feat: allow IAM and Org Owners to generate a passwordless registration link (#2619)

proto/zitadel/management.proto

@@ -574,6 +574,19 @@ service ManagementService {
         };
     }
 
+    // Adds a new passwordless authenticator link to the user and returns it directly
+    // This link enables the user to register a new device if current passwordless devices are all platform authenticators
+    // e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone
+    rpc AddPasswordlessRegistration(AddPasswordlessRegistrationRequest) returns (AddPasswordlessRegistrationResponse) {
+        option (google.api.http) = {
+            post: "/users/{user_id}/passwordless/_link"
+            body: "*"
+        };
+        option (zitadel.v1.auth_option) = {
+            permission: "user.credential.write"
+        };
+    }
+
     // Adds a new passwordless authenticator link to the user and sends it to the registered email address
     // This link enables the user to register a new device if current passwordless devices are all platform authenticators
     // e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone
@@ -583,7 +596,7 @@ service ManagementService {
             body: "*"
         };
         option (zitadel.v1.auth_option) = {
-            permission: "authenticated"
+            permission: "user.write"
         };
     }
 
@@ -3290,6 +3303,16 @@ message ListHumanPasswordlessResponse {
     repeated zitadel.user.v1.WebAuthNToken result = 1;
 }
 
+message AddPasswordlessRegistrationRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message AddPasswordlessRegistrationResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    string link = 2;
+    google.protobuf.Duration expiration = 3;
+}
+
 message SendPasswordlessRegistrationRequest {
     string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }