feat: Login, OP Support and Auth Queries (#177)

* fix: change oidc config * fix: change oidc config secret * begin models * begin repo * fix: implement grpc app funcs * fix: add application requests * fix: converter * fix: converter * fix: converter and generate clientid * fix: tests * feat: project grant aggregate * feat: project grant * fix: project grant check if role existing * fix: project grant requests * fix: project grant fixes * fix: project grant member model * fix: project grant member aggregate * fix: project grant member eventstore * fix: project grant member requests * feat: user model * begin repo * repo models and more * feat: user command side * lots of functions * user command side * profile requests * commit before rebase on user * save * local config with gopass and more * begin new auth command (user centric) * Update internal/user/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/address.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/address.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/email.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/mfa.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/mfa.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/password.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/phone.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/model/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/model/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/usergrant/repository/eventsourcing/user_grant.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/user_test.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * Update internal/user/repository/eventsourcing/eventstore_mock_test.go Co-Authored-By: Livio Amstutz <livio.a@gmail.com> * changes from mr review * save files into basedir * changes from mr review * changes from mr review * move to auth request * Update internal/usergrant/repository/eventsourcing/cache.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/usergrant/repository/eventsourcing/cache.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * changes requested on mr * fix generate codes * fix return if no events * password code * email verification step * more steps * lot of mfa * begin tests * more next steps * auth api * auth api (user) * auth api (user) * auth api (user) * differ requests * merge * tests * fix compilation error * mock for id generator * Update internal/user/repository/eventsourcing/model/password.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * Update internal/user/repository/eventsourcing/model/user.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * requests of mr * check email * begin separation of command and query * otp * change packages * some cleanup and fixes * tests for auth request / next steps * add VerificationLifetimes to config and make it run * tests * fix code challenge validation * cleanup * fix merge * begin view * repackaging tests and configs * fix startup config for auth * add migration * add PromptSelectAccount * fix copy / paste * remove user_agent files * fixes * fix sequences in user_session * token commands * token queries and signout * fix * fix set password test * add token handler and table * handle session init * add session state * add user view test cases * change VerifyMyMfaOTP * some fixes * fix user repo in auth api * cleanup * add user session view test * fix merge * begin oidc * user agent and more * config * keys * key command and query * add login statics * key handler * start login * login handlers * lot of fixes * merge oidc * add missing exports * add missing exports * fix some bugs * authrequestid in htmls * getrequest * update auth request * fix userid check * add username to authrequest * fix user session and auth request handling * fix UserSessionsByAgentID * fix auth request tests * fix user session on UserPasswordChanged and MfaOtpRemoved * fix MfaTypesSetupPossible * handle mfa * fill username * auth request query checks new events * fix userSessionByIDs * fix tokens * fix userSessionByIDs test * add user selection * init code * user code creation date * add init user step * add verification failed types * add verification failures * verify init code * user init code handle * user init code handle * fix userSessionByIDs * update logging * user agent cookie * browserinfo from request * add DeleteAuthRequest * add static login files to binary * add login statik to build * move generate to separate file and remove statik.go files * remove static dirs from startup.yaml * generate into separate namespaces * merge master * auth request code * auth request type mapping * fix keys * improve tokens * improve register and basic styling * fix ailerons font * improve password reset * add audience to token * all oidc apps as audience * fix test nextStep * fix email texts * remove "not set" * lot of style changes * improve copy to clipboard * fix footer * add cookie handler * remove placeholders * fix compilation after merge * fix auth config * remove comments * typo * use new secrets store * change default pws to match default policy * fixes * add todo * enable login * fix db name * Auth queries (#179) * my usersession * org structure/ auth handlers * working user grant spooler * auth internal user grants * search my project orgs * remove permissions file * my zitadel permissions * my zitadel permissions * remove unused code * authz * app searches in view * token verification * fix user grant load * fix tests * fix tests * read configs * remove unused const * remove todos * env variables * app_name * working authz * search projects * global resourceowner * Update internal/api/auth/permissions.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/api/auth/permissions.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * model2 rename * at least it works * check token expiry * search my user grants * remove token table from authz Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix test * fix ports and enable console Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
2025-08-12 10:57:35 +00:00 · 2020-06-05 07:50:04 +02:00
parent 46b60a6968
commit 8a5badddf6
293 changed files with 14189 additions and 3176 deletions
--- a/internal/user/repository/view/model/user.go
+++ b/internal/user/repository/view/model/user.go
@@ -54,6 +54,7 @@ type UserView struct {
 	OTPState               int32     `json:"-" gorm:"column:otp_state"`
 	MfaMaxSetUp            int32     `json:"-" gorm:"column:mfa_max_set_up"`
 	MfaInitSkipped         time.Time `json:"-" gorm:"column:mfa_init_skipped"`
+	InitRequired           bool      `json:"-" gorm:"column:init_required"`
 	Sequence               uint64    `json:"-" gorm:"column:sequence"`
 }

