feat: v2 api add way to list authentication factors (#9065)

# Which Problems Are Solved The v2 api currently has no endpoint the get all second factors of a user. # How the Problems Are Solved Our v1 api has the ListHumanAuthFactors which got added to the v2 api under the User resource. # Additional Changes # Additional Context Closes #8833 --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 18:17:35 +00:00 · 2025-01-02 14:14:49 +01:00
parent e1f0d46393
commit a3d80f93ff
7 changed files with 518 additions and 2 deletions
--- a/internal/api/grpc/object/v2/converter.go
+++ b/internal/api/grpc/object/v2/converter.go
@@ -9,6 +9,7 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/pkg/grpc/object/v2"
+	user_pb "github.com/zitadel/zitadel/pkg/grpc/user/v2"
 )

 func DomainToDetailsPb(objectDetail *domain.ObjectDetails) *object.Details {
@@ -70,3 +71,105 @@ func TextMethodToQuery(method object.TextQueryMethod) query.TextComparison {
 		return -1
 	}
 }
+
+func AuthMethodsToPb(mfas *query.AuthMethods) []*user_pb.AuthFactor {
+	factors := make([]*user_pb.AuthFactor, len(mfas.AuthMethods))
+	for i, mfa := range mfas.AuthMethods {
+		factors[i] = AuthMethodToPb(mfa)
+	}
+	return factors
+}
+
+func AuthMethodToPb(mfa *query.AuthMethod) *user_pb.AuthFactor {
+	factor := &user_pb.AuthFactor{
+		State: MFAStateToPb(mfa.State),
+	}
+	switch mfa.Type {
+	case domain.UserAuthMethodTypeTOTP:
+		factor.Type = &user_pb.AuthFactor_Otp{
+			Otp: &user_pb.AuthFactorOTP{},
+		}
+	case domain.UserAuthMethodTypeU2F:
+		factor.Type = &user_pb.AuthFactor_U2F{
+			U2F: &user_pb.AuthFactorU2F{
+				Id:   mfa.TokenID,
+				Name: mfa.Name,
+			},
+		}
+	case domain.UserAuthMethodTypeOTPSMS:
+		factor.Type = &user_pb.AuthFactor_OtpSms{
+			OtpSms: &user_pb.AuthFactorOTPSMS{},
+		}
+	case domain.UserAuthMethodTypeOTPEmail:
+		factor.Type = &user_pb.AuthFactor_OtpEmail{
+			OtpEmail: &user_pb.AuthFactorOTPEmail{},
+		}
+	case domain.UserAuthMethodTypeUnspecified:
+	case domain.UserAuthMethodTypePasswordless:
+	case domain.UserAuthMethodTypePassword:
+	case domain.UserAuthMethodTypeIDP:
+	case domain.UserAuthMethodTypeOTP:
+	case domain.UserAuthMethodTypePrivateKey:
+	}
+	return factor
+}
+
+func AuthFactorsToPb(authFactors []user_pb.AuthFactors) []domain.UserAuthMethodType {
+	factors := make([]domain.UserAuthMethodType, len(authFactors))
+	for i, authFactor := range authFactors {
+		factors[i] = AuthFactorToPb(authFactor)
+	}
+	return factors
+}
+
+func AuthFactorToPb(authFactor user_pb.AuthFactors) domain.UserAuthMethodType {
+	switch authFactor {
+	case user_pb.AuthFactors_OTP:
+		return domain.UserAuthMethodTypeTOTP
+	case user_pb.AuthFactors_OTP_SMS:
+		return domain.UserAuthMethodTypeOTPSMS
+	case user_pb.AuthFactors_OTP_EMAIL:
+		return domain.UserAuthMethodTypeOTPEmail
+	case user_pb.AuthFactors_U2F:
+		return domain.UserAuthMethodTypeU2F
+	default:
+		return domain.UserAuthMethodTypeUnspecified
+	}
+}
+
+func AuthFactorStatesToPb(authFactorStates []user_pb.AuthFactorState) []domain.MFAState {
+	factorStates := make([]domain.MFAState, len(authFactorStates))
+	for i, authFactorState := range authFactorStates {
+		factorStates[i] = AuthFactorStateToPb(authFactorState)
+	}
+	return factorStates
+}
+
+func AuthFactorStateToPb(authFactorState user_pb.AuthFactorState) domain.MFAState {
