chore: move the go code into a subfolder

2025-08-12 07:57:32 +00:00 · 2025-08-05 15:20:32 -07:00
parent 4ad22ba456
commit cd2921de26
2978 changed files with 373 additions and 300 deletions
--- a/apps/api/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/apps/api/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -0,0 +1,341 @@
+package eventstore
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/go-jose/go-jose/v4"
+	"github.com/muhlemmer/gu"
+	"github.com/zitadel/logging"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	http_util "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/view"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	usr_model "github.com/zitadel/zitadel/internal/user/model"
+	usr_view "github.com/zitadel/zitadel/internal/user/repository/view"
+	"github.com/zitadel/zitadel/internal/user/repository/view/model"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+type TokenVerifierRepo struct {
+	TokenVerificationKey crypto.EncryptionAlgorithm
+	Eventstore           *eventstore.Eventstore
+	View                 *view.View
+	Query                *query.Queries
+	ExternalSecure       bool
+}
+
+func (repo *TokenVerifierRepo) Health() error {
+	return repo.View.Health()
+}
+
+func (repo *TokenVerifierRepo) tokenByID(ctx context.Context, tokenID, userID string) (_ *usr_model.TokenView, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	instanceID := authz.GetInstance(ctx).InstanceID()
+
+	// always load the latest sequence first, so in case the token was not found by id,
+	// the sequence will be equal or lower than the actual projection and no events are lost
+	sequence, err := repo.View.GetLatestState(ctx)
+	logging.WithFields("instanceID", instanceID, "userID", userID, "tokenID", tokenID).
+		OnError(err).
+		Errorf("could not get current sequence for token check")
+
+	token, viewErr := repo.View.TokenByIDs(tokenID, userID, instanceID)
+	if viewErr != nil && !zerrors.IsNotFound(viewErr) {
+		return nil, viewErr
+	}
+	if zerrors.IsNotFound(viewErr) {
+		token = new(model.TokenView)
+		token.ID = tokenID
+		token.UserID = userID
+		if sequence != nil {
+			token.ChangeDate = sequence.EventCreatedAt
+		}
+	}
+
+	events, esErr := repo.getUserEvents(ctx, userID, instanceID, token.ChangeDate, token.GetRelevantEventTypes())
+	if zerrors.IsNotFound(viewErr) && len(events) == 0 {
+		return nil, zerrors.ThrowNotFound(nil, "EVENT-4T90g", "Errors.Token.NotFound")
+	}
+
+	if esErr != nil {
+		logging.WithError(viewErr).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Debug("error retrieving new events")
+		return model.TokenViewToModel(token), nil
+	}
+	viewToken := *token
+	for _, event := range events {
+		err := token.AppendEventIfMyToken(event)
+		if err != nil {
+			return model.TokenViewToModel(&viewToken), nil
+		}
+	}
+	if !token.Expiration.After(time.Now().UTC()) || token.Deactivated {
+		return nil, zerrors.ThrowNotFound(nil, "EVENT-5Bm9s", "Errors.Token.NotFound")
+	}
+	return model.TokenViewToModel(token), nil
+}
+
+func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID, projectID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	tokenID, subject, ok := repo.getTokenIDAndSubject(ctx, tokenString)
+	if !ok {
+		return "", "", "", "", "", zerrors.ThrowUnauthenticated(nil, "APP-Reb32", "invalid token")
+	}
+	if strings.HasPrefix(tokenID, command.IDPrefixV2) {
+		return repo.verifyAccessTokenV2(ctx, tokenID, verifierClientID, projectID)
+	}
+	if sessionID, ok := strings.CutPrefix(tokenID, authz.SessionTokenPrefix); ok {
+		userID, clientID, resourceOwner, err = repo.verifySessionToken(ctx, sessionID, tokenString)
+		return
+	}
+	return repo.verifyAccessTokenV1(ctx, tokenID, subject, verifierClientID, projectID)
+}
+
+func (repo *TokenVerifierRepo) verifyAccessTokenV1(ctx context.Context, tokenID, subject, verifierClientID, projectID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	_, tokenSpan := tracing.NewNamedSpan(ctx, "tokenByID")
+	token, err := repo.tokenByID(ctx, tokenID, subject)
+	tokenSpan.EndWithError(err)
+	if err != nil {
+		return "", "", "", "", "", zerrors.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token")
+	}
+	if token.Actor != nil {
+		return "", "", "", "", "", zerrors.ThrowPermissionDenied(nil, "APP-wai8O", "Errors.TokenExchange.Token.NotForAPI")
+	}
+	if !token.Expiration.After(time.Now().UTC()) {
+		return "", "", "", "", "", zerrors.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")
+	}
+	if token.IsPAT {
+		return token.UserID, "", "", "", token.ResourceOwner, nil
+	}
+	if err = verifyAudience(token.Audience, verifierClientID, projectID); err != nil {
+		return "", "", "", "", "", err
+	}
+	return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil
+}
+
+func (repo *TokenVerifierRepo) verifyAccessTokenV2(ctx context.Context, token, verifierClientID, projectID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	activeToken, err := repo.Query.ActiveAccessTokenByToken(ctx, token)
+	if err != nil {
+		return "", "", "", "", "", err
+	}
+	if activeToken.Actor != nil {
+		return "", "", "", "", "", zerrors.ThrowPermissionDenied(nil, "APP-Shi0J", "Errors.TokenExchange.Token.NotForAPI")
+	}
+	if err = verifyAudience(activeToken.Audience, verifierClientID, projectID); err != nil {
+		return "", "", "", "", "", err
+	}
+	if err = repo.checkAuthentication(ctx, activeToken.AuthMethods, activeToken.UserID); err != nil {
+		return "", "", "", "", "", err
+	}
+	prefLang = gu.Value(activeToken.PreferredLanguage).String()
+	agentID = gu.Value(gu.Value(activeToken.UserAgent).FingerprintID)
+
+	return activeToken.UserID, agentID, activeToken.ClientID, prefLang, activeToken.ResourceOwner, nil
+}
+
+func (repo *TokenVerifierRepo) verifySessionToken(ctx context.Context, sessionID, token string) (userID, clientID, resourceOwner string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	session, err := repo.Query.SessionByID(ctx, true, sessionID, token, nil)
+	if err != nil {
+		return "", "", "", err
+	}
+	if !session.Expiration.IsZero() && session.Expiration.Before(time.Now()) {
+		return "", "", "", zerrors.ThrowPermissionDenied(nil, "AUTHZ-EGDo3", "session expired")
+	}
+	if err = repo.checkAuthentication(ctx, authMethodsFromSession(session), session.UserFactor.UserID); err != nil {
+		return "", "", "", err
+	}
+	return session.UserFactor.UserID, "", session.UserFactor.ResourceOwner, nil
+}
+
+// checkAuthentication ensures the session or token was authenticated (at least a single [domain.UserAuthMethodType]).
+// It will also check if there was a multi-factor authentication, if either MFA is forced by the login policy or if the user has set up any second factor
+func (repo *TokenVerifierRepo) checkAuthentication(ctx context.Context, authMethods []domain.UserAuthMethodType, userID string) error {
+	if len(authMethods) == 0 {
+		return zerrors.ThrowPermissionDenied(nil, "AUTHZ-Kl3p0", "authentication required")
+	}
+	if domain.HasMFA(authMethods) {
+		return nil
+	}
+	requirements, err := repo.Query.ListUserAuthMethodTypesRequired(setCallerCtx(ctx, userID), userID)
+	if err != nil {
+		return err
+	}
+	if requirements.UserType == domain.UserTypeMachine {
+		return nil
+	}
+	if domain.RequiresMFA(
+		requirements.ForceMFA,
+		requirements.ForceMFALocalOnly,
+		!hasIDPAuthentication(authMethods),
+	) {
+		return zerrors.ThrowPermissionDenied(nil, "AUTHZ-Kl3p0", "mfa required")
+	}
+	return nil
+}
+
+func hasIDPAuthentication(authMethods []domain.UserAuthMethodType) bool {
+	for _, method := range authMethods {
+		if method == domain.UserAuthMethodTypeIDP {
+			return true
+		}
+	}
+	return false
+}
+
+func authMethodsFromSession(session *query.Session) []domain.UserAuthMethodType {
+	types := make([]domain.UserAuthMethodType, 0, domain.UserAuthMethodTypeIDP)
+	if !session.PasswordFactor.PasswordCheckedAt.IsZero() {
+		types = append(types, domain.UserAuthMethodTypePassword)
+	}
+	if !session.WebAuthNFactor.WebAuthNCheckedAt.IsZero() {
+		if session.WebAuthNFactor.UserVerified {
+			types = append(types, domain.UserAuthMethodTypePasswordless)
+		} else {
+			types = append(types, domain.UserAuthMethodTypeU2F)
+		}
+	}
+	if !session.IntentFactor.IntentCheckedAt.IsZero() {
+		types = append(types, domain.UserAuthMethodTypeIDP)
