fix: passwordless (#1116)

* fix passwordless session handling * only check passwordless when enabled in policy * set preferred user name in webauthn * fix tests * add passwordless in setup * fix(console): exclude credentials for passwordless (#1115) * fix: exclude creds * fix i18n type loginpolicy * fix enter on dialog input * remove arg Co-authored-by: Max Peintner <max@caos.ch>
2025-08-22 06:28:24 +00:00 · 2020-12-17 16:22:27 +01:00
parent c5287364a4
commit b183d49761
19 changed files with 194 additions and 40 deletions
--- a/internal/setup/config.go
+++ b/internal/setup/config.go
@@ -14,6 +14,7 @@ type IAMSetUp struct {
 	Step6 *Step6
 	Step7 *Step7
 	Step8 *Step8
+	Step9 *Step9
 }

 func (setup *IAMSetUp) steps(currentDone iam_model.Step) ([]step, error) {
@@ -29,6 +30,7 @@ func (setup *IAMSetUp) steps(currentDone iam_model.Step) ([]step, error) {
 		setup.Step6,
 		setup.Step7,
 		setup.Step8,
+		setup.Step9,
 	} {
 		if step.step() <= currentDone {
 			continue
--- a/internal/setup/step9.go
+++ b/internal/setup/step9.go
@@ -0,0 +1,74 @@
+package setup
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_sdk "github.com/caos/zitadel/internal/eventstore/sdk"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+type Step9 struct {
+	Passwordless bool
+
+	setup *Setup
+}
+
+func (step *Step9) isNil() bool {
+	return step == nil
+}
+
+func (step *Step9) step() iam_model.Step {
+	return iam_model.Step9
+}
+
+func (step *Step9) init(setup *Setup) {
+	step.setup = setup
+}
+
+func (step *Step9) execute(ctx context.Context) (*iam_model.IAM, error) {
+	if !step.Passwordless {
+		return step.setup.IamEvents.IAMByID(ctx, step.setup.iamID)
+	}
+	iam, agg, err := step.setPasswordlessAllowedInPolicy(ctx)
+	if err != nil {
+		logging.Log("SETUP-Gdbjq").WithField("step", step.step()).WithError(err).Error("unable to finish setup (add default mfa to login policy)")
+		return nil, err
+	}
+	iam, agg2, err := step.addMFAToPolicy(ctx)
+	if err != nil {
+		logging.Log("SETUP-Gdbjq").WithField("step", step.step()).WithError(err).Error("unable to finish setup (add default mfa to login policy)")
+		return nil, err
+	}
+	agg.Events = append(agg.Events, agg2.Events...)
+	iam, agg, push, err := step.setup.IamEvents.PrepareSetupDone(ctx, iam, agg, step.step())
+	if err != nil {
+		logging.Log("SETUP-Cnf21").WithField("step", step.step()).WithError(err).Error("unable to finish setup (prepare setup done)")
+		return nil, err
+	}
+	err = es_sdk.PushAggregates(ctx, push, iam.AppendEvents, agg)
+	if err != nil {
+		logging.Log("SETUP-NFq21").WithField("step", step.step()).WithError(err).Error("unable to finish setup")
+		return nil, err
+	}
+	return iam_es_model.IAMToModel(iam), nil
+}
+
+func (step *Step9) setPasswordlessAllowedInPolicy(ctx context.Context) (*iam_es_model.IAM, *models.Aggregate, error) {
+	logging.Log("SETUP-DAd1h").Info("enabling passwordless in loginPolicy")
+	iam, err := step.setup.IamEvents.IAMByID(ctx, step.setup.iamID)
+	if err != nil {
+		return nil, nil, err
+	}
+	iam.DefaultLoginPolicy.AggregateID = step.setup.iamID
+	iam.DefaultLoginPolicy.PasswordlessType = iam_model.PasswordlessTypeAllowed
+	return step.setup.IamEvents.PrepareChangeLoginPolicy(ctx, iam.DefaultLoginPolicy)
+}
+
+func (step *Step9) addMFAToPolicy(ctx context.Context) (*iam_es_model.IAM, *models.Aggregate, error) {
+	logging.Log("SETUP-DAd1h").Info("adding MFA to loginPolicy")
+	return step.setup.IamEvents.PrepareAddMultiFactorToLoginPolicy(ctx, step.setup.iamID, iam_model.MultiFactorTypeU2FWithPIN)
+}