feat(api): new session service (#5801)

* backup new protoc plugin * backup * session * backup * initial implementation * change to specific events * implement tests * cleanup * refactor: use new protoc plugin for api v2 * change package * simplify code * cleanup * cleanup * fix merge * start queries * fix tests * improve returned values * add token to projection * tests * test db map * update query * permission checks * fix tests and linting * rework token creation * i18n * refactor token check and fix tests * session to PB test * request to query tests * cleanup proto * test user check * add comment * simplify database map type * Update docs/docs/guides/integrate/access-zitadel-system-api.md Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> * fix test * cleanup * docs --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-12 07:57:32 +00:00 · 2023-05-05 17:34:53 +02:00
parent 74377c2c37
commit c2cb84cd24
55 changed files with 3911 additions and 106 deletions
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -20,6 +20,7 @@ import (
 	"github.com/zitadel/zitadel/internal/repository/org"
 	proj_repo "github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/quota"
+	"github.com/zitadel/zitadel/internal/repository/session"
 	usr_repo "github.com/zitadel/zitadel/internal/repository/user"
 	usr_grant_repo "github.com/zitadel/zitadel/internal/repository/usergrant"
 	"github.com/zitadel/zitadel/internal/static"
@@ -29,7 +30,7 @@ import (
 type Commands struct {
 	httpClient *http.Client

-	checkPermission permissionCheck
+	checkPermission domain.PermissionCheck
 	newEmailCode    func(ctx context.Context, filter preparation.FilterToQueryReducer, codeAlg crypto.EncryptionAlgorithm) (*CryptoCodeWithExpiry, error)

 	eventstore     *eventstore.Eventstore
@@ -50,6 +51,8 @@ type Commands struct {
 	domainVerificationAlg       crypto.EncryptionAlgorithm
 	domainVerificationGenerator crypto.Generator
 	domainVerificationValidator func(domain, token, verifier string, checkType api_http.CheckType) error
+	sessionTokenCreator         func(sessionID string) (id string, token string, err error)
+	sessionTokenVerifier        func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)

 	multifactors         domain.MultifactorConfigs
 	webauthnConfig       *webauthn_helper.Config
@@ -71,24 +74,21 @@ func StartCommands(
 	externalDomain string,
 	externalSecure bool,
 	externalPort uint16,
-	idpConfigEncryption,
-	otpEncryption,
-	smtpEncryption,
-	smsEncryption,
-	userEncryption,
-	domainVerificationEncryption,
-	oidcEncryption,
-	samlEncryption crypto.EncryptionAlgorithm,
+	idpConfigEncryption, otpEncryption, smtpEncryption, smsEncryption, userEncryption, domainVerificationEncryption, oidcEncryption, samlEncryption crypto.EncryptionAlgorithm,
 	httpClient *http.Client,
-	membershipsResolver authz.MembershipsResolver,
+	permissionCheck domain.PermissionCheck,
+	sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error),
 ) (repo *Commands, err error) {
 	if externalDomain == "" {
 		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-Df21s", "no external domain specified")
 	}
+	idGenerator := id.SonyFlakeGenerator()
+	// reuse the oidcEncryption to be able to handle both tokens in the interceptor later on
+	sessionAlg := oidcEncryption
 	repo = &Commands{
 		eventstore:            es,
 		static:                staticStore,
-		idGenerator:           id.SonyFlakeGenerator(),
+		idGenerator:           idGenerator,
 		zitadelRoles:          zitadelRoles,
 		externalDomain:        externalDomain,
 		externalSecure:        externalSecure,
@@ -107,10 +107,10 @@ func StartCommands(
 		certificateAlgorithm:  samlEncryption,
 		webauthnConfig:        webAuthN,
 		httpClient:            httpClient,
-		checkPermission: func(ctx context.Context, permission, orgID, resourceID string, allowSelf bool) (err error) {
-			return authz.CheckPermission(ctx, membershipsResolver, zitadelRoles, permission, orgID, resourceID, allowSelf)
-		},
-		newEmailCode: newEmailCode,
+		checkPermission:       permissionCheck,
+		newEmailCode:          newEmailCode,
