feat: Login, OP Support and Auth Queries (#177)

* fix: change oidc config

* fix: change oidc config secret

* begin models

* begin repo

* fix: implement grpc app funcs

* fix: add application requests

* fix: converter

* fix: converter

* fix: converter and generate clientid

* fix: tests

* feat: project grant aggregate

* feat: project grant

* fix: project grant check if role existing

* fix: project grant requests

* fix: project grant fixes

* fix: project grant member model

* fix: project grant member aggregate

* fix: project grant member eventstore

* fix: project grant member requests

* feat: user model

* begin repo

* repo models and more

* feat: user command side

* lots of functions

* user command side

* profile requests

* commit before rebase on user

* save

* local config with gopass and more

* begin new auth command (user centric)

* Update internal/user/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/address.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/address.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/mfa.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/mfa.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/model/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/model/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/user_test.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/eventstore_mock_test.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* changes from mr review

* save files into basedir

* changes from mr review

* changes from mr review

* move to auth request

* Update internal/usergrant/repository/eventsourcing/cache.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/usergrant/repository/eventsourcing/cache.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* changes requested on mr

* fix generate codes

* fix return if no events

* password code

* email verification step

* more steps

* lot of mfa

* begin tests

* more next steps

* auth api

* auth api (user)

* auth api (user)

* auth api (user)

* differ requests

* merge

* tests

* fix compilation error

* mock for id generator

* Update internal/user/repository/eventsourcing/model/password.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* requests of mr

* check email

* begin separation of command and query

* otp

* change packages

* some cleanup and fixes

* tests for auth request / next steps

* add VerificationLifetimes to config and make it run

* tests

* fix code challenge validation

* cleanup

* fix merge

* begin view

* repackaging tests and configs

* fix startup config for auth

* add migration

* add PromptSelectAccount

* fix copy / paste

* remove user_agent files

* fixes

* fix sequences in user_session

* token commands

* token queries and signout

* fix

* fix set password test

* add token handler and table

* handle session init

* add session state

* add user view test cases

* change VerifyMyMfaOTP

* some fixes

* fix user repo in auth api

* cleanup

* add user session view test

* fix merge

* begin oidc

* user agent and more

* config

* keys

* key command and query

* add login statics

* key handler

* start login

* login handlers

* lot of fixes

* merge oidc

* add missing exports

* add missing exports

* fix some bugs

* authrequestid in htmls

* getrequest

* update auth request

* fix userid check

* add username to authrequest

* fix user session and auth request handling

* fix UserSessionsByAgentID

* fix auth request tests

* fix user session on UserPasswordChanged and MfaOtpRemoved

* fix MfaTypesSetupPossible

* handle mfa

* fill username

* auth request query checks new events

* fix userSessionByIDs

* fix tokens

* fix userSessionByIDs test

* add user selection

* init code

* user code creation date

* add init user step

* add verification failed types

* add verification failures

* verify init code

* user init code handle

* user init code handle

* fix userSessionByIDs

* update logging

* user agent cookie

* browserinfo from request

* add DeleteAuthRequest

* add static login files to binary

* add login statik to build

* move generate to separate file and remove statik.go files

* remove static dirs from startup.yaml

* generate into separate namespaces

* merge master

* auth request code

* auth request type mapping

* fix keys

* improve tokens

* improve register and basic styling

* fix ailerons font

* improve password reset

* add audience to token

* all oidc apps as audience

* fix test nextStep

* fix email texts

* remove "not set"

* lot of style changes

* improve copy to clipboard

* fix footer

* add cookie handler

* remove placeholders

* fix compilation after merge

* fix auth config

* remove comments

* typo

* use new secrets store

* change default pws to match default policy

* fixes

* add todo

* enable login

* fix db name

* Auth queries (#179)

* my usersession

* org structure/ auth handlers

* working user grant spooler

* auth internal user grants

* search my project orgs

* remove permissions file

* my zitadel permissions

* my zitadel permissions

* remove unused code

* authz

* app searches in view

* token verification

* fix user grant load

* fix tests

* fix tests

* read configs

* remove unused const

* remove todos

* env variables

* app_name

* working authz

* search projects

* global resourceowner

* Update internal/api/auth/permissions.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/api/auth/permissions.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* model2 rename

* at least it works

* check token expiry

* search my user grants

* remove token table from authz

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix test

* fix ports and enable console

Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>

internal/login/handler/auth_request.go

@@ -0,0 +1,27 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+const (
+	queryAuthRequestID = "authRequestID"
+)
+
+func (l *Login) getAuthRequest(r *http.Request) (*model.AuthRequest, error) {
+	authRequestID := r.FormValue(queryAuthRequestID)
+	if authRequestID == "" {
+		return nil, nil
+	}
+	return l.authRepo.AuthRequestByID(r.Context(), authRequestID)
+}
+
+func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*model.AuthRequest, error) {
+	authReq, err := l.getAuthRequest(r)
+	if err != nil {
+		return nil, err
+	}
+	err = l.parser.Parse(r, data)
+	return authReq, err
+}

internal/login/handler/callback_handler.go

@@ -0,0 +1,11 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+func (l *Login) redirectToCallback(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+	callback := l.oidcAuthCallbackURL + authReq.ID
+	http.Redirect(w, r, callback, http.StatusFound)
+}

