Commit Graph

3408 Commits

Author SHA1 Message Date
Livio Spring
94f267d475
fix: respect PrivateLabelingSetting on project for login texts (#8744)
# Which Problems Are Solved

Admins can set the branding to be used from the project's organization.
Until now, only the branding (colors) were respected, but texts were
still loaded from the user's organization.

# How the Problems Are Solved

Respect the setting when loading the texts for the login pages.

# Additional Changes

None

# Additional Context

- closes #8502
2024-10-09 09:02:28 +00:00
Tim Möhlmann
17303d1524
perf(milestones): remove legacy token event reducer (#8747)
# Which Problems Are Solved

Since the optiimzation of the token endpoint, we longer push the
`user.token.added` event. However, the milestone projection keeps
quering for it, including a payload query.

This incured a static waste of DB resources.

# How the Problems Are Solved

Remove the `user.token.added` event reducer from the milestone
projection

# Additional Changes

- none

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/8742. Other
changes ommitted so this PR can be backported to stable.
2024-10-09 08:00:07 +00:00
Stefan Benz
911cb42d70
fix: check if project has resourceOwner and ownerID (#8725)
# Which Problems Are Solved

There is no check that the creation of a project also has a resource
owner.

# How the Problems Are Solved

Check if resource owner and the ID of the owner are provided on command
side.

# Additional Changes

None

# Additional Context

Closes #7794
2024-10-08 15:07:27 +00:00
dependabot[bot]
34195157ce
chore(deps-dev): bump webpack from 5.89.0 to 5.95.0 in /load-test (#8726)
Bumps [webpack](https://github.com/webpack/webpack) from 5.89.0 to
5.95.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/webpack/webpack/releases">webpack's
releases</a>.</em></p>
<blockquote>
<h2>v5.95.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Fixed hanging when attempting to read a symlink-like file that it
can't read</li>
<li>Handle <code>default</code> for import context element
dependency</li>
<li>Merge duplicate chunks call after split chunks</li>
<li>Generate correctly code for dynamically importing the same file
twice and destructuring</li>
<li>Use content hash as [base] and [name] for extracted DataURI's</li>
<li>Distinguish <code>module</code> and <code>import</code> in
<code>module-import</code> for externals <code>import</code>'s</li>
<li>[Types] Make <code>EnvironmentPlugin</code> default values types
less strict</li>
<li>[Types] Typescript 5.6 compatibility</li>
</ul>
<h2>New Features</h2>
<ul>
<li>Add new <code>optimization.avoidEntryIife</code> option
(<code>true</code> by default for the <code>production</code> mode)</li>
<li>Pass output.hash* options to loader context</li>
</ul>
<h2>Performance</h2>
<ul>
<li>Avoid unneeded re-visit in build chunk graph</li>
</ul>
<h2>v5.94.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Added runtime condition for harmony reexport checked</li>
<li>Handle properly
<code>data</code>/<code>http</code>/<code>https</code> protocols in
source maps</li>
<li>Make <code>bigint</code> optimistic when browserslist not found</li>
<li>Move <code>@​types/eslint-scope</code> to dev deps</li>
<li>Related in asset stats is now always an array when no related
found</li>
<li>Handle ASI for export declarations</li>
<li>Mangle destruction incorrect with export named default properly</li>
<li>Fixed unexpected asi generation with sequence expression</li>
<li>Fixed a lot of types</li>
</ul>
<h2>New Features</h2>
<ul>
<li>Added new external type &quot;module-import&quot;</li>
<li>Support <code>webpackIgnore</code> for <code>new URL()</code>
construction</li>
<li>[CSS] <code>@import</code> pathinfo support</li>
</ul>
<h2>Security</h2>
<ul>
<li>Fixed DOM clobbering in auto public path</li>
</ul>
<h2>v5.93.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Generate correct relative path to runtime chunks</li>
<li>Makes <code>DefinePlugin</code> quieter under default log level</li>
<li>Fixed mangle destructuring default in namespace import</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e20fd634fd"><code>e20fd63</code></a>
chore(release): 5.95.0</li>
<li><a
href="4866b0daf1"><code>4866b0d</code></a>
feat: added new <code>optimization.entryIife</code> option</li>
<li><a
href="d90f6920f0"><code>d90f692</code></a>
fix: merge duplicate chunks after split chunks</li>
<li><a
href="90dec30ff4"><code>90dec30</code></a>
fix(externals): distinguish “module” and “import” in
“module-import”</li>
<li><a
href="c1a0a4666e"><code>c1a0a46</code></a>
fix(externals): distinguish “module” and “import” in
“module-import”</li>
<li><a
href="14d8fa8dd5"><code>14d8fa8</code></a>
fix: all tests cases</li>
<li><a
href="dae16ad11e"><code>dae16ad</code></a>
feat: pass output.hash* options to loader context</li>
<li><a
href="75d185d27e"><code>75d185d</code></a>
feat: pass <code>output.hash*</code> options to loader context</li>
<li><a
href="46e0b9cc05"><code>46e0b9c</code></a>
test: update</li>
<li><a
href="8e62f9f36b"><code>8e62f9f</code></a>
test</li>
<li>Additional commits viewable in <a
href="https://github.com/webpack/webpack/compare/v5.89.0...v5.95.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=webpack&package-manager=npm_and_yarn&previous-version=5.89.0&new-version=5.95.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
2024-10-08 14:33:15 +02:00
Livio Spring
91b2d67325
fix: correctly compute user state (#8740)
# Which Problems Are Solved

A customer reported, that after a created user (in initial state) got
(manually) locked and a new initial code would be created, the user
could not be locked again.

# How the Problems Are Solved

Query for the initial code added event

# Additional Changes

None

# Additional Context

- reported by a customer
2024-10-07 16:50:17 +02:00
Tim Möhlmann
a84b259e8c
perf(oidc): nest position clause for session terminated query (#8738)
# Which Problems Are Solved

Optimize the query that checks for terminated sessions in the access
token verifier. The verifier is used in auth middleware, userinfo and
introspection.


# How the Problems Are Solved

The previous implementation built a query for certain events and then
appended a single `PositionAfter` clause. This caused the postgreSQL
planner to use indexes only for the instance ID, aggregate IDs,
aggregate types and event types. Followed by an expensive sequential
scan for the position. This resulting in internal over-fetching of rows
before the final filter was applied.


![Screenshot_20241007_105803](https://github.com/user-attachments/assets/f2d91976-be87-428b-b604-a211399b821c)

Furthermore, the query was searching for events which are not always
applicable. For example, there was always a session ID search and if
there was a user ID, we would also search for a browser fingerprint in
event payload (expensive). Even if those argument string would be empty.

This PR changes:

1. Nest the position query, so that a full `instance_id, aggregate_id,
aggregate_type, event_type, "position"` index can be matched.
2. Redefine the `es_wm` index to include the `position` column.
3. Only search for events for the IDs that actually have a value. Do not
search (noop) if none of session ID, user ID or fingerpint ID are set.

New query plan:


![Screenshot_20241007_110648](https://github.com/user-attachments/assets/c3234c33-1b76-4b33-a4a9-796f69f3d775)


# Additional Changes

- cleanup how we load multi-statement migrations and make that a bit
more reusable.

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/7639
2024-10-07 12:49:55 +00:00
Hidde Wieringa
2bd3f44094
docs: remove duplicate from API path prefixes (#8739)
# Which Problems Are Solved

The `/oauth/v1` path prefix is duplicated, which is an error in most
proxies.


# How the Problems Are Solved

Remove the duplicate path prefix from the docs.

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-10-07 13:53:05 +02:00
Stefan Benz
d03ad62edd
fix: add default organization as query for org v2 list (#8719)
# Which Problems Are Solved

To get the default organization we have no direct solution.

# How the Problems Are Solved

Add default organization as query to the org v2 List.

# Additional Changes

None

# Additional Context

Closes #8616

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-07 09:28:39 +00:00
Livio Spring
f653589609
fix: twilio code generation and verification (#8728)
# Which Problems Are Solved

The recently added possibility to generate and verify codes through
Twilio verification service did failed on checking OTP SMS code through
the session API. Additionally, password codes generated by the V2 API
and sent through phone would always use the internal generator and
verification mechanism rather than the configured.

# How the Problems Are Solved

- Correctly set the verifier for OTP SMS for the session API
  - Always use the internal verifier for OTP Email (for now)
- Select the generator / verifier based on the configuration for
password codes with notification type SMS for V2 APIs

# Additional Changes

None

# Additional Context

- relates to #8678 
- reported by customer

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-10-07 07:12:44 +02:00
Tim Möhlmann
25dc7bfe72
perf(cache): pgx pool connector (#8703)
# Which Problems Are Solved

Cache implementation using a PGX connection pool.

# How the Problems Are Solved

Defines a new schema `cache` in the zitadel database.
A table for string keys and a table for objects is defined.
For postgreSQL, tables are unlogged and partitioned by cache name for
performance.

Cockroach does not have unlogged tables and partitioning is an
enterprise feature that uses alternative syntax combined with sharding.
Regular tables are used here.

# Additional Changes

- `postgres.Config` can return a pxg pool. See following discussion

# Additional Context

- Part of https://github.com/zitadel/zitadel/issues/8648
- Closes https://github.com/zitadel/zitadel/issues/8647

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-10-04 13:15:41 +00:00
Livio Spring
bee0744d46
fix: update logging to allow slog field overwrite (#8720)
# Which Problems Are Solved

When using slog (e.g. in OIDC) the logs field name can not be
overwritten.
This is necessary for example to change log level to severity.

# How the Problems Are Solved

- Update logging library

# Additional Changes

None

# Additional Context

None
2024-10-04 12:48:00 +00:00
alfa-alex
78b19c32ac
docs: add required parameter for authorization code grant (#8506) (#8709)
# Which Problems Are Solved

The current docs of the Authorization code grant do not mention that for
the authentication method type "None (PKCE)", you need to additionally
provide a `client_id` parameter.

# How the Problems Are Solved

Missing parameter is added to the docs.

# Additional Context

- Closes #8506
2024-10-04 12:15:15 +00:00
Stefan Benz
0bcf136f6f
fix: correctly create SMTP provider list (#8724)
# Which Problems Are Solved

https://github.com/zitadel/zitadel/pull/8545 incorrectly created the
list of current smtp providers, if an SMTP provider was changed, that
was created before https://github.com/zitadel/zitadel/pull/6932 /
[v2.50.0](https://github.com/zitadel/zitadel/releases/tag/v2.50.0)).
This led to problems when trying to send emails to users (email
verification and OTP email).

# How the Problems Are Solved

Correctly handle events of old SMTP configurations, which do not have an
id set.

# Additional Changes

None

# Additional Context

- relates to #8545
- support requests from cloud customers
2024-10-04 09:34:44 +00:00
Elio Bischof
fb481256ec
docs: reorganize actions v3 docs (#8712)
# Which Problems Are Solved

The actions v2 docs have broken links. Also, actions docs are
distributed and the navigation feels messy.

# How the Problems Are Solved

- The two actions v2 docs pages are integrated into the more accurate
actions v3 API section. Redirects are added to the Vercel config.


![image](https://github.com/user-attachments/assets/0b3b2255-4b90-45b3-be1d-ee875dd86f03)

![image](https://github.com/user-attachments/assets/a35314d7-11fb-446e-ae47-9d3e65adeccd)

- The broken links are fixed.

# Additional Changes

A text is added to the actions v3 section describing the changes coming
with v3.


![image](https://github.com/user-attachments/assets/bba0c9a2-36af-4820-aa84-a823b8801d79)

# Additional Context

- Replaces #8688
- Broken links reported in
https://discord.com/channels/927474939156643850/1275551972283646055
- Broken links reported in
https://discord.com/channels/927474939156643850/1168451861515354133/1280394234679136267

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-10-03 16:26:05 +00:00
Stefan Benz
5e57d3bebb
fix: correct error messages for policy queries (#8722)
# Which Problems Are Solved

Errors messages are mixed up for some policies

# How the Problems Are Solved

Define new error IDs and correct the messages.

# Additional Changes

None

# Additional Context

None
2024-10-03 17:53:03 +02:00
Elio Bischof
c0615e95e2
fix: update dependencies (#8713)
# Which Problems Are Solved

NPM dependencies are outdated.

# How the Problems Are Solved

```bash
cd console
yarn upgrade 
yarn add typescript@5.1
```

```bash
cd load-test
npm update
```
2024-10-03 11:03:44 +00:00
Livio Spring
18499274dd
fix(SAML): check on empty nameID (#8714)
# Which Problems Are Solved

If a SAML IdP did not send a `NameID` (even though required by the
specification), ZITADEL would crash.

# How the Problems Are Solved

- Check specifically if the `Subject` and its `NameID` is passed

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8654
2024-10-03 08:17:33 +00:00
Elio Bischof
be53caafea
docs(linux, macos): default postgres admin password (#8687) 2024-10-02 17:03:11 +00:00
Elio Bischof
a2f2ffb737
docs(nginx): pass host as received from client (#8690)
# Which Problems Are Solved

The Host header reaching ZITADEL must be the same like it is requested
by the browser, or all sorts of issues arise. However, in the NginX
docs, it is appended by the port.

# How the Problems Are Solved

Port is removed from examples

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/7804
- Relates to https://github.com/netbirdio/netbird/issues/1395
2024-10-02 16:47:58 +00:00
Silvan
ddeeeed303
fix(handler): optimise snapshot hanlding (#8652)
# Which Problems Are Solved

There are cases where not all statements of multiExec are succeed. This
leads to inconsistent states. One example is [LDAP
IDPs](https://github.com/zitadel/zitadel/issues/7959).

If statements get executed only partially this can lead to inconsistent
states or even break projections for objects which might not were
correctly created in a sub table.

This behaviour is possible because we use
[`SAVEPOINTS`](https://www.postgresql.org/docs/current/sql-savepoint.html)
during each statement of a multiExec.

# How the Problems Are Solved

SAVEPOINTS are only created at the beginning of an exec function not
during every execution like before. Additionally `RELEASE` or `ROLLBACK`
of `SAVEPOINTS` are only used when needed.

# Additional Changes

- refactor some unused parameters

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/7959
2024-10-02 18:34:19 +03:00
Livio Spring
dc7330f251
fix(API): select org context by domain (#8706)
# Which Problems Are Solved

V2 and V3 APIs allow setting the organization context by providing the
organization domain in the request. Users currently experience the
following error: "rpc error: code = Unauthenticated desc = context
missing (AUTH-rKLWEH)"

# How the Problems Are Solved

Correctly check the org domain when set.

# Additional Changes

None

# Additional Context

- support request
2024-10-02 06:38:54 +00:00
Livio Spring
c347e75485
fix: ignore projectID and origin check for service accounts (#8704)
# Which Problems Are Solved

Calls with tokens issued through JWT Profile or Client Credentials
Grants were no longer possible and threw a "could not read projectid by
clientid (AUTH-GHpw2)" error.
ZITADEL checks the allowed origins of an application and load its
projectID into the context on any API call.
Tokens from service accounts did not contain any clientID and therefore
never did that check.
But due to a change in https://github.com/zitadel/zitadel/pull/8580,
were the service user id was set as client_id in the OIDC session to fix
the introspection response
(https://github.com/zitadel/zitadel/issues/8590).

# How the Problems Are Solved

- Check if the project and origin were retrieved and only then check the
origins

# Additional Changes

None.

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8676
- relates to https://github.com/zitadel/zitadel/pull/8580 (released on
2.62.0)
- relates to https://github.com/zitadel/zitadel/issues/8590
2024-10-01 16:38:28 +02:00
Tim Möhlmann
63d733b3a2
perf(oidc): disable push of user token meta-event (#8691)
# Which Problems Are Solved

When executing many concurrent authentication requests on a single
machine user, there were performance issues. As the same aggregate is
being searched and written to concurrently, we traced it down to a
locking issue on the used index.
We already optimized the token endpoint by creating a separate OIDC
aggregate.

At the time we decided to push a single event to the user aggregate, for
the user audit log. See [technical advisory
10010](https://zitadel.com/docs/support/advisory/a10010) for more
details.

However, a recent security fix introduced an additional search query on
the user aggregate, causing the locking issue we found.

# How the Problems Are Solved

Add a feature flag which disables pushing of the `user.token.v2.added`.
The event has no importance and was only added for informational
purposes on the user objects. The `oidc_session.access_token.added` is
the actual payload event and is pushed on the OIDC session aggregate and
can still be used for audit trail.

# Additional Changes

- Fix an event mapper type for
`SystemOIDCSingleV1SessionTerminationEventType`

# Additional Context

- Reported by support request
- https://github.com/zitadel/zitadel/pull/7822 changed the token
aggregate
- https://github.com/zitadel/zitadel/pull/8631 introduced user state
check

Load test trace graph with `user.token.v2.added` **enabled**. Query
times are steadily increasing:


![image](https://github.com/user-attachments/assets/4aa25055-8721-4e93-b695-625560979909)

Load test trace graph with `user.token.v2.added` **disabled**. Query
times constant:


![image](https://github.com/user-attachments/assets/a7657f6c-0c55-401b-8291-453da5d5caf9)

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-26 13:55:41 +00:00
Mostafa Galal
7247f62006
docs(guides): Fixing incorrect placement of hyphen in overview (#8681)
# Which Problems Are Solved

- There was an incorrect placement of a hyphen in a sentence.

# How the Problems Are Solved

- Corrected by replacing the hyphen with a comma and adding a verb
(ready to go, offering a)

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-09-26 14:54:36 +02:00
Livio Spring
14e2aba1bc
feat: Add Twilio Verification Service (#8678)
# Which Problems Are Solved
Twilio supports a robust, multi-channel verification service that
notably supports multi-region SMS sender numbers required for our use
case. Currently, Zitadel does much of the work of the Twilio Verify (eg.
localization, code generation, messaging) but doesn't support the pool
of sender numbers that Twilio Verify does.

# How the Problems Are Solved
To support this API, we need to be able to store the Twilio Service ID
and send that in a verification request where appropriate: phone number
verification and SMS 2FA code paths.

This PR does the following: 
- Adds the ability to use Twilio Verify of standard messaging through
Twilio
- Adds support for international numbers and more reliable verification
messages sent from multiple numbers
- Adds a new Twilio configuration option to support Twilio Verify in the
admin console
- Sends verification SMS messages through Twilio Verify
- Implements Twilio Verification Checks for codes generated through the
same

# Additional Changes

# Additional Context
- base was implemented by @zhirschtritt in
https://github.com/zitadel/zitadel/pull/8268 ❤️
- closes https://github.com/zitadel/zitadel/issues/8581

---------

Co-authored-by: Zachary Hirschtritt <zachary.hirschtritt@klaviyo.com>
Co-authored-by: Joey Biscoglia <joey.biscoglia@klaviyo.com>
2024-09-26 09:14:33 +02:00
Tim Möhlmann
4eaa3163b6
feat(storage): generic cache interface (#8628)
# Which Problems Are Solved

We identified the need of caching.
Currently we have a number of places where we use different ways of
caching, like go maps or LRU.
We might also want shared chaches in the future, like Redis-based or in
special SQL tables.

# How the Problems Are Solved

Define a generic Cache interface which allows different implementations.

- A noop implementation is provided and enabled as.
- An implementation using go maps is provided
  - disabled in defaults.yaml
  - enabled in integration tests
- Authz middleware instance objects are cached using the interface.

# Additional Changes

- Enabled integration test command raceflag
- Fix a race condition in the limits integration test client
- Fix a number of flaky integration tests. (Because zitadel is super
fast now!) 🎸 🚀

# Additional Context

Related to https://github.com/zitadel/zitadel/issues/8648
2024-09-25 21:40:21 +02:00
dependabot[bot]
a6ea83168d
chore(deps): bump micromatch from 4.0.7 to 4.0.8 in /docs (#8493)
Bumps [micromatch](https://github.com/micromatch/micromatch) from 4.0.7
to 4.0.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/releases">micromatch's
releases</a>.</em></p>
<blockquote>
<h2>4.0.8</h2>
<p>Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We
consider the issues low-priority, so even if you see automated scanners
saying otherwise, don't be scared.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md">micromatch's
changelog</a>.</em></p>
<blockquote>
<h2>[4.0.8] - 2024-08-22</h2>
<ul>
<li>backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8bd704ec0d"><code>8bd704e</code></a>
4.0.8</li>
<li><a
href="a0e68416a4"><code>a0e6841</code></a>
run verb to generate README documentation</li>
<li><a
href="4ec288484f"><code>4ec2884</code></a>
Merge branch 'v4' into hauserkristof-feature/v4.0.8</li>
<li><a
href="03aa805217"><code>03aa805</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/micromatch/issues/266">#266</a>
from hauserkristof/feature/v4.0.8</li>
<li><a
href="814f5f70ef"><code>814f5f7</code></a>
lint</li>
<li><a
href="67fcce6a10"><code>67fcce6</code></a>
fix: CHANGELOG about braces &amp; CVE-2024-4068, v4.0.5</li>
<li><a
href="113f2e3fa7"><code>113f2e3</code></a>
fix: CVE numbers in CHANGELOG</li>
<li><a
href="d9dbd9a266"><code>d9dbd9a</code></a>
feat: updated CHANGELOG</li>
<li><a
href="2ab13157f4"><code>2ab1315</code></a>
fix: use actions/setup-node@v4</li>
<li><a
href="1406ea38f3"><code>1406ea3</code></a>
feat: rework test to work on macos with node 10,12 and 14</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/micromatch/compare/4.0.7...4.0.8">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=micromatch&package-manager=npm_and_yarn&previous-version=4.0.7&new-version=4.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-25 13:53:38 +00:00
Stefan Benz
62cdec222e
feat: user v3 contact email and phone (#8644)
# Which Problems Are Solved

Endpoints to maintain email and phone contact on user v3 are not
implemented.

# How the Problems Are Solved

Add 3 endpoints with SetContactEmail, VerifyContactEmail and
ResendContactEmailCode.
Add 3 endpoints with SetContactPhone, VerifyContactPhone and
ResendContactPhoneCode.
Refactor the logic how contact is managed in the user creation and
update.

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/6433

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-25 13:31:31 +00:00
mffap
624fee97c0
docs: optimized examples and sdk for search (#8657)
# Which Problems Are Solved

Page title was "introduction" and the headings were missing a h2 level.
This makes it difficult to index for search, both internal and external.

# How the Problems Are Solved

* Change the page title
* Pulled all headings one level up

# Additional Changes

- Show all elements in sdk-example folder automaticalls
2024-09-25 08:14:58 +00:00
Tim Möhlmann
aeb379e7de
fix(eventstore): revert precise decimal (#8527) (#8679) 2024-09-24 18:43:29 +02:00
Nico Schett
eb97be6fdf
docs(pylon.mdx): update to pylon v2 (#8643)
Hi!

I just release Pylon v2. Due to some breaking changes I need to adapt
the docs.

- Docs: https://pylon.cronit.io/docs/getting-started
- Release notes: https://pylon.cronit.io/docs/release-notes/v2.0
- Migration guide:
https://pylon.cronit.io/docs/release-notes/migrating-from-v1-to-v2
2024-09-24 06:43:39 +00:00
Silvan
e5e233b439
docs(office_hours): add Q&A on 2024-09-25 (#8646)
Added meeting schedule for office hours
2024-09-19 14:27:37 +00:00
dependabot[bot]
ebef53629a
chore(deps): bump body-parser from 1.20.2 to 1.20.3 in /console (#8640)
Bumps [body-parser](https://github.com/expressjs/body-parser) from
1.20.2 to 1.20.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/releases">body-parser's
releases</a>.</em></p>
<blockquote>
<h2>1.20.3</h2>
<h2>What's Changed</h2>
<h3>Important</h3>
<ul>
<li>deps: qs@6.13.0</li>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li><strong>IMPORTANT:</strong> The default <code>depth</code> level for
parsing URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>). <a
href="1752951367/README.md (depth)">Documentation</a></li>
</ul>
<h3>Other changes</h3>
<ul>
<li>chore: add support for OSSF scorecard reporting by <a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/522">expressjs/body-parser#522</a></li>
<li>ci: fix errors in ci github action for node 8 and 9 by <a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/523">expressjs/body-parser#523</a></li>
<li>fix: pin to node@22.4.1 by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/body-parser/pull/527">expressjs/body-parser#527</a></li>
<li>deps: qs@6.12.3 by <a
href="https://github.com/melikhov-dev"><code>@​melikhov-dev</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/521">expressjs/body-parser#521</a></li>
<li>Add OSSF Scorecard badge by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/531">expressjs/body-parser#531</a></li>
<li>Linter by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/534">expressjs/body-parser#534</a></li>
<li>Release: 1.20.3 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/535">expressjs/body-parser#535</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/522">expressjs/body-parser#522</a></li>
<li><a
href="https://github.com/melikhov-dev"><code>@​melikhov-dev</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/521">expressjs/body-parser#521</a></li>
<li><a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/531">expressjs/body-parser#531</a></li>
<li><a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/534">expressjs/body-parser#534</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3">https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/blob/master/HISTORY.md">body-parser's
changelog</a>.</em></p>
<blockquote>
<h1>1.20.3 / 2024-09-10</h1>
<ul>
<li>deps: qs@6.13.0</li>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li>IMPORTANT: The default <code>depth</code> level for parsing
URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1752951367"><code>1752951</code></a>
1.20.3</li>
<li><a
href="39744cfe2a"><code>39744cf</code></a>
chore: linter (<a
href="https://redirect.github.com/expressjs/body-parser/issues/534">#534</a>)</li>
<li><a
href="b2695c4450"><code>b2695c4</code></a>
Merge commit from fork</li>
<li><a
href="ade0f3f82f"><code>ade0f3f</code></a>
add scorecard to readme (<a
href="https://redirect.github.com/expressjs/body-parser/issues/531">#531</a>)</li>
<li><a
href="99a1bd6245"><code>99a1bd6</code></a>
deps: qs@6.12.3 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/521">#521</a>)</li>
<li><a
href="9478591605"><code>9478591</code></a>
fix: pin to node@22.4.1</li>
<li><a
href="83db46a1e5"><code>83db46a</code></a>
ci: fix errors in ci github action for node 8 and 9 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/523">#523</a>)</li>
<li><a
href="9d4e2125b5"><code>9d4e212</code></a>
chore: add support for OSSF scorecard reporting (<a
href="https://redirect.github.com/expressjs/body-parser/issues/522">#522</a>)</li>
<li>See full diff in <a
href="https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~ulisesgascon">ulisesgascon</a>, a new
releaser for body-parser since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=body-parser&package-manager=npm_and_yarn&previous-version=1.20.2&new-version=1.20.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
2024-09-18 14:17:29 +00:00
mffap
87ac5ed254
docs: Improve http notification doc (#8642)
# Which Problems Are Solved

The docs contained typos and links that led to 404.
More subejectively the docs did not provide enough guidance for new
users what providers are and how to configure an HTTP provider and then
activate them. Only basic links to the API docs were given without
examples on how to achieve a basic configuration.

# How the Problems Are Solved

References and typos fixed and reworked the guide.

# Additional Changes

Added code highlighting for json and bash.

# Additional Context

We could further improve by adding more help on this page on how to
configure SMS and SMTP providers.
2024-09-18 15:38:55 +02:00
Max Peintner
e68b5d4a83
chore(console): dependencies (#8638)
Updates the dependencies

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 10:00:36 +00:00
Livio Spring
5b40af79f0
fix: correctly check user state (#8631)
# Which Problems Are Solved

ZITADEL's user account deactivation mechanism did not work correctly
with service accounts. Deactivated service accounts retained the ability
to request tokens, which could lead to unauthorized access to
applications and resources.

# How the Problems Are Solved

Additionally to checking the user state on the session API and login UI,
the state is checked on all oidc session methods resulting in a new
token or when returning the user information (userinfo, introspection,
id_token / access_token and saml attributes)
2024-09-17 13:21:49 +00:00
Livio Spring
ca1914e235
fix: user grants deactivation (#8634)
# Which Problems Are Solved

ZITADEL's user grants deactivation mechanism did not work correctly.
Deactivated user grants were still provided in token, which could lead
to unauthorized access to applications and resources.
Additionally, the management and auth API always returned the state as
active or did not provide any information about the state.

# How the Problems Are Solved

- Correctly check the user grant state on active for tokens and user
information (userinfo, introspection, saml attributes)
- Map state in API and display in Console
2024-09-17 12:18:29 +00:00
Stefan Benz
4ac722d934
fix: use body for update user on user v2 API (#8635)
Use body for update user endpoint on user v2 API.
2024-09-17 11:53:43 +00:00
Livio Spring
d01bd1c51a
fix: correctly check app state on authentication (#8630)
# Which Problems Are Solved

In Zitadel, even after an organization is deactivated, associated
projects, respectively their applications remain active. Users across
other organizations can still log in and access through these
applications, leading to unauthorized access.
Additionally, if a project was deactivated access to applications was
also still possible.

# How the Problems Are Solved

- Correctly check the status of the organization and related project. 
(Corresponding functions have been renamed to `Active...`)
2024-09-17 11:34:14 +00:00
Tim Möhlmann
77aa02a521
fix(projection): increase transaction duration (#8632)
# Which Problems Are Solved

Reduce the chance for projection dead-locks. Increasing or disabling the
projection transaction duration solved dead-locks in all reported cases.

# How the Problems Are Solved

Increase the default transaction duration to 1 minute.
Due to the high value it is functionally similar to disabling,
however it still provides a safety net for transaction that do freeze,
perhaps due to connection issues with the database.


# Additional Changes

- Integration test uses default.
- Technical advisory

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/8517

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-09-17 10:08:13 +00:00
Stefan Benz
5fdad7b8f4
feat: user v3 api update (#8582)
# Which Problems Are Solved

Users are not yet able to update their information an status in user API
v3.

# How the Problems Are Solved

Add endpoints and functionality to update users and their status in user
API v3.

# Additional Changes

Aggregate_type and event_types are updated with "userschema" to avoid
conflicts with old events.

# Additional Context

closes #7898
2024-09-17 08:27:48 +00:00
Stefan Benz
c297a62c4f
docs: notification provider docs (#8626)
# Which Problems Are Solved

There is no documentation on how to use the HTTP providers for SMS and
Email.

# How the Problems Are Solved

Add documentation and correct the tags in the proto files to correctly
group the calls for the API docs.

# Additional Changes

None

# Additional Context

None

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-09-16 13:28:29 +02:00
mffap
68e78ff7c0
docs: Update regions and link to changelog changelog (#8617)
Update readme with regions, and a link to the change log
2024-09-16 08:03:10 +00:00
Livio Spring
8831b33013
fix: prevent password init on email verification for external users (#8602)
# Which Problems Are Solved

If a user is created through the login UI with an IdP and an unverified
email, the user is prompted with the email verification and to set a
password.
This was unintentionally changed with #8291

# How the Problems Are Solved

- Check if the user has any IdP linked when computing the
EmailVerification step.

# Additional Changes

None

# Additional Context

- reported in a support request
2024-09-13 15:51:06 +00:00
Livio Spring
14383cfe8c
fix: race condition in system jwt signature check (#8618) 2024-09-13 17:18:37 +02:00
Stefan Benz
289378713e
fix: smtp provider (#8610)
There were some problems after changing from SMTP providers to email
providers (https://github.com/zitadel/zitadel/pull/8545):
- panic (nil pointer) on SMTP provider retrieval for HTTP configs
- old SMTP configuration created before the multi SMTP configurations
(without id)
  - were not projected / listed
  - could not be always be activated
- Console treated HTTP configs as SMTP

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-13 13:22:25 +00:00
Max Peintner
3d87220180
docs: typescript repo update (#8563)
The typescript repository documentation is updated

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-13 07:04:18 +00:00
Tim Möhlmann
3b140a67c8
fix(oidc): always set sub claim (#8598)
# Which Problems Are Solved

When the `openid` scope was not requested, as is possible in machine
authentication, we didn't set the `sub` (subject) claim to tokens and
possibly also userInfo and introspection.

This fix always sets the `sub` claim for all cases.

# How the Problems Are Solved

Set the `Subject` field to regardless of passed scopes.

# Additional Changes

- none

# Additional Context

According to standards:

- [RFC9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access
Tokens](https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure)
this claim is **required**.
- [RFC7667 - OAuth 2.0 Token
Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2)
the claim is optional, however there is no correlation to the `openid`
or OpenID Connect. Therefore it doesn't harm to always return this
claim.
- [OpenID connect, User Info
Response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse):
"The sub (subject) Claim **MUST** always be returned in the UserInfo
Response."

Closes https://github.com/zitadel/zitadel/issues/8591
2024-09-12 12:36:33 +00:00
hofq
0db92c69d4
docs: upstream sent too big header while reading response header from upstream (#8466)
# Which Problems Are Solved


- If you operate Zitadel behind a Reverse Proxy or Ingress inside a
Kubernetes cluster,
you may encounter an Error like `upstream sent too big header while
reading response header from upstream`
- The Docs explain how to solve it

# How the Problems Are Solved

- Adding Troubleshooting Docs for too big upstream header, so people
that search for it find a solution.

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-09-12 10:22:06 +00:00
Stefan Benz
87e8ac48ae
chore: fix crdb version on v24.2.1 (#8607)
Fix crdb to version v24.2.1 for e2e tests
2024-09-12 09:30:56 +02:00