fix(login): make sure first email verification is done before MFA check (#9039)

# Which Problems Are Solved During authentication in the login UI, there is a check if the user's MFA is already checked or needs to be setup. In cases where the user was just set up or especially, if the user was just federated without a verified email address, this can lead to the problem, where OTP Email cannot be setup as there's no verified email address. # How the Problems Are Solved - Added a check if there's no verified email address on the user and require a mail verification check before checking for MFA. Note: that if the user had a verified email address, but changed it and has not verified it, they will still be prompted with an MFA check before the email verification. This is make sure, we don't break the existing behavior and the user's authentication is properly checked. # Additional Changes None # Additional Context - closes https://github.com/zitadel/zitadel/issues/9035 (cherry picked from commit f20539ef8f)
2025-08-15 05:57:36 +00:00 · 2024-12-13 12:37:20 +01:00
parent 21baec924a
commit b9e351ab84
5 changed files with 66 additions and 6 deletions
--- a/internal/user/repository/view/model/user.go
+++ b/internal/user/repository/view/model/user.go
@@ -79,6 +79,7 @@ type HumanView struct {
 	AvatarKey                string         `json:"storeKey" gorm:"column:avatar_key"`
 	Email                    string         `json:"email" gorm:"column:email"`
 	IsEmailVerified          bool           `json:"-" gorm:"column:is_email_verified"`
+	VerifiedEmail            string         `json:"-" gorm:"column:verified_email"`
 	Phone                    string         `json:"phone" gorm:"column:phone"`
 	IsPhoneVerified          bool           `json:"-" gorm:"column:is_phone_verified"`
 	Country                  string         `json:"country" gorm:"column:country"`
@@ -170,6 +171,7 @@ func UserToModel(user *UserView) *model.UserView {
 			Gender:                   model.Gender(user.Gender),
 			Email:                    user.Email,
 			IsEmailVerified:          user.IsEmailVerified,
+			VerifiedEmail:            user.VerifiedEmail,
 			Phone:                    user.Phone,
 			IsPhoneVerified:          user.IsPhoneVerified,
 			Country:                  user.Country,
--- a/internal/user/repository/view/user_by_id.sql
+++ b/internal/user/repository/view/user_by_id.sql
@@ -42,6 +42,7 @@ SELECT
    , h.gender
    , h.email
    , h.is_email_verified
+    , n.verified_email
    , h.phone
    , h.is_phone_verified
    , (SELECT COALESCE((SELECT state FROM auth_methods WHERE method_type = 1), 0)) AS otp_state
@@ -77,6 +78,9 @@ FROM projections.users13 u
    LEFT JOIN projections.users13_humans h
        ON u.instance_id = h.instance_id
        AND u.id = h.user_id
+    LEFT JOIN projections.users13_notifications n
+        ON u.instance_id = n.instance_id
+        AND u.id = n.user_id
    LEFT JOIN projections.login_names3 l
        ON u.instance_id = l.instance_id
        AND u.id = l.user_id