From 2e5b3b710ec384cefb169394edce549f06b4ff6c Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 6 Dec 2024 10:53:44 +0100
Subject: [PATCH 01/21] fix: refactor user discovery search

---
 apps/login/src/lib/server/loginname.ts | 65 +++++++++++---------
 apps/login/src/lib/zitadel.ts          | 84 +++++++++++++++++++-------
 2 files changed, 100 insertions(+), 49 deletions(-)

diff --git a/apps/login/src/lib/server/loginname.ts b/apps/login/src/lib/server/loginname.ts
index 295f9b455f..4c05931f8a 100644
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -16,6 +16,7 @@ import {
   listAuthenticationMethodTypes,
   listIDPLinks,
   listUsers,
+  ListUsersCommand,
   startIdentityProviderFlow,
 } from "../zitadel";
 import { createSessionAndUpdateCookie } from "./cookie";
@@ -29,21 +30,22 @@ export type SendLoginnameCommand = {
 const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;
 
 export async function sendLoginname(command: SendLoginnameCommand) {
-  const users = await listUsers({
-    loginName: command.loginName,
+  const loginSettingsByContext = await getLoginSettings(command.organization);
+
+  let listUsersRequest: ListUsersCommand = {
+    userName: command.loginName,
     organizationId: command.organization,
-  });
+  };
 
-  const loginSettings = await getLoginSettings(command.organization);
+  if (!loginSettingsByContext?.disableLoginWithEmail) {
+    listUsersRequest.email = command.loginName;
+  }
 
-  const potentialUsers = users.result.filter((u) => {
-    const human = u.type.case === "human" ? u.type.value : undefined;
-    return loginSettings?.disableLoginWithEmail
-      ? human?.email?.isVerified && human?.email?.email !== command.loginName
-      : loginSettings?.disableLoginWithPhone
-        ? human?.phone?.isVerified && human?.phone?.phone !== command.loginName
-        : true;
-  });
+  if (!loginSettingsByContext?.disableLoginWithPhone) {
+    listUsersRequest.phone = command.loginName;
+  }
+
+  const { result: potentialUsers } = await listUsers(listUsersRequest);
 
   const redirectUserToSingleIDPIfAvailable = async () => {
     const identityProviders = await getActiveIdentityProviders(
@@ -144,9 +146,16 @@ export async function sendLoginname(command: SendLoginnameCommand) {
     }
   };
 
-  if (potentialUsers.length == 1 && potentialUsers[0].userId) {
+  if (potentialUsers.length > 1) {
+    return { error: "More than one user found. Provide a unique identifier." };
+  } else if (potentialUsers.length == 1 && potentialUsers[0].userId) {
+    const user = potentialUsers[0];
     const userId = potentialUsers[0].userId;
 
+    const userLoginSettings = await getLoginSettings(
+      user.details?.resourceOwner,
+    );
+
     const checks = create(ChecksSchema, {
       user: { search: { case: "userId", value: userId } },
     });
@@ -162,7 +171,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {
     }
 
     // TODO: check if handling of userstate INITIAL is needed
-    if (potentialUsers[0].state === UserState.INITIAL) {
+    if (user.state === UserState.INITIAL) {
       return { error: "Initial User not supported" };
     }
 
@@ -172,9 +181,9 @@ export async function sendLoginname(command: SendLoginnameCommand) {
 
     if (!methods.authMethodTypes || !methods.authMethodTypes.length) {
       if (
-        potentialUsers[0].type.case === "human" &&
-        potentialUsers[0].type.value.email &&
-        !potentialUsers[0].type.value.email.isVerified
+        user.type.case === "human" &&
+        user.type.value.email &&
+        !user.type.value.email.isVerified
       ) {
         const paramsVerify = new URLSearchParams({
           loginName: session.factors?.user?.loginName,
@@ -219,7 +228,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {
       const method = methods.authMethodTypes[0];
       switch (method) {
         case AuthenticationMethodType.PASSWORD: // user has only password as auth method
-          if (!loginSettings?.allowUsernamePassword) {
+          if (!userLoginSettings?.allowUsernamePassword) {
             return {
               error:
                 "Username Password not allowed! Contact your administrator for more information.",
@@ -246,7 +255,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {
           };
 
         case AuthenticationMethodType.PASSKEY: // AuthenticationMethodType.AUTHENTICATION_METHOD_TYPE_PASSKEY
-          if (loginSettings?.passkeysType === PasskeysType.NOT_ALLOWED) {
+          if (userLoginSettings?.passkeysType === PasskeysType.NOT_ALLOWED) {
             return {
               error:
                 "Passkeys not allowed! Contact your administrator for more information.",
@@ -309,22 +318,24 @@ export async function sendLoginname(command: SendLoginnameCommand) {
     }
   }
 
-  // user not found, check if register is enabled on organization
-  if (loginSettings?.allowRegister && !loginSettings?.allowUsernamePassword) {
-    // TODO: do we need to handle login hints for IDPs here?
+  // user not found, check if register is enabled on instance / organization context
+  if (
+    loginSettingsByContext?.allowRegister &&
+    !loginSettingsByContext?.allowUsernamePassword
+  ) {
     const resp = await redirectUserToSingleIDPIfAvailable();
     if (resp) {
       return resp;
     }
     return { error: "Could not find user" };
   } else if (
-    loginSettings?.allowRegister &&
-    loginSettings?.allowUsernamePassword
+    loginSettingsByContext?.allowRegister &&
+    loginSettingsByContext?.allowUsernamePassword
   ) {
     let orgToRegisterOn: string | undefined = command.organization;
 
     if (
-      !loginSettings?.ignoreUnknownUsernames &&
+      !loginSettingsByContext?.ignoreUnknownUsernames &&
       !orgToRegisterOn &&
       command.loginName &&
       ORG_SUFFIX_REGEX.test(command.loginName)
@@ -344,7 +355,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {
     }
 
     // do not register user if ignoreUnknownUsernames is set
-    if (orgToRegisterOn && !loginSettings?.ignoreUnknownUsernames) {
+    if (orgToRegisterOn && !loginSettingsByContext?.ignoreUnknownUsernames) {
       const params = new URLSearchParams({ organization: orgToRegisterOn });
 
       if (command.authRequestId) {
@@ -358,7 +369,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {
     }
   }
 
-  if (loginSettings?.ignoreUnknownUsernames) {
+  if (loginSettingsByContext?.ignoreUnknownUsernames) {
     const paramsPasswordDefault = new URLSearchParams({
       loginName: command.loginName,
     });
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 0afc4c4dc1..1858145016 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -291,19 +291,24 @@ export async function createInviteCode(userId: string, host: string | null) {
   );
 }
 
-export async function listUsers({
-  loginName,
-  userName,
-  email,
-  organizationId,
-}: {
+export type ListUsersCommand = {
   loginName?: string;
   userName?: string;
   email?: string;
+  phone?: string;
   organizationId?: string;
-}) {
+};
+
+export async function listUsers({
+  loginName,
+  userName,
+  phone,
+  email,
+  organizationId,
+}: ListUsersCommand) {
   const queries: SearchQuery[] = [];
 
+  // either loginName or userName and email or phone are required
   if (loginName) {
     queries.push(
       create(SearchQuerySchema, {
@@ -316,9 +321,57 @@ export async function listUsers({
         },
       }),
     );
-  }
+  } else if (userName && (email || phone)) {
+    const userNameQuery = create(SearchQuerySchema, {
+      query: {
+        case: "userNameQuery",
+        value: {
+          userName: userName,
+          method: TextQueryMethod.EQUALS,
+        },
+      },
+    });
 
-  if (userName) {
+    const orQueries: SearchQuery[] = [userNameQuery];
+
+    if (email) {
+      const emailQuery = create(SearchQuerySchema, {
+        query: {
+          case: "emailQuery",
+          value: {
+            emailAddress: email,
+            method: TextQueryMethod.EQUALS,
+          },
+        },
+      });
+      orQueries.push(emailQuery);
+    }
+
+    if (phone) {
+      // TODO add after https://github.com/zitadel/zitadel/issues/9016 is merged
+      // const phoneQuery = create(SearchQuerySchema, {
+      //   query: {
+      //     case: "phoneQuery",
+      //     value: {
+      //       emailAddress: email,
+      //       method: TextQueryMethod.EQUALS,
+      //     },
+      //   },
+      // });
+      // orQueries.push(phoneQuery);
+    }
+
+    queries.push(
+      create(SearchQuerySchema, {
+        query: {
+          case: "orQuery",
+          value: {
+            queries: orQueries,
+          },
+        },
+      }),
+    );
+  } else if (userName) {
     queries.push(
       create(SearchQuerySchema, {
         query: {
@@ -345,19 +398,6 @@ export async function listUsers({
     );
   }
 
-  if (email) {
-    queries.push(
-      create(SearchQuerySchema, {
-        query: {
-          case: "emailQuery",
-          value: {
-            emailAddress: email,
-          },
-        },
-      }),
-    );
-  }
-
   return userService.listUsers({ queries: queries });
 }
 

From d62093e48b817979498504fe355c645037fbe5fc Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 2 Jan 2025 13:10:01 +0100
Subject: [PATCH 02/21] fix user query

---
 apps/login/src/lib/zitadel.ts | 59 ++++++++++++++---------------------
 1 file changed, 24 insertions(+), 35 deletions(-)

diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 62c158bb11..9666402e12 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -311,7 +311,7 @@ export async function listUsers({
 }: ListUsersCommand) {
   const queries: SearchQuery[] = [];
 
-  // either loginName or userName and email or phone are required
+  // either use loginName or userName, email, phone
   if (loginName) {
     queries.push(
       create(SearchQuerySchema, {
@@ -324,18 +324,20 @@ export async function listUsers({
         },
       }),
     );
-  } else if (userName && (email || phone)) {
-    const userNameQuery = create(SearchQuerySchema, {
-      query: {
-        case: "userNameQuery",
-        value: {
-          userName: userName,
-          method: TextQueryMethod.EQUALS,
+  } else if (userName || email || phone) {
+    const orQueries: SearchQuery[] = [];
+    if (userName) {
+      const userNameQuery = create(SearchQuerySchema, {
+        query: {
+          case: "userNameQuery",
+          value: {
+            userName: userName,
+            method: TextQueryMethod.EQUALS,
+          },
         },
-      },
-    });
-
-    const orQueries: SearchQuery[] = [userNameQuery];
+      });
+      orQueries.push(userNameQuery);
+    }
 
     if (email) {
       const emailQuery = create(SearchQuerySchema, {
@@ -351,17 +353,16 @@ export async function listUsers({
     }
 
     if (phone) {
-      // TODO add after https://github.com/zitadel/zitadel/issues/9016 is merged
-      // const phoneQuery = create(SearchQuerySchema, {
-      //   query: {
-      //     case: "phoneQuery",
-      //     value: {
-      //       emailAddress: email,
-      //       method: TextQueryMethod.EQUALS,
-      //     },
-      //   },
-      // });
-      // orQueries.push(phoneQuery);
+      const phoneQuery = create(SearchQuerySchema, {
+        query: {
+          case: "phoneQuery",
+          value: {
+            number: phone,
+            method: TextQueryMethod.EQUALS,
+          },
+        },
+      });
+      orQueries.push(phoneQuery);
     }
 
     queries.push(
@@ -374,18 +375,6 @@ export async function listUsers({
         },
       }),
     );
-  } else if (userName) {
-    queries.push(
-      create(SearchQuerySchema, {
-        query: {
-          case: "userNameQuery",
-          value: {
-            userName: userName,
-            method: TextQueryMethod.EQUALS,
-          },
-        },
-      }),
-    );
   }
 
   if (organizationId) {

From aa22a8027e8bbff820276f2690bae93243ed6600 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 2 Jan 2025 13:16:44 +0100
Subject: [PATCH 03/21] cleanup

---
 apps/login/src/lib/zitadel.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 9666402e12..8a85a9b167 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -326,6 +326,7 @@ export async function listUsers({
     );
   } else if (userName || email || phone) {
     const orQueries: SearchQuery[] = [];
+
     if (userName) {
       const userNameQuery = create(SearchQuerySchema, {
         query: {

From 50cb902595cec64cf96c3c9ed0345e932cf7c657 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 2 Jan 2025 13:21:45 +0100
Subject: [PATCH 04/21] update readme

---
 apps/login/readme.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/login/readme.md b/apps/login/readme.md
index a411b9963f..fd6ba6f48c 100644
--- a/apps/login/readme.md
+++ b/apps/login/readme.md
@@ -395,6 +395,5 @@ Timebased features like the multifactor init prompt or password expiry, are not
 - Password Expiry Settings
 - Login Settings: multifactor init prompt
 - forceMFA on login settings is not checked for IDPs
-- disablePhone / disableEmail from loginSettings will be implemented right after https://github.com/zitadel/zitadel/issues/9016 is merged
 
 Also note that IDP logins are considered as valid MFA. An additional MFA check will be implemented in future if enforced.

From a7acca52ca65e7b15867e67f9a2ae0cc3105b592 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 8 Jan 2025 09:54:43 +0100
Subject: [PATCH 05/21] update zitadel binary

---
 acceptance/docker-compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/acceptance/docker-compose.yaml b/acceptance/docker-compose.yaml
index de6990387d..85aad63d6f 100644
--- a/acceptance/docker-compose.yaml
+++ b/acceptance/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
   zitadel:
     user: "${ZITADEL_DEV_UID}"
-    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.65.0}"
+    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.67.1}"
     command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled --config /zitadel.yaml --steps /zitadel.yaml'
     ports:
       - "8080:8080"
@@ -22,7 +22,7 @@ services:
       - POSTGRES_HOST_AUTH_METHOD=trust
     command: postgres -c shared_preload_libraries=pg_stat_statements -c pg_stat_statements.track=all -c shared_buffers=1GB -c work_mem=16MB -c effective_io_concurrency=100 -c wal_level=minimal -c archive_mode=off -c max_wal_senders=0
     healthcheck:
-      test: [ "CMD-SHELL", "pg_isready" ]
+      test: ["CMD-SHELL", "pg_isready"]
       interval: "10s"
       timeout: "30s"
       retries: 5

From 3809b8dc932ee41f67ce6d5c47d9334dbb365158 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 09:38:29 +0100
Subject: [PATCH 06/21] change search user

---
 apps/login/src/app/(login)/loginname/page.tsx |   1 +
 apps/login/src/components/username-form.tsx   |  17 ++-
 apps/login/src/lib/server/loginname.ts        |  23 ++--
 apps/login/src/lib/zitadel.ts                 | 113 ++++++++++++++++++
 4 files changed, 140 insertions(+), 14 deletions(-)

diff --git a/apps/login/src/app/(login)/loginname/page.tsx b/apps/login/src/app/(login)/loginname/page.tsx
index 44601e1845..8f96927dd0 100644
--- a/apps/login/src/app/(login)/loginname/page.tsx
+++ b/apps/login/src/app/(login)/loginname/page.tsx
@@ -54,6 +54,7 @@ export default async function Page(props: {
           loginName={loginName}
           authRequestId={authRequestId}
           organization={organization} // stick to "organization" as we still want to do user discovery based on the searchParams not the default organization, later the organization is determined by the found user
+          loginSettings={loginSettings}
           submit={submit}
           allowRegister={!!loginSettings?.allowRegister}
         >
diff --git a/apps/login/src/components/username-form.tsx b/apps/login/src/components/username-form.tsx
index 887c454333..3a35bdd120 100644
--- a/apps/login/src/components/username-form.tsx
+++ b/apps/login/src/components/username-form.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import { sendLoginname } from "@/lib/server/loginname";
+import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
 import { ReactNode, useEffect, useState } from "react";
@@ -18,6 +19,7 @@ type Inputs = {
 type Props = {
   loginName: string | undefined;
   authRequestId: string | undefined;
+  loginSettings: LoginSettings | undefined;
   organization?: string;
   submit: boolean;
   allowRegister: boolean;
@@ -28,6 +30,7 @@ export function UsernameForm({
   loginName,
   authRequestId,
   organization,
+  loginSettings,
   submit,
   allowRegister,
   children,
@@ -80,6 +83,18 @@ export function UsernameForm({
     }
   }, []);
 
+  let inputLabel = "Loginname";
+  if (
+    loginSettings?.disableLoginWithEmail &&
+    loginSettings?.disableLoginWithPhone
+  ) {
+    inputLabel = "Username";
+  } else if (loginSettings?.disableLoginWithEmail) {
+    inputLabel = "Username or phone number";
+  } else if (loginSettings?.disableLoginWithPhone) {
+    inputLabel = "Username or email";
+  }
+
   return (
     <form className="w-full">
       <div className="">
@@ -87,7 +102,7 @@ export function UsernameForm({
           type="text"
           autoComplete="username"
           {...register("loginName", { required: "This field is required" })}
-          label="Loginname"
+          label={inputLabel}
           data-testid="username-text-input"
         />
         {allowRegister && (
diff --git a/apps/login/src/lib/server/loginname.ts b/apps/login/src/lib/server/loginname.ts
index 7cb74b8d7a..704c01b967 100644
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -16,8 +16,8 @@ import {
   getOrgsByDomain,
   listAuthenticationMethodTypes,
   listIDPLinks,
-  listUsers,
-  ListUsersCommand,
+  searchUsers,
+  SearchUsersCommand,
   startIdentityProviderFlow,
 } from "../zitadel";
 import { createSessionAndUpdateCookie } from "./cookie";
@@ -33,20 +33,17 @@ const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;
 export async function sendLoginname(command: SendLoginnameCommand) {
   const loginSettingsByContext = await getLoginSettings(command.organization);
 
-  let listUsersRequest: ListUsersCommand = {
-    userName: command.loginName,
+  if (!loginSettingsByContext) {
+    return { error: "Could not get login settings" };
+  }
+
+  let searchUsersRequest: SearchUsersCommand = {
+    searchValue: command.loginName,
     organizationId: command.organization,
+    loginSettings: loginSettingsByContext,
   };
 
-  if (!loginSettingsByContext?.disableLoginWithEmail) {
-    listUsersRequest.email = command.loginName;
-  }
-
-  if (!loginSettingsByContext?.disableLoginWithPhone) {
-    listUsersRequest.phone = command.loginName;
-  }
-
-  const { result: potentialUsers } = await listUsers(listUsersRequest);
+  const { result: potentialUsers } = await searchUsers(searchUsersRequest);
 
   const redirectUserToSingleIDPIfAvailable = async () => {
     const identityProviders = await getActiveIdentityProviders(
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 112b7bd81d..bda31b0ab9 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -26,6 +26,7 @@ import { create, Duration } from "@zitadel/client";
 import { TextQueryMethod } from "@zitadel/proto/zitadel/object/v2/object_pb";
 import { CreateCallbackRequest } from "@zitadel/proto/zitadel/oidc/v2/oidc_service_pb";
 import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
+import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { SendEmailVerificationCodeSchema } from "@zitadel/proto/zitadel/user/v2/email_pb";
 import type { RedirectURLsJson } from "@zitadel/proto/zitadel/user/v2/idp_pb";
 import {
@@ -408,6 +409,118 @@ export async function listUsers({
     );
   }
 
+  if (organizationId) {
+    queries.push(
+      create(SearchQuerySchema, {
+        query: {
+          case: "organizationIdQuery",
+          value: {
+            organizationId,
+          },
+        },
+      }),
+    );
+  }
+  console.log(queries);
+
+  return userService.listUsers({ queries: queries });
+}
+
+export type SearchUsersCommand = {
+  searchValue: string;
+  loginSettings: LoginSettings;
+  organizationId?: string;
+};
+
+const PhoneQuery = (searchValue: string) =>
+  create(SearchQuerySchema, {
+    query: {
+      case: "phoneQuery",
+      value: {
+        number: searchValue,
+        method: TextQueryMethod.EQUALS,
+      },
+    },
+  });
+
+const UserNameQuery = (searchValue: string) =>
+  create(SearchQuerySchema, {
+    query: {
+      case: "userNameQuery",
+      value: {
+        userName: searchValue,
+        method: TextQueryMethod.EQUALS,
+      },
+    },
+  });
+
+const EmailQuery = (searchValue: string) =>
+  create(SearchQuerySchema, {
+    query: {
+      case: "emailQuery",
+      value: {
+        emailAddress: searchValue,
+        method: TextQueryMethod.EQUALS,
+      },
+    },
+  });
+
+export async function searchUsers({
+  searchValue,
+  loginSettings,
+  organizationId,
+}: SearchUsersCommand) {
+  console.log(loginSettings);
+  const queries: SearchQuery[] = [];
+  const orQueries: SearchQuery[] = [];
+
+  // either use loginName or userName, email, phone
+  if (
+    loginSettings.disableLoginWithEmail &&
+    loginSettings.disableLoginWithPhone
+  ) {
+    const userNameQuery = UserNameQuery(searchValue);
+    queries.push(userNameQuery);
+  } else if (loginSettings.disableLoginWithEmail) {
+    const userNameQuery = UserNameQuery(searchValue);
+    orQueries.push(userNameQuery);
+
+    if (searchValue.length <= 20) {
+      const phoneQuery = PhoneQuery(searchValue);
+      orQueries.push(phoneQuery);
+    }
+  } else if (loginSettings.disableLoginWithPhone) {
+    const userNameQuery = UserNameQuery(searchValue);
+    orQueries.push(userNameQuery);
+
+    const emailQuery = EmailQuery(searchValue);
+    orQueries.push(emailQuery);
+  } else {
+    const userNameQuery = UserNameQuery(searchValue);
+    orQueries.push(userNameQuery);
+
+    const emailQuery = EmailQuery(searchValue);
+    orQueries.push(emailQuery);
+
+    if (searchValue.length <= 20) {
+      const phoneQuery = PhoneQuery(searchValue);
+      orQueries.push(phoneQuery);
+    }
+  }
+
+  if (orQueries.length > 0) {
+    queries.push(
+      create(SearchQuerySchema, {
+        query: {
+          case: "orQuery",
+          value: {
+            queries: orQueries,
+          },
+        },
+      }),
+    );
+  }
+
   if (organizationId) {
     queries.push(
       create(SearchQuerySchema, {

From 36b6362974aa891c08f5e50b5ea11fe0b4437e16 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 09:47:58 +0100
Subject: [PATCH 07/21] recheck settings

---
 apps/login/src/lib/server/loginname.ts | 34 ++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/apps/login/src/lib/server/loginname.ts b/apps/login/src/lib/server/loginname.ts
index 704c01b967..10d9501b05 100644
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -154,6 +154,40 @@ export async function sendLoginname(command: SendLoginnameCommand) {
       user.details?.resourceOwner,
     );
 
+    // recheck login settings after user discovery, as the search might have been done without org scope
+    if (
+      userLoginSettings?.disableLoginWithEmail &&
+      userLoginSettings?.disableLoginWithPhone
+    ) {
+      if (user.username !== command.loginName) {
+        return { error: "User not found in the system!" };
+      }
+    } else if (userLoginSettings?.disableLoginWithEmail) {
+      const humanUser =
+        potentialUsers[0].type.case === "human"
+          ? potentialUsers[0].type.value
+          : undefined;
+
+      if (
+        user.username !== command.loginName ||
+        humanUser?.phone?.phone !== command.loginName
+      ) {
+        return { error: "User not found in the system!" };
+      }
+    } else if (userLoginSettings?.disableLoginWithPhone) {
+      const humanUser =
+        potentialUsers[0].type.case === "human"
+          ? potentialUsers[0].type.value
+          : undefined;
+
+      if (
+        user.username !== command.loginName ||
+        humanUser?.email?.email !== command.loginName
+      ) {
+        return { error: "User not found in the system!" };
+      }
+    }
+
     const checks = create(ChecksSchema, {
       user: { search: { case: "userId", value: userId } },
     });

From c93f21174b10bfd982a6ef48dc52d785d7023e86 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 10:05:32 +0100
Subject: [PATCH 08/21] rm logs

---
 apps/login/src/lib/zitadel.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index bda31b0ab9..c837295994 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -470,7 +470,6 @@ export async function searchUsers({
   loginSettings,
   organizationId,
 }: SearchUsersCommand) {
-  console.log(loginSettings);
   const queries: SearchQuery[] = [];
   const orQueries: SearchQuery[] = [];
 

From dc6454bc7def1f045592864b1d7aa2edf381ce9b Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 13:38:00 +0100
Subject: [PATCH 09/21] implement org suffix

---
 apps/login/src/app/(login)/loginname/page.tsx |  6 +++++-
 apps/login/src/app/login/route.ts             |  5 +++++
 apps/login/src/components/input.tsx           | 10 +++++++++-
 apps/login/src/components/username-form.tsx   |  3 +++
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/apps/login/src/app/(login)/loginname/page.tsx b/apps/login/src/app/(login)/loginname/page.tsx
index 8f96927dd0..5400f64b9d 100644
--- a/apps/login/src/app/(login)/loginname/page.tsx
+++ b/apps/login/src/app/(login)/loginname/page.tsx
@@ -20,6 +20,7 @@ export default async function Page(props: {
   const loginName = searchParams?.loginName;
   const authRequestId = searchParams?.authRequestId;
   const organization = searchParams?.organization;
+  const suffix = searchParams?.suffix;
   const submit: boolean = searchParams?.submit === "true";
 
   let defaultOrganization;
@@ -34,6 +35,8 @@ export default async function Page(props: {
     organization ?? defaultOrganization,
   );
 
+  const contextLoginSettings = await getLoginSettings(organization);
+
   const identityProviders = await getActiveIdentityProviders(
     organization ?? defaultOrganization,
   ).then((resp) => {
@@ -54,7 +57,8 @@ export default async function Page(props: {
           loginName={loginName}
           authRequestId={authRequestId}
           organization={organization} // stick to "organization" as we still want to do user discovery based on the searchParams not the default organization, later the organization is determined by the found user
-          loginSettings={loginSettings}
+          loginSettings={contextLoginSettings}
+          suffix={suffix}
           submit={submit}
           allowRegister={!!loginSettings?.allowRegister}
         >
diff --git a/apps/login/src/app/login/route.ts b/apps/login/src/app/login/route.ts
index e96326518f..f5741bb39c 100644
--- a/apps/login/src/app/login/route.ts
+++ b/apps/login/src/app/login/route.ts
@@ -300,6 +300,7 @@ export async function GET(request: NextRequest) {
     const { authRequest } = await getAuthRequest({ authRequestId });
 
     let organization = "";
+    let suffix = "";
     let idpId = "";
 
     if (authRequest?.scope) {
@@ -326,6 +327,7 @@ export async function GET(request: NextRequest) {
             const orgs = await getOrgsByDomain(orgDomain);
             if (orgs.result && orgs.result.length === 1) {
               organization = orgs.result[0].id ?? "";
+              suffix = orgDomain;
             }
           }
         }
@@ -448,6 +450,9 @@ export async function GET(request: NextRequest) {
         if (organization) {
           loginNameUrl.searchParams.set("organization", organization);
         }
+        if (suffix) {
+          loginNameUrl.searchParams.set("suffix", suffix);
+        }
         return NextResponse.redirect(loginNameUrl);
       } else if (authRequest.prompt.includes(Prompt.NONE)) {
         /**
diff --git a/apps/login/src/components/input.tsx b/apps/login/src/components/input.tsx
index 0cb9e58467..4c5723858a 100644
--- a/apps/login/src/components/input.tsx
+++ b/apps/login/src/components/input.tsx
@@ -15,6 +15,7 @@ export type TextInputProps = DetailedHTMLProps<
   HTMLInputElement
 > & {
   label: string;
+  suffix?: string;
   placeholder?: string;
   defaultValue?: string;
   error?: string | ReactNode;
@@ -45,6 +46,7 @@ export const TextInput = forwardRef<HTMLInputElement, TextInputProps>(
       label,
       placeholder,
       defaultValue,
+      suffix,
       required = false,
       error,
       disabled,
@@ -56,7 +58,7 @@ export const TextInput = forwardRef<HTMLInputElement, TextInputProps>(
     ref,
   ) => {
     return (
-      <label className="flex flex-col text-12px text-input-light-label dark:text-input-dark-label">
+      <label className="relative flex flex-col text-12px text-input-light-label dark:text-input-dark-label">
         <span
           className={`leading-3 mb-1 ${
             error ? "text-warn-light-500 dark:text-warn-dark-500" : ""
@@ -78,6 +80,12 @@ export const TextInput = forwardRef<HTMLInputElement, TextInputProps>(
           {...props}
         />
 
+        {suffix && (
+          <span className="z-30 absolute right-[1px] bottom-[22px] transform translate-y-1/2 bg-background-light-500 dark:bg-background-dark-500 p-2">
+            {suffix}
+          </span>
+        )}
+
         <div className="leading-14.5px h-14.5px text-warn-light-500 dark:text-warn-dark-500 flex flex-row items-center text-12px">
           <span>{error ? error : " "}</span>
         </div>
diff --git a/apps/login/src/components/username-form.tsx b/apps/login/src/components/username-form.tsx
index 3a35bdd120..1898e37a48 100644
--- a/apps/login/src/components/username-form.tsx
+++ b/apps/login/src/components/username-form.tsx
@@ -21,6 +21,7 @@ type Props = {
   authRequestId: string | undefined;
   loginSettings: LoginSettings | undefined;
   organization?: string;
+  suffix?: string;
   submit: boolean;
   allowRegister: boolean;
   children?: ReactNode;
@@ -30,6 +31,7 @@ export function UsernameForm({
   loginName,
   authRequestId,
   organization,
+  suffix,
   loginSettings,
   submit,
   allowRegister,
@@ -104,6 +106,7 @@ export function UsernameForm({
           {...register("loginName", { required: "This field is required" })}
           label={inputLabel}
           data-testid="username-text-input"
+          suffix={suffix}
         />
         {allowRegister && (
           <button

From c7a31b6b439e74db26db215c5d3396f2e74739b2 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 14:01:46 +0100
Subject: [PATCH 10/21] suffix search

---
 apps/login/src/components/username-form.tsx |   1 +
 apps/login/src/lib/server/loginname.ts      |  14 ++-
 apps/login/src/lib/zitadel.ts               | 100 +++++++++++++++-----
 3 files changed, 90 insertions(+), 25 deletions(-)

diff --git a/apps/login/src/components/username-form.tsx b/apps/login/src/components/username-form.tsx
index 1898e37a48..28193b451c 100644
--- a/apps/login/src/components/username-form.tsx
+++ b/apps/login/src/components/username-form.tsx
@@ -57,6 +57,7 @@ export function UsernameForm({
       loginName: values.loginName,
       organization,
       authRequestId,
+      suffix,
     })
       .catch(() => {
         setError("An internal error occurred");
diff --git a/apps/login/src/lib/server/loginname.ts b/apps/login/src/lib/server/loginname.ts
index 10d9501b05..263bed7bf0 100644
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -26,6 +26,7 @@ export type SendLoginnameCommand = {
   loginName: string;
   authRequestId?: string;
   organization?: string;
+  suffix?: string;
 };
 
 const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;
@@ -41,9 +42,20 @@ export async function sendLoginname(command: SendLoginnameCommand) {
     searchValue: command.loginName,
     organizationId: command.organization,
     loginSettings: loginSettingsByContext,
+    suffix: command.suffix,
   };
 
