feat: add implementation for resend of email and phone code (#7348)

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: add implementation for resend of email and phone code

* fix: apply suggestions from code review

Co-authored-by: Livio Spring <livio.a@gmail.com>

* fix: review changes to remove resourceowner as parameters

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/grpc/user/v2/email.go

@@ -12,18 +12,17 @@ import (
 )
 
 func (s *Server) SetEmail(ctx context.Context, req *user.SetEmailRequest) (resp *user.SetEmailResponse, err error) {
-	var resourceOwner string // TODO: check if still needed
 	var email *domain.Email
 
 	switch v := req.GetVerification().(type) {
 	case *user.SetEmailRequest_SendCode:
-		email, err = s.command.ChangeUserEmailURLTemplate(ctx, req.GetUserId(), resourceOwner, req.GetEmail(), s.userCodeAlg, v.SendCode.GetUrlTemplate())
+		email, err = s.command.ChangeUserEmailURLTemplate(ctx, req.GetUserId(), req.GetEmail(), s.userCodeAlg, v.SendCode.GetUrlTemplate())
 	case *user.SetEmailRequest_ReturnCode:
-		email, err = s.command.ChangeUserEmailReturnCode(ctx, req.GetUserId(), resourceOwner, req.GetEmail(), s.userCodeAlg)
+		email, err = s.command.ChangeUserEmailReturnCode(ctx, req.GetUserId(), req.GetEmail(), s.userCodeAlg)
 	case *user.SetEmailRequest_IsVerified:
-		email, err = s.command.ChangeUserEmailVerified(ctx, req.GetUserId(), resourceOwner, req.GetEmail())
+		email, err = s.command.ChangeUserEmailVerified(ctx, req.GetUserId(), req.GetEmail())
 	case nil:
-		email, err = s.command.ChangeUserEmail(ctx, req.GetUserId(), resourceOwner, req.GetEmail(), s.userCodeAlg)
+		email, err = s.command.ChangeUserEmail(ctx, req.GetUserId(), req.GetEmail(), s.userCodeAlg)
 	default:
 		err = zerrors.ThrowUnimplementedf(nil, "USERv2-Ahng0", "verification oneOf %T in method SetEmail not implemented", v)
 	}
@@ -41,10 +40,36 @@ func (s *Server) SetEmail(ctx context.Context, req *user.SetEmailRequest) (resp
 	}, nil
 }
 
+func (s *Server) ResendEmailCode(ctx context.Context, req *user.ResendEmailCodeRequest) (resp *user.ResendEmailCodeResponse, err error) {
+	var email *domain.Email
+
+	switch v := req.GetVerification().(type) {
+	case *user.ResendEmailCodeRequest_SendCode:
+		email, err = s.command.ResendUserEmailCodeURLTemplate(ctx, req.GetUserId(), s.userCodeAlg, v.SendCode.GetUrlTemplate())
+	case *user.ResendEmailCodeRequest_ReturnCode:
+		email, err = s.command.ResendUserEmailReturnCode(ctx, req.GetUserId(), s.userCodeAlg)
+	case nil:
+		email, err = s.command.ResendUserEmailCode(ctx, req.GetUserId(), s.userCodeAlg)
+	default:
+		err = zerrors.ThrowUnimplementedf(nil, "USERv2-faj0l0nj5x", "verification oneOf %T in method ResendEmailCode not implemented", v)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &user.ResendEmailCodeResponse{
+		Details: &object.Details{
+			Sequence:      email.Sequence,
+			ChangeDate:    timestamppb.New(email.ChangeDate),
+			ResourceOwner: email.ResourceOwner,
+		},
+		VerificationCode: email.PlainCode,
+	}, nil
+}
+
 func (s *Server) VerifyEmail(ctx context.Context, req *user.VerifyEmailRequest) (*user.VerifyEmailResponse, error) {
 	details, err := s.command.VerifyUserEmail(ctx,
 		req.GetUserId(),
-		"", // TODO: check if still needed
 		req.GetVerificationCode(),
 		s.userCodeAlg,
 	)

internal/api/grpc/user/v2/email_integration_test.go

@@ -3,7 +3,9 @@
 package user_test
 
 import (
+	"fmt"
 	"testing"
+	"time"
 
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
@@ -24,6 +26,14 @@ func TestServer_SetEmail(t *testing.T) {
 		want    *user.SetEmailResponse
 		wantErr bool
 	}{
+		{
+			name: "user not existing",
+			req: &user.SetEmailRequest{
+				UserId: "xxx",
+				Email:  "default-verifier@mouse.com",
+			},
+			wantErr: true,
+		},
 		{
 			name: "default verfication",
 			req: &user.SetEmailRequest{
@@ -133,6 +143,107 @@ func TestServer_SetEmail(t *testing.T) {
 	}
 }
 
+func TestServer_ResendEmailCode(t *testing.T) {
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
+	verifiedUserID := Tester.CreateHumanUserVerified(CTX, Tester.Organisation.ID, fmt.Sprintf("%d@mouse.com", time.Now().UnixNano())).GetUserId()
+
+	tests := []struct {
+		name    string
+		req     *user.ResendEmailCodeRequest
+		want    *user.ResendEmailCodeResponse
+		wantErr bool
+	}{
+		{
+			name: "user not existing",
+			req: &user.ResendEmailCodeRequest{
+				UserId: "xxx",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user no code",
+			req: &user.ResendEmailCodeRequest{
+				UserId: verifiedUserID,
+			},
+			wantErr: true,
+		},
+		{
+			name: "resend",
+			req: &user.ResendEmailCodeRequest{
+				UserId: userID,
+			},
+			want: &user.ResendEmailCodeResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "custom url template",
+			req: &user.ResendEmailCodeRequest{
+				UserId: userID,
+				Verification: &user.ResendEmailCodeRequest_SendCode{
+					SendCode: &user.SendEmailVerificationCode{
+						UrlTemplate: gu.Ptr("https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}"),
+					},
+				},
+			},
+			want: &user.ResendEmailCodeResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "template error",
+			req: &user.ResendEmailCodeRequest{
+				UserId: userID,
+				Verification: &user.ResendEmailCodeRequest_SendCode{
+					SendCode: &user.SendEmailVerificationCode{
+						UrlTemplate: gu.Ptr("{{"),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "return code",
+			req: &user.ResendEmailCodeRequest{
+				UserId: userID,
+				Verification: &user.ResendEmailCodeRequest_ReturnCode{
+					ReturnCode: &user.ReturnEmailVerificationCode{},
+				},
+			},
+			want: &user.ResendEmailCodeResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+				VerificationCode: gu.Ptr("xxx"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.ResendEmailCode(CTX, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			integration.AssertDetails(t, tt.want, got)
+			if tt.want.GetVerificationCode() != "" {
+				assert.NotEmpty(t, got.GetVerificationCode())
+			}
+		})
+	}
+}
+
 func TestServer_VerifyEmail(t *testing.T) {
 	userResp := Tester.CreateHumanUser(CTX)
 	tests := []struct {

internal/api/grpc/user/v2/phone.go

@@ -12,18 +12,17 @@ import (
 )
 
 func (s *Server) SetPhone(ctx context.Context, req *user.SetPhoneRequest) (resp *user.SetPhoneResponse, err error) {
-	var resourceOwner string // TODO: check if still needed
 	var phone *domain.Phone
 
 	switch v := req.GetVerification().(type) {
 	case *user.SetPhoneRequest_SendCode:
-		phone, err = s.command.ChangeUserPhone(ctx, req.GetUserId(), resourceOwner, req.GetPhone(), s.userCodeAlg)
+		phone, err = s.command.ChangeUserPhone(ctx, req.GetUserId(), req.GetPhone(), s.userCodeAlg)
 	case *user.SetPhoneRequest_ReturnCode:
-		phone, err = s.command.ChangeUserPhoneReturnCode(ctx, req.GetUserId(), resourceOwner, req.GetPhone(), s.userCodeAlg)
+		phone, err = s.command.ChangeUserPhoneReturnCode(ctx, req.GetUserId(), req.GetPhone(), s.userCodeAlg)
 	case *user.SetPhoneRequest_IsVerified:
-		phone, err = s.command.ChangeUserPhoneVerified(ctx, req.GetUserId(), resourceOwner, req.GetPhone())
+		phone, err = s.command.ChangeUserPhoneVerified(ctx, req.GetUserId(), req.GetPhone())
 	case nil:
-		phone, err = s.command.ChangeUserPhone(ctx, req.GetUserId(), resourceOwner, req.GetPhone(), s.userCodeAlg)
+		phone, err = s.command.ChangeUserPhone(ctx, req.GetUserId(), req.GetPhone(), s.userCodeAlg)
 	default:
 		err = zerrors.ThrowUnimplementedf(nil, "USERv2-Ahng0", "verification oneOf %T in method SetPhone not implemented", v)
 	}
@@ -41,10 +40,35 @@ func (s *Server) SetPhone(ctx context.Context, req *user.SetPhoneRequest) (resp
 	}, nil
 }
 
+func (s *Server) ResendPhoneCode(ctx context.Context, req *user.ResendPhoneCodeRequest) (resp *user.ResendPhoneCodeResponse, err error) {
+	var phone *domain.Phone
+	switch v := req.GetVerification().(type) {
+	case *user.ResendPhoneCodeRequest_SendCode:
+		phone, err = s.command.ResendUserPhoneCode(ctx, req.GetUserId(), s.userCodeAlg)
+	case *user.ResendPhoneCodeRequest_ReturnCode:
+		phone, err = s.command.ResendUserPhoneCodeReturnCode(ctx, req.GetUserId(), s.userCodeAlg)
+	case nil:
+		phone, err = s.command.ResendUserPhoneCode(ctx, req.GetUserId(), s.userCodeAlg)
+	default:
+		err = zerrors.ThrowUnimplementedf(nil, "USERv2-ResendUserPhoneCode", "verification oneOf %T in method SetPhone not implemented", v)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &user.ResendPhoneCodeResponse{
+		Details: &object.Details{
+			Sequence:      phone.Sequence,
+			ChangeDate:    timestamppb.New(phone.ChangeDate),
+			ResourceOwner: phone.ResourceOwner,
+		},
+		VerificationCode: phone.PlainCode,
+	}, nil
+}
+
 func (s *Server) VerifyPhone(ctx context.Context, req *user.VerifyPhoneRequest) (*user.VerifyPhoneResponse, error) {
 	details, err := s.command.VerifyUserPhone(ctx,
 		req.GetUserId(),
-		"", // TODO: check if still needed
 		req.GetVerificationCode(),
 		s.userCodeAlg,
 	)

internal/api/grpc/user/v2/phone_integration_test.go

@@ -3,7 +3,9 @@
 package user_test
 
 import (
+	"fmt"
 	"testing"
+	"time"
 
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
@@ -118,6 +120,80 @@ func TestServer_SetPhone(t *testing.T) {
 	}
 }
 
+func TestServer_ResendPhoneCode(t *testing.T) {
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
+	verifiedUserID := Tester.CreateHumanUserVerified(CTX, Tester.Organisation.ID, fmt.Sprintf("%d@mouse.com", time.Now().UnixNano())).GetUserId()
+
+	tests := []struct {
+		name    string
+		req     *user.ResendPhoneCodeRequest
+		want    *user.ResendPhoneCodeResponse
+		wantErr bool
+	}{
+		{
+			name: "user not existing",
+			req: &user.ResendPhoneCodeRequest{
+				UserId: "xxx",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user not existing",
+			req: &user.ResendPhoneCodeRequest{
+				UserId: verifiedUserID,
+			},
+			wantErr: true,
+		},
+		{
+			name: "resend code",
+			req: &user.ResendPhoneCodeRequest{
+				UserId: userID,
+				Verification: &user.ResendPhoneCodeRequest_SendCode{
+					SendCode: &user.SendPhoneVerificationCode{},
+				},
+			},
+			want: &user.ResendPhoneCodeResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "return code",
+			req: &user.ResendPhoneCodeRequest{
+				UserId: userID,
+				Verification: &user.ResendPhoneCodeRequest_ReturnCode{
+					ReturnCode: &user.ReturnPhoneVerificationCode{},
+				},
+			},
+			want: &user.ResendPhoneCodeResponse{
+				Details: &object.Details{
+					Sequence:      1,
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+				VerificationCode: gu.Ptr("xxx"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.ResendPhoneCode(CTX, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			integration.AssertDetails(t, tt.want, got)
+			if tt.want.GetVerificationCode() != "" {
+				assert.NotEmpty(t, got.GetVerificationCode())
+			}
+		})
+	}
+}
+
 func TestServer_VerifyPhone(t *testing.T) {
 	userResp := Tester.CreateHumanUser(CTX)
 	tests := []struct {

internal/api/ui/login/mfa_init_sms.go

@@ -99,7 +99,7 @@ func (l *Login) handleRegisterSMSCheck(w http.ResponseWriter, r *http.Request) {
 	if formData.Code == "" {
 		data.Phone = formData.NewPhone
 		if formData.NewPhone != formData.Phone {
-			_, err = l.command.ChangeUserPhone(ctx, authReq.UserID, authReq.UserOrgID, formData.NewPhone, l.userCodeAlg)
+			_, err = l.command.ChangeUserPhone(ctx, authReq.UserID, formData.NewPhone, l.userCodeAlg)
 			if err != nil {
 				// stay in edit more
 				data.Edit = true
@@ -109,7 +109,7 @@ func (l *Login) handleRegisterSMSCheck(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	_, err = l.command.VerifyUserPhone(ctx, authReq.UserID, authReq.UserOrgID, formData.Code, l.userCodeAlg)
+	_, err = l.command.VerifyUserPhone(ctx, authReq.UserID, formData.Code, l.userCodeAlg)
 	if err != nil {
 		l.renderRegisterSMS(w, r, authReq, data, err)
 		return

internal/command/user_v2_email.go

@@ -16,30 +16,52 @@ import (
 
 // ChangeUserEmail sets a user's email address, generates a code
 // and triggers a notification e-mail with the default confirmation URL format.
-func (c *Commands) ChangeUserEmail(ctx context.Context, userID, resourceOwner, email string, alg crypto.EncryptionAlgorithm) (*domain.Email, error) {
+func (c *Commands) ChangeUserEmail(ctx context.Context, userID, email string, alg crypto.EncryptionAlgorithm) (*domain.Email, error) {
-	return c.changeUserEmailWithCode(ctx, userID, resourceOwner, email, alg, false, "")
+	return c.changeUserEmailWithCode(ctx, userID, email, alg, false, "")
 }
 
 // ChangeUserEmailURLTemplate sets a user's email address, generates a code
 // and triggers a notification e-mail with the confirmation URL rendered from the passed urlTmpl.
 // urlTmpl must be a valid [tmpl.Template].
-func (c *Commands) ChangeUserEmailURLTemplate(ctx context.Context, userID, resourceOwner, email string, alg crypto.EncryptionAlgorithm, urlTmpl string) (*domain.Email, error) {
+func (c *Commands) ChangeUserEmailURLTemplate(ctx context.Context, userID, email string, alg crypto.EncryptionAlgorithm, urlTmpl string) (*domain.Email, error) {
 	if err := domain.RenderConfirmURLTemplate(io.Discard, urlTmpl, userID, "code", "orgID"); err != nil {
 		return nil, err
 	}
-	return c.changeUserEmailWithCode(ctx, userID, resourceOwner, email, alg, false, urlTmpl)
+	return c.changeUserEmailWithCode(ctx, userID, email, alg, false, urlTmpl)
 }
 
 // ChangeUserEmailReturnCode sets a user's email address, generates a code and does not send a notification email.
 // The generated plain text code will be set in the returned Email object.
-func (c *Commands) ChangeUserEmailReturnCode(ctx context.Context, userID, resourceOwner, email string, alg crypto.EncryptionAlgorithm) (*domain.Email, error) {
+func (c *Commands) ChangeUserEmailReturnCode(ctx context.Context, userID, email string, alg crypto.EncryptionAlgorithm) (*domain.Email, error) {
-	return c.changeUserEmailWithCode(ctx, userID, resourceOwner, email, alg, true, "")
+	return c.changeUserEmailWithCode(ctx, userID, email, alg, true, "")
+}
+
+// ResendUserEmailCode generates a new code if there is a code existing
+// and triggers a notification e-mail with the default confirmation URL format.
+func (c *Commands) ResendUserEmailCode(ctx context.Context, userID string, alg crypto.EncryptionAlgorithm) (*domain.Email, error) {
+	return c.resendUserEmailCode(ctx, userID, alg, false, "")
+}
+
+// ResendUserEmailCodeURLTemplate generates a new code if there is a code existing
+// and triggers a notification e-mail with the confirmation URL rendered from the passed urlTmpl.
+// urlTmpl must be a valid [tmpl.Template].
+func (c *Commands) ResendUserEmailCodeURLTemplate(ctx context.Context, userID string, alg crypto.EncryptionAlgorithm, urlTmpl string) (*domain.Email, error) {
+	if err := domain.RenderConfirmURLTemplate(io.Discard, urlTmpl, userID, "code", "orgID"); err != nil {
+		return nil, err
+	}
+	return c.resendUserEmailCode(ctx, userID, alg, false, urlTmpl)
+}
+
+// ResendUserEmailReturnCode generates a new code if there is a code existing and does not send a notification email.
+// The generated plain text code will be set in the returned Email object.
+func (c *Commands) ResendUserEmailReturnCode(ctx context.Context, userID string, alg crypto.EncryptionAlgorithm) (*domain.Email, error) {
+	return c.resendUserEmailCode(ctx, userID, alg, true, "")
 }
 
 // ChangeUserEmailVerified sets a user's email address and marks it is verified.
 // No code is generated and no confirmation e-mail is send.
-func (c *Commands) ChangeUserEmailVerified(ctx context.Context, userID, resourceOwner, email string) (*domain.Email, error) {
+func (c *Commands) ChangeUserEmailVerified(ctx context.Context, userID, email string) (*domain.Email, error) {
-	cmd, err := c.NewUserEmailEvents(ctx, userID, resourceOwner)
+	cmd, err := c.NewUserEmailEvents(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -53,29 +75,46 @@ func (c *Commands) ChangeUserEmailVerified(ctx context.Context, userID, resource
 	return cmd.Push(ctx)
 }
 
-func (c *Commands) changeUserEmailWithCode(ctx context.Context, userID, resourceOwner, email string, alg crypto.EncryptionAlgorithm, returnCode bool, urlTmpl string) (*domain.Email, error) {
+func (c *Commands) changeUserEmailWithCode(ctx context.Context, userID, email string, alg crypto.EncryptionAlgorithm, returnCode bool, urlTmpl string) (*domain.Email, error) {
 	config, err := secretGeneratorConfig(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyEmailCode)
 	if err != nil {
 		return nil, err
 	}
 	gen := crypto.NewEncryptionGenerator(*config, alg)
-	return c.changeUserEmailWithGenerator(ctx, userID, resourceOwner, email, gen, returnCode, urlTmpl)
+	return c.changeUserEmailWithGenerator(ctx, userID, email, gen, returnCode, urlTmpl)
+}
+
+func (c *Commands) resendUserEmailCode(ctx context.Context, userID string, alg crypto.EncryptionAlgorithm, returnCode bool, urlTmpl string) (*domain.Email, error) {
+	config, err := secretGeneratorConfig(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyEmailCode) //nolint:staticcheck
+	if err != nil {
+		return nil, err
+	}
+	gen := crypto.NewEncryptionGenerator(*config, alg)
+	return c.resendUserEmailCodeWithGenerator(ctx, userID, gen, returnCode, urlTmpl)
 }
 
 // changeUserEmailWithGenerator set a user's email address.
 // returnCode controls if the plain text version of the code will be set in the return object.
 // When the plain text code is returned, no notification e-mail will be send to the user.
 // urlTmpl allows changing the target URL that is used by the e-mail and should be a validated Go template, if used.
-func (c *Commands) changeUserEmailWithGenerator(ctx context.Context, userID, resourceOwner, email string, gen crypto.Generator, returnCode bool, urlTmpl string) (*domain.Email, error) {
+func (c *Commands) changeUserEmailWithGenerator(ctx context.Context, userID, email string, gen crypto.Generator, returnCode bool, urlTmpl string) (*domain.Email, error) {
-	cmd, err := c.changeUserEmailWithGeneratorEvents(ctx, userID, resourceOwner, email, gen, returnCode, urlTmpl)
+	cmd, err := c.changeUserEmailWithGeneratorEvents(ctx, userID, email, gen, returnCode, urlTmpl)
 	if err != nil {
 		return nil, err
 	}
 	return cmd.Push(ctx)
 }
 
-func (c *Commands) changeUserEmailWithGeneratorEvents(ctx context.Context, userID, resourceOwner, email string, gen crypto.Generator, returnCode bool, urlTmpl string) (*UserEmailEvents, error) {
+func (c *Commands) resendUserEmailCodeWithGenerator(ctx context.Context, userID string, gen crypto.Generator, returnCode bool, urlTmpl string) (*domain.Email, error) {
-	cmd, err := c.NewUserEmailEvents(ctx, userID, resourceOwner)
+	cmd, err := c.resendUserEmailCodeWithGeneratorEvents(ctx, userID, gen, returnCode, urlTmpl)
+	if err != nil {
+		return nil, err
+	}
+	return cmd.Push(ctx)
+}
+
+func (c *Commands) changeUserEmailWithGeneratorEvents(ctx context.Context, userID, email string, gen crypto.Generator, returnCode bool, urlTmpl string) (*UserEmailEvents, error) {
+	cmd, err := c.NewUserEmailEvents(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -93,17 +132,36 @@ func (c *Commands) changeUserEmailWithGeneratorEvents(ctx context.Context, userI
 	return cmd, nil
 }
 
-func (c *Commands) VerifyUserEmail(ctx context.Context, userID, resourceOwner, code string, alg crypto.EncryptionAlgorithm) (*domain.ObjectDetails, error) {
+func (c *Commands) resendUserEmailCodeWithGeneratorEvents(ctx context.Context, userID string, gen crypto.Generator, returnCode bool, urlTmpl string) (*UserEmailEvents, error) {
+	cmd, err := c.NewUserEmailEvents(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+	if authz.GetCtxData(ctx).UserID != userID {
+		if err = c.checkPermission(ctx, domain.PermissionUserWrite, cmd.aggregate.ResourceOwner, userID); err != nil {
+			return nil, err
+		}
+	}
+	if cmd.model.Code == nil {
+		return nil, zerrors.ThrowPreconditionFailed(err, "EMAIL-5w5ilin4yt", "Errors.User.Code.Empty")
+	}
+	if err = cmd.AddGeneratedCode(ctx, gen, urlTmpl, returnCode); err != nil {
+		return nil, err
+	}
+	return cmd, nil
+}
+
+func (c *Commands) VerifyUserEmail(ctx context.Context, userID, code string, alg crypto.EncryptionAlgorithm) (*domain.ObjectDetails, error) {
 	config, err := secretGeneratorConfig(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyEmailCode)
 	if err != nil {
 		return nil, err
 	}
 	gen := crypto.NewEncryptionGenerator(*config, alg)
-	return c.verifyUserEmailWithGenerator(ctx, userID, resourceOwner, code, gen)
+	return c.verifyUserEmailWithGenerator(ctx, userID, code, gen)
 }
 
-func (c *Commands) verifyUserEmailWithGenerator(ctx context.Context, userID, resourceOwner, code string, gen crypto.Generator) (*domain.ObjectDetails, error) {
+func (c *Commands) verifyUserEmailWithGenerator(ctx context.Context, userID, code string, gen crypto.Generator) (*domain.ObjectDetails, error) {
-	cmd, err := c.NewUserEmailEvents(ctx, userID, resourceOwner)
+	cmd, err := c.NewUserEmailEvents(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -131,12 +189,12 @@ type UserEmailEvents struct {
 // NewUserEmailEvents constructs a UserEmailEvents with a Human Email Write Model,
 // filtered by userID and resourceOwner.
 // If a model cannot be found, or it's state is invalid and error is returned.
-func (c *Commands) NewUserEmailEvents(ctx context.Context, userID, resourceOwner string) (*UserEmailEvents, error) {
+func (c *Commands) NewUserEmailEvents(ctx context.Context, userID string) (*UserEmailEvents, error) {
 	if userID == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-0Gzs3", "Errors.User.Email.IDMissing")
 	}
 
-	model, err := c.emailWriteModel(ctx, userID, resourceOwner)
+	model, err := c.emailWriteModel(ctx, userID, "")
 	if err != nil {
 		return nil, err
 	}

internal/command/user_v2_phone.go

@@ -15,20 +15,20 @@ import (
 
 // ChangeUserPhone sets a user's phone number, generates a code
 // and triggers a notification sms.
-func (c *Commands) ChangeUserPhone(ctx context.Context, userID, resourceOwner, phone string, alg crypto.EncryptionAlgorithm) (*domain.Phone, error) {
+func (c *Commands) ChangeUserPhone(ctx context.Context, userID, phone string, alg crypto.EncryptionAlgorithm) (*domain.Phone, error) {
-	return c.changeUserPhoneWithCode(ctx, userID, resourceOwner, phone, alg, false)
+	return c.changeUserPhoneWithCode(ctx, userID, phone, alg, false)
 }
 
 // ChangeUserPhoneReturnCode sets a user's phone number, generates a code and does not send a notification sms.
 // The generated plain text code will be set in the returned Phone object.
-func (c *Commands) ChangeUserPhoneReturnCode(ctx context.Context, userID, resourceOwner, phone string, alg crypto.EncryptionAlgorithm) (*domain.Phone, error) {
+func (c *Commands) ChangeUserPhoneReturnCode(ctx context.Context, userID, phone string, alg crypto.EncryptionAlgorithm) (*domain.Phone, error) {
-	return c.changeUserPhoneWithCode(ctx, userID, resourceOwner, phone, alg, true)
+	return c.changeUserPhoneWithCode(ctx, userID, phone, alg, true)
 }
 
 // ChangeUserPhoneVerified sets a user's phone number and marks it is verified.
 // No code is generated and no confirmation sms is send.
-func (c *Commands) ChangeUserPhoneVerified(ctx context.Context, userID, resourceOwner, phone string) (*domain.Phone, error) {
+func (c *Commands) ChangeUserPhoneVerified(ctx context.Context, userID, phone string) (*domain.Phone, error) {
-	cmd, err := c.NewUserPhoneEvents(ctx, userID, resourceOwner)
+	cmd, err := c.NewUserPhoneEvents(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -42,20 +42,41 @@ func (c *Commands) ChangeUserPhoneVerified(ctx context.Context, userID, resource
 	return cmd.Push(ctx)
 }
 
-func (c *Commands) changeUserPhoneWithCode(ctx context.Context, userID, resourceOwner, phone string, alg crypto.EncryptionAlgorithm, returnCode bool) (*domain.Phone, error) {
+// ResendUserPhoneCode generates a code
+// and triggers a notification sms.
+func (c *Commands) ResendUserPhoneCode(ctx context.Context, userID string, alg crypto.EncryptionAlgorithm) (*domain.Phone, error) {
+	return c.resendUserPhoneCode(ctx, userID, alg, false)
+}
+
+// ResendUserPhoneCodeReturnCode generates a code and does not send a notification sms.
+// The generated plain text code will be set in the returned Phone object.
+func (c *Commands) ResendUserPhoneCodeReturnCode(ctx context.Context, userID string, alg crypto.EncryptionAlgorithm) (*domain.Phone, error) {
+	return c.resendUserPhoneCode(ctx, userID, alg, true)
+}
+
+func (c *Commands) changeUserPhoneWithCode(ctx context.Context, userID, phone string, alg crypto.EncryptionAlgorithm, returnCode bool) (*domain.Phone, error) {
 	config, err := secretGeneratorConfig(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode)
 	if err != nil {
 		return nil, err
 	}
 	gen := crypto.NewEncryptionGenerator(*config, alg)
-	return c.changeUserPhoneWithGenerator(ctx, userID, resourceOwner, phone, gen, returnCode)
+	return c.changeUserPhoneWithGenerator(ctx, userID, phone, gen, returnCode)
+}
+
+func (c *Commands) resendUserPhoneCode(ctx context.Context, userID string, alg crypto.EncryptionAlgorithm, returnCode bool) (*domain.Phone, error) {
+	config, err := secretGeneratorConfig(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode) //nolint:staticcheck
+	if err != nil {
+		return nil, err
+	}
+	gen := crypto.NewEncryptionGenerator(*config, alg)
+	return c.resendUserPhoneCodeWithGenerator(ctx, userID, gen, returnCode)
 }
 
 // changeUserPhoneWithGenerator set a user's phone number.
 // returnCode controls if the plain text version of the code will be set in the return object.
 // When the plain text code is returned, no notification sms will be send to the user.
-func (c *Commands) changeUserPhoneWithGenerator(ctx context.Context, userID, resourceOwner, phone string, gen crypto.Generator, returnCode bool) (*domain.Phone, error) {
+func (c *Commands) changeUserPhoneWithGenerator(ctx context.Context, userID, phone string, gen crypto.Generator, returnCode bool) (*domain.Phone, error) {
-	cmd, err := c.NewUserPhoneEvents(ctx, userID, resourceOwner)
+	cmd, err := c.NewUserPhoneEvents(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -73,17 +94,39 @@ func (c *Commands) changeUserPhoneWithGenerator(ctx context.Context, userID, res
 	return cmd.Push(ctx)
 }
 
-func (c *Commands) VerifyUserPhone(ctx context.Context, userID, resourceOwner, code string, alg crypto.EncryptionAlgorithm) (*domain.ObjectDetails, error) {
+// resendUserPhoneCodeWithGenerator generates a new code.
+// returnCode controls if the plain text version of the code will be set in the return object.
+// When the plain text code is returned, no notification sms will be send to the user.
+func (c *Commands) resendUserPhoneCodeWithGenerator(ctx context.Context, userID string, gen crypto.Generator, returnCode bool) (*domain.Phone, error) {
+	cmd, err := c.NewUserPhoneEvents(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+	if authz.GetCtxData(ctx).UserID != userID {
+		if err = c.checkPermission(ctx, domain.PermissionUserWrite, cmd.aggregate.ResourceOwner, userID); err != nil {
+			return nil, err
+		}
+	}
+	if cmd.model.Code == nil {
+		return nil, zerrors.ThrowPreconditionFailed(err, "PHONE-5xrra88eq8", "Errors.User.Code.Empty")
+	}
+	if err = cmd.AddGeneratedCode(ctx, gen, returnCode); err != nil {
+		return nil, err
+	}
+	return cmd.Push(ctx)
+}
+
+func (c *Commands) VerifyUserPhone(ctx context.Context, userID, code string, alg crypto.EncryptionAlgorithm) (*domain.ObjectDetails, error) {
 	config, err := secretGeneratorConfig(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode)
 	if err != nil {
 		return nil, err
 	}
 	gen := crypto.NewEncryptionGenerator(*config, alg)
-	return c.verifyUserPhoneWithGenerator(ctx, userID, resourceOwner, code, gen)
+	return c.verifyUserPhoneWithGenerator(ctx, userID, code, gen)
 }
 
-func (c *Commands) verifyUserPhoneWithGenerator(ctx context.Context, userID, resourceOwner, code string, gen crypto.Generator) (*domain.ObjectDetails, error) {
+func (c *Commands) verifyUserPhoneWithGenerator(ctx context.Context, userID, code string, gen crypto.Generator) (*domain.ObjectDetails, error) {
-	cmd, err := c.NewUserPhoneEvents(ctx, userID, resourceOwner)
+	cmd, err := c.NewUserPhoneEvents(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -111,12 +154,12 @@ type UserPhoneEvents struct {
 // NewUserPhoneEvents constructs a UserPhoneEvents with a Human Phone Write Model,
 // filtered by userID and resourceOwner.
 // If a model cannot be found, or it's state is invalid and error is returned.
-func (c *Commands) NewUserPhoneEvents(ctx context.Context, userID, resourceOwner string) (*UserPhoneEvents, error) {
+func (c *Commands) NewUserPhoneEvents(ctx context.Context, userID string) (*UserPhoneEvents, error) {
 	if userID == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-xP292j", "Errors.User.Phone.IDMissing")
 	}
 
-	model, err := c.phoneWriteModelByID(ctx, userID, resourceOwner)
+	model, err := c.phoneWriteModelByID(ctx, userID, "")
 	if err != nil {
 		return nil, err
 	}

internal/command/user_v2_phone_test.go

@@ -27,7 +27,6 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 	}
 	type args struct {
 		userID string
-		resourceOwner string
 		phone  string
 	}
 	tests := []struct {
@@ -75,7 +74,6 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "",
 			},
 			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
@@ -119,7 +117,6 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "",
 			},
 			wantErr: zerrors.ThrowInvalidArgument(nil, "PHONE-Zt0NV", "Errors.User.Phone.Empty"),
@@ -163,7 +160,6 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "+41791234567",
 			},
 			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Uch5e", "Errors.User.Phone.NotChanged"),
@@ -175,7 +171,7 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 				eventstore:      tt.fields.eventstore,
 				checkPermission: tt.fields.checkPermission,
 			}
-			_, err := c.ChangeUserPhone(context.Background(), tt.args.userID, tt.args.resourceOwner, tt.args.phone, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
+			_, err := c.ChangeUserPhone(context.Background(), tt.args.userID, tt.args.phone, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
 			require.ErrorIs(t, err, tt.wantErr)
 			// successful cases are tested in TestCommands_changeUserPhoneWithGenerator
 		})
@@ -189,7 +185,6 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 	}
 	type args struct {
 		userID string
-		resourceOwner string
 		phone  string
 	}
 	tests := []struct {
@@ -237,7 +232,6 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "+41791234567",
 			},
 			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
@@ -281,7 +275,6 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "",
 			},
 			wantErr: zerrors.ThrowInvalidArgument(nil, "PHONE-Zt0NV", "Errors.User.Phone.Empty"),
@@ -293,13 +286,237 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 				eventstore:      tt.fields.eventstore,
 				checkPermission: tt.fields.checkPermission,
 			}
-			_, err := c.ChangeUserPhoneReturnCode(context.Background(), tt.args.userID, tt.args.resourceOwner, tt.args.phone, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
+			_, err := c.ChangeUserPhoneReturnCode(context.Background(), tt.args.userID, tt.args.phone, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
 			require.ErrorIs(t, err, tt.wantErr)
 			// successful cases are tested in TestCommands_changeUserPhoneWithGenerator
 		})
 	}
 }
 
+func TestCommands_ResendUserPhoneCode(t *testing.T) {
+	type fields struct {
+		eventstore      *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		userID string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr error
+	}{
+		{
+			name: "missing permission",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSecretGeneratorAddedEvent(context.Background(),
+								&instance.NewAggregate("inst1").Aggregate,
+								domain.SecretGeneratorTypeVerifyPhoneCode,
+								12, time.Minute, true, true, true, true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				userID: "user1",
+			},
+			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+		},
+		{
+			name: "no code",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSecretGeneratorAddedEvent(context.Background(),
+								&instance.NewAggregate("inst1").Aggregate,
+								domain.SecretGeneratorTypeVerifyPhoneCode,
+								12, time.Minute, true, true, true, true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				userID: "user1",
+			},
+			wantErr: zerrors.ThrowPreconditionFailed(nil, "PHONE-5xrra88eq8", "Errors.User.Code.Empty"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore,
+				checkPermission: tt.fields.checkPermission,
+			}
+			_, err := c.ResendUserPhoneCode(context.Background(), tt.args.userID, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
+			require.ErrorIs(t, err, tt.wantErr)
+			// successful cases are tested in TestCommands_resendUserPhoneCodeWithGenerator
+		})
+	}
+}
+
+func TestCommands_ResendUserPhoneCodeReturnCode(t *testing.T) {
+	type fields struct {
+		eventstore      *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		userID string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr error
+	}{
+		{
+			name: "missing permission",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSecretGeneratorAddedEvent(context.Background(),
+								&instance.NewAggregate("inst1").Aggregate,
+								domain.SecretGeneratorTypeVerifyPhoneCode,
+								12, time.Minute, true, true, true, true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				userID: "user1",
+			},
+			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+		},
+		{
+			name: "no code",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSecretGeneratorAddedEvent(context.Background(),
+								&instance.NewAggregate("inst1").Aggregate,
+								domain.SecretGeneratorTypeVerifyEmailCode,
+								12, time.Minute, true, true, true, true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				userID: "user1",
+			},
+			wantErr: zerrors.ThrowPreconditionFailed(nil, "PHONE-5xrra88eq8", "Errors.User.Code.Empty"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore,
+				checkPermission: tt.fields.checkPermission,
+			}
+			_, err := c.ResendUserPhoneCodeReturnCode(context.Background(), tt.args.userID, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
+			require.ErrorIs(t, err, tt.wantErr)
+			// successful cases are tested in TestCommands_resendUserPhoneCodeWithGenerator
+		})
+	}
+}
+
 func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
@@ -307,7 +524,6 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 	}
 	type args struct {
 		userID string
-		resourceOwner string
 		phone  string
 	}
 	tests := []struct {
@@ -325,7 +541,6 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 			},
 			args: args{
 				userID: "",
-				resourceOwner: "org1",
 				phone:  "+41791234567",
 			},
 			wantErr: zerrors.ThrowInvalidArgument(nil, "COMMAND-xP292j", "Errors.User.Phone.IDMissing"),
@@ -360,7 +575,6 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "+41791234567",
 			},
 			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
@@ -395,7 +609,6 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "",
 			},
 			wantErr: zerrors.ThrowInvalidArgument(nil, "PHONE-Zt0NV", "Errors.User.Phone.Empty"),
@@ -439,7 +652,6 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 			},
 			args: args{
 				userID: "user1",
-				resourceOwner: "org1",
 				phone:  "+41791234568",
 			},
 			want: &domain.Phone{
@@ -458,7 +670,7 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 				eventstore:      tt.fields.eventstore,
 				checkPermission: tt.fields.checkPermission,
 			}
-			got, err := c.ChangeUserPhoneVerified(context.Background(), tt.args.userID, tt.args.resourceOwner, tt.args.phone)
+			got, err := c.ChangeUserPhoneVerified(context.Background(), tt.args.userID, tt.args.phone)
 			require.ErrorIs(t, err, tt.wantErr)
 			assert.Equal(t, got, tt.want)
 		})
@@ -472,7 +684,6 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 	}
 	type args struct {
 		userID     string
-		resourceOwner string
 		phone      string
 		returnCode bool
 	}
@@ -490,7 +701,6 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 			},
 			args: args{
 				userID:     "",
-				resourceOwner: "org1",
 				phone:      "+41791234567",
 				returnCode: false,
 			},
@@ -526,7 +736,6 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 			},
 			args: args{
 				userID:     "user1",
-				resourceOwner: "org1",
 				phone:      "+41791234567",
 				returnCode: false,
 			},
@@ -562,7 +771,6 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 			},
 			args: args{
 				userID:     "user1",
-				resourceOwner: "org1",
 				phone:      "",
 				returnCode: false,
 			},
@@ -598,7 +806,6 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 			},
 			args: args{
 				userID:     "user1",
-				resourceOwner: "org1",
 				phone:      "+41791234567",
 				returnCode: false,
 			},
@@ -651,7 +858,6 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 			},
 			args: args{
 				userID:     "user1",
-				resourceOwner: "org1",
 				phone:      "+41791234568",
 				returnCode: false,
 			},
@@ -711,7 +917,6 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 			},
 			args: args{
 				userID:     "user1",
-				resourceOwner: "org1",
 				phone:      "+41791234568",
 				returnCode: true,
 			},
@@ -732,7 +937,251 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 				eventstore:      tt.fields.eventstore,
 				checkPermission: tt.fields.checkPermission,
 			}
-			got, err := c.changeUserPhoneWithGenerator(context.Background(), tt.args.userID, tt.args.resourceOwner, tt.args.phone, GetMockSecretGenerator(t), tt.args.returnCode)
+			got, err := c.changeUserPhoneWithGenerator(context.Background(), tt.args.userID, tt.args.phone, GetMockSecretGenerator(t), tt.args.returnCode)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, got, tt.want)
+		})
+	}
+}
+
+func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
+	type fields struct {
+		eventstore      *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		userID     string
+		returnCode bool
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    *domain.Phone
+		wantErr error
+	}{
+		{
+			name: "missing user",
+			fields: fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args: args{
+				userID:     "",
+				returnCode: false,
+			},
+			wantErr: zerrors.ThrowInvalidArgument(nil, "COMMAND-xP292j", "Errors.User.Phone.IDMissing"),
+		},
+		{
+			name: "missing permission",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				userID:     "user1",
+				returnCode: false,
+			},
+			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+		},
+		{
+			name: "no code",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				userID:     "user1",
+				returnCode: false,
+			},
+			wantErr: zerrors.ThrowPreconditionFailed(nil, "PHONE-5xrra88eq8", "Errors.User.Code.Empty"),
+		},
+		{
+			name: "resend",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("a"),
+								},
+								time.Hour*1,
+								true,
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("a"),
+							},
+							time.Hour*1,
+							false,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				userID:     "user1",
+				returnCode: false,
+			},
+			want: &domain.Phone{
+				ObjectRoot: models.ObjectRoot{
+					AggregateID:   "user1",
+					ResourceOwner: "org1",
+				},
+				PhoneNumber:     "+41791234567",
+				IsPhoneVerified: false,
+			},
+		},
+		{
+			name: "return code",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("a"),
+								},
+								time.Hour*1,
+								true,
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("a"),
+							},
+							time.Hour*1,
+							true,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				userID:     "user1",
+				returnCode: true,
+			},
+			want: &domain.Phone{
+				ObjectRoot: models.ObjectRoot{
+					AggregateID:   "user1",
+					ResourceOwner: "org1",
+				},
+				PhoneNumber:     "+41791234567",
+				IsPhoneVerified: false,
+				PlainCode:       gu.Ptr("a"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore,
+				checkPermission: tt.fields.checkPermission,
+			}
+			got, err := c.resendUserPhoneCodeWithGenerator(context.Background(), tt.args.userID, GetMockSecretGenerator(t), tt.args.returnCode)
 			require.ErrorIs(t, err, tt.wantErr)
 			assert.Equal(t, got, tt.want)
 		})

internal/static/i18n/bg.yaml

@@ -130,6 +130,7 @@ Errors:
       NotFound: Кодът не е намерен
       Expired: Кодът е изтекъл
       GeneratorAlgNotSupported: Неподдържан генераторен алгоритъм
+      Invalid: кодът е невалиден
     Password:
       NotFound: Паролата не е намерена
       Empty: Паролата е празна

internal/static/i18n/cs.yaml

@@ -127,6 +127,7 @@ Errors:
       NotFound: Kód nenalezen
       Expired: Kód vypršel
       GeneratorAlgNotSupported: Nepodporovaný algoritmus generátoru
+      Invalid: Kód je neplatný
     Password:
       NotFound: Heslo nenalezeno
       Empty: Heslo je prázdné

internal/static/i18n/de.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Code konnte nicht gefunden werden
       Expired: Code ist abgelaufen
       GeneratorAlgNotSupported: Generator Algorithmus wird nicht unterstützt
+      Invalid: Code ist nicht gültig
     Password:
       NotFound: Password nicht gefunden
       Empty: Passwort ist leer

internal/static/i18n/en.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Code not found
       Expired: Code is expired
       GeneratorAlgNotSupported: Unsupported generator algorithm
+      Invalid: Code is invalid
     Password:
       NotFound: Password not found
       Empty: Password is empty

internal/static/i18n/es.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Código no encontrado
       Expired: El código ha caducado
       GeneratorAlgNotSupported: Algoritmo generador no soportado
+      Invalid: El código no es válido
     Password:
       NotFound: Contraseña no encontrada
       Empty: La contraseña está vacía

internal/static/i18n/fr.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Code non trouvé
       Expired: Le code est expiré
       GeneratorAlgNotSupported: Algorithme de générateur non pris en charge
+      Invalid: Le code n'est pas valide
     Password:
       NotFound: Mot de passe non trouvé
       Empty: Le mot de passe est vide

internal/static/i18n/it.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Codice non trovato
       Expired: Il codice è scaduto
       GeneratorAlgNotSupported: L'algoritmo del generatore non è supportato
+      Invalid: Il codice non è valido
     Password:
       NotFound: Password non trovato
       Empty: La password è vuota

internal/static/i18n/ja.yaml

@@ -120,6 +120,7 @@ Errors:
       NotFound: コードが見つかりません
       Expired: 有効期限切れのコードです
       GeneratorAlgNotSupported: サポートされていない生成アルゴリズムです
+      Invalid: コードが無効
     Password:
       NotFound: パスワードが見つかりません
       Empty: パスワードは空です

internal/static/i18n/nl.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Code niet gevonden
       Expired: Code is verlopen
       GeneratorAlgNotSupported: Generator algoritme wordt niet ondersteund
+      Invalid: Code is ongeldig
     Password:
       NotFound: Wachtwoord niet gevonden
       Empty: Wachtwoord is leeg

internal/static/i18n/pl.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Kod nie znaleziony
       Expired: Kod jest przedawniony
       GeneratorAlgNotSupported: Nieobsługiwany algorytm generatora
+      Invalid: Kod jest nieprawidłowy
     Password:
       NotFound: Hasło nie znalezione
       Empty: Hasło jest puste

internal/static/i18n/pt.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: Código não encontrado
       Expired: Código expirou
       GeneratorAlgNotSupported: Algoritmo do gerador não suportado
+      Invalid: Código é inválido
     Password:
       NotFound: Senha não encontrada
       Empty: Senha está vazia

internal/static/i18n/ru.yaml

@@ -127,6 +127,7 @@ Errors:
       NotFound: Код не найден
       Expired: Срок действия кода истек
       GeneratorAlgNotSupported: Неподдерживаемый алгоритм генератора
+      Invalid: Код недействителен
     Password:
       NotFound: Пароль не найден
       Empty: Пароль пуст

internal/static/i18n/zh.yaml

@@ -128,6 +128,7 @@ Errors:
       NotFound: 验证码不存在
       Expired: 验证码已过期
       GeneratorAlgNotSupported: 不支持的生成器算法
+      Invalid: 代码无效
     Password:
       NotFound: 未找到密码
       Empty: 密码为空

proto/zitadel/user/v2beta/user_service.proto

@@ -231,6 +231,32 @@ service UserService {
     };
   }
 
+
+  // Resend code to verify user email
+  rpc ResendEmailCode (ResendEmailCodeRequest) returns (ResendEmailCodeResponse) {
+    option (google.api.http) = {
+      post: "/v2beta/users/{user_id}/email/resend"
+      body: "*"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      summary: "Resend code to verify user email";
+      description: "Resend code to verify user email."
+      responses: {
+        key: "200"
+        value: {
+          description: "OK";
+        }
+      };
+    };
+  }
+
   // Verify the email with the provided code
   rpc VerifyEmail (VerifyEmailRequest) returns (VerifyEmailResponse) {
     option (google.api.http) = {
@@ -281,6 +307,30 @@ service UserService {
     };
   }
 
+  rpc ResendPhoneCode (ResendPhoneCodeRequest) returns (ResendPhoneCodeResponse) {
+    option (google.api.http) = {
+      post: "/v2beta/users/{user_id}/phone/resend"
+      body: "*"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      summary: "Resend code to verify user phone";
+      description: "Resend code to verify user phone."
+      responses: {
+        key: "200"
+        value: {
+          description: "OK";
+        }
+      };
+    };
+  }
+
   // Verify the phone with the provided code
   rpc VerifyPhone (VerifyPhoneRequest) returns (VerifyPhoneResponse) {
     option (google.api.http) = {
@@ -963,6 +1013,29 @@ message SetEmailResponse{
   optional string verification_code = 2;
 }
 
+message ResendEmailCodeRequest{
+  string user_id = 1 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1;
+      max_length: 200;
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // if no verification is specified, an email is sent with the default url
+  oneof verification {
+    SendEmailVerificationCode send_code = 2;
+    ReturnEmailVerificationCode return_code = 3;
+  }
+}
+
+message ResendEmailCodeResponse{
+  zitadel.object.v2beta.Details details = 1;
+  // in case the verification was set to return_code, the code will be returned
+  optional string verification_code = 2;
+}
+
 message VerifyEmailRequest{
   string user_id = 1 [
     (validate.rules).string = {min_len: 1, max_len: 200},
@@ -1022,6 +1095,29 @@ message SetPhoneResponse{
   optional string verification_code = 2;
 }
 
+message ResendPhoneCodeRequest{
+  string user_id = 1 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1;
+      max_length: 200;
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // if no verification is specified, an sms is sent
+  oneof verification {
+    SendPhoneVerificationCode send_code = 3;
+    ReturnPhoneVerificationCode return_code = 4;
+  }
+}
+
+message ResendPhoneCodeResponse{
+  zitadel.object.v2beta.Details details = 1;
+  // in case the verification was set to return_code, the code will be returned
+  optional string verification_code = 2;
+}
+
 message VerifyPhoneRequest{
   string user_id = 1 [
     (validate.rules).string = {min_len: 1, max_len: 200},