feat(api): add password reset and change to user service (#6036)

* feat(api): add password reset and change to user service * integration tests * invalidate password check after password change * handle notification type * fix proto
2025-08-12 07:57:32 +00:00 · 2023-06-20 17:34:06 +02:00
parent 1017568cf1
commit 82e7333169
20 changed files with 1373 additions and 54 deletions
--- a/internal/api/grpc/user/v2/password.go
+++ b/internal/api/grpc/user/v2/password.go
@@ -0,0 +1,71 @@
+package user
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func (s *Server) PasswordReset(ctx context.Context, req *user.PasswordResetRequest) (_ *user.PasswordResetResponse, err error) {
+	var details *domain.ObjectDetails
+	var code *string
+
+	switch m := req.GetMedium().(type) {
+	case *user.PasswordResetRequest_SendLink:
+		details, code, err = s.command.RequestPasswordResetURLTemplate(ctx, req.GetUserId(), m.SendLink.GetUrlTemplate(), notificationTypeToDomain(m.SendLink.GetNotificationType()))
+	case *user.PasswordResetRequest_ReturnCode:
+		details, code, err = s.command.RequestPasswordResetReturnCode(ctx, req.GetUserId())
+	case nil:
+		details, code, err = s.command.RequestPasswordReset(ctx, req.GetUserId())
+	default:
+		err = caos_errs.ThrowUnimplementedf(nil, "USERv2-SDeeg", "verification oneOf %T in method RequestPasswordReset not implemented", m)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &user.PasswordResetResponse{
+		Details:          object.DomainToDetailsPb(details),
+		VerificationCode: code,
+	}, nil
+}
+
+func notificationTypeToDomain(notificationType user.NotificationType) domain.NotificationType {
+	switch notificationType {
+	case user.NotificationType_NOTIFICATION_TYPE_Email:
+		return domain.NotificationTypeEmail
+	case user.NotificationType_NOTIFICATION_TYPE_SMS:
+		return domain.NotificationTypeSms
+	case user.NotificationType_NOTIFICATION_TYPE_Unspecified:
+		return domain.NotificationTypeEmail
+	default:
+		return domain.NotificationTypeEmail
+	}
+}
+
+func (s *Server) SetPassword(ctx context.Context, req *user.SetPasswordRequest) (_ *user.SetPasswordResponse, err error) {
+	var resourceOwner = authz.GetCtxData(ctx).ResourceOwner
+	var details *domain.ObjectDetails
+
+	switch v := req.GetVerification().(type) {
+	case *user.SetPasswordRequest_CurrentPassword:
+		details, err = s.command.ChangePassword(ctx, resourceOwner, req.GetUserId(), v.CurrentPassword, req.GetNewPassword().GetPassword(), "")
+	case *user.SetPasswordRequest_VerificationCode:
+		details, err = s.command.SetPasswordWithVerifyCode(ctx, resourceOwner, req.GetUserId(), v.VerificationCode, req.GetNewPassword().GetPassword(), "")
+	case nil:
+		details, err = s.command.SetPassword(ctx, resourceOwner, req.GetUserId(), req.GetNewPassword().GetPassword(), req.GetNewPassword().GetChangeRequired())
+	default:
+		err = caos_errs.ThrowUnimplementedf(nil, "USERv2-SFdf2", "verification oneOf %T in method SetPasswordRequest not implemented", v)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &user.SetPasswordResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}
--- a/internal/api/grpc/user/v2/password_integration_test.go
+++ b/internal/api/grpc/user/v2/password_integration_test.go
@@ -0,0 +1,232 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func TestServer_RequestPasswordReset(t *testing.T) {
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
+
+	tests := []struct {
+		name    string
+		req     *user.PasswordResetRequest
+		want    *user.PasswordResetResponse
+		wantErr bool
+	}{
+		{
+			name: "default medium",
+			req: &user.PasswordResetRequest{
+				UserId: userID,
+			},
+			want: &user.PasswordResetResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "custom url template",
+			req: &user.PasswordResetRequest{
+				UserId: userID,
+				Medium: &user.PasswordResetRequest_SendLink{
+					SendLink: &user.SendPasswordResetLink{
+						NotificationType: user.NotificationType_NOTIFICATION_TYPE_Email,
+						UrlTemplate:      gu.Ptr("https://example.com/password/change?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}"),
+					},
+				},
+			},
+			want: &user.PasswordResetResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "template error",
+			req: &user.PasswordResetRequest{
+				UserId: userID,
+				Medium: &user.PasswordResetRequest_SendLink{
+					SendLink: &user.SendPasswordResetLink{
+						UrlTemplate: gu.Ptr("{{"),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "return code",
+			req: &user.PasswordResetRequest{
+				UserId: userID,
+				Medium: &user.PasswordResetRequest_ReturnCode{
+					ReturnCode: &user.ReturnPasswordResetCode{},
+				},
+			},
+			want: &user.PasswordResetResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+				VerificationCode: gu.Ptr("xxx"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.PasswordReset(CTX, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			integration.AssertDetails(t, tt.want, got)
+			if tt.want.GetVerificationCode() != "" {
+				assert.NotEmpty(t, got.GetVerificationCode())
+			}
+		})
+	}
+}
+
+func TestServer_SetPassword(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *user.SetPasswordRequest
+	}
+	tests := []struct {
+		name    string
+		prepare func(request *user.SetPasswordRequest) error
+		args    args
+		want    *user.SetPasswordResponse
+		wantErr bool
+	}{
+		{
+			name: "missing user id",
+			prepare: func(request *user.SetPasswordRequest) error {
+				return nil
+			},
+			args: args{
+				ctx: CTX,
+				req: &user.SetPasswordRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "set successful",
+			prepare: func(request *user.SetPasswordRequest) error {
+				userID := Tester.CreateHumanUser(CTX).GetUserId()
+				request.UserId = userID
+				return nil
+			},
+			args: args{
+				ctx: CTX,
+				req: &user.SetPasswordRequest{
+					NewPassword: &user.Password{
+						Password: "Secr3tP4ssw0rd!",
+					},
+				},
+			},
+			want: &user.SetPasswordResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "change successful",
+			prepare: func(request *user.SetPasswordRequest) error {
+				userID := Tester.CreateHumanUser(CTX).GetUserId()
+				request.UserId = userID
+				_, err := Client.SetPassword(CTX, &user.SetPasswordRequest{
+					UserId: userID,
+					NewPassword: &user.Password{
+						Password: "InitialPassw0rd!",
+					},
+				})
+				if err != nil {
+					return err
+				}
+				return nil
+			},
+			args: args{
+				ctx: CTX,
+				req: &user.SetPasswordRequest{
+					NewPassword: &user.Password{
+						Password: "Secr3tP4ssw0rd!",
+					},
+					Verification: &user.SetPasswordRequest_CurrentPassword{
+						CurrentPassword: "InitialPassw0rd!",
+					},
+				},
+			},
+			want: &user.SetPasswordResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "set with code successful",
+			prepare: func(request *user.SetPasswordRequest) error {
+				userID := Tester.CreateHumanUser(CTX).GetUserId()
+				request.UserId = userID
+				resp, err := Client.PasswordReset(CTX, &user.PasswordResetRequest{
+					UserId: userID,
+					Medium: &user.PasswordResetRequest_ReturnCode{
+						ReturnCode: &user.ReturnPasswordResetCode{},
+					},
+				})
+				if err != nil {
+					return err
+				}
+				request.Verification = &user.SetPasswordRequest_VerificationCode{
+					VerificationCode: resp.GetVerificationCode(),
+				}
+				return nil
+			},
+			args: args{
+				ctx: CTX,
+				req: &user.SetPasswordRequest{
+					NewPassword: &user.Password{
+						Password: "Secr3tP4ssw0rd!",
+					},
+				},
+			},
+			want: &user.SetPasswordResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.prepare(tt.args.req)
+			require.NoError(t, err)
+
+			got, err := Client.SetPassword(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, got)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
--- a/internal/api/grpc/user/v2/password_test.go
+++ b/internal/api/grpc/user/v2/password_test.go
@@ -0,0 +1,39 @@
+package user
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func Test_notificationTypeToDomain(t *testing.T) {
+	tests := []struct {
+		name             string
+		notificationType user.NotificationType
+		want             domain.NotificationType
+	}{
+		{
+			"unspecified",
+			user.NotificationType_NOTIFICATION_TYPE_Unspecified,
+			domain.NotificationTypeEmail,
+		},
+		{
+			"email",
+			user.NotificationType_NOTIFICATION_TYPE_Email,
+			domain.NotificationTypeEmail,
+		},
+		{
+			"sms",
+			user.NotificationType_NOTIFICATION_TYPE_SMS,
+			domain.NotificationTypeSms,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, notificationTypeToDomain(tt.notificationType), "notificationTypeToDomain(%v)", tt.notificationType)
+		})
+	}
+}
--- a/internal/api/ui/login/init_password_handler.go
+++ b/internal/api/ui/login/init_password_handler.go
@@ -60,10 +60,10 @@ func (l *Login) handleInitPasswordCheck(w http.ResponseWriter, r *http.Request)
 		l.resendPasswordSet(w, r, authReq)
 		return
 	}
-	l.checkPWCode(w, r, authReq, data, nil)
+	l.checkPWCode(w, r, authReq, data)
 }

-func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *initPasswordFormData, err error) {
+func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *initPasswordFormData) {
 	if data.Password != data.PasswordConfirm {
 		err := errors.ThrowInvalidArgument(nil, "VIEW-KaGue", "Errors.User.Password.ConfirmationWrong")
 		l.renderInitPassword(w, r, authReq, data.UserID, data.Code, err)
@@ -74,12 +74,7 @@ func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *dom
 		userOrg = authReq.UserOrgID
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	passwordCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypePasswordResetCode, l.userCodeAlg)
-	if err != nil {
-		l.renderInitPassword(w, r, authReq, data.UserID, "", err)
-		return
-	}
-	err = l.command.SetPasswordWithVerifyCode(setContext(r.Context(), userOrg), userOrg, data.UserID, data.Code, data.Password, userAgentID, passwordCodeGenerator)
+	_, err := l.command.SetPasswordWithVerifyCode(setContext(r.Context(), userOrg), userOrg, data.UserID, data.Code, data.Password, userAgentID)
 	if err != nil {
 		l.renderInitPassword(w, r, authReq, data.UserID, "", err)
 		return