+	switch authFactorState {
+	case user_pb.AuthFactorState_AUTH_FACTOR_STATE_UNSPECIFIED:
+		return domain.MFAStateUnspecified
+	case user_pb.AuthFactorState_AUTH_FACTOR_STATE_NOT_READY:
+		return domain.MFAStateNotReady
+	case user_pb.AuthFactorState_AUTH_FACTOR_STATE_READY:
+		return domain.MFAStateReady
+	case user_pb.AuthFactorState_AUTH_FACTOR_STATE_REMOVED:
+		return domain.MFAStateRemoved
+	default:
+		return domain.MFAStateUnspecified
+	}
+}
+
+func MFAStateToPb(state domain.MFAState) user_pb.AuthFactorState {
+	switch state {
+	case domain.MFAStateNotReady:
+		return user_pb.AuthFactorState_AUTH_FACTOR_STATE_NOT_READY
+	case domain.MFAStateReady:
+		return user_pb.AuthFactorState_AUTH_FACTOR_STATE_READY
+	case domain.MFAStateUnspecified, domain.MFAStateRemoved:
+		// Handle all remaining cases so the linter succeeds
+		return user_pb.AuthFactorState_AUTH_FACTOR_STATE_UNSPECIFIED
+	default:
+		return user_pb.AuthFactorState_AUTH_FACTOR_STATE_UNSPECIFIED
+	}
+}
--- a/internal/api/grpc/user/v2/integration_test/user_test.go
+++ b/internal/api/grpc/user/v2/integration_test/user_test.go
@@ -10,6 +10,8 @@ import (
 	"testing"
 	"time"

+	"github.com/zitadel/logging"
+
 	"github.com/brianvoe/gofakeit/v6"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
@@ -2629,6 +2631,247 @@ func TestServer_ListAuthenticationMethodTypes(t *testing.T) {
 	}
 }

+func TestServer_ListAuthenticationFactors(t *testing.T) {
+	tests := []struct {
+		name    string
+		args    *user.ListAuthenticationFactorsRequest
+		want    *user.ListAuthenticationFactorsResponse
+		dep     func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse)
+		wantErr bool
+		ctx     context.Context
+	}{
+		{
+			name: "no auth",
+			args: &user.ListAuthenticationFactorsRequest{},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: nil,
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userIDWithoutAuth := Instance.CreateHumanUser(CTX).GetUserId()
+				args.UserId = userIDWithoutAuth
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with u2f",
+			args: &user.ListAuthenticationFactorsRequest{},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: []*user.AuthFactor{
+					{
+						State: user.AuthFactorState_AUTH_FACTOR_STATE_READY,
+					},
+				},
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithU2F := Instance.CreateHumanUser(CTX).GetUserId()
+				U2FId := Instance.RegisterUserU2F(CTX, userWithU2F)
+
+				args.UserId = userWithU2F
+				want.Result[0].Type = &user.AuthFactor_U2F{
+					U2F: &user.AuthFactorU2F{
+						Id:   U2FId,
+						Name: "nice name",
+					},
+				}
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with totp, u2f",
+			args: &user.ListAuthenticationFactorsRequest{},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: []*user.AuthFactor{
+					{
+						State: user.AuthFactorState_AUTH_FACTOR_STATE_READY,
+						Type: &user.AuthFactor_Otp{
+							Otp: &user.AuthFactorOTP{},
+						},
+					},
+					{
+						State: user.AuthFactorState_AUTH_FACTOR_STATE_READY,
+					},
+				},
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithTOTP := Instance.CreateHumanUserWithTOTP(CTX, "secret").GetUserId()
+				U2FIdWithTOTP := Instance.RegisterUserU2F(CTX, userWithTOTP)
+
+				args.UserId = userWithTOTP
