fix: setup instance domain handling (#3529)

cmd/admin/setup/03.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	"strings"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command"
@@ -14,15 +15,18 @@ import (
 )
 
 type DefaultInstance struct {
-	InstanceSetup command.InstanceSetup
+	InstanceName string
+	CustomDomain string
+	Org          command.OrgSetup
 
+	instanceSetup     command.InstanceSetup
 	userEncryptionKey *crypto.KeyConfig
 	masterKey         string
 	db                *sql.DB
 	es                *eventstore.Eventstore
-	domain            string
 	defaults          systemdefaults.SystemDefaults
 	zitadelRoles      []authz.RoleMapping
+	externalDomain    string
 	externalSecure    bool
 	externalPort      uint16
 }
@@ -47,6 +51,7 @@ func (mig *DefaultInstance) Execute(ctx context.Context) error {
 		nil,
 		nil,
 		nil,
+		mig.externalDomain,
 		mig.externalSecure,
 		mig.externalPort,
 		nil,
@@ -60,9 +65,16 @@ func (mig *DefaultInstance) Execute(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	ctx = authz.WithRequestedDomain(ctx, mig.domain)
 
-	_, _, err = cmd.SetUpInstance(ctx, &mig.InstanceSetup, mig.externalSecure)
+	mig.instanceSetup.InstanceName = mig.InstanceName
+	mig.instanceSetup.CustomDomain = mig.CustomDomain
+	mig.instanceSetup.Org = mig.Org
+	mig.instanceSetup.Org.Human.Email.Address = strings.TrimSpace(mig.instanceSetup.Org.Human.Email.Address)
+	if mig.instanceSetup.Org.Human.Email.Address == "" {
+		mig.instanceSetup.Org.Human.Email.Address = "admin@" + mig.instanceSetup.CustomDomain
+	}
+
+	_, _, err = cmd.SetUpInstance(ctx, &mig.instanceSetup)
 	return err
 }
 

cmd/admin/setup/config.go

@@ -19,6 +19,7 @@ type Config struct {
 	Database        database.Config
 	SystemDefaults  systemdefaults.SystemDefaults
 	InternalAuthZ   authz.Config
+	ExternalDomain  string
 	ExternalPort    uint16
 	ExternalSecure  bool
 	Log             *logging.Config

cmd/admin/setup/setup.go

@@ -3,7 +3,6 @@ package setup
 import (
 	"context"
 	_ "embed"
-	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -60,24 +59,14 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.s1ProjectionTable = &ProjectionTable{dbClient: dbClient}
 	steps.s2AssetsTable = &AssetTable{dbClient: dbClient}
 
-	instanceSetup := config.DefaultInstance
+	steps.S3DefaultInstance.instanceSetup = config.DefaultInstance
-	instanceSetup.InstanceName = steps.S3DefaultInstance.InstanceSetup.InstanceName
-	instanceSetup.CustomDomain = steps.S3DefaultInstance.InstanceSetup.CustomDomain
-	instanceSetup.Org = steps.S3DefaultInstance.InstanceSetup.Org
-	steps.S3DefaultInstance.InstanceSetup = instanceSetup
-
-	steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address = strings.TrimSpace(steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address)
-	if steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address == "" {
-		steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address = "admin@" + instanceSetup.CustomDomain
-	}
-
-	steps.S3DefaultInstance.es = eventstoreClient
-	steps.S3DefaultInstance.db = dbClient
-	steps.S3DefaultInstance.defaults = config.SystemDefaults
-	steps.S3DefaultInstance.masterKey = masterKey
-	steps.S3DefaultInstance.domain = instanceSetup.CustomDomain
-	steps.S3DefaultInstance.zitadelRoles = config.InternalAuthZ.RolePermissionMappings
 	steps.S3DefaultInstance.userEncryptionKey = config.EncryptionKeys.User
+	steps.S3DefaultInstance.masterKey = masterKey
+	steps.S3DefaultInstance.db = dbClient
+	steps.S3DefaultInstance.es = eventstoreClient
+	steps.S3DefaultInstance.defaults = config.SystemDefaults
+	steps.S3DefaultInstance.zitadelRoles = config.InternalAuthZ.RolePermissionMappings
+	steps.S3DefaultInstance.externalDomain = config.ExternalDomain
 	steps.S3DefaultInstance.externalSecure = config.ExternalSecure
 	steps.S3DefaultInstance.externalPort = config.ExternalPort
 
