fix: v2 human command (#3435)

* add/register human command done * validations * crypto * move clientid * keys * fix: clientID * remove v2 package * tests * tests running * revert old code * instance domain from ctx * chore: rename zitadel app ids * comments * fix: test
2025-08-11 18:57:32 +00:00 · 2022-04-12 16:20:17 +02:00
parent 4a0d61d75a
commit cea2567e22
97 changed files with 3524 additions and 2832 deletions
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@@ -4,13 +4,14 @@ import (
 	"context"
 	"strings"

+	"github.com/caos/zitadel/internal/command/preparation"
 	"github.com/caos/zitadel/internal/crypto"
-	"github.com/caos/zitadel/internal/eventstore"
-
 	"github.com/caos/zitadel/internal/domain"
-	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	"github.com/caos/zitadel/internal/repository/user"
+	"golang.org/x/text/language"
 )

 func (c *Commands) getHuman(ctx context.Context, userID, resourceowner string) (*domain.Human, error) {
@@ -19,51 +20,258 @@ func (c *Commands) getHuman(ctx context.Context, userID, resourceowner string) (
 		return nil, err
 	}
 	if !isUserStateExists(human.UserState) {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-M9dsd", "Errors.User.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-M9dsd", "Errors.User.NotFound")
 	}
 	return writeModelToHuman(human), nil
 }

-func (c *Commands) AddHuman(ctx context.Context, orgID string, human *domain.Human, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) (*domain.Human, error) {
-	if orgID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-XYFk9", "Errors.ResourceOwnerMissing")
+type AddHuman struct {
+	// Username is required
+	Username string
+	// FirstName is required
+	FirstName string
+	// LastName is required
+	LastName string
+	// NickName is required
+	NickName string
+	// DisplayName is required
+	DisplayName string
+	// Email is required
+	Email Email
+	// PreferredLang is required
+	PreferredLang language.Tag
+	// Gender is required
+	Gender domain.Gender
+	//Phone represents an international phone number
+	Phone Phone
+	//Password is optional
+	Password string
+	//PasswordChangeRequired is used if the `Password`-field is set
+	PasswordChangeRequired bool
+	Passwordless           bool
+	ExternalIDP            bool
+	Register               bool
+}
+
+func (c *Commands) AddHuman(ctx context.Context, resourceOwner string, human *AddHuman) (*domain.HumanDetails, error) {
+	return c.v2.AddHuman(ctx, resourceOwner, human)
+}
+
+func (c *commandNew) AddHuman(ctx context.Context, resourceOwner string, human *AddHuman) (*domain.HumanDetails, error) {
+	if resourceOwner == "" {
+		return nil, errors.ThrowInvalidArgument(nil, "COMMA-5Ky74", "Errors.Internal")
 	}
-	domainPolicy, err := c.getOrgDomainPolicy(ctx, orgID)
-	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.DomainPolicy.NotFound")
-	}
-	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
-	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexityPolicy.NotFound")
-	}
-	events, addedHuman, err := c.addHuman(ctx, orgID, human, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
+	userID, err := c.id.Next()
 	if err != nil {
 		return nil, err
 	}
-	pushedEvents, err := c.eventstore.Push(ctx, events...)
+	agg := user.NewAggregate(userID, resourceOwner)
+	cmds, err := preparation.PrepareCommands(ctx, c.es.Filter, addHumanCommand(agg, human, c.userPasswordAlg, c.phoneAlg, c.emailAlg, c.initCodeAlg))
 	if err != nil {
 		return nil, err
 	}

-	err = AppendAndReduce(addedHuman, pushedEvents...)
+	events, err := c.es.Push(ctx, cmds...)
 	if err != nil {
 		return nil, err
 	}

-	return writeModelToHuman(addedHuman), nil
+	return &domain.HumanDetails{
+		ID: userID,
+		ObjectDetails: domain.ObjectDetails{
+			Sequence:      events[len(events)-1].Sequence(),
+			EventDate:     events[len(events)-1].CreationDate(),
+			ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
+		},
+	}, nil
+}
+
+type humanCreationCommand interface {
+	eventstore.Command
+	AddPhoneData(phoneNumber string)
+	AddPasswordData(secret *crypto.CryptoValue, changeRequired bool)
+}
+
+func addHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.HashAlgorithm, phoneAlg, emailAlg, initCodeAlg crypto.EncryptionAlgorithm) preparation.Validation {
+	return func() (_ preparation.CreateCommands, err error) {
+		if !human.Email.Valid() {
+			return nil, errors.ThrowInvalidArgument(nil, "USER-Ec7dM", "Errors.Invalid.Argument")
+		}
+		if human.Username = strings.TrimSpace(human.Username); human.Username == "" {
+			return nil, errors.ThrowInvalidArgument(nil, "V2-zzad3", "Errors.Invalid.Argument")
+		}
+
+		if human.FirstName = strings.TrimSpace(human.FirstName); human.FirstName == "" {
+			return nil, errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument")
+		}
+		if human.LastName = strings.TrimSpace(human.LastName); human.LastName == "" {
+			return nil, errors.ThrowInvalidArgument(nil, "USER-DiAq8", "Errors.Invalid.Argument")
+		}
+		human.ensureDisplayName()
+
+		if human.Phone.Number, err = FormatPhoneNumber(human.Phone.Number); err != nil {
+			return nil, errors.ThrowInvalidArgument(nil, "USER-tD6ax", "Errors.Invalid.Argument")
+		}
+
+		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
+			domainPolicy, err := domainPolicyWriteModel(ctx, filter)
+			if err != nil {
+				return nil, err
+			}
+
+			if err = userValidateDomain(ctx, a, human.Username, domainPolicy.UserLoginMustBeDomain, filter); err != nil {
+				return nil, err
+			}
+
+			var createCmd humanCreationCommand
+			if human.Register {
+				createCmd = user.NewHumanRegisteredEvent(
+					ctx,
+					&a.Aggregate,
+					human.Username,
+					human.FirstName,
+					human.LastName,
+					human.NickName,
+					human.DisplayName,
+					human.PreferredLang,
+					human.Gender,
+					human.Email.Address,
+					domainPolicy.UserLoginMustBeDomain,
+				)
+			} else {
+				createCmd = user.NewHumanAddedEvent(
+					ctx,
+					&a.Aggregate,
+					human.Username,
+					human.FirstName,
+					human.LastName,
+					human.NickName,
+					human.DisplayName,
+					human.PreferredLang,
+					human.Gender,
+					human.Email.Address,
+					domainPolicy.UserLoginMustBeDomain,
+				)
+			}
+
+			if human.Phone.Number != "" {
+				createCmd.AddPhoneData(human.Phone.Number)
+			}
+
+			if human.Password != "" {
+				if err = humanValidatePassword(ctx, filter, human.Password); err != nil {
+					return nil, err
+				}
+
+				secret, err := crypto.Hash([]byte(human.Password), passwordAlg)
+				if err != nil {
+					return nil, err
+				}
+				createCmd.AddPasswordData(secret, human.PasswordChangeRequired)
+			}
+
+			cmds := make([]eventstore.Command, 0, 3)
+			cmds = append(cmds, createCmd)
+
+			//add init code if
+			// email not verified or
+			// user not registered and password set
+			if human.shouldAddInitCode() {
+				value, expiry, err := newUserInitCode(ctx, filter, initCodeAlg)
+				if err != nil {
+					return nil, err
+				}
+				cmds = append(cmds, user.NewHumanInitialCodeAddedEvent(ctx, &a.Aggregate, value, expiry))
+			}
+
+			if human.Email.Verified {
+				cmds = append(cmds, user.NewHumanEmailVerifiedEvent(ctx, &a.Aggregate))
+			} else {
+				value, expiry, err := newEmailCode(ctx, filter, emailAlg)
+				if err != nil {
+					return nil, err
+				}
+				cmds = append(cmds, user.NewHumanEmailCodeAddedEvent(ctx, &a.Aggregate, value, expiry))
+			}
+
+			if human.Phone.Verified {
+				cmds = append(cmds, user.NewHumanPhoneVerifiedEvent(ctx, &a.Aggregate))
+			} else if human.Phone.Number != "" {
+				value, expiry, err := newPhoneCode(ctx, filter, phoneAlg)
+				if err != nil {
+					return nil, err
+				}
+				cmds = append(cmds, user.NewHumanPhoneCodeAddedEvent(ctx, &a.Aggregate, value, expiry))
+			}
+
+			return cmds, nil
+		}, nil
+	}
+}
+
+func userValidateDomain(ctx context.Context, a *user.Aggregate, username string, mustBeDomain bool, filter preparation.FilterToQueryReducer) error {
+	if mustBeDomain {
+		return nil
+	}
+
+	usernameSplit := strings.Split(username, "@")
+	if len(usernameSplit) != 2 {
+		return errors.ThrowInvalidArgument(nil, "COMMAND-Dfd21", "Errors.User.Invalid")
+	}
+
+	domainCheck := NewOrgDomainVerifiedWriteModel(usernameSplit[1])
+	events, err := filter(ctx, domainCheck.Query())
+	if err != nil {
+		return err
+	}
+	domainCheck.AppendEvents(events...)
+	if err = domainCheck.Reduce(); err != nil {
+		return err
+	}
+
+	if domainCheck.Verified && domainCheck.ResourceOwner != a.ResourceOwner {
+		return errors.ThrowInvalidArgument(nil, "COMMAND-SFd21", "Errors.User.DomainNotAllowedAsUsername")
+	}
+
+	return nil
+}
+
+func humanValidatePassword(ctx context.Context, filter preparation.FilterToQueryReducer, password string) error {
+	passwordComplexity, err := passwordComplexityPolicyWriteModel(ctx, filter)
+	if err != nil {
+		return err
+	}
+
+	return passwordComplexity.Validate(password)
+}
+
+func (h *AddHuman) ensureDisplayName() {
+	if strings.TrimSpace(h.DisplayName) != "" {
+		return
+	}
+	h.DisplayName = h.FirstName + " " + h.LastName
+}
+
+func (h *AddHuman) shouldAddInitCode() bool {
+	//user without idp
+	return !h.Email.Verified ||
+		//user with idp
+		!h.ExternalIDP &&
+			!h.Passwordless &&
+			h.Password != ""
 }

 func (c *Commands) ImportHuman(ctx context.Context, orgID string, human *domain.Human, passwordless bool, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator, passwordlessCodeGenerator crypto.Generator) (_ *domain.Human, passwordlessCode *domain.PasswordlessInitCode, err error) {
 	if orgID == "" {
-		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-5N8fs", "Errors.ResourceOwnerMissing")
+		return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-5N8fs", "Errors.ResourceOwnerMissing")
 	}
 	domainPolicy, err := c.getOrgDomainPolicy(ctx, orgID)
 	if err != nil {
-		return nil, nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-2N9fs", "Errors.Org.DomainPolicy.NotFound")
+		return nil, nil, errors.ThrowPreconditionFailed(err, "COMMAND-2N9fs", "Errors.Org.DomainPolicy.NotFound")
 	}
 	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
 	if err != nil {
-		return nil, nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-4N8gs", "Errors.Org.PasswordComplexityPolicy.NotFound")
+		return nil, nil, errors.ThrowPreconditionFailed(err, "COMMAND-4N8gs", "Errors.Org.PasswordComplexityPolicy.NotFound")
 	}
 	events, addedHuman, addedCode, code, err := c.importHuman(ctx, orgID, human, passwordless, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator, passwordlessCodeGenerator)
 	if err != nil {
@@ -89,53 +297,24 @@ func (c *Commands) ImportHuman(ctx context.Context, orgID string, human *domain.
 	return writeModelToHuman(addedHuman), passwordlessCode, nil
 }

