feat(api): add and remove OTP (SMS and email) (#6295)

* refactor: rename otp to totp * feat: add otp sms and email * implement tests
2025-08-12 01:47:33 +00:00 · 2023-08-02 18:57:53 +02:00
parent ca13e70c92
commit a1942ecdaa
44 changed files with 2253 additions and 215 deletions
--- a/internal/domain/auth_request.go
+++ b/internal/domain/auth_request.go
@@ -102,7 +102,7 @@ const (
 type MFAType int

 const (
-	MFATypeOTP MFAType = iota
+	MFATypeTOTP MFAType = iota
 	MFATypeU2F
 	MFATypeU2FUserVerification
 )
--- a/internal/domain/human_otp.go
+++ b/internal/domain/human_otp.go
@@ -3,20 +3,11 @@ package domain
 import (
 	"github.com/pquerna/otp"
 	"github.com/pquerna/otp/totp"
+
 	"github.com/zitadel/zitadel/internal/crypto"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
-	es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
 )

-type OTP struct {
-	es_models.ObjectRoot
-
-	Secret       *crypto.CryptoValue
-	SecretString string
-	Url          string
-	State        MFAState
-}
-
 type TOTP struct {
 	*ObjectDetails

@@ -24,7 +15,7 @@ type TOTP struct {
 	URI    string
 }

-func NewOTPKey(issuer, accountName string, cryptoAlg crypto.EncryptionAlgorithm) (*otp.Key, *crypto.CryptoValue, error) {
+func NewTOTPKey(issuer, accountName string, cryptoAlg crypto.EncryptionAlgorithm) (*otp.Key, *crypto.CryptoValue, error) {
 	key, err := totp.Generate(totp.GenerateOpts{Issuer: issuer, AccountName: accountName})
 	if err != nil {
 		return nil, nil, caos_errs.ThrowInternal(err, "TOTP-ieY3o", "Errors.Internal")
@@ -36,7 +27,7 @@ func NewOTPKey(issuer, accountName string, cryptoAlg crypto.EncryptionAlgorithm)
 	return key, encryptedSecret, nil
 }

-func VerifyMFAOTP(code string, secret *crypto.CryptoValue, cryptoAlg crypto.EncryptionAlgorithm) error {
+func VerifyTOTP(code string, secret *crypto.CryptoValue, cryptoAlg crypto.EncryptionAlgorithm) error {
 	decrypt, err := crypto.DecryptString(secret, cryptoAlg)
 	if err != nil {
 		return err
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -48,11 +48,13 @@ type UserAuthMethodType int32

 const (
 	UserAuthMethodTypeUnspecified UserAuthMethodType = iota
-	UserAuthMethodTypeOTP
+	UserAuthMethodTypeTOTP
 	UserAuthMethodTypeU2F
 	UserAuthMethodTypePasswordless
 	UserAuthMethodTypePassword
 	UserAuthMethodTypeIDP
+	UserAuthMethodTypeOTPSMS
+	UserAuthMethodTypeOTPEmail
 	userAuthMethodTypeCount
 )

@@ -67,15 +69,14 @@ func HasMFA(methods []UserAuthMethodType) bool {
 	var factors int
 	for _, method := range methods {
 		switch method {
-		case UserAuthMethodTypePassword:
-			factors++
 		case UserAuthMethodTypePasswordless:
 			return true
-		case UserAuthMethodTypeU2F:
-			factors++
-		case UserAuthMethodTypeOTP:
-			factors++
-		case UserAuthMethodTypeIDP:
+		case UserAuthMethodTypePassword,
+			UserAuthMethodTypeU2F,
+			UserAuthMethodTypeTOTP,
+			UserAuthMethodTypeOTPSMS,
+			UserAuthMethodTypeOTPEmail,
+			UserAuthMethodTypeIDP:
 			factors++
 		case UserAuthMethodTypeUnspecified,
 			userAuthMethodTypeCount: