin(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
--- a/internal/ui/login/handler/mail_verify_handler.go
+++ b/internal/ui/login/handler/mail_verify_handler.go
@@ -1,9 +1,8 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
-
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -47,21 +46,21 @@ func (l *Login) handleMailVerificationCheck(w http.ResponseWriter, r *http.Reque
 		l.checkMailCode(w, r, authReq, data.UserID, data.Code)
 		return
 	}
-	userOrg := login
+	userOrg := ""
 	if authReq != nil {
 		userOrg = authReq.UserOrgID
 	}
-	err = l.authRepo.ResendEmailVerificationMail(setContext(r.Context(), userOrg), data.UserID)
+	err = l.command.CreateHumanEmailVerificationCode(setContext(r.Context(), userOrg), data.UserID, userOrg)
 	l.renderMailVerification(w, r, authReq, data.UserID, err)
 }

-func (l *Login) checkMailCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string) {
-	userOrg := login
+func (l *Login) checkMailCode(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, userID, code string) {
+	userOrg := ""
 	if authReq != nil {
 		userID = authReq.UserID
 		userOrg = authReq.UserOrgID
 	}
-	err := l.authRepo.VerifyEmail(setContext(r.Context(), userOrg), userID, code)
+	err := l.command.VerifyHumanEmail(setContext(r.Context(), userOrg), userID, code, userOrg)
 	if err != nil {
 		l.renderMailVerification(w, r, authReq, userID, err)
 		return
@@ -69,7 +68,7 @@ func (l *Login) checkMailCode(w http.ResponseWriter, r *http.Request, authReq *m
 	l.renderMailVerified(w, r, authReq)
 }

-func (l *Login) renderMailVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID string, err error) {
+func (l *Login) renderMailVerification(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, userID string, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -85,7 +84,7 @@ func (l *Login) renderMailVerification(w http.ResponseWriter, r *http.Request, a
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMailVerification], data, nil)
 }

-func (l *Login) renderMailVerified(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) renderMailVerified(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	data := mailVerificationData{
 		baseData:    l.getBaseData(r, authReq, "Mail Verified", "", ""),
 		profileData: l.getProfileData(authReq),
--- a/internal/ui/login/handler/mfa_init_done_handler.go
+++ b/internal/ui/login/handler/mfa_init_done_handler.go
@@ -1,9 +1,8 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
-
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -13,7 +12,7 @@ const (
 type mfaInitDoneData struct {
 }

-func (l *Login) renderMFAInitDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaDoneData) {
+func (l *Login) renderMFAInitDone(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *mfaDoneData) {
 	var errType, errMessage string
 	data.baseData = l.getBaseData(r, authReq, "MFA Init Done", errType, errMessage)
 	data.profileData = l.getProfileData(authReq)
--- a/internal/ui/login/handler/mfa_init_u2f.go
+++ b/internal/ui/login/handler/mfa_init_u2f.go
@@ -2,11 +2,11 @@ package handler

 import (
 	"encoding/base64"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
-	user_model "github.com/caos/zitadel/internal/user/model"
 )

 const (
@@ -18,11 +18,11 @@ type u2fInitData struct {
 	MFAType model.MFAType
 }

-func (l *Login) renderRegisterU2F(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderRegisterU2F(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage, credentialData string
-	var u2f *user_model.WebAuthNToken
+	var u2f *domain.WebAuthNToken
 	if err == nil {
-		u2f, err = l.authRepo.AddMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
+		u2f, err = l.command.HumanAddU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, true)
 	}
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -54,12 +54,12 @@ func (l *Login) handleRegisterU2F(w http.ResponseWriter, r *http.Request) {
 	}

 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	if err = l.authRepo.VerifyMFAU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Name, userAgentID, credData); err != nil {
+	if err = l.command.HumanVerifyU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, data.Name, userAgentID, credData); err != nil {
 		l.renderRegisterU2F(w, r, authReq, err)
 		return
 	}
 	done := &mfaDoneData{
-		MFAType: model.MFATypeU2F,
+		MFAType: domain.MFATypeU2F,
 	}
 	l.renderMFAInitDone(w, r, authReq, done)
 }
--- a/internal/ui/login/handler/mfa_init_verify_handler.go
+++ b/internal/ui/login/handler/mfa_init_verify_handler.go
@@ -2,13 +2,13 @@ package handler

 import (
 	"bytes"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	svg "github.com/ajstarks/svgo"
 	"github.com/boombuler/barcode/qr"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/qrcode"
 )

@@ -17,10 +17,10 @@ const (
 )

 type mfaInitVerifyData struct {
-	MFAType model.MFAType `schema:"mfaType"`
-	Code    string        `schema:"code"`
-	URL     string        `schema:"url"`
-	Secret  string        `schema:"secret"`
+	MFAType domain.MFAType `schema:"mfaType"`
+	Code    string         `schema:"code"`
+	URL     string         `schema:"url"`
+	Secret  string         `schema:"secret"`
 }

 func (l *Login) handleMFAInitVerify(w http.ResponseWriter, r *http.Request) {
@@ -32,7 +32,7 @@ func (l *Login) handleMFAInitVerify(w http.ResponseWriter, r *http.Request) {
 	}
 	var verifyData *mfaVerifyData
 	switch data.MFAType {
-	case model.MFATypeOTP:
+	case domain.MFATypeOTP:
 		verifyData = l.handleOTPVerify(w, r, authReq, data)
 	}

@@ -47,9 +47,9 @@ func (l *Login) handleMFAInitVerify(w http.ResponseWriter, r *http.Request) {
 	l.renderMFAInitDone(w, r, authReq, done)
 }

-func (l *Login) handleOTPVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaInitVerifyData) *mfaVerifyData {
+func (l *Login) handleOTPVerify(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *mfaInitVerifyData) *mfaVerifyData {
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err := l.authRepo.VerifyMFAOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code, userAgentID)
+	err := l.command.HumanCheckMFAOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code, userAgentID, authReq.UserOrgID)
 	if err == nil {
 		return nil
 	}
@@ -64,14 +64,14 @@ func (l *Login) handleOTPVerify(w http.ResponseWriter, r *http.Request, authReq
 	return mfadata
 }

-func (l *Login) renderMFAInitVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData, err error) {
+func (l *Login) renderMFAInitVerify(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *mfaVerifyData, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
 	}
 	data.baseData = l.getBaseData(r, authReq, "MFA Init Verify", errType, errMessage)
 	data.profileData = l.getProfileData(authReq)
-	if data.MFAType == model.MFATypeOTP {
+	if data.MFAType == domain.MFATypeOTP {
 		code, err := generateQrCode(data.otpData.Url)
 		if err == nil {
 			data.otpData.QrCode = code
--- a/internal/ui/login/handler/mfa_prompt_handler.go
+++ b/internal/ui/login/handler/mfa_prompt_handler.go
@@ -1,9 +1,9 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

-	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 )

@@ -12,8 +12,8 @@ const (
 )

 type mfaPromptData struct {
-	MFAProvider model.MFAType `schema:"provider"`
-	Skip        bool          `schema:"skip"`
+	MFAProvider domain.MFAType `schema:"provider"`
+	Skip        bool           `schema:"skip"`
 }

 func (l *Login) handleMFAPrompt(w http.ResponseWriter, r *http.Request) {
@@ -29,7 +29,7 @@ func (l *Login) handleMFAPrompt(w http.ResponseWriter, r *http.Request) {
 		l.handleMFACreation(w, r, authReq, mfaVerifyData)
 		return
 	}
-	err = l.authRepo.SkipMFAInit(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
+	err = l.command.HumanSkipMFAInit(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -48,7 +48,7 @@ func (l *Login) handleMFAPromptSelection(w http.ResponseWriter, r *http.Request)
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) renderMFAPrompt(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, mfaPromptData *model.MFAPromptStep, err error) {
+func (l *Login) renderMFAPrompt(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, mfaPromptData *domain.MFAPromptStep, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -76,20 +76,20 @@ func (l *Login) renderMFAPrompt(w http.ResponseWriter, r *http.Request, authReq
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAPrompt], data, nil)
 }