@@ -85,9 +74,9 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	err = migration.Migrate(ctx, eventstoreClient, steps.s1ProjectionTable)
 	logging.OnError(err).Fatal("unable to migrate step 1")
 	err = migration.Migrate(ctx, eventstoreClient, steps.s2AssetsTable)
-	logging.OnError(err).Fatal("unable to migrate step 3")
+	logging.OnError(err).Fatal("unable to migrate step 2")
 	err = migration.Migrate(ctx, eventstoreClient, steps.S3DefaultInstance)
-	logging.OnError(err).Fatal("unable to migrate step 4")
+	logging.OnError(err).Fatal("unable to migrate step 3")
 }
 
 func initSteps(v *viper.Viper, files ...string) func() {

cmd/admin/setup/steps.yaml

@@ -1,21 +1,21 @@
 S3DefaultInstance:
-  InstanceSetup:
+  InstanceName: Localhost
-    InstanceName: Localhost
+  CustomDomain: localhost
-    CustomDomain: localhost
+  Org:
-    Org:
+    Name: ZITADEL
-      Name: ZITADEL
+    Human:
-      Human:
+      UserName: zitadel-admin
-        UserName: zitadel-admin
+      FirstName: ZITADEL
-        FirstName: ZITADEL
+      LastName: Admin
-        LastName: Admin
+      NickName:
-        NickName:
+      DisplayName:
-        DisplayName:
+      Email:
-        Email:
+        Address: #autogenerated if empty. uses domain from config and prefixes admin@. for example: admin@domain.tdl
-          Address: #autogenerated if empty. uses domain from config and prefixes admin@. for example: admin@domain.tdl
+        Verified: true
-          Verified: true
+      PreferredLanguage: en
-        PreferredLanguage:
+      Gender:
-        Gender:
+      Phone:
-        Phone:
+        Number:
-          Number:
+        Verified:
-          Verified:
+      Password: Password1!
-        Password: Password1!
+      PasswordChangeRequired: true

cmd/admin/start/config.go

@@ -28,6 +28,7 @@ type Config struct {
 	Log             *logging.Config
 	Port            uint16
 	ExternalPort    uint16
+	ExternalDomain  string
 	ExternalSecure  bool
 	HTTP2HostHeader string
 	HTTP1HostHeader string

cmd/admin/start/start.go

@@ -118,6 +118,7 @@ func startZitadel(config *Config, masterKey string) error {
 		storage,
 		authZRepo,
 		webAuthNConfig,
+		config.ExternalDomain,
 		config.ExternalSecure,
 		config.ExternalPort,
 		keys.IDPConfig,
@@ -161,7 +162,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err != nil {
 		return fmt.Errorf("error starting admin repo: %w", err)
 	}
-	if err := authenticatedAPIs.RegisterServer(ctx, system.CreateServer(commands, queries, adminRepo, config.DefaultInstance, config.ExternalSecure)); err != nil {
+	if err := authenticatedAPIs.RegisterServer(ctx, system.CreateServer(commands, queries, adminRepo, config.DefaultInstance)); err != nil {
 		return err
 	}
 	if err := authenticatedAPIs.RegisterServer(ctx, admin.CreateServer(commands, queries, adminRepo, assets.HandlerPrefix, keys.User)); err != nil {

cmd/defaults.yaml

@@ -5,6 +5,7 @@ Log:
 
 Port: 8080
 ExternalPort: 8080
+ExternalDomain:  #must be provided
 ExternalSecure: true
 HTTP2HostHeader: ":authority"
 HTTP1HostHeader: "host"
@@ -172,7 +173,7 @@ DefaultInstance:
       Email:
         Address:
         Verified: false
-      PreferredLanguage:
+      PreferredLanguage: en
       Gender:
       Phone:
         Number:

internal/api/grpc/admin/user_converter.go

@@ -14,16 +14,16 @@ func setUpOrgHumanToCommand(human *admin_grpc.SetUpOrgRequest_Human) command.Add
 	lang, err := language.Parse(human.Profile.PreferredLanguage)
 	logging.OnError(err).Debug("unable to parse language")
 	return command.AddHuman{
-		Username:      human.UserName,
+		Username:          human.UserName,
-		FirstName:     human.Profile.FirstName,
+		FirstName:         human.Profile.FirstName,
-		LastName:      human.Profile.LastName,
+		LastName:          human.Profile.LastName,
-		NickName:      human.Profile.NickName,
+		NickName:          human.Profile.NickName,
-		DisplayName:   human.Profile.DisplayName,
+		DisplayName:       human.Profile.DisplayName,
-		PreferredLang: lang,
+		PreferredLanguage: lang,
-		Gender:        user_grpc.GenderToDomain(human.Profile.Gender),
+		Gender:            user_grpc.GenderToDomain(human.Profile.Gender),
-		Email:         setUpOrgHumanEmailToDomain(human.Email),
+		Email:             setUpOrgHumanEmailToDomain(human.Email),
-		Phone:         setUpOrgHumanPhoneToDomain(human.Phone),
+		Phone:             setUpOrgHumanPhoneToDomain(human.Phone),
-		Password:      human.Password,
+		Password:          human.Password,
 	}
 }
 

internal/api/grpc/management/user.go

@@ -209,12 +209,8 @@ func (s *Server) AddHumanUser(ctx context.Context, req *mgmt_pb.AddHumanUserRequ
 			Address:  req.Email.Email,
 			Verified: req.Email.IsEmailVerified,
 		},
-		PreferredLang: lang,
+		PreferredLanguage:      lang,
-		Gender:        user_grpc.GenderToDomain(req.Profile.Gender),
+		Gender:                 user_grpc.GenderToDomain(req.Profile.Gender),
-		Phone: command.Phone{
-			Number:   req.Phone.Phone,
-			Verified: req.Phone.IsPhoneVerified,
-		},
 		Password:               req.InitialPassword,
 		PasswordChangeRequired: true,
 		Passwordless:           false,

internal/api/grpc/system/instance.go

@@ -41,7 +41,7 @@ func (s *Server) GetInstance(ctx context.Context, req *system_pb.GetInstanceRequ
 }
 
 func (s *Server) AddInstance(ctx context.Context, req *system_pb.AddInstanceRequest) (*system_pb.AddInstanceResponse, error) {
-	id, details, err := s.command.SetUpInstance(ctx, AddInstancePbToSetupInstance(req, s.DefaultInstance), s.ExternalSecure)
+	id, details, err := s.command.SetUpInstance(ctx, AddInstancePbToSetupInstance(req, s.DefaultInstance))
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/system/instance_converter.go

@@ -1,13 +1,14 @@
 package system
 
 import (
+	"golang.org/x/text/language"
+
 	instance_grpc "github.com/zitadel/zitadel/internal/api/grpc/instance"
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/query"
 	instance_pb "github.com/zitadel/zitadel/pkg/grpc/instance"
 	system_pb "github.com/zitadel/zitadel/pkg/grpc/system"
-	"golang.org/x/text/language"
 )
 
 func AddInstancePbToSetupInstance(req *system_pb.AddInstanceRequest, defaultInstance command.InstanceSetup) *command.InstanceSetup {
@@ -35,7 +36,7 @@ func AddInstancePbToSetupInstance(req *system_pb.AddInstanceRequest, defaultInst
 		if req.OwnerProfile.PreferredLanguage != "" {
 			lang, err := language.Parse(req.OwnerProfile.PreferredLanguage)
 			if err == nil {
-				defaultInstance.Org.Human.PreferredLang = lang
+				defaultInstance.Org.Human.PreferredLanguage = lang
 			}
 		}
 	}

internal/api/grpc/system/server.go

@@ -25,7 +25,6 @@ type Server struct {
 	query           *query.Queries
 	administrator   repository.AdministratorRepository
 	DefaultInstance command.InstanceSetup
-	ExternalSecure  bool
 }
 
 type Config struct {
@@ -36,13 +35,12 @@ func CreateServer(command *command.Commands,
 	query *query.Queries,
 	repo repository.Repository,
 	defaultInstance command.InstanceSetup,
-	externalSecure bool) *Server {
+) *Server {
 	return &Server{
 		command:         command,
 		query:           query,
 		administrator:   repo,
 		DefaultInstance: defaultInstance,
-		ExternalSecure:  externalSecure,
 	}
 }
 

internal/command/command.go

@@ -10,6 +10,7 @@ import (
 	sd "github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/repository/action"
@@ -28,6 +29,7 @@ type Commands struct {
 	static         static.Storage
 	idGenerator    id.Generator
 	zitadelRoles   []authz.RoleMapping
+	externalDomain string
 	externalSecure bool
 	externalPort   uint16
 
