feat(api): add and remove OTP (SMS and email) (#6295)

* refactor: rename otp to totp

* feat: add otp sms and email

* implement tests

internal/api/grpc/user/converter.go

@@ -197,7 +197,7 @@ func AuthMethodToPb(mfa *query.AuthMethod) *user_pb.AuthFactor {
 		State: MFAStateToPb(mfa.State),
 	}
 	switch mfa.Type {
-	case domain.UserAuthMethodTypeOTP:
+	case domain.UserAuthMethodTypeTOTP:
 		factor.Type = &user_pb.AuthFactor_Otp{
 			Otp: &user_pb.AuthFactorOTP{},
 		}
@@ -208,6 +208,14 @@ func AuthMethodToPb(mfa *query.AuthMethod) *user_pb.AuthFactor {
 				Name: mfa.Name,
 			},
 		}
+	case domain.UserAuthMethodTypeOTPSMS:
+		factor.Type = &user_pb.AuthFactor_OtpSms{
+			OtpSms: &user_pb.AuthFactorOTPSMS{},
+		}
+	case domain.UserAuthMethodTypeOTPEmail:
+		factor.Type = &user_pb.AuthFactor_OtpEmail{
+			OtpEmail: &user_pb.AuthFactorOTPEmail{},
+		}
 	}
 	return factor
 }

internal/api/grpc/user/v2/otp.go

@@ -0,0 +1,43 @@
+package user
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func (s *Server) AddOTPSMS(ctx context.Context, req *user.AddOTPSMSRequest) (*user.AddOTPSMSResponse, error) {
+	details, err := s.command.AddHumanOTPSMS(ctx, req.GetUserId(), authz.GetCtxData(ctx).ResourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	return &user.AddOTPSMSResponse{Details: object.DomainToDetailsPb(details)}, nil
+
+}
+
+func (s *Server) RemoveOTPSMS(ctx context.Context, req *user.RemoveOTPSMSRequest) (*user.RemoveOTPSMSResponse, error) {
+	objectDetails, err := s.command.RemoveHumanOTPSMS(ctx, req.GetUserId(), authz.GetCtxData(ctx).ResourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	return &user.RemoveOTPSMSResponse{Details: object.DomainToDetailsPb(objectDetails)}, nil
+}
+
+func (s *Server) AddOTPEmail(ctx context.Context, req *user.AddOTPEmailRequest) (*user.AddOTPEmailResponse, error) {
+	details, err := s.command.AddHumanOTPEmail(ctx, req.GetUserId(), authz.GetCtxData(ctx).ResourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	return &user.AddOTPEmailResponse{Details: object.DomainToDetailsPb(details)}, nil
+
+}
+
+func (s *Server) RemoveOTPEmail(ctx context.Context, req *user.RemoveOTPEmailRequest) (*user.RemoveOTPEmailResponse, error) {
+	objectDetails, err := s.command.RemoveHumanOTPEmail(ctx, req.GetUserId(), authz.GetCtxData(ctx).ResourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	return &user.RemoveOTPEmailResponse{Details: object.DomainToDetailsPb(objectDetails)}, nil
+}