-func (l *Login) handleMFACreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
+func (l *Login) handleMFACreation(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *mfaVerifyData) {
 	switch data.MFAType {
-	case model.MFATypeOTP:
+	case domain.MFATypeOTP:
 		l.handleOTPCreation(w, r, authReq, data)
 		return
-	case model.MFATypeU2F:
+	case domain.MFATypeU2F:
 		l.renderRegisterU2F(w, r, authReq, nil)
 		return
 	}
 	l.renderError(w, r, authReq, caos_errs.ThrowPreconditionFailed(nil, "APP-Or3HO", "Errors.User.MFA.NoProviders"))
 }

-func (l *Login) handleOTPCreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
-	otp, err := l.authRepo.AddMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
+func (l *Login) handleOTPCreation(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *mfaVerifyData) {
+	otp, err := l.command.AddHumanOTP(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
--- a/internal/ui/login/handler/mfa_verify_handler.go
+++ b/internal/ui/login/handler/mfa_verify_handler.go
@@ -1,6 +1,7 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
@@ -25,7 +26,7 @@ func (l *Login) handleMFAVerify(w http.ResponseWriter, r *http.Request) {
 	}
 	if data.MFAType == model.MFATypeOTP {
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-		err = l.authRepo.VerifyMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, userAgentID, model.BrowserInfoFromRequest(r))
+		err = l.authRepo.VerifyMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Code, userAgentID, domain.BrowserInfoFromRequest(r))
 	}
 	if err != nil {
 		l.renderError(w, r, authReq, err)
@@ -34,7 +35,7 @@ func (l *Login) handleMFAVerify(w http.ResponseWriter, r *http.Request) {
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) renderMFAVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MFAVerificationStep, err error) {
+func (l *Login) renderMFAVerify(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, verificationStep *domain.MFAVerificationStep, err error) {
 	if verificationStep == nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -43,7 +44,7 @@ func (l *Login) renderMFAVerify(w http.ResponseWriter, r *http.Request, authReq
 	l.renderMFAVerifySelected(w, r, authReq, verificationStep, provider, err)
 }

-func (l *Login) renderMFAVerifySelected(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MFAVerificationStep, selectedProvider model.MFAType, err error) {
+func (l *Login) renderMFAVerifySelected(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, verificationStep *domain.MFAVerificationStep, selectedProvider domain.MFAType, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -54,12 +55,12 @@ func (l *Login) renderMFAVerifySelected(w http.ResponseWriter, r *http.Request,
 		return
 	}
 	switch selectedProvider {
-	case model.MFATypeU2F:
-		l.renderU2FVerification(w, r, authReq, removeSelectedProviderFromList(verificationStep.MFAProviders, model.MFATypeU2F), nil)
+	case domain.MFATypeU2F:
+		l.renderU2FVerification(w, r, authReq, removeSelectedProviderFromList(verificationStep.MFAProviders, domain.MFATypeU2F), nil)
 		return
-	case model.MFATypeOTP:
-		data.MFAProviders = removeSelectedProviderFromList(verificationStep.MFAProviders, model.MFATypeOTP)
-		data.SelectedMFAProvider = model.MFATypeOTP
+	case domain.MFATypeOTP:
+		data.MFAProviders = removeSelectedProviderFromList(verificationStep.MFAProviders, domain.MFATypeOTP)
+		data.SelectedMFAProvider = domain.MFATypeOTP
 	default:
 		l.renderError(w, r, authReq, err)
 		return
@@ -67,7 +68,7 @@ func (l *Login) renderMFAVerifySelected(w http.ResponseWriter, r *http.Request,
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAVerify], data, nil)
 }

