feat: call webhooks at least once (#5454)

* feat: call webhooks at least once

* self review

* feat: improve notification observability

* feat: add notification tracing

* test(e2e): test at-least-once webhook delivery

* fix webhook notifications

* dedicated quota notifications handler

* fix linting

* fix e2e test

* wait less in e2e test

* fix: don't ignore failed events in handlers

* fix: don't ignore failed events in handlers

* faster requeues

* question

* fix retries

* fix retries

* retry

* don't instance ids query

* revert handler_projection

* statements can be nil

* cleanup

* make unit tests pass

* add comments

* add comments

* lint

* spool only active instances

* feat(config): handle inactive instances

* customizable HandleInactiveInstances

* call inactive instances quota webhooks

* test: handling with and w/o inactive instances

* omit retrying noop statements

* docs: describe projection options

* enable global handling of inactive instances

* self review

* requeue quota notifications every 5m

* remove caos_errors reference

* fix comment styles

* make handlers package flat

* fix linting

* fix repeating quota notifications

* test with more usage

* debug log channel init failures

internal/notification/handlers/already_handled.go

@@ -0,0 +1,27 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user"
+)
+
+func (n *NotificationQueries) IsAlreadyHandled(ctx context.Context, event eventstore.Event, data map[string]interface{}, eventTypes ...eventstore.EventType) (bool, error) {
+	events, err := n.es.Filter(
+		ctx,
+		eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+			InstanceID(event.Aggregate().InstanceID).
+			AddQuery().
+			AggregateTypes(user.AggregateType).
+			AggregateIDs(event.Aggregate().ID).
+			SequenceGreater(event.Sequence()).
+			EventTypes(eventTypes...).
+			EventData(data).
+			Builder(),
+	)
+	if err != nil {
+		return false, err
+	}
+	return len(events) > 0, nil
+}

internal/notification/handlers/config_filesystem.go

@@ -0,0 +1,21 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/notification/channels/fs"
+)
+
+// GetFileSystemProvider reads the iam filesystem provider config
+func (n *NotificationQueries) GetFileSystemProvider(ctx context.Context) (*fs.Config, error) {
+	config, err := n.NotificationProviderByIDAndType(ctx, authz.GetInstance(ctx).InstanceID(), domain.NotificationProviderTypeFile)
+	if err != nil {
+		return nil, err
+	}
+	return &fs.Config{
+		Compact: config.Compact,
+		Path:    n.fileSystemPath,
+	}, nil
+}

internal/notification/handlers/config_log.go

@@ -0,0 +1,20 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/notification/channels/log"
+)
+
+// GetLogProvider reads the iam log provider config
+func (n *NotificationQueries) GetLogProvider(ctx context.Context) (*log.Config, error) {
+	config, err := n.NotificationProviderByIDAndType(ctx, authz.GetInstance(ctx).InstanceID(), domain.NotificationProviderTypeLog)
+	if err != nil {
+		return nil, err
+	}
+	return &log.Config{
+		Compact: config.Compact,
+	}, nil
+}

internal/notification/handlers/config_smtp.go

@@ -0,0 +1,31 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/notification/channels/smtp"
+)
+
+// GetSMTPConfig reads the iam SMTP provider config
+func (n *NotificationQueries) GetSMTPConfig(ctx context.Context) (*smtp.Config, error) {
+	config, err := n.SMTPConfigByAggregateID(ctx, authz.GetInstance(ctx).InstanceID())
+	if err != nil {
+		return nil, err
+	}
+	password, err := crypto.DecryptString(config.Password, n.SMTPPasswordCrypto)
+	if err != nil {
+		return nil, err
+	}
+	return &smtp.Config{
+		From:     config.SenderAddress,
+		FromName: config.SenderName,
+		Tls:      config.TLS,
+		SMTP: smtp.SMTP{
+			Host:     config.Host,
+			User:     config.User,
+			Password: password,
+		},
+	}, nil
+}

internal/notification/handlers/config_twilio.go

@@ -0,0 +1,35 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/notification/channels/twilio"
+	"github.com/zitadel/zitadel/internal/query"
+)
+
+// GetTwilioConfig reads the iam Twilio provider config
+func (n *NotificationQueries) GetTwilioConfig(ctx context.Context) (*twilio.Config, error) {
+	active, err := query.NewSMSProviderStateQuery(domain.SMSConfigStateActive)
+	if err != nil {
+		return nil, err
+	}
+	config, err := n.SMSProviderConfig(ctx, active)
+	if err != nil {
+		return nil, err
+	}
+	if config.TwilioConfig == nil {
+		return nil, errors.ThrowNotFound(nil, "HANDLER-8nfow", "Errors.SMS.Twilio.NotFound")
+	}
+	token, err := crypto.DecryptString(config.TwilioConfig.Token, n.SMSTokenCrypto)
+	if err != nil {
+		return nil, err
+	}
+	return &twilio.Config{
+		SID:          config.TwilioConfig.SID,
+		Token:        token,
+		SenderNumber: config.TwilioConfig.SenderNumber,
+	}, nil
+}

internal/notification/handlers/ctx.go

@@ -0,0 +1,15 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const NotifyUserID = "NOTIFICATION" //TODO: system?
+
+func HandlerContext(event eventstore.Aggregate) context.Context {
+	ctx := authz.WithInstanceID(context.Background(), event.InstanceID)
+	return authz.SetCtxData(ctx, authz.CtxData{UserID: NotifyUserID, OrgID: event.ResourceOwner})
+}

internal/notification/handlers/origin.go

@@ -0,0 +1,28 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	http_utils "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query"
+)
+
+func (n *NotificationQueries) Origin(ctx context.Context) (context.Context, string, error) {
+	primary, err := query.NewInstanceDomainPrimarySearchQuery(true)
+	if err != nil {
+		return ctx, "", err
+	}
+	domains, err := n.SearchInstanceDomains(ctx, &query.InstanceDomainSearchQueries{
+		Queries: []query.SearchQuery{primary},
+	})
+	if err != nil {
+		return ctx, "", err
+	}
+	if len(domains.Domains) < 1 {
+		return ctx, "", errors.ThrowInternal(nil, "NOTIF-Ef3r1", "Errors.Notification.NoDomain")
+	}
+	ctx = authz.WithRequestedDomain(ctx, domains.Domains[0].Domain)
+	return ctx, http_utils.BuildHTTP(domains.Domains[0].Domain, n.externalPort, n.externalSecure), nil
+}

internal/notification/handlers/queries.go

@@ -0,0 +1,46 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	_ "github.com/zitadel/zitadel/internal/notification/statik"
+	"github.com/zitadel/zitadel/internal/query"
+)
+
+type NotificationQueries struct {
+	*query.Queries
+	es                 *eventstore.Eventstore
+	externalPort       uint16
+	externalSecure     bool
+	fileSystemPath     string
+	UserDataCrypto     crypto.EncryptionAlgorithm
+	SMTPPasswordCrypto crypto.EncryptionAlgorithm
+	SMSTokenCrypto     crypto.EncryptionAlgorithm
+	statikDir          http.FileSystem
+}
+
+func NewNotificationQueries(
+	baseQueries *query.Queries,
+	es *eventstore.Eventstore,
+	externalPort uint16,
+	externalSecure bool,
+	fileSystemPath string,
+	userDataCrypto crypto.EncryptionAlgorithm,
+	smtpPasswordCrypto crypto.EncryptionAlgorithm,
+	smsTokenCrypto crypto.EncryptionAlgorithm,
+	statikDir http.FileSystem,
+) *NotificationQueries {
+	return &NotificationQueries{
+		Queries:            baseQueries,
+		es:                 es,
+		externalPort:       externalPort,
+		externalSecure:     externalSecure,
+		fileSystemPath:     fileSystemPath,
+		UserDataCrypto:     userDataCrypto,
+		SMTPPasswordCrypto: smtpPasswordCrypto,
+		SMSTokenCrypto:     smsTokenCrypto,
+		statikDir:          statikDir,
+	}
+}