+				want.Result[1].Type = &user.AuthFactor_U2F{
+					U2F: &user.AuthFactorU2F{
+						Id:   U2FIdWithTOTP,
+						Name: "nice name",
+					},
+				}
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with totp, u2f filtered",
+			args: &user.ListAuthenticationFactorsRequest{
+				AuthFactors: []user.AuthFactors{user.AuthFactors_U2F},
+			},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: []*user.AuthFactor{
+					{
+						State: user.AuthFactorState_AUTH_FACTOR_STATE_READY,
+					},
+				},
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithTOTP := Instance.CreateHumanUserWithTOTP(CTX, "secret").GetUserId()
+				U2FIdWithTOTP := Instance.RegisterUserU2F(CTX, userWithTOTP)
+
+				args.UserId = userWithTOTP
+				want.Result[0].Type = &user.AuthFactor_U2F{
+					U2F: &user.AuthFactorU2F{
+						Id:   U2FIdWithTOTP,
+						Name: "nice name",
+					},
+				}
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with sms",
+			args: &user.ListAuthenticationFactorsRequest{},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: []*user.AuthFactor{
+					{
+						State: user.AuthFactorState_AUTH_FACTOR_STATE_READY,
+						Type: &user.AuthFactor_OtpSms{
+							OtpSms: &user.AuthFactorOTPSMS{},
+						},
+					},
+				},
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithSMS := Instance.CreateHumanUserVerified(CTX, Instance.DefaultOrg.GetId(), gofakeit.Email(), gofakeit.Phone()).GetUserId()
+				Instance.RegisterUserOTPSMS(CTX, userWithSMS)
+
+				args.UserId = userWithSMS
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with email",
+			args: &user.ListAuthenticationFactorsRequest{},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: []*user.AuthFactor{
+					{
+						State: user.AuthFactorState_AUTH_FACTOR_STATE_READY,
+						Type: &user.AuthFactor_OtpEmail{
+							OtpEmail: &user.AuthFactorOTPEmail{},
+						},
+					},
+				},
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithEmail := Instance.CreateHumanUserVerified(CTX, Instance.DefaultOrg.GetId(), gofakeit.Email(), gofakeit.Phone()).GetUserId()
+				Instance.RegisterUserOTPEmail(CTX, userWithEmail)
+
+				args.UserId = userWithEmail
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with not ready u2f",
+			args: &user.ListAuthenticationFactorsRequest{},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: []*user.AuthFactor{},
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithNotReadyU2F := Instance.CreateHumanUser(CTX).GetUserId()
+				_, err := Instance.Client.UserV2.RegisterU2F(CTX, &user.RegisterU2FRequest{
+					UserId: userWithNotReadyU2F,
+					Domain: Instance.Domain,
+				})
+				logging.OnError(err).Panic("Could not register u2f")
+
+				args.UserId = userWithNotReadyU2F
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with not ready u2f state filtered",
+			args: &user.ListAuthenticationFactorsRequest{
+				States: []user.AuthFactorState{user.AuthFactorState_AUTH_FACTOR_STATE_NOT_READY},
+			},
+			want: &user.ListAuthenticationFactorsResponse{
+				Result: []*user.AuthFactor{
+					{
+						State: user.AuthFactorState_AUTH_FACTOR_STATE_NOT_READY,
+					},
+				},
+			},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithNotReadyU2F := Instance.CreateHumanUser(CTX).GetUserId()
+				U2FNotReady, err := Instance.Client.UserV2.RegisterU2F(CTX, &user.RegisterU2FRequest{