+		sessionTokenCreator:   sessionTokenCreator(idGenerator, sessionAlg),
+		sessionTokenVerifier:  sessionTokenVerifier,
 	}

 	instance_repo.RegisterEventMappers(repo.eventstore)
@@ -121,6 +121,7 @@ func StartCommands(
 	keypair.RegisterEventMappers(repo.eventstore)
 	action.RegisterEventMappers(repo.eventstore)
 	quota.RegisterEventMappers(repo.eventstore)
+	session.RegisterEventMappers(repo.eventstore)

 	repo.userPasswordAlg = crypto.NewBCrypt(defaults.SecretGenerators.PasswordSaltCost)
 	repo.machineKeySize = int(defaults.SecretGenerators.MachineKeySize)
--- a/internal/command/main_test.go
+++ b/internal/command/main_test.go
@@ -10,6 +10,7 @@ import (
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/repository"
@@ -19,6 +20,7 @@ import (
 	key_repo "github.com/zitadel/zitadel/internal/repository/keypair"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	proj_repo "github.com/zitadel/zitadel/internal/repository/project"
+	"github.com/zitadel/zitadel/internal/repository/session"
 	usr_repo "github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/repository/usergrant"
 )
@@ -38,6 +40,7 @@ func eventstoreExpect(t *testing.T, expects ...expect) *eventstore.Eventstore {
 	usergrant.RegisterEventMappers(es)
 	key_repo.RegisterEventMappers(es)
 	action_repo.RegisterEventMappers(es)
+	session.RegisterEventMappers(es)
 	return es
 }

@@ -125,6 +128,11 @@ func expectFilter(events ...*repository.Event) expect {
 		m.ExpectFilterEvents(events...)
 	}
 }
+func expectFilterError(err error) expect {
+	return func(m *mock.MockRepository) {
+		m.ExpectFilterEventsError(err)
+	}
+}

 func expectFilterOrgDomainNotFound() expect {
 	return func(m *mock.MockRepository) {
@@ -250,14 +258,14 @@ func (m *mockInstance) SecurityPolicyAllowedOrigins() []string {
 	return nil
 }

-func newMockPermissionCheckAllowed() permissionCheck {
-	return func(ctx context.Context, permission, orgID, resourceID string, allowSelf bool) (err error) {
+func newMockPermissionCheckAllowed() domain.PermissionCheck {
+	return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
 		return nil
 	}
 }

-func newMockPermissionCheckNotAllowed() permissionCheck {
-	return func(ctx context.Context, permission, orgID, resourceID string, allowSelf bool) (err error) {
+func newMockPermissionCheckNotAllowed() domain.PermissionCheck {
+	return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
 		return errors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied")
 	}
 }
--- a/internal/command/permission.go
+++ b/internal/command/permission.go
@@ -1,11 +0,0 @@
-package command
-
-import (
-	"context"
-)
-
-type permissionCheck func(ctx context.Context, permission, orgID, resourceID string, allowSelf bool) (err error)
-
-const (
-	permissionUserWrite = "user.write"
-)
--- a/internal/command/session.go
+++ b/internal/command/session.go
@@ -0,0 +1,225 @@
+package command
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/repository/session"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+type SessionCheck func(ctx context.Context, cmd *SessionChecks) error
+
+type SessionChecks struct {
+	checks []SessionCheck
+
+	sessionWriteModel  *SessionWriteModel
+	passwordWriteModel *HumanPasswordWriteModel
+	eventstore         *eventstore.Eventstore
+	userPasswordAlg    crypto.HashAlgorithm
+	createToken        func(sessionID string) (id string, token string, err error)
+	now                func() time.Time
+}
+
+func (c *Commands) NewSessionChecks(checks []SessionCheck, session *SessionWriteModel) *SessionChecks {
+	return &SessionChecks{
+		checks:            checks,
+		sessionWriteModel: session,
+		eventstore:        c.eventstore,
+		userPasswordAlg:   c.userPasswordAlg,
+		createToken:       c.sessionTokenCreator,
+		now:               time.Now,
+	}
+}
+
+// CheckUser defines a user check to be executed for a session update
+func CheckUser(id string) SessionCheck {
+	return func(ctx context.Context, cmd *SessionChecks) error {
+		if cmd.sessionWriteModel.UserID != "" && id != "" && cmd.sessionWriteModel.UserID != id {
+			return caos_errs.ThrowInvalidArgument(nil, "", "user change not possible")
+		}
