feat(login): add OTP (email and sms) (#6353)

* feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type
2025-08-11 20:57:31 +00:00 · 2023-08-15 14:47:05 +02:00
parent faa9ed4de9
commit 7c494fd219
76 changed files with 3203 additions and 88 deletions
--- a/internal/command/user_human_otp.go
+++ b/internal/command/user_human_otp.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+	"time"

 	"github.com/pquerna/otp"
 	"github.com/zitadel/logging"
@@ -15,16 +16,16 @@ import (
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

-func (c *Commands) ImportHumanTOTP(ctx context.Context, userID, userAgentID, resourceowner string, key string) error {
+func (c *Commands) ImportHumanTOTP(ctx context.Context, userID, userAgentID, resourceOwner string, key string) error {
 	encryptedSecret, err := crypto.Encrypt([]byte(key), c.multifactors.OTP.CryptoMFA)
 	if err != nil {
 		return err
 	}
-	if err = c.checkUserExists(ctx, userID, resourceowner); err != nil {
+	if err = c.checkUserExists(ctx, userID, resourceOwner); err != nil {
 		return err
 	}

-	otpWriteModel, err := c.totpWriteModelByID(ctx, userID, resourceowner)
+	otpWriteModel, err := c.totpWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -40,11 +41,11 @@ func (c *Commands) ImportHumanTOTP(ctx context.Context, userID, userAgentID, res
 	return err
 }

-func (c *Commands) AddHumanTOTP(ctx context.Context, userID, resourceowner string) (*domain.TOTP, error) {
+func (c *Commands) AddHumanTOTP(ctx context.Context, userID, resourceOwner string) (*domain.TOTP, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-5M0sd", "Errors.User.UserIDMissing")
 	}
-	prep, err := c.createHumanTOTP(ctx, userID, resourceowner)
+	prep, err := c.createHumanTOTP(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -114,12 +115,12 @@ func (c *Commands) createHumanTOTP(ctx context.Context, userID, resourceOwner st
 	}, nil
 }

-func (c *Commands) HumanCheckMFATOTPSetup(ctx context.Context, userID, code, userAgentID, resourceowner string) (*domain.ObjectDetails, error) {
+func (c *Commands) HumanCheckMFATOTPSetup(ctx context.Context, userID, code, userAgentID, resourceOwner string) (*domain.ObjectDetails, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-8N9ds", "Errors.User.UserIDMissing")
 	}

-	existingOTP, err := c.totpWriteModelByID(ctx, userID, resourceowner)
+	existingOTP, err := c.totpWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -145,11 +146,11 @@ func (c *Commands) HumanCheckMFATOTPSetup(ctx context.Context, userID, code, use
 	return writeModelToObjectDetails(&existingOTP.WriteModel), nil
 }

-func (c *Commands) HumanCheckMFATOTP(ctx context.Context, userID, code, resourceowner string, authRequest *domain.AuthRequest) error {
+func (c *Commands) HumanCheckMFATOTP(ctx context.Context, userID, code, resourceOwner string, authRequest *domain.AuthRequest) error {
 	if userID == "" {
 		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-8N9ds", "Errors.User.UserIDMissing")
 	}
-	existingOTP, err := c.totpWriteModelByID(ctx, userID, resourceowner)
+	existingOTP, err := c.totpWriteModelByID(ctx, userID, resourceOwner)
 	if err != nil {
 		return err
 	}
@@ -191,7 +192,26 @@ func (c *Commands) HumanRemoveTOTP(ctx context.Context, userID, resourceOwner st
 	return writeModelToObjectDetails(&existingOTP.WriteModel), nil
 }

+// AddHumanOTPSMS adds the OTP SMS factor to a user.
+// It can only be added if it not already is and the phone has to be verified.
 func (c *Commands) AddHumanOTPSMS(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) {
+	return c.addHumanOTPSMS(ctx, userID, resourceOwner)
+}
+
+// AddHumanOTPSMSWithCheckSucceeded adds the OTP SMS factor to a user.
+// It can only be added if it's not already and the phone has to be verified.
+// An OTPSMSCheckSucceededEvent will be added to the passed AuthRequest, if not nil.
+func (c *Commands) AddHumanOTPSMSWithCheckSucceeded(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest) (*domain.ObjectDetails, error) {
+	if authRequest == nil {
+		return c.addHumanOTPSMS(ctx, userID, resourceOwner)
+	}
+	event := func(ctx context.Context, userAgg *eventstore.Aggregate) eventstore.Command {
+		return user.NewHumanOTPSMSCheckSucceededEvent(ctx, userAgg, authRequestDomainToAuthRequestInfo(authRequest))
+	}
+	return c.addHumanOTPSMS(ctx, userID, resourceOwner, event)
+}
+
+func (c *Commands) addHumanOTPSMS(ctx context.Context, userID, resourceOwner string, events ...eventCallback) (*domain.ObjectDetails, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-QSF2s", "Errors.User.UserIDMissing")
 	}
@@ -209,7 +229,12 @@ func (c *Commands) AddHumanOTPSMS(ctx context.Context, userID, resourceOwner str
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Q54j2", "Errors.User.MFA.OTP.NotReady")
 	}
 	userAgg := UserAggregateFromWriteModel(&otpWriteModel.WriteModel)
-	if err = c.pushAppendAndReduce(ctx, otpWriteModel, user.NewHumanOTPSMSAddedEvent(ctx, userAgg)); err != nil {
+	cmds := make([]eventstore.Command, len(events)+1)
+	cmds[0] = user.NewHumanOTPSMSAddedEvent(ctx, userAgg)
+	for i, event := range events {
+		cmds[i+1] = event(ctx, userAgg)
+	}
+	if err = c.pushAppendAndReduce(ctx, otpWriteModel, cmds...); err != nil {
 		return nil, err
 	}
 	return writeModelToObjectDetails(&otpWriteModel.WriteModel), nil
@@ -225,7 +250,7 @@ func (c *Commands) RemoveHumanOTPSMS(ctx context.Context, userID, resourceOwner
 		return nil, err
 	}
 	if userID != authz.GetCtxData(ctx).UserID {
-		if err := c.checkPermission(ctx, domain.PermissionUserWrite, existingOTP.ResourceOwner, userID); err != nil {
+		if err := c.checkPermission(ctx, domain.PermissionUserWrite, existingOTP.WriteModel.ResourceOwner, userID); err != nil {
 			return nil, err
 		}
 	}
@@ -239,7 +264,77 @@ func (c *Commands) RemoveHumanOTPSMS(ctx context.Context, userID, resourceOwner
 	return writeModelToObjectDetails(&existingOTP.WriteModel), nil
 }

+func (c *Commands) HumanSendOTPSMS(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest) error {
+	smsWriteModel := func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error) {
+		return c.otpSMSWriteModelByID(ctx, userID, resourceOwner)
+	}
+	codeAddedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo) eventstore.Command {
+		return user.NewHumanOTPSMSCodeAddedEvent(ctx, aggregate, code, expiry, info)
+	}
+	return c.sendHumanOTP(
+		ctx,
+		userID,
+		resourceOwner,
+		authRequest,
+		smsWriteModel,
+		domain.SecretGeneratorTypeOTPSMS,
+		codeAddedEvent,
+	)
+}
+
+func (c *Commands) HumanOTPSMSCodeSent(ctx context.Context, userID, resourceOwner string) (err error) {
+	smsWriteModel := func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error) {
+		return c.otpSMSWriteModelByID(ctx, userID, resourceOwner)
+	}
+	codeSentEvent := func(ctx context.Context, aggregate *eventstore.Aggregate) eventstore.Command {
+		return user.NewHumanOTPSMSCodeSentEvent(ctx, aggregate)
+	}