@@ -62,6 +64,7 @@ func StartCommands(es *eventstore.Eventstore,
 	staticStore static.Storage,
 	authZRepo authz_repo.Repository,
 	webAuthN *webauthn_helper.Config,
+	externalDomain string,
 	externalSecure bool,
 	externalPort uint16,
 	idpConfigEncryption,
@@ -72,11 +75,15 @@ func StartCommands(es *eventstore.Eventstore,
 	domainVerificationEncryption,
 	oidcEncryption crypto.EncryptionAlgorithm,
 ) (repo *Commands, err error) {
+	if externalDomain == "" {
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-Df21s", "not external domain specified")
+	}
 	repo = &Commands{
 		eventstore:            es,
 		static:                staticStore,
 		idGenerator:           id.SonyFlakeGenerator,
 		zitadelRoles:          zitadelRoles,
+		externalDomain:        externalDomain,
 		externalSecure:        externalSecure,
 		externalPort:          externalPort,
 		keySize:               defaults.KeyConfig.Size,

internal/command/instance.go

@@ -157,7 +157,7 @@ func (s *InstanceSetup) generateIDs() (err error) {
 	return nil
 }
 
-func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, externalSecure bool) (string, *domain.ObjectDetails, error) {
+func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (string, *domain.ObjectDetails, error) {
 	instanceID, err := id.SonyFlakeGenerator.Next()
 	if err != nil {
 		return "", nil, err
@@ -167,8 +167,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 		return "", nil, err
 	}
 
-	requestedDomain := authz.GetInstance(ctx).RequestedDomain()
+	ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), c.externalDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID})
-	ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), requestedDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID})
 
 	orgID, err := id.SonyFlakeGenerator.Next()
 	if err != nil {
@@ -185,8 +184,6 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 	}
 	ctx = authz.WithConsole(ctx, setup.zitadel.projectID, setup.zitadel.consoleAppID)
 
-	setup.Org.Human.PasswordChangeRequired = true
-
 	instanceAgg := instance.NewAggregate(instanceID)
 	orgAgg := org.NewAggregate(orgID)
 	userAgg := user.NewAggregate(userID, orgID)
@@ -302,7 +299,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 		ApplicationType:          domain.OIDCApplicationTypeUserAgent,
 		AuthMethodType:           domain.OIDCAuthMethodTypeNone,
 		PostLogoutRedirectUris:   []string{},
-		DevMode:                  !externalSecure,
+		DevMode:                  !c.externalSecure,
 		AccessTokenType:          domain.OIDCTokenTypeBearer,
 		AccessTokenRoleAssertion: false,
 		IDTokenRoleAssertion:     false,

internal/command/user_human.go

@@ -39,8 +39,8 @@ type AddHuman struct {
 	DisplayName string
 	// Email is required
 	Email Email
-	// PreferredLang is required
+	// PreferredLanguage is required
-	PreferredLang language.Tag
+	PreferredLanguage language.Tag
 	// Gender is required
 	Gender domain.Gender
 	//Phone represents an international phone number
@@ -98,6 +98,9 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 			return nil, errors.ThrowInvalidArgument(nil, "V2-zzad3", "Errors.Invalid.Argument")
 		}
 
+		if human.PreferredLanguage == language.Und {
+			return nil, errors.ThrowInvalidArgument(nil, "USER-Sfd11", "Errors.Invalid.Argument")
+		}
 		if human.FirstName = strings.TrimSpace(human.FirstName); human.FirstName == "" {
 			return nil, errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument")
 		}
@@ -130,7 +133,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 					human.LastName,
 					human.NickName,
 					human.DisplayName,
-					human.PreferredLang,
+					human.PreferredLanguage,
 					human.Gender,
 					human.Email.Address,
 					domainPolicy.UserLoginMustBeDomain,
@@ -144,7 +147,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 					human.LastName,
 					human.NickName,
 					human.DisplayName,
-					human.PreferredLang,
+					human.PreferredLanguage,
 					human.Gender,
 					human.Email.Address,
 					domainPolicy.UserLoginMustBeDomain,

internal/command/user_human_test.go

@@ -93,6 +93,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 			},
 			res: res{
@@ -130,6 +131,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Address:  "email@test.ch",
 						Verified: true,
 					},
+					PreferredLanguage: language.English,
 				},
 			},
 			res: res{
@@ -210,7 +212,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 									"lastname",
 									"",
 									"firstname lastname",
-									language.Und,
+									language.English,
 									domain.GenderUnspecified,
 									"email@test.ch",
 									true,
@@ -257,6 +259,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -375,6 +378,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -470,6 +474,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Address:  "email@test.ch",
 						Verified: true,
 					},
+					PreferredLanguage:      language.English,
 					PasswordChangeRequired: true,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
@@ -554,6 +559,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Phone: Phone{
 						Number: "+41711234567",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -668,6 +674,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Number:   "+41711234567",
 						Verified: true,
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -920,8 +927,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: true,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
+						FirstName:         "firstname",
-						LastName:  "lastname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -940,7 +948,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -1001,8 +1009,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: false,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
+						FirstName:         "firstname",
-						LastName:  "lastname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1022,7 +1031,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1094,8 +1103,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
+						FirstName:         "firstname",
-						LastName:  "lastname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1117,7 +1127,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1203,8 +1213,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: false,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
+						FirstName:         "firstname",
-						LastName:  "lastname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1226,7 +1237,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1312,8 +1323,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
+						FirstName:         "firstname",
-						LastName:  "lastname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
@@ -1339,7 +1351,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -1411,8 +1423,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
+						FirstName:         "firstname",
-						LastName:  "lastname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
@@ -1439,7 +1452,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -2767,7 +2780,7 @@ func newAddHumanEvent(password string, changeRequired bool, phone string) *user.
 		"lastname",
 		"",
 		"firstname lastname",
-		language.Und,
+		language.English,
 		domain.GenderUnspecified,
 		"email@test.ch",
 		true,
@@ -2844,7 +2857,7 @@ func TestAddHumanCommand(t *testing.T) {
 			},
 		},
 		{
-			name: "invalid first name",
+			name: "invalid preferred language",
 			args: args{
 				a: agg,
 				human: &AddHuman{
@@ -2854,6 +2867,22 @@ func TestAddHumanCommand(t *testing.T) {
 					},
 				},
 			},
+			want: Want{
+				ValidationErr: errors.ThrowInvalidArgument(nil, "USER-Sfd11", "Errors.Invalid.Argument"),
+			},
+		},
+		{
+			name: "invalid first name",
+			args: args{
+				a: agg,
+				human: &AddHuman{
+					Username:          "username",
+					PreferredLanguage: language.English,
+					Email: Email{
+						Address: "support@zitadel.ch",
+					},
+				},
+			},
 			want: Want{
 				ValidationErr: errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument"),
 			},
@@ -2863,9 +2892,10 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Username:  "username",
+					Username:          "username",
-					FirstName: "hurst",
+					PreferredLanguage: language.English,
-					Email:     Email{Address: "support@zitadel.ch"},
+					FirstName:         "hurst",
+					Email:             Email{Address: "support@zitadel.ch"},
 				},
 			},
 			want: Want{
@@ -2877,11 +2907,12 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Email:     Email{Address: "support@zitadel.ch"},
+					Email:             Email{Address: "support@zitadel.ch"},
-					FirstName: "gigi",
+					PreferredLanguage: language.English,
-					LastName:  "giraffe",
+					FirstName:         "gigi",
-					Password:  "short",
+					LastName:          "giraffe",
-					Username:  "username",
+					Password:          "short",
+					Username:          "username",
 				},
 				filter: NewMultiFilter().Append(
 					func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
@@ -2919,11 +2950,12 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Email:     Email{Address: "support@zitadel.ch", Verified: true},
+					Email:             Email{Address: "support@zitadel.ch", Verified: true},
-					FirstName: "gigi",
+					PreferredLanguage: language.English,
-					LastName:  "giraffe",
+					FirstName:         "gigi",
-					Password:  "",
+					LastName:          "giraffe",
-					Username:  "username",
+					Password:          "",
+					Username:          "username",
 				},
 				passwordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
 				filter: NewMultiFilter().Append(
@@ -2963,7 +2995,7 @@ func TestAddHumanCommand(t *testing.T) {
 						"giraffe",
 						"",
 						"gigi giraffe",
-						language.Und,
+						language.English,
 						0,
 						"support@zitadel.ch",
 						true,