+	}
+	if !session.TOTPFactor.TOTPCheckedAt.IsZero() {
+		types = append(types, domain.UserAuthMethodTypeTOTP)
+	}
+	if !session.OTPSMSFactor.OTPCheckedAt.IsZero() {
+		types = append(types, domain.UserAuthMethodTypeOTPSMS)
+	}
+	if !session.OTPEmailFactor.OTPCheckedAt.IsZero() {
+		types = append(types, domain.UserAuthMethodTypeOTPEmail)
+	}
+	return types
+}
+
+func setCallerCtx(ctx context.Context, userID string) context.Context {
+	ctxData := authz.GetCtxData(ctx)
+	ctxData.UserID = userID
+	return authz.SetCtxData(ctx, ctxData)
+}
+
+func (repo *TokenVerifierRepo) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error) {
+	app, err := repo.View.ApplicationByOIDCClientID(ctx, clientID)
+	if err != nil {
+		return "", nil, err
+	}
+	return app.ProjectID, app.OIDCConfig.AllowedOrigins, nil
+}
+
+func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName string) (clientID, projectID string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	app, err := repo.View.ApplicationByProjecIDAndAppName(ctx, authz.GetInstance(ctx).ProjectID(), appName)
+	if err != nil {
+		return "", "", err
+	}
+	if app.OIDCConfig != nil {
+		clientID = app.OIDCConfig.ClientID
+	} else if app.APIConfig != nil {
+		clientID = app.APIConfig.ClientID
+	}
+	return clientID, app.ProjectID, nil
+}
+
+func (repo *TokenVerifierRepo) getUserEvents(ctx context.Context, userID, instanceID string, changeDate time.Time, eventTypes []eventstore.EventType) (_ []eventstore.Event, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+	query, err := usr_view.UserByIDQuery(userID, instanceID, changeDate, eventTypes)
+	if err != nil {
+		return nil, err
+	}
+	return repo.Eventstore.Filter(ctx, query)
+}
+
+// getTokenIDAndSubject returns the TokenID and Subject of both opaque tokens and JWTs
+func (repo *TokenVerifierRepo) getTokenIDAndSubject(ctx context.Context, accessToken string) (tokenID string, subject string, valid bool) {
+	// accessToken can be either opaque or JWT
+	// let's try opaque first:
+	tokenIDSubject, err := repo.decryptAccessToken(accessToken)
+	if err != nil {
+		logging.WithError(err).Warn("token verifier repo: decrypt access token")
+		// if decryption did not work, it might be a JWT
+		accessTokenClaims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, repo.jwtTokenVerifier(ctx))
+		if err != nil {
+			logging.WithError(err).Warn("token verifier repo: verify JWT access token")
+			return "", "", false
+		}
+		return accessTokenClaims.JWTID, accessTokenClaims.Subject, true
+	}
+	splitToken := strings.Split(tokenIDSubject, ":")
+	if len(splitToken) != 2 {
+		return "", "", false
+	}
+	return splitToken[0], splitToken[1], true
+}
+
+func (repo *TokenVerifierRepo) jwtTokenVerifier(ctx context.Context) *op.AccessTokenVerifier {
+	keySet := &openIDKeySet{repo.Query}
+	return op.NewAccessTokenVerifier(http_util.DomainContext(ctx).Origin(), keySet)
+}
+
+func (repo *TokenVerifierRepo) decryptAccessToken(token string) (string, error) {
+	tokenData, err := base64.RawURLEncoding.DecodeString(token)
+	if err != nil {
+		return "", zerrors.ThrowUnauthenticated(nil, "APP-ASdgg", "invalid token")
+	}
+	tokenIDSubject, err := repo.TokenVerificationKey.DecryptString(tokenData, repo.TokenVerificationKey.EncryptionKeyID())
+	if err != nil {
+		return "", zerrors.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
+	}
+	return tokenIDSubject, nil
+}
+
+func verifyAudience(audience []string, verifierClientID, projectID string) error {
+	for _, aud := range audience {
+		if verifierClientID == aud || projectID == aud {
+			return nil
+		}
+	}
+	return zerrors.ThrowUnauthenticated(nil, "APP-Zxfako", "invalid audience")
+}
+
+type openIDKeySet struct {
+	*query.Queries
+}
+
+// VerifySignature implements the oidc.KeySet interface
+// providing an implementation for the keys retrieved directly from Queries
+func (o *openIDKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
+	keySet, err := o.Queries.GetWebKeySet(ctx)
+	if err != nil {
+		return nil, err
+	}
+	keyID, alg := oidc.GetKeyIDAndAlg(jws)
+	key, err := oidc.FindMatchingKey(keyID, oidc.KeyUseSignature, alg, keySet.Keys...)