-  const { result: potentialUsers } = await searchUsers(searchUsersRequest);
+  const searchResult = await searchUsers(searchUsersRequest);
+
+  if ("error" in searchResult && searchResult.error) {
+    return searchResult;
+  }
+
+  if (!("result" in searchResult)) {
+    return { error: "Could not search users" };
+  }
+
+  const { result: potentialUsers } = searchResult;
 
   const redirectUserToSingleIDPIfAvailable = async () => {
     const identityProviders = await getActiveIdentityProviders(
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index c837295994..061a28f0dd 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -430,6 +430,7 @@ export type SearchUsersCommand = {
   searchValue: string;
   loginSettings: LoginSettings;
   organizationId?: string;
+  suffix?: string;
 };
 
 const PhoneQuery = (searchValue: string) =>
@@ -454,6 +455,17 @@ const UserNameQuery = (searchValue: string) =>
     },
   });
 
+const LoginNameQuery = (searchValue: string) =>
+  create(SearchQuerySchema, {
+    query: {
+      case: "loginNameQuery",
+      value: {
+        loginName: searchValue,
+        method: TextQueryMethod.EQUALS,
+      },
+    },
+  });
+
 const EmailQuery = (searchValue: string) =>
   create(SearchQuerySchema, {
     query: {
@@ -465,55 +477,83 @@ const EmailQuery = (searchValue: string) =>
     },
   });
 
+/**
+ * this is a dedicated search function to search for users from the loginname page
+ * it searches users based on the loginName or userName and org suffix combination, and falls back to email and phone if no users are found
+ *  */
+
 export async function searchUsers({
   searchValue,
   loginSettings,
   organizationId,
+  suffix,
 }: SearchUsersCommand) {
   const queries: SearchQuery[] = [];
   const orQueries: SearchQuery[] = [];
 
-  // either use loginName or userName, email, phone
+  // if a suffix is provided, we search for the userName concatenated with the suffix
+  if (suffix) {
+    const searchValueWithSuffix = `${searchValue}@${suffix}`;
+    const loginNameQuery = UserNameQuery(searchValueWithSuffix);
+    queries.push(loginNameQuery);
+  } else {
+    const loginNameQuery = UserNameQuery(searchValue);
+    queries.push(loginNameQuery);
+  }
+
+  if (organizationId) {
+    queries.push(
+      create(SearchQuerySchema, {
+        query: {
+          case: "organizationIdQuery",
+          value: {
+            organizationId,
+          },
+        },
+      }),
+    );
+  }
+
+  const loginNameResult = await userService.listUsers({ queries: queries });
+
+  if (loginNameResult.result.length > 1) {
+    return { error: "Multiple users found" };
+  }
+
+  if (loginNameResult.result.length == 1) {
+    return loginNameResult;
+  }
+
+  const emailAndPhoneQueries: SearchQuery[] = [];
   if (
     loginSettings.disableLoginWithEmail &&
     loginSettings.disableLoginWithPhone
   ) {
-    const userNameQuery = UserNameQuery(searchValue);
-    queries.push(userNameQuery);
-  } else if (loginSettings.disableLoginWithEmail) {
-    const userNameQuery = UserNameQuery(searchValue);
-    orQueries.push(userNameQuery);
-
-    if (searchValue.length <= 20) {
-      const phoneQuery = PhoneQuery(searchValue);
-      orQueries.push(phoneQuery);
-    }
+    return { error: "No user was found in the system" };
+  } else if (loginSettings.disableLoginWithEmail && searchValue.length <= 20) {
+    const phoneQuery = PhoneQuery(searchValue);
+    emailAndPhoneQueries.push(phoneQuery);
   } else if (loginSettings.disableLoginWithPhone) {
-    const userNameQuery = UserNameQuery(searchValue);
-    orQueries.push(userNameQuery);
-
     const emailQuery = EmailQuery(searchValue);
-    orQueries.push(emailQuery);
+    emailAndPhoneQueries.push(emailQuery);
   } else {
-    const userNameQuery = UserNameQuery(searchValue);
-    orQueries.push(userNameQuery);
+    const emailAndPhoneOrQueries: SearchQuery[] = [];
 
     const emailQuery = EmailQuery(searchValue);
-    orQueries.push(emailQuery);
+    emailAndPhoneOrQueries.push(emailQuery);
 
+    let phoneQuery;
     if (searchValue.length <= 20) {
-      const phoneQuery = PhoneQuery(searchValue);
-      orQueries.push(phoneQuery);
+      phoneQuery = PhoneQuery(searchValue);
+      emailAndPhoneOrQueries.push(phoneQuery);
     }
-  }
 
-  if (orQueries.length > 0) {
     queries.push(
       create(SearchQuerySchema, {
         query: {
           case: "orQuery",
           value: {
-            queries: orQueries,
+            queries: emailAndPhoneOrQueries,
           },
         },
       }),
@@ -533,7 +573,19 @@ export async function searchUsers({
     );
   }
 
-  return userService.listUsers({ queries: queries });
+  const emailOrPhoneResult = await userService.listUsers({
+    queries: emailAndPhoneQueries,
+  });
+
+  if (emailOrPhoneResult.result.length > 1) {
+    return { error: "Multiple users found" };
+  }
+
+  if (emailOrPhoneResult.result.length == 1) {
+    return loginNameResult;
+  }
+
+  return { error: "No user was found in the system" };
 }
 
 export async function getDefaultOrg(): Promise<Organization | null> {

From e554c383c4fea846b137060eb742f745b239745e Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 14:12:49 +0100
Subject: [PATCH 11/21] cleanup

---
 apps/login/src/lib/zitadel.ts | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 061a28f0dd..97e5f842dc 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -444,17 +444,6 @@ const PhoneQuery = (searchValue: string) =>
     },
   });
 
-const UserNameQuery = (searchValue: string) =>
-  create(SearchQuerySchema, {
-    query: {
-      case: "userNameQuery",
-      value: {
-        userName: searchValue,
-        method: TextQueryMethod.EQUALS,
-      },
-    },
-  });
-
 const LoginNameQuery = (searchValue: string) =>
   create(SearchQuerySchema, {
     query: {
@@ -489,15 +478,14 @@ export async function searchUsers({
   suffix,
 }: SearchUsersCommand) {
   const queries: SearchQuery[] = [];
-  const orQueries: SearchQuery[] = [];
 
   // if a suffix is provided, we search for the userName concatenated with the suffix
   if (suffix) {
     const searchValueWithSuffix = `${searchValue}@${suffix}`;
-    const loginNameQuery = UserNameQuery(searchValueWithSuffix);
+    const loginNameQuery = LoginNameQuery(searchValueWithSuffix);
     queries.push(loginNameQuery);
   } else {
-    const loginNameQuery = UserNameQuery(searchValue);
+    const loginNameQuery = LoginNameQuery(searchValue);
     queries.push(loginNameQuery);
   }
 

From 21f59826d12c5f217383f14ea48c8ee302051c54 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 14:48:18 +0100
Subject: [PATCH 12/21] fix result

---
 apps/login/src/lib/zitadel.ts | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 97e5f842dc..a13bb4e74c 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -504,11 +504,15 @@ export async function searchUsers({
 
   const loginNameResult = await userService.listUsers({ queries: queries });
 
-  if (loginNameResult.result.length > 1) {
+  if (!loginNameResult || !loginNameResult.details) {
+    return { error: "An error occurred." };
+  }
+
+  if (loginNameResult.details.totalResult > BigInt(1)) {
     return { error: "Multiple users found" };
   }
 
-  if (loginNameResult.result.length == 1) {
+  if (loginNameResult.details?.totalResult == BigInt(1)) {
     return loginNameResult;
   }
 
@@ -536,7 +540,7 @@ export async function searchUsers({
       emailAndPhoneOrQueries.push(phoneQuery);
     }
 
-    queries.push(
+    emailAndPhoneQueries.push(
       create(SearchQuerySchema, {
         query: {
           case: "orQuery",
@@ -565,8 +569,12 @@ export async function searchUsers({
     queries: emailAndPhoneQueries,
   });
 
+  if (!emailOrPhoneResult || !emailOrPhoneResult.details) {
+    return { error: "An error occurred." };
+  }
+
   if (emailOrPhoneResult.result.length > 1) {
-    return { error: "Multiple users found" };
+    return { error: "Multiple users found." };
   }
 
   if (emailOrPhoneResult.result.length == 1) {

From a85e3b1d3bb8c75d7d34b724db97b67d6e0b3aef Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 9 Jan 2025 14:48:48 +0100
Subject: [PATCH 13/21] clean

---
 apps/login/src/lib/zitadel.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index a13bb4e74c..0eac0e8240 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -508,11 +508,11 @@ export async function searchUsers({
     return { error: "An error occurred." };
   }
 
-  if (loginNameResult.details.totalResult > BigInt(1)) {
+  if (loginNameResult.result.length > 1) {
     return { error: "Multiple users found" };
   }
 
-  if (loginNameResult.details?.totalResult == BigInt(1)) {
+  if (loginNameResult.result.length == 1) {
     return loginNameResult;
   }
 

From 11c6c9ed165be8d9838d62e404507328d0871383 Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Thu, 9 Jan 2025 15:42:30 +0100
Subject: [PATCH 14/21] test: add verify email and password change required

---
 acceptance/docker-compose.yaml                |   2 +-
 acceptance/setup.sh                           |   1 +
 acceptance/tests/email-verify-screen.ts       |  12 +
 acceptance/tests/email-verify.spec.ts         |  73 ++++++
 acceptance/tests/email-verify.ts              |  16 ++
 acceptance/tests/password-screen.ts           | 111 ++++----
 acceptance/tests/password.ts                  |   3 +-
 acceptance/tests/register.ts                  |  54 ++--
 acceptance/tests/user.ts                      |  13 +
 acceptance/tests/username-passkey.spec.ts     |   2 +
 .../username-password-change-required.spec.ts |  43 ++++
 .../tests/username-password-changed.spec.ts   |  65 ++---
 .../tests/username-password-otp_email.spec.ts |   3 +
 .../tests/username-password-otp_sms.spec.ts   |   3 +
 .../tests/username-password-set.spec.ts       |   9 +-
 .../tests/username-password-totp.spec.ts      | 109 ++++----
 acceptance/tests/username-password.spec.ts    |   3 +
 acceptance/tests/zitadel.ts                   | 241 +++++++++---------
 .../src/components/change-password-form.tsx   |   4 +-
 .../src/components/set-password-form.tsx      |   4 +-
 apps/login/src/components/verify-form.tsx     |   6 +-
 21 files changed, 496 insertions(+), 281 deletions(-)
 create mode 100644 acceptance/tests/email-verify-screen.ts
 create mode 100644 acceptance/tests/email-verify.spec.ts
 create mode 100644 acceptance/tests/email-verify.ts
 create mode 100644 acceptance/tests/username-password-change-required.spec.ts

diff --git a/acceptance/docker-compose.yaml b/acceptance/docker-compose.yaml
index de6990387d..43bd475759 100644
--- a/acceptance/docker-compose.yaml
+++ b/acceptance/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
   zitadel:
     user: "${ZITADEL_DEV_UID}"
-    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.65.0}"
+    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.67.1}"
     command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled --config /zitadel.yaml --steps /zitadel.yaml'
     ports:
       - "8080:8080"
diff --git a/acceptance/setup.sh b/acceptance/setup.sh
index e6277854a7..596c985d78 100755
--- a/acceptance/setup.sh
+++ b/acceptance/setup.sh
@@ -40,6 +40,7 @@ echo "ZITADEL_API_URL=${ZITADEL_API_URL}
 ZITADEL_SERVICE_USER_ID=${ZITADEL_SERVICE_USER_ID}
 ZITADEL_SERVICE_USER_TOKEN=${PAT}
 SINK_NOTIFICATION_URL=${SINK_NOTIFICATION_URL}
+EMAIL_VERIFICATION=true
 DEBUG=true"| tee "${WRITE_ENVIRONMENT_FILE}" "${WRITE_TEST_ENVIRONMENT_FILE}" > /dev/null
 echo "Wrote environment file ${WRITE_ENVIRONMENT_FILE}"
 cat ${WRITE_ENVIRONMENT_FILE}
diff --git a/acceptance/tests/email-verify-screen.ts b/acceptance/tests/email-verify-screen.ts
new file mode 100644
index 0000000000..5431f1f3ca
--- /dev/null
+++ b/acceptance/tests/email-verify-screen.ts
@@ -0,0 +1,12 @@
+import {expect, Page} from "@playwright/test";
+
+const codeTextInput = "code-text-input";
+
+export async function emailVerifyScreen(page: Page, code: string) {
+    await page.getByTestId(codeTextInput).pressSequentially(code);
+}
+
+export async function emailVerifyScreenExpect(page: Page, code: string) {
+    await expect(page.getByTestId(codeTextInput)).toHaveValue(code);
+    await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify email");
+}
diff --git a/acceptance/tests/email-verify.spec.ts b/acceptance/tests/email-verify.spec.ts
new file mode 100644
index 0000000000..fc6887db17
--- /dev/null
+++ b/acceptance/tests/email-verify.spec.ts
@@ -0,0 +1,73 @@
+import {faker} from "@faker-js/faker";
+import {test as base} from "@playwright/test";
+import dotenv from "dotenv";
+import path from "path";
+import {loginScreenExpect, loginWithPassword} from "./login";
+import {PasswordUser} from "./user";
+import {emailVerify, emailVerifyResend} from "./email-verify";
+import {emailVerifyScreenExpect} from "./email-verify-screen";
+import {getCodeFromSink} from "./sink"
+
+// Read from ".env" file.
+dotenv.config({path: path.resolve(__dirname, ".env.local")});
+
+const test = base.extend<{ user: PasswordUser }>({
+    user: async ({page}, use) => {
+        const user = new PasswordUser({
+            email: faker.internet.email(),
+            isEmailVerified: false,
+            firstName: faker.person.firstName(),
+            lastName: faker.person.lastName(),
+            organization: "",
+            phone: faker.phone.number(),
+            isPhoneVerified: false,
+            password: "Password1!",
+            passwordChangeRequired: false,
+        });
+        await user.ensure(page);
+        await use(user);
+        await user.cleanup();
+    },
+});
+
+test("user email not verified, verify", async ({user, page}) => {
+    await loginWithPassword(page, user.getUsername(), user.getPassword());
+    // auto-redirect on /verify
+    // wait for send of the code
+    await page.waitForTimeout(3000);
+    const c = await getCodeFromSink(user.getUsername());
+    await emailVerify(page, c)
+    await loginScreenExpect(page, user.getFullName());
+});
+
+test("user email not verified, resend, verify", async ({user, page}) => {
+    await loginWithPassword(page, user.getUsername(), user.getPassword());
+    // auto-redirect on /verify
+    await emailVerifyResend(page);
+    // wait for send of the code
+    await page.waitForTimeout(3000);
+    const c = await getCodeFromSink(user.getUsername());
+    await emailVerify(page, c)
+    await loginScreenExpect(page, user.getFullName());
+});
+
+test("user email not verified, resend, old code", async ({user, page}) => {
+    await loginWithPassword(page, user.getUsername(), user.getPassword());
+    // auto-redirect on /verify
+    // wait for send of the code
+    await page.waitForTimeout(3000);
+    const c = await getCodeFromSink(user.getUsername());
+    await emailVerifyResend(page);
+    // wait for resend of the code
+    await page.waitForTimeout(1000);
+    await emailVerify(page, c)
+    await emailVerifyScreenExpect(page, c);
+});
+
+test("user email not verified, wrong code", async ({user, page}) => {
+    await loginWithPassword(page, user.getUsername(), user.getPassword());
+    // auto-redirect on /verify
+    const code = "wrong"
+    await emailVerify(page, code)
+    await emailVerifyScreenExpect(page, code);
+});
diff --git a/acceptance/tests/email-verify.ts b/acceptance/tests/email-verify.ts
new file mode 100644
index 0000000000..9ef77eda34
--- /dev/null
+++ b/acceptance/tests/email-verify.ts
@@ -0,0 +1,16 @@
+import { Page } from "@playwright/test";
+import { emailVerifyScreen } from "./email-verify-screen";
+import { getOtpFromSink } from "./sink";
+
+export async function startEmailVerify(page: Page, loginname: string) {
+    await page.goto("/verify");
+}
+
+export async function emailVerify(page: Page, code: string) {
+    await emailVerifyScreen(page, code);
+    await page.getByTestId("submit-button").click();
+}
+
+export async function emailVerifyResend(page: Page) {
+    await page.getByTestId("resend-button").click();
+}
diff --git a/acceptance/tests/password-screen.ts b/acceptance/tests/password-screen.ts
index 57334a07d2..6d294e36e4 100644
--- a/acceptance/tests/password-screen.ts
+++ b/acceptance/tests/password-screen.ts
@@ -1,9 +1,13 @@
-import { expect, Page } from "@playwright/test";
-import { getCodeFromSink } from "./sink";
+import {expect, Page} from "@playwright/test";
+import {getCodeFromSink} from "./sink";
 
 const codeField = "code-text-input";
 const passwordField = "password-text-input";
 const passwordConfirmField = "password-confirm-text-input";
+const passwordChangeField = "password-change-text-input";
+const passwordChangeConfirmField = "password-change-confirm-text-input";
+const passwordSetField = "password-set-text-input";
+const passwordSetConfirmField = "password-set-confirm-text-input";
 const lengthCheck = "length-check";
 const symbolCheck = "symbol-check";
 const numberCheck = "number-check";
@@ -15,68 +19,83 @@ const matchText = "Matches";
 const noMatchText = "Doesn't match";
 
 export async function changePasswordScreen(page: Page, password1: string, password2: string) {
-  await page.getByTestId(passwordField).pressSequentially(password1);
-  await page.getByTestId(passwordConfirmField).pressSequentially(password2);
+    await page.getByTestId(passwordChangeField).pressSequentially(password1);
+    await page.getByTestId(passwordChangeConfirmField).pressSequentially(password2);
 }
 
 export async function passwordScreen(page: Page, password: string) {
-  await page.getByTestId(passwordField).pressSequentially(password);
+    await page.getByTestId(passwordField).pressSequentially(password);
 }
 
 export async function passwordScreenExpect(page: Page, password: string) {
-  await expect(page.getByTestId(passwordField)).toHaveValue(password);
-  await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify password");
+    await expect(page.getByTestId(passwordField)).toHaveValue(password);
+    await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify password");
 }
 
 export async function changePasswordScreenExpect(
-  page: Page,
-  password1: string,
-  password2: string,
-  length: boolean,
-  symbol: boolean,
-  number: boolean,
-  uppercase: boolean,
-  lowercase: boolean,
-  equals: boolean,
+    page: Page,
+    password1: string,
+    password2: string,
+    length: boolean,
+    symbol: boolean,
+    number: boolean,
+    uppercase: boolean,
+    lowercase: boolean,
+    equals: boolean,
 ) {
-  await expect(page.getByTestId(passwordField)).toHaveValue(password1);
-  await expect(page.getByTestId(passwordConfirmField)).toHaveValue(password2);
+    await expect(page.getByTestId(passwordChangeField)).toHaveValue(password1);
+    await expect(page.getByTestId(passwordChangeConfirmField)).toHaveValue(password2);
 
-  await checkContent(page, lengthCheck, length);
-  await checkContent(page, symbolCheck, symbol);
-  await checkContent(page, numberCheck, number);
-  await checkContent(page, uppercaseCheck, uppercase);
-  await checkContent(page, lowercaseCheck, lowercase);
-  await checkContent(page, equalCheck, equals);
+    await checkComplexity(page, length, symbol, number, uppercase, lowercase, equals);
+}
+
+async function checkComplexity(
+    page: Page,
+    length: boolean,
+    symbol: boolean,
+    number: boolean,
+    uppercase: boolean,
+    lowercase: boolean,
+    equals: boolean,
+) {
+    await checkContent(page, lengthCheck, length);
+    await checkContent(page, symbolCheck, symbol);
+    await checkContent(page, numberCheck, number);
+    await checkContent(page, uppercaseCheck, uppercase);
+    await checkContent(page, lowercaseCheck, lowercase);
+    await checkContent(page, equalCheck, equals);
 }
 
 async function checkContent(page: Page, testid: string, match: boolean) {
-  if (match) {
-    await expect(page.getByTestId(testid)).toContainText(matchText);
-  } else {
-    await expect(page.getByTestId(testid)).toContainText(noMatchText);
-  }
+    if (match) {
+        await expect(page.getByTestId(testid)).toContainText(matchText);
+    } else {
+        await expect(page.getByTestId(testid)).toContainText(noMatchText);
+    }
 }
 
 export async function resetPasswordScreen(page: Page, username: string, password1: string, password2: string) {
-  // wait for send of the code
-  await page.waitForTimeout(3000);
-  const c = await getCodeFromSink(username);
-  await page.getByTestId(codeField).pressSequentially(c);
-  await page.getByTestId(passwordField).pressSequentially(password1);
-  await page.getByTestId(passwordConfirmField).pressSequentially(password2);
+    // wait for send of the code
+    await page.waitForTimeout(3000);
+    const c = await getCodeFromSink(username);
+    await page.getByTestId(codeField).pressSequentially(c);
+    await page.getByTestId(passwordSetField).pressSequentially(password1);
+    await page.getByTestId(passwordSetConfirmField).pressSequentially(password2);
 }
 
 export async function resetPasswordScreenExpect(
-  page: Page,
-  password1: string,
-  password2: string,
-  length: boolean,
-  symbol: boolean,
-  number: boolean,
-  uppercase: boolean,
-  lowercase: boolean,
-  equals: boolean,
+    page: Page,
+    password1: string,
+    password2: string,
+    length: boolean,
+    symbol: boolean,
+    number: boolean,
+    uppercase: boolean,
+    lowercase: boolean,
+    equals: boolean,
 ) {
-  await changePasswordScreenExpect(page, password1, password2, length, symbol, number, uppercase, lowercase, equals);
-}
+    await expect(page.getByTestId(passwordSetField)).toHaveValue(password1);
+    await expect(page.getByTestId(passwordSetConfirmField)).toHaveValue(password2);
+
+    await checkComplexity(page, length, symbol, number, uppercase, lowercase, equals);
+}
\ No newline at end of file
diff --git a/acceptance/tests/password.ts b/acceptance/tests/password.ts
index b3d31fcaee..1dc304cc84 100644
--- a/acceptance/tests/password.ts
+++ b/acceptance/tests/password.ts
@@ -8,8 +8,7 @@ export async function startChangePassword(page: Page, loginname: string) {
   await page.goto("/password/change?" + new URLSearchParams({ loginName: loginname }));
 }
 
-export async function changePassword(page: Page, loginname: string, password: string) {
-  await startChangePassword(page, loginname);
+export async function changePassword(page: Page, password: string) {
   await changePasswordScreen(page, password, password);
   await page.getByTestId(passwordSubmitButton).click();
 }
diff --git a/acceptance/tests/register.ts b/acceptance/tests/register.ts
index 693bdfbc0d..2bc2c79e16 100644
--- a/acceptance/tests/register.ts
+++ b/acceptance/tests/register.ts
@@ -1,29 +1,43 @@
-import { Page } from "@playwright/test";
-import { passkeyRegister } from "./passkey";
-import { registerPasswordScreen, registerUserScreenPasskey, registerUserScreenPassword } from "./register-screen";
+import {Page} from "@playwright/test";
+import {passkeyRegister} from "./passkey";
+import {registerPasswordScreen, registerUserScreenPasskey, registerUserScreenPassword} from "./register-screen";
+import {getCodeFromSink} from "./sink";
+import {emailVerify} from "./email-verify";
 
 export async function registerWithPassword(
-  page: Page,
-  firstname: string,
-  lastname: string,
-  email: string,
-  password1: string,
-  password2: string,
+    page: Page,
+    firstname: string,
+    lastname: string,
+    email: string,
+    password1: string,
+    password2: string,
 ) {
-  await page.goto("/register");
-  await registerUserScreenPassword(page, firstname, lastname, email);
-  await page.getByTestId("submit-button").click();
-  await registerPasswordScreen(page, password1, password2);
-  await page.getByTestId("submit-button").click();
+    await page.goto("/register");
+    await registerUserScreenPassword(page, firstname, lastname, email);
+    await page.getByTestId("submit-button").click();
+    await registerPasswordScreen(page, password1, password2);
+    await page.getByTestId("submit-button").click();
+    await page.waitForTimeout(3000);
+
+    await verifyEmail(page, email)
 }
 
 export async function registerWithPasskey(page: Page, firstname: string, lastname: string, email: string): Promise<string> {
-  await page.goto("/register");
-  await registerUserScreenPasskey(page, firstname, lastname, email);
-  await page.getByTestId("submit-button").click();
+    await page.goto("/register");
+    await registerUserScreenPasskey(page, firstname, lastname, email);
+    await page.getByTestId("submit-button").click();
 
-  // wait for projection of user
-  await page.waitForTimeout(2000);
+    // wait for projection of user
+    await page.waitForTimeout(3000);
+    const authId = await passkeyRegister(page);
 
-  return await passkeyRegister(page);
+    await verifyEmail(page, email)
+    return authId
 }
+
+
+async function verifyEmail(page: Page, email: string) {
+    await page.waitForTimeout(1000);
+    const c = await getCodeFromSink(email);
+    await emailVerify(page, c)
+}
\ No newline at end of file
diff --git a/acceptance/tests/user.ts b/acceptance/tests/user.ts
index 3daefdff08..68a8eecd2b 100644
--- a/acceptance/tests/user.ts
+++ b/acceptance/tests/user.ts
@@ -4,11 +4,14 @@ import { activateOTP, addTOTP, addUser, getUserByUsername, removeUser } from "./
 
 export interface userProps {
   email: string;
+  isEmailVerified?: boolean;
   firstName: string;
   lastName: string;
   organization: string;
   password: string;
+  passwordChangeRequired?: boolean;
   phone: string;
+  isPhoneVerified?: boolean;
 }
 
 class User {
@@ -77,11 +80,14 @@ export enum OtpType {
 
 export interface otpUserProps {
   email: string;
+  isEmailVerified?: boolean;
   firstName: string;
   lastName: string;
   organization: string;
   password: string;
+  passwordChangeRequired?: boolean;
   phone: string;
+  isPhoneVerified?: boolean;
   type: OtpType;
 }
 
@@ -96,6 +102,9 @@ export class PasswordUserWithOTP extends User {
       organization: props.organization,
       password: props.password,
       phone: props.phone,
+      isEmailVerified: props.isEmailVerified,
+      isPhoneVerified: props.isPhoneVerified,
+      passwordChangeRequired: props.passwordChangeRequired,
     });
     this.type = props.type;
   }
@@ -133,6 +142,8 @@ export interface passkeyUserProps {
   lastName: string;
   organization: string;
   phone: string;
+  isEmailVerified?: boolean;
+  isPhoneVerified?: boolean;
 }
 
 export class PasskeyUser extends User {
@@ -146,6 +157,8 @@ export class PasskeyUser extends User {
       organization: props.organization,
       password: "",
       phone: props.phone,
+      isEmailVerified: props.isEmailVerified,
+      isPhoneVerified: props.isPhoneVerified,
     });
   }
 
diff --git a/acceptance/tests/username-passkey.spec.ts b/acceptance/tests/username-passkey.spec.ts
index e73de3547f..54b1bf0a29 100644
--- a/acceptance/tests/username-passkey.spec.ts
+++ b/acceptance/tests/username-passkey.spec.ts
@@ -12,10 +12,12 @@ const test = base.extend<{ user: PasskeyUser }>({
   user: async ({ page }, use) => {
     const user = new PasskeyUser({
       email: faker.internet.email(),
+      isEmailVerified: true,
       firstName: faker.person.firstName(),
       lastName: faker.person.lastName(),
       organization: "",
       phone: faker.phone.number(),
+      isPhoneVerified: false,
     });
     await user.ensure(page);
     await use(user);
diff --git a/acceptance/tests/username-password-change-required.spec.ts b/acceptance/tests/username-password-change-required.spec.ts
new file mode 100644
index 0000000000..faf007233f
--- /dev/null
+++ b/acceptance/tests/username-password-change-required.spec.ts
@@ -0,0 +1,43 @@
+import { faker } from "@faker-js/faker";
+import { test as base } from "@playwright/test";
+import dotenv from "dotenv";
+import path from "path";
+import { loginScreenExpect, loginWithPassword, startLogin } from "./login";
+import { loginname } from "./loginname";
+import {changePassword, resetPassword, startResetPassword} from "./password";
+import { resetPasswordScreen, resetPasswordScreenExpect } from "./password-screen";
+import { PasswordUser } from "./user";
+
+// Read from ".env" file.
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
+
+const test = base.extend<{ user: PasswordUser }>({
+  user: async ({ page }, use) => {
+    const user = new PasswordUser({
+      email: faker.internet.email(),
+      isEmailVerified: true,
+      firstName: faker.person.firstName(),
+      lastName: faker.person.lastName(),
+      organization: "",
+      phone: faker.phone.number(),
+      isPhoneVerified: false,
+      password: "Password1!",
+      passwordChangeRequired: true,
+    });
+    await user.ensure(page);
+    await use(user);
+    await user.cleanup();
+  },
+});
+
+test("username and password login, change required", async ({ user, page }) => {
+  const changedPw = "ChangedPw1!";
+
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  await page.waitForTimeout(100);
+  await changePassword(page, changedPw);
+  await loginScreenExpect(page, user.getFullName());
+
+  await loginWithPassword(page, user.getUsername(), changedPw);
+  await loginScreenExpect(page, user.getFullName());
+});
diff --git a/acceptance/tests/username-password-changed.spec.ts b/acceptance/tests/username-password-changed.spec.ts
index c185e51ec9..acbe1f91fe 100644
--- a/acceptance/tests/username-password-changed.spec.ts
+++ b/acceptance/tests/username-password-changed.spec.ts
@@ -1,53 +1,54 @@
-import { faker } from "@faker-js/faker";
-import { test as base } from "@playwright/test";
+import {faker} from "@faker-js/faker";
+import {test as base} from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
-import { loginWithPassword } from "./login";
-import { startChangePassword } from "./password";
-import { changePasswordScreen, changePasswordScreenExpect } from "./password-screen";
-import { PasswordUser } from "./user";
+import {loginScreenExpect, loginWithPassword} from "./login";
+import {changePassword, startChangePassword} from "./password";
+import {changePasswordScreen, changePasswordScreenExpect} from "./password-screen";
+import {PasswordUser} from "./user";
 
 // Read from ".env" file.
-dotenv.config({ path: path.resolve(__dirname, ".env.local") });
+dotenv.config({path: path.resolve(__dirname, ".env.local")});
 
 const test = base.extend<{ user: PasswordUser }>({
-  user: async ({ page }, use) => {
-    const user = new PasswordUser({
-      email: faker.internet.email(),
-      firstName: faker.person.firstName(),
-      lastName: faker.person.lastName(),
-      organization: "",
-      phone: faker.phone.number(),
-      password: "Password1!",
-    });
-    await user.ensure(page);
-    await use(user);
-    await user.cleanup();
-  },
+    user: async ({page}, use) => {
+        const user = new PasswordUser({
+            email: faker.internet.email(),
+            isEmailVerified: true,
+            firstName: faker.person.firstName(),
+            lastName: faker.person.lastName(),
+            organization: "",
+            phone: faker.phone.number(),
+            isPhoneVerified: false,
+            password: "Password1!",
+            passwordChangeRequired: false,
+        });
+        await user.ensure(page);
+        await use(user);
+        await user.cleanup();
+    },
 });
 
-test("username and password changed login", async ({ user, page }) => {
-  // commented, fix in https://github.com/zitadel/zitadel/pull/8807
-  /*
+test("username and password changed login", async ({user, page}) => {
     const changedPw = "ChangedPw1!";
     await loginWithPassword(page, user.getUsername(), user.getPassword());
 
     // wait for projection of token
     await page.waitForTimeout(2000);
 
-    await changePassword(page, user.getUsername(), changedPw);
+    await startChangePassword(page, user.getUsername());
+    await changePassword(page, changedPw);
     await loginScreenExpect(page, user.getFullName());
 
     await loginWithPassword(page, user.getUsername(), changedPw);
     await loginScreenExpect(page, user.getFullName());
-     */
 });
 
-test("password change not with desired complexity", async ({ user, page }) => {
-  const changedPw1 = "change";
-  const changedPw2 = "chang";
-  await loginWithPassword(page, user.getUsername(), user.getPassword());
-  await startChangePassword(page, user.getUsername());
-  await changePasswordScreen(page, changedPw1, changedPw2);
-  await changePasswordScreenExpect(page, changedPw1, changedPw2, false, false, false, false, true, false);
+test("password change not with desired complexity", async ({user, page}) => {
+    const changedPw1 = "change";
+    const changedPw2 = "chang";
+    await loginWithPassword(page, user.getUsername(), user.getPassword());
+    await startChangePassword(page, user.getUsername());
+    await changePasswordScreen(page, changedPw1, changedPw2);
+    await changePasswordScreenExpect(page, changedPw1, changedPw2, false, false, false, false, true, false);
 });
diff --git a/acceptance/tests/username-password-otp_email.spec.ts b/acceptance/tests/username-password-otp_email.spec.ts
index daa2e0a429..d06cc87834 100644
--- a/acceptance/tests/username-password-otp_email.spec.ts
+++ b/acceptance/tests/username-password-otp_email.spec.ts
@@ -14,11 +14,14 @@ const test = base.extend<{ user: PasswordUserWithOTP; sink: any }>({
   user: async ({ page }, use) => {
     const user = new PasswordUserWithOTP({
       email: faker.internet.email(),
+      isEmailVerified: true,
       firstName: faker.person.firstName(),
       lastName: faker.person.lastName(),
       organization: "",
       phone: faker.phone.number(),
+      isPhoneVerified: false,
       password: "Password1!",
+      passwordChangeRequired: false,
       type: OtpType.email,
     });
 
diff --git a/acceptance/tests/username-password-otp_sms.spec.ts b/acceptance/tests/username-password-otp_sms.spec.ts
index 8fb91a66c7..ac69b25f08 100644
--- a/acceptance/tests/username-password-otp_sms.spec.ts
+++ b/acceptance/tests/username-password-otp_sms.spec.ts
@@ -14,11 +14,14 @@ const test = base.extend<{ user: PasswordUserWithOTP; sink: any }>({
   user: async ({ page }, use) => {
     const user = new PasswordUserWithOTP({
       email: faker.internet.email(),
+      isEmailVerified: true,
       firstName: faker.person.firstName(),
       lastName: faker.person.lastName(),
       organization: "",
       phone: faker.phone.number({ style: "international" }),
+      isPhoneVerified: true,
       password: "Password1!",
+      passwordChangeRequired: false,
       type: OtpType.sms,
     });
 
diff --git a/acceptance/tests/username-password-set.spec.ts b/acceptance/tests/username-password-set.spec.ts
index 30d442df50..c622ab712c 100644
--- a/acceptance/tests/username-password-set.spec.ts
+++ b/acceptance/tests/username-password-set.spec.ts
@@ -4,8 +4,8 @@ import dotenv from "dotenv";
 import path from "path";
 import { loginScreenExpect, loginWithPassword, startLogin } from "./login";
 import { loginname } from "./loginname";
-import { resetPassword, startResetPassword } from "./password";
-import { resetPasswordScreen, resetPasswordScreenExpect } from "./password-screen";
+import {changePassword, resetPassword, startResetPassword} from "./password";
+import {changePasswordScreen, resetPasswordScreen, resetPasswordScreenExpect} from "./password-screen";
 import { PasswordUser } from "./user";
 
 // Read from ".env" file.
@@ -15,11 +15,14 @@ const test = base.extend<{ user: PasswordUser }>({
   user: async ({ page }, use) => {
     const user = new PasswordUser({
       email: faker.internet.email(),
+      isEmailVerified: true,
       firstName: faker.person.firstName(),
       lastName: faker.person.lastName(),
       organization: "",
       phone: faker.phone.number(),
+      isPhoneVerified: false,
       password: "Password1!",
+      passwordChangeRequired: false,
     });
     await user.ensure(page);
     await use(user);
@@ -28,8 +31,6 @@ const test = base.extend<{ user: PasswordUser }>({
 });
 
 test("username and password set login", async ({ user, page }) => {
-  // commented, fix in https://github.com/zitadel/zitadel/pull/8807
-
   const changedPw = "ChangedPw1!";
   await startLogin(page);
   await loginname(page, user.getUsername());
diff --git a/acceptance/tests/username-password-totp.spec.ts b/acceptance/tests/username-password-totp.spec.ts
index 4b6e678931..2eb5ff4e65 100644
--- a/acceptance/tests/username-password-totp.spec.ts
+++ b/acceptance/tests/username-password-totp.spec.ts
@@ -1,67 +1,70 @@
-import { faker } from "@faker-js/faker";
-import { test as base } from "@playwright/test";
+import {faker} from "@faker-js/faker";
+import {test as base} from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
-import { code } from "./code";
-import { codeScreenExpect } from "./code-screen";
-import { loginScreenExpect, loginWithPassword, loginWithPasswordAndTOTP } from "./login";
-import { PasswordUserWithTOTP } from "./user";
+import {code} from "./code";
+import {codeScreenExpect} from "./code-screen";
+import {loginScreenExpect, loginWithPassword, loginWithPasswordAndTOTP} from "./login";
+import {PasswordUserWithTOTP} from "./user";
 
 // Read from ".env" file.
-dotenv.config({ path: path.resolve(__dirname, ".env.local") });
+dotenv.config({path: path.resolve(__dirname, ".env.local")});
 
 const test = base.extend<{ user: PasswordUserWithTOTP; sink: any }>({
-  user: async ({ page }, use) => {
-    const user = new PasswordUserWithTOTP({
-      email: faker.internet.email(),
-      firstName: faker.person.firstName(),
-      lastName: faker.person.lastName(),
-      organization: "",
-      phone: faker.phone.number({ style: "international" }),
-      password: "Password1!",
-    });
+    user: async ({page}, use) => {
+        const user = new PasswordUserWithTOTP({
+            email: faker.internet.email(),
+            isEmailVerified: true,
+            firstName: faker.person.firstName(),
+            lastName: faker.person.lastName(),
+            organization: "",
+            phone: faker.phone.number({style: "international"}),
+            isPhoneVerified: true,
+            password: "Password1!",
+            passwordChangeRequired: false,
+        });
 
-    await user.ensure(page);
-    await use(user);
-    await user.cleanup();
-  },
+        await user.ensure(page);
+        await use(user);
+        await user.cleanup();
+    },
 });
 
-test("username, password and totp login", async ({ user, page }) => {
-  // Given totp is enabled on the organization of the user
-  // Given the user has only totp configured as second factor
-  // User enters username
-  // User enters password
-  // Screen for entering the code is shown directly
-  // User enters the code into the ui
-  // User is redirected to the app (default redirect url)
-  await loginWithPasswordAndTOTP(page, user.getUsername(), user.getPassword(), user.getSecret());
-  await loginScreenExpect(page, user.getFullName());
+test("username, password and totp login", async ({user, page}) => {
+    // Given totp is enabled on the organization of the user
+    // Given the user has only totp configured as second factor
+    // User enters username
+    // User enters password
+    // Screen for entering the code is shown directly
+    // User enters the code into the ui
+    // User is redirected to the app (default redirect url)
+    await loginWithPasswordAndTOTP(page, user.getUsername(), user.getPassword(), user.getSecret());
+    await loginScreenExpect(page, user.getFullName());
 });
 
-test("username, password and totp otp login, wrong code", async ({ user, page }) => {
-  // Given totp is enabled on the organization of the user
-  // Given the user has only totp configured as second factor
-  // User enters username
-  // User enters password
-  // Screen for entering the code is shown directly
-  // User enters a wrond code
-  // Error message - "Invalid code" is shown
-  const c = "wrongcode";
-  await loginWithPassword(page, user.getUsername(), user.getPassword());
-  await code(page, c);
-  await codeScreenExpect(page, c);
+test("username, password and totp otp login, wrong code", async ({user, page}) => {
+    // Given totp is enabled on the organization of the user
+    // Given the user has only totp configured as second factor
+    // User enters username
+    // User enters password
+    // Screen for entering the code is shown directly
+    // User enters a wrond code
+    // Error message - "Invalid code" is shown
+    const c = "wrongcode";
+    await loginWithPassword(page, user.getUsername(), user.getPassword());
+    await code(page, c);
+    await codeScreenExpect(page, c);
 });
 
-test("username, password and totp login, multiple mfa options", async ({ page }) => {
-  // Given totp and email otp is enabled on the organization of the user
-  // Given the user has totp and email otp configured as second factor
-  // User enters username
-  // User enters password
-  // Screen for entering the code is shown directly
-  // Button to switch to email otp is shown
-  // User clicks button to use email otp instead
-  // User receives an email with a verification code
-  // User enters code in ui
-  // User is redirected to the app (default redirect url)
+test("username, password and totp login, multiple mfa options", async ({page}) => {
+    // Given totp and email otp is enabled on the organization of the user
+    // Given the user has totp and email otp configured as second factor
+    // User enters username
+    // User enters password
+    // Screen for entering the code is shown directly
+    // Button to switch to email otp is shown
+    // User clicks button to use email otp instead
+    // User receives an email with a verification code
+    // User enters code in ui
+    // User is redirected to the app (default redirect url)
 });
diff --git a/acceptance/tests/username-password.spec.ts b/acceptance/tests/username-password.spec.ts
index fcb6aad037..209c415511 100644
--- a/acceptance/tests/username-password.spec.ts
+++ b/acceptance/tests/username-password.spec.ts
@@ -16,11 +16,14 @@ const test = base.extend<{ user: PasswordUser }>({
   user: async ({ page }, use) => {
     const user = new PasswordUser({
       email: faker.internet.email(),
+      isEmailVerified: true,
       firstName: faker.person.firstName(),
       lastName: faker.person.lastName(),
       organization: "",
       phone: faker.phone.number(),
+      isPhoneVerified: false,
       password: "Password1!",
+      passwordChangeRequired: false,
     });
     await user.ensure(page);
     await use(user);
diff --git a/acceptance/tests/zitadel.ts b/acceptance/tests/zitadel.ts
index 587723f10d..8e15339384 100644
--- a/acceptance/tests/zitadel.ts
+++ b/acceptance/tests/zitadel.ts
@@ -1,159 +1,166 @@
-import { Authenticator } from "@otplib/core";
-import { createDigest, createRandomBytes } from "@otplib/plugin-crypto";
-import { keyDecoder, keyEncoder } from "@otplib/plugin-thirty-two"; // use your chosen base32 plugin
+import {Authenticator} from "@otplib/core";
+import {createDigest, createRandomBytes} from "@otplib/plugin-crypto";
+import {keyDecoder, keyEncoder} from "@otplib/plugin-thirty-two"; // use your chosen base32 plugin
 import axios from "axios";
-import { OtpType, userProps } from "./user";
+import {OtpType, userProps} from "./user";
 
 export async function addUser(props: userProps) {
-  const body = {
-    username: props.email,
-    organization: {
-      orgId: props.organization,
-    },
-    profile: {
-      givenName: props.firstName,
-      familyName: props.lastName,
-    },
-    email: {
-      email: props.email,
-      isVerified: true,
-    },
-    phone: {
-      phone: props.phone!,
-      isVerified: true,
-    },
-    password: {
-      password: props.password!,
-    },
-  };
+    const body = {
+        username: props.email,
+        organization: {
+            orgId: props.organization,
+        },
+        profile: {
+            givenName: props.firstName,
+            familyName: props.lastName,
+        },
+        email: {
+            email: props.email,
+            isVerified: true,
+        },
+        phone: {
+            phone: props.phone,
+            isVerified: true,
+        },
+        password: {
+            password: props.password,
+            changeRequired: props.passwordChangeRequired ?? false,
+        },
+    };
+    if (!props.isEmailVerified) {
+        delete body.email.isVerified;
+    }
+    if (!props.isPhoneVerified) {
+        delete body.phone.isVerified;
+    }
 
-  return await listCall(`${process.env.ZITADEL_API_URL}/v2/users/human`, body);
+    return await listCall(`${process.env.ZITADEL_API_URL}/v2/users/human`, body);
 }
 
 export async function removeUserByUsername(username: string) {
-  const resp = await getUserByUsername(username);
-  if (!resp || !resp.result || !resp.result[0]) {
-    return;
-  }
-  await removeUser(resp.result[0].userId);
+    const resp = await getUserByUsername(username);
+    if (!resp || !resp.result || !resp.result[0]) {
+        return;
+    }
+    await removeUser(resp.result[0].userId);
 }
 
 export async function removeUser(id: string) {
-  await deleteCall(`${process.env.ZITADEL_API_URL}/v2/users/${id}`);
+    await deleteCall(`${process.env.ZITADEL_API_URL}/v2/users/${id}`);
 }
 
 async function deleteCall(url: string) {
-  try {
-    const response = await axios.delete(url, {
-      headers: {
-        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-      },
-    });
+    try {
+        const response = await axios.delete(url, {
+            headers: {
+                Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+            },
+        });
 
-    if (response.status >= 400 && response.status !== 404) {
-      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-      console.error(error);
-      throw new Error(error);
+        if (response.status >= 400 && response.status !== 404) {
+            const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+            console.error(error);
+            throw new Error(error);
+        }
+    } catch (error) {
+        console.error("Error making request:", error);
+        throw error;
     }
-  } catch (error) {
-    console.error("Error making request:", error);
-    throw error;
-  }
 }
 
 export async function getUserByUsername(username: string): Promise<any> {
-  const listUsersBody = {
-    queries: [
-      {
-        userNameQuery: {
-          userName: username,
-        },
-      },
-    ],
-  };
+    const listUsersBody = {
+        queries: [
+            {
+                userNameQuery: {
+                    userName: username,
+                },
+            },
+        ],
+    };
 
-  return await listCall(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody);
+    return await listCall(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody);
 }
 
 async function listCall(url: string, data: any): Promise<any> {
-  try {
-    const response = await axios.post(url, data, {
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-      },
-    });
+    try {
+        const response = await axios.post(url, data, {
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+            },
+        });
 
-    if (response.status >= 400) {
-      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-      console.error(error);
-      throw new Error(error);
+        if (response.status >= 400) {
+            const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+            console.error(error);
+            throw new Error(error);
+        }
+
+        return response.data;
+    } catch (error) {
+        console.error("Error making request:", error);
+        throw error;
     }
-
-    return response.data;
-  } catch (error) {
-    console.error("Error making request:", error);
-    throw error;
-  }
 }
 
 export async function activateOTP(userId: string, type: OtpType) {
-  let url = "otp_";
-  switch (type) {
-    case OtpType.sms:
-      url = url + "sms";
-      break;
-    case OtpType.email:
-      url = url + "email";
-      break;
-  }
+    let url = "otp_";
+    switch (type) {
+        case OtpType.sms:
+            url = url + "sms";
+            break;
+        case OtpType.email:
+            url = url + "email";
+            break;
+    }
 
-  await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/${url}`, {});
+    await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/${url}`, {});
 }
 
 async function pushCall(url: string, data: any) {
-  try {
-    const response = await axios.post(url, data, {
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-      },
-    });
+    try {
+        const response = await axios.post(url, data, {
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+            },
+        });
 
-    if (response.status >= 400) {
-      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-      console.error(error);
-      throw new Error(error);
+        if (response.status >= 400) {
+            const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+            console.error(error);
+            throw new Error(error);
+        }
+    } catch (error) {
+        console.error("Error making request:", error);
+        throw error;
     }
-  } catch (error) {
-    console.error("Error making request:", error);
-    throw error;
-  }
 }
 
 export async function addTOTP(userId: string): Promise<string> {
-  const response = await listCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp`, {});
-  const code = totp(response.secret);
-  await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp/verify`, { code: code });
-  return response.secret;
+    const response = await listCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp`, {});
+    const code = totp(response.secret);
+    await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp/verify`, {code: code});
+    return response.secret;
 }
 
 export function totp(secret: string) {
-  const authenticator = new Authenticator({
-    createDigest,
-    createRandomBytes,
-    keyDecoder,
-    keyEncoder,
-  });
-  // google authenticator usage
-  const token = authenticator.generate(secret);
+    const authenticator = new Authenticator({
+        createDigest,
+        createRandomBytes,
+        keyDecoder,
+        keyEncoder,
+    });
+    // google authenticator usage
+    const token = authenticator.generate(secret);
 
-  // check if token can be used
-  if (!authenticator.verify({ token: token, secret: secret })) {
-    const error = `Generated token could not be verified`;
-    console.error(error);
-    throw new Error(error);
-  }
+    // check if token can be used
+    if (!authenticator.verify({token: token, secret: secret})) {
+        const error = `Generated token could not be verified`;
+        console.error(error);
+        throw new Error(error);
+    }
 
-  return token;
+    return token;
 }
diff --git a/apps/login/src/components/change-password-form.tsx b/apps/login/src/components/change-password-form.tsx
index f8c22029f7..c581a40b8d 100644
--- a/apps/login/src/components/change-password-form.tsx
+++ b/apps/login/src/components/change-password-form.tsx
@@ -161,7 +161,7 @@ export function ChangePasswordForm({
             })}
             label="New Password"
             error={errors.password?.message as string}
-            data-testid="password-text-input"
+            data-testid="password-change-text-input"
           />
         </div>
         <div className="">
@@ -174,7 +174,7 @@ export function ChangePasswordForm({
             })}
             label="Confirm Password"
             error={errors.confirmPassword?.message as string}
-            data-testid="password-confirm-text-input"
+            data-testid="password-change-confirm-text-input"
           />
         </div>
       </div>
diff --git a/apps/login/src/components/set-password-form.tsx b/apps/login/src/components/set-password-form.tsx
index d093d1d131..ec6cf3cc6b 100644
--- a/apps/login/src/components/set-password-form.tsx
+++ b/apps/login/src/components/set-password-form.tsx
@@ -237,7 +237,7 @@ export function SetPasswordForm({
             })}
             label="New Password"
             error={errors.password?.message as string}
-            data-testid="password-text-input"
+            data-testid="password-set-text-input"
           />
         </div>
         <div>
@@ -250,7 +250,7 @@ export function SetPasswordForm({
             })}
             label="Confirm Password"
             error={errors.confirmPassword?.message as string}
-            data-testid="password-confirm-text-input"
+            data-testid="password-set-confirm-text-input"
           />
         </div>
       </div>
diff --git a/apps/login/src/components/verify-form.tsx b/apps/login/src/components/verify-form.tsx
index 6b6189297e..1982375ba1 100644
--- a/apps/login/src/components/verify-form.tsx
+++ b/apps/login/src/components/verify-form.tsx
@@ -115,7 +115,7 @@ export function VerifyForm({
               {t("verify.noCodeReceived")}
             </span>
             <button
-              aria-label="Resend OTP Code"
+              aria-label="Resend Code"
               disabled={loading}
               type="button"
               className="ml-4 text-primary-light-500 dark:text-primary-dark-500 hover:dark:text-primary-dark-400 hover:text-primary-light-400 cursor-pointer disabled:cursor-default disabled:text-gray-400 dark:disabled:text-gray-700"
@@ -134,11 +134,12 @@ export function VerifyForm({
             autoComplete="one-time-code"
             {...register("code", { required: "This field is required" })}
             label="Code"
+            data-testid="code-text-input"
           />
         </div>
 
         {error && (
-          <div className="py-4">
+          <div className="py-4" data-testid="error">
             <Alert>{error}</Alert>
           </div>
         )}
@@ -152,6 +153,7 @@ export function VerifyForm({
             variant={ButtonVariants.Primary}
             disabled={loading || !formState.isValid}
             onClick={handleSubmit(fcn)}
+            data-testid="submit-button"
           >
             {loading && <Spinner className="h-5 w-5 mr-2" />}
             {t("verify.submit")}

From 3443482d2b84542340063bd75c44f5a62ebe73d7 Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Thu, 9 Jan 2025 15:49:44 +0100
Subject: [PATCH 15/21] test: add verify email and password change required

---
 acceptance/tests/email-verify-screen.ts       |   8 +-
 acceptance/tests/email-verify.spec.ts         | 116 ++++----
 acceptance/tests/email-verify.ts              |   9 +-
 acceptance/tests/password-screen.ts           | 112 ++++----
 acceptance/tests/register.ts                  |  61 +++--
 .../username-password-change-required.spec.ts |   6 +-
 .../tests/username-password-changed.spec.ts   |  80 +++---
 .../tests/username-password-set.spec.ts       |   4 +-
 .../tests/username-password-totp.spec.ts      | 112 ++++----
 acceptance/tests/zitadel.ts                   | 248 +++++++++---------
 10 files changed, 376 insertions(+), 380 deletions(-)

diff --git a/acceptance/tests/email-verify-screen.ts b/acceptance/tests/email-verify-screen.ts
index 5431f1f3ca..b077ecb424 100644
--- a/acceptance/tests/email-verify-screen.ts
+++ b/acceptance/tests/email-verify-screen.ts
@@ -1,12 +1,12 @@
-import {expect, Page} from "@playwright/test";
+import { expect, Page } from "@playwright/test";
 
 const codeTextInput = "code-text-input";
 
 export async function emailVerifyScreen(page: Page, code: string) {
-    await page.getByTestId(codeTextInput).pressSequentially(code);
+  await page.getByTestId(codeTextInput).pressSequentially(code);
 }
 
 export async function emailVerifyScreenExpect(page: Page, code: string) {
-    await expect(page.getByTestId(codeTextInput)).toHaveValue(code);
-    await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify email");
+  await expect(page.getByTestId(codeTextInput)).toHaveValue(code);
+  await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify email");
 }
diff --git a/acceptance/tests/email-verify.spec.ts b/acceptance/tests/email-verify.spec.ts
index fc6887db17..d95c1f691d 100644
--- a/acceptance/tests/email-verify.spec.ts
+++ b/acceptance/tests/email-verify.spec.ts
@@ -1,73 +1,73 @@
-import {faker} from "@faker-js/faker";
-import {test as base} from "@playwright/test";
+import { faker } from "@faker-js/faker";
+import { test as base } from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
-import {loginScreenExpect, loginWithPassword} from "./login";
-import {PasswordUser} from "./user";
-import {emailVerify, emailVerifyResend} from "./email-verify";
-import {emailVerifyScreenExpect} from "./email-verify-screen";
-import {getCodeFromSink} from "./sink"
+import { emailVerify, emailVerifyResend } from "./email-verify";
+import { emailVerifyScreenExpect } from "./email-verify-screen";
+import { loginScreenExpect, loginWithPassword } from "./login";
+import { getCodeFromSink } from "./sink";
+import { PasswordUser } from "./user";
 
 // Read from ".env" file.
-dotenv.config({path: path.resolve(__dirname, ".env.local")});
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
 
 const test = base.extend<{ user: PasswordUser }>({
-    user: async ({page}, use) => {
-        const user = new PasswordUser({
-            email: faker.internet.email(),
-            isEmailVerified: false,
-            firstName: faker.person.firstName(),
-            lastName: faker.person.lastName(),
-            organization: "",
-            phone: faker.phone.number(),
-            isPhoneVerified: false,
-            password: "Password1!",
-            passwordChangeRequired: false,
-        });
-        await user.ensure(page);
-        await use(user);
-        await user.cleanup();
-    },
+  user: async ({ page }, use) => {
+    const user = new PasswordUser({
+      email: faker.internet.email(),
+      isEmailVerified: false,
+      firstName: faker.person.firstName(),
+      lastName: faker.person.lastName(),
+      organization: "",
+      phone: faker.phone.number(),
+      isPhoneVerified: false,
+      password: "Password1!",
+      passwordChangeRequired: false,
+    });
+    await user.ensure(page);
+    await use(user);
+    await user.cleanup();
+  },
 });
 
-test("user email not verified, verify", async ({user, page}) => {
-    await loginWithPassword(page, user.getUsername(), user.getPassword());
-    // auto-redirect on /verify
-    // wait for send of the code
-    await page.waitForTimeout(3000);
-    const c = await getCodeFromSink(user.getUsername());
-    await emailVerify(page, c)
-    await loginScreenExpect(page, user.getFullName());
+test("user email not verified, verify", async ({ user, page }) => {
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  // auto-redirect on /verify
+  // wait for send of the code
+  await page.waitForTimeout(3000);
+  const c = await getCodeFromSink(user.getUsername());
+  await emailVerify(page, c);
+  await loginScreenExpect(page, user.getFullName());
 });
 
-test("user email not verified, resend, verify", async ({user, page}) => {
-    await loginWithPassword(page, user.getUsername(), user.getPassword());
-    // auto-redirect on /verify
-    await emailVerifyResend(page);
-    // wait for send of the code
-    await page.waitForTimeout(3000);
-    const c = await getCodeFromSink(user.getUsername());
-    await emailVerify(page, c)
-    await loginScreenExpect(page, user.getFullName());
+test("user email not verified, resend, verify", async ({ user, page }) => {
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  // auto-redirect on /verify
+  await emailVerifyResend(page);
+  // wait for send of the code
+  await page.waitForTimeout(3000);
+  const c = await getCodeFromSink(user.getUsername());
+  await emailVerify(page, c);
+  await loginScreenExpect(page, user.getFullName());
 });
 
-test("user email not verified, resend, old code", async ({user, page}) => {
-    await loginWithPassword(page, user.getUsername(), user.getPassword());
-    // auto-redirect on /verify
-    // wait for send of the code
-    await page.waitForTimeout(3000);
-    const c = await getCodeFromSink(user.getUsername());
-    await emailVerifyResend(page);
-    // wait for resend of the code
-    await page.waitForTimeout(1000);
-    await emailVerify(page, c)
-    await emailVerifyScreenExpect(page, c);
+test("user email not verified, resend, old code", async ({ user, page }) => {
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  // auto-redirect on /verify
+  // wait for send of the code
+  await page.waitForTimeout(3000);
+  const c = await getCodeFromSink(user.getUsername());
+  await emailVerifyResend(page);
+  // wait for resend of the code
+  await page.waitForTimeout(1000);
+  await emailVerify(page, c);
+  await emailVerifyScreenExpect(page, c);
 });
 
-test("user email not verified, wrong code", async ({user, page}) => {
-    await loginWithPassword(page, user.getUsername(), user.getPassword());
-    // auto-redirect on /verify
-    const code = "wrong"
-    await emailVerify(page, code)
-    await emailVerifyScreenExpect(page, code);
+test("user email not verified, wrong code", async ({ user, page }) => {
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  // auto-redirect on /verify
+  const code = "wrong";
+  await emailVerify(page, code);
+  await emailVerifyScreenExpect(page, code);
 });
diff --git a/acceptance/tests/email-verify.ts b/acceptance/tests/email-verify.ts
index 9ef77eda34..dd7f74b29a 100644
--- a/acceptance/tests/email-verify.ts
+++ b/acceptance/tests/email-verify.ts
@@ -1,16 +1,15 @@
 import { Page } from "@playwright/test";
 import { emailVerifyScreen } from "./email-verify-screen";
-import { getOtpFromSink } from "./sink";
 
 export async function startEmailVerify(page: Page, loginname: string) {
-    await page.goto("/verify");
+  await page.goto("/verify");
 }
 
 export async function emailVerify(page: Page, code: string) {
-    await emailVerifyScreen(page, code);
-    await page.getByTestId("submit-button").click();
+  await emailVerifyScreen(page, code);
+  await page.getByTestId("submit-button").click();
 }
 
 export async function emailVerifyResend(page: Page) {
-    await page.getByTestId("resend-button").click();
+  await page.getByTestId("resend-button").click();
 }
diff --git a/acceptance/tests/password-screen.ts b/acceptance/tests/password-screen.ts
index 6d294e36e4..f207b17035 100644
--- a/acceptance/tests/password-screen.ts
+++ b/acceptance/tests/password-screen.ts
@@ -1,5 +1,5 @@
-import {expect, Page} from "@playwright/test";
-import {getCodeFromSink} from "./sink";
+import { expect, Page } from "@playwright/test";
+import { getCodeFromSink } from "./sink";
 
 const codeField = "code-text-input";
 const passwordField = "password-text-input";
@@ -19,83 +19,83 @@ const matchText = "Matches";
 const noMatchText = "Doesn't match";
 
 export async function changePasswordScreen(page: Page, password1: string, password2: string) {
-    await page.getByTestId(passwordChangeField).pressSequentially(password1);
-    await page.getByTestId(passwordChangeConfirmField).pressSequentially(password2);
+  await page.getByTestId(passwordChangeField).pressSequentially(password1);
+  await page.getByTestId(passwordChangeConfirmField).pressSequentially(password2);
 }
 
 export async function passwordScreen(page: Page, password: string) {
-    await page.getByTestId(passwordField).pressSequentially(password);
+  await page.getByTestId(passwordField).pressSequentially(password);
 }
 
 export async function passwordScreenExpect(page: Page, password: string) {
-    await expect(page.getByTestId(passwordField)).toHaveValue(password);
-    await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify password");
+  await expect(page.getByTestId(passwordField)).toHaveValue(password);
+  await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify password");
 }
 
 export async function changePasswordScreenExpect(
-    page: Page,
-    password1: string,
-    password2: string,
-    length: boolean,
-    symbol: boolean,
-    number: boolean,
-    uppercase: boolean,
-    lowercase: boolean,
-    equals: boolean,
+  page: Page,
+  password1: string,
+  password2: string,
+  length: boolean,
+  symbol: boolean,
+  number: boolean,
+  uppercase: boolean,
+  lowercase: boolean,
+  equals: boolean,
 ) {
-    await expect(page.getByTestId(passwordChangeField)).toHaveValue(password1);
-    await expect(page.getByTestId(passwordChangeConfirmField)).toHaveValue(password2);
+  await expect(page.getByTestId(passwordChangeField)).toHaveValue(password1);
+  await expect(page.getByTestId(passwordChangeConfirmField)).toHaveValue(password2);
 