internal/login/handler/change_password_handler.go

@@ -0,0 +1,52 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+const (
+	tmplChangePassword     = "changepassword"
+	tmplChangePasswordDone = "changepassworddone"
+)
+
+type changePasswordData struct {
+	OldPassword string `schema:"old_password"`
+	NewPassword string `schema:"new_password"`
+}
+
+func (l *Login) handleChangePassword(w http.ResponseWriter, r *http.Request) {
+	data := new(changePasswordData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	err = l.authRepo.ChangePassword(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.OldPassword, data.NewPassword)
+	if err != nil {
+		l.renderChangePassword(w, r, authReq, err)
+		return
+	}
+	l.renderChangePasswordDone(w, r, authReq)
+}
+
+func (l *Login) renderChangePassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "Change Password", errType, errMessage),
+		UserName: authReq.UserName,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplChangePassword], data, nil)
+}
+
+func (l *Login) renderChangePasswordDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+	var errType, errMessage string
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "Password Change Done", errType, errMessage),
+		UserName: authReq.UserName,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplChangePasswordDone], data, nil)
+}

internal/login/handler/health_handler.go

@@ -0,0 +1,18 @@
+package handler
+
+import (
+	"net/http"
+)
+
+func (l *Login) handleHealthz(w http.ResponseWriter, r *http.Request) {
+	w.Write([]byte("OK"))
+}
+
+func (l *Login) handleReadiness(w http.ResponseWriter, r *http.Request) {
+	err := l.authRepo.Health(r.Context())
+	if err != nil {
+		http.Error(w, "not ready", http.StatusInternalServerError)
+		return
+	}
+	w.Write([]byte("OK"))
+}

internal/login/handler/init_password_handler.go

@@ -0,0 +1,97 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"github.com/caos/zitadel/internal/errors"
+	"net/http"
+)
+
+const (
+	queryInitPWCode   = "code"
+	queryInitPWUserID = "userID"
+
+	tmplInitPassword     = "initpassword"
+	tmplInitPasswordDone = "initpassworddone"
+)
+
+type initPasswordFormData struct {
+	Code            string `schema:"code"`
+	Password        string `schema:"password"`
+	PasswordConfirm string `schema:"passwordconfirm"`
+	UserID          string `schema:"userID"`
+	Resend          bool   `schema:"resend"`
+}
+
+type initPasswordData struct {
+	baseData
+	Code   string
+	UserID string
+}
+
+func (l *Login) handleInitPassword(w http.ResponseWriter, r *http.Request) {
+	userID := r.FormValue(queryInitPWUserID)
+	code := r.FormValue(queryInitPWCode)
+	l.renderInitPassword(w, r, nil, userID, code, nil)
+}
+
+func (l *Login) handleInitPasswordCheck(w http.ResponseWriter, r *http.Request) {
+	data := new(initPasswordFormData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+
+	if data.Resend {
+		l.resendPasswordSet(w, r, authReq)
+		return
+	}
+	l.checkPWCode(w, r, authReq, data, nil)
+}
+
+func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *initPasswordFormData, err error) {
+	if data.Password != data.PasswordConfirm {
+		err := errors.ThrowInvalidArgument(nil, "VIEW-KaGue", "passwords dont match")
+		l.renderInitPassword(w, r, authReq, data.UserID, data.Code, err)
+		return
+	}
+	userOrg := login
+	if authReq != nil {
+		userOrg = authReq.UserOrgID
+	}
+	err = l.authRepo.SetPassword(setContext(r.Context(), userOrg), data.UserID, data.Code, data.Password)
+	if err != nil {
+		l.renderInitPassword(w, r, authReq, data.UserID, "", err)
+		return
+	}
+	l.renderInitPasswordDone(w, r, authReq)
+}
+
+func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+	err := l.authRepo.RequestPasswordReset(r.Context(), authReq.UserName)
+	l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
+}
+
+func (l *Login) renderInitPassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	if userID == "" && authReq != nil {
+		userID = authReq.UserID
+	}
+	data := initPasswordData{
+		baseData: l.getBaseData(r, authReq, "Init Password", errType, errMessage),
+		UserID:   userID,
+		Code:     code,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitPassword], data, nil)
+}
+
+func (l *Login) renderInitPasswordDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "Password Init Done", "", ""),
+		UserName: authReq.UserName,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitPasswordDone], data, nil)
+}

internal/login/handler/init_user_handler.go

@@ -0,0 +1,105 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"net/http"
+)
+
+const (
+	queryInitUserCode   = "code"
+	queryInitUserUserID = "userID"
+
+	tmplInitUser     = "inituser"
+	tmplInitUserDone = "inituserdone"
+)
+
+type initUserFormData struct {
+	Code            string `schema:"code"`
+	Password        string `schema:"password"`
+	PasswordConfirm string `schema:"passwordconfirm"`
+	UserID          string `schema:"userID"`
+	Resend          bool   `schema:"resend"`
+}
+
+type initUserData struct {
+	baseData
+	Code   string
+	UserID string
+}
+
+func (l *Login) handleInitUser(w http.ResponseWriter, r *http.Request) {
+	userID := r.FormValue(queryInitUserUserID)
+	code := r.FormValue(queryInitUserCode)
+	l.renderInitUser(w, r, nil, userID, code, nil)
+}
+
+func (l *Login) handleInitUserCheck(w http.ResponseWriter, r *http.Request) {
+	data := new(initUserFormData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, nil, err)
+		return
+	}
+
+	if data.Resend {
+		l.resendUserInit(w, r, authReq, data.UserID)
+		return
+	}
+	l.checkUserInitCode(w, r, authReq, data, nil)
+}
+
+func (l *Login) checkUserInitCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *initUserFormData, err error) {
+	if data.Password != data.PasswordConfirm {
+		err := caos_errs.ThrowInvalidArgument(nil, "VIEW-fsdfd", "passwords dont match")
+		l.renderInitUser(w, r, nil, data.UserID, data.Code, err)
+		return
+	}
+	userOrgID := login
+	if authReq != nil {
+		userOrgID = authReq.UserOrgID
+	}
+	err = l.authRepo.VerifyInitCode(setContext(r.Context(), userOrgID), data.UserID, data.Code, data.Password)
+	if err != nil {
+		l.renderInitUser(w, r, nil, data.UserID, "", err)
+		return
+	}
+	l.renderInitUserDone(w, r, nil)
+}
+
+func (l *Login) resendUserInit(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID string) {
+	userOrgID := login
+	if authReq != nil {
+		userOrgID = authReq.UserOrgID
+	}
+	err := l.authRepo.ResendInitVerificationMail(setContext(r.Context(), userOrgID), userID)
+	l.renderInitUser(w, r, authReq, userID, "", err)
+}
+
+func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	if authReq != nil {
+		userID = authReq.UserID
+	}
+	data := initUserData{
+		baseData: l.getBaseData(r, nil, "Init User", errType, errMessage),
+		UserID:   userID,
+		Code:     code,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitUser], data, nil)
+}
+
+func (l *Login) renderInitUserDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+	var errType, errMessage, userName string
+	if authReq != nil {
+		userName = authReq.UserName
+	}
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "User Init Done", errType, errMessage),
+		UserName: userName,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitUserDone], data, nil)
+}

internal/login/handler/login.go

@@ -0,0 +1,92 @@
+package handler
+
+import (
+	"context"
+	"net"
+	"net/http"
+
+	"github.com/caos/logging"
+	"github.com/gorilla/mux"
+	"github.com/rakyll/statik/fs"
+	"golang.org/x/text/language"
+
+	"github.com/caos/zitadel/internal/api/auth"
+	"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/form"
+
+	_ "github.com/caos/zitadel/internal/login/statik"
+)
+
+type Login struct {
+	endpoint            string
+	router              *mux.Router
+	renderer            *Renderer
+	parser              *form.Parser
+	authRepo            *eventsourcing.EsRepository
+	zitadelURL          string
+	oidcAuthCallbackURL string
+}
+
+type Config struct {
+	Port                string
+	OidcAuthCallbackURL string
+	ZitadelURL          string
+	LanguageCookieName  string
+	DefaultLanguage     language.Tag
+}
+
+const (
+	login = "LOGIN"
+)
+
+func StartLogin(ctx context.Context, config Config, authRepo *eventsourcing.EsRepository) {
+	login := &Login{
+		endpoint:            config.Port,
+		oidcAuthCallbackURL: config.OidcAuthCallbackURL,
+		zitadelURL:          config.ZitadelURL,
+		authRepo:            authRepo,
+	}
+	statikFS, err := fs.NewWithNamespace("login")
+	logging.Log("CONFI-7usEW").OnError(err).Panic("unable to start listener")
+
+	login.router = CreateRouter(login, statikFS)
+	login.renderer = CreateRenderer(statikFS, config.LanguageCookieName, config.DefaultLanguage)
+	login.parser = form.NewParser()
+	login.Listen(ctx)
+}
+
+func (l *Login) Listen(ctx context.Context) {
+	if l.endpoint == "" {
+		l.endpoint = ":80"
+	} else {
+		l.endpoint = ":" + l.endpoint
+	}
+
+	defer logging.LogWithFields("APP-xUZof", "port", l.endpoint).Info("html is listening")
+	httpListener, err := net.Listen("tcp", l.endpoint)
+	logging.Log("CONFI-W5q2O").OnError(err).Panic("unable to start listener")
+
+	httpServer := &http.Server{
+		Handler: l.router,
+	}
+
+	go func() {
+		<-ctx.Done()
+		if err = httpServer.Shutdown(ctx); err != nil {
+			logging.Log("APP-mJKTv").WithError(err)
+		}
+	}()
+
+	go func() {
+		err := httpServer.Serve(httpListener)
+		logging.Log("APP-oSklt").OnError(err).Panic("unable to start listener")
+	}()
+}
+
+func setContext(ctx context.Context, resourceOwner string) context.Context {
+	data := auth.CtxData{
+		UserID: login,
+		OrgID:  resourceOwner,
+	}
+	return auth.SetCtxData(ctx, data)
+}

internal/login/handler/login_handler.go

@@ -0,0 +1,63 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+const (
+	tmplLogin = "login"
+)
+
+type loginData struct {
+	UserName string `schema:"username"`
+}
+
+func (l *Login) handleLogin(w http.ResponseWriter, r *http.Request) {
+	authReq, err := l.getAuthRequest(r)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	if authReq == nil {
+		http.Redirect(w, r, l.zitadelURL, http.StatusFound)
+		return
+	}
+	l.renderNextStep(w, r, authReq)
+}
+
+func (l *Login) handleUsername(w http.ResponseWriter, r *http.Request) {
+	authSession, err := l.getAuthRequest(r)
+	if err != nil {
+		l.renderError(w, r, authSession, err)
+		return
+	}
+	l.renderLogin(w, r, authSession, nil)
+}
+
+func (l *Login) handleUsernameCheck(w http.ResponseWriter, r *http.Request) {
+	data := new(loginData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	err = l.authRepo.CheckUsername(r.Context(), authReq.ID, data.UserName)
+	if err != nil {
+		l.renderLogin(w, r, authReq, err)
+		return
+	}
+	l.renderNextStep(w, r, authReq)
+}
+
+func (l *Login) renderLogin(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "Login", errType, errMessage),
+		UserName: authReq.UserName,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplLogin], data, nil)
+}

internal/login/handler/logout_handler.go

@@ -0,0 +1,20 @@
+package handler
+
+import (
+	"net/http"
+)
+
+const (
+	tmplLogoutDone = "logoutdone"
+)
+
+func (l *Login) handleLogoutDone(w http.ResponseWriter, r *http.Request) {
+	l.renderLogoutDone(w, r)
+}
+
+func (l *Login) renderLogoutDone(w http.ResponseWriter, r *http.Request) {
+	data := userData{
+		baseData: l.getBaseData(r, nil, "Logout Done", "", ""),
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplLogoutDone], data, nil)
+}

internal/login/handler/mail_verify_handler.go

@@ -0,0 +1,90 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+const (
+	queryCode   = "code"
+	queryUserID = "userID"
+
+	tmplMailVerification = "mail_verification"
+	tmplMailVerified     = "mail_verified"
+)
+
+type mailVerificationFormData struct {
+	Code   string `schema:"code"`
+	UserID string `schema:"userID"`
+	Resend bool   `schema:"resend"`
+}
+
+type mailVerificationData struct {
+	baseData
+	UserID string
+}
+
+func (l *Login) handleMailVerification(w http.ResponseWriter, r *http.Request) {
+	userID := r.FormValue(queryUserID)
+	code := r.FormValue(queryCode)
+	if code != "" {
+		l.checkMailCode(w, r, nil, userID, code)
+		return
+	}
+	l.renderMailVerification(w, r, nil, userID, nil)
+}
+
+func (l *Login) handleMailVerificationCheck(w http.ResponseWriter, r *http.Request) {
+	data := new(mailVerificationFormData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	if !data.Resend {
+		l.checkMailCode(w, r, authReq, data.UserID, data.Code)
+		return
+	}
+	userOrg := login
+	if authReq != nil {
+		userOrg = authReq.UserOrgID
+	}
+	err = l.authRepo.ResendEmailVerificationMail(setContext(r.Context(), userOrg), data.UserID)
+	l.renderMailVerification(w, r, authReq, data.UserID, err)
+}
+
+func (l *Login) checkMailCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string) {
+	userOrg := login
+	if authReq != nil {
+		userID = authReq.UserID
+		userOrg = authReq.UserOrgID
+	}
+	err := l.authRepo.VerifyEmail(setContext(r.Context(), userOrg), userID, code)
+	if err != nil {
+		l.renderMailVerification(w, r, authReq, userID, err)
+		return
+	}
+	l.renderMailVerified(w, r, authReq)
+}
+
+func (l *Login) renderMailVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID string, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	if userID == "" {
+		userID = authReq.UserID
+	}
+	data := mailVerificationData{
+		baseData: l.getBaseData(r, authReq, "Mail Verification", errType, errMessage),
+		UserID:   userID,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMailVerification], data, nil)
+}
+
+func (l *Login) renderMailVerified(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+	data := mailVerificationData{
+		baseData: l.getBaseData(r, authReq, "Mail Verified", "", ""),
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMailVerified], data, nil)
+}

internal/login/handler/mfa_init_done_handler.go

@@ -0,0 +1,20 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+const (
+	tmplMfaInitDone = "mfainitdone"
+)
+
+type mfaInitDoneData struct {
+}
+
+func (l *Login) renderMfaInitDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaDoneData) {
+	var errType, errMessage string
+	data.baseData = l.getBaseData(r, authReq, "Mfa Init Done", errType, errMessage)
+	data.UserName = authReq.UserName
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaInitDone], data, nil)
+}

internal/login/handler/mfa_init_verify_handler.go

@@ -0,0 +1,95 @@
+package handler
+
+import (
+	"bytes"
+	"net/http"
+
+	"github.com/aaronarduino/goqrsvg"
+	svg "github.com/ajstarks/svgo"
+	"github.com/boombuler/barcode/qr"
+	"github.com/caos/zitadel/internal/auth_request/model"
+)
+
+const (
+	tmplMfaInitVerify = "mfainitverify"
+)
+
+type mfaInitVerifyData struct {
+	MfaType model.MfaType `schema:"mfaType"`
+	Code    string        `schema:"code"`
+	URL     string        `schema:"url"`
+	Secret  string        `schema:"secret"`
+}
+
+func (l *Login) handleMfaInitVerify(w http.ResponseWriter, r *http.Request) {
+	data := new(mfaInitVerifyData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	var verifyData *mfaVerifyData
+	switch data.MfaType {
+	case model.MfaTypeOTP:
+		verifyData = l.handleOtpVerify(w, r, authReq, data)
+	}
+
+	if verifyData != nil {
+		l.renderMfaInitVerify(w, r, authReq, verifyData, err)
+		return
+	}
+
+	done := &mfaDoneData{
+		MfaType: data.MfaType,
+	}
+	l.renderMfaInitDone(w, r, authReq, done)
+}
+
+func (l *Login) handleOtpVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaInitVerifyData) *mfaVerifyData {
+	err := l.authRepo.VerifyMfaOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code)
+	if err == nil {
+		return nil
+	}
+	mfadata := &mfaVerifyData{
+		MfaType: data.MfaType,
+		otpData: otpData{
+			Secret: data.Secret,
+			Url:    data.URL,
+		},
+	}
+
+	return mfadata
+}
+
+func (l *Login) renderMfaInitVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	data.baseData = l.getBaseData(r, authReq, "Mfa Init Verify", errType, errMessage)
+	data.UserName = authReq.UserName
+	if data.MfaType == model.MfaTypeOTP {
+		code, err := generateQrCode(data.otpData.Url)
+		if err == nil {
+			data.otpData.QrCode = code
+		}
+	}
+
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaInitVerify], data, nil)
+}
+
+func generateQrCode(url string) (string, error) {
+	var b bytes.Buffer
+	s := svg.New(&b)
+
+	qrCode, err := qr.Encode(url, qr.M, qr.Auto)
+	if err != nil {
+		return "", err
+	}
+	qs := goqrsvg.NewQrSVG(qrCode, 5)
+	qs.StartQrSVG(s)
+	qs.WriteQrSVG(s)
+
+	s.End()
+	return string(b.Bytes()), nil
+}

internal/login/handler/mfa_prompt_handler.go

@@ -0,0 +1,88 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"net/http"
+)
+
+const (
+	tmplMfaPrompt = "mfaprompt"
+)
+
+type mfaPromptData struct {
+	MfaProvider model.MfaType `schema:"provider"`
+	Skip        bool          `schema:"skip"`
+}
+
+func (l *Login) handleMfaPrompt(w http.ResponseWriter, r *http.Request) {
+	data := new(mfaPromptData)
+	authSession, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authSession, err)
+		return
+	}
+	if !data.Skip {
+		mfaVerifyData := new(mfaVerifyData)
+		mfaVerifyData.MfaType = data.MfaProvider
+		l.handleMfaCreation(w, r, authSession, mfaVerifyData)
+		return
+	}
+	err = l.authRepo.SkipMfaInit(setContext(r.Context(), authSession.UserOrgID), authSession.UserID)
+	if err != nil {
+		l.renderError(w, r, authSession, err)
+		return
+	}
+	l.handleLogin(w, r)
+}
+
+func (l *Login) renderMfaPrompt(w http.ResponseWriter, r *http.Request, authSession *model.AuthRequest, mfaPromptData *model.MfaPromptStep, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	data := mfaData{
+		baseData: l.getBaseData(r, authSession, "Mfa Prompt", errType, errMessage),
+		UserName: authSession.UserName,
+	}
+
+	if mfaPromptData == nil {
+		l.renderError(w, r, authSession, caos_errs.ThrowPreconditionFailed(nil, "APP-XU0tj", "No available mfa providers"))
+		return
+	}
+
+	data.MfaProviders = mfaPromptData.MfaProviders
+	data.MfaRequired = mfaPromptData.Required
+
+	if len(mfaPromptData.MfaProviders) == 1 && mfaPromptData.Required {
+		data := &mfaVerifyData{
+			MfaType: mfaPromptData.MfaProviders[0],
+		}
+		l.handleMfaCreation(w, r, authSession, data)
+		return
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaPrompt], data, nil)
+}
+
+func (l *Login) handleMfaCreation(w http.ResponseWriter, r *http.Request, authSession *model.AuthRequest, data *mfaVerifyData) {
+	switch data.MfaType {
+	case model.MfaTypeOTP:
+		l.handleOtpCreation(w, r, authSession, data)
+		return
+	}
+	l.renderError(w, r, authSession, caos_errs.ThrowPreconditionFailed(nil, "APP-Or3HO", "No available mfa providers"))
+}
+
+func (l *Login) handleOtpCreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
+	otp, err := l.authRepo.AddMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+
+	data.otpData = otpData{
+		Secret: otp.SecretString,
+		Url:    otp.Url,
+	}
+	l.renderMfaInitVerify(w, r, authReq, data, nil)
+}

internal/login/handler/mfa_verify_handler.go

@@ -0,0 +1,49 @@
+package handler
+
+import (
+	"net/http"
+
+	"github.com/caos/zitadel/internal/auth_request/model"
+)
+
+const (
+	tmplMfaVerify = "mfaverify"
+)
+
+type mfaVerifyFormData struct {
+	MfaType model.MfaType `schema:"mfaType"`
+	Code    string        `schema:"code"`
+}
+
+func (l *Login) handleMfaVerify(w http.ResponseWriter, r *http.Request) {
+	data := new(mfaVerifyFormData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	if data.MfaType == model.MfaTypeOTP {
+		err = l.authRepo.VerifyMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, model.BrowserInfoFromRequest(r))
+	}
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	l.renderNextStep(w, r, authReq)
+}
+
+func (l *Login) renderMfaVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MfaVerificationStep, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "Mfa Verify", errType, errMessage),
+		UserName: authReq.UserName,
+	}
+	if verificationStep != nil {
+		data.MfaProviders = verificationStep.MfaProviders
+		data.SelectedMfaProvider = verificationStep.MfaProviders[0]
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaVerify], data, nil)
+}

internal/login/handler/password_handler.go

@@ -0,0 +1,42 @@
+package handler
+
+import (
+	"net/http"
+
+	"github.com/caos/zitadel/internal/auth_request/model"
+)
+
+const (
+	tmplPassword = "password"
+)
+
+type passwordData struct {
+	Password string `schema:"password"`
+}
+
+func (l *Login) renderPassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "Password", errType, errMessage),
+		UserName: authReq.UserName,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplPassword], data, nil)
+}
+
+func (l *Login) handlePasswordCheck(w http.ResponseWriter, r *http.Request) {
+	data := new(passwordData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Password, model.BrowserInfoFromRequest(r))
+	if err != nil {
+		l.renderPassword(w, r, authReq, err)
+		return
+	}
+	l.renderNextStep(w, r, authReq)
+}

internal/login/handler/password_reset_handler.go

@@ -0,0 +1,32 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+const (
+	tmplPasswordResetDone = "passwordresetdone"
+)
+
+func (l *Login) handlePasswordReset(w http.ResponseWriter, r *http.Request) {
+	authReq, err := l.getAuthRequest(r)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	err = l.authRepo.RequestPasswordReset(setContext(r.Context(), authReq.UserOrgID), authReq.UserName)
+	l.renderPasswordResetDone(w, r, authReq, err)
+}
+
+func (l *Login) renderPasswordResetDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	data := userData{
+		baseData: l.getBaseData(r, authReq, "Password Reset Done", errType, errMessage),
+		UserName: authReq.UserName,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplPasswordResetDone], data, nil)
+}

internal/login/handler/register_handler.go

@@ -0,0 +1,119 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	"golang.org/x/text/language"
+	"net/http"
+)
+
+const (
+	tmplRegister = "register"
+
+	globalRO = "GlobalResourceOwner"
+)
+
+type registerFormData struct {
+	Email     string `schema:"email"`
+	Firstname string `schema:"firstname"`
+	Lastname  string `schema:"lastname"`
+	Language  string `schema:"language"`
+	Gender    int32  `schema:"gender"`
+	Password  string `schema:"password"`
+	Password2 string `schema:"password2"`
+}
+
+type registerData struct {
+	baseData
+	registerFormData
+}
+
+func (l *Login) handleRegister(w http.ResponseWriter, r *http.Request) {
+	data := new(registerFormData)
+	authRequest, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authRequest, err)
+		return
+	}
+	l.renderRegister(w, r, authRequest, data, nil)
+}
+
+func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
+	data := new(registerFormData)
+	authRequest, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authRequest, err)
+		return
+	}
+	if data.Password != data.Password2 {
+		err := caos_errs.ThrowInvalidArgument(nil, "VIEW-KaGue", "passwords dont match")
+		l.renderRegister(w, r, authRequest, data, err)
+		return
+	}
+	iam, err := l.authRepo.GetIam(r.Context())
+	if err != nil {
+		l.renderRegister(w, r, authRequest, data, err)
+		return
+	}
+	user, err := l.authRepo.Register(setContext(r.Context(), iam.GlobalOrgID), data.toUserModel(), iam.GlobalOrgID)
+	if err != nil {
+		l.renderRegister(w, r, authRequest, data, err)
+		return
+	}
+	if authRequest == nil {
+		http.Redirect(w, r, l.zitadelURL, http.StatusFound)
+		return
+	}
+	authRequest.UserName = user.UserName
+	l.renderNextStep(w, r, authRequest)
+}
+
+func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authRequest *model.AuthRequest, formData *registerFormData, err error) {
+	var errType, errMessage string
+	if err != nil {
+		errMessage = err.Error()
+	}
+	if formData == nil {
+		formData = new(registerFormData)
+	}
+	if formData.Language == "" {
+		formData.Language = l.renderer.Lang(r).String()
+	}
+	data := registerData{
+		baseData:         l.getBaseData(r, authRequest, "Register", errType, errMessage),
+		registerFormData: *formData,
+	}
+	funcs := map[string]interface{}{
+		"selectedLanguage": func(l string) bool {
+			if formData == nil {
+				return false
+			}
+			return formData.Language == l
+		},
+		"selectedGender": func(g int32) bool {
+			if formData == nil {
+				return false
+			}
+			return formData.Gender == g
+		},
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplRegister], data, funcs)
+}
+
+func (d registerFormData) toUserModel() *usr_model.User {
+	return &usr_model.User{
+		Profile: &usr_model.Profile{
+			FirstName:         d.Firstname,
+			LastName:          d.Lastname,
+			PreferredLanguage: language.Make(d.Language),
+			Gender:            usr_model.Gender(d.Gender),
+		},
+		Password: &usr_model.Password{
+			SecretString: d.Password,
+		},
+		Email: &usr_model.Email{
+			EmailAddress: d.Email,
+		},
+	}
+}

internal/login/handler/renderer.go

@@ -0,0 +1,260 @@
+package handler
+
+import (
+	"fmt"
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/i18n"
+	"github.com/caos/zitadel/internal/renderer"
+	"net/http"
+	"path"
+
+	"github.com/caos/logging"
+	"golang.org/x/text/language"
+)
+
+const (
+	tmplError = "error"
+)
+
+type Renderer struct {
+	*renderer.Renderer
+}
+
+func CreateRenderer(staticDir http.FileSystem, cookieName string, defaultLanguage language.Tag) *Renderer {
+	r := new(Renderer)
+	tmplMapping := map[string]string{
+		tmplError:              "error.html",
+		tmplLogin:              "login.html",
+		tmplUserSelection:      "select_user.html",
+		tmplPassword:           "password.html",
+		tmplMfaVerify:          "mfa_verify.html",
+		tmplMfaPrompt:          "mfa_prompt.html",
+		tmplMfaInitVerify:      "mfa_init_verify.html",
+		tmplMfaInitDone:        "mfa_init_done.html",
+		tmplMailVerification:   "mail_verification.html",
+		tmplMailVerified:       "mail_verified.html",
+		tmplInitPassword:       "init_password.html",
+		tmplInitPasswordDone:   "init_password_done.html",
+		tmplInitUser:           "init_user.html",
+		tmplInitUserDone:       "init_user_done.html",
+		tmplPasswordResetDone:  "password_reset_done.html",
+		tmplChangePassword:     "change_password.html",
+		tmplChangePasswordDone: "change_password_done.html",
+		tmplRegister:           "register.html",
+		tmplLogoutDone:         "logout_done.html",
+	}
+	funcs := map[string]interface{}{
+		"resourceUrl": func(file string) string {
+			return path.Join(EndpointResources, file)
+		},
+		"resourceThemeUrl": func(file, theme string) string {
+			return path.Join(EndpointResources, "themes", theme, file)
+		},
+		"loginUrl": func() string {
+			return EndpointLogin
+		},
+		"registerUrl": func(id string) string {
+			return fmt.Sprintf("%s?%s=%s", EndpointRegister, queryAuthRequestID, id)
+		},
+		"usernameUrl": func() string {
+			return EndpointUsername
+		},
+		"usernameChangeUrl": func(id string) string {
+			return fmt.Sprintf("%s?%s=%s", EndpointUsername, queryAuthRequestID, id)
+		},
+		"userSelectionUrl": func() string {
+			return EndpointUserSelection
+		},
+		"passwordResetUrl": func(id string) string {
+			return fmt.Sprintf("%s?%s=%s", EndpointPasswordReset, queryAuthRequestID, id)
+		},
+		"passwordUrl": func() string {
+			return EndpointPassword
+		},
+		"mfaVerifyUrl": func() string {
+			return EndpointMfaVerify
+		},
+		"mfaPromptUrl": func() string {
+			return EndpointMfaPrompt
+		},
+		"mfaInitVerifyUrl": func() string {
+			return EndpointMfaInitVerify
+		},
+		"mailVerificationUrl": func() string {
+			return EndpointMailVerification
+		},
+		"initPasswordUrl": func() string {
+			return EndpointInitPassword
+		},
+		"initUserUrl": func() string {
+			return EndpointInitUser
+		},
+		"changePasswordUrl": func() string {
+			return EndpointChangePassword
+		},
+		"registrationUrl": func() string {
+			return EndpointRegister
+		},
+		"selectedLanguage": func(l string) bool {
+			return false
+		},
+		"selectedGender": func(g int32) bool {
+			return false
+		},
+	}
+	var err error
+	r.Renderer, err = renderer.NewRenderer(
+		staticDir,
+		tmplMapping, funcs,
+		i18n.TranslatorConfig{DefaultLanguage: defaultLanguage, CookieName: cookieName},
+	)
+	logging.Log("APP-40tSoJ").OnError(err).WithError(err).Panic("error creating renderer")
+	return r
+}
+
+func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
+	authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID)
+	if err != nil {
+		l.renderInternalError(w, r, authReq, errors.ThrowInternal(nil, "APP-sio0W", "could not get authreq"))
+	}
+	if len(authReq.PossibleSteps) == 0 {
+		l.renderInternalError(w, r, authReq, errors.ThrowInternal(nil, "APP-9sdp4", "no possible steps"))
+		return
+	}
+	l.chooseNextStep(w, r, authReq, 0, nil)
+}
+
+func (l *Login) renderError(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	if authReq == nil || len(authReq.PossibleSteps) == 0 {
+		l.renderInternalError(w, r, authReq, errors.ThrowInternal(err, "APP-OVOiT", "no possible steps"))
+		return
+	}
+	l.chooseNextStep(w, r, authReq, 0, err)
+}
+
+func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, stepNumber int, err error) {
+	switch step := authReq.PossibleSteps[stepNumber].(type) {
+	case *model.LoginStep:
+		if len(authReq.PossibleSteps) > 1 {
+			l.chooseNextStep(w, r, authReq, 1, err)
+			return
+		}
+		l.renderLogin(w, r, authReq, err)
+	case *model.SelectUserStep:
+		l.renderUserSelection(w, r, authReq, step)
+	case *model.InitPasswordStep:
+		l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
+	case *model.PasswordStep:
+		l.renderPassword(w, r, authReq, nil)
+	case *model.MfaVerificationStep:
+		l.renderMfaVerify(w, r, authReq, step, err)
+	case *model.RedirectToCallbackStep:
+		if len(authReq.PossibleSteps) > 1 {
+			l.chooseNextStep(w, r, authReq, 1, err)
+			return
+		}
+		l.redirectToCallback(w, r, authReq)
+	case *model.ChangePasswordStep:
+		l.renderChangePassword(w, r, authReq, err)
+	case *model.VerifyEMailStep:
+		l.renderMailVerification(w, r, authReq, "", err)
+	case *model.MfaPromptStep:
+		l.renderMfaPrompt(w, r, authReq, step, err)
+	case *model.InitUserStep:
+		l.renderInitUser(w, r, authReq, "", "", nil)
+	default:
+		l.renderInternalError(w, r, authReq, errors.ThrowInternal(nil, "APP-ds3QF", "step no possible"))
+	}
+}
+
+func (l *Login) renderInternalError(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var msg string
+	if err != nil {
+		msg = err.Error()
+	}
+	data := l.getBaseData(r, authReq, "Error", "Internal", msg)
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplError], data, nil)
+}
+
+func (l *Login) getBaseData(r *http.Request, authReq *model.AuthRequest, title string, errType, errMessage string) baseData {
+	return baseData{
+		errorData: errorData{
+			ErrType:    errType,
+			ErrMessage: errMessage,
+		},
+		Lang:      l.renderer.Lang(r).String(),
+		Title:     title,
+		Theme:     l.getTheme(r),
+		ThemeMode: l.getThemeMode(r),
+		AuthReqID: getRequestID(authReq, r),
+	}
+}
+
+func (l *Login) getTheme(r *http.Request) string {
+	return "zitadel" //TODO: impl
+}
+
+func (l *Login) getThemeMode(r *http.Request) string {
+	return "" //TODO: impl
+}
+
+func getRequestID(authReq *model.AuthRequest, r *http.Request) string {
+	if authReq != nil {
+		return authReq.ID
+	}
+	return r.FormValue(queryAuthRequestID)
+}
+
+type baseData struct {
+	errorData
+	Lang      string
+	Title     string
+	Theme     string
+	ThemeMode string
+	AuthReqID string
+}
+
+type errorData struct {
+	ErrType    string
+	ErrMessage string
+}
+
+type userData struct {
+	baseData
+	UserName            string
+	PasswordChecked     string
+	MfaProviders        []model.MfaType
+	SelectedMfaProvider model.MfaType
+}
+
+type userSelectionData struct {
+	baseData
+	Users []model.UserSelection
+}
+
+type mfaData struct {
+	baseData
+	UserName     string
+	MfaProviders []model.MfaType
+	MfaRequired  bool
+}
+
+type mfaVerifyData struct {
+	baseData
+	UserName string
+	MfaType  model.MfaType
+	otpData
+}
+
+type mfaDoneData struct {
+	baseData
+	UserName string
+	MfaType  model.MfaType
+}
+
+type otpData struct {
+	Url    string
+	Secret string
+	QrCode string
+}

