fix: pass necessary webauthn data through events (#1541)

internal/command/user_human_webauthn.go

@@ -2,11 +2,13 @@ package command
 
 import (
 	"context"
+
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/eventstore"
 
 	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	usr_repo "github.com/caos/zitadel/internal/repository/user"
 	"github.com/caos/zitadel/internal/telemetry/tracing"
 )
@@ -45,7 +47,12 @@ func (c *Commands) getHumanU2FLogin(ctx context.Context, userID, authReqID, reso
 		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-5m88U", "Errors.User.NotFound")
 	}
 	return &domain.WebAuthNLogin{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: tokenReadModel.AggregateID,
+		},
 		Challenge:            tokenReadModel.Challenge,
+		AllowedCredentialIDs: tokenReadModel.AllowedCredentialIDs,
+		UserVerification:     tokenReadModel.UserVerification,
 	}, nil
 }
 
@@ -259,6 +266,8 @@ func (c *Commands) HumanBeginU2FLogin(ctx context.Context, userID, resourceOwner
 			ctx,
 			userAgg,
 			webAuthNLogin.Challenge,
+			webAuthNLogin.AllowedCredentialIDs,
+			webAuthNLogin.UserVerification,
 			authRequestDomainToAuthRequestInfo(authRequest),
 		),
 	)
@@ -281,6 +290,8 @@ func (c *Commands) HumanBeginPasswordlessLogin(ctx context.Context, userID, reso
 			ctx,
 			userAgg,
 			webAuthNLogin.Challenge,
+			webAuthNLogin.AllowedCredentialIDs,
+			webAuthNLogin.UserVerification,
 			authRequestDomainToAuthRequestInfo(authRequest),
 		),
 	)

internal/command/user_human_webauthn_model.go

@@ -303,6 +303,9 @@ type HumanU2FLoginReadModel struct {
 
 	AuthReqID            string
 	Challenge            string
+	AllowedCredentialIDs [][]byte
+	UserVerification     domain.UserVerificationRequirement
+	User
 	State domain.UserState
 }
 
@@ -335,6 +338,8 @@ func (wm *HumanU2FLoginReadModel) Reduce() error {
 		switch e := event.(type) {
 		case *user.HumanU2FBeginLoginEvent:
 			wm.Challenge = e.Challenge
+			wm.AllowedCredentialIDs = e.AllowedCredentialIDs
+			wm.UserVerification = e.UserVerification
 			wm.State = domain.UserStateActive
 		case *user.UserRemovedEvent:
 			wm.State = domain.UserStateDeleted

internal/repository/user/human_mfa_passwordless.go

@@ -2,8 +2,9 @@ package user
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/eventstore"
 
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/repository"
 )
 
@@ -170,18 +171,20 @@ func NewHumanPasswordlessBeginLoginEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	challenge string,
+	allowedCredentialIDs [][]byte,
+	userVerification domain.UserVerificationRequirement,
 	info *AuthRequestInfo,
 ) *HumanPasswordlessBeginLoginEvent {
 	return &HumanPasswordlessBeginLoginEvent{
-		HumanWebAuthNBeginLoginEvent: *NewHumanWebAuthNBeginLoginEvent(
+		HumanWebAuthNBeginLoginEvent: *NewHumanWebAuthNBeginLoginEvent(eventstore.NewBaseEventForPush(
-			eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			HumanPasswordlessTokenBeginLoginType,
 		),
 			challenge,
-			info,
+			allowedCredentialIDs,
-		),
+			userVerification,
+			info),
 	}
 }
 

internal/repository/user/human_mfa_u2f.go

@@ -2,8 +2,9 @@ package user
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/eventstore"
 
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/repository"
 )
 
@@ -166,12 +167,7 @@ type HumanU2FBeginLoginEvent struct {
 	HumanWebAuthNBeginLoginEvent
 }
 
-func NewHumanU2FBeginLoginEvent(
+func NewHumanU2FBeginLoginEvent(ctx context.Context, aggregate *eventstore.Aggregate, challenge string, allowedCredentialIDs [][]byte, userVerification domain.UserVerificationRequirement, info *AuthRequestInfo) *HumanU2FBeginLoginEvent {
-	ctx context.Context,
-	aggregate *eventstore.Aggregate,
-	challenge string,
-	info *AuthRequestInfo,
-) *HumanU2FBeginLoginEvent {
 	return &HumanU2FBeginLoginEvent{
 		HumanWebAuthNBeginLoginEvent: *NewHumanWebAuthNBeginLoginEvent(
 			eventstore.NewBaseEventForPush(
@@ -180,6 +176,8 @@ func NewHumanU2FBeginLoginEvent(
 				HumanU2FTokenBeginLoginType,
 			),
 			challenge,
+			allowedCredentialIDs,
+			userVerification,
 			info,
 		),
 	}

internal/repository/user/human_mfa_web_auth_n.go

@@ -181,6 +181,8 @@ type HumanWebAuthNBeginLoginEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
 	Challenge            string                             `json:"challenge"`
+	AllowedCredentialIDs [][]byte                           `json:"allowedCredentialIDs"`
+	UserVerification     domain.UserVerificationRequirement `json:"userVerification"`
 	*AuthRequestInfo
 }
 
@@ -192,14 +194,12 @@ func (e *HumanWebAuthNBeginLoginEvent) UniqueConstraints() []*eventstore.EventUn
 	return nil
 }
 
-func NewHumanWebAuthNBeginLoginEvent(
+func NewHumanWebAuthNBeginLoginEvent(base *eventstore.BaseEvent, challenge string, allowedCredentialIDs [][]byte, userVerification domain.UserVerificationRequirement, info *AuthRequestInfo) *HumanWebAuthNBeginLoginEvent {
-	base *eventstore.BaseEvent,
-	challenge string,
-	info *AuthRequestInfo,
-) *HumanWebAuthNBeginLoginEvent {
 	return &HumanWebAuthNBeginLoginEvent{
 		BaseEvent:            *base,
 		Challenge:            challenge,
+		AllowedCredentialIDs: allowedCredentialIDs,
+		UserVerification:     userVerification,
 		AuthRequestInfo:      info,
 	}
 }