-func removeSelectedProviderFromList(providers []model.MFAType, selected model.MFAType) []model.MFAType {
+func removeSelectedProviderFromList(providers []domain.MFAType, selected domain.MFAType) []domain.MFAType {
 	for i := len(providers) - 1; i >= 0; i-- {
 		if providers[i] == selected {
 			copy(providers[i:], providers[i+1:])
--- a/internal/ui/login/handler/mfa_verify_u2f_handler.go
+++ b/internal/ui/login/handler/mfa_verify_u2f_handler.go
@@ -2,11 +2,10 @@ package handler

 import (
 	"encoding/base64"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
-	user_model "github.com/caos/zitadel/internal/user/model"
 )

 const (
@@ -15,21 +14,21 @@ const (

 type mfaU2FData struct {
 	webAuthNData
-	MFAProviders     []model.MFAType
-	SelectedProvider model.MFAType
+	MFAProviders     []domain.MFAType
+	SelectedProvider domain.MFAType
 }

 type mfaU2FFormData struct {
 	webAuthNFormData
-	SelectedProvider model.MFAType `schema:"provider"`
+	SelectedProvider domain.MFAType `schema:"provider"`
 }

-func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, providers []model.MFAType, err error) {
+func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, providers []domain.MFAType, err error) {
 	var errType, errMessage, credentialData string
-	var webAuthNLogin *user_model.WebAuthNLogin
+	var webAuthNLogin *domain.WebAuthNLogin
 	if err == nil {
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-		webAuthNLogin, err = l.authRepo.BeginMFAU2FLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID)
+		webAuthNLogin, err = l.authRepo.BeginMFAU2FLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID)
 	}
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -55,7 +54,7 @@ func (l *Login) handleU2FVerification(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	step, ok := authReq.PossibleSteps[0].(*model.MFAVerificationStep)
+	step, ok := authReq.PossibleSteps[0].(*domain.MFAVerificationStep)
 	if !ok {
 		l.renderError(w, r, authReq, err)
 		return
@@ -70,7 +69,7 @@ func (l *Login) handleU2FVerification(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.VerifyMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID, credData, model.BrowserInfoFromRequest(r))
+	err = l.authRepo.VerifyMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID, credData, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderU2FVerification(w, r, authReq, step.MFAProviders, err)
 		return
--- a/internal/ui/login/handler/password_handler.go
+++ b/internal/ui/login/handler/password_handler.go
@@ -1,10 +1,10 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -15,7 +15,7 @@ type passwordFormData struct {
 	Password string `schema:"password"`
 }

-func (l *Login) renderPassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderPassword(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -32,7 +32,7 @@ func (l *Login) handlePasswordCheck(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Password, userAgentID, model.BrowserInfoFromRequest(r))
+	err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Password, userAgentID, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderPassword(w, r, authReq, err)
 		return
--- a/internal/ui/login/handler/password_reset_handler.go
+++ b/internal/ui/login/handler/password_reset_handler.go
@@ -1,9 +1,8 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
-
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -16,11 +15,16 @@ func (l *Login) handlePasswordReset(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	err = l.authRepo.RequestPasswordReset(setContext(r.Context(), authReq.UserOrgID), authReq.LoginName)
+	user, err := l.authRepo.UserByLoginName(setContext(r.Context(), authReq.UserOrgID), authReq.LoginName)
+	if err != nil {
+		l.renderPasswordResetDone(w, r, authReq, err)
+		return
+	}
+	err = l.command.RequestSetPassword(setContext(r.Context(), authReq.UserOrgID), user.ID, authReq.UserOrgID, domain.NotificationTypeEmail)
 	l.renderPasswordResetDone(w, r, authReq, err)
 }