internal/login/handler/resources_handler.go

@@ -0,0 +1,9 @@
+package handler
+
+import (
+	"net/http"
+)
+
+func (l *Login) handleResources(staticDir http.FileSystem) http.Handler {
+	return http.FileServer(staticDir)
+}

internal/login/handler/router.go

@@ -0,0 +1,58 @@
+package handler
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+)
+
+const (
+	EndpointRoot             = "/"
+	EndpointHealthz          = "/healthz"
+	EndpointReadiness        = "/ready"
+	EndpointLogin            = "/login"
+	EndpointUsername         = "/username"
+	EndpointUserSelection    = "/userselection"
+	EndpointPassword         = "/password"
+	EndpointInitPassword     = "/password/init"
+	EndpointChangePassword   = "/password/change"
+	EndpointPasswordReset    = "/password/reset"
+	EndpointInitUser         = "/user/init"
+	EndpointMfaVerify        = "/mfa/verify"
+	EndpointMfaPrompt        = "/mfa/prompt"
+	EndpointMfaInitVerify    = "/mfa/init/verify"
+	EndpointMailVerification = "/mail/verification"
+	EndpointMailVerified     = "/mail/verified"
+	EndpointRegister         = "/register"
+	EndpointLogoutDone       = "/logout/done"
+
+	EndpointResources = "/resources"
+)
+
+func CreateRouter(login *Login, staticDir http.FileSystem) *mux.Router {
+	router := mux.NewRouter()
+	router.HandleFunc(EndpointRoot, login.handleLogin).Methods(http.MethodGet)
+	router.HandleFunc(EndpointHealthz, login.handleHealthz).Methods(http.MethodGet)
+	router.HandleFunc(EndpointReadiness, login.handleReadiness).Methods(http.MethodGet)
+	router.HandleFunc(EndpointLogin, login.handleLogin).Methods(http.MethodGet, http.MethodPost)
+	router.HandleFunc(EndpointUsername, login.handleUsername).Methods(http.MethodGet)
+	router.HandleFunc(EndpointUsername, login.handleUsernameCheck).Methods(http.MethodPost)
+	router.HandleFunc(EndpointUserSelection, login.handleSelectUser).Methods(http.MethodPost)
+	router.HandleFunc(EndpointPassword, login.handlePasswordCheck).Methods(http.MethodPost)
+	router.HandleFunc(EndpointInitPassword, login.handleInitPassword).Methods(http.MethodGet)
+	router.HandleFunc(EndpointInitPassword, login.handleInitPasswordCheck).Methods(http.MethodPost)
+	router.HandleFunc(EndpointPasswordReset, login.handlePasswordReset).Methods(http.MethodGet)
+	router.HandleFunc(EndpointInitUser, login.handleInitUser).Methods(http.MethodGet)
+	router.HandleFunc(EndpointInitUser, login.handleInitUserCheck).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMfaVerify, login.handleMfaVerify).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMfaPrompt, login.handleMfaPrompt).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMfaInitVerify, login.handleMfaInitVerify).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMailVerification, login.handleMailVerification).Methods(http.MethodGet)
+	router.HandleFunc(EndpointMailVerification, login.handleMailVerificationCheck).Methods(http.MethodPost)
+	router.HandleFunc(EndpointChangePassword, login.handleChangePassword).Methods(http.MethodPost)
+	router.HandleFunc(EndpointRegister, login.handleRegister).Methods(http.MethodGet)
+	router.HandleFunc(EndpointRegister, login.handleRegisterCheck).Methods(http.MethodPost)
+	router.HandleFunc(EndpointLogoutDone, login.handleLogoutDone).Methods(http.MethodGet)
+	router.PathPrefix(EndpointResources).Handler(login.handleResources(staticDir)).Methods(http.MethodGet)
+	return router
+}

internal/login/handler/select_user_handler.go

@@ -0,0 +1,42 @@
+package handler
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	"net/http"
+)
+
+const (
+	tmplUserSelection = "userselection"
+)
+
+type userSelectionFormData struct {
+	UserID string `schema:"userID"`
+}
+
+func (l *Login) renderUserSelection(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, selectionData *model.SelectUserStep) {
+	var errType, errMessage string
+	data := userSelectionData{
+		baseData: l.getBaseData(r, authReq, "Select User", errType, errMessage),
+		Users:    selectionData.Users,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplUserSelection], data, nil)
+}
+
+func (l *Login) handleSelectUser(w http.ResponseWriter, r *http.Request) {
+	data := new(userSelectionFormData)
+	authSession, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authSession, err)
+		return
+	}
+	if data.UserID == "0" {
+		l.renderLogin(w, r, authSession, nil)
+		return
+	}
+	err = l.authRepo.SelectUser(r.Context(), authSession.ID, data.UserID)
+	if err != nil {
+		l.renderError(w, r, authSession, err)
+		return
+	}
+	l.renderNextStep(w, r, authSession)
+}