fix: handle default org id (#3769)

2025-08-12 00:57:33 +00:00 · 2022-06-03 14:30:39 +02:00
parent ebb73186b6
commit 0baaaf8a05
38 changed files with 331 additions and 158 deletions
--- a/internal/api/ui/login/custom_action.go
+++ b/internal/api/ui/login/custom_action.go
@@ -16,12 +16,9 @@ func (l *Login) customExternalUserMapping(ctx context.Context, user *domain.Exte
 	if resourceOwner == "" {
 		resourceOwner = config.AggregateID
 	}
-	if resourceOwner == authz.GetInstance(ctx).InstanceID() {
-		iam, err := l.query.Instance(ctx)
-		if err != nil {
-			return nil, err
-		}
-		resourceOwner = iam.GlobalOrgID
+	instance := authz.GetInstance(ctx)
+	if resourceOwner == instance.InstanceID() {
+		resourceOwner = instance.DefaultOrganisationID()
 	}
 	triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeExternalAuthentication, domain.TriggerTypePostAuthentication, resourceOwner)
 	if err != nil {
--- a/internal/api/ui/login/external_login_handler.go
+++ b/internal/api/ui/login/external_login_handler.go
@@ -12,6 +12,7 @@ import (
 	"github.com/zitadel/oidc/v2/pkg/oidc"
 	"golang.org/x/oauth2"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	http_mw "github.com/zitadel/zitadel/internal/api/http/middleware"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
@@ -204,32 +205,26 @@ func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.R
 		if errors.IsNotFound(err) {
 			err = nil
 		}
-		iam, err := l.query.Instance(r.Context())
-		if err != nil {
-			l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
-			return
-		}
+		resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()

-		resourceOwner := iam.GlobalOrgID
-
-		if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != iam.GlobalOrgID {
+		if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
 			resourceOwner = authReq.RequestedOrgID
 		}

 		orgIAMPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
 		if err != nil {
-			l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
+			l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
 			return
 		}

 		human, idpLinking, _ := l.mapExternalUserToLoginUser(orgIAMPolicy, externalUser, idpConfig)
 		if !idpConfig.AutoRegister {
-			l.renderExternalNotFoundOption(w, r, authReq, iam, orgIAMPolicy, human, idpLinking, err)
+			l.renderExternalNotFoundOption(w, r, authReq, orgIAMPolicy, human, idpLinking, err)
 			return
 		}
 		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
 		if err != nil {
-			l.renderExternalNotFoundOption(w, r, authReq, iam, orgIAMPolicy, human, idpLinking, err)
+			l.renderExternalNotFoundOption(w, r, authReq, orgIAMPolicy, human, idpLinking, err)
 			return
 		}
 		l.handleAutoRegister(w, r, authReq)
@@ -249,20 +244,15 @@ func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.R
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, iam *query.Instance, orgIAMPolicy *query.DomainPolicy, human *domain.Human, externalIDP *domain.UserIDPLink, err error) {
+func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, orgIAMPolicy *query.DomainPolicy, human *domain.Human, externalIDP *domain.UserIDPLink, err error) {
 	var errID, errMessage string
 	if err != nil {
 		errID, errMessage = l.getErrorMessage(r, err)
 	}
 	if orgIAMPolicy == nil {
-		iam, err = l.query.Instance(r.Context())
-		if err != nil {
-			l.renderError(w, r, authReq, err)
-			return
-		}
-		resourceOwner := iam.GlobalOrgID
+		resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()

-		if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != iam.GlobalOrgID {
+		if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
 			resourceOwner = authReq.RequestedOrgID
 		}

@@ -317,7 +307,7 @@ func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http
 	data := new(externalNotFoundOptionFormData)
 	authReq, err := l.getAuthRequestAndParseData(r, data)
 	if err != nil {
-		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
+		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
 		return
 	}
 	if data.Link {
@@ -327,7 +317,7 @@ func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
 		err = l.authRepo.ResetLinkingUsers(r.Context(), authReq.ID, userAgentID)
 		if err != nil {
-			l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
+			l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
 		}
 		l.handleLogin(w, r)
 		return
@@ -336,29 +326,23 @@ func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http
 }

 func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
-	iam, err := l.query.Instance(r.Context())
-	if err != nil {
-		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
-		return
-	}
-
-	resourceOwner := iam.GlobalOrgID
+	resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
 	memberRoles := []string{domain.RoleSelfManagementGlobal}

-	if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != iam.GlobalOrgID {
+	if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
 		memberRoles = nil
 		resourceOwner = authReq.RequestedOrgID
 	}

 	orgIamPolicy, err := l.getOrgDomainPolicy(r, resourceOwner)
 	if err != nil {
-		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
+		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
 		return
 	}

 	idpConfig, err := l.authRepo.GetIDPConfigByID(r.Context(), authReq.SelectedIDPConfigID)
 	if err != nil {
-		l.renderExternalNotFoundOption(w, r, authReq, iam, orgIamPolicy, nil, nil, err)
+		l.renderExternalNotFoundOption(w, r, authReq, orgIamPolicy, nil, nil, err)
 		return
 	}

@@ -371,12 +355,12 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR
 	user, externalIDP, metadata := l.mapExternalUserToLoginUser(orgIamPolicy, linkingUser, idpConfig)
 	user, metadata, err = l.customExternalUserToLoginUserMapping(user, nil, authReq, idpConfig, metadata, resourceOwner)
 	if err != nil {
-		l.renderExternalNotFoundOption(w, r, authReq, iam, orgIamPolicy, nil, nil, err)
+		l.renderExternalNotFoundOption(w, r, authReq, orgIamPolicy, nil, nil, err)
 		return
 	}
 	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, memberRoles, authReq.ID, userAgentID, resourceOwner, metadata, domain.BrowserInfoFromRequest(r))
 	if err != nil {
-		l.renderExternalNotFoundOption(w, r, authReq, iam, orgIamPolicy, user, externalIDP, err)
+		l.renderExternalNotFoundOption(w, r, authReq, orgIamPolicy, user, externalIDP, err)
 		return
 	}
 	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
--- a/internal/api/ui/login/external_register_handler.go
+++ b/internal/api/ui/login/external_register_handler.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/oidc/v2/pkg/oidc"
 	"golang.org/x/text/language"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	http_mw "github.com/zitadel/zitadel/internal/api/http/middleware"
 	"github.com/zitadel/zitadel/internal/domain"
 	iam_model "github.com/zitadel/zitadel/internal/iam/model"
@@ -111,12 +112,7 @@ func (l *Login) handleExternalRegisterCallback(w http.ResponseWriter, r *http.Re
 }

 func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
-	iam, err := l.query.Instance(r.Context())
-	if err != nil {
-		l.renderRegisterOption(w, r, authReq, err)
-		return
-	}
-	resourceOwner := iam.GlobalOrgID
+	resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
 	if authReq.RequestedOrgID != "" {
 		resourceOwner = authReq.RequestedOrgID
 	}
@@ -134,11 +130,11 @@ func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Reques
 		l.renderExternalRegisterOverview(w, r, authReq, orgIamPolicy, user, externalIDP, nil)
 		return
 	}
-	l.registerExternalUser(w, r, authReq, iam, user, externalIDP)
+	l.registerExternalUser(w, r, authReq, user, externalIDP)
 }

-func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, iam *query.Instance, user *domain.Human, externalIDP *domain.UserIDPLink) {
-	resourceOwner := iam.GlobalOrgID
+func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, user *domain.Human, externalIDP *domain.UserIDPLink) {
+	resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
 	memberRoles := []string{domain.RoleSelfManagementGlobal}

 	if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
@@ -204,15 +200,10 @@ func (l *Login) handleExternalRegisterCheck(w http.ResponseWriter, r *http.Reque
 		return
 	}

-	iam, err := l.query.Instance(r.Context())
-	if err != nil {
-		l.renderRegisterOption(w, r, authReq, err)
-		return
-	}
-	resourceOwner := iam.GlobalOrgID
+	resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
 	memberRoles := []string{domain.RoleSelfManagementGlobal}

-	if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != iam.GlobalOrgID {
+	if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != resourceOwner {
 		memberRoles = nil
 		resourceOwner = authReq.RequestedOrgID
 	}
--- a/internal/api/ui/login/jwt_handler.go
+++ b/internal/api/ui/login/jwt_handler.go
@@ -112,7 +112,7 @@ func (l *Login) jwtExtractionUserNotFound(w http.ResponseWriter, r *http.Request
 		err = nil
 	}
 	if !idpConfig.AutoRegister {
-		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
+		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
 		return
 	}
 	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
--- a/internal/api/ui/login/login_handler.go
+++ b/internal/api/ui/login/login_handler.go
@@ -98,10 +98,13 @@ func (l *Login) renderLogin(w http.ResponseWriter, r *http.Request, authReq *dom
 	data := l.getUserData(r, authReq, "Login", errID, errMessage)
 	funcs := map[string]interface{}{
 		"hasUsernamePasswordLogin": func() bool {
-			return authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowUsernamePassword
+			return authReq != nil && authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowUsernamePassword
 		},
 		"hasExternalLogin": func() bool {
-			return authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowExternalIDP && authReq.AllowedExternalIDPs != nil && len(authReq.AllowedExternalIDPs) > 0
+			return authReq != nil && authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowExternalIDP && authReq.AllowedExternalIDPs != nil && len(authReq.AllowedExternalIDPs) > 0
+		},
+		"hasRegistration": func() bool {
+			return authReq != nil && authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowRegister
 		},
 	}
 	l.renderer.RenderTemplate(w, r, l.getTranslator(r.Context(), authReq), l.renderer.Templates[tmplLogin], data, funcs)
--- a/internal/api/ui/login/register_handler.go
+++ b/internal/api/ui/login/register_handler.go
@@ -5,6 +5,7 @@ import (

 	"golang.org/x/text/language"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	http_mw "github.com/zitadel/zitadel/internal/api/http/middleware"
 	"github.com/zitadel/zitadel/internal/domain"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
@@ -61,16 +62,11 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
 		l.renderRegister(w, r, authRequest, data, err)
 		return
 	}
-	iam, err := l.query.Instance(r.Context())
-	if err != nil {
-		l.renderRegister(w, r, authRequest, data, err)
-		return
-	}

-	resourceOwner := iam.GlobalOrgID
+	resourceOwner := authz.GetInstance(r.Context()).DefaultOrganisationID()
 	memberRoles := []string{domain.RoleSelfManagementGlobal}

-	if authRequest != nil && authRequest.RequestedOrgID != "" && authRequest.RequestedOrgID != iam.GlobalOrgID {
+	if authRequest != nil && authRequest.RequestedOrgID != "" && authRequest.RequestedOrgID != resourceOwner {
 		memberRoles = nil
 		resourceOwner = authRequest.RequestedOrgID
 	}
@@ -114,10 +110,6 @@ func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authReque
 	if formData.Language == "" {
 		formData.Language = l.renderer.ReqLang(translator, r).String()
 	}
-	data := registerData{
-		baseData:         l.getBaseData(r, authRequest, "Register", errID, errMessage),
-		registerFormData: *formData,
-	}

 	var resourceOwner string
 	if authRequest != nil {
@@ -125,12 +117,12 @@ func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authReque
 	}

 	if resourceOwner == "" {
-		iam, err := l.query.Instance(r.Context())
-		if err != nil {
-			l.renderRegister(w, r, authRequest, formData, err)
-			return
-		}
-		resourceOwner = iam.GlobalOrgID
+		resourceOwner = authz.GetInstance(r.Context()).DefaultOrganisationID()
+	}
+
+	data := registerData{
+		baseData:         l.getBaseData(r, authRequest, "Register", errID, errMessage),
+		registerFormData: *formData,
 	}

 	pwPolicy, description, _ := l.getPasswordComplexityPolicy(r, authRequest, resourceOwner)
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -211,6 +211,9 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, staticStorage
 		"hasExternalLogin": func() bool {
 			return false
 		},
+		"hasRegistration": func() bool {
+			return true
+		},
 		"idpProviderClass": func(stylingType domain.IDPConfigStylingType) string {
 			return stylingType.GetCSSClass()
 		},
@@ -299,7 +302,7 @@ func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *
 	case *domain.LinkUsersStep:
 		l.linkUsers(w, r, authReq, err)
 	case *domain.ExternalNotFoundOptionStep:
-		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
+		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
 	case *domain.ExternalLoginStep:
 		l.handleExternalLoginStep(w, r, authReq, step.SelectedIDPConfigID)
 	case *domain.GrantRequiredStep:
@@ -346,7 +349,7 @@ func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, title
 		PrivateLabelingOrgID:   l.getPrivateLabelingID(r, authReq),
 		OrgID:                  l.getOrgID(r, authReq),
 		OrgName:                l.getOrgName(authReq),
-		PrimaryDomain:          l.getOrgPrimaryDomain(authReq),
+		PrimaryDomain:          l.getOrgPrimaryDomain(r, authReq),
 		DisplayLoginNameSuffix: l.isDisplayLoginNameSuffix(authReq),
 		AuthReqID:              getRequestID(authReq, r),
 		CSRF:                   csrf.TemplateField(r),
@@ -490,11 +493,17 @@ func (l *Login) getOrgName(authReq *domain.AuthRequest) string {
 	return authReq.RequestedOrgName
 }

