feat: implement register Passkey user API v2 (#5873)

* command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client
2025-08-11 20:27:32 +00:00 · 2023-05-24 13:22:00 +03:00
parent 6839a5c203
commit a301c40f9f
44 changed files with 2528 additions and 517 deletions
--- a/internal/command/user_v2_passkey.go
+++ b/internal/command/user_v2_passkey.go
@@ -0,0 +1,156 @@
+package command
+
+import (
+	"context"
+	"io"
+
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user"
+)
+
+// RegisterUserPasskey creates a passkey registration for the current authenticated user.
+// UserID, ussualy taken from the request is compaired against the user ID in the context.
+func (c *Commands) RegisterUserPasskey(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment) (*domain.PasskeyRegistrationDetails, error) {
+	if err := authz.UserIDInCTX(ctx, userID); err != nil {
+		return nil, err
+	}
+	return c.registerUserPasskey(ctx, userID, resourceOwner, authenticator)
+}
+
+// RegisterUserPasskeyWithCode registers a new passkey for a unauthenticated user id.
+// The resource is protected by the code, identified by the codeID.
+func (c *Commands) RegisterUserPasskeyWithCode(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment, codeID, code string, alg crypto.EncryptionAlgorithm) (*domain.PasskeyRegistrationDetails, error) {
+	event, err := c.verifyUserPasskeyCode(ctx, userID, resourceOwner, codeID, code, alg)
+	if err != nil {
+		return nil, err
+	}
+
+	return c.registerUserPasskey(ctx, userID, resourceOwner, authenticator, event)
+}
+
+type eventCallback func(context.Context, *eventstore.Aggregate) eventstore.Command
+
+// verifyUserPasskeyCode verifies a passkey code, identified by codeID and userID.
+// A code can only be used once.
+// Upon success an event callback is returned, which must be called after
+// all other events for the current request are created.
+// This prevent consuming a code when another error occurred after verification.
+func (c *Commands) verifyUserPasskeyCode(ctx context.Context, userID, resourceOwner, codeID, code string, alg crypto.EncryptionAlgorithm) (eventCallback, error) {
+	wm := NewHumanPasswordlessInitCodeWriteModel(userID, codeID, resourceOwner)
+	err := c.eventstore.FilterToQueryReducer(ctx, wm)
+	if err != nil {
+		return nil, err
+	}
+	err = verifyCryptoCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordlessInitCode, alg, wm.ChangeDate, wm.Expiration, wm.CryptoCode, code)
+	if err != nil || wm.State != domain.PasswordlessInitCodeStateActive {
+		c.verifyUserPasskeyCodeFailed(ctx, wm)
+		return nil, caos_errs.ThrowInvalidArgument(err, "COMMAND-Eeb2a", "Errors.User.Code.Invalid")
+	}
+	return func(ctx context.Context, userAgg *eventstore.Aggregate) eventstore.Command {
+		return user.NewHumanPasswordlessInitCodeCheckSucceededEvent(ctx, userAgg, codeID)
+	}, nil
+}
+
+func (c *Commands) verifyUserPasskeyCodeFailed(ctx context.Context, wm *HumanPasswordlessInitCodeWriteModel) {
+	userAgg := UserAggregateFromWriteModel(&wm.WriteModel)
+	_, err := c.eventstore.Push(ctx, user.NewHumanPasswordlessInitCodeCheckFailedEvent(ctx, userAgg, wm.CodeID))
+	logging.WithFields("userID", userAgg.ID).OnError(err).Error("RegisterUserPasskeyWithCode push failed")
+}
+
+func (c *Commands) registerUserPasskey(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment, events ...eventCallback) (*domain.PasskeyRegistrationDetails, error) {
+	wm, userAgg, webAuthN, err := c.createUserPasskey(ctx, userID, resourceOwner, authenticator)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushUserPasskey(ctx, wm, userAgg, webAuthN, events...)