+		return cmd.sessionWriteModel.UserChecked(ctx, id, cmd.now())
+	}
+}
+
+// CheckPassword defines a password check to be executed for a session update
+func CheckPassword(password string) SessionCheck {
+	return func(ctx context.Context, cmd *SessionChecks) error {
+		if cmd.sessionWriteModel.UserID == "" {
+			return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Sfw3f", "Errors.User.UserIDMissing")
+		}
+		cmd.passwordWriteModel = NewHumanPasswordWriteModel(cmd.sessionWriteModel.UserID, "")
+		err := cmd.eventstore.FilterToQueryReducer(ctx, cmd.passwordWriteModel)
+		if err != nil {
+			return err
+		}
+		if cmd.passwordWriteModel.UserState == domain.UserStateUnspecified || cmd.passwordWriteModel.UserState == domain.UserStateDeleted {
+			return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Df4b3", "Errors.User.NotFound")
+		}
+
+		if cmd.passwordWriteModel.Secret == nil {
+			return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-WEf3t", "Errors.User.Password.NotSet")
+		}
+		ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash")
+		err = crypto.CompareHash(cmd.passwordWriteModel.Secret, []byte(password), cmd.userPasswordAlg)
+		spanPasswordComparison.EndWithError(err)
+		if err != nil {
+			//TODO: maybe we want to reset the session in the future https://github.com/zitadel/zitadel/issues/5807
+			return caos_errs.ThrowInvalidArgument(err, "COMMAND-SAF3g", "Errors.User.Password.Invalid")
+		}
+		cmd.sessionWriteModel.PasswordChecked(ctx, cmd.now())
+		return nil
+	}
+}
+
+// Check will execute the checks specified and return an error on the first occurrence
+func (s *SessionChecks) Check(ctx context.Context) error {
+	for _, check := range s.checks {
+		if err := check(ctx, s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *SessionChecks) commands(ctx context.Context) (string, []eventstore.Command, error) {
+	if len(s.sessionWriteModel.commands) == 0 {
+		return "", nil, nil
+	}
+
+	tokenID, token, err := s.createToken(s.sessionWriteModel.AggregateID)
+	if err != nil {
+		return "", nil, err
+	}
+	s.sessionWriteModel.SetToken(ctx, tokenID)
+	return token, s.sessionWriteModel.commands, nil
+}
+
+func (c *Commands) CreateSession(ctx context.Context, checks []SessionCheck, metadata map[string][]byte) (set *SessionChanged, err error) {
+	sessionID, err := c.idGenerator.Next()
+	if err != nil {
+		return nil, err
+	}
+	sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetCtxData(ctx).OrgID)
+	err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
+	if err != nil {
+		return nil, err
+	}
+	cmd := c.NewSessionChecks(checks, sessionWriteModel)
+	cmd.sessionWriteModel.Start(ctx)
+	return c.updateSession(ctx, cmd, metadata)
+}
+
+func (c *Commands) UpdateSession(ctx context.Context, sessionID, sessionToken string, checks []SessionCheck, metadata map[string][]byte) (set *SessionChanged, err error) {
+	sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetCtxData(ctx).OrgID)
+	err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
+	if err != nil {
+		return nil, err
+	}
+	if err := c.sessionPermission(ctx, sessionWriteModel, sessionToken, domain.PermissionSessionWrite); err != nil {
+		return nil, err
+	}
+	cmd := c.NewSessionChecks(checks, sessionWriteModel)
+	return c.updateSession(ctx, cmd, metadata)
+}
+
+func (c *Commands) TerminateSession(ctx context.Context, sessionID, sessionToken string) (*domain.ObjectDetails, error) {
+	sessionWriteModel := NewSessionWriteModel(sessionID, "")
+	if err := c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel); err != nil {
+		return nil, err
+	}
+	if err := c.sessionPermission(ctx, sessionWriteModel, sessionToken, domain.PermissionSessionDelete); err != nil {
+		return nil, err
+	}
+	if sessionWriteModel.State != domain.SessionStateActive {
+		return writeModelToObjectDetails(&sessionWriteModel.WriteModel), nil
+	}
+	terminate := session.NewTerminateEvent(ctx, &session.NewAggregate(sessionWriteModel.AggregateID, sessionWriteModel.ResourceOwner).Aggregate)
+	pushedEvents, err := c.eventstore.Push(ctx, terminate)
+	if err != nil {
+		return nil, err
+	}
+	err = AppendAndReduce(sessionWriteModel, pushedEvents...)
+	if err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(&sessionWriteModel.WriteModel), nil
+}
+
+// updateSession execute the [SessionChecks] where new events will be created and as well as for metadata (changes)
+func (c *Commands) updateSession(ctx context.Context, checks *SessionChecks, metadata map[string][]byte) (set *SessionChanged, err error) {
+	if checks.sessionWriteModel.State == domain.SessionStateTerminated {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMAND-SAjeh", "Errors.Session.Terminated")
+	}
+	if err := checks.Check(ctx); err != nil {
+		// TODO: how to handle failed checks (e.g. pw wrong) https://github.com/zitadel/zitadel/issues/5807
+		return nil, err
+	}
+	checks.sessionWriteModel.ChangeMetadata(ctx, metadata)
+	sessionToken, cmds, err := checks.commands(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if len(cmds) == 0 {
+		return sessionWriteModelToSessionChanged(checks.sessionWriteModel), nil
+	}
+	pushedEvents, err := c.eventstore.Push(ctx, cmds...)
+	if err != nil {
+		return nil, err
+	}
+	err = AppendAndReduce(checks.sessionWriteModel, pushedEvents...)
+	if err != nil {
+		return nil, err
+	}
+	changed := sessionWriteModelToSessionChanged(checks.sessionWriteModel)
+	changed.NewToken = sessionToken
+	return changed, nil
+}
+
+// sessionPermission will check that the provided sessionToken is correct or
+// if empty, check that the caller is granted the necessary permission
+func (c *Commands) sessionPermission(ctx context.Context, sessionWriteModel *SessionWriteModel, sessionToken, permission string) (err error) {
+	if sessionToken == "" {
+		return c.checkPermission(ctx, permission, authz.GetCtxData(ctx).OrgID, sessionWriteModel.AggregateID)
+	}
+	return c.sessionTokenVerifier(ctx, sessionToken, sessionWriteModel.AggregateID, sessionWriteModel.TokenID)
+}
+
+func sessionTokenCreator(idGenerator id.Generator, sessionAlg crypto.EncryptionAlgorithm) func(sessionID string) (id string, token string, err error) {
+	return func(sessionID string) (id string, token string, err error) {
+		id, err = idGenerator.Next()
+		if err != nil {
+			return "", "", err
+		}
+		encrypted, err := sessionAlg.Encrypt([]byte(fmt.Sprintf(authz.SessionTokenFormat, sessionID, id)))
+		if err != nil {
+			return "", "", err
+		}
+		return id, base64.RawURLEncoding.EncodeToString(encrypted), nil
+	}
+}
+
+type SessionChanged struct {
+	*domain.ObjectDetails
+	ID       string
+	NewToken string
+}
+
+func sessionWriteModelToSessionChanged(wm *SessionWriteModel) *SessionChanged {
+	return &SessionChanged{
+		ObjectDetails: &domain.ObjectDetails{
+			Sequence:      wm.ProcessedSequence,
+			EventDate:     wm.ChangeDate,
+			ResourceOwner: wm.ResourceOwner,
+		},
+		ID: wm.AggregateID,
+	}
+}
--- a/internal/command/session_model.go
+++ b/internal/command/session_model.go
@@ -0,0 +1,139 @@
+package command
+
+import (
+	"bytes"
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/session"
+)
+
+type SessionWriteModel struct {
+	eventstore.WriteModel
+
+	TokenID           string
+	UserID            string
+	UserCheckedAt     time.Time
+	PasswordCheckedAt time.Time
+	Metadata          map[string][]byte
+	State             domain.SessionState
+
+	commands  []eventstore.Command
+	aggregate *eventstore.Aggregate
+}
+
+func NewSessionWriteModel(sessionID string, resourceOwner string) *SessionWriteModel {
+	return &SessionWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   sessionID,
+			ResourceOwner: resourceOwner,
+		},
+		Metadata:  make(map[string][]byte),
+		aggregate: &session.NewAggregate(sessionID, resourceOwner).Aggregate,
+	}
+}
+
+func (wm *SessionWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *session.AddedEvent:
+			wm.reduceAdded(e)
+		case *session.UserCheckedEvent:
+			wm.reduceUserChecked(e)
+		case *session.PasswordCheckedEvent:
+			wm.reducePasswordChecked(e)
+		case *session.TokenSetEvent:
+			wm.reduceTokenSet(e)
+		case *session.TerminateEvent:
+			wm.reduceTerminate()
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *SessionWriteModel) Query() *eventstore.SearchQueryBuilder {
+	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		AddQuery().
