Commit Graph

3323 Commits

Author SHA1 Message Date
Livio Spring
5b40af79f0
fix: correctly check user state (#8631)
# Which Problems Are Solved

ZITADEL's user account deactivation mechanism did not work correctly
with service accounts. Deactivated service accounts retained the ability
to request tokens, which could lead to unauthorized access to
applications and resources.

# How the Problems Are Solved

Additionally to checking the user state on the session API and login UI,
the state is checked on all oidc session methods resulting in a new
token or when returning the user information (userinfo, introspection,
id_token / access_token and saml attributes)
2024-09-17 13:21:49 +00:00
Livio Spring
ca1914e235
fix: user grants deactivation (#8634)
# Which Problems Are Solved

ZITADEL's user grants deactivation mechanism did not work correctly.
Deactivated user grants were still provided in token, which could lead
to unauthorized access to applications and resources.
Additionally, the management and auth API always returned the state as
active or did not provide any information about the state.

# How the Problems Are Solved

- Correctly check the user grant state on active for tokens and user
information (userinfo, introspection, saml attributes)
- Map state in API and display in Console
2024-09-17 12:18:29 +00:00
Stefan Benz
4ac722d934
fix: use body for update user on user v2 API (#8635)
Use body for update user endpoint on user v2 API.
2024-09-17 11:53:43 +00:00
Livio Spring
d01bd1c51a
fix: correctly check app state on authentication (#8630)
# Which Problems Are Solved

In Zitadel, even after an organization is deactivated, associated
projects, respectively their applications remain active. Users across
other organizations can still log in and access through these
applications, leading to unauthorized access.
Additionally, if a project was deactivated access to applications was
also still possible.

# How the Problems Are Solved

- Correctly check the status of the organization and related project. 
(Corresponding functions have been renamed to `Active...`)
2024-09-17 11:34:14 +00:00
Tim Möhlmann
77aa02a521
fix(projection): increase transaction duration (#8632)
# Which Problems Are Solved

Reduce the chance for projection dead-locks. Increasing or disabling the
projection transaction duration solved dead-locks in all reported cases.

# How the Problems Are Solved

Increase the default transaction duration to 1 minute.
Due to the high value it is functionally similar to disabling,
however it still provides a safety net for transaction that do freeze,
perhaps due to connection issues with the database.


# Additional Changes

- Integration test uses default.
- Technical advisory

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/8517

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-09-17 10:08:13 +00:00
Stefan Benz
5fdad7b8f4
feat: user v3 api update (#8582)
# Which Problems Are Solved

Users are not yet able to update their information an status in user API
v3.

# How the Problems Are Solved

Add endpoints and functionality to update users and their status in user
API v3.

# Additional Changes

Aggregate_type and event_types are updated with "userschema" to avoid
conflicts with old events.

# Additional Context

closes #7898
2024-09-17 08:27:48 +00:00
Stefan Benz
c297a62c4f
docs: notification provider docs (#8626)
# Which Problems Are Solved

There is no documentation on how to use the HTTP providers for SMS and
Email.

# How the Problems Are Solved

Add documentation and correct the tags in the proto files to correctly
group the calls for the API docs.

# Additional Changes

None

# Additional Context

None

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-09-16 13:28:29 +02:00
mffap
68e78ff7c0
docs: Update regions and link to changelog changelog (#8617)
Update readme with regions, and a link to the change log
2024-09-16 08:03:10 +00:00
Livio Spring
8831b33013
fix: prevent password init on email verification for external users (#8602)
# Which Problems Are Solved

If a user is created through the login UI with an IdP and an unverified
email, the user is prompted with the email verification and to set a
password.
This was unintentionally changed with #8291

# How the Problems Are Solved

- Check if the user has any IdP linked when computing the
EmailVerification step.

# Additional Changes

None

# Additional Context

- reported in a support request
2024-09-13 15:51:06 +00:00
Livio Spring
14383cfe8c
fix: race condition in system jwt signature check (#8618) 2024-09-13 17:18:37 +02:00
Stefan Benz
289378713e
fix: smtp provider (#8610)
There were some problems after changing from SMTP providers to email
providers (https://github.com/zitadel/zitadel/pull/8545):
- panic (nil pointer) on SMTP provider retrieval for HTTP configs
- old SMTP configuration created before the multi SMTP configurations
(without id)
  - were not projected / listed
  - could not be always be activated
- Console treated HTTP configs as SMTP

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-13 13:22:25 +00:00
Max Peintner
3d87220180
docs: typescript repo update (#8563)
The typescript repository documentation is updated

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-13 07:04:18 +00:00
Tim Möhlmann
3b140a67c8
fix(oidc): always set sub claim (#8598)
# Which Problems Are Solved

When the `openid` scope was not requested, as is possible in machine
authentication, we didn't set the `sub` (subject) claim to tokens and
possibly also userInfo and introspection.

This fix always sets the `sub` claim for all cases.

# How the Problems Are Solved

Set the `Subject` field to regardless of passed scopes.

# Additional Changes

- none

# Additional Context

According to standards:

- [RFC9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access
Tokens](https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure)
this claim is **required**.
- [RFC7667 - OAuth 2.0 Token
Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2)
the claim is optional, however there is no correlation to the `openid`
or OpenID Connect. Therefore it doesn't harm to always return this
claim.
- [OpenID connect, User Info
Response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse):
"The sub (subject) Claim **MUST** always be returned in the UserInfo
Response."

Closes https://github.com/zitadel/zitadel/issues/8591
2024-09-12 12:36:33 +00:00
hofq
0db92c69d4
docs: upstream sent too big header while reading response header from upstream (#8466)
# Which Problems Are Solved


- If you operate Zitadel behind a Reverse Proxy or Ingress inside a
Kubernetes cluster,
you may encounter an Error like `upstream sent too big header while
reading response header from upstream`
- The Docs explain how to solve it

# How the Problems Are Solved

- Adding Troubleshooting Docs for too big upstream header, so people
that search for it find a solution.

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-09-12 10:22:06 +00:00
Stefan Benz
87e8ac48ae
chore: fix crdb version on v24.2.1 (#8607)
Fix crdb to version v24.2.1 for e2e tests
2024-09-12 09:30:56 +02:00
Stefan Benz
21c38b061d
feat: add http as smtp provider (#8545)
# Which Problems Are Solved

Send Email messages as a HTTP call to a relay, for own logic on handling
different Email providers

# How the Problems Are Solved

Create endpoints under Email provider to manage SMTP and HTTP in the
notification handlers.

# Additional Changes

Clean up old logic in command and query side to handle the general Email
providers with deactivate, activate and remove.

# Additional Context

Partially closes #8270

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-12 06:27:29 +02:00
Tim Möhlmann
d8a71d217c
test: upload integration server logs as artifacts (#8600)
# Which Problems Are Solved

Upload the integration test server logs as artifacts, even if the tests
fail.
Before this change logs where printed through the Makefile.
However if a test would fail, the logs wouldn't get printed.

# How the Problems Are Solved

- Add an extra build step that pushes `tmp/zitadel.log` and
`tmp/race.log.$pid` to artificats storage.
- Logs are no longer printed in the `core_integration_reports` Makefile
recipe.

# Additional Changes

Do not remove coverage data when generating the coverage report in
`core_integration_reports`. This is to prevent future "File not found"
erros when running the command repeatedly.

# Additional Context

Reported as internal feedback
2024-09-11 17:51:18 +00:00
Stefan Benz
1a75414315
fix: add apple as identity provider type to settings v2 api (#8472)
# Which Problems Are Solved

Apple is not availabe as IDP type in the settings v2 API.

# How the Problems Are Solved

Add Apple as type.

# Additional Changes

None

# Additional Context

None

Co-authored-by: Max Peintner <max@caos.ch>
2024-09-11 14:26:28 +00:00
Max Peintner
f6da528296
fix(console): dynamic documentation button (#8596)
This PR makes the documenation dynamic according to the external links
2024-09-11 12:55:19 +00:00
Stygmates
05af47b9ab
feat(console): Display seconds and milliseconds in the tooltip of the user audit log (#8495)
# Which Problems Are Solved

The exact timestamp including the seconds and milliseconds in the user
audit log is not shown, either in the direct log or in the tooltip that
appears when hovering over the item.


![353743484-e9f18fa8-4691-4e8f-a0c9-e223e2c48ffe](https://github.com/user-attachments/assets/aaeff804-62a6-435d-a15d-e0d05106e6b5)


# How the Problems Are Solved

The exact timestamp is added to the tooltip that appears when hovering
over the item.


![image](https://github.com/user-attachments/assets/d1052d85-1558-45f4-9d7f-49340acc684e)

# Additional Changes

None

# Additional Context
- Closes #8371

---------

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <fabienne@zitadel.com>
2024-09-11 11:52:44 +00:00
Livio Spring
a07b2f4677
feat: invite user link (#8578)
# Which Problems Are Solved

As an administrator I want to be able to invite users to my application
with the API V2, some user data I will already prefil, the user should
add the authentication method themself (password, passkey, sso).

# How the Problems Are Solved

- A user can now be created with a email explicitly set to false.
- If a user has no verified email and no authentication method, an
`InviteCode` can be created through the User V2 API.
  - the code can be returned or sent through email
- additionally `URLTemplate` and an `ApplicatioName` can provided for
the email
- The code can be resent and verified through the User V2 API
- The V1 login allows users to verify and resend the code and set a
password (analog user initialization)
- The message text for the user invitation can be customized

# Additional Changes

- `verifyUserPasskeyCode` directly uses `crypto.VerifyCode` (instead of
`verifyEncryptedCode`)
- `verifyEncryptedCode` is removed (unnecessarily queried for the code
generator)

# Additional Context

- closes #8310
- TODO: login V2 will have to implement invite flow:
https://github.com/zitadel/typescript/issues/166
2024-09-11 10:53:55 +00:00
Tim Möhlmann
02c78a19c6
fix(actions-v3): check feature flag on list methods (#8595)
# Which Problems Are Solved

In actions/v3 there was no check for the feature flag on any of the:

- ListExecutionFunctions
- ListExecutionMethods
- ListExecutionServices

In the integration tests `ensureFeatureEnabled` relies on
`ListExecutionMethods` to return an error if the feature is not enabled.
This fix makes the test wait untill the feature is fully projected.

# How the Problems Are Solved

Add the feature check to all of the above methods.

# Additional Changes

- none

# Additional Context

Flaky introduced in https://github.com/zitadel/zitadel/pull/8407
2024-09-11 09:43:44 +00:00
Silvan
15c9f71bee
test(load): add machine jwt profile test for a single user (#8593)
# How the Problems Are Solved

Adds a new load test to use the token endpoint with a single user by
multiple threads.
2024-09-11 09:23:24 +00:00
Tim Möhlmann
58a7eb1f26
perf(oidc): remove get user by ID from jwt profile grant (#8580)
# Which Problems Are Solved

Improve performance by removing a GetUserByID call. The call also
executed a Trigger on projections, which significantly impacted
concurrent requests.

# How the Problems Are Solved

Token creation needs information from the user, such as the resource
owner and access token type.

For client credentials this is solved in a single search. By getting the
user by username (`client_id`), the user details and secret were
obtained in a single query. After that verification and token creation
can proceed. For JWT profile it is a bit more complex. We didn't know
anything about the user until after JWT verification.
The verification did a query for the AuthN key and after that we did a
GetUserByID to get remaining details.

This change uses a joined query when the OIDC library calls the
`GetKeyByIDAndClientID` method on the token storage. The found user
details are set to the verifieer object and returned after verification
is completed.
It is safe because the `jwtProfileKeyStorage` is a single-use object as
a wrapper around `query.Queries`.
This way getting the public key and user details are obtained in a
single query.

# Additional Changes

- Correctly set the `client_id` field with machine's username.

# Additional Context

- Related to: https://github.com/zitadel/zitadel/issues/8352
2024-09-11 12:04:09 +03:00
Tim Möhlmann
3aba942162
feat: add debug events API (#8533)
# Which Problems Are Solved

Add a debug API which allows pushing a set of events to be reduced in a
dedicated projection.
The events can carry a sleep duration which simulates a slow query
during projection handling.

# How the Problems Are Solved

- `CreateDebugEvents` allows pushing multiple events which simulate the
lifecycle of a resource. Each event has a `projectionSleep` field, which
issues a `pg_sleep()` statement query in the projection handler :
  - Add
  - Change
  - Remove
- `ListDebugEventsStates` list the current state of the projection,
optionally with a Trigger
- `GetDebugEventsStateByID` get the current state of the aggregate ID in
the projection, optionally with a Trigger


# Additional Changes

- none

# Additional Context

-  Allows reproduction of https://github.com/zitadel/zitadel/issues/8517
2024-09-11 08:24:00 +00:00
Tim Möhlmann
a569501108
chore(test): set connection lifetimes for postgresql (#8586)
# Which Problems Are Solved

defaults.yaml only specifies defaults for cockroach. Therefore, options
omitted for postgresql are actually set to `0`.
This means that the connections timeouts are set to `0` and connections
were not reused, resulting in a performance penalty while running the
integration tests.

# How the Problems Are Solved

Set MaxConnLifeTime and MaxConnIdleTime options in postgres


# Additional Changes

- none

# Additional Context

- none

Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-11 07:45:02 +00:00
Mark Stosberg
762efd0a20
docs: some English spelling and grammar fixes (#8592)
- English typo and grammar fixes.

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-09-11 06:51:01 +00:00
Tim Möhlmann
328c409271
fix(oidc): roles in service user ID token (#8561)
# Which Problems Are Solved

Return the user's project roles when the
`urn:zitadel:iam:org:projects:roles` scope is requested.
We alreayd returned it for access tokens, now also ID tokens.

# How the Problems Are Solved

Set `idTokenRoleAssertion` to `true` when calling
`accessTokenResponseFromSession` for service users. This parameter is
normally set to the client config. However, service user authentication
does not have a client.

# Additional Changes

- none

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/8046
- Closes https://github.com/zitadel/zitadel/issues/8107

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-11 04:45:59 +00:00
Tim Möhlmann
622a176be4
fix(tests): check eventual web key state (#8587)
# Which Problems Are Solved

Deal with eventual consistency in the webkey integration tests.

# How the Problems Are Solved

Use an eventual with T for the list state check.

# Additional Changes

- none

# Additional Context

- none

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-10 11:15:25 +00:00
Livio Spring
650c21f18a
fix: check if pw login allowed (#8584)
# Which Problems Are Solved

When checking for the next step for the login UI and a user did not yet
have an IdP linked, they would always be presented the password check
screen, even if the local authentication was disabled.

# How the Problems Are Solved

- Correctly check the login policy for the `Allow Username Password`
option
- In case the user has no IdP linked yet, fallback to the organizations
configuration (and redirect if possible)
- the user can be auto-linked based on the username / email after
successfully authenticating at the IdP

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/5106
- closes https://github.com/zitadel/zitadel/issues/7502
2024-09-10 12:55:32 +02:00
Fabi
ccf222f0f6
docs(api): fix title of project grant member list (#8548)
# Which Problems Are Solved

The title of the project grant member list was wrong

# How the Problems Are Solved

Added right title
2024-09-09 12:09:34 +00:00
Livio Spring
abe2502b27
chore: use default (lts) node version for devcontainer (#8532)
# Which Problems Are Solved

Node devcontainer still used node version 18.

# How the Problems Are Solved

Use default (lts) version to mitigate problems.

# Additional Changes

None

# Additional Context

- reference:
https://github.com/devcontainers/features/tree/main/src/node

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-09-09 12:58:25 +03:00
Stefan Benz
5bdf1a4547
feat: add http as sms provider (#8540)
# Which Problems Are Solved

Send SMS messages as a HTTP call to a relay, for own logic on handling
different SMS providers.

# How the Problems Are Solved

Add HTTP as SMS provider type and handling of webhook messages in the
notification handlers.

# Additional Changes

Clean up old Twilio events, which were supposed to handle the general
SMS providers with deactivate, activate and remove.

# Additional Context

Partially closes #8270

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-06 13:11:36 +00:00
Tim Möhlmann
d2e0ac07f1
chore(tests): use a coverage server binary (#8407)
# Which Problems Are Solved

Use a single server instance for API integration tests. This optimizes
the time taken for the integration test pipeline,
because it allows running tests on multiple packages in parallel. Also,
it saves time by not start and stopping a zitadel server for every
package.

# How the Problems Are Solved

- Build a binary with `go build -race -cover ....`
- Integration tests only construct clients. The server remains running
in the background.
- The integration package and tested packages now fully utilize the API.
No more direct database access trough `query` and `command` packages.
- Use Makefile recipes to setup, start and stop the server in the
background.
- The binary has the race detector enabled
- Init and setup jobs are configured to halt immediately on race
condition
- Because the server runs in the background, races are only logged. When
the server is stopped and race logs exist, the Makefile recipe will
throw an error and print the logs.
- Makefile recipes include logic to print logs and convert coverage
reports after the server is stopped.
- Some tests need a downstream HTTP server to make requests, like quota
and milestones. A new `integration/sink` package creates an HTTP server
and uses websockets to forward HTTP request back to the test packages.
The package API uses Go channels for abstraction and easy usage.

# Additional Changes

- Integration test files already used the `//go:build integration`
directive. In order to properly split integration from unit tests,
integration test files need to be in a `integration_test` subdirectory
of their package.
- `UseIsolatedInstance` used to overwrite the `Tester.Client` for each
instance. Now a `Instance` object is returned with a gRPC client that is
connected to the isolated instance's hostname.
- The `Tester` type is now `Instance`. The object is created for the
first instance, used by default in any test. Isolated instances are also
`Instance` objects and therefore benefit from the same methods and
values. The first instance and any other us capable of creating an
isolated instance over the system API.
- All test packages run in an Isolated instance by calling
`NewInstance()`
- Individual tests that use an isolated instance use `t.Parallel()`

# Additional Context

- Closes #6684
- https://go.dev/doc/articles/race_detector
- https://go.dev/doc/build-cover

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-09-06 14:47:57 +02:00
Silvan
b522588d98
fix(eventstore): precise decimal (#8527)
# Which Problems Are Solved

Float64 which was used for the event.Position field is [not precise in
go and gets rounded](https://github.com/golang/go/issues/47300). This
can lead to unprecies position tracking of events and therefore
projections especially on cockcoachdb as the position used there is a
big number.

example of a unprecies position:
exact: 1725257931223002628
float64: 1725257931223002624.000000

# How the Problems Are Solved

The float64 was replaced by
[github.com/jackc/pgx-shopspring-decimal](https://github.com/jackc/pgx-shopspring-decimal).

# Additional Changes

Correct behaviour of makefile for load tests.
Rename `latestSequence`-queries to `latestPosition`
2024-09-06 12:19:19 +03:00
Tim Möhlmann
2981ff04da
docs(oidc): web keys (#8508)
# Which Problems Are Solved

Explain the web key implementation and usage in zitadel.

# How the Problems Are Solved

Add documentation

# Additional Changes

- none

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/7809
- Example cURL commands are broken:
https://github.com/zitadel/zitadel/issues/8507

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-06 08:58:06 +02:00
Elio Bischof
32e6884141
docs: enterprise support for charts (#8551)
# Which Problems Are Solved

Charts support is not described anywhere

# How the Problems Are Solved

It is listed in
https://zitadel.com/docs/support/software-release-cycles-support#enterprise-supported
along the LDAP IDP and the Terraform Provider
2024-09-05 21:59:35 +02:00
Max Peintner
2b73a4a180
chore(docs): increase heap size (#8547)
more memory, less problems
2024-09-04 12:38:41 +00:00
Livio Spring
25bce59119
fix(api): pass trusted domain in body instead of param (#8544)
# Which Problems Are Solved

The trusted domain cannot be sent in the request body.

# How the Problems Are Solved

Added missing mapping

# Additional Changes

None

# Additional Context

None
2024-09-04 11:34:26 +00:00
Livio Spring
382a97c30f
feat(oidc): end session by id_token_hint and without cookie (#8542)
# Which Problems Are Solved

The end_session_endpoint currently always requires the userAgent cookie
to be able to terminate session created through the hosted login UI.
Only tokens issued through the Login V2 can be used to directly
terminate a specific session and without the need of a cookie.
This PR adds the possibility to terminate a single V1 session or all V1
sessions belonging to the same user agent without the need of the
userAgent cookie by providing an id_token as `id_token_hint` which
contains the id of a V1 session as `sid`.

# How the Problems Are Solved

- #8525 added the `sid` claim for id_tokens issued through the login UI
- The `sid` can now be checked for the `V1_` prefix and queries for
either the userAgentID and depending on the
`OIDCSingleV1SessionTermination` flag all userIDs of active session from
the same user agent id
- The `OIDCSingleV1SessionTermination` flag is added with default value
false to keep the existing behavior of terminating all sessions even in
case of providing an id_token_hint

# Additional Changes

- pass `context.Context` into session view functions for querying the
database with that context

# Additional Context

- relates to #8499 
- closes #8501
2024-09-04 10:14:50 +00:00
Livio Spring
c26a07210c
fix: update IDP Success and Failure URLs to accept up to 2048 characters again (#8543)
# Which Problems Are Solved

Durning the review of #8540, I noticed that the max length of the
success and failure url was set back to 200 instead of 2048 as changed
in #8327.
Looks like this was accidentally changed during the v2 GA release and
migration to v3 resources

# How the Problems Are Solved

Reapplied the change to 2048 max length

# Additional Changes

None

# Additional Context

- relates to #8327
- relates to #8343
  - requires backport until 2.58.x
- relates to #8494
  - requires backport to 2.60.x
2024-09-04 09:25:40 +00:00
Stygmates
d47ce93025
fix(console): Verify if the LDAP IDP has just been created (#8496)
# Which Problems Are Solved

After the creation of an LDAP IDP on instance or org level, the button
changes to 'Save' and with each click a new IDP will be created.

# How the Problems Are Solved

Similar to what was done in #7572, we check if the IDP was just created

# Additional Changes

None

# Additional Context

- Closes #8444
- Follow-up for PR #7572

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-04 05:52:42 +00:00
Elio Bischof
9a1140289a
chore: automatically bump charts (#8537)
# Which Problems Are Solved

Bumping charts needs a manual trigger.

# How the Problems Are Solved

The charts bump workflow is run after every ZITADEL release.

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-04 05:16:17 +00:00
Eko Eryanto
889201568d
feat: add indonesia translation (#8459)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-03 16:05:47 +00:00
Livio Spring
9ec9ad4314
feat(oidc): sid claim for id_tokens issued through login V1 (#8525)
# Which Problems Are Solved

id_tokens issued for auth requests created through the login UI
currently do not provide a sid claim.
This is due to the fact that (SSO) sessions for the login UI do not have
one and are only computed by the userAgent(ID), the user(ID) and the
authentication checks of the latter.

This prevents client to track sessions and terminate specific session on
the end_session_endpoint.

# How the Problems Are Solved

- An `id` column is added to the `auth.user_sessions` table.
- The `id` (prefixed with `V1_`) is set whenever a session is added or
updated to active (from terminated)
- The id is passed to the `oidc session` (as v2 sessionIDs), to expose
it as `sid` claim

# Additional Changes

- refactored `getUpdateCols` to handle different column value types and
add arguments for query

# Additional Context

- closes #8499 
- relates to #8501
2024-09-03 13:19:00 +00:00
Elio Bischof
41b7bf976d
fix: map gRPC Gateway paths correctly (#8536)
# Which Problems Are Solved

Alpha APIs are not available accessible using REST.

# How the Problems Are Solved

The base_path property for the swagger definition has nothing to do with
the reverse proxy generation. Reusing it and omitting its segments in
the individual methods leads to a wrong path mapping. To fix this, the
full paths are added to all the GW mappings.

# Additional Context

Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes #8507
2024-09-03 14:32:42 +02:00
Stefan Benz
a9eb50321c
fix: update userschema api to v3alpha definition (#8511)
# Which Problems Are Solved

UserSchema API is currently not completely as defined for v3alpha.

# How the Problems Are Solved

Update the protos and integration tests.

# Additional Changes

None

# Additional Context

None
2024-09-02 11:24:15 +00:00
dependabot[bot]
bbdf9dbb20
chore(deps): bump elliptic from 6.5.5 to 6.5.7 in /docs (#8447)
Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.5 to
6.5.7.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3e46a48fdd"><code>3e46a48</code></a>
6.5.7</li>
<li><a
href="accb61e9c1"><code>accb61e</code></a>
lib: DER signature decoding correction</li>
<li><a
href="03e06e135c"><code>03e06e1</code></a>
6.5.6</li>
<li><a
href="7ac5360118"><code>7ac5360</code></a>
Merge commit from fork</li>
<li>See full diff in <a
href="https://github.com/indutny/elliptic/compare/v6.5.5...v6.5.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=elliptic&package-manager=npm_and_yarn&previous-version=6.5.5&new-version=6.5.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
2024-09-02 09:20:03 +00:00
Max Peintner
aefba7fc6c
chore(console): update dependencies (#8526)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-02 08:00:33 +00:00
Mark Stosberg
e6f849f325
docs: typo fixes (#8519)
Co-authored-by: Fabi <fabienne@zitadel.com>
2024-09-02 07:25:01 +00:00