feat: add hide password reset to login policy (#1806)

* feat: add hide password reset to login policy

* feat: tests

* feat: hide password reset in login

* feat: hide password reset to frontend

* feat: hide password reset to frontend

* feat: hide password reset to frontend

* feat: check feature

* feat: feature in frontend
Fabi
2021-06-03 11:53:30 +02:00
committed by GitHub
parent 3dba12c0d4
commit 8d163163f1
45 changed files with 246 additions and 23 deletions


@@ -21,6 +21,7 @@ type FeaturesWriteModel struct {
LoginPolicyPasswordless bool
LoginPolicyRegistration bool
LoginPolicyUsernameLogin bool
LoginPolicyPasswordReset bool
PasswordComplexityPolicy bool
LabelPolicy bool
CustomDomain bool
@@ -61,6 +62,9 @@ func (wm *FeaturesWriteModel) Reduce() error {
if e.LoginPolicyUsernameLogin != nil {
wm.LoginPolicyUsernameLogin = *e.LoginPolicyUsernameLogin
}
if e.LoginPolicyPasswordReset != nil {
wm.LoginPolicyPasswordReset = *e.LoginPolicyPasswordReset
}
if e.PasswordComplexityPolicy != nil {
wm.PasswordComplexityPolicy = *e.PasswordComplexityPolicy
}


@@ -39,6 +39,7 @@ func writeModelToLoginPolicy(wm *LoginPolicyWriteModel) *domain.LoginPolicy {
AllowUsernamePassword: wm.AllowUserNamePassword,
AllowRegister: wm.AllowRegister,
AllowExternalIDP: wm.AllowExternalIDP,
HidePasswordReset: wm.HidePasswordReset,
ForceMFA: wm.ForceMFA,
PasswordlessType: wm.PasswordlessType,
}


@@ -48,7 +48,7 @@ func (c *Commands) addDefaultLoginPolicy(ctx context.Context, iamAgg *eventstore
return nil, caos_errs.ThrowAlreadyExists(nil, "IAM-2B0ps", "Errors.IAM.LoginPolicy.AlreadyExists")
}
return iam_repo.NewLoginPolicyAddedEvent(ctx, iamAgg, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.PasswordlessType), nil
return iam_repo.NewLoginPolicyAddedEvent(ctx, iamAgg, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.HidePasswordReset, policy.PasswordlessType), nil
}
func (c *Commands) ChangeDefaultLoginPolicy(ctx context.Context, policy *domain.LoginPolicy) (*domain.LoginPolicy, error) {
@@ -77,7 +77,7 @@ func (c *Commands) changeDefaultLoginPolicy(ctx context.Context, iamAgg *eventst
if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved {
return nil, caos_errs.ThrowNotFound(nil, "IAM-M0sif", "Errors.IAM.LoginPolicy.NotFound")
}
changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, iamAgg, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.PasswordlessType)
changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, iamAgg, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.HidePasswordReset, policy.PasswordlessType)
if !hasChanged {
return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-5M9vdd", "Errors.IAM.LoginPolicy.NotChanged")
}
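Review bot: The calls to `NewLoginPolicyAddedEvent` and `NewChangedEvent` now pass five adjacent positional booleans, with `policy.HidePasswordReset` slotted in directly after `policy.ForceMFA`, so a transposed pair compiles cleanly and would quietly change whether MFA is enforced or whether reset is hidden. The same shape appears in the `setAllowedLoginPolicy` call and in the test helpers, where `newDefaultLoginPolicyChangedEvent` and `newLoginPolicyChangedEvent` do not even take their first two flags in the same order. As a minimum I would lay these calls out one argument per line, the way the `ChangeLoginPolicy` call in this commit already does; passing the `*domain.LoginPolicy` or a small options struct to the constructor would remove the ordering hazard altogether. Both functions start and end outside the hunks shown.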


@@ -58,7 +58,8 @@ func (wm *IAMLoginPolicyWriteModel) NewChangedEvent(
allowUsernamePassword,
allowRegister,
allowExternalIDP,
forceMFA bool,
forceMFA,
hidePasswordReset bool,
passwordlessType domain.PasswordlessType,
) (*iam.LoginPolicyChangedEvent, bool) {
@@ -78,6 +79,9 @@ func (wm *IAMLoginPolicyWriteModel) NewChangedEvent(
if passwordlessType.Valid() && wm.PasswordlessType != passwordlessType {
changes = append(changes, policy.ChangePasswordlessType(passwordlessType))
}
if wm.HidePasswordReset != hidePasswordReset {
changes = append(changes, policy.ChangeHidePasswordReset(hidePasswordReset))
}
if len(changes) == 0 {
return nil, false
}
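Review bot: The new `HidePasswordReset` comparison is appended after the `passwordlessType` check here, while the parameter list puts `hidePasswordReset` before `passwordlessType` and the `OrgLoginPolicyWriteModel.NewChangedEvent` hunk in this commit places the same comparison ahead of the `passwordlessType` check. Whether the order of `changes` affects the resulting event is not visible from here, but keeping both write models in signature order keeps the two functions comparable line by line and avoids a surprise if it ever does matter. I would move the block up so `if wm.HidePasswordReset != hidePasswordReset {` sits directly before `if passwordlessType.Valid() && ...`. The function body starts and ends outside the hunk.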


@@ -2,6 +2,8 @@ package command
import (
"context"
"testing"
"github.com/caos/zitadel/internal/domain"
caos_errs "github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/eventstore"
@@ -12,7 +14,6 @@ import (
"github.com/caos/zitadel/internal/repository/user"
"github.com/stretchr/testify/assert"
"testing"
)
func TestCommandSide_AddDefaultLoginPolicy(t *testing.T) {
@@ -46,6 +47,7 @@ func TestCommandSide_AddDefaultLoginPolicy(t *testing.T) {
true,
false,
false,
false,
domain.PasswordlessTypeAllowed,
),
),
@@ -79,6 +81,7 @@ func TestCommandSide_AddDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -93,6 +96,7 @@ func TestCommandSide_AddDefaultLoginPolicy(t *testing.T) {
AllowUsernamePassword: true,
AllowExternalIDP: true,
ForceMFA: true,
HidePasswordReset: true,
PasswordlessType: domain.PasswordlessTypeAllowed,
},
},
@@ -106,6 +110,7 @@ func TestCommandSide_AddDefaultLoginPolicy(t *testing.T) {
AllowUsernamePassword: true,
AllowExternalIDP: true,
ForceMFA: true,
HidePasswordReset: true,
PasswordlessType: domain.PasswordlessTypeAllowed,
},
},
@@ -180,6 +185,7 @@ func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -193,6 +199,7 @@ func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {
AllowUsernamePassword: true,
AllowExternalIDP: true,
ForceMFA: true,
HidePasswordReset: true,
PasswordlessType: domain.PasswordlessTypeAllowed,
},
},
@@ -213,6 +220,7 @@ func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -220,7 +228,7 @@ func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {
expectPush(
[]*repository.Event{
eventFromEventPusher(
newDefaultLoginPolicyChangedEvent(context.Background(), false, false, false, false, domain.PasswordlessTypeNotAllowed),
newDefaultLoginPolicyChangedEvent(context.Background(), false, false, false, false, false, domain.PasswordlessTypeNotAllowed),
),
},
),
@@ -233,6 +241,7 @@ func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {
AllowUsernamePassword: false,
AllowExternalIDP: false,
ForceMFA: false,
HidePasswordReset: false,
PasswordlessType: domain.PasswordlessTypeNotAllowed,
},
},
@@ -246,6 +255,7 @@ func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {
AllowUsernamePassword: false,
AllowExternalIDP: false,
ForceMFA: false,
HidePasswordReset: false,
PasswordlessType: domain.PasswordlessTypeNotAllowed,
},
},
@@ -345,6 +355,7 @@ func TestCommandSide_AddIDPProviderDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -496,6 +507,7 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -537,6 +549,7 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -583,6 +596,7 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -637,6 +651,7 @@ func TestCommandSide_RemoveIDPProviderDefaultLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -1181,7 +1196,7 @@ func TestCommandSide_RemoveMultiFactorDefaultLoginPolicy(t *testing.T) {
}
}
func newDefaultLoginPolicyChangedEvent(ctx context.Context, allowRegister, allowUsernamePassword, allowExternalIDP, forceMFA bool, passwordlessType domain.PasswordlessType) *iam.LoginPolicyChangedEvent {
func newDefaultLoginPolicyChangedEvent(ctx context.Context, allowRegister, allowUsernamePassword, allowExternalIDP, forceMFA, hidePasswordReset bool, passwordlessType domain.PasswordlessType) *iam.LoginPolicyChangedEvent {
event, _ := iam.NewLoginPolicyChangedEvent(ctx,
&iam.NewAggregate().Aggregate,
[]policy.LoginPolicyChanges{
@@ -1189,6 +1204,7 @@ func newDefaultLoginPolicyChangedEvent(ctx context.Context, allowRegister, allow
policy.ChangeAllowExternalIDP(allowExternalIDP),
policy.ChangeForceMFA(forceMFA),
policy.ChangeAllowUserNamePassword(allowUsernamePassword),
policy.ChangeHidePasswordReset(hidePasswordReset),
policy.ChangePasswordlessType(passwordlessType),
},
)
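Review bot: The `ChangeDefaultLoginPolicy` fixtures touched here set the new flag to the same value as its neighbours (stored policy all `true`, expected `newDefaultLoginPolicyChangedEvent(context.Background(), false, false, false, false, false, ...)`), so a swapped `forceMFA`/`hidePasswordReset` argument anywhere along the call chain would still pass. I would add one case where only `HidePasswordReset` differs from the stored policy and the expected pushed event carries just `policy.ChangeHidePasswordReset(true)`. The org login-policy and org-features test sections in this commit follow the same all-equal pattern in their visible hunks and would benefit from the same case. The helper at the end of this section continues outside the hunk.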


@@ -31,6 +31,7 @@ func (c *Commands) SetOrgFeatures(ctx context.Context, resourceOwner string, fea
features.LoginPolicyPasswordless,
features.LoginPolicyRegistration,
features.LoginPolicyUsernameLogin,
features.LoginPolicyPasswordReset,
features.PasswordComplexityPolicy,
features.LabelPolicy,
features.CustomDomain,
@@ -165,7 +166,10 @@ func (c *Commands) setAllowedLoginPolicy(ctx context.Context, orgID string, feat
if !features.LoginPolicyUsernameLogin && defaultPolicy.AllowUsernamePassword != existingPolicy.AllowUserNamePassword {
policy.AllowUserNamePassword = defaultPolicy.AllowUsernamePassword
}
changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, OrgAggregateFromWriteModel(&existingPolicy.WriteModel), policy.AllowUserNamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.PasswordlessType)
if !features.LoginPolicyPasswordReset && defaultPolicy.HidePasswordReset != existingPolicy.HidePasswordReset {
policy.HidePasswordReset = defaultPolicy.HidePasswordReset
}
changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, OrgAggregateFromWriteModel(&existingPolicy.WriteModel), policy.AllowUserNamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.HidePasswordReset, policy.PasswordlessType)
if hasChanged {
events = append(events, changedEvent)
}


@@ -67,6 +67,7 @@ func (wm *OrgFeaturesWriteModel) NewSetEvent(
loginPolicyPasswordless,
loginPolicyRegistration,
loginPolicyUsernameLogin,
loginPolicyPasswordReset,
passwordComplexityPolicy,
labelPolicy,
customDomain bool,
@@ -104,6 +105,9 @@ func (wm *OrgFeaturesWriteModel) NewSetEvent(
if wm.LoginPolicyUsernameLogin != loginPolicyUsernameLogin {
changes = append(changes, features.ChangeLoginPolicyUsernameLogin(loginPolicyUsernameLogin))
}
if wm.LoginPolicyPasswordReset != loginPolicyPasswordReset {
changes = append(changes, features.ChangeLoginPolicyPasswordReset(loginPolicyPasswordReset))
}
if wm.PasswordComplexityPolicy != passwordComplexityPolicy {
changes = append(changes, features.ChangePasswordComplexityPolicy(passwordComplexityPolicy))
}


@@ -54,6 +54,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
LoginPolicyPasswordless: false,
LoginPolicyRegistration: false,
LoginPolicyUsernameLogin: false,
LoginPolicyPasswordReset: false,
PasswordComplexityPolicy: false,
LabelPolicy: false,
CustomDomain: false,
@@ -87,6 +88,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
LoginPolicyPasswordless: false,
LoginPolicyRegistration: false,
LoginPolicyUsernameLogin: false,
LoginPolicyPasswordReset: false,
PasswordComplexityPolicy: false,
LabelPolicy: false,
CustomDomain: false,
@@ -111,6 +113,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
false,
false,
false,
false,
domain.PasswordlessTypeAllowed,
),
),
@@ -191,6 +194,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
LoginPolicyPasswordless: false,
LoginPolicyRegistration: false,
LoginPolicyUsernameLogin: false,
LoginPolicyPasswordReset: false,
PasswordComplexityPolicy: false,
LabelPolicy: false,
CustomDomain: false,
@@ -217,6 +221,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
false,
false,
false,
false,
domain.PasswordlessTypeAllowed,
),
),
@@ -325,6 +330,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
LoginPolicyPasswordless: false,
LoginPolicyRegistration: false,
LoginPolicyUsernameLogin: false,
LoginPolicyPasswordReset: false,
PasswordComplexityPolicy: false,
LabelPolicy: false,
CustomDomain: false,
@@ -351,6 +357,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
false,
false,
false,
false,
domain.PasswordlessTypeAllowed,
),
),
@@ -469,6 +476,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
LoginPolicyPasswordless: false,
LoginPolicyRegistration: false,
LoginPolicyUsernameLogin: false,
LoginPolicyPasswordReset: false,
PasswordComplexityPolicy: false,
LabelPolicy: false,
CustomDomain: false,
@@ -495,6 +503,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
false,
false,
false,
false,
domain.PasswordlessTypeAllowed,
),
),
@@ -623,6 +632,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
LoginPolicyPasswordless: false,
LoginPolicyRegistration: false,
LoginPolicyUsernameLogin: false,
LoginPolicyPasswordReset: false,
PasswordComplexityPolicy: false,
LabelPolicy: false,
CustomDomain: false,
@@ -653,6 +663,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -664,6 +675,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
@@ -678,6 +690,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -790,7 +803,7 @@ func TestCommandSide_SetOrgFeatures(t *testing.T) {
org.NewLoginPolicyMultiFactorAddedEvent(context.Background(), &org.NewAggregate("org1", "org1").Aggregate, domain.MultiFactorTypeU2FWithPIN),
),
eventFromEventPusher(
newLoginPolicyChangedEvent(context.Background(), "org1", true, true, true, true, domain.PasswordlessTypeAllowed),
newLoginPolicyChangedEvent(context.Background(), "org1", true, true, true, true, true, domain.PasswordlessTypeAllowed),
),
eventFromEventPusher(
org.NewPasswordComplexityPolicyRemovedEvent(context.Background(), &org.NewAggregate("org1", "org1").Aggregate),
@@ -920,6 +933,7 @@ func TestCommandSide_RemoveOrgFeatures(t *testing.T) {
false,
false,
false,
false,
domain.PasswordlessTypeAllowed,
),
),


@@ -42,6 +42,7 @@ func (c *Commands) AddLoginPolicy(ctx context.Context, resourceOwner string, pol
policy.AllowRegister,
policy.AllowExternalIDP,
policy.ForceMFA,
policy.HidePasswordReset,
policy.PasswordlessType))
if err != nil {
return nil, err
@@ -81,7 +82,16 @@ func (c *Commands) ChangeLoginPolicy(ctx context.Context, resourceOwner string,
}
orgAgg := OrgAggregateFromWriteModel(&existingPolicy.LoginPolicyWriteModel.WriteModel)
changedEvent, hasChanged := existingPolicy.NewChangedEvent(ctx, orgAgg, policy.AllowUsernamePassword, policy.AllowRegister, policy.AllowExternalIDP, policy.ForceMFA, policy.PasswordlessType)
changedEvent, hasChanged := existingPolicy.NewChangedEvent(
ctx,
orgAgg,
policy.AllowUsernamePassword,
policy.AllowRegister,
policy.AllowExternalIDP,
policy.ForceMFA,
policy.HidePasswordReset,
policy.PasswordlessType)
if !hasChanged {
return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-5M9vdd", "Errors.Org.LoginPolicy.NotChanged")
}
@@ -118,6 +128,9 @@ func (c *Commands) checkLoginPolicyAllowed(ctx context.Context, resourceOwner st
if defaultPolicy.AllowUsernamePassword != policy.AllowUsernamePassword {
requiredFeatures = append(requiredFeatures, domain.FeatureLoginPolicyUsernameLogin)
}
if defaultPolicy.HidePasswordReset != policy.HidePasswordReset {
requiredFeatures = append(requiredFeatures, domain.FeatureLoginPolicyPasswordReset)
}
return authz.CheckOrgFeatures(ctx, c.tokenVerifier, resourceOwner, requiredFeatures...)
}
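Review bot: `HidePasswordReset` is feature-gated and persisted here like an access-control setting, but the name and the commit message describe hiding the option in the login UI, and nothing in the sections visible on this page shows the password-reset request itself being refused when the flag is set. If the intent is that users of such an org cannot reset a password through the login at all, the reset handler needs to consult the same policy; if the flag is presentation-only, that should be stated where the field is declared, for example `// HidePasswordReset only removes the reset link from the login UI; the reset request itself is not disabled.` Either way an administrator reading the policy should be able to tell which guarantee they are getting. The handler may be among the changed files not shown here, and `checkLoginPolicyAllowed` starts outside the hunk.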


@@ -61,7 +61,8 @@ func (wm *OrgLoginPolicyWriteModel) NewChangedEvent(
allowUsernamePassword,
allowRegister,
allowExternalIDP,
forceMFA bool,
forceMFA,
hidePasswordReset bool,
passwordlessType domain.PasswordlessType,
) (*org.LoginPolicyChangedEvent, bool) {
@@ -78,6 +79,9 @@ func (wm *OrgLoginPolicyWriteModel) NewChangedEvent(
if wm.ForceMFA != forceMFA {
changes = append(changes, policy.ChangeForceMFA(forceMFA))
}
if wm.HidePasswordReset != hidePasswordReset {
changes = append(changes, policy.ChangeHidePasswordReset(hidePasswordReset))
}
if passwordlessType.Valid() && wm.PasswordlessType != passwordlessType {
changes = append(changes, policy.ChangePasswordlessType(passwordlessType))
}


@@ -70,6 +70,7 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -105,6 +106,7 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -141,6 +143,7 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -154,6 +157,7 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -170,6 +174,7 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
AllowUsernamePassword: true,
AllowExternalIDP: true,
ForceMFA: true,
HidePasswordReset: true,
PasswordlessType: domain.PasswordlessTypeAllowed,
},
},
@@ -183,6 +188,7 @@ func TestCommandSide_AddLoginPolicy(t *testing.T) {
AllowUsernamePassword: true,
AllowExternalIDP: true,
ForceMFA: true,
HidePasswordReset: true,
PasswordlessType: domain.PasswordlessTypeAllowed,
},
},
@@ -285,6 +291,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -297,6 +304,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -332,6 +340,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -344,6 +353,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -359,6 +369,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
AllowUsernamePassword: true,
AllowExternalIDP: true,
ForceMFA: true,
HidePasswordReset: true,
PasswordlessType: domain.PasswordlessTypeAllowed,
},
},
@@ -379,6 +390,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -391,6 +403,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
false,
false,
false,
false,
domain.PasswordlessTypeNotAllowed,
),
),
@@ -398,7 +411,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
expectPush(
[]*repository.Event{
eventFromEventPusher(
newLoginPolicyChangedEvent(context.Background(), "org1", false, false, false, false, domain.PasswordlessTypeNotAllowed),
newLoginPolicyChangedEvent(context.Background(), "org1", false, false, false, false, false, domain.PasswordlessTypeNotAllowed),
),
},
),
@@ -426,6 +439,7 @@ func TestCommandSide_ChangeLoginPolicy(t *testing.T) {
AllowUsernamePassword: false,
AllowExternalIDP: false,
ForceMFA: false,
HidePasswordReset: false,
PasswordlessType: domain.PasswordlessTypeNotAllowed,
},
},
@@ -512,6 +526,7 @@ func TestCommandSide_RemoveLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -655,6 +670,7 @@ func TestCommandSide_AddIDPProviderLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -839,6 +855,7 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -882,6 +899,7 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -932,6 +950,7 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -990,6 +1009,7 @@ func TestCommandSide_RemoveIDPProviderLoginPolicy(t *testing.T) {
true,
true,
true,
true,
domain.PasswordlessTypeAllowed,
),
),
@@ -1600,7 +1620,7 @@ func TestCommandSide_RemoveMultiFactorLoginPolicy(t *testing.T) {
}
}
func newLoginPolicyChangedEvent(ctx context.Context, orgID string, usernamePassword, register, externalIDP, mfa bool, passwordlessType domain.PasswordlessType) *org.LoginPolicyChangedEvent {
func newLoginPolicyChangedEvent(ctx context.Context, orgID string, usernamePassword, register, externalIDP, mfa, passwordReset bool, passwordlessType domain.PasswordlessType) *org.LoginPolicyChangedEvent {
event, _ := org.NewLoginPolicyChangedEvent(ctx,
&org.NewAggregate(orgID, orgID).Aggregate,
[]policy.LoginPolicyChanges{
@@ -1608,6 +1628,7 @@ func newLoginPolicyChangedEvent(ctx context.Context, orgID string, usernamePassw
policy.ChangeAllowRegister(register),
policy.ChangeAllowExternalIDP(externalIDP),
policy.ChangeForceMFA(mfa),
policy.ChangeHidePasswordReset(passwordReset),
policy.ChangePasswordlessType(passwordlessType),
},
)


@@ -13,6 +13,7 @@ type LoginPolicyWriteModel struct {
AllowRegister bool
AllowExternalIDP bool
ForceMFA bool
HidePasswordReset bool
PasswordlessType domain.PasswordlessType
State domain.PolicyState
}
@@ -26,6 +27,7 @@ func (wm *LoginPolicyWriteModel) Reduce() error {
wm.AllowExternalIDP = e.AllowExternalIDP
wm.ForceMFA = e.ForceMFA
wm.PasswordlessType = e.PasswordlessType
wm.HidePasswordReset = e.HidePasswordReset
wm.State = domain.PolicyStateActive
case *policy.LoginPolicyChangedEvent:
if e.AllowRegister != nil {
@@ -40,6 +42,9 @@ func (wm *LoginPolicyWriteModel) Reduce() error {
if e.ForceMFA != nil {
wm.ForceMFA = *e.ForceMFA
}
if e.HidePasswordReset != nil {
wm.HidePasswordReset = *e.HidePasswordReset
}
if e.PasswordlessType != nil {
wm.PasswordlessType = *e.PasswordlessType
}