-func (c *Commands) addHuman(ctx context.Context, orgID string, human *domain.Human, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) ([]eventstore.Command, *HumanWriteModel, error) {
-	if orgID == "" || !human.IsValid() {
-		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-67Ms8", "Errors.User.Invalid")
-	}
-	if human.Password != nil && human.SecretString != "" {
-		human.ChangeRequired = true
-	}
-	return c.createHuman(ctx, orgID, human, nil, false, false, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
-}
-
-func (c *Commands) importHuman(ctx context.Context, orgID string, human *domain.Human, passwordless bool, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator, passwordlessCodeGenerator crypto.Generator) (events []eventstore.Command, humanWriteModel *HumanWriteModel, passwordlessCodeWriteModel *HumanPasswordlessInitCodeWriteModel, code string, err error) {
-	if orgID == "" || !human.IsValid() {
-		return nil, nil, nil, "", caos_errs.ThrowInvalidArgument(nil, "COMMAND-00p2b", "Errors.User.Invalid")
-	}
-	events, humanWriteModel, err = c.createHuman(ctx, orgID, human, nil, false, passwordless, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
-	if err != nil {
-		return nil, nil, nil, "", err
-	}
-	if passwordless {
-		var codeEvent eventstore.Command
-		codeEvent, passwordlessCodeWriteModel, code, err = c.humanAddPasswordlessInitCode(ctx, human.AggregateID, orgID, true, passwordlessCodeGenerator)
-		if err != nil {
-			return nil, nil, nil, "", err
-		}
-		events = append(events, codeEvent)
-	}
-	return events, humanWriteModel, passwordlessCodeWriteModel, code, nil
-}
-
 func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domain.Human, link *domain.UserIDPLink, orgMemberRoles []string, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) (*domain.Human, error) {
 	if orgID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-GEdf2", "Errors.ResourceOwnerMissing")
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-GEdf2", "Errors.ResourceOwnerMissing")
 	}
 	domainPolicy, err := c.getOrgDomainPolicy(ctx, orgID)
 	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.DomainPolicy.NotFound")
+		return nil, errors.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.DomainPolicy.NotFound")
 	}
 	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
 	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexityPolicy.NotFound")
+		return nil, errors.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexityPolicy.NotFound")
 	}
 	loginPolicy, err := c.getOrgLoginPolicy(ctx, orgID)
 	if err != nil {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-Dfg3g", "Errors.Org.LoginPolicy.NotFound")
+		return nil, errors.ThrowPreconditionFailed(err, "COMMAND-Dfg3g", "Errors.Org.LoginPolicy.NotFound")
 	}
 	if !loginPolicy.AllowRegister {
-		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-SAbr3", "Errors.Org.LoginPolicy.RegistrationNotAllowed")
+		return nil, errors.ThrowPreconditionFailed(err, "COMMAND-SAbr3", "Errors.Org.LoginPolicy.RegistrationNotAllowed")
 	}
 	userEvents, registeredHuman, err := c.registerHuman(ctx, orgID, human, link, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
 	if err != nil {
@@ -171,12 +350,41 @@ func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domai
 	return writeModelToHuman(registeredHuman), nil
 }

+func (c *Commands) addHuman(ctx context.Context, orgID string, human *domain.Human, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) ([]eventstore.Command, *HumanWriteModel, error) {
+	if orgID == "" || !human.IsValid() {
+		return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-67Ms8", "Errors.User.Invalid")
+	}
+	if human.Password != nil && human.SecretString != "" {
+		human.ChangeRequired = true
+	}
+	return c.createHuman(ctx, orgID, human, nil, false, false, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
+}
+
+func (c *Commands) importHuman(ctx context.Context, orgID string, human *domain.Human, passwordless bool, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator, passwordlessCodeGenerator crypto.Generator) (events []eventstore.Command, humanWriteModel *HumanWriteModel, passwordlessCodeWriteModel *HumanPasswordlessInitCodeWriteModel, code string, err error) {
+	if orgID == "" || !human.IsValid() {
+		return nil, nil, nil, "", errors.ThrowInvalidArgument(nil, "COMMAND-00p2b", "Errors.User.Invalid")
+	}
+	events, humanWriteModel, err = c.createHuman(ctx, orgID, human, nil, false, passwordless, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
+	if err != nil {
+		return nil, nil, nil, "", err
+	}
+	if passwordless {
+		var codeEvent eventstore.Command
+		codeEvent, passwordlessCodeWriteModel, code, err = c.humanAddPasswordlessInitCode(ctx, human.AggregateID, orgID, true, passwordlessCodeGenerator)
+		if err != nil {
+			return nil, nil, nil, "", err
+		}
+		events = append(events, codeEvent)
+	}
+	return events, humanWriteModel, passwordlessCodeWriteModel, code, nil
+}
+
 func (c *Commands) registerHuman(ctx context.Context, orgID string, human *domain.Human, link *domain.UserIDPLink, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) ([]eventstore.Command, *HumanWriteModel, error) {
 	if human != nil && human.Username == "" {
 		human.Username = human.EmailAddress
 	}
 	if orgID == "" || !human.IsValid() || link == nil && (human.Password == nil || human.SecretString == "") {
-		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-9dk45", "Errors.User.Invalid")
+		return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-9dk45", "Errors.User.Invalid")
 	}
 	if human.Password != nil && human.SecretString != "" {
 		human.ChangeRequired = false
@@ -184,21 +392,21 @@ func (c *Commands) registerHuman(ctx context.Context, orgID string, human *domai
 	return c.createHuman(ctx, orgID, human, link, true, false, domainPolicy, pwPolicy, initCodeGenerator, phoneCodeGenerator)
 }