+		AggregateTypes(session.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(
+			session.AddedType,
+			session.UserCheckedType,
+			session.PasswordCheckedType,
+			session.TokenSetType,
+			session.MetadataSetType,
+			session.TerminateType,
+		).
+		Builder()
+
+	if wm.ResourceOwner != "" {
+		query.ResourceOwner(wm.ResourceOwner)
+	}
+	return query
+}
+
+func (wm *SessionWriteModel) reduceAdded(e *session.AddedEvent) {
+	wm.State = domain.SessionStateActive
+}
+
+func (wm *SessionWriteModel) reduceUserChecked(e *session.UserCheckedEvent) {
+	wm.UserID = e.UserID
+	wm.UserCheckedAt = e.CheckedAt
+}
+
+func (wm *SessionWriteModel) reducePasswordChecked(e *session.PasswordCheckedEvent) {
+	wm.PasswordCheckedAt = e.CheckedAt
+}
+
+func (wm *SessionWriteModel) reduceTokenSet(e *session.TokenSetEvent) {
+	wm.TokenID = e.TokenID
+}
+
+func (wm *SessionWriteModel) reduceTerminate() {
+	wm.State = domain.SessionStateTerminated
+}
+
+func (wm *SessionWriteModel) Start(ctx context.Context) {
+	wm.commands = append(wm.commands, session.NewAddedEvent(ctx, wm.aggregate))
+}
+
+func (wm *SessionWriteModel) UserChecked(ctx context.Context, userID string, checkedAt time.Time) error {
+	wm.commands = append(wm.commands, session.NewUserCheckedEvent(ctx, wm.aggregate, userID, checkedAt))
+	// set the userID so other checks can use it
+	wm.UserID = userID
+	return nil
+}
+
+func (wm *SessionWriteModel) PasswordChecked(ctx context.Context, checkedAt time.Time) {
+	wm.commands = append(wm.commands, session.NewPasswordCheckedEvent(ctx, wm.aggregate, checkedAt))
+}
+
+func (wm *SessionWriteModel) SetToken(ctx context.Context, tokenID string) {
+	wm.commands = append(wm.commands, session.NewTokenSetEvent(ctx, wm.aggregate, tokenID))
+}
+
+func (wm *SessionWriteModel) ChangeMetadata(ctx context.Context, metadata map[string][]byte) {
+	var changed bool
+	for key, value := range metadata {
+		currentValue, exists := wm.Metadata[key]
+
+		if len(value) != 0 {
+			// if a value is provided, and it's not equal, change it
+			if !bytes.Equal(currentValue, value) {
+				wm.Metadata[key] = value
+				changed = true
+			}
+		} else {
+			// if there's no / an empty value, we only need to remove it on existing entries
+			if exists {
+				delete(wm.Metadata, key)
+				changed = true
+			}
+		}
+	}
+	if changed {
+		wm.commands = append(wm.commands, session.NewMetadataSetEvent(ctx, wm.aggregate, wm.Metadata))
+	}
+}
--- a/internal/command/session_test.go
+++ b/internal/command/session_test.go
@@ -0,0 +1,547 @@
+package command
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/id/mock"
+	"github.com/zitadel/zitadel/internal/repository/session"
+	"github.com/zitadel/zitadel/internal/repository/user"
+)
+
+func TestCommands_CreateSession(t *testing.T) {
+	type fields struct {
+		eventstore   *eventstore.Eventstore
+		idGenerator  id.Generator
+		tokenCreator func(sessionID string) (string, string, error)
+	}
+	type args struct {
+		ctx      context.Context
+		checks   []SessionCheck
+		metadata map[string][]byte
+	}
+	type res struct {
+		want *SessionChanged
+		err  error
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"id generator fails",
+			fields{
+				idGenerator: mock.NewIDGeneratorExpectError(t, caos_errs.ThrowInternal(nil, "id", "generator failed")),
+			},
+			args{
+				ctx: context.Background(),
+			},
+			res{
+				err: caos_errs.ThrowInternal(nil, "id", "generator failed"),
+			},
+		},
+		{
+			"eventstore failed",
+			fields{
+				idGenerator: mock.NewIDGeneratorExpectIDs(t, "sessionID"),
+				eventstore: eventstoreExpect(t,
+					expectFilterError(caos_errs.ThrowInternal(nil, "id", "filter failed")),
+				),
+			},
+			args{
+				ctx: context.Background(),
+			},
+			res{
+				err: caos_errs.ThrowInternal(nil, "id", "filter failed"),
+			},
+		},
+		{
+			"empty session",
+			fields{
+				idGenerator: mock.NewIDGeneratorExpectIDs(t, "sessionID"),
+				eventstore: eventstoreExpect(t,
+					expectFilter(),
+					expectPush(
+						eventPusherToEvents(
+							session.NewAddedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate),
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID",
+							),
+						),
+					),
+				),