internal/api/grpc/user/v2/otp_integration_test.go

@@ -0,0 +1,302 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func TestServer_AddOTPSMS(t *testing.T) {
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, userID)
+	_, sessionToken, _, _ := Tester.CreatePasskeySession(t, CTX, userID)
+
+	// TODO: add when phone can be added to user
+	/*
+		userIDPhone := Tester.CreateHumanUser(CTX).GetUserId()
+		Tester.RegisterUserPasskey(CTX, userIDPhone)
+		_, sessionTokenPhone, _, _ := Tester.CreatePasskeySession(t, CTX, userIDPhone)
+	*/
+	type args struct {
+		ctx context.Context
+		req *user.AddOTPSMSRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *user.AddOTPSMSResponse
+		wantErr bool
+	}{
+		{
+			name: "missing user id",
+			args: args{
+				ctx: CTX,
+				req: &user.AddOTPSMSRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user mismatch",
+			args: args{
+				ctx: CTX,
+				req: &user.AddOTPSMSRequest{
+					UserId: "wrong",
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone not verified",
+			args: args{
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionToken),
+				req: &user.AddOTPSMSRequest{
+					UserId: userID,
+				},
+			},
+			wantErr: true,
+		},
+		// TODO: add when phone can be added to user
+		/*
+			{
+				name: "add success",
+				args: args{
+					ctx: Tester.WithAuthorizationToken(context.Background(), sessionTokenPhone),
+					req: &user.AddOTPSMSRequest{
+						UserId: userID,
+					},
+				},
+				want: &user.AddOTPSMSResponse{
+					Details: &object.Details{
+						ResourceOwner: Tester.Organisation.ID,
+					},
+				},
+			},
+		*/
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.AddOTPSMS(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, got)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_RemoveOTPSMS(t *testing.T) {
+	// TODO: add when phone can be added to user
+	/*
+		userID := Tester.CreateHumanUser(CTX).GetUserId()
+		Tester.RegisterUserPasskey(CTX, userID)
+		_, sessionToken, _, _ := Tester.CreatePasskeySession(t, CTX, userID)
+	*/
+
+	type args struct {
+		ctx context.Context
+		req *user.RemoveOTPSMSRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *user.RemoveOTPSMSResponse
+		wantErr bool
+	}{
+		{
+			name: "not added",
+			args: args{
+				ctx: CTX,
+				req: &user.RemoveOTPSMSRequest{
+					UserId: "wrong",
+				},
+			},
+			wantErr: true,
+		},
+		// TODO: add when phone can be added to user
+		/*
+			{
+				name: "success",
+				args: args{
+					ctx: Tester.WithAuthorizationToken(context.Background(), sessionToken),
+					req: &user.RemoveOTPSMSRequest{
+						UserId: userID,
+					},
+				},
+				want: &user.RemoveOTPSMSResponse{
+					Details: &object.Details{
+						ResourceOwner: Tester.Organisation.ResourceOwner,
+					},
+				},
+			},
+		*/
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.RemoveOTPSMS(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, got)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_AddOTPEmail(t *testing.T) {
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, userID)
+	_, sessionToken, _, _ := Tester.CreatePasskeySession(t, CTX, userID)
+
+	userVerified := Tester.CreateHumanUser(CTX)
+	_, err := Tester.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
+		UserId:           userVerified.GetUserId(),
+		VerificationCode: userVerified.GetEmailCode(),
+	})
+	require.NoError(t, err)
+	Tester.RegisterUserPasskey(CTX, userVerified.GetUserId())
+	_, sessionTokenVerified, _, _ := Tester.CreatePasskeySession(t, CTX, userVerified.GetUserId())
+
+	type args struct {
+		ctx context.Context
+		req *user.AddOTPEmailRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *user.AddOTPEmailResponse
+		wantErr bool
+	}{
+		{
+			name: "missing user id",
+			args: args{
+				ctx: CTX,
+				req: &user.AddOTPEmailRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user mismatch",
+			args: args{
+				ctx: CTX,
+				req: &user.AddOTPEmailRequest{
+					UserId: "wrong",
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email not verified",
+			args: args{
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionToken),
+				req: &user.AddOTPEmailRequest{
+					UserId: userID,
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "add success",
+			args: args{
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionTokenVerified),
+				req: &user.AddOTPEmailRequest{
+					UserId: userVerified.GetUserId(),
+				},
+			},
+			want: &user.AddOTPEmailResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.AddOTPEmail(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, got)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_RemoveOTPEmail(t *testing.T) {
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, userID)
+	_, sessionToken, _, _ := Tester.CreatePasskeySession(t, CTX, userID)
+
+	userVerified := Tester.CreateHumanUser(CTX)
+	Tester.RegisterUserPasskey(CTX, userVerified.GetUserId())
+	_, sessionTokenVerified, _, _ := Tester.CreatePasskeySession(t, CTX, userVerified.GetUserId())
+	userVerifiedCtx := Tester.WithAuthorizationToken(context.Background(), sessionTokenVerified)
+	_, err := Tester.Client.UserV2.VerifyEmail(userVerifiedCtx, &user.VerifyEmailRequest{
+		UserId:           userVerified.GetUserId(),
+		VerificationCode: userVerified.GetEmailCode(),
+	})
+	require.NoError(t, err)
+	_, err = Tester.Client.UserV2.AddOTPEmail(userVerifiedCtx, &user.AddOTPEmailRequest{UserId: userVerified.GetUserId()})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx context.Context
+		req *user.RemoveOTPEmailRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *user.RemoveOTPEmailResponse
+		wantErr bool
+	}{
+		{
+			name: "not added",
+			args: args{
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionToken),
+				req: &user.RemoveOTPEmailRequest{
+					UserId: userID,
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success",
+			args: args{
+				ctx: userVerifiedCtx,
+				req: &user.RemoveOTPEmailRequest{
+					UserId: userVerified.GetUserId(),
+				},
+			},
+			want: &user.RemoveOTPEmailResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ResourceOwner,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.RemoveOTPEmail(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, got)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}

internal/api/grpc/user/v2/user.go

@@ -213,7 +213,7 @@ func authMethodTypesToPb(methodTypes []domain.UserAuthMethodType) []user.Authent
 
 func authMethodTypeToPb(methodType domain.UserAuthMethodType) user.AuthenticationMethodType {
 	switch methodType {
-	case domain.UserAuthMethodTypeOTP:
+	case domain.UserAuthMethodTypeTOTP:
 		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_TOTP
 	case domain.UserAuthMethodTypeU2F:
 		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_U2F
@@ -223,6 +223,10 @@ func authMethodTypeToPb(methodType domain.UserAuthMethodType) user.Authenticatio
 		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_PASSWORD
 	case domain.UserAuthMethodTypeIDP:
 		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_IDP
+	case domain.UserAuthMethodTypeOTPSMS:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_OTP_SMS
+	case domain.UserAuthMethodTypeOTPEmail:
+		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_OTP_EMAIL
 	case domain.UserAuthMethodTypeUnspecified:
 		return user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_UNSPECIFIED
 	default:

internal/api/grpc/user/v2/user_test.go

@@ -194,8 +194,8 @@ func Test_authMethodTypeToPb(t *testing.T) {
 			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_UNSPECIFIED,
 		},
 		{
-			"(t)otp",
-			domain.UserAuthMethodTypeOTP,
+			"totp",
+			domain.UserAuthMethodTypeTOTP,
 			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_TOTP,
 		},
 		{
@@ -218,6 +218,16 @@ func Test_authMethodTypeToPb(t *testing.T) {
 			domain.UserAuthMethodTypeIDP,
 			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_IDP,
 		},
+		{
+			"otp sms",
+			domain.UserAuthMethodTypeOTPSMS,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_OTP_SMS,
+		},
+		{
+			"otp email",
+			domain.UserAuthMethodTypeOTPEmail,
+			user.AuthenticationMethodType_AUTHENTICATION_METHOD_TYPE_OTP_EMAIL,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {