fix(login): prevent init mail on idp registration (#7895)

2025-08-12 03:37:34 +00:00 · 2024-05-03 09:23:40 +02:00
parent b72ecf69f3
commit 900894161f
9 changed files with 204 additions and 35 deletions
--- a/internal/command/user_v2_human_test.go
+++ b/internal/command/user_v2_human_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	id_mock "github.com/zitadel/zitadel/internal/id/mock"
+	"github.com/zitadel/zitadel/internal/repository/idp"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -492,6 +493,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 							1*time.Hour,
 							"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}",
 							false,
+							"",
 						),
 					),
 				),
@@ -565,6 +567,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 							1*time.Hour,
 							"",
 							true,
+							"",
 						),
 					),
 				),
@@ -1224,6 +1227,173 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 				wantID: "user1",
 			},
 		},
+		{
+			name: "register human with idp, unverified email, allow init mail, ok (verify mail)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewDomainPolicyAddedEvent(context.Background(),
+								&userAgg.Aggregate,
+								true,
+								true,
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewGoogleIDPAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"idpID",
+								"google",
+								"clientID",
+								nil,
+								[]string{"openid"},
+								idp.Options{},
+							),
+						),
+					),
+					expectPush(
+						newRegisterHumanEvent("email@test.ch", "", false, true, "", language.English),
+						user.NewHumanEmailCodeAddedEvent(
+							context.Background(),
+							&userAgg.Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("mailVerify"),
+							},
+							time.Hour,
+							"authRequestID",
+						),
+						user.NewUserIDPLinkAddedEvent(
+							context.Background(),
+							&userAgg.Aggregate,
+							"idpID",
+							"displayName",
+							"externalID",
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				newCode:         mockEncryptedCode("mailVerify", time.Hour),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				human: &AddHuman{
+					Username:  "email@test.ch",
+					FirstName: "firstname",
+					LastName:  "lastname",
+					Email: Email{
+						Address: "email@test.ch",
+					},
+					PreferredLanguage: language.English,
+					Register:          true,
+					Links: []*AddLink{
+						{
+							IDPID:         "idpID",
+							DisplayName:   "displayName",
+							IDPExternalID: "externalID",
+						},
+					},
+					AuthRequestID: "authRequestID",
+				},
+				secretGenerator: GetMockSecretGenerator(t),
+				allowInitMail:   true,
+				codeAlg:         crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				wantID: "user1",
+			},
+		},
+		{
+			name: "register human with idp, verified email, ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewDomainPolicyAddedEvent(context.Background(),
+								&userAgg.Aggregate,
+								true,
+								true,
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewGoogleIDPAddedEvent(context.Background(),
+								&org.NewAggregate("org1").Aggregate,
+								"idpID",
+								"google",
+								"clientID",
+								nil,
+								[]string{"openid"},
+								idp.Options{},
+							),
+						),
+					),
+					expectPush(
+						newRegisterHumanEvent("email@test.ch", "", false, true, "", language.English),
+						user.NewHumanEmailVerifiedEvent(
+							context.Background(),
+							&userAgg.Aggregate,
+						),
+						user.NewUserIDPLinkAddedEvent(
+							context.Background(),
+							&userAgg.Aggregate,
+							"idpID",
+							"displayName",
+							"externalID",
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				newCode:         mockEncryptedCode("mailVerify", time.Hour),
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				human: &AddHuman{
+					Username:  "email@test.ch",
+					FirstName: "firstname",
+					LastName:  "lastname",
+					Email: Email{
+						Address:  "email@test.ch",
+						Verified: true,
+					},
+					PreferredLanguage: language.English,
+					Register:          true,
+					Links: []*AddLink{
+						{
+							IDPID:         "idpID",
+							DisplayName:   "displayName",
+							IDPExternalID: "externalID",
+						},
+					},
+					AuthRequestID: "authRequestID",
+				},
+				secretGenerator: GetMockSecretGenerator(t),
+				allowInitMail:   false,
+				codeAlg:         crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				wantID: "user1",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1566,6 +1736,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 							time.Hour,
 							"",
 							false,
+							"",
 						),
 					),
 				),
@@ -1745,6 +1916,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 							time.Hour,
 							"",
 							true,
+							"",
 						),
 					),
 				),