+				tokenCreator: func(sessionID string) (string, string, error) {
+					return "tokenID",
+						"token",
+						nil
+				},
+			},
+			args{
+				ctx: authz.NewMockContext("", "org1", ""),
+			},
+			res{
+				want: &SessionChanged{
+					ObjectDetails: &domain.ObjectDetails{ResourceOwner: "org1"},
+					ID:            "sessionID",
+					NewToken:      "token",
+				},
+			},
+		},
+		// the rest is tested in the Test_updateSession
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:          tt.fields.eventstore,
+				idGenerator:         tt.fields.idGenerator,
+				sessionTokenCreator: tt.fields.tokenCreator,
+			}
+			got, err := c.CreateSession(tt.args.ctx, tt.args.checks, tt.args.metadata)
+			require.ErrorIs(t, err, tt.res.err)
+			assert.Equal(t, tt.res.want, got)
+		})
+	}
+}
+
+func TestCommands_UpdateSession(t *testing.T) {
+	type fields struct {
+		eventstore    *eventstore.Eventstore
+		tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
+	}
+	type args struct {
+		ctx          context.Context
+		sessionID    string
+		sessionToken string
+		checks       []SessionCheck
+		metadata     map[string][]byte
+	}
+	type res struct {
+		want *SessionChanged
+		err  error
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"eventstore failed",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilterError(caos_errs.ThrowInternal(nil, "id", "filter failed")),
+				),
+			},
+			args{
+				ctx: context.Background(),
+			},
+			res{
+				err: caos_errs.ThrowInternal(nil, "id", "filter failed"),
+			},
+		},
+		{
+			"invalid session token",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID")),
+					),
+				),
+				tokenVerifier: func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+					return caos_errs.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid")
+				},
+			},
+			args{
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "invalid",
+			},
+			res{
+				err: caos_errs.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"),
+			},
+		},
+		{
+			"no change",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID")),
+					),
+				),
+				tokenVerifier: func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+					return nil
+				},
+			},
+			args{
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "token",
+			},
+			res{
+				want: &SessionChanged{
+					ObjectDetails: &domain.ObjectDetails{
+						ResourceOwner: "org1",
+					},
+					ID:       "sessionID",
+					NewToken: "",
+				},
+			},
+		},
+		// the rest is tested in the Test_updateSession
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:           tt.fields.eventstore,
+				sessionTokenVerifier: tt.fields.tokenVerifier,
+			}
+			got, err := c.UpdateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken, tt.args.checks, tt.args.metadata)
+			require.ErrorIs(t, err, tt.res.err)
+			assert.Equal(t, tt.res.want, got)
+		})
+	}
+}
+
+func TestCommands_updateSession(t *testing.T) {
+	testNow := time.Now()
+	type fields struct {
+		eventstore *eventstore.Eventstore
+	}
+	type args struct {
+		ctx      context.Context
+		checks   *SessionChecks
+		metadata map[string][]byte
+	}
+	type res struct {
+		want *SessionChanged
+		err  error
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"terminated",
+			fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args{
+				ctx: context.Background(),
+				checks: &SessionChecks{
+					sessionWriteModel: &SessionWriteModel{State: domain.SessionStateTerminated},
+				},
+			},
+			res{
+				err: caos_errs.ThrowPreconditionFailed(nil, "COMAND-SAjeh", "Errors.Session.Terminated"),
+			},
+		},
+		{
+			"check failed",
+			fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args{
+				ctx: context.Background(),
+				checks: &SessionChecks{
+					sessionWriteModel: NewSessionWriteModel("sessionID", "org1"),
+					checks: []SessionCheck{
+						func(ctx context.Context, cmd *SessionChecks) error {
+							return caos_errs.ThrowInternal(nil, "id", "check failed")
+						},
+					},
+				},
+			},
+			res{
+				err: caos_errs.ThrowInternal(nil, "id", "check failed"),
+			},
+		},
+		{
+			"no change",
+			fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args{
