feat: Hosted login translation API (#10011)

# Which Problems Are Solved

This PR implements https://github.com/zitadel/zitadel/issues/9850

# How the Problems Are Solved

  - New protobuf definition
  - Implementation of retrieval of system translations
- Implementation of retrieval and persistence of organization and
instance level translations

# Additional Context

- Closes #9850

# TODO

- [x] Integration tests for Get and Set hosted login translation
endpoints
- [x] DB migration test
- [x] Command function tests
- [x] Command util functions tests
- [x] Query function test
- [x] Query util functions tests

go.mod

@@ -7,6 +7,7 @@ toolchain go1.24.1
 require (
 	cloud.google.com/go/profiler v0.4.2
 	cloud.google.com/go/storage v1.54.0
+	dario.cat/mergo v1.0.2
 	github.com/BurntSushi/toml v1.5.0
 	github.com/DATA-DOG/go-sqlmock v1.5.2
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v1.27.0
@@ -65,6 +66,7 @@ require (
 	github.com/riverqueue/river v0.22.0
 	github.com/riverqueue/river/riverdriver v0.22.0
 	github.com/riverqueue/river/rivertype v0.22.0
+	github.com/riverqueue/rivercontrib/otelriver v0.5.0
 	github.com/rs/cors v1.11.1
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/shopspring/decimal v1.3.1
@@ -146,7 +148,6 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/riverqueue/river/rivershared v0.22.0 // indirect
-	github.com/riverqueue/rivercontrib/otelriver v0.5.0 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect

go.sum

@@ -24,6 +24,8 @@ cloud.google.com/go/storage v1.54.0 h1:Du3XEyliAiftfyW0bwfdppm2MMLdpVAfiIg4T2nAI
 cloud.google.com/go/storage v1.54.0/go.mod h1:hIi9Boe8cHxTyaeqh7KMMwKg088VblFK46C2x/BWaZE=
 cloud.google.com/go/trace v1.11.3 h1:c+I4YFjxRQjvAhRmSsmjpASUKq88chOX854ied0K/pE=
 cloud.google.com/go/trace v1.11.3/go.mod h1:pt7zCYiDSQjC9Y2oqCsh9jF4GStB/hmjrYLsxRR27q8=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=

internal/api/authz/context_mock.go

@@ -1,10 +1,28 @@
 package authz
 
-import "context"
+import (
+	"context"
 
-func NewMockContext(instanceID, orgID, userID string) context.Context {
+	"golang.org/x/text/language"
+)
+
+type MockContextInstanceOpts func(i *instance)
+
+func WithMockDefaultLanguage(lang language.Tag) MockContextInstanceOpts {
+	return func(i *instance) {
+		i.defaultLanguage = lang
+	}
+}
+
+func NewMockContext(instanceID, orgID, userID string, opts ...MockContextInstanceOpts) context.Context {
 	ctx := context.WithValue(context.Background(), dataKey, CtxData{UserID: userID, OrgID: orgID})
-	return context.WithValue(ctx, instanceKey, &instance{id: instanceID})
+
+	i := &instance{id: instanceID}
+	for _, o := range opts {
+		o(i)
+	}
+
+	return context.WithValue(ctx, instanceKey, i)
 }
 
 func NewMockContextWithAgent(instanceID, orgID, userID, agentID string) context.Context {

internal/api/grpc/settings/v2/integration_test/query_test.go

@@ -0,0 +1,432 @@
+//go:build integration
+
+package settings_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/structpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/idp"
+	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
+	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
+)
+
+func TestServer_GetSecuritySettings(t *testing.T) {
+	_, err := Client.SetSecuritySettings(AdminCTX, &settings.SetSecuritySettingsRequest{
+		EmbeddedIframe: &settings.EmbeddedIframeSettings{
+			Enabled:        true,
+			AllowedOrigins: []string{"foo", "bar"},
+		},
+		EnableImpersonation: true,
+	})
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		want    *settings.GetSecuritySettingsResponse
+		wantErr bool
+	}{
+		{
+			name:    "permission error",
+			ctx:     Instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
+			wantErr: true,
+		},
+		{
+			name: "success",
+			ctx:  AdminCTX,
+			want: &settings.GetSecuritySettingsResponse{
+				Settings: &settings.SecuritySettings{
+					EmbeddedIframe: &settings.EmbeddedIframeSettings{
+						Enabled:        true,
+						AllowedOrigins: []string{"foo", "bar"},
+					},
+					EnableImpersonation: true,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.ctx, time.Minute)
+			assert.EventuallyWithT(t, func(ct *assert.CollectT) {
+				resp, err := Client.GetSecuritySettings(tt.ctx, &settings.GetSecuritySettingsRequest{})
+				if tt.wantErr {
+					assert.Error(ct, err)
+					return
+				}
+				if !assert.NoError(ct, err) {
+					return
+				}
+				got, want := resp.GetSettings(), tt.want.GetSettings()
+				assert.Equal(ct, want.GetEmbeddedIframe().GetEnabled(), got.GetEmbeddedIframe().GetEnabled(), "enable iframe embedding")
+				assert.Equal(ct, want.GetEmbeddedIframe().GetAllowedOrigins(), got.GetEmbeddedIframe().GetAllowedOrigins(), "allowed origins")
+				assert.Equal(ct, want.GetEnableImpersonation(), got.GetEnableImpersonation(), "enable impersonation")
+			}, retryDuration, tick)
+		})
+	}
+}
+
+func idpResponse(id, name string, linking, creation, autoCreation, autoUpdate bool, autoLinking idp_pb.AutoLinkingOption) *settings.IdentityProvider {
+	return &settings.IdentityProvider{
+		Id:   id,
+		Name: name,
+		Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OAUTH,
+		Options: &idp_pb.Options{
+			IsLinkingAllowed:  linking,
+			IsCreationAllowed: creation,
+			IsAutoCreation:    autoCreation,
+			IsAutoUpdate:      autoUpdate,
+			AutoLinking:       autoLinking,
+		},
+	}
+}
+
+func TestServer_GetActiveIdentityProviders(t *testing.T) {
+	instance := integration.NewInstance(CTX)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, gofakeit.AppName()) // inactive
+	idpActiveName := gofakeit.AppName()
+	idpActiveResp := instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, idpActiveName)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpActiveResp.GetId())
+	idpActiveResponse := idpResponse(idpActiveResp.GetId(), idpActiveName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpLinkingDisallowedName := gofakeit.AppName()
+	idpLinkingDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpLinkingDisallowedName, false, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpLinkingDisallowedResp.GetId())
+	idpLinkingDisallowedResponse := idpResponse(idpLinkingDisallowedResp.GetId(), idpLinkingDisallowedName, false, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpCreationDisallowedName := gofakeit.AppName()
+	idpCreationDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpCreationDisallowedName, true, false, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpCreationDisallowedResp.GetId())
+	idpCreationDisallowedResponse := idpResponse(idpCreationDisallowedResp.GetId(), idpCreationDisallowedName, true, false, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpNoAutoCreationName := gofakeit.AppName()
+	idpNoAutoCreationResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoCreationName, true, true, false, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoCreationResp.GetId())
+	idpNoAutoCreationResponse := idpResponse(idpNoAutoCreationResp.GetId(), idpNoAutoCreationName, true, true, false, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
+	idpNoAutoLinkingName := gofakeit.AppName()
+	idpNoAutoLinkingResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoLinkingName, true, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
+	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoLinkingResp.GetId())
+	idpNoAutoLinkingResponse := idpResponse(idpNoAutoLinkingResp.GetId(), idpNoAutoLinkingName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
+
+	type args struct {
+		ctx context.Context
+		req *settings.GetActiveIdentityProvidersRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *settings.GetActiveIdentityProvidersResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
+				req: &settings.GetActiveIdentityProvidersRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success, all",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 5,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoCreationResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, exclude linking disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					LinkingAllowed: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoCreationResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, only linking disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					LinkingAllowed: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpLinkingDisallowedResponse,
+				},
+			},
+		},
+		{
+			name: "success, exclude creation disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					CreationAllowed: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpNoAutoCreationResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, only creation disallowed",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					CreationAllowed: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpCreationDisallowedResponse,
+				},
+			},
+		},
+		{
+			name: "success, auto creation",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoCreation: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, no auto creation",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoCreation: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpNoAutoCreationResponse,
+				},
+			},
+		},
+		{
+			name: "success, auto linking",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoLinking: gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 4,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+					idpLinkingDisallowedResponse,
+					idpCreationDisallowedResponse,
+					idpNoAutoCreationResponse,
+				},
+			},
+		},
+		{
+			name: "success, no auto linking",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					AutoLinking: gu.Ptr(false),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpNoAutoLinkingResponse,
+				},
+			},
+		},
+		{
+			name: "success, exclude all",
+			args: args{
+				ctx: isolatedIAMOwnerCTX,
+				req: &settings.GetActiveIdentityProvidersRequest{
+					LinkingAllowed:  gu.Ptr(true),
+					CreationAllowed: gu.Ptr(true),
+					AutoCreation:    gu.Ptr(true),
+					AutoLinking:     gu.Ptr(true),
+				},
+			},
+			want: &settings.GetActiveIdentityProvidersResponse{
+				Details: &object_pb.ListDetails{
+					TotalResult: 1,
+					Timestamp:   timestamppb.Now(),
+				},
+				IdentityProviders: []*settings.IdentityProvider{
+					idpActiveResponse,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
+			assert.EventuallyWithT(t, func(ct *assert.CollectT) {
+				got, err := instance.Client.SettingsV2.GetActiveIdentityProviders(tt.args.ctx, tt.args.req)
+				if tt.wantErr {
+					assert.Error(ct, err)
+					return
+				}
+				if !assert.NoError(ct, err) {
+					return
+				}
+				for i, result := range tt.want.GetIdentityProviders() {
+					assert.EqualExportedValues(ct, result, got.GetIdentityProviders()[i])
+				}
+				integration.AssertListDetails(ct, tt.want, got)
+			}, retryDuration, tick)
+		})
+	}
+}
+
+func TestServer_GetHostedLoginTranslation(t *testing.T) {
+	// Given
+	translations := map[string]any{"loginTitle": gofakeit.Slogan()}
+
+	protoTranslations, err := structpb.NewStruct(translations)
+	require.NoError(t, err)
+
+	setupRequest := &settings.SetHostedLoginTranslationRequest{
+		Level: &settings.SetHostedLoginTranslationRequest_OrganizationId{
+			OrganizationId: Instance.DefaultOrg.GetId(),
+		},
+		Translations: protoTranslations,
+		Locale:       gofakeit.LanguageBCP(),
+	}
+	savedTranslation, err := Client.SetHostedLoginTranslation(AdminCTX, setupRequest)
+	require.NoError(t, err)
+
+	tt := []struct {
+		testName     string
+		inputCtx     context.Context
+		inputRequest *settings.GetHostedLoginTranslationRequest
+
+		expectedErrorCode codes.Code
+		expectedErrorMsg  string
+		expectedResponse  *settings.GetHostedLoginTranslationResponse
+	}{
+		{
+			testName:          "when unauthN context should return unauthN error",
+			inputCtx:          CTX,
+			inputRequest:      &settings.GetHostedLoginTranslationRequest{Locale: "en-US"},
+			expectedErrorCode: codes.Unauthenticated,
+			expectedErrorMsg:  "auth header missing",
+		},
+		{
+			testName:          "when unauthZ context should return unauthZ error",
+			inputCtx:          OrgOwnerCtx,
+			inputRequest:      &settings.GetHostedLoginTranslationRequest{Locale: "en-US"},
+			expectedErrorCode: codes.PermissionDenied,
+			expectedErrorMsg:  "No matching permissions found (AUTH-5mWD2)",
+		},
+		{
+			testName: "when authZ request should save to db and return etag",
+			inputCtx: AdminCTX,
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Level: &settings.GetHostedLoginTranslationRequest_OrganizationId{
+					OrganizationId: Instance.DefaultOrg.GetId(),
+				},
+				Locale: setupRequest.GetLocale(),
+			},
+			expectedResponse: &settings.GetHostedLoginTranslationResponse{
+				Etag:         savedTranslation.GetEtag(),
+				Translations: protoTranslations,
+			},
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.testName, func(t *testing.T) {
+			// When
+			res, err := Client.GetHostedLoginTranslation(tc.inputCtx, tc.inputRequest)
+
+			// Then
+			assert.Equal(t, tc.expectedErrorCode, status.Code(err))
+			assert.Equal(t, tc.expectedErrorMsg, status.Convert(err).Message())
+
+			if tc.expectedErrorMsg == "" {
+				require.NoError(t, err)
+				assert.NotEmpty(t, res.GetEtag())
+				assert.NotEmpty(t, res.GetTranslations().GetFields())
+			}
+		})
+	}
+}

internal/api/grpc/settings/v2/integration_test/server_test.go

@@ -13,9 +13,9 @@ import (
 )
 
 var (
-	CTX, AdminCTX context.Context
+	CTX, AdminCTX, UserTypeLoginCtx, OrgOwnerCtx context.Context
-	Instance      *integration.Instance
+	Instance                                     *integration.Instance
-	Client        settings.SettingsServiceClient
+	Client                                       settings.SettingsServiceClient
 )
 
 func TestMain(m *testing.M) {
@@ -27,6 +27,9 @@ func TestMain(m *testing.M) {
 
 		CTX = ctx
 		AdminCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
+		UserTypeLoginCtx = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
+		OrgOwnerCtx = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
+
 		Client = Instance.Client.SettingsV2
 		return m.Run()
 	}())

internal/api/grpc/settings/v2/integration_test/settings_test.go

@@ -4,78 +4,23 @@ package settings_test
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/hex"
+	"fmt"
 	"testing"
-	"time"
 
-	"github.com/brianvoe/gofakeit/v6"
-	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/zitadel/zitadel/internal/integration"
-	"github.com/zitadel/zitadel/pkg/grpc/idp"
-	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
 	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
-func TestServer_GetSecuritySettings(t *testing.T) {
-	_, err := Client.SetSecuritySettings(AdminCTX, &settings.SetSecuritySettingsRequest{
-		EmbeddedIframe: &settings.EmbeddedIframeSettings{
-			Enabled:        true,
-			AllowedOrigins: []string{"foo", "bar"},
-		},
-		EnableImpersonation: true,
-	})
-	require.NoError(t, err)
-
-	tests := []struct {
-		name    string
-		ctx     context.Context
-		want    *settings.GetSecuritySettingsResponse
-		wantErr bool
-	}{
-		{
-			name:    "permission error",
-			ctx:     Instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
-			wantErr: true,
-		},
-		{
-			name: "success",
-			ctx:  AdminCTX,
-			want: &settings.GetSecuritySettingsResponse{
-				Settings: &settings.SecuritySettings{
-					EmbeddedIframe: &settings.EmbeddedIframeSettings{
-						Enabled:        true,
-						AllowedOrigins: []string{"foo", "bar"},
-					},
-					EnableImpersonation: true,
-				},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.ctx, time.Minute)
-			assert.EventuallyWithT(t, func(ct *assert.CollectT) {
-				resp, err := Client.GetSecuritySettings(tt.ctx, &settings.GetSecuritySettingsRequest{})
-				if tt.wantErr {
-					assert.Error(ct, err)
-					return
-				}
-				if !assert.NoError(ct, err) {
-					return
-				}
-				got, want := resp.GetSettings(), tt.want.GetSettings()
-				assert.Equal(ct, want.GetEmbeddedIframe().GetEnabled(), got.GetEmbeddedIframe().GetEnabled(), "enable iframe embedding")
-				assert.Equal(ct, want.GetEmbeddedIframe().GetAllowedOrigins(), got.GetEmbeddedIframe().GetAllowedOrigins(), "allowed origins")
-				assert.Equal(ct, want.GetEnableImpersonation(), got.GetEnableImpersonation(), "enable impersonation")
-			}, retryDuration, tick)
-		})
-	}
-}
-
 func TestServer_SetSecuritySettings(t *testing.T) {
 	type args struct {
 		ctx context.Context
@@ -183,280 +128,64 @@ func TestServer_SetSecuritySettings(t *testing.T) {
 	}
 }
 
-func idpResponse(id, name string, linking, creation, autoCreation, autoUpdate bool, autoLinking idp_pb.AutoLinkingOption) *settings.IdentityProvider {
+func TestSetHostedLoginTranslation(t *testing.T) {
-	return &settings.IdentityProvider{
+	translations := map[string]any{"loginTitle": "Welcome to our service"}
-		Id:   id,
-		Name: name,
-		Type: settings.IdentityProviderType_IDENTITY_PROVIDER_TYPE_OAUTH,
-		Options: &idp_pb.Options{
-			IsLinkingAllowed:  linking,
-			IsCreationAllowed: creation,
-			IsAutoCreation:    autoCreation,
-			IsAutoUpdate:      autoUpdate,
-			AutoLinking:       autoLinking,
-		},
-	}
-}
 
-func TestServer_GetActiveIdentityProviders(t *testing.T) {
+	protoTranslations, err := structpb.NewStruct(translations)
-	instance := integration.NewInstance(CTX)
+	require.Nil(t, err)
-	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
-	instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, gofakeit.AppName()) // inactive
+	hash := md5.Sum(fmt.Append(nil, translations))
-	idpActiveName := gofakeit.AppName()
-	idpActiveResp := instance.AddGenericOAuthProvider(isolatedIAMOwnerCTX, idpActiveName)
-	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpActiveResp.GetId())
-	idpActiveResponse := idpResponse(idpActiveResp.GetId(), idpActiveName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
-	idpLinkingDisallowedName := gofakeit.AppName()
-	idpLinkingDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpLinkingDisallowedName, false, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
-	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpLinkingDisallowedResp.GetId())
-	idpLinkingDisallowedResponse := idpResponse(idpLinkingDisallowedResp.GetId(), idpLinkingDisallowedName, false, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
-	idpCreationDisallowedName := gofakeit.AppName()
-	idpCreationDisallowedResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpCreationDisallowedName, true, false, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
-	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpCreationDisallowedResp.GetId())
-	idpCreationDisallowedResponse := idpResponse(idpCreationDisallowedResp.GetId(), idpCreationDisallowedName, true, false, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
-	idpNoAutoCreationName := gofakeit.AppName()
-	idpNoAutoCreationResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoCreationName, true, true, false, idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
-	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoCreationResp.GetId())
-	idpNoAutoCreationResponse := idpResponse(idpNoAutoCreationResp.GetId(), idpNoAutoCreationName, true, true, false, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME)
-	idpNoAutoLinkingName := gofakeit.AppName()
-	idpNoAutoLinkingResp := instance.AddGenericOAuthProviderWithOptions(isolatedIAMOwnerCTX, idpNoAutoLinkingName, true, true, true, idp.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
-	instance.AddProviderToDefaultLoginPolicy(isolatedIAMOwnerCTX, idpNoAutoLinkingResp.GetId())
-	idpNoAutoLinkingResponse := idpResponse(idpNoAutoLinkingResp.GetId(), idpNoAutoLinkingName, true, true, true, true, idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED)
 
-	type args struct {
+	tt := []struct {
-		ctx context.Context
+		testName     string
-		req *settings.GetActiveIdentityProvidersRequest
+		inputCtx     context.Context
-	}
+		inputRequest *settings.SetHostedLoginTranslationRequest
-	tests := []struct {
+
-		name    string
+		expectedErrorCode codes.Code
-		args    args
+		expectedErrorMsg  string
-		want    *settings.GetActiveIdentityProvidersResponse
+		expectedResponse  *settings.SetHostedLoginTranslationResponse
-		wantErr bool
 	}{
 		{
-			name: "permission error",
+			testName:          "when unauthN context should return unauthN error",
-			args: args{
+			inputCtx:          CTX,
-				ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
+			expectedErrorCode: codes.Unauthenticated,
-				req: &settings.GetActiveIdentityProvidersRequest{},
+			expectedErrorMsg:  "auth header missing",
-			},
-			wantErr: true,
 		},
 		{
-			name: "success, all",
+			testName:          "when unauthZ context should return unauthZ error",
-			args: args{
+			inputCtx:          UserTypeLoginCtx,
-				ctx: isolatedIAMOwnerCTX,
+			expectedErrorCode: codes.PermissionDenied,
-				req: &settings.GetActiveIdentityProvidersRequest{},
+			expectedErrorMsg:  "No matching permissions found (AUTH-5mWD2)",
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 5,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpActiveResponse,
-					idpLinkingDisallowedResponse,
-					idpCreationDisallowedResponse,
-					idpNoAutoCreationResponse,
-					idpNoAutoLinkingResponse,
-				},
-			},
 		},
 		{
-			name: "success, exclude linking disallowed",
+			testName: "when authZ request should save to db and return etag",
-			args: args{
+			inputCtx: AdminCTX,
-				ctx: isolatedIAMOwnerCTX,
+			inputRequest: &settings.SetHostedLoginTranslationRequest{
-				req: &settings.GetActiveIdentityProvidersRequest{
+				Level: &settings.SetHostedLoginTranslationRequest_OrganizationId{
-					LinkingAllowed: gu.Ptr(true),
+					OrganizationId: Instance.DefaultOrg.GetId(),
 				},
+				Translations: protoTranslations,
+				Locale:       "en-US",
 			},
-			want: &settings.GetActiveIdentityProvidersResponse{
+			expectedResponse: &settings.SetHostedLoginTranslationResponse{
-				Details: &object_pb.ListDetails{
+				Etag: hex.EncodeToString(hash[:]),
-					TotalResult: 4,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpActiveResponse,
-					idpCreationDisallowedResponse,
-					idpNoAutoCreationResponse,
-					idpNoAutoLinkingResponse,
-				},
-			},
-		},
-		{
-			name: "success, only linking disallowed",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					LinkingAllowed: gu.Ptr(false),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 1,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpLinkingDisallowedResponse,
-				},
-			},
-		},
-		{
-			name: "success, exclude creation disallowed",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					CreationAllowed: gu.Ptr(true),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 4,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpActiveResponse,
-					idpLinkingDisallowedResponse,
-					idpNoAutoCreationResponse,
-					idpNoAutoLinkingResponse,
-				},
-			},
-		},
-		{
-			name: "success, only creation disallowed",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					CreationAllowed: gu.Ptr(false),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 1,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpCreationDisallowedResponse,
-				},
-			},
-		},
-		{
-			name: "success, auto creation",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					AutoCreation: gu.Ptr(true),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 4,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpActiveResponse,
-					idpLinkingDisallowedResponse,
-					idpCreationDisallowedResponse,
-					idpNoAutoLinkingResponse,
-				},
-			},
-		},
-		{
-			name: "success, no auto creation",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					AutoCreation: gu.Ptr(false),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 1,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpNoAutoCreationResponse,
-				},
-			},
-		},
-		{
-			name: "success, auto linking",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					AutoLinking: gu.Ptr(true),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 4,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpActiveResponse,
-					idpLinkingDisallowedResponse,
-					idpCreationDisallowedResponse,
-					idpNoAutoCreationResponse,
-				},
-			},
-		},
-		{
-			name: "success, no auto linking",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					AutoLinking: gu.Ptr(false),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 1,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpNoAutoLinkingResponse,
-				},
-			},
-		},
-		{
-			name: "success, exclude all",
-			args: args{
-				ctx: isolatedIAMOwnerCTX,
-				req: &settings.GetActiveIdentityProvidersRequest{
-					LinkingAllowed:  gu.Ptr(true),
-					CreationAllowed: gu.Ptr(true),
-					AutoCreation:    gu.Ptr(true),
-					AutoLinking:     gu.Ptr(true),
-				},
-			},
-			want: &settings.GetActiveIdentityProvidersResponse{
-				Details: &object_pb.ListDetails{
-					TotalResult: 1,
-					Timestamp:   timestamppb.Now(),
-				},
-				IdentityProviders: []*settings.IdentityProvider{
-					idpActiveResponse,
-				},
 			},
 		},
 	}
-	for _, tt := range tests {
+
-		t.Run(tt.name, func(t *testing.T) {
+	for _, tc := range tt {
-			retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.args.ctx, time.Minute)
+		t.Run(tc.testName, func(t *testing.T) {
-			assert.EventuallyWithT(t, func(ct *assert.CollectT) {
+			// When
-				got, err := instance.Client.SettingsV2.GetActiveIdentityProviders(tt.args.ctx, tt.args.req)
+			res, err := Client.SetHostedLoginTranslation(tc.inputCtx, tc.inputRequest)
-				if tt.wantErr {
+
-					assert.Error(ct, err)
+			// Then
-					return
+			assert.Equal(t, tc.expectedErrorCode, status.Code(err))
-				}
+			assert.Equal(t, tc.expectedErrorMsg, status.Convert(err).Message())
-				if !assert.NoError(ct, err) {
+
-					return
+			if tc.expectedErrorMsg == "" {
-				}
+				require.NoError(t, err)
-				for i, result := range tt.want.GetIdentityProviders() {
+				assert.Equal(t, tc.expectedResponse.GetEtag(), res.GetEtag())
-					assert.EqualExportedValues(ct, result, got.GetIdentityProviders()[i])
+			}
-				}
-				integration.AssertListDetails(ct, tt.want, got)
-			}, retryDuration, tick)
 		})
 	}
 }

internal/api/grpc/settings/v2/query.go

@@ -0,0 +1,209 @@
+package settings
+
+import (
+	"context"
+
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/i18n"
+	"github.com/zitadel/zitadel/internal/query"
+	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
+)
+
+func (s *Server) GetLoginSettings(ctx context.Context, req *settings.GetLoginSettingsRequest) (*settings.GetLoginSettingsResponse, error) {
+	current, err := s.query.LoginPolicyByID(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetLoginSettingsResponse{
+		Settings: loginSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			CreationDate:  timestamppb.New(current.CreationDate),
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.OrgID,
+		},
+	}, nil
+}
+
+func (s *Server) GetPasswordComplexitySettings(ctx context.Context, req *settings.GetPasswordComplexitySettingsRequest) (*settings.GetPasswordComplexitySettingsResponse, error) {
+	current, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetPasswordComplexitySettingsResponse{
+		Settings: passwordComplexitySettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			CreationDate:  timestamppb.New(current.CreationDate),
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetPasswordExpirySettings(ctx context.Context, req *settings.GetPasswordExpirySettingsRequest) (*settings.GetPasswordExpirySettingsResponse, error) {
+	current, err := s.query.PasswordAgePolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetPasswordExpirySettingsResponse{
+		Settings: passwordExpirySettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			CreationDate:  timestamppb.New(current.CreationDate),
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetBrandingSettings(ctx context.Context, req *settings.GetBrandingSettingsRequest) (*settings.GetBrandingSettingsResponse, error) {
+	current, err := s.query.ActiveLabelPolicyByOrg(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetBrandingSettingsResponse{
+		Settings: brandingSettingsToPb(current, s.assetsAPIDomain(ctx)),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			CreationDate:  timestamppb.New(current.CreationDate),
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetDomainSettings(ctx context.Context, req *settings.GetDomainSettingsRequest) (*settings.GetDomainSettingsResponse, error) {
+	current, err := s.query.DomainPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetDomainSettingsResponse{
+		Settings: domainSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			CreationDate:  timestamppb.New(current.CreationDate),
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetLegalAndSupportSettings(ctx context.Context, req *settings.GetLegalAndSupportSettingsRequest) (*settings.GetLegalAndSupportSettingsResponse, error) {
+	current, err := s.query.PrivacyPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetLegalAndSupportSettingsResponse{
+		Settings: legalAndSupportSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			CreationDate:  timestamppb.New(current.CreationDate),
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetLockoutSettings(ctx context.Context, req *settings.GetLockoutSettingsRequest) (*settings.GetLockoutSettingsResponse, error) {
+	current, err := s.query.LockoutPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()))
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetLockoutSettingsResponse{
+		Settings: lockoutSettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			CreationDate:  timestamppb.New(current.CreationDate),
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetActiveIdentityProviders(ctx context.Context, req *settings.GetActiveIdentityProvidersRequest) (*settings.GetActiveIdentityProvidersResponse, error) {
+	queries, err := activeIdentityProvidersToQuery(req)
+	if err != nil {
+		return nil, err
+	}
+
+	links, err := s.query.IDPLoginPolicyLinks(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), &query.IDPLoginPolicyLinksSearchQuery{Queries: queries}, false)
+	if err != nil {
+		return nil, err
+	}
+
+	return &settings.GetActiveIdentityProvidersResponse{
+		Details:           object.ToListDetails(links.SearchResponse),
+		IdentityProviders: identityProvidersToPb(links.Links),
+	}, nil
+}
+
+func activeIdentityProvidersToQuery(req *settings.GetActiveIdentityProvidersRequest) (_ []query.SearchQuery, err error) {
+	q := make([]query.SearchQuery, 0, 4)
+	if req.CreationAllowed != nil {
+		creationQuery, err := query.NewIDPTemplateIsCreationAllowedSearchQuery(*req.CreationAllowed)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	if req.LinkingAllowed != nil {
+		creationQuery, err := query.NewIDPTemplateIsLinkingAllowedSearchQuery(*req.LinkingAllowed)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	if req.AutoCreation != nil {
+		creationQuery, err := query.NewIDPTemplateIsAutoCreationSearchQuery(*req.AutoCreation)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	if req.AutoLinking != nil {
+		compare := query.NumberEquals
+		if *req.AutoLinking {
+			compare = query.NumberNotEquals
+		}
+		creationQuery, err := query.NewIDPTemplateAutoLinkingSearchQuery(0, compare)
+		if err != nil {
+			return nil, err
+		}
+		q = append(q, creationQuery)
+	}
+	return q, nil
+}
+
+func (s *Server) GetGeneralSettings(ctx context.Context, _ *settings.GetGeneralSettingsRequest) (*settings.GetGeneralSettingsResponse, error) {
+	instance := authz.GetInstance(ctx)
+	return &settings.GetGeneralSettingsResponse{
+		SupportedLanguages: domain.LanguagesToStrings(i18n.SupportedLanguages()),
+		DefaultOrgId:       instance.DefaultOrganisationID(),
+		DefaultLanguage:    instance.DefaultLanguage().String(),
+	}, nil
+}
+
+func (s *Server) GetSecuritySettings(ctx context.Context, req *settings.GetSecuritySettingsRequest) (*settings.GetSecuritySettingsResponse, error) {
+	policy, err := s.query.SecurityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetSecuritySettingsResponse{
+		Settings: securityPolicyToSettingsPb(policy),
+	}, nil
+}
+
+func (s *Server) GetHostedLoginTranslation(ctx context.Context, req *settings.GetHostedLoginTranslationRequest) (*settings.GetHostedLoginTranslationResponse, error) {
+	translation, err := s.query.GetHostedLoginTranslation(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	return translation, nil
+}

internal/api/grpc/settings/v2/settings.go

@@ -3,202 +3,10 @@ package settings
 import (
 	"context"
 
-	"google.golang.org/protobuf/types/known/timestamppb"
-
-	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
-	"github.com/zitadel/zitadel/internal/domain"
-	"github.com/zitadel/zitadel/internal/i18n"
-	"github.com/zitadel/zitadel/internal/query"
-	object_pb "github.com/zitadel/zitadel/pkg/grpc/object/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 )
 
-func (s *Server) GetLoginSettings(ctx context.Context, req *settings.GetLoginSettingsRequest) (*settings.GetLoginSettingsResponse, error) {
-	current, err := s.query.LoginPolicyByID(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetLoginSettingsResponse{
-		Settings: loginSettingsToPb(current),
-		Details: &object_pb.Details{
-			Sequence:      current.Sequence,
-			CreationDate:  timestamppb.New(current.CreationDate),
-			ChangeDate:    timestamppb.New(current.ChangeDate),
-			ResourceOwner: current.OrgID,
-		},
-	}, nil
-}
-
-func (s *Server) GetPasswordComplexitySettings(ctx context.Context, req *settings.GetPasswordComplexitySettingsRequest) (*settings.GetPasswordComplexitySettingsResponse, error) {
-	current, err := s.query.PasswordComplexityPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetPasswordComplexitySettingsResponse{
-		Settings: passwordComplexitySettingsToPb(current),
-		Details: &object_pb.Details{
-			Sequence:      current.Sequence,
-			CreationDate:  timestamppb.New(current.CreationDate),
-			ChangeDate:    timestamppb.New(current.ChangeDate),
-			ResourceOwner: current.ResourceOwner,
-		},
-	}, nil
-}
-
-func (s *Server) GetPasswordExpirySettings(ctx context.Context, req *settings.GetPasswordExpirySettingsRequest) (*settings.GetPasswordExpirySettingsResponse, error) {
-	current, err := s.query.PasswordAgePolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetPasswordExpirySettingsResponse{
-		Settings: passwordExpirySettingsToPb(current),
-		Details: &object_pb.Details{
-			Sequence:      current.Sequence,
-			CreationDate:  timestamppb.New(current.CreationDate),
-			ChangeDate:    timestamppb.New(current.ChangeDate),
-			ResourceOwner: current.ResourceOwner,
-		},
-	}, nil
-}
-
-func (s *Server) GetBrandingSettings(ctx context.Context, req *settings.GetBrandingSettingsRequest) (*settings.GetBrandingSettingsResponse, error) {
-	current, err := s.query.ActiveLabelPolicyByOrg(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetBrandingSettingsResponse{
-		Settings: brandingSettingsToPb(current, s.assetsAPIDomain(ctx)),
-		Details: &object_pb.Details{
-			Sequence:      current.Sequence,
-			CreationDate:  timestamppb.New(current.CreationDate),
-			ChangeDate:    timestamppb.New(current.ChangeDate),
-			ResourceOwner: current.ResourceOwner,
-		},
-	}, nil
-}
-
-func (s *Server) GetDomainSettings(ctx context.Context, req *settings.GetDomainSettingsRequest) (*settings.GetDomainSettingsResponse, error) {
-	current, err := s.query.DomainPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetDomainSettingsResponse{
-		Settings: domainSettingsToPb(current),
-		Details: &object_pb.Details{
-			Sequence:      current.Sequence,
-			CreationDate:  timestamppb.New(current.CreationDate),
-			ChangeDate:    timestamppb.New(current.ChangeDate),
-			ResourceOwner: current.ResourceOwner,
-		},
-	}, nil
-}
-
-func (s *Server) GetLegalAndSupportSettings(ctx context.Context, req *settings.GetLegalAndSupportSettingsRequest) (*settings.GetLegalAndSupportSettingsResponse, error) {
-	current, err := s.query.PrivacyPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetLegalAndSupportSettingsResponse{
-		Settings: legalAndSupportSettingsToPb(current),
-		Details: &object_pb.Details{
-			Sequence:      current.Sequence,
-			CreationDate:  timestamppb.New(current.CreationDate),
-			ChangeDate:    timestamppb.New(current.ChangeDate),
-			ResourceOwner: current.ResourceOwner,
-		},
-	}, nil
-}
-
-func (s *Server) GetLockoutSettings(ctx context.Context, req *settings.GetLockoutSettingsRequest) (*settings.GetLockoutSettingsResponse, error) {
-	current, err := s.query.LockoutPolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()))
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetLockoutSettingsResponse{
-		Settings: lockoutSettingsToPb(current),
-		Details: &object_pb.Details{
-			Sequence:      current.Sequence,
-			CreationDate:  timestamppb.New(current.CreationDate),
-			ChangeDate:    timestamppb.New(current.ChangeDate),
-			ResourceOwner: current.ResourceOwner,
-		},
-	}, nil
-}
-
-func (s *Server) GetActiveIdentityProviders(ctx context.Context, req *settings.GetActiveIdentityProvidersRequest) (*settings.GetActiveIdentityProvidersResponse, error) {
-	queries, err := activeIdentityProvidersToQuery(req)
-	if err != nil {
-		return nil, err
-	}
-
-	links, err := s.query.IDPLoginPolicyLinks(ctx, object.ResourceOwnerFromReq(ctx, req.GetCtx()), &query.IDPLoginPolicyLinksSearchQuery{Queries: queries}, false)
-	if err != nil {
-		return nil, err
-	}
-
-	return &settings.GetActiveIdentityProvidersResponse{
-		Details:           object.ToListDetails(links.SearchResponse),
-		IdentityProviders: identityProvidersToPb(links.Links),
-	}, nil
-}
-
-func activeIdentityProvidersToQuery(req *settings.GetActiveIdentityProvidersRequest) (_ []query.SearchQuery, err error) {
-	q := make([]query.SearchQuery, 0, 4)
-	if req.CreationAllowed != nil {
-		creationQuery, err := query.NewIDPTemplateIsCreationAllowedSearchQuery(*req.CreationAllowed)
-		if err != nil {
-			return nil, err
-		}
-		q = append(q, creationQuery)
-	}
-	if req.LinkingAllowed != nil {
-		creationQuery, err := query.NewIDPTemplateIsLinkingAllowedSearchQuery(*req.LinkingAllowed)
-		if err != nil {
-			return nil, err
-		}
-		q = append(q, creationQuery)
-	}
-	if req.AutoCreation != nil {
-		creationQuery, err := query.NewIDPTemplateIsAutoCreationSearchQuery(*req.AutoCreation)
-		if err != nil {
-			return nil, err
-		}
-		q = append(q, creationQuery)
-	}
-	if req.AutoLinking != nil {
-		compare := query.NumberEquals
-		if *req.AutoLinking {
-			compare = query.NumberNotEquals
-		}
-		creationQuery, err := query.NewIDPTemplateAutoLinkingSearchQuery(0, compare)
-		if err != nil {
-			return nil, err
-		}
-		q = append(q, creationQuery)
-	}
-	return q, nil
-}
-
-func (s *Server) GetGeneralSettings(ctx context.Context, _ *settings.GetGeneralSettingsRequest) (*settings.GetGeneralSettingsResponse, error) {
-	instance := authz.GetInstance(ctx)
-	return &settings.GetGeneralSettingsResponse{
-		SupportedLanguages: domain.LanguagesToStrings(i18n.SupportedLanguages()),
-		DefaultOrgId:       instance.DefaultOrganisationID(),
-		DefaultLanguage:    instance.DefaultLanguage().String(),
-	}, nil
-}
-
-func (s *Server) GetSecuritySettings(ctx context.Context, req *settings.GetSecuritySettingsRequest) (*settings.GetSecuritySettingsResponse, error) {
-	policy, err := s.query.SecurityPolicy(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return &settings.GetSecuritySettingsResponse{
-		Settings: securityPolicyToSettingsPb(policy),
-	}, nil
-}
-
 func (s *Server) SetSecuritySettings(ctx context.Context, req *settings.SetSecuritySettingsRequest) (*settings.SetSecuritySettingsResponse, error) {
 	details, err := s.command.SetSecurityPolicy(ctx, securitySettingsToCommand(req))
 	if err != nil {
@@ -208,3 +16,12 @@ func (s *Server) SetSecuritySettings(ctx context.Context, req *settings.SetSecur
 		Details: object.DomainToDetailsPb(details),
 	}, nil
 }
+
+func (s *Server) SetHostedLoginTranslation(ctx context.Context, req *settings.SetHostedLoginTranslationRequest) (*settings.SetHostedLoginTranslationResponse, error) {
+	res, err := s.command.SetHostedLoginTranslation(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	return res, nil
+}

internal/command/hosted_login_translation.go

@@ -0,0 +1,73 @@
+package command
+
+import (
+	"context"
+	"crypto/md5"
+	"encoding/hex"
+	"fmt"
+
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	"github.com/zitadel/zitadel/internal/zerrors"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
+)
+
+func (c *Commands) SetHostedLoginTranslation(ctx context.Context, req *settings.SetHostedLoginTranslationRequest) (res *settings.SetHostedLoginTranslationResponse, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	var agg eventstore.Aggregate
+	switch t := req.GetLevel().(type) {
+	case *settings.SetHostedLoginTranslationRequest_Instance:
+		agg = instance.NewAggregate(authz.GetInstance(ctx).InstanceID()).Aggregate
+	case *settings.SetHostedLoginTranslationRequest_OrganizationId:
+		agg = org.NewAggregate(t.OrganizationId).Aggregate
+	default:
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMA-YB6Sri", "Errors.Arguments.Level.Invalid")
+	}
+
+	lang, err := language.Parse(req.GetLocale())
+	if err != nil || lang.IsRoot() {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMA-xmjATA", "Errors.Arguments.Locale.Invalid")
+	}
+
+	commands, wm, err := c.setTranslationEvents(ctx, agg, lang, req.GetTranslations().AsMap())
+	if err != nil {
+		return nil, err
+	}
+
+	pushedEvents, err := c.eventstore.Push(ctx, commands...)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "COMMA-i8nqFl", "Errors.Internal")
+	}
+
+	err = AppendAndReduce(wm, pushedEvents...)
+	if err != nil {
+		return nil, err
+	}
+
+	etag := md5.Sum(fmt.Append(nil, wm.Translation))
+	return &settings.SetHostedLoginTranslationResponse{
+		Etag: hex.EncodeToString(etag[:]),
+	}, nil
+}
+
+func (c *Commands) setTranslationEvents(ctx context.Context, agg eventstore.Aggregate, lang language.Tag, translations map[string]any) ([]eventstore.Command, *HostedLoginTranslationWriteModel, error) {
+	wm := NewHostedLoginTranslationWriteModel(agg.ID)
+	events := []eventstore.Command{}
+	switch agg.Type {
+	case instance.AggregateType:
+		events = append(events, instance.NewHostedLoginTranslationSetEvent(ctx, &agg, translations, lang))
+	case org.AggregateType:
+		events = append(events, org.NewHostedLoginTranslationSetEvent(ctx, &agg, translations, lang))
+	default:
+		return nil, nil, zerrors.ThrowInvalidArgument(nil, "COMMA-0aw7In", "Errors.Arguments.LevelType.Invalid")
+	}
+
+	return events, wm, nil
+}

internal/command/hosted_login_translation_model.go

@@ -0,0 +1,45 @@
+package command
+
+import (
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
+)
+
+type HostedLoginTranslationWriteModel struct {
+	eventstore.WriteModel
+	Language    language.Tag
+	Translation map[string]any
+	Level       string
+	LevelID     string
+}
+
+func NewHostedLoginTranslationWriteModel(resourceID string) *HostedLoginTranslationWriteModel {
+	return &HostedLoginTranslationWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   resourceID,
+			ResourceOwner: resourceID,
+		},
+	}
+}
+
+func (wm *HostedLoginTranslationWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *org.HostedLoginTranslationSetEvent:
+			wm.Language = e.Language
+			wm.Translation = e.Translation
+			wm.Level = e.Level
+			wm.LevelID = e.Aggregate().ID
+		case *instance.HostedLoginTranslationSetEvent:
+			wm.Language = e.Language
+			wm.Translation = e.Translation
+			wm.Level = e.Level
+			wm.LevelID = e.Aggregate().ID
+		}
+	}
+
+	return wm.WriteModel.Reduce()
+}

internal/command/hosted_login_translation_test.go

@@ -0,0 +1,211 @@
+package command
+
+import (
+	"context"
+	"crypto/md5"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/text/language"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/service"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
+	"github.com/zitadel/zitadel/internal/zerrors"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
+)
+
+func TestSetTranslationEvents(t *testing.T) {
+	t.Parallel()
+
+	testCtx := authz.SetCtxData(context.Background(), authz.CtxData{UserID: "test-user"})
+	testCtx = service.WithService(testCtx, "test-service")
+
+	tt := []struct {
+		testName string
+
+		inputAggregate    eventstore.Aggregate
+		inputLanguage     language.Tag
+		inputTranslations map[string]any
+
+		expectedCommands   []eventstore.Command
+		expectedWriteModel *HostedLoginTranslationWriteModel
+		expectedError      error
+	}{
+		{
+			testName:          "when aggregate type is instance should return matching write model and instance.hosted_login_translation_set event",
+			inputAggregate:    eventstore.Aggregate{ID: "123", Type: instance.AggregateType},
+			inputLanguage:     language.MustParse("en-US"),
+			inputTranslations: map[string]any{"test": "translation"},
+			expectedCommands: []eventstore.Command{
+				instance.NewHostedLoginTranslationSetEvent(testCtx, &eventstore.Aggregate{ID: "123", Type: instance.AggregateType}, map[string]any{"test": "translation"}, language.MustParse("en-US")),
+			},
+			expectedWriteModel: &HostedLoginTranslationWriteModel{
+				WriteModel: eventstore.WriteModel{AggregateID: "123", ResourceOwner: "123"},
+			},
+		},
+		{
+			testName:          "when aggregate type is org should return matching write model and org.hosted_login_translation_set event",
+			inputAggregate:    eventstore.Aggregate{ID: "123", Type: org.AggregateType},
+			inputLanguage:     language.MustParse("en-GB"),
+			inputTranslations: map[string]any{"test": "translation"},
+			expectedCommands: []eventstore.Command{
+				org.NewHostedLoginTranslationSetEvent(testCtx, &eventstore.Aggregate{ID: "123", Type: org.AggregateType}, map[string]any{"test": "translation"}, language.MustParse("en-GB")),
+			},
+			expectedWriteModel: &HostedLoginTranslationWriteModel{
+				WriteModel: eventstore.WriteModel{AggregateID: "123", ResourceOwner: "123"},
+			},
+		},
+		{
+			testName:          "when aggregate type is neither org nor instance should return invalid argument error",
+			inputAggregate:    eventstore.Aggregate{ID: "123"},
+			inputLanguage:     language.MustParse("en-US"),
+			inputTranslations: map[string]any{"test": "translation"},
+			expectedError:     zerrors.ThrowInvalidArgument(nil, "COMMA-0aw7In", "Errors.Arguments.LevelType.Invalid"),
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.testName, func(t *testing.T) {
+			t.Parallel()
+
+			// Given
+			c := Commands{}
+
+			// When
+			events, writeModel, err := c.setTranslationEvents(testCtx, tc.inputAggregate, tc.inputLanguage, tc.inputTranslations)
+
+			// Verify
+			require.Equal(t, tc.expectedError, err)
+			assert.Equal(t, tc.expectedWriteModel, writeModel)
+
+			require.Len(t, events, len(tc.expectedCommands))
+			assert.ElementsMatch(t, tc.expectedCommands, events)
+		})
+	}
+}
+
+func TestSetHostedLoginTranslation(t *testing.T) {
+	t.Parallel()
+
+	testCtx := authz.SetCtxData(context.Background(), authz.CtxData{UserID: "test-user"})
+	testCtx = service.WithService(testCtx, "test-service")
+	testCtx = authz.WithInstanceID(testCtx, "instance-id")
+
+	testTranslation := map[string]any{"test": "translation", "translation": "2"}
+	protoTranslation, err := structpb.NewStruct(testTranslation)
+	require.NoError(t, err)
+
+	hashTestTranslation := md5.Sum(fmt.Append(nil, testTranslation))
+	require.NotEmpty(t, hashTestTranslation)
+
+	tt := []struct {
+		testName string
+
+		mockPush func(*testing.T) *eventstore.Eventstore
+
+		inputReq *settings.SetHostedLoginTranslationRequest
+
+		expectedError  error
+		expectedResult *settings.SetHostedLoginTranslationResponse
+	}{
+		{
+			testName: "when locale is malformed should return invalid argument error",
+			mockPush: func(t *testing.T) *eventstore.Eventstore { return &eventstore.Eventstore{} },
+			inputReq: &settings.SetHostedLoginTranslationRequest{
+				Level:  &settings.SetHostedLoginTranslationRequest_Instance{},
+				Locale: "123",
+			},
+
+			expectedError: zerrors.ThrowInvalidArgument(nil, "COMMA-xmjATA", "Errors.Arguments.Locale.Invalid"),
+		},
+		{
+			testName: "when locale is unknown should return invalid argument error",
+			mockPush: func(t *testing.T) *eventstore.Eventstore { return &eventstore.Eventstore{} },
+			inputReq: &settings.SetHostedLoginTranslationRequest{
+				Level:  &settings.SetHostedLoginTranslationRequest_Instance{},
+				Locale: "root",
+			},
+
+			expectedError: zerrors.ThrowInvalidArgument(nil, "COMMA-xmjATA", "Errors.Arguments.Locale.Invalid"),
+		},
+		{
+			testName: "when event pushing fails should return internal error",
+
+			mockPush: expectEventstore(expectPushFailed(
+				errors.New("mock push failed"),
+				instance.NewHostedLoginTranslationSetEvent(
+					testCtx, &eventstore.Aggregate{
+						ID:            "instance-id",
+						Type:          instance.AggregateType,
+						ResourceOwner: "instance-id",
+						InstanceID:    "instance-id",
+						Version:       instance.AggregateVersion,
+					},
+					testTranslation,
+					language.MustParse("it-CH"),
+				),
+			)),
+
+			inputReq: &settings.SetHostedLoginTranslationRequest{
+				Level:        &settings.SetHostedLoginTranslationRequest_Instance{},
+				Locale:       "it-CH",
+				Translations: protoTranslation,
+			},
+
+			expectedError: zerrors.ThrowInternal(errors.New("mock push failed"), "COMMA-i8nqFl", "Errors.Internal"),
+		},
+		{
+			testName: "when request is valid should return expected response",
+
+			mockPush: expectEventstore(expectPush(
+				org.NewHostedLoginTranslationSetEvent(
+					testCtx, &eventstore.Aggregate{
+						ID:            "org-id",
+						Type:          org.AggregateType,
+						ResourceOwner: "org-id",
+						InstanceID:    "",
+						Version:       org.AggregateVersion,
+					},
+					testTranslation,
+					language.MustParse("it-CH"),
+				),
+			)),
+
+			inputReq: &settings.SetHostedLoginTranslationRequest{
+				Level:        &settings.SetHostedLoginTranslationRequest_OrganizationId{OrganizationId: "org-id"},
+				Locale:       "it-CH",
+				Translations: protoTranslation,
+			},
+
+			expectedResult: &settings.SetHostedLoginTranslationResponse{
+				Etag: hex.EncodeToString(hashTestTranslation[:]),
+			},
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.testName, func(t *testing.T) {
+			t.Parallel()
+
+			// Given
+			c := Commands{
+				eventstore: tc.mockPush(t),
+			}
+
+			// When
+			res, err := c.SetHostedLoginTranslation(testCtx, tc.inputReq)
+
+			// Verify
+			require.Equal(t, tc.expectedError, err)
+			assert.Equal(t, tc.expectedResult, res)
+		})
+	}
+}

internal/database/mock/sql_mock.go

@@ -14,9 +14,9 @@ type SQLMock struct {
 	mock sqlmock.Sqlmock
 }
 
-type expectation func(m sqlmock.Sqlmock)
+type Expectation func(m sqlmock.Sqlmock)
 
-func NewSQLMock(t *testing.T, expectations ...expectation) *SQLMock {
+func NewSQLMock(t *testing.T, expectations ...Expectation) *SQLMock {
 	db, mock, err := sqlmock.New(
 		sqlmock.QueryMatcherOption(sqlmock.QueryMatcherEqual),
 		sqlmock.ValueConverterOption(new(TypeConverter)),
@@ -45,7 +45,7 @@ func (m *SQLMock) Assert(t *testing.T) {
 	m.DB.Close()
 }
 
-func ExpectBegin(err error) expectation {
+func ExpectBegin(err error) Expectation {
 	return func(m sqlmock.Sqlmock) {
 		e := m.ExpectBegin()
 		if err != nil {
@@ -54,7 +54,7 @@ func ExpectBegin(err error) expectation {
 	}
 }
 
-func ExpectCommit(err error) expectation {
+func ExpectCommit(err error) Expectation {
 	return func(m sqlmock.Sqlmock) {
 		e := m.ExpectCommit()
 		if err != nil {
@@ -89,7 +89,7 @@ func WithExecRowsAffected(affected driver.RowsAffected) ExecOpt {
 	}
 }
 
-func ExcpectExec(stmt string, opts ...ExecOpt) expectation {
+func ExcpectExec(stmt string, opts ...ExecOpt) Expectation {
 	return func(m sqlmock.Sqlmock) {
 		e := m.ExpectExec(stmt)
 		for _, opt := range opts {
@@ -122,7 +122,7 @@ func WithQueryResult(columns []string, rows [][]driver.Value) QueryOpt {
 	}
 }
 
-func ExpectQuery(stmt string, opts ...QueryOpt) expectation {
+func ExpectQuery(stmt string, opts ...QueryOpt) Expectation {
 	return func(m sqlmock.Sqlmock) {
 		e := m.ExpectQuery(stmt)
 		for _, opt := range opts {

internal/query/hosted_login_translation.go

@@ -0,0 +1,256 @@
+package query
+
+import (
+	"context"
+	"crypto/md5"
+	"database/sql"
+	_ "embed"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"dario.cat/mergo"
+	sq "github.com/Masterminds/squirrel"
+	"github.com/zitadel/logging"
+	"golang.org/x/text/language"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	"github.com/zitadel/zitadel/internal/v2/org"
+	"github.com/zitadel/zitadel/internal/zerrors"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
+)
+
+var (
+	//go:embed v2-default.json
+	defaultLoginTranslations []byte
+
+	defaultSystemTranslations map[language.Tag]map[string]any
+
+	hostedLoginTranslationTable = table{
+		name:          projection.HostedLoginTranslationTable,
+		instanceIDCol: projection.HostedLoginTranslationInstanceIDCol,
+	}
+
+	hostedLoginTranslationColInstanceID = Column{
+		name:  projection.HostedLoginTranslationInstanceIDCol,
+		table: hostedLoginTranslationTable,
+	}
+	hostedLoginTranslationColResourceOwner = Column{
+		name:  projection.HostedLoginTranslationAggregateIDCol,
+		table: hostedLoginTranslationTable,
+	}
+	hostedLoginTranslationColResourceOwnerType = Column{
+		name:  projection.HostedLoginTranslationAggregateTypeCol,
+		table: hostedLoginTranslationTable,
+	}
+	hostedLoginTranslationColLocale = Column{
+		name:  projection.HostedLoginTranslationLocaleCol,
+		table: hostedLoginTranslationTable,
+	}
+	hostedLoginTranslationColFile = Column{
+		name:  projection.HostedLoginTranslationFileCol,
+		table: hostedLoginTranslationTable,
+	}
+	hostedLoginTranslationColEtag = Column{
+		name:  projection.HostedLoginTranslationEtagCol,
+		table: hostedLoginTranslationTable,
+	}
+)
+
+func init() {
+	err := json.Unmarshal(defaultLoginTranslations, &defaultSystemTranslations)
+	if err != nil {
+		panic(err)
+	}
+}
+
+type HostedLoginTranslations struct {
+	SearchResponse
+	HostedLoginTranslations []*HostedLoginTranslation
+}
+
+type HostedLoginTranslation struct {
+	AggregateID  string
+	Sequence     uint64
+	CreationDate time.Time
+	ChangeDate   time.Time
+
+	Locale    string
+	File      map[string]any
+	LevelType string
+	LevelID   string
+	Etag      string
+}
+
+func (q *Queries) GetHostedLoginTranslation(ctx context.Context, req *settings.GetHostedLoginTranslationRequest) (res *settings.GetHostedLoginTranslationResponse, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	inst := authz.GetInstance(ctx)
+	defaultInstLang := inst.DefaultLanguage()
+
+	lang, err := language.BCP47.Parse(req.GetLocale())
+	if err != nil || lang.IsRoot() {
+		return nil, zerrors.ThrowInvalidArgument(nil, "QUERY-rZLAGi", "Errors.Arguments.Locale.Invalid")
+	}
+	parentLang := lang.Parent()
+	if parentLang.IsRoot() {
+		parentLang = lang
+	}
+
+	sysTranslation, systemEtag, err := getSystemTranslation(parentLang, defaultInstLang)
+	if err != nil {
+		return nil, err
+	}
+
+	var levelID, resourceOwner string
+	switch t := req.GetLevel().(type) {
+	case *settings.GetHostedLoginTranslationRequest_System:
+		return getTranslationOutputMessage(sysTranslation, systemEtag)
+	case *settings.GetHostedLoginTranslationRequest_Instance:
+		levelID = authz.GetInstance(ctx).InstanceID()
+		resourceOwner = instance.AggregateType
+	case *settings.GetHostedLoginTranslationRequest_OrganizationId:
+		levelID = t.OrganizationId
+		resourceOwner = org.AggregateType
+	default:
+		return nil, zerrors.ThrowInvalidArgument(nil, "QUERY-YB6Sri", "Errors.Arguments.Level.Invalid")
+	}
+
+	stmt, scan := prepareHostedLoginTranslationQuery()
+
+	langORBaseLang := sq.Or{
+		sq.Eq{hostedLoginTranslationColLocale.identifier(): lang.String()},
+		sq.Eq{hostedLoginTranslationColLocale.identifier(): parentLang.String()},
+	}
+	eq := sq.Eq{
+		hostedLoginTranslationColInstanceID.identifier():        inst.InstanceID(),
+		hostedLoginTranslationColResourceOwner.identifier():     levelID,
+		hostedLoginTranslationColResourceOwnerType.identifier(): resourceOwner,
+	}
+
+	query, args, err := stmt.Where(eq).Where(langORBaseLang).ToSql()
+	if err != nil {
+		logging.WithError(err).Error("unable to generate sql statement")
+		return nil, zerrors.ThrowInternal(err, "QUERY-ZgCMux", "Errors.Query.SQLStatement")
+	}
+
+	var trs []*HostedLoginTranslation
+	err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
+		trs, err = scan(rows)
+		return err
+	}, query, args...)
+	if err != nil {
+		logging.WithError(err).Error("failed to query translations")
+		return nil, zerrors.ThrowInternal(err, "QUERY-6k1zjx", "Errors.Internal")
+	}
+
+	requestedTranslation, parentTranslation := &HostedLoginTranslation{}, &HostedLoginTranslation{}
+	for _, tr := range trs {
+		if tr == nil {
+			continue
+		}
+
+		if tr.LevelType == resourceOwner {
+			requestedTranslation = tr
+		} else {
+			parentTranslation = tr
+		}
+	}
+
+	if !req.GetIgnoreInheritance() {
+
+		// There is no record for the requested level, set the upper level etag
+		if requestedTranslation.Etag == "" {
+			requestedTranslation.Etag = parentTranslation.Etag
+		}
+
+		// Case where Level == ORGANIZATION -> Check if we have an instance level translation
+		// If so, merge it with the translations we have
+		if parentTranslation != nil && parentTranslation.LevelType == instance.AggregateType {
+			if err := mergo.Merge(&requestedTranslation.File, parentTranslation.File); err != nil {
+				return nil, zerrors.ThrowInternal(err, "QUERY-pdgEJd", "Errors.Query.MergeTranslations")
+			}
+		}
+
+		// The DB query returned no results, we have to set the system translation etag
+		if requestedTranslation.Etag == "" {
+			requestedTranslation.Etag = systemEtag
+		}
+
+		// Merge the system translations
+		if err := mergo.Merge(&requestedTranslation.File, sysTranslation); err != nil {
+			return nil, zerrors.ThrowInternal(err, "QUERY-HdprNF", "Errors.Query.MergeTranslations")
+		}
+	}
+
+	return getTranslationOutputMessage(requestedTranslation.File, requestedTranslation.Etag)
+}
+
+func getSystemTranslation(lang, instanceDefaultLang language.Tag) (map[string]any, string, error) {
+	translation, ok := defaultSystemTranslations[lang]
+	if !ok {
+		translation, ok = defaultSystemTranslations[instanceDefaultLang]
+		if !ok {
+			return nil, "", zerrors.ThrowNotFoundf(nil, "QUERY-6gb5QR", "Errors.Query.HostedLoginTranslationNotFound-%s", lang)
+		}
+	}
+
+	hash := md5.Sum(fmt.Append(nil, translation))
+
+	return translation, hex.EncodeToString(hash[:]), nil
+}
+
+func prepareHostedLoginTranslationQuery() (sq.SelectBuilder, func(*sql.Rows) ([]*HostedLoginTranslation, error)) {
+	return sq.Select(
+			hostedLoginTranslationColFile.identifier(),
+			hostedLoginTranslationColResourceOwnerType.identifier(),
+			hostedLoginTranslationColEtag.identifier(),
+		).From(hostedLoginTranslationTable.identifier()).
+			Limit(2).
+			PlaceholderFormat(sq.Dollar),
+		func(r *sql.Rows) ([]*HostedLoginTranslation, error) {
+			translations := make([]*HostedLoginTranslation, 0, 2)
+			for r.Next() {
+				var rawTranslation json.RawMessage
+				translation := &HostedLoginTranslation{}
+				err := r.Scan(
+					&rawTranslation,
+					&translation.LevelType,
+					&translation.Etag,
+				)
+				if err != nil {
+					return nil, err
+				}
+
+				if err := json.Unmarshal(rawTranslation, &translation.File); err != nil {
+					return nil, err
+				}
+
+				translations = append(translations, translation)
+			}
+
+			if err := r.Close(); err != nil {
+				return nil, zerrors.ThrowInternal(err, "QUERY-oc7r7i", "Errors.Query.CloseRows")
+			}
+
+			return translations, nil
+		}
+}
+
+func getTranslationOutputMessage(translation map[string]any, etag string) (*settings.GetHostedLoginTranslationResponse, error) {
+	protoTranslation, err := structpb.NewStruct(translation)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "QUERY-70ppPp", "Errors.Protobuf.ConvertToStruct")
+	}
+
+	return &settings.GetHostedLoginTranslationResponse{
+		Translations: protoTranslation,
+		Etag:         etag,
+	}, nil
+}

internal/query/hosted_login_translation_test.go

@@ -0,0 +1,337 @@
+package query
+
+import (
+	"crypto/md5"
+	"database/sql"
+	"database/sql/driver"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"maps"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/text/language"
+	"google.golang.org/protobuf/runtime/protoimpl"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/database/mock"
+	"github.com/zitadel/zitadel/internal/zerrors"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
+)
+
+func TestGetSystemTranslation(t *testing.T) {
+	okTranslation := defaultLoginTranslations
+
+	parsedOKTranslation := map[string]map[string]any{}
+	require.Nil(t, json.Unmarshal(okTranslation, &parsedOKTranslation))
+
+	hashOK := md5.Sum(fmt.Append(nil, parsedOKTranslation["de"]))
+
+	tt := []struct {
+		testName string
+
+		inputLanguage          language.Tag
+		inputInstanceLanguage  language.Tag
+		systemTranslationToSet []byte
+
+		expectedLanguage map[string]any
+		expectedEtag     string
+		expectedError    error
+	}{
+		{
+			testName:               "when neither input language nor system default language have translation should return not found error",
+			systemTranslationToSet: okTranslation,
+			inputLanguage:          language.MustParse("ro"),
+			inputInstanceLanguage:  language.MustParse("fr"),
+
+			expectedError: zerrors.ThrowNotFoundf(nil, "QUERY-6gb5QR", "Errors.Query.HostedLoginTranslationNotFound-%s", "ro"),
+		},
+		{
+			testName:               "when input language has no translation should fallback onto instance default",
+			systemTranslationToSet: okTranslation,
+			inputLanguage:          language.MustParse("ro"),
+			inputInstanceLanguage:  language.MustParse("de"),
+
+			expectedLanguage: parsedOKTranslation["de"],
+			expectedEtag:     hex.EncodeToString(hashOK[:]),
+		},
+		{
+			testName:               "when input language has translation should return it",
+			systemTranslationToSet: okTranslation,
+			inputLanguage:          language.MustParse("de"),
+			inputInstanceLanguage:  language.MustParse("en"),
+
+			expectedLanguage: parsedOKTranslation["de"],
+			expectedEtag:     hex.EncodeToString(hashOK[:]),
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.testName, func(t *testing.T) {
+			// Given
+			defaultLoginTranslations = tc.systemTranslationToSet
+
+			// When
+			translation, etag, err := getSystemTranslation(tc.inputLanguage, tc.inputInstanceLanguage)
+
+			// Verify
+			require.Equal(t, tc.expectedError, err)
+			assert.Equal(t, tc.expectedLanguage, translation)
+			assert.Equal(t, tc.expectedEtag, etag)
+		})
+	}
+}
+
+func TestGetTranslationOutput(t *testing.T) {
+	t.Parallel()
+
+	validMap := map[string]any{"loginHeader": "A login header"}
+	protoMap, err := structpb.NewStruct(validMap)
+	require.NoError(t, err)
+
+	hash := md5.Sum(fmt.Append(nil, validMap))
+	encodedHash := hex.EncodeToString(hash[:])
+
+	tt := []struct {
+		testName         string
+		inputTranslation map[string]any
+		expectedError    error
+		expectedResponse *settings.GetHostedLoginTranslationResponse
+	}{
+		{
+			testName:         "when unparsable map should return internal error",
+			inputTranslation: map[string]any{"\xc5z": "something"},
+			expectedError:    zerrors.ThrowInternal(protoimpl.X.NewError("invalid UTF-8 in string: %q", "\xc5z"), "QUERY-70ppPp", "Errors.Protobuf.ConvertToStruct"),
+		},
+		{
+			testName:         "when input translation is valid should return expected response message",
+			inputTranslation: validMap,
+			expectedResponse: &settings.GetHostedLoginTranslationResponse{
+				Translations: protoMap,
+				Etag:         hex.EncodeToString(hash[:]),
+			},
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.testName, func(t *testing.T) {
+			t.Parallel()
+
+			// When
+			res, err := getTranslationOutputMessage(tc.inputTranslation, encodedHash)
+
+			// Verify
+			require.Equal(t, tc.expectedError, err)
+			assert.Equal(t, tc.expectedResponse, res)
+		})
+	}
+}
+
+func TestGetHostedLoginTranslation(t *testing.T) {
+	query := `SELECT projections.hosted_login_translations.file, projections.hosted_login_translations.aggregate_type, projections.hosted_login_translations.etag
+	FROM projections.hosted_login_translations
+	WHERE projections.hosted_login_translations.aggregate_id = $1
+	AND projections.hosted_login_translations.aggregate_type = $2
+	AND projections.hosted_login_translations.instance_id = $3
+	AND (projections.hosted_login_translations.locale = $4 OR projections.hosted_login_translations.locale = $5)
+	LIMIT 2`
+	okTranslation := defaultLoginTranslations
+
+	parsedOKTranslation := map[string]map[string]any{}
+	require.NoError(t, json.Unmarshal(okTranslation, &parsedOKTranslation))
+
+	protoDefaultTranslation, err := structpb.NewStruct(parsedOKTranslation["en"])
+	require.Nil(t, err)
+
+	defaultWithDBTranslations := maps.Clone(parsedOKTranslation["en"])
+	defaultWithDBTranslations["test"] = "translation"
+	defaultWithDBTranslations["test2"] = "translation2"
+	protoDefaultWithDBTranslation, err := structpb.NewStruct(defaultWithDBTranslations)
+	require.NoError(t, err)
+
+	nilProtoDefaultMap, err := structpb.NewStruct(nil)
+	require.NoError(t, err)
+
+	hashDefaultTranslations := md5.Sum(fmt.Append(nil, parsedOKTranslation["en"]))
+
+	tt := []struct {
+		testName string
+
+		defaultInstanceLanguage language.Tag
+		sqlExpectations         []mock.Expectation
+
+		inputRequest *settings.GetHostedLoginTranslationRequest
+
+		expectedError  error
+		expectedResult *settings.GetHostedLoginTranslationResponse
+	}{
+		{
+			testName: "when input language is invalid should return invalid argument error",
+
+			inputRequest: &settings.GetHostedLoginTranslationRequest{},
+
+			expectedError: zerrors.ThrowInvalidArgument(nil, "QUERY-rZLAGi", "Errors.Arguments.Locale.Invalid"),
+		},
+		{
+			testName: "when input language is root should return invalid argument error",
+
+			defaultInstanceLanguage: language.English,
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Locale: "root",
+			},
+
+			expectedError: zerrors.ThrowInvalidArgument(nil, "QUERY-rZLAGi", "Errors.Arguments.Locale.Invalid"),
+		},
+		{
+			testName: "when no system translation is available should return not found error",
+
+			defaultInstanceLanguage: language.Romanian,
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Locale: "ro-RO",
+			},
+
+			expectedError: zerrors.ThrowNotFoundf(nil, "QUERY-6gb5QR", "Errors.Query.HostedLoginTranslationNotFound-%s", "ro"),
+		},
+		{
+			testName: "when requesting system translation should return it",
+
+			defaultInstanceLanguage: language.English,
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Locale: "en-US",
+				Level:  &settings.GetHostedLoginTranslationRequest_System{},
+			},
+
+			expectedResult: &settings.GetHostedLoginTranslationResponse{
+				Translations: protoDefaultTranslation,
+				Etag:         hex.EncodeToString(hashDefaultTranslations[:]),
+			},
+		},
+		{
+			testName: "when querying DB fails should return internal error",
+
+			defaultInstanceLanguage: language.English,
+			sqlExpectations: []mock.Expectation{
+				mock.ExpectQuery(
+					query,
+					mock.WithQueryArgs("123", "org", "instance-id", "en-US", "en"),
+					mock.WithQueryErr(sql.ErrConnDone),
+				),
+			},
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Locale: "en-US",
+				Level: &settings.GetHostedLoginTranslationRequest_OrganizationId{
+					OrganizationId: "123",
+				},
+			},
+
+			expectedError: zerrors.ThrowInternal(sql.ErrConnDone, "QUERY-6k1zjx", "Errors.Internal"),
+		},
+		{
+			testName: "when querying DB returns no result should return system translations",
+
+			defaultInstanceLanguage: language.English,
+			sqlExpectations: []mock.Expectation{
+				mock.ExpectQuery(
+					query,
+					mock.WithQueryArgs("123", "org", "instance-id", "en-US", "en"),
+					mock.WithQueryResult(
+						[]string{"file", "aggregate_type", "etag"},
+						[][]driver.Value{},
+					),
+				),
+			},
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Locale: "en-US",
+				Level: &settings.GetHostedLoginTranslationRequest_OrganizationId{
+					OrganizationId: "123",
+				},
+			},
+
+			expectedResult: &settings.GetHostedLoginTranslationResponse{
+				Translations: protoDefaultTranslation,
+				Etag:         hex.EncodeToString(hashDefaultTranslations[:]),
+			},
+		},
+		{
+			testName: "when querying DB returns no result and inheritance disabled should return empty result",
+
+			defaultInstanceLanguage: language.English,
+			sqlExpectations: []mock.Expectation{
+				mock.ExpectQuery(
+					query,
+					mock.WithQueryArgs("123", "org", "instance-id", "en-US", "en"),
+					mock.WithQueryResult(
+						[]string{"file", "aggregate_type", "etag"},
+						[][]driver.Value{},
+					),
+				),
+			},
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Locale: "en-US",
+				Level: &settings.GetHostedLoginTranslationRequest_OrganizationId{
+					OrganizationId: "123",
+				},
+				IgnoreInheritance: true,
+			},
+
+			expectedResult: &settings.GetHostedLoginTranslationResponse{
+				Etag:         "",
+				Translations: nilProtoDefaultMap,
+			},
+		},
+		{
+			testName: "when querying DB returns records should return merged result",
+
+			defaultInstanceLanguage: language.English,
+			sqlExpectations: []mock.Expectation{
+				mock.ExpectQuery(
+					query,
+					mock.WithQueryArgs("123", "org", "instance-id", "en-US", "en"),
+					mock.WithQueryResult(
+						[]string{"file", "aggregate_type", "etag"},
+						[][]driver.Value{
+							{[]byte(`{"test": "translation"}`), "org", "etag-org"},
+							{[]byte(`{"test2": "translation2"}`), "instance", "etag-instance"},
+						},
+					),
+				),
+			},
+			inputRequest: &settings.GetHostedLoginTranslationRequest{
+				Locale: "en-US",
+				Level: &settings.GetHostedLoginTranslationRequest_OrganizationId{
+					OrganizationId: "123",
+				},
+			},
+
+			expectedResult: &settings.GetHostedLoginTranslationResponse{
+				Etag:         "etag-org",
+				Translations: protoDefaultWithDBTranslation,
+			},
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.testName, func(t *testing.T) {
+			// Given
+			db := &database.DB{DB: mock.NewSQLMock(t, tc.sqlExpectations...).DB}
+			querier := Queries{client: db}
+
+			ctx := authz.NewMockContext("instance-id", "org-id", "user-id", authz.WithMockDefaultLanguage(tc.defaultInstanceLanguage))
+
+			// When
+			res, err := querier.GetHostedLoginTranslation(ctx, tc.inputRequest)
+
+			// Verify
+			require.Equal(t, tc.expectedError, err)
+
+			if tc.expectedError == nil {
+				assert.Equal(t, tc.expectedResult.GetEtag(), res.GetEtag())
+				assert.Equal(t, tc.expectedResult.GetTranslations().GetFields(), res.GetTranslations().GetFields())
+			}
+		})
+	}
+}

