fix: setup instance domain handling (#3529)

2025-05-15 17:38:19 +00:00 · 2022-04-28 10:30:41 +02:00 · 2022-04-28 10:30:41 +02:00 · 00f7dbe875
commit 00f7dbe875
parent 70e98460ab
16 changed files with 152 additions and 113 deletions
--- a/cmd/admin/setup/03.go
+++ b/cmd/admin/setup/03.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	"strings"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command"
@ -14,15 +15,18 @@ import (
 )

 type DefaultInstance struct {
-	InstanceSetup command.InstanceSetup
+	InstanceName string
+	CustomDomain string
+	Org          command.OrgSetup

+	instanceSetup     command.InstanceSetup
 	userEncryptionKey *crypto.KeyConfig
 	masterKey         string
 	db                *sql.DB
 	es                *eventstore.Eventstore
-	domain            string
 	defaults          systemdefaults.SystemDefaults
 	zitadelRoles      []authz.RoleMapping
+	externalDomain    string
 	externalSecure    bool
 	externalPort      uint16
 }
@ -47,6 +51,7 @@ func (mig *DefaultInstance) Execute(ctx context.Context) error {
 		nil,
 		nil,
 		nil,
+		mig.externalDomain,
 		mig.externalSecure,
 		mig.externalPort,
 		nil,
@ -60,9 +65,16 @@ func (mig *DefaultInstance) Execute(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	ctx = authz.WithRequestedDomain(ctx, mig.domain)

-	_, _, err = cmd.SetUpInstance(ctx, &mig.InstanceSetup, mig.externalSecure)
+	mig.instanceSetup.InstanceName = mig.InstanceName
+	mig.instanceSetup.CustomDomain = mig.CustomDomain
+	mig.instanceSetup.Org = mig.Org
+	mig.instanceSetup.Org.Human.Email.Address = strings.TrimSpace(mig.instanceSetup.Org.Human.Email.Address)
+	if mig.instanceSetup.Org.Human.Email.Address == "" {
+		mig.instanceSetup.Org.Human.Email.Address = "admin@" + mig.instanceSetup.CustomDomain
+	}
+
+	_, _, err = cmd.SetUpInstance(ctx, &mig.instanceSetup)
 	return err
 }

--- a/cmd/admin/setup/config.go
+++ b/cmd/admin/setup/config.go
@ -19,6 +19,7 @@ type Config struct {
 	Database        database.Config
 	SystemDefaults  systemdefaults.SystemDefaults
 	InternalAuthZ   authz.Config
+	ExternalDomain  string
 	ExternalPort    uint16
 	ExternalSecure  bool
 	Log             *logging.Config
--- a/cmd/admin/setup/setup.go
+++ b/cmd/admin/setup/setup.go
@ -3,7 +3,6 @@ package setup
 import (
 	"context"
 	_ "embed"
-	"strings"

 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@ -60,24 +59,14 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.s1ProjectionTable = &ProjectionTable{dbClient: dbClient}
 	steps.s2AssetsTable = &AssetTable{dbClient: dbClient}

-	instanceSetup := config.DefaultInstance
-	instanceSetup.InstanceName = steps.S3DefaultInstance.InstanceSetup.InstanceName
-	instanceSetup.CustomDomain = steps.S3DefaultInstance.InstanceSetup.CustomDomain
-	instanceSetup.Org = steps.S3DefaultInstance.InstanceSetup.Org
-	steps.S3DefaultInstance.InstanceSetup = instanceSetup
-
-	steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address = strings.TrimSpace(steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address)
-	if steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address == "" {
-		steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address = "admin@" + instanceSetup.CustomDomain
-	}
-
-	steps.S3DefaultInstance.es = eventstoreClient
-	steps.S3DefaultInstance.db = dbClient
-	steps.S3DefaultInstance.defaults = config.SystemDefaults
-	steps.S3DefaultInstance.masterKey = masterKey
-	steps.S3DefaultInstance.domain = instanceSetup.CustomDomain
-	steps.S3DefaultInstance.zitadelRoles = config.InternalAuthZ.RolePermissionMappings
+	steps.S3DefaultInstance.instanceSetup = config.DefaultInstance
 	steps.S3DefaultInstance.userEncryptionKey = config.EncryptionKeys.User
+	steps.S3DefaultInstance.masterKey = masterKey
+	steps.S3DefaultInstance.db = dbClient
+	steps.S3DefaultInstance.es = eventstoreClient
+	steps.S3DefaultInstance.defaults = config.SystemDefaults
+	steps.S3DefaultInstance.zitadelRoles = config.InternalAuthZ.RolePermissionMappings
+	steps.S3DefaultInstance.externalDomain = config.ExternalDomain
 	steps.S3DefaultInstance.externalSecure = config.ExternalSecure
 	steps.S3DefaultInstance.externalPort = config.ExternalPort

@ -85,9 +74,9 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	err = migration.Migrate(ctx, eventstoreClient, steps.s1ProjectionTable)
 	logging.OnError(err).Fatal("unable to migrate step 1")
 	err = migration.Migrate(ctx, eventstoreClient, steps.s2AssetsTable)
-	logging.OnError(err).Fatal("unable to migrate step 3")
+	logging.OnError(err).Fatal("unable to migrate step 2")
 	err = migration.Migrate(ctx, eventstoreClient, steps.S3DefaultInstance)
-	logging.OnError(err).Fatal("unable to migrate step 4")
+	logging.OnError(err).Fatal("unable to migrate step 3")
 }

 func initSteps(v *viper.Viper, files ...string) func() {
--- a/cmd/admin/setup/steps.yaml
+++ b/cmd/admin/setup/steps.yaml
@ -1,21 +1,21 @@
 S3DefaultInstance:
-  InstanceSetup:
-    InstanceName: Localhost
-    CustomDomain: localhost
-    Org:
-      Name: ZITADEL
-      Human:
-        UserName: zitadel-admin
-        FirstName: ZITADEL
-        LastName: Admin
-        NickName:
-        DisplayName:
-        Email:
-          Address: #autogenerated if empty. uses domain from config and prefixes admin@. for example: admin@domain.tdl
-          Verified: true
-        PreferredLanguage:
-        Gender:
-        Phone:
-          Number:
-          Verified:
-        Password: Password1!
+  InstanceName: Localhost
+  CustomDomain: localhost
+  Org:
+    Name: ZITADEL
+    Human:
+      UserName: zitadel-admin
+      FirstName: ZITADEL
+      LastName: Admin
+      NickName:
+      DisplayName:
+      Email:
+        Address: #autogenerated if empty. uses domain from config and prefixes admin@. for example: admin@domain.tdl
+        Verified: true
+      PreferredLanguage: en
+      Gender:
+      Phone:
+        Number:
+        Verified:
+      Password: Password1!
+      PasswordChangeRequired: true
--- a/cmd/admin/start/config.go
+++ b/cmd/admin/start/config.go
@ -28,6 +28,7 @@ type Config struct {
 	Log             *logging.Config
 	Port            uint16
 	ExternalPort    uint16
+	ExternalDomain  string
 	ExternalSecure  bool
 	HTTP2HostHeader string
 	HTTP1HostHeader string
--- a/cmd/admin/start/start.go
+++ b/cmd/admin/start/start.go
@ -118,6 +118,7 @@ func startZitadel(config *Config, masterKey string) error {
 		storage,
 		authZRepo,
 		webAuthNConfig,
+		config.ExternalDomain,
 		config.ExternalSecure,
 		config.ExternalPort,
 		keys.IDPConfig,
@ -161,7 +162,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err != nil {
 		return fmt.Errorf("error starting admin repo: %w", err)
 	}
-	if err := authenticatedAPIs.RegisterServer(ctx, system.CreateServer(commands, queries, adminRepo, config.DefaultInstance, config.ExternalSecure)); err != nil {
+	if err := authenticatedAPIs.RegisterServer(ctx, system.CreateServer(commands, queries, adminRepo, config.DefaultInstance)); err != nil {
 		return err
 	}
 	if err := authenticatedAPIs.RegisterServer(ctx, admin.CreateServer(commands, queries, adminRepo, assets.HandlerPrefix, keys.User)); err != nil {
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@ -5,6 +5,7 @@ Log:

 Port: 8080
 ExternalPort: 8080
+ExternalDomain:  #must be provided
 ExternalSecure: true
 HTTP2HostHeader: ":authority"
 HTTP1HostHeader: "host"
@ -172,7 +173,7 @@ DefaultInstance:
      Email:
        Address:
        Verified: false
-      PreferredLanguage:
+      PreferredLanguage: en
      Gender:
      Phone:
        Number:
--- a/internal/api/grpc/admin/user_converter.go
+++ b/internal/api/grpc/admin/user_converter.go
@ -14,16 +14,16 @@ func setUpOrgHumanToCommand(human *admin_grpc.SetUpOrgRequest_Human) command.Add
 	lang, err := language.Parse(human.Profile.PreferredLanguage)
 	logging.OnError(err).Debug("unable to parse language")
 	return command.AddHuman{
-		Username:      human.UserName,
-		FirstName:     human.Profile.FirstName,
-		LastName:      human.Profile.LastName,
-		NickName:      human.Profile.NickName,
-		DisplayName:   human.Profile.DisplayName,
-		PreferredLang: lang,
-		Gender:        user_grpc.GenderToDomain(human.Profile.Gender),
-		Email:         setUpOrgHumanEmailToDomain(human.Email),
-		Phone:         setUpOrgHumanPhoneToDomain(human.Phone),
-		Password:      human.Password,
+		Username:          human.UserName,
+		FirstName:         human.Profile.FirstName,
+		LastName:          human.Profile.LastName,
+		NickName:          human.Profile.NickName,
+		DisplayName:       human.Profile.DisplayName,
+		PreferredLanguage: lang,
+		Gender:            user_grpc.GenderToDomain(human.Profile.Gender),
+		Email:             setUpOrgHumanEmailToDomain(human.Email),
+		Phone:             setUpOrgHumanPhoneToDomain(human.Phone),
+		Password:          human.Password,
 	}
 }

--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@ -209,12 +209,8 @@ func (s *Server) AddHumanUser(ctx context.Context, req *mgmt_pb.AddHumanUserRequ
 			Address:  req.Email.Email,
 			Verified: req.Email.IsEmailVerified,
 		},
-		PreferredLang: lang,
-		Gender:        user_grpc.GenderToDomain(req.Profile.Gender),
-		Phone: command.Phone{
-			Number:   req.Phone.Phone,
-			Verified: req.Phone.IsPhoneVerified,
-		},
+		PreferredLanguage:      lang,
+		Gender:                 user_grpc.GenderToDomain(req.Profile.Gender),
 		Password:               req.InitialPassword,
 		PasswordChangeRequired: true,
 		Passwordless:           false,
--- a/internal/api/grpc/system/instance.go
+++ b/internal/api/grpc/system/instance.go
@ -41,7 +41,7 @@ func (s *Server) GetInstance(ctx context.Context, req *system_pb.GetInstanceRequ
 }

 func (s *Server) AddInstance(ctx context.Context, req *system_pb.AddInstanceRequest) (*system_pb.AddInstanceResponse, error) {
-	id, details, err := s.command.SetUpInstance(ctx, AddInstancePbToSetupInstance(req, s.DefaultInstance), s.ExternalSecure)
+	id, details, err := s.command.SetUpInstance(ctx, AddInstancePbToSetupInstance(req, s.DefaultInstance))
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/system/instance_converter.go
+++ b/internal/api/grpc/system/instance_converter.go
@ -1,13 +1,14 @@
 package system

 import (
+	"golang.org/x/text/language"
+
 	instance_grpc "github.com/zitadel/zitadel/internal/api/grpc/instance"
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/query"
 	instance_pb "github.com/zitadel/zitadel/pkg/grpc/instance"
 	system_pb "github.com/zitadel/zitadel/pkg/grpc/system"
-	"golang.org/x/text/language"
 )

 func AddInstancePbToSetupInstance(req *system_pb.AddInstanceRequest, defaultInstance command.InstanceSetup) *command.InstanceSetup {
@ -35,7 +36,7 @@ func AddInstancePbToSetupInstance(req *system_pb.AddInstanceRequest, defaultInst
 		if req.OwnerProfile.PreferredLanguage != "" {
 			lang, err := language.Parse(req.OwnerProfile.PreferredLanguage)
 			if err == nil {
-				defaultInstance.Org.Human.PreferredLang = lang
+				defaultInstance.Org.Human.PreferredLanguage = lang
 			}
 		}
 	}
--- a/internal/api/grpc/system/server.go
+++ b/internal/api/grpc/system/server.go
@ -25,7 +25,6 @@ type Server struct {
 	query           *query.Queries
 	administrator   repository.AdministratorRepository
 	DefaultInstance command.InstanceSetup
-	ExternalSecure  bool
 }

 type Config struct {
@ -36,13 +35,12 @@ func CreateServer(command *command.Commands,
 	query *query.Queries,
 	repo repository.Repository,
 	defaultInstance command.InstanceSetup,
-	externalSecure bool) *Server {
+) *Server {
 	return &Server{
 		command:         command,
 		query:           query,
 		administrator:   repo,
 		DefaultInstance: defaultInstance,
-		ExternalSecure:  externalSecure,
 	}
 }

--- a/internal/command/command.go
+++ b/internal/command/command.go
@ -10,6 +10,7 @@ import (
 	sd "github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/repository/action"
@ -28,6 +29,7 @@ type Commands struct {
 	static         static.Storage
 	idGenerator    id.Generator
 	zitadelRoles   []authz.RoleMapping
+	externalDomain string
 	externalSecure bool
 	externalPort   uint16

@ -62,6 +64,7 @@ func StartCommands(es *eventstore.Eventstore,
 	staticStore static.Storage,
 	authZRepo authz_repo.Repository,
 	webAuthN *webauthn_helper.Config,
+	externalDomain string,
 	externalSecure bool,
 	externalPort uint16,
 	idpConfigEncryption,
@ -72,11 +75,15 @@ func StartCommands(es *eventstore.Eventstore,
 	domainVerificationEncryption,
 	oidcEncryption crypto.EncryptionAlgorithm,
 ) (repo *Commands, err error) {
+	if externalDomain == "" {
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-Df21s", "not external domain specified")
+	}
 	repo = &Commands{
 		eventstore:            es,
 		static:                staticStore,
 		idGenerator:           id.SonyFlakeGenerator,
 		zitadelRoles:          zitadelRoles,
+		externalDomain:        externalDomain,
 		externalSecure:        externalSecure,
 		externalPort:          externalPort,
 		keySize:               defaults.KeyConfig.Size,
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@ -157,7 +157,7 @@ func (s *InstanceSetup) generateIDs() (err error) {
 	return nil
 }

-func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, externalSecure bool) (string, *domain.ObjectDetails, error) {
+func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (string, *domain.ObjectDetails, error) {
 	instanceID, err := id.SonyFlakeGenerator.Next()
 	if err != nil {
 		return "", nil, err
@ -167,8 +167,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 		return "", nil, err
 	}

-	requestedDomain := authz.GetInstance(ctx).RequestedDomain()
-	ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), requestedDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID})
+	ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), c.externalDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID})

 	orgID, err := id.SonyFlakeGenerator.Next()
 	if err != nil {
@ -185,8 +184,6 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 	}
 	ctx = authz.WithConsole(ctx, setup.zitadel.projectID, setup.zitadel.consoleAppID)

-	setup.Org.Human.PasswordChangeRequired = true
-
 	instanceAgg := instance.NewAggregate(instanceID)
 	orgAgg := org.NewAggregate(orgID)
 	userAgg := user.NewAggregate(userID, orgID)
@ -302,7 +299,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 		ApplicationType:          domain.OIDCApplicationTypeUserAgent,
 		AuthMethodType:           domain.OIDCAuthMethodTypeNone,
 		PostLogoutRedirectUris:   []string{},
-		DevMode:                  !externalSecure,
+		DevMode:                  !c.externalSecure,
 		AccessTokenType:          domain.OIDCTokenTypeBearer,
 		AccessTokenRoleAssertion: false,
 		IDTokenRoleAssertion:     false,
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@ -39,8 +39,8 @@ type AddHuman struct {
 	DisplayName string
 	// Email is required
 	Email Email
-	// PreferredLang is required
-	PreferredLang language.Tag
+	// PreferredLanguage is required
+	PreferredLanguage language.Tag
 	// Gender is required
 	Gender domain.Gender
 	//Phone represents an international phone number
@ -98,6 +98,9 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 			return nil, errors.ThrowInvalidArgument(nil, "V2-zzad3", "Errors.Invalid.Argument")
 		}

+		if human.PreferredLanguage == language.Und {
+			return nil, errors.ThrowInvalidArgument(nil, "USER-Sfd11", "Errors.Invalid.Argument")
+		}
 		if human.FirstName = strings.TrimSpace(human.FirstName); human.FirstName == "" {
 			return nil, errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument")
 		}
@ -130,7 +133,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 					human.LastName,
 					human.NickName,
 					human.DisplayName,
-					human.PreferredLang,
+					human.PreferredLanguage,
 					human.Gender,
 					human.Email.Address,
 					domainPolicy.UserLoginMustBeDomain,
@ -144,7 +147,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 					human.LastName,
 					human.NickName,
 					human.DisplayName,
-					human.PreferredLang,
+					human.PreferredLanguage,
 					human.Gender,
 					human.Email.Address,
 					domainPolicy.UserLoginMustBeDomain,
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@ -93,6 +93,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 			},
 			res: res{
@ -130,6 +131,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Address:  "email@test.ch",
 						Verified: true,
 					},
+					PreferredLanguage: language.English,
 				},
 			},
 			res: res{
@ -210,7 +212,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 									"lastname",
 									"",
 									"firstname lastname",
-									language.Und,
+									language.English,
 									domain.GenderUnspecified,
 									"email@test.ch",
 									true,
@ -257,6 +259,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@ -375,6 +378,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@ -470,6 +474,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Address:  "email@test.ch",
 						Verified: true,
 					},
+					PreferredLanguage:      language.English,
 					PasswordChangeRequired: true,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
@ -554,6 +559,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Phone: Phone{
 						Number: "+41711234567",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@ -668,6 +674,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Number:   "+41711234567",
 						Verified: true,
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@ -920,8 +927,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: true,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@ -940,7 +948,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@ -1001,8 +1009,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: false,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@ -1022,7 +1031,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@ -1094,8 +1103,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@ -1117,7 +1127,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@ -1203,8 +1213,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: false,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@ -1226,7 +1237,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@ -1312,8 +1323,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
@ -1339,7 +1351,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@ -1411,8 +1423,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
@ -1439,7 +1452,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@ -2767,7 +2780,7 @@ func newAddHumanEvent(password string, changeRequired bool, phone string) *user.
 		"lastname",
 		"",
 		"firstname lastname",
-		language.Und,
+		language.English,
 		domain.GenderUnspecified,
 		"email@test.ch",
 		true,
@ -2844,7 +2857,7 @@ func TestAddHumanCommand(t *testing.T) {
 			},
 		},
 		{
-			name: "invalid first name",
+			name: "invalid preferred language",
 			args: args{
 				a: agg,
 				human: &AddHuman{
@ -2854,6 +2867,22 @@ func TestAddHumanCommand(t *testing.T) {
 					},
 				},
 			},
+			want: Want{
+				ValidationErr: errors.ThrowInvalidArgument(nil, "USER-Sfd11", "Errors.Invalid.Argument"),
+			},
+		},
+		{
+			name: "invalid first name",
+			args: args{
+				a: agg,
+				human: &AddHuman{
+					Username:          "username",
+					PreferredLanguage: language.English,
+					Email: Email{
+						Address: "support@zitadel.ch",
+					},
+				},
+			},
 			want: Want{
 				ValidationErr: errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument"),
 			},
@ -2863,9 +2892,10 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Username:  "username",
-					FirstName: "hurst",
-					Email:     Email{Address: "support@zitadel.ch"},
+					Username:          "username",
+					PreferredLanguage: language.English,
+					FirstName:         "hurst",
+					Email:             Email{Address: "support@zitadel.ch"},
 				},
 			},
 			want: Want{
@ -2877,11 +2907,12 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Email:     Email{Address: "support@zitadel.ch"},
-					FirstName: "gigi",
-					LastName:  "giraffe",
-					Password:  "short",
-					Username:  "username",
+					Email:             Email{Address: "support@zitadel.ch"},
+					PreferredLanguage: language.English,
+					FirstName:         "gigi",
+					LastName:          "giraffe",
+					Password:          "short",
+					Username:          "username",
 				},
 				filter: NewMultiFilter().Append(
 					func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
@ -2919,11 +2950,12 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Email:     Email{Address: "support@zitadel.ch", Verified: true},
-					FirstName: "gigi",
-					LastName:  "giraffe",
-					Password:  "",
-					Username:  "username",
+					Email:             Email{Address: "support@zitadel.ch", Verified: true},
+					PreferredLanguage: language.English,
+					FirstName:         "gigi",
+					LastName:          "giraffe",
+					Password:          "",
+					Username:          "username",
 				},
 				passwordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
 				filter: NewMultiFilter().Append(
@ -2963,7 +2995,7 @@ func TestAddHumanCommand(t *testing.T) {
 						"giraffe",
 						"",
 						"gigi giraffe",
-						language.Und,
+						language.English,
 						0,
 						"support@zitadel.ch",
 						true,