+}
+
+func (c *Commands) createUserPasskey(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment) (*HumanWebAuthNWriteModel, *eventstore.Aggregate, *domain.WebAuthNToken, error) {
+	passwordlessTokens, err := c.getHumanPasswordlessTokens(ctx, userID, resourceOwner)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return c.addHumanWebAuthN(ctx, userID, resourceOwner, false, passwordlessTokens, authenticator, domain.UserVerificationRequirementRequired)
+}
+
+func (c *Commands) pushUserPasskey(ctx context.Context, wm *HumanWebAuthNWriteModel, userAgg *eventstore.Aggregate, webAuthN *domain.WebAuthNToken, events ...eventCallback) (*domain.PasskeyRegistrationDetails, error) {
+	cmds := make([]eventstore.Command, len(events)+1)
+	cmds[0] = user.NewHumanPasswordlessAddedEvent(ctx, userAgg, wm.WebauthNTokenID, webAuthN.Challenge)
+	for i, event := range events {
+		cmds[i+1] = event(ctx, userAgg)
+	}
+
+	err := c.pushAppendAndReduce(ctx, wm, cmds...)
+	if err != nil {
+		return nil, err
+	}
+	return &domain.PasskeyRegistrationDetails{
+		ObjectDetails:                      writeModelToObjectDetails(&wm.WriteModel),
+		PasskeyID:                          wm.WebauthNTokenID,
+		PublicKeyCredentialCreationOptions: webAuthN.CredentialCreationData,
+	}, nil
+}
+
+// AddUserPasskeyCode generates a Passkey code and sends an email
+// with the default generated URL (pointing to zitadel).
+func (c *Commands) AddUserPasskeyCode(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm) (*domain.ObjectDetails, error) {
+	details, err := c.addUserPasskeyCode(ctx, userID, resourceOwner, alg, "", false)
+	if err != nil {
+		return nil, err
+	}
+	return details.ObjectDetails, err
+}
+
+// AddUserPasskeyCodeURLTemplate generates a Passkey code and sends an email
+// with the URL created from passed template string.
+// The template is executed as a test, before pushing to the eventstore.
+func (c *Commands) AddUserPasskeyCodeURLTemplate(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm, urlTmpl string) (*domain.ObjectDetails, error) {
+	if err := domain.RenderPasskeyURLTemplate(io.Discard, urlTmpl, userID, resourceOwner, "codeID", "code"); err != nil {
+		return nil, err
+	}
+	details, err := c.addUserPasskeyCode(ctx, userID, resourceOwner, alg, urlTmpl, false)
+	if err != nil {
+		return nil, err
+	}
+	return details.ObjectDetails, err
+}
+
+// AddUserPasskeyCodeReturn generates and returns a Passkey code.
+// No email will be send to the user.
+func (c *Commands) AddUserPasskeyCodeReturn(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm) (*domain.PasskeyCodeDetails, error) {
+	return c.addUserPasskeyCode(ctx, userID, resourceOwner, alg, "", true)
+}
+
+func (c *Commands) addUserPasskeyCode(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm, urlTmpl string, returnCode bool) (*domain.PasskeyCodeDetails, error) {
+	codeID, err := c.idGenerator.Next()
+	if err != nil {
+		return nil, err
+	}
+	code, err := c.newCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordlessInitCode, alg)
+	if err != nil {
+		return nil, err
+	}
+	wm := NewHumanPasswordlessInitCodeWriteModel(userID, codeID, resourceOwner)
+	err = c.eventstore.FilterToQueryReducer(ctx, wm)
+	if err != nil {
+		return nil, err
+	}
+	agg := UserAggregateFromWriteModel(&wm.WriteModel)
+
+	cmd := user.NewHumanPasswordlessInitCodeRequestedEvent(ctx, agg, codeID, code.Crypted, code.Expiry, urlTmpl, returnCode)
+	err = c.pushAppendAndReduce(ctx, wm, cmd)
+	if err != nil {
+		return nil, err
+	}
+	return &domain.PasskeyCodeDetails{
+		ObjectDetails: writeModelToObjectDetails(&wm.WriteModel),
+		CodeID:        codeID,
+		Code:          code.Plain,
+	}, nil
+}