internal/query/projection/hosted_login_translation.go

@@ -0,0 +1,144 @@
+package projection
+
+import (
+	"context"
+	"crypto/md5"
+	"encoding/hex"
+	"fmt"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	old_handler "github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+	"github.com/zitadel/zitadel/internal/repository/org"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	HostedLoginTranslationTable = "projections.hosted_login_translations"
+
+	HostedLoginTranslationInstanceIDCol    = "instance_id"
+	HostedLoginTranslationCreationDateCol  = "creation_date"
+	HostedLoginTranslationChangeDateCol    = "change_date"
+	HostedLoginTranslationAggregateIDCol   = "aggregate_id"
+	HostedLoginTranslationAggregateTypeCol = "aggregate_type"
+	HostedLoginTranslationSequenceCol      = "sequence"
+	HostedLoginTranslationLocaleCol        = "locale"
+	HostedLoginTranslationFileCol          = "file"
+	HostedLoginTranslationEtagCol          = "etag"
+)
+
+type hostedLoginTranslationProjection struct{}
+
+func newHostedLoginTranslationProjection(ctx context.Context, config handler.Config) *handler.Handler {
+	return handler.NewHandler(ctx, &config, new(hostedLoginTranslationProjection))
+}
+
+// Init implements [handler.initializer]
+func (p *hostedLoginTranslationProjection) Init() *old_handler.Check {
+	return handler.NewTableCheck(
+		handler.NewTable([]*handler.InitColumn{
+			handler.NewColumn(HostedLoginTranslationInstanceIDCol, handler.ColumnTypeText),
+			handler.NewColumn(HostedLoginTranslationCreationDateCol, handler.ColumnTypeTimestamp),
+			handler.NewColumn(HostedLoginTranslationChangeDateCol, handler.ColumnTypeTimestamp),
+			handler.NewColumn(HostedLoginTranslationAggregateIDCol, handler.ColumnTypeText),
+			handler.NewColumn(HostedLoginTranslationAggregateTypeCol, handler.ColumnTypeText),
+			handler.NewColumn(HostedLoginTranslationSequenceCol, handler.ColumnTypeInt64),
+			handler.NewColumn(HostedLoginTranslationLocaleCol, handler.ColumnTypeText),
+			handler.NewColumn(HostedLoginTranslationFileCol, handler.ColumnTypeJSONB),
+			handler.NewColumn(HostedLoginTranslationEtagCol, handler.ColumnTypeText),
+		},
+			handler.NewPrimaryKey(
+				HostedLoginTranslationInstanceIDCol,
+				HostedLoginTranslationAggregateIDCol,
+				HostedLoginTranslationAggregateTypeCol,
+				HostedLoginTranslationLocaleCol,
+			),
+		),
+	)
+}
+
+func (hltp *hostedLoginTranslationProjection) Name() string {
+	return HostedLoginTranslationTable
+}
+
+func (hltp *hostedLoginTranslationProjection) Reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: org.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  org.HostedLoginTranslationSet,
+					Reduce: hltp.reduceSet,
+				},
+			},
+		},
+		{
+			Aggregate: instance.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  instance.HostedLoginTranslationSet,
+					Reduce: hltp.reduceSet,
+				},
+			},
+		},
+	}
+}
+
+func (hltp *hostedLoginTranslationProjection) reduceSet(e eventstore.Event) (*handler.Statement, error) {
+
+	switch e := e.(type) {
+	case *org.HostedLoginTranslationSetEvent:
+		orgEvent := *e
+		return handler.NewUpsertStatement(
+			&orgEvent,
+			[]handler.Column{
+				handler.NewCol(HostedLoginTranslationInstanceIDCol, nil),
+				handler.NewCol(HostedLoginTranslationAggregateIDCol, nil),
+				handler.NewCol(HostedLoginTranslationAggregateTypeCol, nil),
+				handler.NewCol(HostedLoginTranslationLocaleCol, nil),
+			},
+			[]handler.Column{
+				handler.NewCol(HostedLoginTranslationInstanceIDCol, orgEvent.Aggregate().InstanceID),
+				handler.NewCol(HostedLoginTranslationAggregateIDCol, orgEvent.Aggregate().ID),
+				handler.NewCol(HostedLoginTranslationAggregateTypeCol, orgEvent.Aggregate().Type),
+				handler.NewCol(HostedLoginTranslationCreationDateCol, handler.OnlySetValueOnInsert(HostedLoginTranslationTable, orgEvent.CreationDate())),
+				handler.NewCol(HostedLoginTranslationChangeDateCol, orgEvent.CreationDate()),
+				handler.NewCol(HostedLoginTranslationSequenceCol, orgEvent.Sequence()),
+				handler.NewCol(HostedLoginTranslationLocaleCol, orgEvent.Language),
+				handler.NewCol(HostedLoginTranslationFileCol, orgEvent.Translation),
+				handler.NewCol(HostedLoginTranslationEtagCol, hltp.computeEtag(orgEvent.Translation)),
+			},
+		), nil
+	case *instance.HostedLoginTranslationSetEvent:
+		instanceEvent := *e
+		return handler.NewUpsertStatement(
+			&instanceEvent,
+			[]handler.Column{
+				handler.NewCol(HostedLoginTranslationInstanceIDCol, nil),
+				handler.NewCol(HostedLoginTranslationAggregateIDCol, nil),
+				handler.NewCol(HostedLoginTranslationAggregateTypeCol, nil),
+				handler.NewCol(HostedLoginTranslationLocaleCol, nil),
+			},
+			[]handler.Column{
+				handler.NewCol(HostedLoginTranslationInstanceIDCol, instanceEvent.Aggregate().InstanceID),
+				handler.NewCol(HostedLoginTranslationAggregateIDCol, instanceEvent.Aggregate().ID),
+				handler.NewCol(HostedLoginTranslationAggregateTypeCol, instanceEvent.Aggregate().Type),
+				handler.NewCol(HostedLoginTranslationCreationDateCol, handler.OnlySetValueOnInsert(HostedLoginTranslationTable, instanceEvent.CreationDate())),
+				handler.NewCol(HostedLoginTranslationChangeDateCol, instanceEvent.CreationDate()),
+				handler.NewCol(HostedLoginTranslationSequenceCol, instanceEvent.Sequence()),
+				handler.NewCol(HostedLoginTranslationLocaleCol, instanceEvent.Language),
+				handler.NewCol(HostedLoginTranslationFileCol, instanceEvent.Translation),
+				handler.NewCol(HostedLoginTranslationEtagCol, hltp.computeEtag(instanceEvent.Translation)),
+			},
+		), nil
+	default:
+		return nil, zerrors.ThrowInvalidArgumentf(nil, "PROJE-AZshaa", "reduce.wrong.event.type %v", []eventstore.EventType{org.HostedLoginTranslationSet})
+	}
+
+}
+
+func (hltp *hostedLoginTranslationProjection) computeEtag(translation map[string]any) string {
+	hash := md5.Sum(fmt.Append(nil, translation))
+	return hex.EncodeToString(hash[:])
+}

internal/query/projection/projection.go

@@ -86,6 +86,7 @@ var (
 	UserSchemaProjection                *handler.Handler
 	WebKeyProjection                    *handler.Handler
 	DebugEventsProjection               *handler.Handler
+	HostedLoginTranslationProjection    *handler.Handler
 
 	ProjectGrantFields      *handler.FieldHandler
 	OrgDomainVerifiedFields *handler.FieldHandler
@@ -179,6 +180,7 @@ func Create(ctx context.Context, sqlClient *database.DB, es handler.EventStore,
 	UserSchemaProjection = newUserSchemaProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["user_schemas"]))
 	WebKeyProjection = newWebKeyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["web_keys"]))
 	DebugEventsProjection = newDebugEventsProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["debug_events"]))
+	HostedLoginTranslationProjection = newHostedLoginTranslationProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["hosted_login_translation"]))
 
 	ProjectGrantFields = newFillProjectGrantFields(applyCustomConfig(projectionConfig, config.Customizations[fieldsProjectGrant]))
 	OrgDomainVerifiedFields = newFillOrgDomainVerifiedFields(applyCustomConfig(projectionConfig, config.Customizations[fieldsOrgDomainVerified]))
@@ -357,5 +359,6 @@ func newProjectionsList() {
 		UserSchemaProjection,
 		WebKeyProjection,
 		DebugEventsProjection,
+		HostedLoginTranslationProjection,
 	}
 }

internal/repository/instance/eventstore.go

@@ -130,4 +130,5 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, NotificationPolicyChangedEventType, NotificationPolicyChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, TrustedDomainAddedEventType, eventstore.GenericEventMapper[TrustedDomainAddedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, TrustedDomainRemovedEventType, eventstore.GenericEventMapper[TrustedDomainRemovedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, HostedLoginTranslationSet, HostedLoginTranslationSetEventMapper)
 }

internal/repository/instance/hosted_login_translation.go

@@ -0,0 +1,55 @@
+package instance
+
+import (
+	"context"
+
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	HostedLoginTranslationSet = instanceEventTypePrefix + "hosted_login_translation.set"
+)
+
+type HostedLoginTranslationSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Translation map[string]any `json:"translation,omitempty"`
+	Language    language.Tag   `json:"language,omitempty"`
+	Level       string         `json:"level,omitempty"`
+}
+
+func NewHostedLoginTranslationSetEvent(ctx context.Context, aggregate *eventstore.Aggregate, translation map[string]any, language language.Tag) *HostedLoginTranslationSetEvent {
+	return &HostedLoginTranslationSetEvent{
+		BaseEvent:   *eventstore.NewBaseEventForPush(ctx, aggregate, HostedLoginTranslationSet),
+		Translation: translation,
+		Language:    language,
+		Level:       string(aggregate.Type),
+	}
+}
+
+func (e *HostedLoginTranslationSetEvent) Payload() any {
+	return e
+}
+
+func (e *HostedLoginTranslationSetEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *HostedLoginTranslationSetEvent) Fields() []*eventstore.FieldOperation {
+	return nil
+}
+
+func HostedLoginTranslationSetEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	translationSet := &HostedLoginTranslationSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := event.Unmarshal(translationSet)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "INST-lOxtJJ", "unable to unmarshal hosted login translation set event")
+	}
+
+	return translationSet, nil
+}

internal/repository/org/eventstore.go

@@ -114,4 +114,5 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, NotificationPolicyAddedEventType, NotificationPolicyAddedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, NotificationPolicyChangedEventType, NotificationPolicyChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, NotificationPolicyRemovedEventType, NotificationPolicyRemovedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, HostedLoginTranslationSet, HostedLoginTranslationSetEventMapper)
 }

internal/repository/org/hosted_login_translation.go

@@ -0,0 +1,55 @@
+package org
+
+import (
+	"context"
+
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	HostedLoginTranslationSet = orgEventTypePrefix + "hosted_login_translation.set"
+)
+
+type HostedLoginTranslationSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Translation map[string]any `json:"translation,omitempty"`
+	Language    language.Tag   `json:"language,omitempty"`
+	Level       string         `json:"level,omitempty"`
+}
+
+func NewHostedLoginTranslationSetEvent(ctx context.Context, aggregate *eventstore.Aggregate, translation map[string]any, language language.Tag) *HostedLoginTranslationSetEvent {
+	return &HostedLoginTranslationSetEvent{
+		BaseEvent:   *eventstore.NewBaseEventForPush(ctx, aggregate, HostedLoginTranslationSet),
+		Translation: translation,
+		Language:    language,
+		Level:       string(aggregate.Type),
+	}
+}
+
+func (e *HostedLoginTranslationSetEvent) Payload() any {
+	return e
+}
+
+func (e *HostedLoginTranslationSetEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *HostedLoginTranslationSetEvent) Fields() []*eventstore.FieldOperation {
+	return nil
+}
+
+func HostedLoginTranslationSetEventMapper(event eventstore.Event) (eventstore.Event, error) {
+	translationSet := &HostedLoginTranslationSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := event.Unmarshal(translationSet)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "ORG-BH82Eb", "unable to unmarshal hosted login translation set event")
+	}
+
+	return translationSet, nil
+}

proto/zitadel/settings/v2/settings.proto

@@ -10,4 +10,4 @@ enum ResourceOwnerType {
   RESOURCE_OWNER_TYPE_UNSPECIFIED = 0;
   RESOURCE_OWNER_TYPE_INSTANCE = 1;
   RESOURCE_OWNER_TYPE_ORG = 2;
-}
+}

proto/zitadel/settings/v2/settings_service.proto

@@ -15,6 +15,8 @@ import "google/api/annotations.proto";
 import "google/api/field_behavior.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
 import "validate/validate.proto";
+import "google/protobuf/struct.proto";
+import "zitadel/settings/v2/settings.proto";
 
 option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
 
@@ -362,6 +364,69 @@ service SettingsService {
       description: "Set the security settings of the ZITADEL instance."
     };
   }
+
+  // Get Hosted Login Translation
+  //
+  // Returns the translations in the requested locale for the hosted login.
+  // The translations returned are based on the input level specified (system, instance or organization).
+  //
+  // If the requested level doesn't contain all translations, and ignore_inheritance is set to false,
+  // a merging process fallbacks onto the higher levels ensuring all keys in the file have a translation,
+  // which could be in the default language if the one of the locale is missing on all levels.
+  //
+  // The etag returned in the response represents the hash of the translations as they are stored on DB
+  // and its reliable only if ignore_inheritance = true.
+  //
+  // Required permissions:
+  //   - `iam.policy.read`
+  rpc GetHostedLoginTranslation(GetHostedLoginTranslationRequest) returns (GetHostedLoginTranslationResponse) {
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200";
+        value: {
+          description: "The localized translations.";
+        }
+      };
+    };
+
+    option (google.api.http) = {
+      get: "/v2/settings/hosted_login_translation"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "iam.policy.read"
+      }
+    };
+  }
+
+  // Set Hosted Login Translation
+  //
+  // Sets the input translations at the specified level (instance or organization) for the input language.
+  //
+  // Required permissions:
+  //   - `iam.policy.write`
+  rpc SetHostedLoginTranslation(SetHostedLoginTranslationRequest) returns (SetHostedLoginTranslationResponse) {
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200";
+        value: {
+          description: "The translations was successfully set.";
+        }
+      };
+    };
+    
+    option (google.api.http) = {
+      put: "/v2/settings/hosted_login_translation";
+      body: "*"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "iam.policy.write"
+      }
+    };
+  }
 }
 
 message GetLoginSettingsRequest {
@@ -480,4 +545,76 @@ message SetSecuritySettingsRequest{
 
 message SetSecuritySettingsResponse{
   zitadel.object.v2.Details details = 1;
+}
+
+message GetHostedLoginTranslationRequest {
+  oneof level {
+    bool system = 1 [(validate.rules).bool = {const: true}];
+    bool instance = 2 [(validate.rules).bool = {const: true}];
+    string organization_id = 3;
+  }
+
+  string locale = 4 [
+    (validate.rules).string = {min_len: 2},
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 2;
+      example: "\"fr-FR\"";
+    }
+  ];
+
+  // if set to true, higher levels are ignored, if false higher levels are merged into the file
+  bool ignore_inheritance = 5;
+}
+
+message GetHostedLoginTranslationResponse {
+  // hash of the payload
+  string etag = 1 [
+    (validate.rules).string = {min_len: 32, max_len: 32},
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 32;
+      max_length: 32;
+      example: "\"42a1ba123e6ea6f0c93e286ed97c7018\"";
+    }
+  ];
+
+  google.protobuf.Struct translations = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        example: "{\"common\":{\"back\":\"Indietro\"},\"accounts\":{\"title\":\"Account\",\"description\":\"Seleziona l'account che desideri utilizzare.\",\"addAnother\":\"Aggiungi un altro account\",\"noResults\":\"Nessun account trovato\"}}";
+        description: "Translations contains the translations in the request language.";
+    }
+  ];
+}
+
+message SetHostedLoginTranslationRequest {
+  oneof level {
+    bool instance = 1 [(validate.rules).bool = {const: true}];
+    string organization_id = 2;
+  }
+ 
+  string locale = 3 [
+    (validate.rules).string = {min_len: 2},
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 2;
+      example: "\"fr-FR\"";
+    }
+  ];
+
+  google.protobuf.Struct translations = 4 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        example: "{\"common\":{\"back\":\"Indietro\"},\"accounts\":{\"title\":\"Account\",\"description\":\"Seleziona l'account che desideri utilizzare.\",\"addAnother\":\"Aggiungi un altro account\",\"noResults\":\"Nessun account trovato\"}}";
+        description: "Translations should contain the translations in the specified locale.";
+    }
+  ];
+}
+
+message SetHostedLoginTranslationResponse {
+  // hash of the saved translation. Valid only when ignore_inheritance = true
+  string etag = 1 [
+    (validate.rules).string = {min_len: 32, max_len: 32},
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 32;
+      max_length: 32;
+      example: "\"42a1ba123e6ea6f0c93e286ed97c7018\"";
+    }
+  ];
 }