feat(login): additionally use email/phone for authentication (#4563)

* feat: add ability to disable login by email and phone * feat: check login by email and phone * fix: set verified email / phone correctly on notify users * update projection version * fix merge * fix email/phone verified reduce tests * fix user tests * loginname check * cleanup * fix: update user projection version to handle fixed statement
2025-08-12 08:07:32 +00:00 · 2022-10-17 21:19:15 +02:00
parent 9ae58b62fd
commit b0b1e94090
54 changed files with 1245 additions and 768 deletions
--- a/internal/api/grpc/admin/import.go
+++ b/internal/api/grpc/admin/import.go
@@ -442,7 +442,7 @@ func (s *Server) importData(ctx context.Context, orgs []*admin_pb.DataOrg) (*adm
 			}
 		}
 		if org.LoginPolicy != nil {
-			_, err = s.command.AddLoginPolicy(ctx, org.GetOrgId(), management.AddLoginPolicyToDomain(org.GetLoginPolicy()))
+			_, err = s.command.AddLoginPolicy(ctx, org.GetOrgId(), management.AddLoginPolicyToCommand(org.GetLoginPolicy()))
 			if err != nil {
 				errors = append(errors, &admin_pb.ImportDataError{Type: "login_policy", Id: org.GetOrgId(), Message: err.Error()})
 			}
--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@@ -22,14 +22,14 @@ func (s *Server) GetLoginPolicy(ctx context.Context, _ *admin_pb.GetLoginPolicyR
 }

 func (s *Server) UpdateLoginPolicy(ctx context.Context, p *admin_pb.UpdateLoginPolicyRequest) (*admin_pb.UpdateLoginPolicyResponse, error) {
-	policy, err := s.command.ChangeDefaultLoginPolicy(ctx, updateLoginPolicyToDomain(p))
+	policy, err := s.command.ChangeDefaultLoginPolicy(ctx, updateLoginPolicyToCommand(p))
 	if err != nil {
 		return nil, err
 	}
 	return &admin_pb.UpdateLoginPolicyResponse{
 		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
-			policy.ChangeDate,
+			policy.EventDate,
 			policy.ResourceOwner,
 		),
 	}, nil
--- a/internal/api/grpc/admin/login_policy_converter.go
+++ b/internal/api/grpc/admin/login_policy_converter.go
@@ -3,13 +3,13 @@ package admin
 import (
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	policy_grpc "github.com/zitadel/zitadel/internal/api/grpc/policy"
-	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/query"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 )

-func updateLoginPolicyToDomain(p *admin_pb.UpdateLoginPolicyRequest) *domain.LoginPolicy {
-	return &domain.LoginPolicy{
+func updateLoginPolicyToCommand(p *admin_pb.UpdateLoginPolicyRequest) *command.ChangeLoginPolicy {
+	return &command.ChangeLoginPolicy{
 		AllowUsernamePassword:      p.AllowUsernamePassword,
 		AllowRegister:              p.AllowRegister,
 		AllowExternalIDP:           p.AllowExternalIdp,
@@ -18,6 +18,8 @@ func updateLoginPolicyToDomain(p *admin_pb.UpdateLoginPolicyRequest) *domain.Log
 		HidePasswordReset:          p.HidePasswordReset,
 		IgnoreUnknownUsernames:     p.IgnoreUnknownUsernames,
 		AllowDomainDiscovery:       p.AllowDomainDiscovery,
+		DisableLoginWithEmail:      p.DisableLoginWithEmail,
+		DisableLoginWithPhone:      p.DisableLoginWithPhone,
 		DefaultRedirectURI:         p.DefaultRedirectUri,
 		PasswordCheckLifetime:      p.PasswordCheckLifetime.AsDuration(),
 		ExternalLoginCheckLifetime: p.ExternalLoginCheckLifetime.AsDuration(),
--- a/internal/api/grpc/management/policy_login.go
+++ b/internal/api/grpc/management/policy_login.go
@@ -30,28 +30,28 @@ func (s *Server) GetDefaultLoginPolicy(ctx context.Context, req *mgmt_pb.GetDefa
 }

 func (s *Server) AddCustomLoginPolicy(ctx context.Context, req *mgmt_pb.AddCustomLoginPolicyRequest) (*mgmt_pb.AddCustomLoginPolicyResponse, error) {
-	policy, err := s.command.AddLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, AddLoginPolicyToDomain(req))
+	policy, err := s.command.AddLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, AddLoginPolicyToCommand(req))
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.AddCustomLoginPolicyResponse{
 		Details: object.AddToDetailsPb(
 			policy.Sequence,
-			policy.ChangeDate,
+			policy.EventDate,
 			policy.ResourceOwner,
 		),
 	}, nil
 }

 func (s *Server) UpdateCustomLoginPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomLoginPolicyRequest) (*mgmt_pb.UpdateCustomLoginPolicyResponse, error) {
-	policy, err := s.command.ChangeLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, updateLoginPolicyToDomain(req))
+	policy, err := s.command.ChangeLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, updateLoginPolicyToCommand(req))
 	if err != nil {
 		return nil, err
 	}
 	return &mgmt_pb.UpdateCustomLoginPolicyResponse{
 		Details: object.ChangeToDetailsPb(
 			policy.Sequence,
-			policy.ChangeDate,
+			policy.EventDate,
 			policy.ResourceOwner,
 		),
 	}, nil
--- a/internal/api/grpc/management/policy_login_converter.go
+++ b/internal/api/grpc/management/policy_login_converter.go
@@ -4,13 +4,13 @@ import (
 	idp_grpc "github.com/zitadel/zitadel/internal/api/grpc/idp"
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	policy_grpc "github.com/zitadel/zitadel/internal/api/grpc/policy"
-	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/query"
 	mgmt_pb "github.com/zitadel/zitadel/pkg/grpc/management"
 )