-    await checkComplexity(page, length, symbol, number, uppercase, lowercase, equals);
+  await checkComplexity(page, length, symbol, number, uppercase, lowercase, equals);
 }
 
 async function checkComplexity(
-    page: Page,
-    length: boolean,
-    symbol: boolean,
-    number: boolean,
-    uppercase: boolean,
-    lowercase: boolean,
-    equals: boolean,
+  page: Page,
+  length: boolean,
+  symbol: boolean,
+  number: boolean,
+  uppercase: boolean,
+  lowercase: boolean,
+  equals: boolean,
 ) {
-    await checkContent(page, lengthCheck, length);
-    await checkContent(page, symbolCheck, symbol);
-    await checkContent(page, numberCheck, number);
-    await checkContent(page, uppercaseCheck, uppercase);
-    await checkContent(page, lowercaseCheck, lowercase);
-    await checkContent(page, equalCheck, equals);
+  await checkContent(page, lengthCheck, length);
+  await checkContent(page, symbolCheck, symbol);
+  await checkContent(page, numberCheck, number);
+  await checkContent(page, uppercaseCheck, uppercase);
+  await checkContent(page, lowercaseCheck, lowercase);
+  await checkContent(page, equalCheck, equals);
 }
 
 async function checkContent(page: Page, testid: string, match: boolean) {
-    if (match) {
-        await expect(page.getByTestId(testid)).toContainText(matchText);
-    } else {
-        await expect(page.getByTestId(testid)).toContainText(noMatchText);
-    }
+  if (match) {
+    await expect(page.getByTestId(testid)).toContainText(matchText);
+  } else {
+    await expect(page.getByTestId(testid)).toContainText(noMatchText);
+  }
 }
 
 export async function resetPasswordScreen(page: Page, username: string, password1: string, password2: string) {
-    // wait for send of the code
-    await page.waitForTimeout(3000);
-    const c = await getCodeFromSink(username);
-    await page.getByTestId(codeField).pressSequentially(c);
-    await page.getByTestId(passwordSetField).pressSequentially(password1);
-    await page.getByTestId(passwordSetConfirmField).pressSequentially(password2);
+  // wait for send of the code
+  await page.waitForTimeout(3000);
+  const c = await getCodeFromSink(username);
+  await page.getByTestId(codeField).pressSequentially(c);
+  await page.getByTestId(passwordSetField).pressSequentially(password1);
+  await page.getByTestId(passwordSetConfirmField).pressSequentially(password2);
 }
 
 export async function resetPasswordScreenExpect(
-    page: Page,
-    password1: string,
-    password2: string,
-    length: boolean,
-    symbol: boolean,
-    number: boolean,
-    uppercase: boolean,
-    lowercase: boolean,
-    equals: boolean,
+  page: Page,
+  password1: string,
+  password2: string,
+  length: boolean,
+  symbol: boolean,
+  number: boolean,
+  uppercase: boolean,
+  lowercase: boolean,
+  equals: boolean,
 ) {
-    await expect(page.getByTestId(passwordSetField)).toHaveValue(password1);
-    await expect(page.getByTestId(passwordSetConfirmField)).toHaveValue(password2);
+  await expect(page.getByTestId(passwordSetField)).toHaveValue(password1);
+  await expect(page.getByTestId(passwordSetConfirmField)).toHaveValue(password2);
 
-    await checkComplexity(page, length, symbol, number, uppercase, lowercase, equals);
-}
\ No newline at end of file
+  await checkComplexity(page, length, symbol, number, uppercase, lowercase, equals);
+}
diff --git a/acceptance/tests/register.ts b/acceptance/tests/register.ts
index 2bc2c79e16..19cb0f04fd 100644
--- a/acceptance/tests/register.ts
+++ b/acceptance/tests/register.ts
@@ -1,43 +1,42 @@
-import {Page} from "@playwright/test";
-import {passkeyRegister} from "./passkey";
-import {registerPasswordScreen, registerUserScreenPasskey, registerUserScreenPassword} from "./register-screen";
-import {getCodeFromSink} from "./sink";
-import {emailVerify} from "./email-verify";
+import { Page } from "@playwright/test";
+import { emailVerify } from "./email-verify";
+import { passkeyRegister } from "./passkey";
+import { registerPasswordScreen, registerUserScreenPasskey, registerUserScreenPassword } from "./register-screen";
+import { getCodeFromSink } from "./sink";
 
 export async function registerWithPassword(
-    page: Page,
-    firstname: string,
-    lastname: string,
-    email: string,
-    password1: string,
-    password2: string,
+  page: Page,
+  firstname: string,
+  lastname: string,
+  email: string,
+  password1: string,
+  password2: string,
 ) {
-    await page.goto("/register");
-    await registerUserScreenPassword(page, firstname, lastname, email);
-    await page.getByTestId("submit-button").click();
-    await registerPasswordScreen(page, password1, password2);
-    await page.getByTestId("submit-button").click();
-    await page.waitForTimeout(3000);
+  await page.goto("/register");
+  await registerUserScreenPassword(page, firstname, lastname, email);
+  await page.getByTestId("submit-button").click();
+  await registerPasswordScreen(page, password1, password2);
+  await page.getByTestId("submit-button").click();
+  await page.waitForTimeout(3000);
 
-    await verifyEmail(page, email)
+  await verifyEmail(page, email);
 }
 
 export async function registerWithPasskey(page: Page, firstname: string, lastname: string, email: string): Promise<string> {
-    await page.goto("/register");
-    await registerUserScreenPasskey(page, firstname, lastname, email);
-    await page.getByTestId("submit-button").click();
+  await page.goto("/register");
+  await registerUserScreenPasskey(page, firstname, lastname, email);
+  await page.getByTestId("submit-button").click();
 
-    // wait for projection of user
-    await page.waitForTimeout(3000);
-    const authId = await passkeyRegister(page);
+  // wait for projection of user
+  await page.waitForTimeout(3000);
+  const authId = await passkeyRegister(page);
 
-    await verifyEmail(page, email)
-    return authId
+  await verifyEmail(page, email);
+  return authId;
 }
 
-
 async function verifyEmail(page: Page, email: string) {
-    await page.waitForTimeout(1000);
-    const c = await getCodeFromSink(email);
-    await emailVerify(page, c)
-}
\ No newline at end of file
+  await page.waitForTimeout(1000);
+  const c = await getCodeFromSink(email);
+  await emailVerify(page, c);
+}
diff --git a/acceptance/tests/username-password-change-required.spec.ts b/acceptance/tests/username-password-change-required.spec.ts
index faf007233f..50177d95e9 100644
--- a/acceptance/tests/username-password-change-required.spec.ts
+++ b/acceptance/tests/username-password-change-required.spec.ts
@@ -2,10 +2,8 @@ import { faker } from "@faker-js/faker";
 import { test as base } from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
-import { loginScreenExpect, loginWithPassword, startLogin } from "./login";
-import { loginname } from "./loginname";
-import {changePassword, resetPassword, startResetPassword} from "./password";
-import { resetPasswordScreen, resetPasswordScreenExpect } from "./password-screen";
+import { loginScreenExpect, loginWithPassword } from "./login";
+import { changePassword } from "./password";
 import { PasswordUser } from "./user";
 
 // Read from ".env" file.
diff --git a/acceptance/tests/username-password-changed.spec.ts b/acceptance/tests/username-password-changed.spec.ts
index acbe1f91fe..c43ec13797 100644
--- a/acceptance/tests/username-password-changed.spec.ts
+++ b/acceptance/tests/username-password-changed.spec.ts
@@ -1,54 +1,54 @@
-import {faker} from "@faker-js/faker";
-import {test as base} from "@playwright/test";
+import { faker } from "@faker-js/faker";
+import { test as base } from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
-import {loginScreenExpect, loginWithPassword} from "./login";
-import {changePassword, startChangePassword} from "./password";
-import {changePasswordScreen, changePasswordScreenExpect} from "./password-screen";
-import {PasswordUser} from "./user";
+import { loginScreenExpect, loginWithPassword } from "./login";
+import { changePassword, startChangePassword } from "./password";
+import { changePasswordScreen, changePasswordScreenExpect } from "./password-screen";
+import { PasswordUser } from "./user";
 
 // Read from ".env" file.
-dotenv.config({path: path.resolve(__dirname, ".env.local")});
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
 
 const test = base.extend<{ user: PasswordUser }>({
-    user: async ({page}, use) => {
-        const user = new PasswordUser({
-            email: faker.internet.email(),
-            isEmailVerified: true,
-            firstName: faker.person.firstName(),
-            lastName: faker.person.lastName(),
-            organization: "",
-            phone: faker.phone.number(),
-            isPhoneVerified: false,
-            password: "Password1!",
-            passwordChangeRequired: false,
-        });
-        await user.ensure(page);
-        await use(user);
-        await user.cleanup();
-    },
+  user: async ({ page }, use) => {
+    const user = new PasswordUser({
+      email: faker.internet.email(),
+      isEmailVerified: true,
+      firstName: faker.person.firstName(),
+      lastName: faker.person.lastName(),
+      organization: "",
+      phone: faker.phone.number(),
+      isPhoneVerified: false,
+      password: "Password1!",
+      passwordChangeRequired: false,
+    });
+    await user.ensure(page);
+    await use(user);
+    await user.cleanup();
+  },
 });
 
-test("username and password changed login", async ({user, page}) => {
-    const changedPw = "ChangedPw1!";
-    await loginWithPassword(page, user.getUsername(), user.getPassword());
+test("username and password changed login", async ({ user, page }) => {
+  const changedPw = "ChangedPw1!";
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
 
-    // wait for projection of token
-    await page.waitForTimeout(2000);
+  // wait for projection of token
+  await page.waitForTimeout(2000);
 
-    await startChangePassword(page, user.getUsername());
-    await changePassword(page, changedPw);
-    await loginScreenExpect(page, user.getFullName());
+  await startChangePassword(page, user.getUsername());
+  await changePassword(page, changedPw);
+  await loginScreenExpect(page, user.getFullName());
 
-    await loginWithPassword(page, user.getUsername(), changedPw);
-    await loginScreenExpect(page, user.getFullName());
+  await loginWithPassword(page, user.getUsername(), changedPw);
+  await loginScreenExpect(page, user.getFullName());
 });
 
-test("password change not with desired complexity", async ({user, page}) => {
-    const changedPw1 = "change";
-    const changedPw2 = "chang";
-    await loginWithPassword(page, user.getUsername(), user.getPassword());
-    await startChangePassword(page, user.getUsername());
-    await changePasswordScreen(page, changedPw1, changedPw2);
-    await changePasswordScreenExpect(page, changedPw1, changedPw2, false, false, false, false, true, false);
+test("password change not with desired complexity", async ({ user, page }) => {
+  const changedPw1 = "change";
+  const changedPw2 = "chang";
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  await startChangePassword(page, user.getUsername());
+  await changePasswordScreen(page, changedPw1, changedPw2);
+  await changePasswordScreenExpect(page, changedPw1, changedPw2, false, false, false, false, true, false);
 });
diff --git a/acceptance/tests/username-password-set.spec.ts b/acceptance/tests/username-password-set.spec.ts
index c622ab712c..dcdfbb1c52 100644
--- a/acceptance/tests/username-password-set.spec.ts
+++ b/acceptance/tests/username-password-set.spec.ts
@@ -4,8 +4,8 @@ import dotenv from "dotenv";
 import path from "path";
 import { loginScreenExpect, loginWithPassword, startLogin } from "./login";
 import { loginname } from "./loginname";
-import {changePassword, resetPassword, startResetPassword} from "./password";
-import {changePasswordScreen, resetPasswordScreen, resetPasswordScreenExpect} from "./password-screen";
+import { resetPassword, startResetPassword } from "./password";
+import { resetPasswordScreen, resetPasswordScreenExpect } from "./password-screen";
 import { PasswordUser } from "./user";
 
 // Read from ".env" file.
diff --git a/acceptance/tests/username-password-totp.spec.ts b/acceptance/tests/username-password-totp.spec.ts
index 2eb5ff4e65..e897cd7748 100644
--- a/acceptance/tests/username-password-totp.spec.ts
+++ b/acceptance/tests/username-password-totp.spec.ts
@@ -1,70 +1,70 @@
-import {faker} from "@faker-js/faker";
-import {test as base} from "@playwright/test";
+import { faker } from "@faker-js/faker";
+import { test as base } from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
-import {code} from "./code";
-import {codeScreenExpect} from "./code-screen";
-import {loginScreenExpect, loginWithPassword, loginWithPasswordAndTOTP} from "./login";
-import {PasswordUserWithTOTP} from "./user";
+import { code } from "./code";
+import { codeScreenExpect } from "./code-screen";
+import { loginScreenExpect, loginWithPassword, loginWithPasswordAndTOTP } from "./login";
+import { PasswordUserWithTOTP } from "./user";
 
 // Read from ".env" file.
-dotenv.config({path: path.resolve(__dirname, ".env.local")});
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
 
 const test = base.extend<{ user: PasswordUserWithTOTP; sink: any }>({
-    user: async ({page}, use) => {
-        const user = new PasswordUserWithTOTP({
-            email: faker.internet.email(),
-            isEmailVerified: true,
-            firstName: faker.person.firstName(),
-            lastName: faker.person.lastName(),
-            organization: "",
-            phone: faker.phone.number({style: "international"}),
-            isPhoneVerified: true,
-            password: "Password1!",
-            passwordChangeRequired: false,
-        });
+  user: async ({ page }, use) => {
+    const user = new PasswordUserWithTOTP({
+      email: faker.internet.email(),
+      isEmailVerified: true,
+      firstName: faker.person.firstName(),
+      lastName: faker.person.lastName(),
+      organization: "",
+      phone: faker.phone.number({ style: "international" }),
+      isPhoneVerified: true,
+      password: "Password1!",
+      passwordChangeRequired: false,
+    });
 
-        await user.ensure(page);
-        await use(user);
-        await user.cleanup();
-    },
+    await user.ensure(page);
+    await use(user);
+    await user.cleanup();
+  },
 });
 
-test("username, password and totp login", async ({user, page}) => {
-    // Given totp is enabled on the organization of the user
-    // Given the user has only totp configured as second factor
-    // User enters username
-    // User enters password
-    // Screen for entering the code is shown directly
-    // User enters the code into the ui
-    // User is redirected to the app (default redirect url)
-    await loginWithPasswordAndTOTP(page, user.getUsername(), user.getPassword(), user.getSecret());
-    await loginScreenExpect(page, user.getFullName());
+test("username, password and totp login", async ({ user, page }) => {
+  // Given totp is enabled on the organization of the user
+  // Given the user has only totp configured as second factor
+  // User enters username
+  // User enters password
+  // Screen for entering the code is shown directly
+  // User enters the code into the ui
+  // User is redirected to the app (default redirect url)
+  await loginWithPasswordAndTOTP(page, user.getUsername(), user.getPassword(), user.getSecret());
+  await loginScreenExpect(page, user.getFullName());
 });
 
-test("username, password and totp otp login, wrong code", async ({user, page}) => {
-    // Given totp is enabled on the organization of the user
-    // Given the user has only totp configured as second factor
-    // User enters username
-    // User enters password
-    // Screen for entering the code is shown directly
-    // User enters a wrond code
-    // Error message - "Invalid code" is shown
-    const c = "wrongcode";
-    await loginWithPassword(page, user.getUsername(), user.getPassword());
-    await code(page, c);
-    await codeScreenExpect(page, c);
+test("username, password and totp otp login, wrong code", async ({ user, page }) => {
+  // Given totp is enabled on the organization of the user
+  // Given the user has only totp configured as second factor
+  // User enters username
+  // User enters password
+  // Screen for entering the code is shown directly
+  // User enters a wrond code
+  // Error message - "Invalid code" is shown
+  const c = "wrongcode";
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  await code(page, c);
+  await codeScreenExpect(page, c);
 });
 