@@ -87,6 +88,7 @@ func UserFromModel(user *model.UserView) *UserView {
 		OTPState:               int32(user.OTPState),
 		MfaMaxSetUp:            int32(user.MfaMaxSetUp),
 		MfaInitSkipped:         user.MfaInitSkipped,
+		InitRequired:           user.InitRequired,
 		Sequence:               user.Sequence,
 	}
 }
@@ -121,6 +123,7 @@ func UserToModel(user *UserView) *model.UserView {
 		OTPState:               model.MfaState(user.OTPState),
 		MfaMaxSetUp:            req_model.MfaLevel(user.MfaMaxSetUp),
 		MfaInitSkipped:         user.MfaInitSkipped,
+		InitRequired:           user.InitRequired,
 		Sequence:               user.Sequence,
 	}
 }
@@ -177,6 +180,10 @@ func (u *UserView) AppendEvent(event *models.Event) (err error) {
 		u.OTPState = int32(model.MFASTATE_UNSPECIFIED)
 	case es_model.MfaInitSkipped:
 		u.MfaInitSkipped = event.CreationDate
+	case es_model.InitializedUserCodeAdded:
+		u.InitRequired = true
+	case es_model.InitializedUserCheckSucceeded:
+		u.InitRequired = false
 	}
 	u.ComputeObject()
 	return err
@@ -203,6 +210,7 @@ func (u *UserView) setPasswordData(event *models.Event) error {
 	}
 	u.PasswordSet = password.Secret != nil
 	u.PasswordChangeRequired = password.ChangeRequired
+	u.PasswordChanged = event.CreationDate
 	return nil
 }

--- a/internal/user/repository/view/model/user_session.go
+++ b/internal/user/repository/view/model/user_session.go
@@ -14,7 +14,6 @@ import (
 )

 const (
-	UserSessionKeySessionID     = "id"
 	UserSessionKeyUserAgentID   = "user_agent_id"
 	UserSessionKeyUserID        = "user_id"
 	UserSessionKeyState         = "state"
@@ -22,18 +21,19 @@ const (
 )

 type UserSessionView struct {
-	ID                      string    `json:"-" gorm:"column:id;primary_key"`
-	CreationDate            time.Time `json:"-" gorm:"column:creation_date"`
-	ChangeDate              time.Time `json:"-" gorm:"column:change_date"`
-	ResourceOwner           string    `json:"-" gorm:"column:resource_owner"`
-	State                   int32     `json:"-" gorm:"column:state"`
-	UserAgentID             string    `json:"userAgentID" gorm:"column:user_agent_id"`
-	UserID                  string    `json:"userID" gorm:"column:user_id"`
-	UserName                string    `json:"userName" gorm:"column:user_name"`
-	PasswordVerification    time.Time `json:"-" gorm:"column:password_verification"`
-	MfaSoftwareVerification time.Time `json:"-" gorm:"column:mfa_software_verification"`
-	MfaHardwareVerification time.Time `json:"-" gorm:"column:mfa_hardware_verification"`
-	Sequence                uint64    `json:"-" gorm:"column:sequence"`
+	CreationDate                time.Time `json:"-" gorm:"column:creation_date"`
+	ChangeDate                  time.Time `json:"-" gorm:"column:change_date"`
+	ResourceOwner               string    `json:"-" gorm:"column:resource_owner"`
+	State                       int32     `json:"-" gorm:"column:state"`
+	UserAgentID                 string    `json:"userAgentID" gorm:"column:user_agent_id;primary_key"`
+	UserID                      string    `json:"userID" gorm:"column:user_id;primary_key"`
+	UserName                    string    `json:"userName" gorm:"column:user_name"`
+	PasswordVerification        time.Time `json:"-" gorm:"column:password_verification"`
+	MfaSoftwareVerification     time.Time `json:"-" gorm:"column:mfa_software_verification"`
+	MfaSoftwareVerificationType int32     `json:"-" gorm:"column:mfa_software_verification_type"`
+	MfaHardwareVerification     time.Time `json:"-" gorm:"column:mfa_hardware_verification"`
+	MfaHardwareVerificationType int32     `json:"-" gorm:"column:mfa_hardware_verification_type"`
+	Sequence                    uint64    `json:"-" gorm:"column:sequence"`
 }

 func UserSessionFromEvent(event *models.Event) (*UserSessionView, error) {
@@ -47,18 +47,19 @@ func UserSessionFromEvent(event *models.Event) (*UserSessionView, error) {

 func UserSessionToModel(userSession *UserSessionView) *model.UserSessionView {
 	return &model.UserSessionView{
-		ID:                      userSession.ID,
-		ChangeDate:              userSession.ChangeDate,
-		CreationDate:            userSession.CreationDate,
-		ResourceOwner:           userSession.ResourceOwner,
-		State:                   req_model.UserSessionState(userSession.State),
-		UserAgentID:             userSession.UserAgentID,
-		UserID:                  userSession.UserID,
-		UserName:                userSession.UserName,
-		PasswordVerification:    userSession.PasswordVerification,
-		MfaSoftwareVerification: userSession.MfaSoftwareVerification,
-		MfaHardwareVerification: userSession.MfaHardwareVerification,
-		Sequence:                userSession.Sequence,
+		ChangeDate:                  userSession.ChangeDate,
+		CreationDate:                userSession.CreationDate,
+		ResourceOwner:               userSession.ResourceOwner,
+		State:                       req_model.UserSessionState(userSession.State),
+		UserAgentID:                 userSession.UserAgentID,
+		UserID:                      userSession.UserID,
+		UserName:                    userSession.UserName,
+		PasswordVerification:        userSession.PasswordVerification,
+		MfaSoftwareVerification:     userSession.MfaSoftwareVerification,
+		MfaSoftwareVerificationType: req_model.MfaType(userSession.MfaSoftwareVerificationType),
+		MfaHardwareVerification:     userSession.MfaHardwareVerification,
+		MfaHardwareVerificationType: req_model.MfaType(userSession.MfaHardwareVerificationType),
+		Sequence:                    userSession.Sequence,
 	}
 }

@@ -80,6 +81,7 @@ func (v *UserSessionView) AppendEvent(event *models.Event) {
 		v.PasswordVerification = time.Time{}
 	case es_model.MfaOtpCheckSucceeded:
 		v.MfaSoftwareVerification = event.CreationDate
+		v.MfaSoftwareVerificationType = int32(req_model.MfaTypeOTP)
 	case es_model.MfaOtpCheckFailed,
 		es_model.MfaOtpRemoved:
 		v.MfaSoftwareVerification = time.Time{}
--- a/internal/user/repository/view/model/user_session_query.go
+++ b/internal/user/repository/view/model/user_session_query.go
@@ -51,8 +51,6 @@ func (req UserSessionSearchQuery) GetValue() interface{} {

 func (key UserSessionSearchKey) ToColumnName() string {
 	switch usr_model.UserSessionSearchKey(key) {
-	case usr_model.USERSESSIONSEARCHKEY_SESSION_ID:
-		return UserSessionKeySessionID
 	case usr_model.USERSESSIONSEARCHKEY_USER_AGENT_ID:
 		return UserSessionKeyUserAgentID
 	case usr_model.USERSESSIONSEARCHKEY_USER_ID:
--- a/internal/user/repository/view/user_session_view.go
+++ b/internal/user/repository/view/user_session_view.go
@@ -9,13 +9,6 @@ import (
 	"github.com/caos/zitadel/internal/view"
 )

-func UserSessionByID(db *gorm.DB, table, sessionID string) (*model.UserSessionView, error) {
-	userSession := new(model.UserSessionView)
-	query := view.PrepareGetByKey(table, model.UserSessionSearchKey(usr_model.USERSESSIONSEARCHKEY_SESSION_ID), sessionID)
-	err := query(db, userSession)
-	return userSession, err
-}
-
 func UserSessionByIDs(db *gorm.DB, table, agentID, userID string) (*model.UserSessionView, error) {
 	userSession := new(model.UserSessionView)
 	userAgentQuery := model.UserSessionSearchQuery{
@@ -33,6 +26,20 @@ func UserSessionByIDs(db *gorm.DB, table, agentID, userID string) (*model.UserSe
 	return userSession, err
 }

+func UserSessionsByUserID(db *gorm.DB, table, userID string) ([]*model.UserSessionView, error) {
+	userSessions := make([]*model.UserSessionView, 0)
+	userAgentQuery := &usr_model.UserSessionSearchQuery{
+		Key:    usr_model.USERSESSIONSEARCHKEY_USER_ID,
+		Method: global_model.SEARCHMETHOD_EQUALS,
+		Value:  userID,
+	}
+	query := view.PrepareSearchQuery(table, model.UserSessionSearchRequest{
+		Queries: []*usr_model.UserSessionSearchQuery{userAgentQuery},
+	})
+	_, err := query(db, &userSessions)
+	return userSessions, err
+}
+
 func UserSessionsByAgentID(db *gorm.DB, table, agentID string) ([]*model.UserSessionView, error) {
 	userSessions := make([]*model.UserSessionView, 0)
 	userAgentQuery := &usr_model.UserSessionSearchQuery{
@@ -43,7 +50,7 @@ func UserSessionsByAgentID(db *gorm.DB, table, agentID string) ([]*model.UserSes
 	query := view.PrepareSearchQuery(table, model.UserSessionSearchRequest{
 		Queries: []*usr_model.UserSessionSearchQuery{userAgentQuery},
 	})
-	_, err := query(db, userSessions)
+	_, err := query(db, &userSessions)
 	return userSessions, err
 }