+				ctx: context.Background(),
+				checks: &SessionChecks{
+					sessionWriteModel: NewSessionWriteModel("sessionID", "org1"),
+					checks:            []SessionCheck{},
+				},
+			},
+			res{
+				want: &SessionChanged{
+					ObjectDetails: &domain.ObjectDetails{
+						ResourceOwner: "org1",
+					},
+					ID:       "sessionID",
+					NewToken: "",
+				},
+			},
+		},
+		{
+			"set user, password, metadata and token",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectPush(
+						eventPusherToEvents(
+							session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"userID", testNow),
+							session.NewPasswordCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								testNow),
+							session.NewMetadataSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								map[string][]byte{"key": []byte("value")}),
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID"),
+						),
+					),
+				),
+			},
+			args{
+				ctx: context.Background(),
+				checks: &SessionChecks{
+					sessionWriteModel: NewSessionWriteModel("sessionID", "org1"),
+					checks: []SessionCheck{
+						CheckUser("userID"),
+						CheckPassword("password"),
+					},
+					eventstore: eventstoreExpect(t,
+						expectFilter(
+							eventFromEventPusher(
+								user.NewHumanAddedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate,
+									"username", "", "", "", "", language.English, domain.GenderUnspecified, "", false),
+							),
+							eventFromEventPusher(
+								user.NewHumanPasswordChangedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate,
+									&crypto.CryptoValue{
+										CryptoType: crypto.TypeHash,
+										Algorithm:  "hash",
+										KeyID:      "",
+										Crypted:    []byte("password"),
+									}, false, ""),
+							),
+						),
+					),
+					createToken: func(sessionID string) (string, string, error) {
+						return "tokenID",
+							"token",
+							nil
+					},
+					userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
+					now: func() time.Time {
+						return testNow
+					},
+				},
+				metadata: map[string][]byte{
+					"key": []byte("value"),
+				},
+			},
+			res{
+				want: &SessionChanged{
+					ObjectDetails: &domain.ObjectDetails{
+						ResourceOwner: "org1",
+					},
+					ID:       "sessionID",
+					NewToken: "token",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore: tt.fields.eventstore,
+			}
+			got, err := c.updateSession(tt.args.ctx, tt.args.checks, tt.args.metadata)
+			require.ErrorIs(t, err, tt.res.err)
+			assert.Equal(t, tt.res.want, got)
+		})
+	}
+}
+
+func TestCommands_TerminateSession(t *testing.T) {
+	type fields struct {
+		eventstore    *eventstore.Eventstore
+		tokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
+	}
+	type args struct {
+		ctx          context.Context
+		sessionID    string
+		sessionToken string
+	}
+	type res struct {
+		want *domain.ObjectDetails
+		err  error
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"eventstore failed",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilterError(caos_errs.ThrowInternal(nil, "id", "filter failed")),
+				),
+			},
+			args{
+				ctx: context.Background(),
+			},
+			res{
+				err: caos_errs.ThrowInternal(nil, "id", "filter failed"),
+			},
+		},
+		{
+			"invalid session token",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID")),
+					),
+				),
+				tokenVerifier: func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+					return caos_errs.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid")
+				},
+			},
+			args{
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "invalid",
+			},
+			res{
+				err: caos_errs.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"),
+			},
+		},
+		{
+			"not active",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID")),
+						eventFromEventPusher(
+							session.NewTerminateEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+					),
+				),
+				tokenVerifier: func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+					return nil
+				},
+			},
+			args{
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "token",
+			},
+			res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"push failed",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID"),