+	if err != nil {
+		return nil, fmt.Errorf("invalid signature: %w", err)
+	}
+	return jws.Verify(&key)
+}
--- a/apps/api/internal/authz/repository/eventsourcing/eventstore/user_membership.go
+++ b/apps/api/internal/authz/repository/eventsourcing/eventstore/user_membership.go
@@ -0,0 +1,90 @@
+package eventstore
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+type UserMembershipRepo struct {
+	Queries *query.Queries
+}
+
+func (repo *UserMembershipRepo) SearchMyMemberships(ctx context.Context, orgID string, shouldTriggerBulk bool) (_ []*authz.Membership, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	memberships, err := repo.searchUserMemberships(ctx, orgID, shouldTriggerBulk)
+	if err != nil {
+		return nil, err
+	}
+	return userMembershipsToMemberships(memberships), nil
+}
+
+func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context, orgID string, shouldTriggerBulk bool) (_ []*query.Membership, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+	ctxData := authz.GetCtxData(ctx)
+	userIDQuery, err := query.NewMembershipUserIDQuery(ctxData.UserID)
+	if err != nil {
+		return nil, err
+	}
+	orgIDsQuery, err := query.NewMembershipResourceOwnersSearchQuery(orgID, authz.GetInstance(ctx).InstanceID())
+	if err != nil {
+		return nil, err
+	}
+	grantedIDQuery, err := query.NewMembershipGrantedOrgIDSearchQuery(orgID)
+	if err != nil {
+		return nil, err
+	}
+	memberships, err := repo.Queries.Memberships(ctx, &query.MembershipSearchQuery{
+		Queries: []query.SearchQuery{userIDQuery, query.Or(orgIDsQuery, grantedIDQuery)},
+	}, shouldTriggerBulk)
+	if err != nil {
+		return nil, err
+	}
+	return memberships.Memberships, nil
+}
+
+func userMembershipToMembership(membership *query.Membership) *authz.Membership {
+	if membership.IAM != nil {
+		return &authz.Membership{
+			MemberType:  authz.MemberTypeIAM,
+			AggregateID: membership.IAM.IAMID,
+			ObjectID:    membership.IAM.IAMID,
+			Roles:       membership.Roles,
+		}
+	}
+	if membership.Org != nil {
+		return &authz.Membership{
+			MemberType:  authz.MemberTypeOrganization,
+			AggregateID: membership.Org.OrgID,
+			ObjectID:    membership.Org.OrgID,
+			Roles:       membership.Roles,
+		}
+	}
+	if membership.Project != nil {
+		return &authz.Membership{
+			MemberType:  authz.MemberTypeProject,
+			AggregateID: membership.Project.ProjectID,
+			ObjectID:    membership.Project.ProjectID,
+			Roles:       membership.Roles,
+		}
+	}
+	return &authz.Membership{
+		MemberType:  authz.MemberTypeProjectGrant,
+		AggregateID: membership.ProjectGrant.ProjectID,
+		ObjectID:    membership.ProjectGrant.GrantID,
+		Roles:       membership.Roles,
+	}
+}
+
+func userMembershipsToMemberships(memberships []*query.Membership) []*authz.Membership {
+	result := make([]*authz.Membership, len(memberships))
+	for i, m := range memberships {
+		result[i] = userMembershipToMembership(m)
+	}
+	return result
+}
--- a/apps/api/internal/authz/repository/eventsourcing/repository.go
+++ b/apps/api/internal/authz/repository/eventsourcing/repository.go
@@ -0,0 +1,45 @@
+package eventsourcing
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/authz/repository"
+	authz_es "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore"
+	authz_view "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/view"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/query"
+)
+
+type EsRepository struct {
+	authz_es.UserMembershipRepo
+	authz_es.TokenVerifierRepo
+}
+
+func Start(queries *query.Queries, es *eventstore.Eventstore, dbClient *database.DB, keyEncryptionAlgorithm crypto.EncryptionAlgorithm, externalSecure bool) (repository.Repository, error) {
+	view, err := authz_view.StartView(dbClient, queries)
+	if err != nil {
+		return nil, err
+	}
+
+	return &EsRepository{
+		authz_es.UserMembershipRepo{
+			Queries: queries,
+		},
+		authz_es.TokenVerifierRepo{
+			TokenVerificationKey: keyEncryptionAlgorithm,
+			Eventstore:           es,
+			View:                 view,
+			Query:                queries,
+			ExternalSecure:       externalSecure,
+		},
+	}, nil
+}
+
+func (repo *EsRepository) Health(ctx context.Context) error {
+	if err := repo.TokenVerifierRepo.Health(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/apps/api/internal/authz/repository/eventsourcing/view/application.go
+++ b/apps/api/internal/authz/repository/eventsourcing/view/application.go
@@ -0,0 +1,44 @@
+package view
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func (v *View) ApplicationByOIDCClientID(ctx context.Context, clientID string) (*query.App, error) {
+	return v.Query.AppByOIDCClientID(ctx, clientID)
+}
+
+func (v *View) ApplicationByProjecIDAndAppName(ctx context.Context, projectID, appName string) (_ *query.App, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	nameQuery, err := query.NewAppNameSearchQuery(query.TextEquals, appName)
+	if err != nil {
+		return nil, err
+	}
+	projectQuery, err := query.NewAppProjectIDSearchQuery(projectID)
+	if err != nil {
+		return nil, err
+	}
+
+	queries := &query.AppSearchQueries{
+		Queries: []query.SearchQuery{
+			nameQuery,
+			projectQuery,
+		},
+	}
+
+	apps, err := v.Query.SearchApps(ctx, queries, nil)
+	if err != nil {
+		return nil, err
+	}
+	if len(apps.Apps) != 1 {
+		return nil, zerrors.ThrowNotFound(nil, "VIEW-svLQq", "app not found")
+	}
+
+	return apps.Apps[0], nil
+}
--- a/apps/api/internal/authz/repository/eventsourcing/view/token.go
+++ b/apps/api/internal/authz/repository/eventsourcing/view/token.go
@@ -0,0 +1,37 @@
+package view
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/query"
+	usr_view "github.com/zitadel/zitadel/internal/user/repository/view"
+	usr_view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
+)
+
+const (
+	tokenTable = "auth.tokens"
+)
+
+func (v *View) TokenByIDs(tokenID, userID, instanceID string) (*usr_view_model.TokenView, error) {
+	return usr_view.TokenByIDs(v.Db, tokenTable, tokenID, userID, instanceID)
+}
+
+func (v *View) GetLatestState(ctx context.Context) (_ *query.CurrentState, err error) {
+	q := &query.CurrentStateSearchQueries{
+		Queries: make([]query.SearchQuery, 2),
+	}
+	q.Queries[0], err = query.NewCurrentStatesInstanceIDSearchQuery(authz.GetInstance(ctx).InstanceID())
+	if err != nil {
+		return nil, err
+	}
+	q.Queries[1], err = query.NewCurrentStatesProjectionSearchQuery(tokenTable)
+	if err != nil {
+		return nil, err
+	}
+	states, err := v.Query.SearchCurrentStates(ctx, q)
+	if err != nil || states.SearchResponse.Count == 0 {
+		return nil, err
+	}
+	return states.CurrentStates[0], nil
+}
--- a/apps/api/internal/authz/repository/eventsourcing/view/view.go
+++ b/apps/api/internal/authz/repository/eventsourcing/view/view.go
@@ -0,0 +1,30 @@
+package view
+
+import (
+	"github.com/jinzhu/gorm"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/query"
+)
+
+type View struct {
+	Db     *gorm.DB
+	client *database.DB
+	Query  *query.Queries
+}
+
+func StartView(sqlClient *database.DB, queries *query.Queries) (*View, error) {
+	gorm, err := gorm.Open("postgres", sqlClient.DB)
+	if err != nil {
+		return nil, err
+	}
+	return &View{
+		Db:     gorm,
+		Query:  queries,
+		client: sqlClient,
+	}, nil
+}
+
+func (v *View) Health() (err error) {
+	return v.Db.DB().Ping()
+}