feat(login): add OTP (email and sms) (#6353)

* feat: login with otp * fix(i18n): japanese translation * add missing files * fix provider change * add event types translations to en * add tests * resourceOwner * remove unused handler * fix: secret generators and add comments * add setup step * rename * linting * fix setup * improve otp handling * fix autocomplete * translations for login and notifications * translations for event types * changes from review * check selected mfa type
2025-08-11 19:17:32 +00:00 · 2023-08-15 14:47:05 +02:00
parent faa9ed4de9
commit 7c494fd219
76 changed files with 3203 additions and 88 deletions
--- a/internal/notification/handlers/user_notifier.go
+++ b/internal/notification/handlers/user_notifier.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"time"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
@@ -106,6 +107,14 @@ func (u *userNotifier) reducers() []handler.AggregateReducer {
 					Event:  user.HumanPasswordChangedType,
 					Reduce: u.reducePasswordChanged,
 				},
+				{
+					Event:  user.HumanOTPSMSCodeAddedType,
+					Reduce: u.reduceOTPSMSCodeAdded,
+				},
+				{
+					Event:  user.HumanOTPEmailCodeAddedType,
+					Reduce: u.reduceOTPEmailCodeAdded,
+				},
 			},
 		},
 	}
@@ -332,6 +341,136 @@ func (u *userNotifier) reducePasswordCodeAdded(event eventstore.Event) (*handler
 	return crdb.NewNoOpStatement(e), nil
 }

+func (u *userNotifier) reduceOTPSMSCodeAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanOTPSMSCodeAddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-ASF3g", "reduce.wrong.event.type %s", user.HumanOTPSMSCodeAddedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, nil,
+		user.HumanOTPSMSCodeAddedType, user.HumanOTPSMSCodeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+	if err != nil {
+		return nil, err
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.VerifySMSOTPMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	notify := types.SendSMSTwilio(
+		ctx,
+		translator,
+		notifyUser,
+		u.queries.GetTwilioConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesSMS,
+		u.metricFailedDeliveriesSMS,
+	)
+	err = notify.SendOTPSMSCode(authz.GetInstance(ctx).RequestedDomain(), origin, code, e.Expiry)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.HumanOTPSMSCodeSent(ctx, e.Aggregate().ID, e.Aggregate().ResourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) reduceOTPEmailCodeAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanOTPEmailCodeAddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-JL3hw", "reduce.wrong.event.type %s", user.HumanOTPEmailCodeAddedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, nil,
+		user.HumanOTPEmailCodeAddedType, user.HumanOTPEmailCodeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+	if err != nil {
+		return nil, err
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	template, err := u.queries.MailTemplateByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.VerifyEmailOTPMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	var authRequestID string
+	if e.AuthRequestInfo != nil {
+		authRequestID = e.AuthRequestInfo.ID
+	}
+	notify := types.SendEmail(
+		ctx,
+		string(template.Template),
+		translator,
+		notifyUser,
+		u.queries.GetSMTPConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesEmail,
+		u.metricFailedDeliveriesEmail,
+	)
+	err = notify.SendOTPEmailCode(notifyUser, authz.GetInstance(ctx).RequestedDomain(), origin, code, authRequestID, e.Expiry)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.HumanOTPEmailCodeSent(ctx, e.Aggregate().ID, e.Aggregate().ResourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
 func (u *userNotifier) reduceDomainClaimed(event eventstore.Event) (*handler.Statement, error) {
 	e, ok := event.(*user.DomainClaimedEvent)
 	if !ok {
@@ -583,7 +722,7 @@ func (u *userNotifier) reducePhoneCodeAdded(event eventstore.Event) (*handler.St
 		e,
 		u.metricSuccessfulDeliveriesSMS,
 		u.metricFailedDeliveriesSMS,
-	).SendPhoneVerificationCode(notifyUser, origin, code)
+	).SendPhoneVerificationCode(notifyUser, origin, code, authz.GetInstance(ctx).RequestedDomain())
 	if err != nil {
 		return nil, err
 	}