feat(api): add otp (sms and email) checks in session api (#6422)

* feat: add otp (sms and email) checks in session api * implement sending * fix tests * add tests * add integration tests * fix merge main and add tests * put default OTP Email url into config --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-15 03:07:36 +00:00 · 2023-08-24 11:41:52 +02:00
parent 29fa3d417c
commit bb40e173bd
27 changed files with 2077 additions and 151 deletions
--- a/proto/zitadel/session/v2alpha/challenge.proto
+++ b/proto/zitadel/session/v2alpha/challenge.proto
@@ -37,8 +37,33 @@ message RequestChallenges {
      }
    ];
  }
+  message OTPSMS {
+    bool return_code = 1;
+  }
+  message OTPEmail {
+    message SendCode {
+      optional string url_template = 1 [
+        (validate.rules).string = {min_len: 1, max_len: 200},
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+          min_length: 1;
+          max_length: 200;
+          example: "\"https://example.com/otp/verify?userID={{.UserID}}&code={{.Code}}\"";
+          description: "\"Optionally set a url_template, which will be used in the mail sent by ZITADEL to guide the user to your verification page. If no template is set, the default ZITADEL url will be used.\""
+        }
+      ];
+    }
+    message ReturnCode {}
+
+    // if no delivery_type is specified, an email is sent with the default url
+    oneof delivery_type {
+      SendCode send_code = 2;
+      ReturnCode return_code = 3;
+    }
+  }

  optional WebAuthN web_auth_n = 1;
+  optional OTPSMS otp_sms = 2;
+  optional OTPEmail otp_email = 3;
 }

 message Challenges {
@@ -52,4 +77,6 @@ message Challenges {
  }

  optional WebAuthN web_auth_n = 1;
+  optional string otp_sms = 2;
+  optional string otp_email = 3;
 }
--- a/proto/zitadel/session/v2alpha/session.proto
+++ b/proto/zitadel/session/v2alpha/session.proto
@@ -47,6 +47,8 @@ message Factors {
  WebAuthNFactor web_auth_n = 3;
  IntentFactor intent = 4;
  TOTPFactor totp = 5;
+  OTPFactor otp_sms = 6;
+  OTPFactor otp_email = 7;
 }

 message UserFactor {
@@ -110,6 +112,14 @@ message TOTPFactor {
  ];
 }

+message OTPFactor {
+  google.protobuf.Timestamp verified_at = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "\"time when the One-Time Password was last checked\"";
+    }
+  ];
+}
+
 message SearchQuery {
  oneof query {
    option (validate.required) = true;
--- a/proto/zitadel/session/v2alpha/session_service.proto
+++ b/proto/zitadel/session/v2alpha/session_service.proto
@@ -380,6 +380,16 @@ message Checks {
      description: "\"Checks the Time-based One-Time Password and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
    }
  ];
+  optional CheckOTP otp_sms = 6 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "\"Checks the One-Time Password sent over SMS and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
+    }
+  ];
+  optional CheckOTP otp_email = 7 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "\"Checks the One-Time Password sent over Email and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
+    }
+  ];
 }

 message CheckUser {
@@ -456,4 +466,14 @@ message CheckTOTP {
      example: "\"323764\"";
    }
  ];
+}
+
+message CheckOTP {
+  string otp = 1 [
+    (validate.rules).string = {min_len: 1},
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1;
+      example: "\"3237642\"";
+    }
+  ];
 }