+	return c.humanOTPSent(ctx, userID, resourceOwner, smsWriteModel, codeSentEvent)
+}
+
+func (c *Commands) HumanCheckOTPSMS(ctx context.Context, userID, code, resourceOwner string, authRequest *domain.AuthRequest) error {
+	writeModel := func(ctx context.Context, userID string, resourceOwner string) (OTPCodeWriteModel, error) {
+		return c.otpSMSCodeWriteModelByID(ctx, userID, resourceOwner)
+	}
+	succeededEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command {
+		return user.NewHumanOTPSMSCheckSucceededEvent(ctx, aggregate, authRequestDomainToAuthRequestInfo(authRequest))
+	}
+	failedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command {
+		return user.NewHumanOTPSMSCheckFailedEvent(ctx, aggregate, authRequestDomainToAuthRequestInfo(authRequest))
+	}
+	return c.humanCheckOTP(
+		ctx,
+		userID,
+		code,
+		resourceOwner,
+		authRequest,
+		writeModel,
+		domain.SecretGeneratorTypeOTPSMS,
+		succeededEvent,
+		failedEvent,
+	)
+}
+
+// AddHumanOTPEmail adds the OTP Email factor to a user.
+// It can only be added if it not already is and the phone has to be verified.
 func (c *Commands) AddHumanOTPEmail(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) {
+	return c.addHumanOTPEmail(ctx, userID, resourceOwner)
+}
+
+// AddHumanOTPEmailWithCheckSucceeded adds the OTP Email factor to a user.
+// It can only be added if it's not already and the email has to be verified.
+// An OTPEmailCheckSucceededEvent will be added to the passed AuthRequest, if not nil.
+func (c *Commands) AddHumanOTPEmailWithCheckSucceeded(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest) (*domain.ObjectDetails, error) {
+	if authRequest == nil {
+		return c.addHumanOTPEmail(ctx, userID, resourceOwner)
+	}
+	event := func(ctx context.Context, userAgg *eventstore.Aggregate) eventstore.Command {
+		return user.NewHumanOTPEmailCheckSucceededEvent(ctx, userAgg, authRequestDomainToAuthRequestInfo(authRequest))
+	}
+	return c.addHumanOTPEmail(ctx, userID, resourceOwner, event)
+}
+
+func (c *Commands) addHumanOTPEmail(ctx context.Context, userID, resourceOwner string, events ...eventCallback) (*domain.ObjectDetails, error) {
 	if userID == "" {
 		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Sg1hz", "Errors.User.UserIDMissing")
 	}
@@ -254,7 +349,12 @@ func (c *Commands) AddHumanOTPEmail(ctx context.Context, userID, resourceOwner s
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-KLJ2d", "Errors.User.MFA.OTP.NotReady")
 	}
 	userAgg := UserAggregateFromWriteModel(&otpWriteModel.WriteModel)
-	if err = c.pushAppendAndReduce(ctx, otpWriteModel, user.NewHumanOTPEmailAddedEvent(ctx, userAgg)); err != nil {
+	cmds := make([]eventstore.Command, len(events)+1)
+	cmds[0] = user.NewHumanOTPEmailAddedEvent(ctx, userAgg)
+	for i, event := range events {
+		cmds[i+1] = event(ctx, userAgg)
+	}
+	if err = c.pushAppendAndReduce(ctx, otpWriteModel, cmds...); err != nil {
 		return nil, err
 	}
 	return writeModelToObjectDetails(&otpWriteModel.WriteModel), nil
@@ -270,7 +370,7 @@ func (c *Commands) RemoveHumanOTPEmail(ctx context.Context, userID, resourceOwne
 		return nil, err
 	}
 	if userID != authz.GetCtxData(ctx).UserID {
-		if err := c.checkPermission(ctx, domain.PermissionUserWrite, existingOTP.ResourceOwner, userID); err != nil {
+		if err := c.checkPermission(ctx, domain.PermissionUserWrite, existingOTP.WriteModel.ResourceOwner, userID); err != nil {
 			return nil, err
 		}
 	}
@@ -284,6 +384,147 @@ func (c *Commands) RemoveHumanOTPEmail(ctx context.Context, userID, resourceOwne
 	return writeModelToObjectDetails(&existingOTP.WriteModel), nil
 }

+func (c *Commands) HumanSendOTPEmail(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest) error {
+	smsWriteModel := func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error) {
+		return c.otpEmailWriteModelByID(ctx, userID, resourceOwner)
+	}
+	codeAddedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo) eventstore.Command {
+		return user.NewHumanOTPEmailCodeAddedEvent(ctx, aggregate, code, expiry, info)
+	}
+	return c.sendHumanOTP(
+		ctx,
+		userID,
+		resourceOwner,
+		authRequest,
+		smsWriteModel,
+		domain.SecretGeneratorTypeOTPEmail,
+		codeAddedEvent,
+	)
+}
+
+func (c *Commands) HumanOTPEmailCodeSent(ctx context.Context, userID, resourceOwner string) (err error) {
+	smsWriteModel := func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error) {
+		return c.otpEmailWriteModelByID(ctx, userID, resourceOwner)
+	}
+	codeSentEvent := func(ctx context.Context, aggregate *eventstore.Aggregate) eventstore.Command {
+		return user.NewHumanOTPEmailCodeSentEvent(ctx, aggregate)
+	}
+	return c.humanOTPSent(ctx, userID, resourceOwner, smsWriteModel, codeSentEvent)
+}
+
+func (c *Commands) HumanCheckOTPEmail(ctx context.Context, userID, code, resourceOwner string, authRequest *domain.AuthRequest) error {
+	writeModel := func(ctx context.Context, userID string, resourceOwner string) (OTPCodeWriteModel, error) {
+		return c.otpEmailCodeWriteModelByID(ctx, userID, resourceOwner)
+	}
+	succeededEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command {
+		return user.NewHumanOTPEmailCheckSucceededEvent(ctx, aggregate, authRequestDomainToAuthRequestInfo(authRequest))
+	}
+	failedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command {
+		return user.NewHumanOTPEmailCheckFailedEvent(ctx, aggregate, authRequestDomainToAuthRequestInfo(authRequest))
+	}
+	return c.humanCheckOTP(
+		ctx,
+		userID,
+		code,
+		resourceOwner,
+		authRequest,
+		writeModel,
+		domain.SecretGeneratorTypeOTPEmail,
+		succeededEvent,
+		failedEvent,
+	)
+}
+
+// sendHumanOTP creates a code for a registered mechanism (sms / email), which is used for a check (during login)
+func (c *Commands) sendHumanOTP(
+	ctx context.Context,
+	userID, resourceOwner string,
+	authRequest *domain.AuthRequest,
+	writeModelByID func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error),
+	secretGeneratorType domain.SecretGeneratorType,
+	codeAddedEvent func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo) eventstore.Command,
+) (err error) {
+	if userID == "" {
+		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-S3SF1", "Errors.User.UserIDMissing")
+	}
+	existingOTP, err := writeModelByID(ctx, userID, resourceOwner)
+	if err != nil {
+		return err
+	}
+	if !existingOTP.OTPAdded() {
+		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-SFD52", "Errors.User.MFA.OTP.NotReady")
+	}
+	config, err := secretGeneratorConfig(ctx, c.eventstore.Filter, secretGeneratorType)
+	if err != nil {
+		return err
+	}
+	gen := crypto.NewEncryptionGenerator(*config, c.userEncryption)
+	value, _, err := crypto.NewCode(gen)
+	if err != nil {
+		return err
+	}
+	userAgg := &user.NewAggregate(userID, resourceOwner).Aggregate
+	_, err = c.eventstore.Push(ctx, codeAddedEvent(ctx, userAgg, value, gen.Expiry(), authRequestDomainToAuthRequestInfo(authRequest)))
+	return err
+}
+
+func (c *Commands) humanOTPSent(
+	ctx context.Context,
+	userID, resourceOwner string,
+	writeModelByID func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error),
+	codeSentEvent func(ctx context.Context, aggregate *eventstore.Aggregate) eventstore.Command,
+) (err error) {
+	if userID == "" {
+		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-AE2h2", "Errors.User.UserIDMissing")
+	}
+	existingOTP, err := writeModelByID(ctx, userID, resourceOwner)
+	if err != nil {
+		return err
+	}
+	if !existingOTP.OTPAdded() {
+		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-SD3gh", "Errors.User.MFA.OTP.NotReady")
+	}
+	userAgg := &user.NewAggregate(userID, resourceOwner).Aggregate
+	_, err = c.eventstore.Push(ctx, codeSentEvent(ctx, userAgg))
+	return err
+}
+
+func (c *Commands) humanCheckOTP(
+	ctx context.Context,
+	userID, code, resourceOwner string,
+	authRequest *domain.AuthRequest,
+	writeModelByID func(ctx context.Context, userID string, resourceOwner string) (OTPCodeWriteModel, error),
+	secretGeneratorType domain.SecretGeneratorType,
+	checkSucceededEvent func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command,
+	checkFailedEvent func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command,
+) error {
+	if userID == "" {
+		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-S453v", "Errors.User.UserIDMissing")
+	}
+	if code == "" {
+		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-SJl2g", "Errors.User.Code.Empty")
+	}
+	existingOTP, err := writeModelByID(ctx, userID, resourceOwner)
+	if err != nil {
+		return err
+	}
+	if !existingOTP.OTPAdded() {
+		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-d2r52", "Errors.User.MFA.OTP.NotReady")
+	}
+	if existingOTP.Code() == nil {
+		return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-S34gh", "Errors.User.Code.NotFound")
+	}
+	userAgg := &user.NewAggregate(userID, existingOTP.ResourceOwner()).Aggregate
+	err = crypto.VerifyCodeWithAlgorithm(existingOTP.CodeCreationDate(), existingOTP.CodeExpiry(), existingOTP.Code(), code, c.userEncryption)
+	if err == nil {
+		_, err = c.eventstore.Push(ctx, checkSucceededEvent(ctx, userAgg, authRequestDomainToAuthRequestInfo(authRequest)))
+		return err
+	}
+	_, pushErr := c.eventstore.Push(ctx, checkFailedEvent(ctx, userAgg, authRequestDomainToAuthRequestInfo(authRequest)))
+	logging.WithFields("userID", userID).OnError(pushErr).Error("otp failure check push failed")
+	return err
+}
+
 func (c *Commands) totpWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanTOTPWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
@@ -308,6 +549,18 @@ func (c *Commands) otpSMSWriteModelByID(ctx context.Context, userID, resourceOwn
 	return writeModel, nil
 }

+func (c *Commands) otpSMSCodeWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanOTPSMSCodeWriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel = NewHumanOTPSMSCodeWriteModel(userID, resourceOwner)
+	err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
+
 func (c *Commands) otpEmailWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanOTPEmailWriteModel, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
@@ -319,3 +572,15 @@ func (c *Commands) otpEmailWriteModelByID(ctx context.Context, userID, resourceO
 	}
 	return writeModel, nil
 }
+
+func (c *Commands) otpEmailCodeWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanOTPEmailCodeWriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel = NewHumanOTPEmailCodeWriteModel(userID, resourceOwner)
+	err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}