Account
Overview
The Account domain is a default domain in comby, representing user accounts and managing their lifecycle, credentials, sessions, and related data. It encapsulates core functionalities for account management in a centralized, event-sourced architecture. The domain is implemented through the Account aggregate, which provides a robust structure for modeling user accounts, handling domain events, and enforcing business rules.
An Account can be associated with multiple Identities, each of which is linked to a specific Tenant. This allows a user with a single account to log in to multiple tenants.
Email & Password with OPAQUE (v2.2+)
OPAQUE (Oblivious Pseudorandom Function with Authenticated Key Exchange) is a Password-Authenticated Key Exchange (PAKE) protocol that enables secure authentication without exposing passwords to the server. The comby implementation uses Ristretto255 (prime-order elliptic curve group) and HKDF/HMAC for key derivation.
- No plaintext passwords on the server: No plaintext password ever reaches the server, so the server never sees or stores the user’s actual password.
- Private key is never stored in plaintext: The client’s long-term private key is encrypted with a password-derived secret (obtained via the OPRF). The server only stores this encrypted envelope. To recover the private key, the client must know the password and interact with the server’s OPRF.
- Mutual authentication: Both the client and server generate cryptographic proofs during login to authenticate each other.
- Server-stored data: The envelope, clientPublicKey, serverPublicKey and email are safe to expose without compromising the password.
- Security guarantees:
- Resistant to offline dictionary attacks
- Forward secrecy through ephemeral Diffie-Hellman keys
- Replay protection via nonces
- Binding proofs to prevent man-in-the-middle or session confusion attacks
You can enable OPAQUE at runtime or as an environment variable:
// enable OPAQUE as environment variable
COMBY_DEFAULT_ACCOUNT_REGISTRATION_TYPES="opaque"
// enable OPAQUE at runtime - but before default registration (and seeding)
comby.DEFAULT_ACCOUNT_REGISTRATION_TYPES="opaque" // or "opaque,emailpassword" to enable both
You can also change the OPAQUE Server Private Key:
// or as environment variable with prefix: COMBY_
comby.DEFAULT_ACCOUNT_OPAQUE_SERVER_PRIVATE_KEY="your-private-key-value-will-be-kdfed-sha-256"
Cryptographic Components in comby OPAQUE
Elliptic Curve Group
- Ristretto255 - Prime-order group, 128-bit security; Used for OPRF, identity key pair, and ephemeral Diffie-Hellman
Key Derivation & Hashing
- Hash-to-Curve: Ristretto255 hash-to-element with domain separation string OPAQUE-oprf
- SHA-512: Hash function for HKDF; Used in HMAC for proofs
- HKDF (HMAC-based Key Derivation Function) with SHA-512: Used to derive encryption keys from OPRF output and session keys from ECDH shared secret
- SHA-256: Used on server for deriving the OPRF private key from an application constant
Encryption
- AES-256-GCM (WebCrypto API on client): Encrypts the client’s private key into the envelope; 12-byte random nonce per encryption
- Message Authentication HMAC-SHA-512: Used for client proof and server proof in the login phase; Binds session parameters, nonces, and OPRF result
Randomness
- Crypto-secure RNG: crypto.getRandomValues on client (browser); crypto/rand on server (Go); Used for blinding factors, nonces, and ephemeral keys
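As an added illustration (not comby's own code), the following Go program shows the two mechanics the list above describes: sealing the client's private key into an envelope with AES-256-GCM under an HKDF-SHA-512 key derived from the OPRF output, and binding a login proof to the session transcript with HMAC-SHA-512. The OPRF output and the ECDH shared secret are constructed byte strings standing in for the Ristretto255 exchanges, and the HKDF info labels are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// hkdfSHA512 is a minimal HKDF (RFC 5869) extract-then-expand over SHA-512,
// written inline so the example needs only the Go standard library.
func hkdfSHA512(ikm, salt, info []byte, length int) []byte {
	if salt == nil {
		salt = make([]byte, sha512.Size) // RFC 5869 default: HashLen zero bytes
	}
	ext := hmac.New(sha512.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for counter := byte(1); len(out) < length; counter++ {
		exp := hmac.New(sha512.New, prk)
		exp.Write(prev)
		exp.Write(info)
		exp.Write([]byte{counter})
		prev = exp.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// envelopeAEAD derives the AES-256 envelope key from the OPRF output via HKDF.
// The info label is an assumption of this example, not comby's constant.
func envelopeAEAD(oprfOutput []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(hkdfSHA512(oprfOutput, nil, []byte("example-envelope-key"), 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEnvelope encrypts the client's long-term private key with AES-256-GCM and
// a fresh random 12-byte nonce; nonce || ciphertext || tag is all the server stores.
func sealEnvelope(oprfOutput, clientPrivateKey []byte) ([]byte, error) {
	gcm, err := envelopeAEAD(oprfOutput)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes for GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, clientPrivateKey, nil)...), nil
}

// openEnvelope recovers the private key. A wrong password gives a different OPRF
// output, hence a different key, and GCM authentication fails instead of leaking.
func openEnvelope(oprfOutput, envelope []byte) ([]byte, error) {
	gcm, err := envelopeAEAD(oprfOutput)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < ns {
		return nil, errors.New("envelope too short")
	}
	return gcm.Open(nil, envelope[:ns], envelope[ns:], nil)
}

// loginProof is HMAC-SHA-512, keyed with the HKDF-derived session key, over a
// label and the transcript parts (both nonces, both ephemeral public keys).
// Any replayed or swapped transcript element changes the proof.
func loginProof(sessionKey []byte, label string, transcript ...[]byte) []byte {
	mac := hmac.New(sha512.New, sessionKey)
	mac.Write([]byte(label))
	for _, part := range transcript {
		mac.Write(part)
	}
	return mac.Sum(nil)
}

// verifyProof compares the proofs in constant time.
func verifyProof(expected, got []byte) bool { return hmac.Equal(expected, got) }

func main() {
	// Constructed stand-ins: real values come from the Ristretto255 OPRF and ECDH.
	oprfOutput := bytes.Repeat([]byte{0x11}, 64)
	envelope, _ := sealEnvelope(oprfOutput, bytes.Repeat([]byte{0x22}, 32))
	_, err := openEnvelope(bytes.Repeat([]byte{0x12}, 64), envelope)
	fmt.Println("wrong OPRF output opens the envelope:", err == nil) // false
}
```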
Structure
The Account struct serves as the root aggregate, holding entities Credentials, OneTimeToken, and a collection of Session objects. Credentials contains attributes for email, password, and the next allowed login time. OneTimeToken represents single-use tokens with attributes for the key, type, and expiration time. Session stores details about active user sessions, including a unique session UUID, session key, and expiration time. The relationships illustrate how an account aggregates these entities to manage authentication and session handling.
Commands
- AccountCommandActivate
- AccountCommandChangePassword
- AccountCommandConfirmPasswordReset
- AccountCommandConfirmRegister
- AccountCommandCreate
- AccountCommandLogin
- AccountCommandLoginOAuth
- AccountCommandLoginOpaque
- AccountCommandLogout
- AccountCommandRegister
- AccountCommandRegisterOpaque
- AccountCommandRemove
- AccountCommandRemoveAttribute
- AccountCommandRequestPasswordReset
- AccountCommandSetAttribute
- AccountCommandUpdate
- AccountCommandUpdateCredentials
- AccountCommandUpdateCredentialsOpaque
- AccountCommandUpdateState
AccountCommandActivate
AccountCommandActivate is a domain command to activate an account.
Domain Command Struct:
type AccountCommandActivate struct {
// Outline of the command
Email string `json:"email"` // Email of the account to activate.
}
Domain Command Handling Method: the command handler that handles the activation of an account.
func (ch *commandHandler) AccountCommandActivate(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandActivate) ([]comby.Event, error)
AccountCommandChangePassword
Domain Command Struct:
type AccountCommandChangePassword struct {
Email string `json:"email"`
PasswordCurrent string `json:"passwordCurrent"`
NewPassword string `json:"newPassword"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandChangePassword(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandChangePassword) ([]comby.Event, error)
AccountCommandConfirmPasswordReset
Domain Command Struct:
type AccountCommandConfirmPasswordReset struct {
OneTimeToken string `json:"oneTimeToken"`
NewPassword string `json:"newPassword"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandConfirmPasswordReset(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandConfirmPasswordReset) ([]comby.Event, error)
AccountCommandConfirmRegister
Domain Command Struct:
type AccountCommandConfirmRegister struct {
OneTimeToken string `json:"oneTimeToken"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandConfirmRegister(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandConfirmRegister) ([]comby.Event, error)
AccountCommandCreate
Domain Command Struct:
type AccountCommandCreate struct {
AccountUuid string `json:"accountUuid"`
Email string `json:"email,omitempty"`
Password string `json:"password,omitempty"`
Type string `json:"type,omitempty"` // default: emailPassword (available: emailPassword, opaque)
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandCreate(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandCreate) ([]comby.Event, error)
AccountCommandLogin
Domain Command Struct:
type AccountCommandLogin struct {
Email string `json:"email"`
Password string `json:"password"`
SessionUuid string `json:"sessionUuid"`
SessionKey string `json:"sessionKey"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandLogin(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandLogin) ([]comby.Event, error)
AccountCommandLoginOAuth
Domain Command Struct:
type AccountCommandLoginOAuth struct {
AccountUuid string `json:"accountUuid"`
Email string `json:"email,omitempty"`
NewPassword string `json:"newPassword,omitempty"`
SessionUuid string `json:"sessionUuid"`
SessionKey string `json:"sessionKey"`
Attributes string `json:"attributes,omitempty"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandLoginOAuth(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandLoginOAuth) ([]comby.Event, error)
AccountCommandLoginOpaque
AccountCommandLoginOpaque represents the OPAQUE login command.
Domain Command Struct:
type AccountCommandLoginOpaque struct {
Email string `json:"email"`
SessionUuid string `json:"sessionUuid"`
SessionKey string `json:"sessionKey"`
SessionData []byte `json:"sessionData"` // OPAQUE session key data
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandLoginOpaque(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandLoginOpaque) ([]comby.Event, error)
AccountCommandLogout
AccountCommandLogout handles logging out of a user account or session, with strict access control to ensure security and proper authorization.
This command enforces the following rules:
- Self-Logout:
- A user can log out their own account or session.
- This ensures users have full control over their own sessions while preventing unauthorized access to other accounts.
- System Tenant Authorization:
- Only the system tenant is permitted to log out other users or their sessions.
- This restriction ensures that account-wide or cross-tenant session management is tightly controlled and limited to system-level administrators.
Domain Command Struct:
type AccountCommandLogout struct {
AccountUuid string `json:"accountUuid,omitempty"`
SessionUuid string `json:"sessionUuid,omitempty"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandLogout(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandLogout) ([]comby.Event, error)
AccountCommandRegister
Domain Command Struct:
type AccountCommandRegister struct {
AccountUuid string `json:"accountUuid"`
Email string `json:"email"`
Password string `json:"password"`
InvitationToken string `json:"invitationToken,omitempty"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandRegister(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandRegister) ([]comby.Event, error)
AccountCommandRegisterOpaque
Domain Command Struct:
type AccountCommandRegisterOpaque struct {
AccountUuid string `json:"accountUuid"`
Email string `json:"email"`
OpaqueCredentialRecord *opaque.OpaqueCredentialRecord `json:"opaqueCredentialRecord"`
InvitationToken string `json:"invitationToken,omitempty"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandRegisterOpaque(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandRegisterOpaque) ([]comby.Event, error)
AccountCommandRemove
AccountCommandRemove handles the deletion of accounts, with strict rules to ensure proper access control.
This command enforces the following restrictions:
- Self-Deletion Prohibited:
- A user cannot delete their own account under any circumstances. This ensures a safeguard against accidental or unauthorized self-deletion.
- System Tenant Authorization:
- Only system tenants are permitted to delete accounts belonging to other users or tenants.
- This restriction ensures that account deletion is controlled centrally and prevents unauthorized cross-tenant modifications.
Domain Command Struct:
type AccountCommandRemove struct {
AccountUuid string `json:"accountUuid"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandRemove(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandRemove) ([]comby.Event, error)
AccountCommandRemoveAttribute
Domain Command Struct:
type AccountCommandRemoveAttribute struct {
AccountUuid string `json:"accountUuid"`
Key string `json:"key"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandRemoveAttribute(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandRemoveAttribute) ([]comby.Event, error)
AccountCommandRequestPasswordReset
Domain Command Struct:
type AccountCommandRequestPasswordReset struct {
Email string `json:"email"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandRequestPasswordReset(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandRequestPasswordReset) ([]comby.Event, error)
AccountCommandSetAttribute
Domain Command Struct:
type AccountCommandSetAttribute struct {
AccountUuid string `json:"accountUuid"`
Key string `json:"key"`
Value any `json:"value"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandSetAttribute(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandSetAttribute) ([]comby.Event, error)
AccountCommandUpdate
Domain Command Struct:
type AccountCommandUpdate struct {
AccountUuid string `json:"accountUuid"`
Attributes string `json:"attributes,omitempty"`
PatchedFields []string `json:"patchedFields"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandUpdate(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandUpdate) ([]comby.Event, error)
AccountCommandUpdateCredentials
AccountCommandUpdateCredentials handles updating the credentials (email and password) of an account, with strict access control to ensure security and proper authorization.
This command enforces the following rules:
- Self-Account Update:
- A user can only update the credentials of their own account.
- This restriction ensures users cannot modify the credentials of other accounts, maintaining strict isolation.
- System Tenant Administrator Override:
- The system tenant administrator is allowed to update credentials for any account.
- This provides a controlled mechanism for administrative recovery or management of user credentials.
Domain Command Struct:
type AccountCommandUpdateCredentials struct {
AccountUuid string `json:"accountUuid"`
Email string `json:"email"`
Password string `json:"password"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandUpdateCredentials(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandUpdateCredentials) ([]comby.Event, error)
AccountCommandUpdateCredentialsOpaque
Domain Command Struct:
type AccountCommandUpdateCredentialsOpaque struct {
Email string `json:"email"`
PasswordResetToken string `json:"passwordResetToken"`
OpaqueCredentialRecord *opaque.OpaqueCredentialRecord `json:"opaqueCredentialRecord"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandUpdateCredentialsOpaque(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandUpdateCredentialsOpaque) ([]comby.Event, error)
AccountCommandUpdateState
Domain Command Struct:
type AccountCommandUpdateState struct {
AccountUuid string `json:"accountUuid"`
State string `json:"state"`
}
Domain Command Handling Method:
func (ch *commandHandler) AccountCommandUpdateState(ctx context.Context, cmd comby.Command, domainCmd *AccountCommandUpdateState) ([]comby.Event, error)
Queries
Domain Query Structs:
- AccountQueryList
- AccountQueryModelByEmail
- AccountQueryModelEmailPassword
- AccountQueryModel
- AccountQueryModelOneTimeToken
Domain Query Responses:
AccountQueryList
AccountQueryList returns a list of accounts based on the context of the requestor.
This query exhibits unique behavior, as its results vary depending on the context of the requesting entity. Specifically, the query's outcome can be classified into three distinct cases:
- System Tenant Context:
- When the requestor represents the system tenant, the query retrieves all accounts.
- This includes not only the accounts directly tied to the system tenant but also any identities belonging to other tenants.
- This behavior ensures that the system tenant maintains global visibility across all tenant identities.
- Specific Tenant Context:
- If the requestor represents a specific tenant, the query returns all accounts associated with that tenant.
- Importantly, it excludes accounts or identities that are linked to other tenants.
- This ensures that a tenant's view remains isolated, adhering to a strict multi-tenancy principle.
- Equal Sender and Target Context:
- In cases where an account requests the list of accounts, the query returns only the requesting account itself.
- This includes all identities associated with the requesting account, regardless of their tenant.
- This behavior ensures that the account sees only its own information while maintaining visibility into all related identities.
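The following Go program, an added example and not comby's implementation, encodes the access rules stated above for AccountCommandLogout, AccountCommandRemove and AccountCommandUpdateCredentials together with the three AccountQueryList cases as one checkable policy. The Requestor struct, and the convention that a requestor without an AccountUuid acts in a specific tenant's context, are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Requestor models the sender context the rules refer to. This shape is an
// assumption of the example; comby derives the context from the command/query.
type Requestor struct {
	AccountUuid    string // account sending the command or query ("" if none)
	TenantUuid     string // tenant the sender acts for
	IsSystemTenant bool   // the sender acts for the system tenant
	IsSystemAdmin  bool   // system tenant administrator (credentials override)
}

var ErrForbidden = errors.New("forbidden")

// AuthorizeLogout: a user may log out their own account (an empty target is
// read as "my own account"); other accounts only from the system tenant.
func AuthorizeLogout(r Requestor, targetAccountUuid string) error {
	if targetAccountUuid == "" || targetAccountUuid == r.AccountUuid || r.IsSystemTenant {
		return nil
	}
	return ErrForbidden
}

// AuthorizeRemove: self-deletion is never allowed, not even from the system
// tenant; other accounts may be removed only from the system tenant.
func AuthorizeRemove(r Requestor, targetAccountUuid string) error {
	if targetAccountUuid == r.AccountUuid {
		return ErrForbidden
	}
	if r.IsSystemTenant {
		return nil
	}
	return ErrForbidden
}

// AuthorizeUpdateCredentials: own account only, unless the sender is the
// system tenant administrator.
func AuthorizeUpdateCredentials(r Requestor, targetAccountUuid string) error {
	if targetAccountUuid == r.AccountUuid || r.IsSystemAdmin {
		return nil
	}
	return ErrForbidden
}

// Identity links an account to one tenant; an Account carries its identities.
type Identity struct{ AccountUuid, TenantUuid string }
type Account struct {
	Uuid       string
	Identities []Identity
}

// ScopeAccountList applies the three AccountQueryList cases: the system tenant
// sees every account with every identity; an account sees only itself with all
// its identities; a specific tenant sees only accounts and identities of that tenant.
func ScopeAccountList(r Requestor, all []Account) []Account {
	var out []Account
	for _, acc := range all {
		switch {
		case r.IsSystemTenant:
			out = append(out, acc)
		case r.AccountUuid != "":
			if acc.Uuid == r.AccountUuid {
				out = append(out, acc)
			}
		default:
			var ids []Identity
			for _, id := range acc.Identities {
				if id.TenantUuid == r.TenantUuid {
					ids = append(ids, id)
				}
			}
			if len(ids) > 0 {
				out = append(out, Account{Uuid: acc.Uuid, Identities: ids})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample data: acc-1 has identities in two tenants, acc-2 in one.
	accounts := []Account{
		{Uuid: "acc-1", Identities: []Identity{{"acc-1", "tenant-a"}, {"acc-1", "tenant-b"}}},
		{Uuid: "acc-2", Identities: []Identity{{"acc-2", "tenant-b"}}},
	}
	self := Requestor{AccountUuid: "acc-1", TenantUuid: "tenant-a"}
	fmt.Println("tenant-a sees", len(ScopeAccountList(Requestor{TenantUuid: "tenant-a"}, accounts)), "account(s)") // 1
	fmt.Println("acc-1 deleting itself:", AuthorizeRemove(self, "acc-1")) // forbidden
}
```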
Domain Query Struct:
type AccountQueryList struct {
Page int64 `json:"page,omitempty"`
PageSize int64 `json:"pageSize,omitempty"`
OrderBy string `json:"orderBy,omitempty"`
Attributes string `json:"attributes,omitempty"`
}
Domain Query Handling Method:
func (qh *queryHandler) AccountQueryList(ctx context.Context, qry comby.Query, domainQry *AccountQueryList) (*AccountQueryListResponse, error)
AccountQueryModelByEmail
Domain Query Struct:
type AccountQueryModelByEmail struct {
Email string `json:"email"`
}
Domain Query Handling Method:
func (qh *queryHandler) AccountQueryModelByEmail(ctx context.Context, qry comby.Query, domainQry *AccountQueryModelByEmail) (*AccountQueryItemResponse, error)
AccountQueryModelEmailPassword
Domain Query Struct:
type AccountQueryModelEmailPassword struct {
Email string `json:"email"`
Password string `json:"password"`
IncludeLastSession bool `json:"includeLastSession,omitempty"`
IncludeAllSessions bool `json:"includeAllSessions,omitempty"`
}
Domain Query Handling Method:
func (qh *queryHandler) AccountQueryModelEmailPassword(ctx context.Context, qry comby.Query, domainQry *AccountQueryModelEmailPassword) (*AccountQueryItemResponse, error)
AccountQueryModel
Domain Query Struct:
type AccountQueryModel struct {
AccountUuid string `json:"accountUuid"`
}
Domain Query Handling Method:
func (qh *queryHandler) AccountQueryModel(ctx context.Context, qry comby.Query, domainQry *AccountQueryModel) (*AccountQueryItemResponse, error)
AccountQueryModelOneTimeToken
Domain Query Struct:
type AccountQueryModelOneTimeToken struct {
OneTimeToken string `json:"ott"`
}
Domain Query Handling Method:
func (qh *queryHandler) AccountQueryModelOneTimeToken(ctx context.Context, qry comby.Query, domainQry *AccountQueryModelOneTimeToken) (*AccountQueryItemResponse, error)
AccountQueryListResponse
type AccountQueryListResponse struct {
Items []*readmodel.AccountModel `json:"items,omitempty"`
Total int64 `json:"total,omitempty"`
Page int64 `json:"page,omitempty"`
PageSize int64 `json:"pageSize,omitempty"`
}
AccountQueryItemResponse
type AccountQueryItemResponse struct {
Item *readmodel.AccountModel `json:"item,omitempty"`
}
Events
- AccountPasswordChangedEvent
- AccountPasswordResetConfirmedEvent
- AccountRegisterConfirmedEvent
- AccountLoggedInEvent
- AccountLoggedInOpaqueEvent
- AccountLoggedOutEvent
- AccountRegisteredEvent
- AccountRegisteredOpaqueEvent
- AccountRemovedEvent
- AccountAttributeRemovedEvent
- AccountPasswordResetRequestedEvent
- AccountPasswordResetOpaqueRequestedEvent
- AccountAttributeSetEvent
- AccountUpdatedEvent
- AccountCredentialsUpdatedEvent
- AccountCredentialsOpaqueUpdatedEvent
- AccountOneTimeTokenUpdatedEvent
- AccountStateUpdatedEvent
AccountPasswordChangedEvent
AccountPasswordChangedEvent is a domain event that is triggered when the password of an account has changed.
Domain Event Struct:
type AccountPasswordChangedEvent struct {
NewHashedPassword string `json:"newHashedPassword"` // The new hashed password for the account.
}
Domain Event Handling Method:
func (agg *Account) AccountPasswordChangedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountPasswordChangedEvent) (error)
AccountPasswordResetConfirmedEvent
Domain Event Struct:
type AccountPasswordResetConfirmedEvent struct {
NewHashedPassword string `json:"newHashedPassword"`
State string `json:"state"`
}
Domain Event Handling Method:
func (agg *Account) AccountPasswordResetConfirmedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountPasswordResetConfirmedEvent) (error)
AccountRegisterConfirmedEvent
Domain Event Struct:
type AccountRegisterConfirmedEvent struct {
State string `json:"state"`
}
Domain Event Handling Method:
func (agg *Account) AccountRegisterConfirmedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountRegisterConfirmedEvent) (error)
AccountLoggedInEvent
Domain Event Struct:
type AccountLoggedInEvent struct {
SessionUuid string `json:"sessionUuid"`
SessionKey string `json:"sessionKey"`
ExpiredAt int64 `json:"expiredAt"`
}
Domain Event Handling Method:
func (agg *Account) AccountLoggedInEvent(ctx context.Context, evt comby.Event, domainEvt *AccountLoggedInEvent) (error)
AccountLoggedInOpaqueEvent
AccountLoggedInOpaqueEvent is the domain event emitted for an OPAQUE login.
Domain Event Struct:
type AccountLoggedInOpaqueEvent struct {
Email string `json:"email"`
SessionUuid string `json:"sessionUuid"`
SessionKey string `json:"sessionKey"`
ExpiredAt int64 `json:"expiredAt"`
Success bool `json:"success"`
}
Domain Event Handling Method: the event handler for an OPAQUE login.
func (agg *Account) AccountLoggedInOpaqueEvent(ctx context.Context, evt comby.Event, domainEvt *AccountLoggedInOpaqueEvent) (error)
AccountLoggedOutEvent
Domain Event Struct:
type AccountLoggedOutEvent struct {
SessionUuid string `json:"sessionUuid"`
}
Domain Event Handling Method:
func (agg *Account) AccountLoggedOutEvent(ctx context.Context, evt comby.Event, domainEvt *AccountLoggedOutEvent) (error)
AccountRegisteredEvent
Domain Event Struct:
type AccountRegisteredEvent struct {
State string `json:"state,omitempty"`
}
Domain Event Handling Method:
func (agg *Account) AccountRegisteredEvent(ctx context.Context, evt comby.Event, domainEvt *AccountRegisteredEvent) (error)
AccountRegisteredOpaqueEvent
Domain Event Struct:
type AccountRegisteredOpaqueEvent struct {
State string `json:"state,omitempty"`
Email string `json:"email,omitempty"`
OpaqueCredentialRecord *opaque.OpaqueCredentialRecord `json:"opaqueCredentialRecord,omitempty"`
}
Domain Event Handling Method:
func (agg *Account) AccountRegisteredOpaqueEvent(ctx context.Context, evt comby.Event, domainEvt *AccountRegisteredOpaqueEvent) (error)
AccountRemovedEvent
Domain Event Struct:
type AccountRemovedEvent struct {
State string `json:"state,omitempty"`
}
Domain Event Handling Method:
func (agg *Account) AccountRemovedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountRemovedEvent) (error)
AccountAttributeRemovedEvent
Domain Event Struct:
type AccountAttributeRemovedEvent struct {
Key string `json:"key"`
}
Domain Event Handling Method:
func (agg *Account) AccountAttributeRemovedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountAttributeRemovedEvent) (error)
AccountPasswordResetRequestedEvent
Domain Event Struct:
type AccountPasswordResetRequestedEvent struct {
Email string `json:"email"`
Code string `json:"code"`
}
Domain Event Handling Method:
func (agg *Account) AccountPasswordResetRequestedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountPasswordResetRequestedEvent) (error)
AccountPasswordResetOpaqueRequestedEvent
Domain Event Struct:
type AccountPasswordResetOpaqueRequestedEvent struct {
Email string `json:"email"`
Code string `json:"code"`
}
Domain Event Handling Method:
func (agg *Account) AccountPasswordResetOpaqueRequestedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountPasswordResetOpaqueRequestedEvent) (error)
AccountAttributeSetEvent
Domain Event Struct:
type AccountAttributeSetEvent struct {
Key string `json:"key"`
Value any `json:"value"`
}
Domain Event Handling Method:
func (agg *Account) AccountAttributeSetEvent(ctx context.Context, evt comby.Event, domainEvt *AccountAttributeSetEvent) (error)
AccountUpdatedEvent
Domain Event Struct:
type AccountUpdatedEvent struct {
Attributes string `json:"attributes,omitempty"`
}
Domain Event Handling Method:
func (agg *Account) AccountUpdatedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountUpdatedEvent) (error)
AccountCredentialsUpdatedEvent
Domain Event Struct:
type AccountCredentialsUpdatedEvent struct {
Email string `json:"email,omitempty"`
Password string `json:"password,omitempty"`
}
Domain Event Handling Method:
func (agg *Account) AccountCredentialsUpdatedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountCredentialsUpdatedEvent) (error)
AccountCredentialsOpaqueUpdatedEvent
Domain Event Struct:
type AccountCredentialsOpaqueUpdatedEvent struct {
Email string `json:"email"`
OpaqueCredentialRecord *opaque.OpaqueCredentialRecord `json:"opaqueCredentialRecord"`
}
Domain Event Handling Method:
func (agg *Account) AccountCredentialsOpaqueUpdatedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountCredentialsOpaqueUpdatedEvent) (error)
AccountOneTimeTokenUpdatedEvent
Domain Event Struct:
type AccountOneTimeTokenUpdatedEvent struct {
Key string `json:"key"`
ExpiredAt int64 `json:"expiredAt"`
}
Domain Event Handling Method:
func (agg *Account) AccountOneTimeTokenUpdatedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountOneTimeTokenUpdatedEvent) (error)
AccountStateUpdatedEvent
Domain Event Struct:
type AccountStateUpdatedEvent struct {
State string `json:"state"`
}
Domain Event Handling Method:
func (agg *Account) AccountStateUpdatedEvent(ctx context.Context, evt comby.Event, domainEvt *AccountStateUpdatedEvent) (error)
Aggregate
Account represents the root aggregate for managing authentication and session handling.
- Credentials: Attributes for email, password, and the next allowed login time.
- CredentialsOpaque: OPAQUE credential record (envelope and public keys) for password authentication in which the server never sees the password.
- OneTimeToken: Single-use tokens with attributes for the key, type, and expiration time.
- Session: Details about active user sessions, including a unique session UUID, session key, and expiration time.
Aggregate Struct:
type Account struct {
*comby.BaseAggregate
// Entities
Credentials *Credentials
CredentialsOpaque *CredentialsOpaque
OneTimeToken *OneTimeToken
Sessions []*Session
// Value Objects
State string
}
Methods
- ChangePassword
- ConfirmPasswordReset
- ConfirmRegister
- Login
- LoginWithOpaque
- Logout
- LogoutSession
- Register
- RegisterWithOPAQUE
- Remove
- RemoveAttribute
- RequestPasswordReset
- RequestPasswordResetOpaque
- SetAttribute
- Update
- UpdateCredentials
- UpdateCredentialsOpaque
- UpdateOneTimeToken
- UpdateState
ChangePassword
func (agg *Account) ChangePassword(passwordCurrent, newPassword string) (error)
ConfirmPasswordReset
func (agg *Account) ConfirmPasswordReset(oneTimeToken, newPassword string) (error)
ConfirmRegister
func (agg *Account) ConfirmRegister(oneTimeToken string) (error)
Login
func (agg *Account) Login(email, password, sessionUuid, sessionKey string) (error)
LoginWithOpaque
LoginWithOpaque handles OPAQUE-based authentication.
func (agg *Account) LoginWithOpaque(email, sessionUuid, sessionKey string, sessionData []byte) (error)
Logout
func (agg *Account) Logout() (error)
LogoutSession
func (agg *Account) LogoutSession(sessionUuid string) (error)
Register
func (agg *Account) Register(email, password, state string) (error)
RegisterWithOPAQUE
RegisterWithOPAQUE registers an account using OPAQUE credentials.
func (agg *Account) RegisterWithOPAQUE(email, state string, credentialRecord *opaque.OpaqueCredentialRecord) (error)
Remove
func (agg *Account) Remove() (error)
RemoveAttribute
func (agg *Account) RemoveAttribute(key string) (error)
RequestPasswordReset
func (agg *Account) RequestPasswordReset(email string) (error)
RequestPasswordResetOpaque
func (agg *Account) RequestPasswordResetOpaque(email string) (error)
SetAttribute
func (agg *Account) SetAttribute(key string, value any) (error)
Update
func (agg *Account) Update(attributes string) (error)
UpdateCredentials
func (agg *Account) UpdateCredentials(email, password string) (error)
UpdateCredentialsOpaque
func (agg *Account) UpdateCredentialsOpaque(email string, opaqueCredentialRecord *opaque.OpaqueCredentialRecord) (error)
UpdateOneTimeToken
func (agg *Account) UpdateOneTimeToken(key string, expiredAt int64) (error)
UpdateState
func (agg *Account) UpdateState(state string) (error)
Event Handlers
Reactor
| Domain Event | Method |
|---|---|
| aggregate.AccountRegisteredEvent | AccountRegisteredEvent |
| aggregate.AccountPasswordResetRequestedEvent | AccountPasswordResetRequestedEvent |
AccountReadmodel
| Domain Event | Method |
|---|---|
| tenantAggregate.TenantAttributeRemovedEvent | TenantAttributeRemovedEvent |
| tenantAggregate.TenantAttributeSetEvent | TenantAttributeSetEvent |
| tenantAggregate.TenantUpdatedEvent | TenantUpdatedEvent |
| tenantAggregate.TenantRemovedEvent | TenantRemovedEvent |
| tenantAggregate.TenantCreatedEvent | TenantCreatedEvent |
| identityAggregate.IdentityRemovedEvent | IdentityRemovedEvent |
| identityAggregate.IdentityProfileUpdatedEvent | IdentityProfileUpdatedEvent |
| identityAggregate.IdentityAddedGroupEvent | IdentityAddedGroupEvent |
| identityAggregate.IdentityCreatedEvent | IdentityCreatedEvent |
| groupAggregate.GroupAddedEvent | GroupAddedEvent |
| groupAggregate.GroupRemovedEvent | GroupRemovedEvent |
| groupAggregate.GroupUpdatedEvent | GroupUpdatedEvent |
| accountAggregate.AccountCredentialsOpaqueUpdatedEvent | AccountCredentialsOpaqueUpdatedEvent |
| accountAggregate.AccountOneTimeTokenUpdatedEvent | AccountOneTimeTokenUpdatedEvent |
| accountAggregate.AccountStateUpdatedEvent | AccountStateUpdatedEvent |
| accountAggregate.AccountRegisteredOpaqueEvent | AccountRegisteredOpaqueEvent |
| accountAggregate.AccountLoggedInOpaqueEvent | AccountLoggedInOpaqueEvent |
| accountAggregate.AccountAttributeRemovedEvent | AccountAttributeRemovedEvent |
| accountAggregate.AccountAttributeSetEvent | AccountAttributeSetEvent |
| accountAggregate.AccountLoggedOutEvent | AccountLoggedOutEvent |
| accountAggregate.AccountLoggedInEvent | AccountLoggedInEvent |
| accountAggregate.AccountUpdatedEvent | AccountUpdatedEvent |
| accountAggregate.AccountRegisteredEvent | AccountRegisteredEvent |
| accountAggregate.AccountCredentialsUpdatedEvent | AccountCredentialsUpdatedEvent |
| accountAggregate.AccountRemovedEvent | AccountRemovedEvent |
| accountAggregate.AccountPasswordResetConfirmedEvent | AccountPasswordResetConfirmedEvent |
| accountAggregate.AccountPasswordResetRequestedEvent | AccountPasswordResetRequestedEvent |
| accountAggregate.AccountPasswordChangedEvent | AccountPasswordChangedEvent |
| accountAggregate.AccountRegisterConfirmedEvent | AccountRegisterConfirmedEvent |
Custom Permissions
| Name | Type | Comment |
|---|---|---|
| AccountCommandActivate | Command | Activate an existing account |
| AccountCommandChangePassword | Command | Change password of an existing account |
| AccountCommandRequestPasswordReset | Command | Request password reset of an existing account |
| AccountCommandConfirmPasswordReset | Command | Confirm password reset of an existing account |
| AccountCommandConfirmRegister | Command | Confirm registration of a new account |
| AccountCommandCreate | Command | Create new account manually |
| AccountCommandLoginOAuth | Command | Log in to an existing account using OAuth |
| AccountCommandLogin | Command | Log in to an existing account |
| AccountCommandLogout | Command | Log out an account |
| AccountCommandRegister | Command | Register new account |
| AccountCommandRemove | Command | Remove existing account |
| AccountCommandUpdateCredentials | Command | Update credentials of an existing account |
| AccountCommandUpdate | Command | Update account |
| AccountCommandSetAttribute | Command | Set single attribute of an existing account |
| AccountCommandRemoveAttribute | Command | Remove single attribute of an existing account |
| AccountCommandUpdateState | Command | Update state of an existing account |
| AccountCommandRegisterOpaque | Command | Register a new account (OPAQUE) |
| AccountCommandLoginOpaque | Command | Log in to an existing account (OPAQUE) |
| AccountQueryModelOneTimeToken | Query | Request account details by one-time token |
| AccountQueryModelEmailPassword | Query | Request account details by email and password |
| AccountQueryModel | Query | Request account details |