internal/notification/handlers/quotanotifier.go

@@ -0,0 +1,99 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
+	"github.com/zitadel/zitadel/internal/notification/channels/webhook"
+	_ "github.com/zitadel/zitadel/internal/notification/statik"
+	"github.com/zitadel/zitadel/internal/notification/types"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/repository/quota"
+)
+
+const (
+	QuotaNotificationsProjectionTable = "projections.notifications_quota"
+)
+
+type quotaNotifier struct {
+	crdb.StatementHandler
+	commands                       *command.Commands
+	queries                        *NotificationQueries
+	metricSuccessfulDeliveriesJSON string
+	metricFailedDeliveriesJSON     string
+}
+
+func NewQuotaNotifier(
+	ctx context.Context,
+	config crdb.StatementHandlerConfig,
+	commands *command.Commands,
+	queries *NotificationQueries,
+	metricSuccessfulDeliveriesJSON,
+	metricFailedDeliveriesJSON string,
+) *quotaNotifier {
+	p := new(quotaNotifier)
+	config.ProjectionName = QuotaNotificationsProjectionTable
+	config.Reducers = p.reducers()
+	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
+	p.commands = commands
+	p.queries = queries
+	p.metricSuccessfulDeliveriesJSON = metricSuccessfulDeliveriesJSON
+	p.metricFailedDeliveriesJSON = metricFailedDeliveriesJSON
+	projection.NotificationsQuotaProjection = p
+	return p
+}
+
+func (u *quotaNotifier) reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: quota.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  quota.NotificationDueEventType,
+					Reduce: u.reduceNotificationDue,
+				},
+			},
+		},
+	}
+}
+
+func (u *quotaNotifier) reduceNotificationDue(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*quota.NotificationDueEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-DLxdE", "reduce.wrong.event.type %s", quota.NotificationDueEventType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.queries.IsAlreadyHandled(ctx, event, map[string]interface{}{"dueEventID": e.ID}, quota.NotifiedEventType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	err = types.SendJSON(
+		ctx,
+		webhook.Config{
+			CallURL: e.CallURL,
+			Method:  http.MethodPost,
+		},
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		e,
+		e,
+		u.metricSuccessfulDeliveriesJSON,
+		u.metricFailedDeliveriesJSON,
+	).WithoutTemplate()
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.UsageNotificationSent(ctx, e)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}

internal/notification/handlers/translator.go

@@ -0,0 +1,39 @@
+package handlers
+
+import (
+	"context"
+
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/i18n"
+)
+
+func (n *NotificationQueries) GetTranslatorWithOrgTexts(ctx context.Context, orgID, textType string) (*i18n.Translator, error) {
+	translator, err := i18n.NewTranslator(n.statikDir, n.GetDefaultLanguage(ctx), "")
+	if err != nil {
+		return nil, err
+	}
+
+	allCustomTexts, err := n.CustomTextListByTemplate(ctx, authz.GetInstance(ctx).InstanceID(), textType, false)
+	if err != nil {
+		return translator, nil
+	}
+	customTexts, err := n.CustomTextListByTemplate(ctx, orgID, textType, false)
+	if err != nil {
+		return translator, nil
+	}
+	allCustomTexts.CustomTexts = append(allCustomTexts.CustomTexts, customTexts.CustomTexts...)
+
+	for _, text := range allCustomTexts.CustomTexts {
+		msg := i18n.Message{
+			ID:   text.Template + "." + text.Key,
+			Text: text.Text,
+		}
+		err = translator.AddMessages(text.Language, msg)
+		logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID(), "orgID", orgID, "messageType", textType, "messageID", msg.ID).
+			OnError(err).
+			Warn("could not add translation message")
+	}
+	return translator, nil
+}

internal/notification/handlers/usernotifier.go

@@ -0,0 +1,589 @@
+package handlers
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
+	"github.com/zitadel/zitadel/internal/notification/types"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/repository/user"
+)
+
+const (
+	UserNotificationsProjectionTable = "projections.notifications"
+)
+
+type userNotifier struct {
+	crdb.StatementHandler
+	commands     *command.Commands
+	queries      *NotificationQueries
+	assetsPrefix func(context.Context) string
+	metricSuccessfulDeliveriesEmail,
+	metricFailedDeliveriesEmail,
+	metricSuccessfulDeliveriesSMS,
+	metricFailedDeliveriesSMS string
+}
+
+func NewUserNotifier(
+	ctx context.Context,
+	config crdb.StatementHandlerConfig,
+	commands *command.Commands,
+	queries *NotificationQueries,
+	assetsPrefix func(context.Context) string,
+	metricSuccessfulDeliveriesEmail,
+	metricFailedDeliveriesEmail,
+	metricSuccessfulDeliveriesSMS,
+	metricFailedDeliveriesSMS string,
+) *userNotifier {
+	p := new(userNotifier)
+	config.ProjectionName = UserNotificationsProjectionTable
+	config.Reducers = p.reducers()
+	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
+	p.commands = commands
+	p.queries = queries
+	p.assetsPrefix = assetsPrefix
+	p.metricSuccessfulDeliveriesEmail = metricSuccessfulDeliveriesEmail
+	p.metricFailedDeliveriesEmail = metricFailedDeliveriesEmail
+	p.metricSuccessfulDeliveriesSMS = metricSuccessfulDeliveriesSMS
+	p.metricFailedDeliveriesSMS = metricFailedDeliveriesSMS
+	projection.NotificationsProjection = p
+	return p
+}
+
+func (u *userNotifier) reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: user.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  user.UserV1InitialCodeAddedType,
+					Reduce: u.reduceInitCodeAdded,
+				},
+				{
+					Event:  user.HumanInitialCodeAddedType,
+					Reduce: u.reduceInitCodeAdded,
+				},
+				{
+					Event:  user.UserV1EmailCodeAddedType,
+					Reduce: u.reduceEmailCodeAdded,
+				},
+				{
+					Event:  user.HumanEmailCodeAddedType,
+					Reduce: u.reduceEmailCodeAdded,
+				},
+				{
+					Event:  user.UserV1PasswordCodeAddedType,
+					Reduce: u.reducePasswordCodeAdded,
+				},
+				{
+					Event:  user.HumanPasswordCodeAddedType,
+					Reduce: u.reducePasswordCodeAdded,
+				},
+				{
+					Event:  user.UserDomainClaimedType,
+					Reduce: u.reduceDomainClaimed,
+				},
+				{
+					Event:  user.HumanPasswordlessInitCodeRequestedType,
+					Reduce: u.reducePasswordlessCodeRequested,
+				},
+				{
+					Event:  user.UserV1PhoneCodeAddedType,
+					Reduce: u.reducePhoneCodeAdded,
+				},
+				{
+					Event:  user.HumanPhoneCodeAddedType,
+					Reduce: u.reducePhoneCodeAdded,
+				},
+				{
+					Event:  user.HumanPasswordChangedType,
+					Reduce: u.reducePasswordChanged,
+				},
+			},
+		},
+	}
+}
+
+func (u *userNotifier) reduceInitCodeAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanInitialCodeAddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-EFe2f", "reduce.wrong.event.type %s", user.HumanInitialCodeAddedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, nil,
+		user.UserV1InitialCodeAddedType, user.UserV1InitialCodeSentType,
+		user.HumanInitialCodeAddedType, user.HumanInitialCodeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+	if err != nil {
+		return nil, err
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	template, err := u.queries.MailTemplateByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.InitCodeMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	err = types.SendEmail(
+		ctx,
+		string(template.Template),
+		translator,
+		notifyUser,
+		u.queries.GetSMTPConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesEmail,
+		u.metricFailedDeliveriesEmail,
+	).SendUserInitCode(notifyUser, origin, code)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.HumanInitCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) reduceEmailCodeAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanEmailCodeAddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-SWf3g", "reduce.wrong.event.type %s", user.HumanEmailCodeAddedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, nil,
+		user.UserV1EmailCodeAddedType, user.UserV1EmailCodeSentType,
+		user.HumanEmailCodeAddedType, user.HumanEmailCodeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+	if err != nil {
+		return nil, err
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	template, err := u.queries.MailTemplateByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.VerifyEmailMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	err = types.SendEmail(
+		ctx,
+		string(template.Template),
+		translator,
+		notifyUser,
+		u.queries.GetSMTPConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesEmail,
+		u.metricFailedDeliveriesEmail,
+	).SendEmailVerificationCode(notifyUser, origin, code)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.HumanEmailVerificationCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) reducePasswordCodeAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanPasswordCodeAddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-Eeg3s", "reduce.wrong.event.type %s", user.HumanPasswordCodeAddedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, nil,
+		user.UserV1PasswordCodeAddedType, user.UserV1PasswordCodeSentType,
+		user.HumanPasswordCodeAddedType, user.HumanPasswordCodeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+	if err != nil {
+		return nil, err
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	template, err := u.queries.MailTemplateByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.PasswordResetMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	notify := types.SendEmail(
+		ctx,
+		string(template.Template),
+		translator,
+		notifyUser,
+		u.queries.GetSMTPConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesEmail,
+		u.metricFailedDeliveriesEmail,
+	)
+	if e.NotificationType == domain.NotificationTypeSms {
+		notify = types.SendSMSTwilio(
+			ctx,
+			translator,
+			notifyUser,
+			u.queries.GetTwilioConfig,
+			u.queries.GetFileSystemProvider,
+			u.queries.GetLogProvider,
+			colors,
+			u.assetsPrefix(ctx),
+			e,
+			u.metricSuccessfulDeliveriesSMS,
+			u.metricFailedDeliveriesSMS,
+		)
+	}
+	err = notify.SendPasswordCode(notifyUser, origin, code)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.PasswordCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) reduceDomainClaimed(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.DomainClaimedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-Drh5w", "reduce.wrong.event.type %s", user.UserDomainClaimedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.queries.IsAlreadyHandled(ctx, event, nil,
+		user.UserDomainClaimedType, user.UserDomainClaimedSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	template, err := u.queries.MailTemplateByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.DomainClaimedMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	err = types.SendEmail(
+		ctx,
+		string(template.Template),
+		translator,
+		notifyUser,
+		u.queries.GetSMTPConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesEmail,
+		u.metricFailedDeliveriesEmail,
+	).SendDomainClaimed(notifyUser, origin, e.UserName)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.UserDomainClaimedSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) reducePasswordlessCodeRequested(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanPasswordlessInitCodeRequestedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-EDtjd", "reduce.wrong.event.type %s", user.HumanPasswordlessInitCodeAddedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, map[string]interface{}{"id": e.ID}, user.HumanPasswordlessInitCodeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+	if err != nil {
+		return nil, err
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	template, err := u.queries.MailTemplateByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.PasswordlessRegistrationMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	err = types.SendEmail(
+		ctx,
+		string(template.Template),
+		translator,
+		notifyUser,