-func (l *Login) getOrgPrimaryDomain(authReq *domain.AuthRequest) string {
-	if authReq == nil {
+func (l *Login) getOrgPrimaryDomain(r *http.Request, authReq *domain.AuthRequest) string {
+	orgID := authz.GetInstance(r.Context()).DefaultOrganisationID()
+	if authReq != nil && authReq.RequestedPrimaryDomain != "" {
+		return authReq.RequestedPrimaryDomain
+	}
+	org, err := l.query.OrgByID(r.Context(), orgID)
+	if err != nil {
+		logging.New().WithError(err).Error("cannot get default org")
 		return ""
 	}
-	return authReq.RequestedPrimaryDomain
+	return org.Domain
 }

 func (l *Login) isDisplayLoginNameSuffix(authReq *domain.AuthRequest) bool {
--- a/internal/api/ui/login/static/templates/external_not_found_option.html
+++ b/internal/api/ui/login/static/templates/external_not_found_option.html
@@ -39,7 +39,7 @@
            <div class="lgn-suffix-wrapper">
                <input class="lgn-input lgn-suffix-input" type="text" id="username" name="username"
                       value="{{ .Username }}" required>
-                {{if .DisplayLoginNameSuffix}}
+                {{if .ShowUsername}}
                <span id="default-login-suffix" lgnsuffix class="loginname-suffix">@{{.PrimaryDomain}}</span>
                {{end}}
            </div>
--- a/internal/api/ui/login/static/templates/external_register_overview.html
+++ b/internal/api/ui/login/static/templates/external_register_overview.html
@@ -39,7 +39,7 @@
            <div class="lgn-suffix-wrapper">
                <input class="lgn-input lgn-suffix-input" type="text" id="username" name="username"
                       value="{{ .Username }}" required>
-                {{if .DisplayLoginNameSuffix}}
+                {{if .ShowUsername}}
                <span id="default-login-suffix" lgnsuffix class="loginname-suffix">@{{.PrimaryDomain}}</span>
                {{end}}
            </div>
--- a/internal/api/ui/login/static/templates/login.html
+++ b/internal/api/ui/login/static/templates/login.html
@@ -35,7 +35,7 @@
    <div class="lgn-actions lgn-reverse-order">
        <button class="lgn-raised-button lgn-primary lgn-initial-focus" id="submit-button" type="submit">{{t "Login.NextButtonText"}}</button>
        <span class="fill-space"></span>
-        {{if .LoginPolicy.AllowRegister}}
+        {{if hasRegistration}}
        <button class="lgn-stroked-button" name="register" value="true" formnovalidate>{{t "Login.RegisterButtonText"}}</button>
        {{end}}
    </div>
@@ -60,4 +60,4 @@
 <script src="{{ resourceUrl "scripts/default_form_validation.js" }}"></script>
 <script src="{{ resourceUrl "scripts/input_suffix_offset.js" }}"></script>

-{{template "main-bottom" .}}
+{{template "main-bottom" .}}
--- a/internal/api/ui/login/static/templates/register.html
+++ b/internal/api/ui/login/static/templates/register.html
@@ -42,7 +42,7 @@
            <label class="lgn-label" for="username">{{t "RegistrationUser.UsernameLabel"}}</label>
            <div class="lgn-suffix-wrapper">
                <input class="lgn-input lgn-suffix-input" type="text" id="username" name="username" autocomplete="email" value="{{ .Email }}" required>
-                {{if .DisplayLoginNameSuffix}}
+                {{if .ShowUsername}}
                    <span id="default-login-suffix" lgnsuffix class="loginname-suffix">@{{.PrimaryDomain}}</span>
                {{end}}
            </div>