-func AddLoginPolicyToDomain(p *mgmt_pb.AddCustomLoginPolicyRequest) *domain.LoginPolicy {
-	return &domain.LoginPolicy{
+func AddLoginPolicyToCommand(p *mgmt_pb.AddCustomLoginPolicyRequest) *command.AddLoginPolicy {
+	return &command.AddLoginPolicy{
 		AllowUsernamePassword:      p.AllowUsernamePassword,
 		AllowRegister:              p.AllowRegister,
 		AllowExternalIDP:           p.AllowExternalIdp,
@@ -27,22 +27,24 @@ func AddLoginPolicyToDomain(p *mgmt_pb.AddCustomLoginPolicyRequest) *domain.Logi
 		MultiFactorCheckLifetime:   p.MultiFactorCheckLifetime.AsDuration(),
 		SecondFactors:              policy_grpc.SecondFactorsTypesToDomain(p.SecondFactors),
 		MultiFactors:               policy_grpc.MultiFactorsTypesToDomain(p.MultiFactors),
-		IDPProviders:               addLoginPolicyIDPsToDomain(p.Idps),
+		IDPProviders:               addLoginPolicyIDPsToCommand(p.Idps),
+		DisableLoginWithEmail:      p.DisableLoginWithEmail,
+		DisableLoginWithPhone:      p.DisableLoginWithPhone,
 	}
 }
-func addLoginPolicyIDPsToDomain(idps []*mgmt_pb.AddCustomLoginPolicyRequest_IDP) []*domain.IDPProvider {
-	providers := make([]*domain.IDPProvider, len(idps))
+func addLoginPolicyIDPsToCommand(idps []*mgmt_pb.AddCustomLoginPolicyRequest_IDP) []*command.AddLoginPolicyIDP {
+	providers := make([]*command.AddLoginPolicyIDP, len(idps))
 	for i, idp := range idps {
-		providers[i] = &domain.IDPProvider{
-			Type:        idp_grpc.IDPProviderTypeFromPb(idp.OwnerType),
-			IDPConfigID: idp.IdpId,
+		providers[i] = &command.AddLoginPolicyIDP{
+			Type:     idp_grpc.IDPProviderTypeFromPb(idp.OwnerType),
+			ConfigID: idp.IdpId,
 		}
 	}
 	return providers
 }

-func updateLoginPolicyToDomain(p *mgmt_pb.UpdateCustomLoginPolicyRequest) *domain.LoginPolicy {
-	return &domain.LoginPolicy{
+func updateLoginPolicyToCommand(p *mgmt_pb.UpdateCustomLoginPolicyRequest) *command.ChangeLoginPolicy {
+	return &command.ChangeLoginPolicy{
 		AllowUsernamePassword:      p.AllowUsernamePassword,
 		AllowRegister:              p.AllowRegister,
 		AllowExternalIDP:           p.AllowExternalIdp,
@@ -51,6 +53,8 @@ func updateLoginPolicyToDomain(p *mgmt_pb.UpdateCustomLoginPolicyRequest) *domai
 		HidePasswordReset:          p.HidePasswordReset,
 		IgnoreUnknownUsernames:     p.IgnoreUnknownUsernames,
 		AllowDomainDiscovery:       p.AllowDomainDiscovery,
+		DisableLoginWithEmail:      p.DisableLoginWithEmail,
+		DisableLoginWithPhone:      p.DisableLoginWithPhone,
 		DefaultRedirectURI:         p.DefaultRedirectUri,
 		PasswordCheckLifetime:      p.PasswordCheckLifetime.AsDuration(),
 		ExternalLoginCheckLifetime: p.ExternalLoginCheckLifetime.AsDuration(),
--- a/internal/api/grpc/policy/login_policy.go
+++ b/internal/api/grpc/policy/login_policy.go
@@ -22,6 +22,8 @@ func ModelLoginPolicyToPb(policy *query.LoginPolicy) *policy_pb.LoginPolicy {
 		HidePasswordReset:          policy.HidePasswordReset,
 		IgnoreUnknownUsernames:     policy.IgnoreUnknownUsernames,
 		AllowDomainDiscovery:       policy.AllowDomainDiscovery,
+		DisableLoginWithEmail:      policy.DisableLoginWithEmail,
+		DisableLoginWithPhone:      policy.DisableLoginWithPhone,
 		DefaultRedirectUri:         policy.DefaultRedirectURI,
 		PasswordCheckLifetime:      durationpb.New(policy.PasswordCheckLifetime),
 		ExternalLoginCheckLifetime: durationpb.New(policy.ExternalLoginCheckLifetime),