-func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.Human, link *domain.UserIDPLink, selfregister, passwordless bool, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) ([]eventstore.Command, *HumanWriteModel, error) {
+func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.Human, link *domain.UserIDPLink, selfregister, passwordless bool, domainPolicy *domain.DomainPolicy, pwPolicy *domain.PasswordComplexityPolicy, initCodeGenerator crypto.Generator, phoneCodeGenerator crypto.Generator) (events []eventstore.Command, addedHuman *HumanWriteModel, err error) {
 	if err := human.CheckDomainPolicy(domainPolicy); err != nil {
 		return nil, nil, err
 	}
 	if !domainPolicy.UserLoginMustBeDomain {
 		usernameSplit := strings.Split(human.Username, "@")
 		if len(usernameSplit) != 2 {
-			return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Dfd21", "Errors.User.Invalid")
+			return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-Dfd21", "Errors.User.Invalid")
 		}
 		domainCheck := NewOrgDomainVerifiedWriteModel(usernameSplit[1])
 		if err := c.eventstore.FilterToQueryReducer(ctx, domainCheck); err != nil {
 			return nil, nil, err
 		}
 		if domainCheck.Verified && domainCheck.ResourceOwner != orgID {
-			return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-SFd21", "Errors.User.DomainNotAllowedAsUsername")
+			return nil, nil, errors.ThrowInvalidArgument(nil, "COMMAND-SFd21", "Errors.User.DomainNotAllowedAsUsername")
 		}
 	}
 	userID, err := c.idGenerator.Next()
@@ -213,10 +421,9 @@ func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.
 		}
 	}

-	addedHuman := NewHumanWriteModel(human.AggregateID, orgID)
+	addedHuman = NewHumanWriteModel(human.AggregateID, orgID)
 	//TODO: adlerhurst maybe we could simplify the code below
 	userAgg := UserAggregateFromWriteModel(&addedHuman.WriteModel)
-	var events []eventstore.Command

 	if selfregister {
 		events = append(events, createRegisterHumanEvent(ctx, userAgg, human, domainPolicy.UserLoginMustBeDomain))
@@ -259,7 +466,7 @@ func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.

 func (c *Commands) HumanSkipMFAInit(ctx context.Context, userID, resourceowner string) (err error) {
 	if userID == "" {
-		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-2xpX9", "Errors.User.UserIDMissing")
+		return errors.ThrowInvalidArgument(nil, "COMMAND-2xpX9", "Errors.User.UserIDMissing")
 	}

 	existingHuman, err := c.getHumanWriteModelByID(ctx, userID, resourceowner)
@@ -267,7 +474,7 @@ func (c *Commands) HumanSkipMFAInit(ctx context.Context, userID, resourceowner s
 		return err
 	}
 	if !isUserStateExists(existingHuman.UserState) {
-		return caos_errs.ThrowNotFound(nil, "COMMAND-m9cV8", "Errors.User.NotFound")
+		return errors.ThrowNotFound(nil, "COMMAND-m9cV8", "Errors.User.NotFound")
 	}

 	_, err = c.eventstore.Push(ctx,
@@ -340,10 +547,10 @@ func createRegisterHumanEvent(ctx context.Context, aggregate *eventstore.Aggrega

 func (c *Commands) HumansSignOut(ctx context.Context, agentID string, userIDs []string) error {
 	if agentID == "" {
-		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing")
+		return errors.ThrowInvalidArgument(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing")
 	}
 	if len(userIDs) == 0 {
-		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-M0od3", "Errors.User.UserIDMissing")
+		return errors.ThrowInvalidArgument(nil, "COMMAND-M0od3", "Errors.User.UserIDMissing")
 	}
 	events := make([]eventstore.Command, 0)
 	for _, userID := range userIDs {