+						),
+					),
+					expectPushFailed(
+						caos_errs.ThrowInternal(nil, "id", "pushed failed"),
+						eventPusherToEvents(
+							session.NewTerminateEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+					),
+				),
+				tokenVerifier: func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+					return nil
+				},
+			},
+			args{
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "token",
+			},
+			res{
+				err: caos_errs.ThrowInternal(nil, "id", "pushed failed"),
+			},
+		},
+		{
+			"terminate",
+			fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+						eventFromEventPusher(
+							session.NewTokenSetEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate,
+								"tokenID"),
+						),
+					),
+					expectPush(
+						eventPusherToEvents(
+							session.NewTerminateEvent(context.Background(), &session.NewAggregate("sessionID", "org1").Aggregate)),
+					),
+				),
+				tokenVerifier: func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error) {
+					return nil
+				},
+			},
+			args{
+				ctx:          context.Background(),
+				sessionID:    "sessionID",
+				sessionToken: "token",
+			},
+			res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:           tt.fields.eventstore,
+				sessionTokenVerifier: tt.fields.tokenVerifier,
+			}
+			got, err := c.TerminateSession(tt.args.ctx, tt.args.sessionID, tt.args.sessionToken)
+			require.ErrorIs(t, err, tt.res.err)
+			assert.Equal(t, tt.res.want, got)
+		})
+	}
+}
--- a/internal/command/user_v2_email.go
+++ b/internal/command/user_v2_email.go
@@ -6,6 +6,7 @@ import (

 	"github.com/zitadel/logging"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
@@ -42,7 +43,7 @@ func (c *Commands) ChangeUserEmailVerified(ctx context.Context, userID, resource
 	if err != nil {
 		return nil, err
 	}
-	if err = c.checkPermission(ctx, permissionUserWrite, cmd.aggregate.ResourceOwner, userID, false); err != nil {
+	if err = c.checkPermission(ctx, domain.PermissionUserWrite, cmd.aggregate.ResourceOwner, userID); err != nil {
 		return nil, err
 	}
 	if err = cmd.Change(ctx, domain.EmailAddress(email)); err != nil {
@@ -70,8 +71,10 @@ func (c *Commands) changeUserEmailWithGenerator(ctx context.Context, userID, res
 	if err != nil {
 		return nil, err
 	}
-	if err = c.checkPermission(ctx, permissionUserWrite, cmd.aggregate.ResourceOwner, userID, true); err != nil {
-		return nil, err
+	if authz.GetCtxData(ctx).UserID != userID {
+		if err = c.checkPermission(ctx, domain.PermissionUserWrite, cmd.aggregate.ResourceOwner, userID); err != nil {
+			return nil, err
+		}
 	}
 	if err = cmd.Change(ctx, domain.EmailAddress(email)); err != nil {
 		return nil, err
--- a/internal/command/user_v2_email_test.go
+++ b/internal/command/user_v2_email_test.go
@@ -24,7 +24,7 @@ import (
 func TestCommands_ChangeUserEmail(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
-		checkPermission permissionCheck
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		userID        string
@@ -174,7 +174,7 @@ func TestCommands_ChangeUserEmail(t *testing.T) {
 func TestCommands_ChangeUserEmailURLTemplate(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
-		checkPermission permissionCheck
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		userID        string
@@ -300,7 +300,7 @@ func TestCommands_ChangeUserEmailURLTemplate(t *testing.T) {
 func TestCommands_ChangeUserEmailReturnCode(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
-		checkPermission permissionCheck
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		userID        string
@@ -410,7 +410,7 @@ func TestCommands_ChangeUserEmailReturnCode(t *testing.T) {
 func TestCommands_ChangeUserEmailVerified(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
-		checkPermission permissionCheck
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		userID        string
@@ -569,7 +569,7 @@ func TestCommands_ChangeUserEmailVerified(t *testing.T) {
 func TestCommands_changeUserEmailWithGenerator(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
-		checkPermission permissionCheck
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		userID        string