-test("username, password and totp login, multiple mfa options", async ({page}) => {
-    // Given totp and email otp is enabled on the organization of the user
-    // Given the user has totp and email otp configured as second factor
-    // User enters username
-    // User enters password
-    // Screen for entering the code is shown directly
-    // Button to switch to email otp is shown
-    // User clicks button to use email otp instead
-    // User receives an email with a verification code
-    // User enters code in ui
-    // User is redirected to the app (default redirect url)
+test("username, password and totp login, multiple mfa options", async ({ page }) => {
+  // Given totp and email otp is enabled on the organization of the user
+  // Given the user has totp and email otp configured as second factor
+  // User enters username
+  // User enters password
+  // Screen for entering the code is shown directly
+  // Button to switch to email otp is shown
+  // User clicks button to use email otp instead
+  // User receives an email with a verification code
+  // User enters code in ui
+  // User is redirected to the app (default redirect url)
 });
diff --git a/acceptance/tests/zitadel.ts b/acceptance/tests/zitadel.ts
index 8e15339384..1923b63dce 100644
--- a/acceptance/tests/zitadel.ts
+++ b/acceptance/tests/zitadel.ts
@@ -1,166 +1,166 @@
-import {Authenticator} from "@otplib/core";
-import {createDigest, createRandomBytes} from "@otplib/plugin-crypto";
-import {keyDecoder, keyEncoder} from "@otplib/plugin-thirty-two"; // use your chosen base32 plugin
+import { Authenticator } from "@otplib/core";
+import { createDigest, createRandomBytes } from "@otplib/plugin-crypto";
+import { keyDecoder, keyEncoder } from "@otplib/plugin-thirty-two"; // use your chosen base32 plugin
 import axios from "axios";
-import {OtpType, userProps} from "./user";
+import { OtpType, userProps } from "./user";
 
 export async function addUser(props: userProps) {
-    const body = {
-        username: props.email,
-        organization: {
-            orgId: props.organization,
-        },
-        profile: {
-            givenName: props.firstName,
-            familyName: props.lastName,
-        },
-        email: {
-            email: props.email,
-            isVerified: true,
-        },
-        phone: {
-            phone: props.phone,
-            isVerified: true,
-        },
-        password: {
-            password: props.password,
-            changeRequired: props.passwordChangeRequired ?? false,
-        },
-    };
-    if (!props.isEmailVerified) {
-        delete body.email.isVerified;
-    }
-    if (!props.isPhoneVerified) {
-        delete body.phone.isVerified;
-    }
+  const body = {
+    username: props.email,
+    organization: {
+      orgId: props.organization,
+    },
+    profile: {
+      givenName: props.firstName,
+      familyName: props.lastName,
+    },
+    email: {
+      email: props.email,
+      isVerified: true,
+    },
+    phone: {
+      phone: props.phone,
+      isVerified: true,
+    },
+    password: {
+      password: props.password,
+      changeRequired: props.passwordChangeRequired ?? false,
+    },
+  };
+  if (!props.isEmailVerified) {
+    delete body.email.isVerified;
+  }
+  if (!props.isPhoneVerified) {
+    delete body.phone.isVerified;
+  }
 
-    return await listCall(`${process.env.ZITADEL_API_URL}/v2/users/human`, body);
+  return await listCall(`${process.env.ZITADEL_API_URL}/v2/users/human`, body);
 }
 
 export async function removeUserByUsername(username: string) {
-    const resp = await getUserByUsername(username);
-    if (!resp || !resp.result || !resp.result[0]) {
-        return;
-    }
-    await removeUser(resp.result[0].userId);
+  const resp = await getUserByUsername(username);
+  if (!resp || !resp.result || !resp.result[0]) {
+    return;
+  }
+  await removeUser(resp.result[0].userId);
 }
 
 export async function removeUser(id: string) {
-    await deleteCall(`${process.env.ZITADEL_API_URL}/v2/users/${id}`);
+  await deleteCall(`${process.env.ZITADEL_API_URL}/v2/users/${id}`);
 }
 
 async function deleteCall(url: string) {
-    try {
-        const response = await axios.delete(url, {
-            headers: {
-                Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-            },
-        });
+  try {
+    const response = await axios.delete(url, {
+      headers: {
+        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+      },
+    });
 
-        if (response.status >= 400 && response.status !== 404) {
-            const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-            console.error(error);
-            throw new Error(error);
-        }
-    } catch (error) {
-        console.error("Error making request:", error);
-        throw error;
+    if (response.status >= 400 && response.status !== 404) {
+      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+      console.error(error);
+      throw new Error(error);
     }
+  } catch (error) {
+    console.error("Error making request:", error);
+    throw error;
+  }
 }
 
 export async function getUserByUsername(username: string): Promise<any> {
-    const listUsersBody = {
-        queries: [
-            {
-                userNameQuery: {
-                    userName: username,
-                },
-            },
-        ],
-    };
+  const listUsersBody = {
+    queries: [
+      {
+        userNameQuery: {
+          userName: username,
+        },
+      },
+    ],
+  };
 
-    return await listCall(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody);
+  return await listCall(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody);
 }
 
 async function listCall(url: string, data: any): Promise<any> {
-    try {
-        const response = await axios.post(url, data, {
-            headers: {
-                "Content-Type": "application/json",
-                Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-            },
-        });
+  try {
+    const response = await axios.post(url, data, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+      },
+    });
 
-        if (response.status >= 400) {
-            const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-            console.error(error);
-            throw new Error(error);
-        }
-
-        return response.data;
-    } catch (error) {
-        console.error("Error making request:", error);
-        throw error;
+    if (response.status >= 400) {
+      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+      console.error(error);
+      throw new Error(error);
     }
+
+    return response.data;
+  } catch (error) {
+    console.error("Error making request:", error);
+    throw error;
+  }
 }
 
 export async function activateOTP(userId: string, type: OtpType) {
-    let url = "otp_";
-    switch (type) {
-        case OtpType.sms:
-            url = url + "sms";
-            break;
-        case OtpType.email:
-            url = url + "email";
-            break;
-    }
+  let url = "otp_";
+  switch (type) {
+    case OtpType.sms:
+      url = url + "sms";
+      break;
+    case OtpType.email:
+      url = url + "email";
+      break;
+  }
 
-    await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/${url}`, {});
+  await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/${url}`, {});
 }
 
 async function pushCall(url: string, data: any) {
-    try {
-        const response = await axios.post(url, data, {
-            headers: {
-                "Content-Type": "application/json",
-                Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
-            },
-        });
+  try {
+    const response = await axios.post(url, data, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+      },
+    });
 
-        if (response.status >= 400) {
-            const error = `HTTP Error: ${response.status} - ${response.statusText}`;
-            console.error(error);
-            throw new Error(error);
-        }
-    } catch (error) {
-        console.error("Error making request:", error);
-        throw error;
+    if (response.status >= 400) {
+      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+      console.error(error);
+      throw new Error(error);
     }
+  } catch (error) {
+    console.error("Error making request:", error);
+    throw error;
+  }
 }
 
 export async function addTOTP(userId: string): Promise<string> {
-    const response = await listCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp`, {});
-    const code = totp(response.secret);
-    await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp/verify`, {code: code});
-    return response.secret;
+  const response = await listCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp`, {});
+  const code = totp(response.secret);
+  await pushCall(`${process.env.ZITADEL_API_URL}/v2/users/${userId}/totp/verify`, { code: code });
+  return response.secret;
 }
 
 export function totp(secret: string) {
-    const authenticator = new Authenticator({
-        createDigest,
-        createRandomBytes,
-        keyDecoder,
-        keyEncoder,
-    });
-    // google authenticator usage
-    const token = authenticator.generate(secret);
+  const authenticator = new Authenticator({
+    createDigest,
+    createRandomBytes,
+    keyDecoder,
+    keyEncoder,
+  });
+  // google authenticator usage
+  const token = authenticator.generate(secret);
 
-    // check if token can be used
-    if (!authenticator.verify({token: token, secret: secret})) {
-        const error = `Generated token could not be verified`;
-        console.error(error);
-        throw new Error(error);
-    }
+  // check if token can be used
+  if (!authenticator.verify({ token: token, secret: secret })) {
+    const error = `Generated token could not be verified`;
+    console.error(error);
+    throw new Error(error);
+  }
 
-    return token;
+  return token;
 }

From c1137cc3a3196734d337e6317602980dfa19d45e Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 10 Jan 2025 12:51:34 +0100
Subject: [PATCH 16/21] error text

---
 apps/login/src/lib/zitadel.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 0eac0e8240..7f9a44e8fa 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -521,7 +521,7 @@ export async function searchUsers({
     loginSettings.disableLoginWithEmail &&
     loginSettings.disableLoginWithPhone
   ) {
-    return { error: "No user was found in the system" };
+    return { error: "User not found in the system" };
   } else if (loginSettings.disableLoginWithEmail && searchValue.length <= 20) {
     const phoneQuery = PhoneQuery(searchValue);
     emailAndPhoneQueries.push(phoneQuery);
@@ -581,7 +581,7 @@ export async function searchUsers({
     return loginNameResult;
   }
 
-  return { error: "No user was found in the system" };
+  return { error: "User not found in the system" };
 }
 
 export async function getDefaultOrg(): Promise<Organization | null> {

From 93d5cdd190309cd7133766c8fd6d579960d48103 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 10 Jan 2025 13:09:07 +0100
Subject: [PATCH 17/21] align styles

---
 apps/login/src/components/input.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/login/src/components/input.tsx b/apps/login/src/components/input.tsx
index 4c5723858a..e866504767 100644
--- a/apps/login/src/components/input.tsx
+++ b/apps/login/src/components/input.tsx
@@ -81,7 +81,7 @@ export const TextInput = forwardRef<HTMLInputElement, TextInputProps>(
         />
 
         {suffix && (
-          <span className="z-30 absolute right-[1px] bottom-[22px] transform translate-y-1/2 bg-background-light-500 dark:bg-background-dark-500 p-2">
+          <span className="z-30 absolute right-[3px] bottom-[22px] transform translate-y-1/2 bg-background-light-500 dark:bg-background-dark-500 p-2 rounded-sm">
             {suffix}
           </span>
         )}

From 3e22d348eb57f6dec32d52ffeedd73b8e10b8c56 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 10 Jan 2025 13:09:30 +0100
Subject: [PATCH 18/21] add @

---
 apps/login/src/components/input.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/login/src/components/input.tsx b/apps/login/src/components/input.tsx
index e866504767..de19156b91 100644
--- a/apps/login/src/components/input.tsx
+++ b/apps/login/src/components/input.tsx
@@ -82,7 +82,7 @@ export const TextInput = forwardRef<HTMLInputElement, TextInputProps>(
 
         {suffix && (
           <span className="z-30 absolute right-[3px] bottom-[22px] transform translate-y-1/2 bg-background-light-500 dark:bg-background-dark-500 p-2 rounded-sm">
-            {suffix}
+            @{suffix}
           </span>
         )}
 

From 9d3f6e0bea0435b20623c3f8499619a326796cb4 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 10 Jan 2025 13:21:35 +0100
Subject: [PATCH 19/21] cleanup

---
 apps/login/src/lib/server/loginname.ts | 31 +++++++++++---------------
 apps/login/src/lib/zitadel.ts          |  1 -
 2 files changed, 13 insertions(+), 19 deletions(-)

diff --git a/apps/login/src/lib/server/loginname.ts b/apps/login/src/lib/server/loginname.ts
index 263bed7bf0..65acb80bf0 100644
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -166,34 +166,34 @@ export async function sendLoginname(command: SendLoginnameCommand) {
       user.details?.resourceOwner,
     );
 
+    // compare with the concatenated suffix when set
+    const concatLoginname = command.suffix
+      ? `${command.loginName}@${command.suffix}`
+      : command.loginName;
+
+    const humanUser =
+      potentialUsers[0].type.case === "human"
+        ? potentialUsers[0].type.value
+        : undefined;
+
     // recheck login settings after user discovery, as the search might have been done without org scope
     if (
       userLoginSettings?.disableLoginWithEmail &&
       userLoginSettings?.disableLoginWithPhone
     ) {
-      if (user.username !== command.loginName) {
+      if (user.preferredLoginName !== concatLoginname) {
         return { error: "User not found in the system!" };
       }
     } else if (userLoginSettings?.disableLoginWithEmail) {
-      const humanUser =
-        potentialUsers[0].type.case === "human"
-          ? potentialUsers[0].type.value
-          : undefined;
-
       if (
-        user.username !== command.loginName ||
+        user.preferredLoginName !== concatLoginname ||
         humanUser?.phone?.phone !== command.loginName
       ) {
         return { error: "User not found in the system!" };
       }
     } else if (userLoginSettings?.disableLoginWithPhone) {
-      const humanUser =
-        potentialUsers[0].type.case === "human"
-          ? potentialUsers[0].type.value
-          : undefined;
-
       if (
-        user.username !== command.loginName ||
+        user.preferredLoginName !== concatLoginname ||
         humanUser?.email?.email !== command.loginName
       ) {
         return { error: "User not found in the system!" };
@@ -225,11 +225,6 @@ export async function sendLoginname(command: SendLoginnameCommand) {
 
     // this can be expected to be an invite as users created in console have a password set.
     if (!methods.authMethodTypes || !methods.authMethodTypes.length) {
-      const humanUser =
-        potentialUsers[0].type.case === "human"
-          ? potentialUsers[0].type.value
-          : undefined;
-
       // redirect to /verify invite if no auth method is set and email is not verified
       const inviteCheck = checkInvite(
         session,
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 7f9a44e8fa..835b16a46b 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -421,7 +421,6 @@ export async function listUsers({
       }),
     );
   }
-  console.log(queries);
 
   return userService.listUsers({ queries: queries });
 }

From 7e5812b18121c659fd17fa315c7a3d067525b76f Mon Sep 17 00:00:00 2001
From: Max Peintner <max@caos.ch>
Date: Mon, 13 Jan 2025 21:20:32 +0100
Subject: [PATCH 20/21] Update acceptance/docker-compose.yaml

Co-authored-by: Elio Bischof <elio@zitadel.com>
---
 acceptance/docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance/docker-compose.yaml b/acceptance/docker-compose.yaml
index 43bd475759..c962f8024d 100644
--- a/acceptance/docker-compose.yaml
+++ b/acceptance/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
   zitadel:
     user: "${ZITADEL_DEV_UID}"
-    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.67.1}"
+    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.67.2}"
     command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled --config /zitadel.yaml --steps /zitadel.yaml'
     ports:
       - "8080:8080"

From 16e245e4519ab8415c34ca388b370d9501c3ace1 Mon Sep 17 00:00:00 2001
From: Max Peintner <max@caos.ch>
Date: Mon, 13 Jan 2025 21:21:41 +0100
Subject: [PATCH 21/21] Update acceptance/docker-compose.yaml

Co-authored-by: Elio Bischof <elio@zitadel.com>
---
 acceptance/docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance/docker-compose.yaml b/acceptance/docker-compose.yaml
index 85aad63d6f..240d91553a 100644
--- a/acceptance/docker-compose.yaml
+++ b/acceptance/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
   zitadel:
     user: "${ZITADEL_DEV_UID}"
-    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.67.1}"
+    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:v2.67.2}"
     command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled --config /zitadel.yaml --steps /zitadel.yaml'
     ports:
       - "8080:8080"