feat: implement register Passkey user API v2 (#5873)

* command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client
2025-08-11 19:07:30 +00:00 · 2023-05-24 13:22:00 +03:00
parent 6839a5c203
commit a301c40f9f
44 changed files with 2528 additions and 517 deletions
--- a/internal/notification/handlers/usernotifier.go
+++ b/internal/notification/handlers/usernotifier.go
@@ -394,6 +394,9 @@ func (u *userNotifier) reducePasswordlessCodeRequested(event eventstore.Event) (
 	if !ok {
 		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-EDtjd", "reduce.wrong.event.type %s", user.HumanPasswordlessInitCodeAddedType)
 	}
+	if e.CodeReturned {
+		return crdb.NewNoOpStatement(e), nil
+	}
 	ctx := HandlerContext(event.Aggregate())
 	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, map[string]interface{}{"id": e.ID}, user.HumanPasswordlessInitCodeSentType)
 	if err != nil {
@@ -442,7 +445,7 @@ func (u *userNotifier) reducePasswordlessCodeRequested(event eventstore.Event) (
 		e,
 		u.metricSuccessfulDeliveriesEmail,
 		u.metricFailedDeliveriesEmail,
-	).SendPasswordlessRegistrationLink(notifyUser, origin, code, e.ID)
+	).SendPasswordlessRegistrationLink(notifyUser, origin, code, e.ID, e.URLTemplate)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/notification/types/email_verification_code_test.go
+++ b/internal/notification/types/email_verification_code_test.go
@@ -12,27 +12,6 @@ import (
 )

 func TestNotify_SendEmailVerificationCode(t *testing.T) {
-	type res struct {
-		url                                string
-		args                               map[string]interface{}
-		messageType                        string
-		allowUnverifiedNotificationChannel bool
-	}
-	notify := func(dst *res) Notify {
-		return func(
-			url string,
-			args map[string]interface{},
-			messageType string,
-			allowUnverifiedNotificationChannel bool,
-		) error {
-			dst.url = url
-			dst.args = args
-			dst.messageType = messageType
-			dst.allowUnverifiedNotificationChannel = allowUnverifiedNotificationChannel
-			return nil
-		}
-	}
-
 	type args struct {
 		user    *query.NotifyUser
 		origin  string
@@ -42,7 +21,7 @@ func TestNotify_SendEmailVerificationCode(t *testing.T) {
 	tests := []struct {
 		name    string
 		args    args
-		want    *res
+		want    *notifyResult
 		wantErr error
 	}{
 		{
@@ -56,7 +35,7 @@ func TestNotify_SendEmailVerificationCode(t *testing.T) {
 				code:    "123",
 				urlTmpl: "",
 			},
-			want: &res{
+			want: &notifyResult{
 				url:                                "https://example.com/ui/login/mail/verification?userID=user1&code=123&orgID=org1",
 				args:                               map[string]interface{}{"Code": "123"},
 				messageType:                        domain.VerifyEmailMessageType,
@@ -74,8 +53,8 @@ func TestNotify_SendEmailVerificationCode(t *testing.T) {
 				code:    "123",
 				urlTmpl: "{{",
 			},
-			want:    &res{},
-			wantErr: caos_errs.ThrowInvalidArgument(nil, "USERv2-ooD8p", "Errors.User.Email.InvalidURLTemplate"),
+			want:    &notifyResult{},
+			wantErr: caos_errs.ThrowInvalidArgument(nil, "DOMAIN-oGh5e", "Errors.User.InvalidURLTemplate"),
 		},
 		{
 			name: "template success",
@@ -88,7 +67,7 @@ func TestNotify_SendEmailVerificationCode(t *testing.T) {
 				code:    "123",
 				urlTmpl: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
 			},
-			want: &res{
+			want: &notifyResult{
 				url:                                "https://example.com/email/verify?userID=user1&code=123&orgID=org1",
 				args:                               map[string]interface{}{"Code": "123"},
 				messageType:                        domain.VerifyEmailMessageType,
@@ -98,8 +77,8 @@ func TestNotify_SendEmailVerificationCode(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := new(res)
-			err := notify(got).SendEmailVerificationCode(tt.args.user, tt.args.origin, tt.args.code, tt.args.urlTmpl)
+			got, notify := mockNotify()
+			err := notify.SendEmailVerificationCode(tt.args.user, tt.args.origin, tt.args.code, tt.args.urlTmpl)
 			require.ErrorIs(t, err, tt.wantErr)
 			assert.Equal(t, tt.want, got)
 		})
--- a/internal/notification/types/passwordless_registration_link.go
+++ b/internal/notification/types/passwordless_registration_link.go
@@ -1,12 +1,24 @@
 package types

 import (
+	"strings"
+
 	"github.com/zitadel/zitadel/internal/api/ui/login"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 )