+					UserId: userWithNotReadyU2F,
+					Domain: Instance.Domain,
+				})
+				logging.OnError(err).Panic("Could not register u2f")
+
+				args.UserId = userWithNotReadyU2F
+				want.Result[0].Type = &user.AuthFactor_U2F{
+					U2F: &user.AuthFactorU2F{
+						Id:   U2FNotReady.GetU2FId(),
+						Name: "",
+					},
+				}
+			},
+			ctx: CTX,
+		},
+		{
+			name: "with no userId",
+			args: &user.ListAuthenticationFactorsRequest{
+				UserId: "",
+			},
+			ctx:     CTX,
+			wantErr: true,
+		},
+		{
+			name: "with no permission",
+			args: &user.ListAuthenticationFactorsRequest{},
+			dep: func(args *user.ListAuthenticationFactorsRequest, want *user.ListAuthenticationFactorsResponse) {
+				userWithTOTP := Instance.CreateHumanUserWithTOTP(CTX, "totp").GetUserId()
+
+				args.UserId = userWithTOTP
+			},
+			ctx:     UserCTX,
+			wantErr: true,
+		},
+		{
+			name: "with unknown user",
+			args: &user.ListAuthenticationFactorsRequest{
+				UserId: "unknown",
+			},
+			want: &user.ListAuthenticationFactorsResponse{},
+			ctx:  CTX,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				tt.dep(tt.args, tt.want)
+			}
+
+			retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
+			require.EventuallyWithT(t, func(ttt *assert.CollectT) {
+				got, err := Client.ListAuthenticationFactors(tt.ctx, tt.args)
+				if tt.wantErr {
+					require.Error(ttt, err)
+					return
+				}
+				require.NoError(ttt, err)
+
+				assert.ElementsMatch(t, tt.want.GetResult(), got.GetResult())
+			}, retryDuration, tick, "timeout waiting for expected auth methods result")
+
+		})
+	}
+}
+
 func TestServer_CreateInviteCode(t *testing.T) {
 	type args struct {
 		ctx     context.Context
--- a/internal/api/grpc/user/v2/user.go
+++ b/internal/api/grpc/user/v2/user.go
@@ -597,6 +597,39 @@ func (s *Server) ListAuthenticationMethodTypes(ctx context.Context, req *user.Li
 	}, nil
 }

+func (s *Server) ListAuthenticationFactors(ctx context.Context, req *user.ListAuthenticationFactorsRequest) (*user.ListAuthenticationFactorsResponse, error) {
+	query := new(query.UserAuthMethodSearchQueries)
+
+	if err := query.AppendUserIDQuery(req.UserId); err != nil {
+		return nil, err
+	}
+
+	authMethodsType := []domain.UserAuthMethodType{domain.UserAuthMethodTypeU2F, domain.UserAuthMethodTypeTOTP, domain.UserAuthMethodTypeOTPSMS, domain.UserAuthMethodTypeOTPEmail}
+	if len(req.GetAuthFactors()) > 0 {
+		authMethodsType = object.AuthFactorsToPb(req.GetAuthFactors())
+	}
+	if err := query.AppendAuthMethodsQuery(authMethodsType...); err != nil {
+		return nil, err
+	}
+
+	states := []domain.MFAState{domain.MFAStateReady}
+	if len(req.GetStates()) > 0 {
+		states = object.AuthFactorStatesToPb(req.GetStates())
+	}
+	if err := query.AppendStatesQuery(states...); err != nil {
+		return nil, err
+	}
+
+	authMethods, err := s.query.SearchUserAuthMethods(ctx, query, s.checkPermission)
+	if err != nil {
+		return nil, err
+	}
+
+	return &user.ListAuthenticationFactorsResponse{
+		Result: object.AuthMethodsToPb(authMethods),
+	}, nil
+}
+
 func authMethodTypesToPb(methodTypes []domain.UserAuthMethodType) []user.AuthenticationMethodType {
 	methods := make([]user.AuthenticationMethodType, len(methodTypes))
 	for i, method := range methodTypes {