-func (l *Login) renderPasswordResetDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderPasswordResetDone(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
--- a/internal/ui/login/handler/passwordless_login_handler.go
+++ b/internal/ui/login/handler/passwordless_login_handler.go
@@ -2,11 +2,10 @@ package handler

 import (
 	"encoding/base64"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
-	user_model "github.com/caos/zitadel/internal/user/model"
 )

 const (
@@ -23,12 +22,12 @@ type passwordlessFormData struct {
 	PasswordLogin bool `schema:"passwordlogin"`
 }

-func (l *Login) renderPasswordlessVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderPasswordlessVerification(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage, credentialData string
-	var webAuthNLogin *user_model.WebAuthNLogin
+	var webAuthNLogin *domain.WebAuthNLogin
 	if err == nil {
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-		webAuthNLogin, err = l.authRepo.BeginPasswordlessLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID)
+		webAuthNLogin, err = l.authRepo.BeginPasswordlessLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID)
 	}
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -67,7 +66,7 @@ func (l *Login) handlePasswordlessVerification(w http.ResponseWriter, r *http.Re
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.VerifyPasswordless(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID, credData, model.BrowserInfoFromRequest(r))
+	err = l.authRepo.VerifyPasswordless(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID, credData, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderPasswordlessVerification(w, r, authReq, err)
 		return
--- a/internal/ui/login/handler/register_handler.go
+++ b/internal/ui/login/handler/register_handler.go
@@ -1,20 +1,16 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	"golang.org/x/text/language"

-	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/models"
-	org_model "github.com/caos/zitadel/internal/org/model"
-	usr_model "github.com/caos/zitadel/internal/user/model"
 )

 const (
-	tmplRegister          = "register"
-	orgProjectCreatorRole = "ORG_PROJECT_CREATOR"
+	tmplRegister = "register"
 )

 type registerFormData struct {
@@ -68,15 +64,13 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
 	}

 	resourceOwner := iam.GlobalOrgID
-	member := &org_model.OrgMember{
-		ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},
-		Roles:      []string{orgProjectCreatorRole},
-	}
+	memberRoles := []string{domain.RoleOrgProjectCreator}
+
 	if authRequest.RequestedOrgID != "" && authRequest.RequestedOrgID != iam.GlobalOrgID {
-		member = nil
+		memberRoles = nil
 		resourceOwner = authRequest.RequestedOrgID
 	}
-	user, err := l.authRepo.Register(setContext(r.Context(), resourceOwner), data.toUserModel(), member, resourceOwner)
+	user, err := l.command.RegisterHuman(setContext(r.Context(), resourceOwner), resourceOwner, data.toHumanDomain(), nil, memberRoles)
 	if err != nil {
 		l.renderRegister(w, r, authRequest, data, err)
 		return
@@ -89,7 +83,7 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
 	l.renderNextStep(w, r, authRequest)
 }

-func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authRequest *model.AuthRequest, formData *registerFormData, err error) {
+func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authRequest *domain.AuthRequest, formData *registerFormData, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -142,21 +136,19 @@ func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authReque
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplRegister], data, funcs)
 }

-func (d registerFormData) toUserModel() *usr_model.User {
-	return &usr_model.User{
-		Human: &usr_model.Human{
-			Profile: &usr_model.Profile{
-				FirstName:         d.Firstname,
-				LastName:          d.Lastname,
-				PreferredLanguage: language.Make(d.Language),
-				Gender:            usr_model.Gender(d.Gender),
-			},
-			Password: &usr_model.Password{
-				SecretString: d.Password,
-			},
-			Email: &usr_model.Email{
-				EmailAddress: d.Email,
-			},
+func (d registerFormData) toHumanDomain() *domain.Human {
+	return &domain.Human{
+		Profile: &domain.Profile{
+			FirstName:         d.Firstname,
+			LastName:          d.Lastname,
+			PreferredLanguage: language.Make(d.Language),
+			Gender:            domain.Gender(d.Gender),
+		},
+		Password: &domain.Password{
+			SecretString: d.Password,
+		},
+		Email: &domain.Email{
+			EmailAddress: d.Email,
 		},
 	}
 }
--- a/internal/ui/login/handler/register_option_handler.go
+++ b/internal/ui/login/handler/register_option_handler.go
@@ -1,7 +1,7 @@
 package handler

 import (
-	"github.com/caos/zitadel/internal/auth_request/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
 )

@@ -27,7 +27,7 @@ func (l *Login) handleRegisterOption(w http.ResponseWriter, r *http.Request) {
 	l.renderRegisterOption(w, r, authRequest, nil)
 }

-func (l *Login) renderRegisterOption(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderRegisterOption(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
--- a/internal/ui/login/handler/register_org_handler.go
+++ b/internal/ui/login/handler/register_org_handler.go
@@ -1,10 +1,10 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	auth_model "github.com/caos/zitadel/internal/auth/model"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	usr_model "github.com/caos/zitadel/internal/user/model"
@@ -78,7 +78,7 @@ func (l *Login) handleRegisterOrgCheck(w http.ResponseWriter, r *http.Request) {
 	l.renderNextStep(w, r, authRequest)
 }

-func (l *Login) renderRegisterOrg(w http.ResponseWriter, r *http.Request, authRequest *model.AuthRequest, formData *registerOrgFormData, err error) {
+func (l *Login) renderRegisterOrg(w http.ResponseWriter, r *http.Request, authRequest *domain.AuthRequest, formData *registerOrgFormData, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
--- a/internal/ui/login/handler/renderer.go
+++ b/internal/ui/login/handler/renderer.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"errors"
 	"fmt"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"html/template"
 	"net/http"
 	"path"
@@ -15,7 +16,6 @@ import (
 	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/i18n"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/renderer"
 )

@@ -153,7 +153,7 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
 		"hasExternalLogin": func() bool {
 			return false
 		},
-		"idpProviderClass": func(stylingType iam_model.IDPStylingType) string {
+		"idpProviderClass": func(stylingType domain.IDPConfigStylingType) string {
 			return stylingType.GetCSSClass()
 		},
 	}
@@ -167,7 +167,7 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
 	return r
 }

-func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
 	authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
 	if err != nil {
@@ -181,7 +181,7 @@ func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *
 	l.chooseNextStep(w, r, authReq, 0, nil)
 }

-func (l *Login) renderError(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderError(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	if authReq == nil || len(authReq.PossibleSteps) == 0 {
 		l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(err, "APP-OVOiT", "no possible steps"))
 		return
@@ -189,54 +189,54 @@ func (l *Login) renderError(w http.ResponseWriter, r *http.Request, authReq *mod
 	l.chooseNextStep(w, r, authReq, 0, err)
 }

-func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, stepNumber int, err error) {
+func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, stepNumber int, err error) {
 	switch step := authReq.PossibleSteps[stepNumber].(type) {
-	case *model.LoginStep:
+	case *domain.LoginStep:
 		if len(authReq.PossibleSteps) > 1 {
 			l.chooseNextStep(w, r, authReq, 1, err)
 			return
 		}
 		l.renderLogin(w, r, authReq, err)
-	case *model.SelectUserStep:
+	case *domain.SelectUserStep:
 		l.renderUserSelection(w, r, authReq, step)
-	case *model.InitPasswordStep:
+	case *domain.InitPasswordStep:
 		l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
-	case *model.PasswordStep:
+	case *domain.PasswordStep:
 		l.renderPassword(w, r, authReq, nil)
-	case *model.PasswordlessStep:
+	case *domain.PasswordlessStep:
 		l.renderPasswordlessVerification(w, r, authReq, nil)
-	case *model.MFAVerificationStep:
+	case *domain.MFAVerificationStep:
 		l.renderMFAVerify(w, r, authReq, step, err)
-	case *model.RedirectToCallbackStep:
+	case *domain.RedirectToCallbackStep:
 		if len(authReq.PossibleSteps) > 1 {
 			l.chooseNextStep(w, r, authReq, 1, err)
 			return
 		}
 		l.redirectToCallback(w, r, authReq)
-	case *model.ChangePasswordStep:
+	case *domain.ChangePasswordStep:
 		l.renderChangePassword(w, r, authReq, err)
-	case *model.VerifyEMailStep:
+	case *domain.VerifyEMailStep:
 		l.renderMailVerification(w, r, authReq, "", err)
-	case *model.MFAPromptStep:
+	case *domain.MFAPromptStep:
 		l.renderMFAPrompt(w, r, authReq, step, err)
-	case *model.InitUserStep:
+	case *domain.InitUserStep:
 		l.renderInitUser(w, r, authReq, "", "", step.PasswordSet, nil)
-	case *model.ChangeUsernameStep:
+	case *domain.ChangeUsernameStep:
 		l.renderChangeUsername(w, r, authReq, nil)
-	case *model.LinkUsersStep:
+	case *domain.LinkUsersStep:
 		l.linkUsers(w, r, authReq, err)
-	case *model.ExternalNotFoundOptionStep:
+	case *domain.ExternalNotFoundOptionStep:
 		l.renderExternalNotFoundOption(w, r, authReq, err)
-	case *model.ExternalLoginStep:
+	case *domain.ExternalLoginStep:
 		l.handleExternalLoginStep(w, r, authReq, step.SelectedIDPConfigID)
-	case *model.GrantRequiredStep:
+	case *domain.GrantRequiredStep:
 		l.renderInternalError(w, r, authReq, caos_errs.ThrowPreconditionFailed(nil, "APP-asb43", "Errors.User.GrantRequired"))
 	default:
 		l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-ds3QF", "step no possible"))
 	}
 }

-func (l *Login) renderInternalError(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderInternalError(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var msg string
 	if err != nil {
 		msg = err.Error()
@@ -245,7 +245,7 @@ func (l *Login) renderInternalError(w http.ResponseWriter, r *http.Request, auth
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplError], data, nil)
 }

-func (l *Login) getUserData(r *http.Request, authReq *model.AuthRequest, title string, errType, errMessage string) userData {
+func (l *Login) getUserData(r *http.Request, authReq *domain.AuthRequest, title string, errType, errMessage string) userData {
 	userData := userData{
 		baseData:    l.getBaseData(r, authReq, title, errType, errMessage),
 		profileData: l.getProfileData(authReq),
@@ -256,7 +256,7 @@ func (l *Login) getUserData(r *http.Request, authReq *model.AuthRequest, title s
 	return userData
 }

-func (l *Login) getBaseData(r *http.Request, authReq *model.AuthRequest, title string, errType, errMessage string) baseData {
+func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, title string, errType, errMessage string) baseData {
 	baseData := baseData{
 		errorData: errorData{
 			ErrType:    errType,
@@ -279,7 +279,7 @@ func (l *Login) getBaseData(r *http.Request, authReq *model.AuthRequest, title s
 	return baseData
 }

-func (l *Login) getProfileData(authReq *model.AuthRequest) profileData {
+func (l *Login) getProfileData(authReq *domain.AuthRequest) profileData {
 	var loginName, displayName string
 	if authReq != nil {
 		loginName = authReq.LoginName
@@ -309,7 +309,7 @@ func (l *Login) getThemeMode(r *http.Request) string {
 	return "" //TODO: impl
 }

-func (l *Login) getOrgID(authReq *model.AuthRequest) string {
+func (l *Login) getOrgID(authReq *domain.AuthRequest) string {
 	if authReq == nil {
 		return ""
 	}
@@ -319,14 +319,14 @@ func (l *Login) getOrgID(authReq *model.AuthRequest) string {
 	return authReq.UserOrgID
 }

-func (l *Login) getOrgName(authReq *model.AuthRequest) string {
+func (l *Login) getOrgName(authReq *domain.AuthRequest) string {
 	if authReq == nil {
 		return ""
 	}
 	return authReq.RequestedOrgName
 }

-func getRequestID(authReq *model.AuthRequest, r *http.Request) string {
+func getRequestID(authReq *domain.AuthRequest, r *http.Request) string {
 	if authReq != nil {
 		return authReq.ID
 	}
@@ -357,8 +357,8 @@ type baseData struct {
 	AuthReqID    string
 	CSRF         template.HTML
 	Nonce        string
-	LoginPolicy  *iam_model.LoginPolicyView
-	IDPProviders []*iam_model.IDPProviderView
+	LoginPolicy  *domain.LoginPolicy
+	IDPProviders []*domain.IDPProvider
 }

 type errorData struct {
@@ -370,8 +370,8 @@ type userData struct {
 	baseData
 	profileData
 	PasswordChecked     string
-	MFAProviders        []model.MFAType
-	SelectedMFAProvider model.MFAType
+	MFAProviders        []domain.MFAType
+	SelectedMFAProvider domain.MFAType
 	Linking             bool
 }

@@ -393,28 +393,28 @@ type passwordData struct {

 type userSelectionData struct {
 	baseData
-	Users   []model.UserSelection
+	Users   []domain.UserSelection
 	Linking bool
 }

 type mfaData struct {
 	baseData
 	profileData
-	MFAProviders []model.MFAType
+	MFAProviders []domain.MFAType
 	MFARequired  bool
 }

 type mfaVerifyData struct {
 	baseData
 	profileData
-	MFAType model.MFAType
+	MFAType domain.MFAType
 	otpData
 }

 type mfaDoneData struct {
 	baseData
 	profileData
-	MFAType model.MFAType
+	MFAType domain.MFAType
 }

 type otpData struct {
--- a/internal/ui/login/handler/select_user_handler.go
+++ b/internal/ui/login/handler/select_user_handler.go
@@ -1,10 +1,10 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"

 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -15,7 +15,7 @@ type userSelectionFormData struct {
 	UserID string `schema:"userID"`
 }

-func (l *Login) renderUserSelection(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, selectionData *model.SelectUserStep) {
+func (l *Login) renderUserSelection(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, selectionData *domain.SelectUserStep) {
 	data := userSelectionData{
 		baseData: l.getBaseData(r, authReq, "Select User", "", ""),
 		Users:    selectionData.Users,
--- a/internal/ui/login/handler/username_change_handler.go
+++ b/internal/ui/login/handler/username_change_handler.go
@@ -1,9 +1,8 @@
 package handler

 import (
+	"github.com/caos/zitadel/internal/v2/domain"
 	"net/http"
-
-	"github.com/caos/zitadel/internal/auth_request/model"
 )

 const (
@@ -15,7 +14,7 @@ type changeUsernameData struct {
 	Username string `schema:"username"`
 }

-func (l *Login) renderChangeUsername(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+func (l *Login) renderChangeUsername(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -31,7 +30,7 @@ func (l *Login) handleChangeUsername(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	err = l.authRepo.ChangeUsername(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Username)
+	err = l.command.ChangeUsername(setContext(r.Context(), authReq.UserOrgID), authReq.UserOrgID, authReq.UserID, data.Username)
 	if err != nil {
 		l.renderChangeUsername(w, r, authReq, err)
 		return
@@ -39,7 +38,7 @@ func (l *Login) handleChangeUsername(w http.ResponseWriter, r *http.Request) {
 	l.renderChangeUsernameDone(w, r, authReq)
 }

-func (l *Login) renderChangeUsernameDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+func (l *Login) renderChangeUsernameDone(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
 	var errType, errMessage string
 	data := l.getUserData(r, authReq, "Username Change Done", errType, errMessage)
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplChangeUsernameDone], data, nil)
--- a/internal/ui/login/static/templates/password_reset_done.html
+++ b/internal/ui/login/static/templates/password_reset_done.html
@@ -12,6 +12,8 @@

    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />

+
+    {{template "error-message" .}}
    <div class="actions">
        <button class="primary right" type="submit">{{t "Actions.Next"}}</button>
    </div>