-func (notify Notify) SendPasswordlessRegistrationLink(user *query.NotifyUser, origin, code, codeID string) error {
-	url := domain.PasswordlessInitCodeLink(origin+login.HandlerPrefix+login.EndpointPasswordlessRegistration, user.ID, user.ResourceOwner, codeID, code)
+func (notify Notify) SendPasswordlessRegistrationLink(user *query.NotifyUser, origin, code, codeID, urlTmpl string) error {
+	var url string
+	if urlTmpl == "" {
+		url = domain.PasswordlessInitCodeLink(origin+login.HandlerPrefix+login.EndpointPasswordlessRegistration, user.ID, user.ResourceOwner, codeID, code)
+	} else {
+		var buf strings.Builder
+		if err := domain.RenderPasskeyURLTemplate(&buf, urlTmpl, user.ID, user.ResourceOwner, codeID, code); err != nil {
+			return err
+		}
+		url = buf.String()
+	}
+
 	return notify(url, nil, domain.PasswordlessRegistrationMessageType, true)
 }
--- a/internal/notification/types/passwordless_registration_link_test.go
+++ b/internal/notification/types/passwordless_registration_link_test.go
@@ -0,0 +1,88 @@
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query"
+)
+
+func TestNotify_SendPasswordlessRegistrationLink(t *testing.T) {
+	type args struct {
+		user    *query.NotifyUser
+		origin  string
+		code    string
+		codeID  string
+		urlTmpl string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *notifyResult
+		wantErr error
+	}{
+		{
+			name: "default URL",
+			args: args{
+				user: &query.NotifyUser{
+					ID:            "user1",
+					ResourceOwner: "org1",
+				},
+				origin:  "https://example.com",
+				code:    "123",
+				codeID:  "456",
+				urlTmpl: "",
+			},
+			want: &notifyResult{
+				url:                                "https://example.com/ui/login/login/passwordless/init?userID=user1&orgID=org1&codeID=456&code=123",
+				messageType:                        domain.PasswordlessRegistrationMessageType,
+				allowUnverifiedNotificationChannel: true,
+			},
+		},
+		{
+			name: "template error",
+			args: args{
+				user: &query.NotifyUser{
+					ID:            "user1",
+					ResourceOwner: "org1",
+				},
+				origin:  "https://example.com",
+				code:    "123",
+				codeID:  "456",
+				urlTmpl: "{{",
+			},
+			want:    &notifyResult{},
+			wantErr: caos_errs.ThrowInvalidArgument(nil, "DOMAIN-oGh5e", "Errors.User.InvalidURLTemplate"),
+		},
+		{
+			name: "template success",
+			args: args{
+				user: &query.NotifyUser{
+					ID:            "user1",
+					ResourceOwner: "org1",
+				},
+				origin:  "https://example.com",
+				code:    "123",
+				codeID:  "456",
+				urlTmpl: "https://example.com/passkey/register?userID={{.UserID}}&orgID={{.OrgID}}&codeID={{.CodeID}}&code={{.Code}}",
+			},
+			want: &notifyResult{
+				url:                                "https://example.com/passkey/register?userID=user1&orgID=org1&codeID=456&code=123",
+				messageType:                        domain.PasswordlessRegistrationMessageType,
+				allowUnverifiedNotificationChannel: true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, notify := mockNotify()
+			err := notify.SendPasswordlessRegistrationLink(tt.args.user, tt.args.origin, tt.args.code, tt.args.codeID, tt.args.urlTmpl)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/internal/notification/types/types_test.go
+++ b/internal/notification/types/types_test.go
@@ -0,0 +1,23 @@
+package types
+
+type notifyResult struct {
+	url                                string
+	args                               map[string]interface{}
+	messageType                        string
+	allowUnverifiedNotificationChannel bool
+}
+
+// mockNotify returns a notifyResult and Notify function for easy mocking.
+// The notifyResult will only be populated after Notify is called.
+func mockNotify() (*notifyResult, Notify) {
+	dst := new(notifyResult)
+	return dst, func(url string, args map[string]interface{}, messageType string, allowUnverifiedNotificationChannel bool) error {
+		*dst = notifyResult{
+			url:                                url,
+			args:                               args,
+			messageType:                        messageType,
+			allowUnverifiedNotificationChannel: allowUnverifiedNotificationChannel,
+		}
+		return nil
+	}
+}