+		u.queries.GetSMTPConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesEmail,
+		u.metricFailedDeliveriesEmail,
+	).SendPasswordlessRegistrationLink(notifyUser, origin, code, e.ID)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.HumanPasswordlessInitCodeSent(ctx, e.Aggregate().ID, e.Aggregate().ResourceOwner, e.ID)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) reducePasswordChanged(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanPasswordChangedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-Yko2z8", "reduce.wrong.event.type %s", user.HumanPasswordChangedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.queries.IsAlreadyHandled(ctx, event, nil, user.HumanPasswordChangeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+
+	notificationPolicy, err := u.queries.NotificationPolicyByOrg(ctx, true, e.Aggregate().ResourceOwner, false)
+	if errors.IsNotFound(err) {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if notificationPolicy.PasswordChange {
+		colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+		if err != nil {
+			return nil, err
+		}
+
+		template, err := u.queries.MailTemplateByOrg(ctx, e.Aggregate().ResourceOwner, false)
+		if err != nil {
+			return nil, err
+		}
+
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		if err != nil {
+			return nil, err
+		}
+		translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.PasswordChangeMessageType)
+		if err != nil {
+			return nil, err
+		}
+
+		ctx, origin, err := u.queries.Origin(ctx)
+		if err != nil {
+			return nil, err
+		}
+		err = types.SendEmail(
+			ctx,
+			string(template.Template),
+			translator,
+			notifyUser,
+			u.queries.GetSMTPConfig,
+			u.queries.GetFileSystemProvider,
+			u.queries.GetLogProvider,
+			colors,
+			u.assetsPrefix(ctx),
+			e,
+			u.metricSuccessfulDeliveriesEmail,
+			u.metricFailedDeliveriesEmail,
+		).SendPasswordChange(notifyUser, origin)
+		if err != nil {
+			return nil, err
+		}
+		err = u.commands.PasswordChangeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) reducePhoneCodeAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*user.HumanPhoneCodeAddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-He83g", "reduce.wrong.event.type %s", user.HumanPhoneCodeAddedType)
+	}
+	ctx := HandlerContext(event.Aggregate())
+	alreadyHandled, err := u.checkIfCodeAlreadyHandledOrExpired(ctx, event, e.Expiry, nil,
+		user.UserV1PhoneCodeAddedType, user.UserV1PhoneCodeSentType,
+		user.HumanPhoneCodeAddedType, user.HumanPhoneCodeSentType)
+	if err != nil {
+		return nil, err
+	}
+	if alreadyHandled {
+		return crdb.NewNoOpStatement(e), nil
+	}
+	code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+	if err != nil {
+		return nil, err
+	}
+	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
+	if err != nil {
+		return nil, err
+	}
+
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+	if err != nil {
+		return nil, err
+	}
+	translator, err := u.queries.GetTranslatorWithOrgTexts(ctx, notifyUser.ResourceOwner, domain.VerifyPhoneMessageType)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, origin, err := u.queries.Origin(ctx)
+	if err != nil {
+		return nil, err
+	}
+	err = types.SendSMSTwilio(
+		ctx,
+		translator,
+		notifyUser,
+		u.queries.GetTwilioConfig,
+		u.queries.GetFileSystemProvider,
+		u.queries.GetLogProvider,
+		colors,
+		u.assetsPrefix(ctx),
+		e,
+		u.metricSuccessfulDeliveriesSMS,
+		u.metricFailedDeliveriesSMS,
+	).SendPhoneVerificationCode(notifyUser, origin, code)
+	if err != nil {
+		return nil, err
+	}
+	err = u.commands.HumanPhoneVerificationCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+	if err != nil {
+		return nil, err
+	}
+	return crdb.NewNoOpStatement(e), nil
+}
+
+func (u *userNotifier) checkIfCodeAlreadyHandledOrExpired(ctx context.Context, event eventstore.Event, expiry time.Duration, data map[string]interface{}, eventTypes ...eventstore.EventType) (bool, error) {
+	if event.CreationDate().Add(expiry).Before(time.Now().UTC()) {
+		return true, nil
+	}
+	return u.queries.IsAlreadyHandled(ctx, event, data, eventTypes...)
+}