Commit Graph

3251 Commits

Author SHA1 Message Date
Tim Möhlmann
ab4daa0ebb
fix(webkeys): remove include private key from projection index (#8436)
# Which Problems Are Solved

When Web keys with a large RSA Bitsize were generated, the new web key
did not get projected.
Zitadel logs printed the following errors:

```
time="2024-08-15T09:18:47Z" level=debug msg="execution of statements failed" caller="/home/tim/Repositories/zitadel/zitadel/internal/eventstore/handler/v2/handler.go:518" error="statement failed: ID=CRDB-pKtsr Message=exec failed Parent=(ERROR: index row size 3400 exceeds btree version 4 maximum 2704 for index \"web_keys_web_key_state_idx\" (SQLSTATE 54000))" lastProcessedIndex=-1 projection=projections.web_keys
```


# How the Problems Are Solved

Remove the the `WithInclude` option with the Private key from the
`web_keys` projection index and bump the projection version.

# Additional Changes

- Correct RPC summaries for documentation
- Fix docs slug in sidebar.js

# Additional Context

- Found during release review.
2024-08-16 11:41:09 +00:00
Stefan Benz
83c78a470c
fix: add information about target response into error message if inte… (#8281)
# Which Problems Are Solved

Execution responses with HTTP StatusCode not equal to 200 interrupt the
client request silently.

# How the Problems Are Solved

Adds information about the recieved StatusCode and Body into the error
if StatusCode not 200.

# Additional Context

Closes #8177

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-16 11:26:15 +02:00
Livio Spring
11d01b9b35
fix(console): allow user filtering with read permission (#8152)
# Which Problems Are Solved

The filter option was not displayed on the user list page for users who
only have `user.read` permission, e.g. an IAM_OWNER_VIEWER or
ORG_OWNER_VIEWER

# How the Problems Are Solved

- Filter is correctly displayed.

# Additional Changes

None.

# Additional Context

- noticed by a customer
- needs backports
2024-08-15 22:08:52 +00:00
Livio Spring
0af37d45e9
fix: handle user remove correctly in v1 sessions for login (#8432)
# Which Problems Are Solved

In case a user was deleted and recreated with the same id, they would
never be able to authenticate through the login UI, since it would
return an error "User not active".
This was due to the check in the auth request / session handling for the
login UI, where the user removed event would terminate an further event
check and ignore the newly added user.

# How the Problems Are Solved

- The user removed event no longer returns an error, but is handled as a
session termination event.
(A user removed event will already delete the user and the preceding
`activeUserById` function will deny the authentication.)

# Additional Changes

Updated tests to be able to handle multiple events in the mocks.

# Additional Context

closes https://github.com/zitadel/zitadel/issues/8201

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-08-15 05:39:54 +00:00
Stefan Benz
5fab533e37
feat: org v2 ListOrganizations (#8411)
# Which Problems Are Solved

Org v2 service does not have a ListOrganizations endpoint.

# How the Problems Are Solved

Implement ListOrganizations endpoint.

# Additional Changes

- moved descriptions in the protos to comments
- corrected the RemoveNoPermissions for the ListUsers, to get the
correct TotalResults

# Additional Context

For new typescript login
2024-08-15 06:37:06 +02:00
Stefan Benz
3e3d46ac0d
feat: idp v2 api GetIDPByID (#8425)
# Which Problems Are Solved

GetIDPByID as endpoint in the API v2 so that it can be available for the
new login.

# How the Problems Are Solved

Create GetIDPByID endpoint with IDP v2 API, throught the GetProviderByID
implementation from admin and management API.

# Additional Changes

- Remove the OwnerType attribute from the response, as the information
is available through the resourceOwner.
- correct refs to messages in proto which are used for doc generation
- renaming of elements for API v3

# Additional Context

Closes #8337

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-14 18:18:29 +00:00
Tim Möhlmann
64a3bb3149
feat(v3alpha): web key resource (#8262)
# Which Problems Are Solved

Implement a new API service that allows management of OIDC signing web
keys.
This allows users to manage rotation of the instance level keys. which
are currently managed based on expiry.

The API accepts the generation of the following key types and
parameters:

- RSA keys with 2048, 3072 or 4096 bit in size and:
  - Signing with SHA-256 (RS256)
  - Signing with SHA-384 (RS384)
  - Signing with SHA-512 (RS512)
- ECDSA keys with
  - P256 curve
  - P384 curve
  - P512 curve
- ED25519 keys

# How the Problems Are Solved

Keys are serialized for storage using the JSON web key format from the
`jose` library. This is the format that will be used by OIDC for
signing, verification and publication.

Each instance can have a number of key pairs. All existing public keys
are meant to be used for token verification and publication the keys
endpoint. Keys can be activated and the active private key is meant to
sign new tokens. There is always exactly 1 active signing key:

1. When the first key for an instance is generated, it is automatically
activated.
2. Activation of the next key automatically deactivates the previously
active key.
3. Keys cannot be manually deactivated from the API
4. Active keys cannot be deleted

# Additional Changes

- Query methods that later will be used by the OIDC package are already
implemented. Preparation for #8031
- Fix indentation in french translation for instance event
- Move user_schema translations to consistent positions in all
translation files

# Additional Context

- Closes #8030
- Part of #7809

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-08-14 14:18:14 +00:00
Livio Spring
e2e1100124
feat(idp): provide auto only options (#8420)
# Which Problems Are Solved

As of now, **automatic creation** and **automatic linking options** were
only considered if the corresponding **allowed option** (account
creation / linking allowed) was enabled.

With this PR, this is no longer needed and allows administrators to
address cases, where only an **automatic creation** is allowed, but
users themselves should not be allowed to **manually** create new
accounts using an identity provider or edit the information during the
process.
Also, allowing users to only link to the proposed existing account is
now possible with an enabled **automatic linking option**, while
disabling **account linking allowed**.

# How the Problems Are Solved

- Check for **automatic** options without the corresponding **allowed**
option.
- added technical advisory to notify about the possible behavior change

# Additional Changes

- display the error message on the IdP linking step in the login UI (in
case there is one)
- display an error in case no option is possible
- exchanged deprecated `eventstoreExpect` with `expectEventstore` in
touched test files

# Additional Context

closes https://github.com/zitadel/zitadel/issues/7393

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-08-14 13:04:26 +00:00
Max Peintner
d32e22734f
docs: update typescript repo (#8394)
server package is node package now, idp scope is implemented

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-08-14 11:56:58 +00:00
Tim Möhlmann
fcda6580ff
fix(query): print log line on secret generator error (#8424)
# Which Problems Are Solved

Log some details when a secret generator is not found.
This should help us debugging such issue.

# How the Problems Are Solved

When a secret generator by type query fails,
we log the generator type and instance id for which
the generator was requested.

# Additional Changes

- none

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/8379
- Also encountered in https://github.com/zitadel/zitadel/pull/8407
2024-08-13 14:52:43 +02:00
Elio Bischof
042c438813
feat(v3alpha): read actions (#8357)
# Which Problems Are Solved

The current v3alpha actions APIs don't exactly adhere to the [new
resources API
design](https://zitadel.com/docs/apis/v3#standard-resources).

# How the Problems Are Solved

- **Improved ID access**: The aggregate ID is added to the resource
details object, so accessing resource IDs and constructing proto
messages for resources is easier
- **Explicit Instances**: Optionally, the instance can be explicitly
given in each request
- **Pagination**: A default search limit and a max search limit are
added to the defaults.yaml. They apply to the new v3 APIs (currently
only actions). The search query defaults are changed to ascending by
creation date, because this makes the pagination results the most
deterministic. The creation date is also added to the object details.
The bug with updated creation dates is fixed for executions and targets.
- **Removed Sequences**: Removed Sequence from object details and
ProcessedSequence from search details

# Additional Changes

Object details IDs are checked in unit test only if an empty ID is
expected. Centralizing the details check also makes this internal object
more flexible for future evolutions.

# Additional Context

- Closes #8169 
- Depends on https://github.com/zitadel/zitadel/pull/8225

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-08-12 22:32:01 +02:00
Fabi
18c3f574a9
docs: fix broken links (#8421)
# Which Problems Are Solved
^Since publishing the new V2 GA APi, we have a lot of broken links in
our docs

# How the Problems Are Solved

replace api links with v2 links
2024-08-12 13:58:49 +02:00
Silvan
cd3ffbd3eb
fix(mirror): use correct statements on push (#8414)
# Which Problems Are Solved

The mirror command used the wrong position to filter for events if
different database technologies for source and destination were used.

# How the Problems Are Solved

The statements which diverge are stored on the client so that different
technologies can use different statements.

# Additional Context

- https://discord.com/channels/927474939156643850/1256396896243552347
2024-08-12 10:33:45 +00:00
Livio Spring
3f25e36fbd
fix: provide device auth config (#8419)
# Which Problems Are Solved

There was no default configuration for `DeviceAuth`, which makes it
impossible to override by environment variables.
Additionally, a custom `CharAmount` value would overwrite also the
`DashInterval`.

# How the Problems Are Solved

- added to defaults.yaml
- fixed customization

# Additional Changes

None.

# Additional Context

- noticed during a customer request
2024-08-12 12:55:07 +03:00
Fabi
2e7235ebf2
fix: change pr template to not link to existing issues and prs (#8412)
# Which Problems Are Solved

In the PR template we have added some ideas about additional context,
but we link to existing prs and issues as an example.
So everytime someone doesn't change the description when creating the
issue, its a mention to that issue or pr.


# How the Problems Are Solved
replace with non existing values


![Uploading image.png…]()
2024-08-09 15:41:40 +02:00
Silvan
523d73f674
fix(fields): use read commit isolation level in trigger (#8410)
# Which Problems Are Solved

If the processing time of serializable transactions in the fields
handler take too long, the next iteration can fail.

# How the Problems Are Solved

Changed the isolation level of the current states query to Read Commited
2024-08-09 09:24:28 +00:00
Silvan
c6b405ca96
chore(stable): update to v2.53.9 (#8405)
# Which Problems Are Solved

Update stable to latest 2.53
2024-08-08 11:26:22 +02:00
Silvan
7cb814c3eb
docs: add office hour #4 (#8398)
Announces office hours `login UI deepdive`
2024-08-08 08:05:48 +00:00
Silvan
5adebd552f
test(e2e): wait before select org (#8403)
# Which Problems Are Solved

The e2e tests fail because the organization selection is too fast.

# How the Problems Are Solved

Wait until console has loaded properly.

# Additional Context

- The tests still use the wrong browser, #8404 describes the problem
- closes https://github.com/zitadel/zitadel/issues/8378
2024-08-08 09:53:55 +02:00
Nico Schett
a91e344a62
docs: update pylon.mdx (#8399)
# Which Problems Are Solved

Add a link to the Pylon website.
2024-08-07 13:16:57 +02:00
Elio Bischof
eb834c9a35
fix: update oidc lib (#8393)
# Which Problems Are Solved

OIDC redirects have wrong headers

# How the Problems Are Solved

This is fixed with https://github.com/zitadel/oidc/pull/632. This change
updates the OIDC lib to a fixed version.
2024-08-06 13:07:55 +00:00
Silvan
646ffe7a26
fix(fields): await running queries during trigger (#8391)
# Which Problems Are Solved

During triggering of the fields table WriteTooOld errors can occure when
using cockroachdb.

# How the Problems Are Solved

The statements exclusively lock the projection before they start to
insert data by using `FOR UPDATE`.
2024-08-06 11:27:28 +00:00
Benjamin Roedell
0f6003f9a1
docs: Clarify third party apps NOT use embedded view (#8322)
# Which Problems Are Solved

The text appears to contradict the statement in the page on oauth.net.

# How the Problems Are Solved

The text has been updated to reflect the statement in the page on
oauth.net.

# Additional Changes

None

# Additional Context

The page [OAUTH2.0 for mobile and native
apps](https://oauth.net/2/native-apps/) linked just above the text that
was changed states:
> It describes things like not allowing the third-party application to
open an embedded web view which is more susceptible to phishing attacks,
as well as platform-specific recommendations on how to do so.

Co-authored-by: Max Peintner <max@caos.ch>
2024-08-06 09:22:57 +02:00
Nico Schett
31ecbe04ec
docs: update custom-domain.md (#8367)
Co-authored-by: Fabi <fabienne@zitadel.com>
2024-08-05 15:56:39 +02:00
Fuzzbizz
1c7c550d60
fix: singular/plural wording (#8381)
Simple language fix
2024-08-05 12:40:29 +02:00
Tim Möhlmann
4e3fd305ab
fix(crypto): reject decrypted strings with non-UTF8 characters. (#8374)
# Which Problems Are Solved

We noticed logging where 500: Internal Server errors were returned from
the token endpoint, mostly for the `refresh_token` grant. The error was
thrown by the database as it received non-UTF8 strings for token IDs

Zitadel uses symmetric encryption for opaque tokens, including refresh
tokens. Encrypted values are base64 encoded. It appeared to be possible
to send garbage base64 to the token endpoint, which will pass decryption
and string-splitting. In those cases the resulting ID is not a valid
UTF-8 string.

Invalid non-UTF8 strings are now rejected during token decryption.

# How the Problems Are Solved

- `AESCrypto.DecryptString()` checks if the decrypted bytes only contain
valid UTF-8 characters before converting them into a string.
- `AESCrypto.Decrypt()` is unmodified and still allows decryption on
non-UTF8 byte strings.
- `FromRefreshToken` now uses `DecryptString` instead of `Decrypt`

# Additional Changes

- Unit tests added for `FromRefreshToken` and
`AESCrypto.DecryptString()`.
- Fuzz tests added for `FromRefreshToken` and
`AESCrypto.DecryptString()`. This was to pinpoint the problem
- Testdata with values that resulted in invalid strings are committed.
In the pipeline this results in the Fuzz tests to execute as regular
unit-test cases. As we don't use the `-fuzz` flag in the pipeline no
further fuzzing is performed.

# Additional Context

- Closes #7765
- https://go.dev/doc/tutorial/fuzz
2024-08-02 08:38:37 +00:00
Livio Spring
3d071fc505
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved

ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.

# How the Problems Are Solved

- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain

# Additional Changes

None

# Additional Context

- part of #8279 
- open topics: 
  - "single-instance" mode
  - Console UI
2024-07-31 18:00:38 +03:00
Elio Bischof
cc3ec1e2a7
feat(v3alpha): write actions (#8225)
# Which Problems Are Solved

The current v3alpha actions APIs don't exactly adhere to the [new
resources API
design](https://zitadel.com/docs/apis/v3#standard-resources).

# How the Problems Are Solved

- **Breaking**: The current v3alpha actions APIs are removed. This is
breaking.
- **Resource Namespace**: New v3alpha actions APIs for targets and
executions are added under the namespace /resources.
- **Feature Flag**: New v3alpha actions APIs still have to be activated
using the actions feature flag
- **Reduced Executions Overhead**: Executions are managed similar to
settings according to the new API design: an empty list of targets
basically makes an execution a Noop. So a single method, SetExecution is
enough to cover all use cases. Noop executions are not returned in
future search requests.
- **Compatibility**: The executions created with previous v3alpha APIs
are still available to be managed with the new executions API.

# Additional Changes

- Removed integration tests which test executions but rely on readable
targets. They are added again with #8169

# Additional Context

Closes #8168
2024-07-31 14:42:12 +02:00
Livio Spring
a1d24353db
fix: prevent error reason leakage in case of IgnoreUnknownUsernames (#8372)
# Which Problems Are Solved

ZITADEL administrators can enable a setting called "Ignoring unknown
usernames" which helps mitigate attacks that try to guess/enumerate
usernames. If enabled, ZITADEL will show the password prompt even if the
user doesn't exist and report "Username or Password invalid".
Due to a implementation change to prevent deadlocks calling the
database, the flag would not be correctly respected in all cases and an
attacker would gain information if an account exist within ZITADEL,
since the error message shows "object not found" instead of the generic
error message.

# How the Problems Are Solved

- Proper check of the error using an error function / type and
`errors.Is`

# Additional Changes

None.

# Additional Context

- raised in a support request

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-07-31 14:23:57 +02:00
Livio Spring
189505c80f
fix: sanitize output for email (#8373)
# Which Problems Are Solved

ZITADEL uses HTML for emails and renders certain information such as
usernames dynamically. That information can be entered by users or
administrators. Due to a missing output sanitization, these emails could
include malicious code.
This may potentially lead to a threat where an attacker, without
privileges, could send out altered notifications that are part of the
registration processes. An attacker could create a malicious link, where
the injected code would be rendered as part of the email.

During investigation of this issue a related issue was found and
mitigated, where on the user's detail page the username was not
sanitized and would also render HTML, giving an attacker the same
vulnerability.

While it was possible to inject HTML including javascript, the execution
of such scripts would be prevented by most email clients and the Content
Security Policy in Console UI.

# How the Problems Are Solved

- All arguments used for email are sanitized (`html.EscapeString`)
- The email text no longer `html.UnescapeString` (HTML in custom text is
still possible)
- Console no longer uses `[innerHtml]` to render the username

# Additional Changes

None

# Additional Context

- raised via email

---------

Co-authored-by: peintnermax <max@caos.ch>
2024-07-31 14:21:10 +02:00
Max Peintner
918736c026
chore(console): upgrade dependencies (#8368)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-30 16:12:39 +02:00
Max Peintner
51210c8e34
fix(console): fill cachedorgs when read from local storage (#8363)
This fixes a problem where the org settings were hidden.
The console reads the context from either a query param or the local
storage. When one context was found, it executed a single request with
orgId filter. This let to a single org and then to a hidden org setting,
as we hide org settings for instances with a single result.
2024-07-30 11:38:20 +00:00
Silvan
3f77d87b52
chore(stable): update to v2.52.2 (#8349)
# Which Problems Are Solved

Update stable release to next minor
2024-07-29 04:53:31 +00:00
Stefan Benz
7d2d85f57c
feat: api v2beta to api v2 (#8283)
# Which Problems Are Solved

The v2beta services are stable but not GA.

# How the Problems Are Solved

The v2beta services are copied to v2. The corresponding v1 and v2beta
services are deprecated.

# Additional Context

Closes #7236

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-07-26 22:39:55 +02:00
Stefan Benz
bc16962aac
feat: api v2beta to api v2 protos (#8343)
# Which Problems Are Solved

The go linter can't limit the checks to the diff in
https://github.com/zitadel/zitadel/pull/8283 because it's too large

# How the Problems Are Solved

The protos from https://github.com/zitadel/zitadel/pull/8283 are merged
separately

# Additional Context

Contributes to #7236

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-07-26 12:28:28 +02:00
RedstonePfalz
57428a1281
fix: Fixed more spelling and grammar misstakes (#8359)
# Which Problems Are Solved

I fixed more spelling and grammar misstakes in the German language
files.

# Additional Context

- Follow-up for PR #8240

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-07-26 11:33:01 +02:00
Livio Spring
3b59b5cb1a
fix(login): correctly render logo based on theme mode (#8355)
# Which Problems Are Solved

The initial load of the login UI with dark mode preference
(prefers-color-scheme: dark) first rendered the logo configured for
light mode. Also switching from dark to light or vice versa would result
in the same behavior.
This was due to a mixed logic of server (based on cookie) and client
(prefers-color-scheme and cookie) deciding which mode to render.

# How the Problems Are Solved

- Since the main logic of which mode to use (`prefers-color-scheme`) can
only be achieve client side, both logos will be served in the HTML and
either will be rendered based on CSS.

# Additional Changes

None

# Additional Context

- closes #2085
2024-07-25 07:38:36 +00:00
Elio Bischof
693e27b906
fix: remove default TOS and privacy links (#8122)
# Which Problems Are Solved

The default terms of service and privacy policy links are applied to all
new ZITADEL instances, also for self hosters. However, the links
contents don't apply to self-hosters.

# How the Problems Are Solved

The links are removed from the DefaultInstance section in the
*defaults.yaml* file.
By default, the links are not shown anymore in the hosted login pages.
They can still be configured using the privacy policy.

# Additional Context

- Found because of a support request
2024-07-25 08:39:10 +02:00
Joey Biscoglia
f34897a8c8
feat: add delete phone endpoint to v2 api (#8321)
# Which Problems Are Solved

- Adds delete phone endpoint to v2 api

# How the Problems Are Solved

- Adds new endpoint with DELETE method to /v2beta/users/:userId/phone
which removes currently set phone number

# Additional Changes

- Added integration test for new endpoint.

# Additional Context

- Solves
https://discord.com/channels/927474939156643850/1255557862286032996
2024-07-24 13:46:07 +00:00
Livio Spring
8d13247413
revert: "feat(IDP): use single callback endpoint"
This reverts commit e126ccc9aa.

# Which Problems Are Solved

#8295 introduced the possibility to handle idps on a single callback,
but broke current setups.

# How the Problems Are Solved

- Revert the change until a proper solution is found. Revert is needed
as docs were also changed.

# Additional Changes

None.

# Additional Context

- relates to #8295
2024-07-24 12:29:05 +00:00
Elio Bischof
c3f8439a49
fix: vue logout url (#8353)
# Which Problems Are Solved

The default vue logout URL doesn't work with the @zitadel/vue defaults

# How the Problems Are Solved

A trailing slash is added to the default logout URL.

# Additional Context

Found while testing https://github.com/zitadel/zitadel-vue/pull/53
2024-07-24 11:03:02 +02:00
mffap
91dcebbfc9
docs(migrate): update password section (#8232)
# Which Problems Are Solved

Password reset in combination of md5 was not clear

# How the Problems Are Solved

Some additional information in the docs
2024-07-23 14:13:35 +00:00
Silvan
f8b711ca5c
docs(actions): correct actions examples (#8350)
# Which Problems Are Solved

The docs currently link to the wrong trigger.

# How the Problems Are Solved

Changed the links.
2024-07-23 15:45:11 +02:00
Max Peintner
215dbf0cf6
fix(console): reduce initial load time (#8273)
This reduces the initial payload of the `listMyProjectOrgs` to get the
active org by setting the limit of the initial orgs to 100.

Partial of #8272

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-07-22 14:18:26 +00:00
Livio Spring
0e99c8356a
fix: correctly check user auth methods and enable button (#8342)
# Which Problems Are Solved

#8291 added backwards compatibilty for users who were created through
the user V2 API and want to sign in to the login UI.
There were however to issues, where users might be prompted to set a
password even if they already had one set or they would not be able to
submit the email verification code.

# How the Problems Are Solved

- Replaced `SearchUserAuthMethods `with `ListUserAuthMethodTypes` to
check for set up auth methods.
- Fixed page / javascript to disable submit button.

# Additional Changes

- Changed `ListActiveUserAuthMethodTypes ` to `ListUserAuthMethodTypes`
and a `activeOnly` boolean parameter

# Additional Context

- relates to #8291
- noticed internally on QA
2024-07-22 14:46:27 +02:00
Zach H
e009ed9fe4
fix: always use pgxpool config if MaxOpenConns isn't set (#8328)
# Which Problems Are Solved

- `pgxpool -> pgx` dependency throws "MaxSize must be >= 1" on init if
`postgres.MaxOpenConns` isn't set in the ZItadel config

# How the Problems Are Solved

Only override the `MaxConns` with the Zitadel configured `MaxOpenConns`
if greater than 0 (default value). The default `MaxConns` [is derived by
`pgxpool`](ea9610f672/pgxpool/pool.go (L309-L324))
itself in a sensible way, but somewhat undocumented: checks for explicit
config in connection url or config and falls back on max(num_cpus, 4).

# Additional Changes

Applied same check in cockroach config 

# Additional Context

This is likely a regression from the changes in
https://github.com/zitadel/zitadel/pull/8325
2024-07-22 05:29:20 +00:00
Harsha Reddy
d90db6693c
fix: update IDP Success and Failure URLs to accept up to 2048 characters (#8327)
# Which Problems Are Solved

The success and failure URLs post IDP intent are limited to 200
characters. This is very low given the standard for URL lengths is much
higher
https://www.baeldung.com/cs/max-url-length#maximum-length-of-a-url-in-different-browsers


Name of the Browser | URL Length
-- | --
Google Chrome | Maximum of 2048 characters for a URL
Mozilla Firefox | The address bar no longer shows the URL after 65536
characters
Internet Explorer | Maximum length of the URL is 2083 characters
Safari | Supports up to 80000 characters for a URL
Opera | Can display up to 190000 characters in its address bar
Apache | Supports a maximum of 4000 characters



The user post SSO login w/ Zitadel, sees deep links to out app e.g.
`www.mycompany.com/idp/success?deeplink=app/mypage/id/test#thing=abcdef`
and these are usually greater than 200 characters.

# How the Problems Are Solved

Replace this example text with a concise list of changes that this PR
introduces.
- Update validation check for SuccessURL length on v2 and v3 APIs to a
max of 2048 characters
- Update validation check for FailureURL length on v2 and v3 APIs to a
max of 2048 characters

I didn't find any docs t update reflecting this change in length

# Additional Context
Fixes the error

```<PreparedRequest [POST]>, status: 400, reason: Bad Request, response: {"code":3,"message":"invalid StartIdentityProviderIntentRequest.Urls: embedded message failed validation | caused by: invalid RedirectURLs.SuccessUrl: value length must be between 1 and 200 runes, inclusive"}```
2024-07-19 12:27:28 +00:00
Silvan
0ea3c5691f
fix(mirror): read config correctly (#8330)
# Which Problems Are Solved

The mirror command read the configurations in the wrong order

# How the Problems Are Solved

The Pre execution run of `mirror` reads the default config first and
then applies the custom configs
2024-07-18 14:00:58 +00:00
Miguel Cabrerizo
b3a60863f5
feat(console): replace secret generator dialogs with cards (#8307) 2024-07-18 05:33:10 +00:00
Silvan
99c645cc60
refactor(database): exchange connection pool (#8325)
# Which Problems Are Solved

The connection pool of go uses a high amount of database connections.

# How the Problems Are Solved

The standard lib connection pool was replaced by `pgxpool.Pool`

# Additional Changes

The `db.BeginTx`-spans are removed because they cause to much noise in
the traces.

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/7639
2024-07-17 15:16:02 +00:00