fix: cleanup some todos (#3642)

* cleanup todo * fix: some todos
2025-03-01 00:07:22 +00:00 · 2022-05-16 16:35:49 +02:00 · 2022-05-16 16:35:49 +02:00 · 3a63fb765a
commit 3a63fb765a
parent 5c0f527a49
45 changed files with 130 additions and 199 deletions
--- a/cmd/admin/start/start.go
+++ b/cmd/admin/start/start.go
@ -157,7 +157,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err != nil {
 		return fmt.Errorf("error starting auth repo: %w", err)
 	}
-	adminRepo, err := admin_es.Start(config.Admin, store, dbClient, login.HandlerPrefix)
+	adminRepo, err := admin_es.Start(config.Admin, store, dbClient)
 	if err != nil {
 		return fmt.Errorf("error starting admin repo: %w", err)
 	}
--- a/docs/docs/apis/proto/admin.md
+++ b/docs/docs/apis/proto/admin.md
@ -3405,7 +3405,7 @@ This is an empty request
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
-| email |  string | TODO: check if no value is allowed | string.email: true<br />  |
+| email |  string | - | string.email: true<br />  |
 | is_email_verified |  bool | - |  |
--- a/docs/docs/apis/proto/app.md
+++ b/docs/docs/apis/proto/app.md
@ -16,7 +16,6 @@ title: zitadel/app.proto
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | client_id |  string | - |  |
 | client_secret |  string | - |  |
 | auth_method_type |  APIAuthMethodType | - |  |
@ -72,7 +71,6 @@ title: zitadel/app.proto
 | grant_types | repeated OIDCGrantType | - |  |
 | app_type |  OIDCAppType | - |  |
 | client_id |  string | - |  |
 | client_secret |  string | - |  |
 | auth_method_type |  OIDCAuthMethodType | - |  |
 | post_logout_redirect_uris | repeated string | - |  |
 | version |  OIDCVersion | - |  |
--- a/docs/docs/apis/proto/auth.md
+++ b/docs/docs/apis/proto/auth.md
@ -1341,7 +1341,7 @@ This is an empty request
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
-| email |  string | TODO: check if no value is allowed | string.email: true<br />  |
+| email |  string | - | string.email: true<br />  |
--- a/docs/docs/apis/proto/management.md
+++ b/docs/docs/apis/proto/management.md
@ -3155,7 +3155,7 @@ This is an empty request
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
-| email |  string | TODO: check if no value is allowed | string.email: true<br />  |
+| email |  string | - | string.email: true<br />  |
 | is_email_verified |  bool | - |  |
@ -5159,7 +5159,7 @@ This is an empty response
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
-| email |  string | TODO: check if no value is allowed | string.email: true<br />  |
+| email |  string | - | string.email: true<br />  |
 | is_email_verified |  bool | - |  |
--- a/internal/admin/repository/eventsourcing/handler/handler.go
+++ b/internal/admin/repository/eventsourcing/handler/handler.go
@ -28,13 +28,12 @@ func (h *handler) Eventstore() v1.Eventstore {
 	return h.es
 }
-func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, static static.Storage, loginPrefix string) []query.Handler {
+func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, static static.Storage) []query.Handler {
 	handlers := []query.Handler{}
 	if static != nil {
 		handlers = append(handlers, newStyling(
 			handler{view, bulkLimit, configs.cycleDuration("Styling"), errorCount, es},
-			static,
+			static))
 			loginPrefix))
 	}
 	return handlers
 }
--- a/internal/admin/repository/eventsourcing/handler/styling.go
+++ b/internal/admin/repository/eventsourcing/handler/styling.go
@ -11,6 +11,7 @@ import (
 	"github.com/muesli/gamut"
 	"github.com/zitadel/logging"
 	"github.com/zitadel/zitadel/internal/api/ui/login"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	v1 "github.com/zitadel/zitadel/internal/eventstore/v1"
@ -31,16 +32,13 @@ type Styling struct {
 	handler
 	static       static.Storage
 	subscription *v1.Subscription
 	resourceUrl  string
 }
-func newStyling(handler handler, static static.Storage, loginPrefix string) *Styling {
+func newStyling(handler handler, static static.Storage) *Styling {
 	h := &Styling{
 		handler: handler,
 		static:  static,
 	}
 	h.resourceUrl = loginPrefix + "/resources/dynamic" //TODO: ?
 	h.subscribe()
 	return h
@ -218,7 +216,7 @@ func (m *Styling) writeFile(policy *iam_model.LabelPolicyView) (io.Reader, int64
 	}
 	cssContent += "}"
 	if policy.FontURL != "" {
-		cssContent += fmt.Sprintf(fontFaceTemplate, fontname, m.resourceUrl, policy.AggregateID, policy.FontURL)
+		cssContent += fmt.Sprintf(fontFaceTemplate, fontname, login.HandlerPrefix+login.EndpointDynamicResources, policy.AggregateID, policy.FontURL)
 	}
 	cssContent += ".lgn-dark-theme {"
 	if policy.PrimaryColorDark != "" {
--- a/internal/admin/repository/eventsourcing/repository.go
+++ b/internal/admin/repository/eventsourcing/repository.go
@ -22,7 +22,7 @@ type EsRepository struct {
 	eventstore.AdministratorRepo
 }
-func Start(conf Config, static static.Storage, dbClient *sql.DB, loginPrefix string) (*EsRepository, error) {
+func Start(conf Config, static static.Storage, dbClient *sql.DB) (*EsRepository, error) {
 	es, err := v1.Start(dbClient)
 	if err != nil {
 		return nil, err
@ -32,7 +32,7 @@ func Start(conf Config, static static.Storage, dbClient *sql.DB, loginPrefix str
 		return nil, err
 	}
-	spool := spooler.StartSpooler(conf.Spooler, es, view, dbClient, static, loginPrefix)
+	spool := spooler.StartSpooler(conf.Spooler, es, view, dbClient, static)
 	return &EsRepository{
 		spooler: spool,
--- a/internal/admin/repository/eventsourcing/spooler/spooler.go
+++ b/internal/admin/repository/eventsourcing/spooler/spooler.go
@ -18,12 +18,12 @@ type SpoolerConfig struct {
 	Handlers              handler.Configs
 }
-func StartSpooler(c SpoolerConfig, es v1.Eventstore, view *view.View, sql *sql.DB, static static.Storage, loginPrefix string) *spooler.Spooler {
+func StartSpooler(c SpoolerConfig, es v1.Eventstore, view *view.View, sql *sql.DB, static static.Storage) *spooler.Spooler {
 	spoolerConfig := spooler.Config{
 		Eventstore:        es,
 		Locker:            &locker{dbClient: sql},
 		ConcurrentWorkers: c.ConcurrentWorkers,
-		ViewHandlers:      handler.Register(c.Handlers, c.BulkLimit, c.FailureCountUntilSkip, view, es, static, loginPrefix),
+		ViewHandlers:      handler.Register(c.Handlers, c.BulkLimit, c.FailureCountUntilSkip, view, es, static),
 	}
 	spool := spoolerConfig.New()
 	spool.Start()
--- a/internal/api/assets/asset.go
+++ b/internal/api/assets/asset.go
@ -81,7 +81,7 @@ func NewHandler(commands *command.Commands, verifier *authz.TokenVerifier, authC
 		query:           queries,
 	}
-	verifier.RegisterServer("Management-API", "assets", AssetsService_AuthMethods) //TODO: separate api?
+	verifier.RegisterServer("Assets-API", "assets", AssetsService_AuthMethods)
 	router := mux.NewRouter()
 	router.Use(sentryhttp.New(sentryhttp.Options{}).Handle, instanceInterceptor)
 	RegisterRoutes(router, h)
--- a/internal/api/grpc/action/action.go
+++ b/internal/api/grpc/action/action.go
@ -1,11 +1,12 @@
 package action
 import (
 	"google.golang.org/protobuf/types/known/durationpb"
 	object_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	action_pb "github.com/zitadel/zitadel/pkg/grpc/action"
 	"google.golang.org/protobuf/types/known/durationpb"
 )
 func FlowTypeToDomain(flowType action_pb.FlowType) domain.FlowType {
--- a/internal/api/grpc/admin/domain_policy.go
+++ b/internal/api/grpc/admin/domain_policy.go
@ -86,9 +86,6 @@ func domainPolicyToDomain(userLoginMustBeDomain, validateOrgDomains, smtpSenderA
 func updateDomainPolicyToDomain(req *admin_pb.UpdateDomainPolicyRequest) *domain.DomainPolicy {
 	return &domain.DomainPolicy{
 		// ObjectRoot: models.ObjectRoot{
 		// 	// AggreagateID: //TODO: there should only be ONE default
 		// },
 		UserLoginMustBeDomain:                  req.UserLoginMustBeDomain,
 		ValidateOrgDomains:                     req.ValidateOrgDomains,
 		SMTPSenderAddressMatchesInstanceDomain: req.SmtpSenderAddressMatchesInstanceDomain,
--- a/internal/api/grpc/admin/idp_converter_test.go
+++ b/internal/api/grpc/admin/idp_converter_test.go
@ -45,7 +45,7 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
 				"State",
 				"OIDCConfig.AuthorizationEndpoint",
 				"OIDCConfig.TokenEndpoint",
-				"Type", //TODO: default (0) is oidc
+				"Type",
 				"JWTConfig",
 			)
 		})
@ -79,7 +79,7 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
 			got := addOIDCIDPRequestToDomainOIDCIDPConfig(tt.args.req)
 			test.AssertFieldsMapped(t, got,
 				"ObjectRoot",
-				"ClientSecret", //TODO: is client secret string enough for backend?
+				"ClientSecret",
 				"IDPConfigID",
 				"AuthorizationEndpoint",
 				"TokenEndpoint",
@ -116,7 +116,7 @@ func Test_updateIDPToDomain(t *testing.T) {
 				"OIDCConfig",
 				"JWTConfig",
 				"State",
-				"Type", //TODO: type should not be changeable
+				"Type",
 			)
 		})
 	}
--- a/internal/api/grpc/admin/instance_converter.go
+++ b/internal/api/grpc/admin/instance_converter.go
@ -5,6 +5,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/query"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 	"github.com/zitadel/zitadel/pkg/grpc/instance"
 )
 func ListInstanceDomainsRequestToModel(req *admin_pb.ListInstanceDomainsRequest) (*query.InstanceDomainSearchQueries, error) {
@ -15,11 +16,26 @@ func ListInstanceDomainsRequestToModel(req *admin_pb.ListInstanceDomainsRequest)
 	}
 	return &query.InstanceDomainSearchQueries{
 		SearchRequest: query.SearchRequest{
-			Offset: offset,
+			Offset:        offset,
-			Limit:  limit,
+			Limit:         limit,
-			Asc:    asc,
+			Asc:           asc,
 			SortingColumn: fieldNameToInstanceDomainColumn(req.SortingColumn),
 		},
 		//SortingColumn: //TODO: sorting
 		Queries: queries,
 	}, nil
 }
 func fieldNameToInstanceDomainColumn(fieldName instance.DomainFieldName) query.Column {
 	switch fieldName {
 	case instance.DomainFieldName_DOMAIN_FIELD_NAME_DOMAIN:
 		return query.InstanceDomainDomainCol
 	case instance.DomainFieldName_DOMAIN_FIELD_NAME_PRIMARY:
 		return query.InstanceDomainIsPrimaryCol
 	case instance.DomainFieldName_DOMAIN_FIELD_NAME_GENERATED:
 		return query.InstanceDomainIsGeneratedCol
 	case instance.DomainFieldName_DOMAIN_FIELD_NAME_CREATION_DATE:
 		return query.InstanceDomainCreationDateCol
 	default:
 		return query.Column{}
 	}
 }
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@ -52,15 +52,13 @@ func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*
 	if err != nil {
 		return nil, err
 	}
 	_ = userIDs                                                                        //TODO: handle userIDs
 	human := setUpOrgHumanToCommand(req.User.(*admin_pb.SetUpOrgRequest_Human_).Human) //TODO: handle machine
 	org := setUpOrgOrgToDomain(req.Org)                                                //TODO: handle domain
 	_ = org
 	userID, objectDetails, err := s.command.SetUpOrg(ctx, &command.OrgSetup{
-		Name:  req.Org.Name,
+		Name:         req.Org.Name,
-		Human: human,
+		CustomDomain: req.Org.Domain,
-	})
+		Human:        human,
 	}, userIDs...)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/org_converter.go
+++ b/internal/api/grpc/admin/org_converter.go
@ -3,7 +3,6 @@ package admin
 import (
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	org_grpc "github.com/zitadel/zitadel/internal/api/grpc/org"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/pkg/grpc/admin"
 	"github.com/zitadel/zitadel/pkg/grpc/org"
@ -34,14 +33,3 @@ func fieldNameToOrgColumn(fieldName org.OrgFieldName) query.Column {
 		return query.Column{}
 	}
 }
 func setUpOrgOrgToDomain(req *admin.SetUpOrgRequest_Org) *domain.Org {
 	org := &domain.Org{
 		Name:    req.Name,
 		Domains: []*domain.OrgDomain{},
 	}
 	if req.Domain != "" {
 		org.Domains = append(org.Domains, &domain.OrgDomain{Domain: req.Domain})
 	}
 	return org
 }
--- a/internal/api/grpc/idp/converter.go
+++ b/internal/api/grpc/idp/converter.go
@ -190,8 +190,6 @@ func IDPViewToConfigPb(config *query.IDP) idp_pb.IDPConfig {
 func FieldNameToModel(fieldName idp_pb.IDPFieldName) query.Column {
 	switch fieldName {
 	// case admin.IdpSearchKey_IDPSEARCHKEY_IDP_CONFIG_ID: //TODO: not implemented in proto
 	// 	return iam_model.IDPConfigSearchKeyIdpConfigID
 	case idp_pb.IDPFieldName_IDP_FIELD_NAME_NAME:
 		return query.IDPNameCol
 	default:
--- a/internal/api/grpc/management/idp_converter_test.go
+++ b/internal/api/grpc/management/idp_converter_test.go
@ -45,7 +45,7 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
 				"State",
 				"OIDCConfig.AuthorizationEndpoint",
 				"OIDCConfig.TokenEndpoint",
-				"Type", //TODO: default (0) is oidc
+				"Type",
 				"JWTConfig",
 			)
 		})
@ -79,7 +79,7 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
 			got := addOIDCIDPRequestToDomainOIDCIDPConfig(tt.args.req)
 			test.AssertFieldsMapped(t, got,
 				"ObjectRoot",
-				"ClientSecret", //TODO: is client secret string enough for backend?
+				"ClientSecret",
 				"IDPConfigID",
 				"AuthorizationEndpoint",
 				"TokenEndpoint",
@ -116,7 +116,7 @@ func Test_updateIDPToDomain(t *testing.T) {
 				"OIDCConfig",
 				"JWTConfig",
 				"State",
-				"Type", //TODO: type should not be changeable
+				"Type",
 			)
 		})
 	}
--- a/internal/api/grpc/project/application.go
+++ b/internal/api/grpc/project/application.go
@ -65,7 +65,6 @@ func AppAPIConfigToPb(app *query.APIApp) app_pb.AppConfig {
 	return &app_pb.App_ApiConfig{
 		ApiConfig: &app_pb.APIConfig{
 			ClientId:       app.ClientID,
 			ClientSecret:   "", //TODO: remove from proto
 			AuthMethodType: APIAuthMethodeTypeToPb(app.AuthMethodType),
 		},
 	}
--- a/internal/api/grpc/user/membership.go
+++ b/internal/api/grpc/user/membership.go
@ -2,10 +2,8 @@ package user
 import (
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/query"
 	user_model "github.com/zitadel/zitadel/internal/user/model"
 	user_pb "github.com/zitadel/zitadel/pkg/grpc/user"
 )
@ -36,62 +34,6 @@ func MembershipQueryToQuery(req *user_pb.MembershipQuery) (query.SearchQuery, er
 	}
 }
 func MembershipIAMQueryToModel(q *user_pb.MembershipIAMQuery) []*user_model.UserMembershipSearchQuery {
 	return []*user_model.UserMembershipSearchQuery{
 		{
 			Key:    user_model.UserMembershipSearchKeyMemberType,
 			Method: domain.SearchMethodEquals,
 			Value:  user_model.MemberTypeIam,
 		},
 		//TODO: q.IAM?
 	}
 }
 func MembershipOrgQueryToModel(q *user_pb.MembershipOrgQuery) []*user_model.UserMembershipSearchQuery {
 	return []*user_model.UserMembershipSearchQuery{
 		{
 			Key:    user_model.UserMembershipSearchKeyMemberType,
 			Method: domain.SearchMethodEquals,
 			Value:  user_model.MemberTypeOrganisation,
 		},
 		{
 			Key:    user_model.UserMembershipSearchKeyObjectID,
 			Method: domain.SearchMethodEquals,
 			Value:  q.OrgId,
 		},
 	}
 }
 func MembershipProjectQueryToModel(q *user_pb.MembershipProjectQuery) []*user_model.UserMembershipSearchQuery {
 	return []*user_model.UserMembershipSearchQuery{
 		{
 			Key:    user_model.UserMembershipSearchKeyMemberType,
 			Method: domain.SearchMethodEquals,
 			Value:  user_model.MemberTypeProject,
 		},
 		{
 			Key:    user_model.UserMembershipSearchKeyObjectID,
 			Method: domain.SearchMethodEquals,
 			Value:  q.ProjectId,
 		},
 	}
 }
 func MembershipProjectGrantQueryToModel(q *user_pb.MembershipProjectGrantQuery) []*user_model.UserMembershipSearchQuery {
 	return []*user_model.UserMembershipSearchQuery{
 		{
 			Key:    user_model.UserMembershipSearchKeyMemberType,
 			Method: domain.SearchMethodEquals,
 			Value:  user_model.MemberTypeProjectGrant,
 		},
 		{
 			Key:    user_model.UserMembershipSearchKeyObjectID,
 			Method: domain.SearchMethodEquals,
 			Value:  q.ProjectGrantId,
 		},
 	}
 }
 func MembershipsToMembershipsPb(memberships []*query.Membership) []*user_pb.Membership {
 	converted := make([]*user_pb.Membership, len(memberships))
 	for i, membership := range memberships {
--- a/internal/api/http/middleware/auth_interceptor.go
+++ b/internal/api/http/middleware/auth_interceptor.go
@ -62,7 +62,7 @@ func authorize(r *http.Request, verifier *authz.TokenVerifier, authConfig authz.
 		return nil, errors.New("auth header missing")
 	}
-	ctxSetter, err := authz.CheckUserAuthorization(authCtx, &httpReq{}, authToken, http_util.GetOrgID(r), verifier, authConfig, authOpt, r.RequestURI) //TODO: permission
+	ctxSetter, err := authz.CheckUserAuthorization(authCtx, &httpReq{}, authToken, http_util.GetOrgID(r), verifier, authConfig, authOpt, r.RequestURI)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@ -29,7 +29,6 @@ func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest
 		return nil, errors.ThrowPreconditionFailed(err, "OIDC-Gqrfg", "Errors.Internal")
 	}
 	authRequest := CreateAuthRequestToBusiness(ctx, req, userAgentID, userID)
 	//TODO: ensure splitting of command and query side durring auth request and login refactoring
 	resp, err := o.repo.CreateAuthRequest(ctx, authRequest)
 	if err != nil {
 		return nil, err
--- a/internal/api/ui/login/register_org_handler.go
+++ b/internal/api/ui/login/register_org_handler.go
@ -66,8 +66,7 @@ func (l *Login) handleRegisterOrgCheck(w http.ResponseWriter, r *http.Request) {
 		l.renderRegisterOrg(w, r, authRequest, data, err)
 		return
 	}
-	_ = userIDs //TODO: handle userIDs
+	_, _, err = l.command.SetUpOrg(ctx, data.toCommandOrg(), userIDs...)
 	_, _, err = l.command.SetUpOrg(ctx, data.toCommandOrg())
 	if err != nil {
 		l.renderRegisterOrg(w, r, authRequest, data, err)
 		return
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@ -432,7 +432,7 @@ func (l *Login) getErrorMessage(r *http.Request, err error) (errID, errMsg strin
 }
 func (l *Login) getTheme(r *http.Request) string {
-	return "zitadel" //TODO: impl
+	return "zitadel"
 }
 func (l *Login) getThemeMode(r *http.Request) string {
--- a/internal/command/org.go
+++ b/internal/command/org.go
@ -17,11 +17,12 @@ import (
 )
 type OrgSetup struct {
-	Name  string
+	Name         string
-	Human AddHuman
+	CustomDomain string
 	Human        AddHuman
 }
-func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup) (string, *domain.ObjectDetails, error) {
+func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup, userIDs ...string) (string, *domain.ObjectDetails, error) {
 	orgID, err := id.SonyFlakeGenerator.Next()
 	if err != nil {
 		return "", nil, err
@ -35,11 +36,19 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup) (string, *domain.O
 	orgAgg := org.NewAggregate(orgID)
 	userAgg := user_repo.NewAggregate(userID, orgID)
-	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter,
+	validations := []preparation.Validation{
-		AddOrgCommand(ctx, orgAgg, o.Name),
+		AddOrgCommand(ctx, orgAgg, o.Name, userIDs...),
 		AddHumanCommand(userAgg, &o.Human, c.userPasswordAlg, c.userEncryption),
 		c.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner),
-	)
+	}
 	if o.CustomDomain != "" {
 		validations = append(validations, AddOrgDomain(orgAgg, o.CustomDomain))
 		for _, userID := range userIDs {
 			validations = append(validations, c.prepareUserDomainClaimed(userID))
 		}
 	}
 	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...)
 	if err != nil {
 		return "", nil, err
 	}
@ -57,7 +66,7 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup) (string, *domain.O
 //AddOrgCommand defines the commands to create a new org,
 // this includes the verified default domain
-func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string) preparation.Validation {
+func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string, userIDs ...string) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		if name = strings.TrimSpace(name); name == "" {
 			return nil, errors.ThrowInvalidArgument(nil, "ORG-mruNY", "Errors.Invalid.Argument")
--- a/internal/command/project_application_api.go
+++ b/internal/command/project_application_api.go
@ -44,8 +44,6 @@ func AddAPIAppCommand(app *addAPIApp, clientSecretAlg crypto.HashAlgorithm) prep
 				return nil, errors.ThrowInternal(err, "V2-f0pgP", "Errors.Internal")
 			}
 			//requires client secret
 			// TODO(release blocking):we have to return the secret
 			if app.AuthMethodType == domain.APIAuthMethodTypeBasic {
 				app.ClientSecret, app.ClientSecretPlain, err = newAppClientSecret(ctx, filter, clientSecretAlg)
 				if err != nil {
--- a/internal/command/user.go
+++ b/internal/command/user.go
@ -340,6 +340,38 @@ func (c *Commands) userDomainClaimed(ctx context.Context, userID string) (events
 	}, changedUserGrant, nil
 }
 func (c *Commands) prepareUserDomainClaimed(userID string) preparation.Validation {
 	return func() (_ preparation.CreateCommands, err error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			userWriteModel, err := userWriteModelByID(ctx, filter, userID, "")
 			if err != nil {
 				return nil, err
 			}
 			if !userWriteModel.UserState.Exists() {
 				return nil, caos_errs.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound")
 			}
 			domainPolicy, err := domainPolicyWriteModel(ctx, filter)
 			if err != nil {
 				return nil, err
 			}
 			userAgg := UserAggregateFromWriteModel(&userWriteModel.WriteModel)
 			id, err := c.idGenerator.Next()
 			if err != nil {
 				return nil, err
 			}
 			return []eventstore.Command{user.NewDomainClaimedEvent(
 				ctx,
 				userAgg,
 				fmt.Sprintf("%s@temporary.%s", id, authz.GetInstance(ctx).RequestedDomain()),
 				userWriteModel.UserName,
 				domainPolicy.UserLoginMustBeDomain),
 			}, nil
 		}, nil
 	}
 }
 func (c *Commands) UserDomainClaimedSent(ctx context.Context, orgID, userID string) (err error) {
 	if userID == "" {
 		return caos_errs.ThrowInvalidArgument(nil, "COMMAND-5m0fs", "Errors.IDMissing")
@ -414,3 +446,17 @@ func ExistsUser(ctx context.Context, filter preparation.FilterToQueryReducer, id
 func newUserInitCode(ctx context.Context, filter preparation.FilterToQueryReducer, alg crypto.EncryptionAlgorithm) (value *crypto.CryptoValue, expiry time.Duration, err error) {
 	return newCryptoCodeWithExpiry(ctx, filter, domain.SecretGeneratorTypeInitCode, alg)
 }
 func userWriteModelByID(ctx context.Context, filter preparation.FilterToQueryReducer, userID, resourceOwner string) (*UserWriteModel, error) {
 	user := NewUserWriteModel(userID, resourceOwner)
 	events, err := filter(ctx, user.Query())
 	if err != nil {
 		return nil, err
 	}
 	if len(events) == 0 {
 		return nil, nil
 	}
 	user.AppendEvents(events...)
 	err = user.Reduce()
 	return user, err
 }
--- a/internal/eventstore/handler/crdb/init.go
+++ b/internal/eventstore/handler/crdb/init.go
@ -344,7 +344,7 @@ func columnType(columnType ColumnType) string {
 	case ColumnTypeBytes:
 		return "BYTES"
 	default:
-		panic("") //TODO: remove?
+		panic("unknown column type")
 		return ""
 	}
 }
--- a/internal/query/instance.go
+++ b/internal/query/instance.go
@ -248,7 +248,6 @@ func prepareInstancesQuery() (sq.SelectBuilder, func(*sql.Rows) (*Instances, err
 			for rows.Next() {
 				instance := new(Instance)
 				lang := ""
 				//TODO: Get Host
 				err := rows.Scan(
 					&instance.ID,
 					&instance.CreationDate,
--- a/internal/query/project.go
+++ b/internal/query/project.go
@ -59,10 +59,6 @@ var (
 		name:  projection.ProjectColumnInstanceID,
 		table: projectsTable,
 	}
 	ProjectColumnCreator = Column{
 		name:  projection.ProjectColumnCreator,
 		table: projectsTable,
 	}
 	ProjectColumnSequence = Column{
 		name:  projection.ProjectColumnSequence,
 		table: projectsTable,
--- a/internal/query/project_grant.go
+++ b/internal/query/project_grant.go
@ -65,10 +65,6 @@ var (
 		name:  projection.ProjectGrantColumnRoleKeys,
 		table: projectGrantsTable,
 	}
 	ProjectGrantColumnCreator = Column{
 		name:  projection.ProjectGrantColumnCreator,
 		table: projectGrantsTable,
 	}
 	ProjectGrantColumnGrantedOrgName = Column{
 		name:  projection.OrgColumnName,
 		table: orgsTable.setAlias(ProjectGrantGrantedOrgTableAlias),
--- a/internal/query/project_role.go
+++ b/internal/query/project_role.go
@ -53,10 +53,6 @@ var (
 		name:  projection.ProjectRoleColumnGroupName,
 		table: projectRolesTable,
 	}
 	ProjectRoleColumnCreator = Column{
 		name:  projection.ProjectRoleColumnCreator,
 		table: projectRolesTable,
 	}
 )
 type ProjectRoles struct {
--- a/internal/query/projection/app.go
+++ b/internal/query/projection/app.go
@ -94,17 +94,17 @@ func NewAppProjection(ctx context.Context, config crdb.StatementHandlerConfig) *
 			crdb.NewColumn(AppOIDCConfigColumnClientID, crdb.ColumnTypeText),
 			crdb.NewColumn(AppOIDCConfigColumnClientSecret, crdb.ColumnTypeJSONB, crdb.Nullable()),
 			crdb.NewColumn(AppOIDCConfigColumnRedirectUris, crdb.ColumnTypeTextArray, crdb.Nullable()),
-			crdb.NewColumn(AppOIDCConfigColumnResponseTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()), //TODO: null?
+			crdb.NewColumn(AppOIDCConfigColumnResponseTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()),
-			crdb.NewColumn(AppOIDCConfigColumnGrantTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()),    //TODO: null?
+			crdb.NewColumn(AppOIDCConfigColumnGrantTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()),
 			crdb.NewColumn(AppOIDCConfigColumnApplicationType, crdb.ColumnTypeEnum),
 			crdb.NewColumn(AppOIDCConfigColumnAuthMethodType, crdb.ColumnTypeEnum),
 			crdb.NewColumn(AppOIDCConfigColumnPostLogoutRedirectUris, crdb.ColumnTypeTextArray, crdb.Nullable()),
 			crdb.NewColumn(AppOIDCConfigColumnDevMode, crdb.ColumnTypeBool),
 			crdb.NewColumn(AppOIDCConfigColumnAccessTokenType, crdb.ColumnTypeEnum),
-			crdb.NewColumn(AppOIDCConfigColumnAccessTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Nullable()), //TODO: null?
+			crdb.NewColumn(AppOIDCConfigColumnAccessTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Default(false)),
-			crdb.NewColumn(AppOIDCConfigColumnIDTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Nullable()),     //TODO: null?
+			crdb.NewColumn(AppOIDCConfigColumnIDTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Default(false)),
-			crdb.NewColumn(AppOIDCConfigColumnIDTokenUserinfoAssertion, crdb.ColumnTypeBool, crdb.Nullable()), //TODO: null?
+			crdb.NewColumn(AppOIDCConfigColumnIDTokenUserinfoAssertion, crdb.ColumnTypeBool, crdb.Default(false)),
-			crdb.NewColumn(AppOIDCConfigColumnClockSkew, crdb.ColumnTypeInt64, crdb.Nullable()),               //TODO: null?
+			crdb.NewColumn(AppOIDCConfigColumnClockSkew, crdb.ColumnTypeInt64, crdb.Default(0)),
 			crdb.NewColumn(AppOIDCConfigColumnAdditionalOrigins, crdb.ColumnTypeTextArray, crdb.Nullable()),
 		},
 			crdb.NewPrimaryKey(AppOIDCConfigColumnAppID),
--- a/internal/query/projection/project.go
+++ b/internal/query/projection/project.go
@ -26,7 +26,6 @@ const (
 	ProjectColumnProjectRoleCheck       = "project_role_check"
 	ProjectColumnHasProjectCheck        = "has_project_check"
 	ProjectColumnPrivateLabelingSetting = "private_labeling_setting"
 	ProjectColumnCreator                = "creator_id" //TODO: necessary?
 )
 type ProjectProjection struct {
@ -51,7 +50,6 @@ func NewProjectProjection(ctx context.Context, config crdb.StatementHandlerConfi
 			crdb.NewColumn(ProjectColumnProjectRoleCheck, crdb.ColumnTypeBool),
 			crdb.NewColumn(ProjectColumnHasProjectCheck, crdb.ColumnTypeBool),
 			crdb.NewColumn(ProjectColumnPrivateLabelingSetting, crdb.ColumnTypeEnum),
 			crdb.NewColumn(ProjectColumnCreator, crdb.ColumnTypeText),
 		},
 			crdb.NewPrimaryKey(ProjectColumnInstanceID, ProjectColumnID),
 			crdb.WithIndex(crdb.NewIndex("ro_idx", []string{ProjectColumnResourceOwner})),
@ -111,7 +109,6 @@ func (p *ProjectProjection) reduceProjectAdded(event eventstore.Event) (*handler
 			handler.NewCol(ProjectColumnHasProjectCheck, e.HasProjectCheck),
 			handler.NewCol(ProjectColumnPrivateLabelingSetting, e.PrivateLabelingSetting),
 			handler.NewCol(ProjectColumnState, domain.ProjectStateActive),
 			handler.NewCol(ProjectColumnCreator, e.EditorUser()),
 		},
 	), nil
 }
--- a/internal/query/projection/project_grant.go
+++ b/internal/query/projection/project_grant.go
@ -26,7 +26,6 @@ const (
 	ProjectGrantColumnProjectID     = "project_id"
 	ProjectGrantColumnGrantedOrgID  = "granted_org_id"
 	ProjectGrantColumnRoleKeys      = "granted_role_keys"
 	ProjectGrantColumnCreator       = "creator_id" //TODO: necessary?
 )
 type ProjectGrantProjection struct {
@ -49,7 +48,6 @@ func NewProjectGrantProjection(ctx context.Context, config crdb.StatementHandler
 			crdb.NewColumn(ProjectGrantColumnProjectID, crdb.ColumnTypeText),
 			crdb.NewColumn(ProjectGrantColumnGrantedOrgID, crdb.ColumnTypeText),
 			crdb.NewColumn(ProjectGrantColumnRoleKeys, crdb.ColumnTypeTextArray),
 			crdb.NewColumn(ProjectGrantColumnCreator, crdb.ColumnTypeText),
 		},
 			crdb.NewPrimaryKey(ProjectGrantColumnInstanceID, ProjectGrantColumnGrantID),
 			crdb.WithIndex(crdb.NewIndex("ro_idx", []string{ProjectGrantColumnResourceOwner})),
@ -116,7 +114,6 @@ func (p *ProjectGrantProjection) reduceProjectGrantAdded(event eventstore.Event)
 			handler.NewCol(ProjectGrantColumnSequence, e.Sequence()),
 			handler.NewCol(ProjectGrantColumnGrantedOrgID, e.GrantedOrgID),
 			handler.NewCol(ProjectGrantColumnRoleKeys, pq.StringArray(e.RoleKeys)),
 			handler.NewCol(ProjectGrantColumnCreator, e.EditorUser()),
 		},
 	), nil
 }
--- a/internal/query/projection/project_grant_test.go
+++ b/internal/query/projection/project_grant_test.go
@ -220,7 +220,7 @@ func TestProjectGrantProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.project_grants (grant_id, project_id, creation_date, change_date, resource_owner, instance_id, state, sequence, granted_org_id, granted_role_keys, creator_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)",
+							expectedStmt: "INSERT INTO projections.project_grants (grant_id, project_id, creation_date, change_date, resource_owner, instance_id, state, sequence, granted_org_id, granted_role_keys) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"grant-id",
 								"agg-id",
@ -232,7 +232,6 @@ func TestProjectGrantProjection_reduces(t *testing.T) {
 								uint64(15),
 								"granted-org-id",
 								pq.StringArray{"admin", "user"},
 								"editor-user",
 							},
 						},
 					},
--- a/internal/query/projection/project_role.go
+++ b/internal/query/projection/project_role.go
@ -22,7 +22,6 @@ const (
 	ProjectRoleColumnInstanceID    = "instance_id"
 	ProjectRoleColumnDisplayName   = "display_name"
 	ProjectRoleColumnGroupName     = "group_name"
 	ProjectRoleColumnCreator       = "creator_id" //TODO: necessary?
 )
 type ProjectRoleProjection struct {
@ -44,7 +43,6 @@ func NewProjectRoleProjection(ctx context.Context, config crdb.StatementHandlerC
 			crdb.NewColumn(ProjectRoleColumnInstanceID, crdb.ColumnTypeText),
 			crdb.NewColumn(ProjectRoleColumnDisplayName, crdb.ColumnTypeText),
 			crdb.NewColumn(ProjectRoleColumnGroupName, crdb.ColumnTypeText),
 			crdb.NewColumn(ProjectRoleColumnCreator, crdb.ColumnTypeText),
 		},
 			crdb.NewPrimaryKey(ProjectRoleColumnInstanceID, ProjectRoleColumnProjectID, ProjectRoleColumnKey),
 		),
@ -96,7 +94,6 @@ func (p *ProjectRoleProjection) reduceProjectRoleAdded(event eventstore.Event) (
 			handler.NewCol(ProjectRoleColumnSequence, e.Sequence()),
 			handler.NewCol(ProjectRoleColumnDisplayName, e.DisplayName),
 			handler.NewCol(ProjectRoleColumnGroupName, e.Group),
 			handler.NewCol(ProjectRoleColumnCreator, e.EditorUser()),
 		},
 	), nil
 }
--- a/internal/query/projection/project_role_test.go
+++ b/internal/query/projection/project_role_test.go
@ -143,7 +143,7 @@ func TestProjectRoleProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.project_roles (role_key, project_id, creation_date, change_date, resource_owner, instance_id, sequence, display_name, group_name, creator_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+							expectedStmt: "INSERT INTO projections.project_roles (role_key, project_id, creation_date, change_date, resource_owner, instance_id, sequence, display_name, group_name) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"key",
 								"agg-id",
@ -154,7 +154,6 @@ func TestProjectRoleProjection_reduces(t *testing.T) {
 								uint64(15),
 								"Key",
 								"Group",
 								"editor-user",
 							},
 						},
 					},
--- a/internal/query/projection/project_test.go
+++ b/internal/query/projection/project_test.go
@ -178,7 +178,7 @@ func TestProjectProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.projects (id, creation_date, change_date, resource_owner, instance_id, sequence, name, project_role_assertion, project_role_check, has_project_check, private_labeling_setting, state, creator_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)",
+							expectedStmt: "INSERT INTO projections.projects (id, creation_date, change_date, resource_owner, instance_id, sequence, name, project_role_assertion, project_role_check, has_project_check, private_labeling_setting, state) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@ -192,7 +192,6 @@ func TestProjectProjection_reduces(t *testing.T) {
 								true,
 								domain.PrivateLabelingSettingEnforceProjectResourceOwnerPolicy,
 								domain.ProjectStateActive,
 								"editor-user",
 							},
 						},
 					},
--- a/internal/query/user_test.go
+++ b/internal/query/user_test.go
@ -88,7 +88,6 @@ var (
 		` projections.users.change_date,` +
 		` projections.users.resource_owner,` +
 		` projections.users.sequence,` +
 		//` projections.users.state,` + //TODO:
 		` projections.users_humans.user_id,` +
 		` projections.users_humans.first_name,` +
 		` projections.users_humans.last_name,` +
@ -105,7 +104,6 @@ var (
 		"change_date",
 		"resource_owner",
 		"sequence",
 		//"state", //TODO:
 		"user_id",
 		"first_name",
 		"last_name",
@ -120,7 +118,6 @@ var (
 		` projections.users.change_date,` +
 		` projections.users.resource_owner,` +
 		` projections.users.sequence,` +
 		//` projections.users.state,` + //TODO:
 		` projections.users_humans.user_id,` +
 		` projections.users_humans.email,` +
 		` projections.users_humans.is_email_verified` +
@ -132,7 +129,6 @@ var (
 		"change_date",
 		"resource_owner",
 		"sequence",
 		//"state", //TODO:
 		"user_id",
 		"email",
 		"is_email_verified",
@ -142,7 +138,6 @@ var (
 		` projections.users.change_date,` +
 		` projections.users.resource_owner,` +
 		` projections.users.sequence,` +
 		//` projections.users.state,` + //TODO:
 		` projections.users_humans.user_id,` +
 		` projections.users_humans.phone,` +
 		` projections.users_humans.is_phone_verified` +
@ -154,7 +149,6 @@ var (
 		"change_date",
 		"resource_owner",
 		"sequence",
 		//"state", //TODO:
 		"user_id",
 		"phone",
 		"is_phone_verified",
@ -163,28 +157,15 @@ var (
 	userUniqueQuery = `SELECT projections.users.id,` +
 		` projections.users.state,` +
 		` projections.users.username,` +
 		//` login_names.login_names,` +
 		//` preferred_login_name.login_name,` +
 		` projections.users_humans.user_id,` +
 		` projections.users_humans.email,` +
 		` projections.users_humans.is_email_verified` +
 		` FROM projections.users` +
 		` LEFT JOIN projections.users_humans ON projections.users.id = projections.users_humans.user_id`
 	//` LEFT JOIN` +
 	//` (SELECT login_names.user_id, ARRAY_AGG(login_names.login_name) as login_names` +
 	//` FROM projections.login_names as login_names` +
 	//` GROUP BY login_names.user_id) as login_names` +
 	//` on login_names.user_id = projections.users.id` +
 	//` LEFT JOIN` +
 	//` (SELECT preferred_login_name.user_id, preferred_login_name.login_name FROM projections.login_names as preferred_login_name WHERE preferred_login_name.is_primary = $1) as preferred_login_name` +
 	//` on preferred_login_name.user_id = projections.users.id`
 	userUniqueCols = []string{
 		"id",
 		"state",
 		"username",
 		//"login_names",
 		//"login_name",
 		//human
 		"user_id",
 		"email",
 		"is_email_verified",
--- a/internal/repository/policy/policy_domain.go
+++ b/internal/repository/policy/policy_domain.go
@ -10,7 +10,6 @@ import (
 )
 const (
 	//TODO: use for org events as suffix (when possible)
 	DomainPolicyAddedEventType   = "policy.domain.added"
 	DomainPolicyChangedEventType = "policy.domain.changed"
 	DomainPolicyRemovedEventType = "policy.domain.removed"
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@ -2892,7 +2892,7 @@ message SetUpOrgRequest {
                    min_length: 1;
                    example: "\"gigi@caos.ch\"";
                }
-            ];  //TODO: check if no value is allowed
+            ];
            bool is_email_verified = 2;
        }
        message Phone {
--- a/proto/zitadel/app.proto
+++ b/proto/zitadel/app.proto
@ -63,6 +63,8 @@ message AppNameQuery {
 }
 message OIDCConfig {
    reserved "client_secret";
    reserved 6;
    repeated string redirect_uris = 1 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "[\"https://console.zitadel.ch/auth/callback\"]";
@ -90,12 +92,6 @@ message OIDCConfig {
            description: "generated oauth2/oidc client id";
        }
    ];
    string client_secret = 6 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"gjöq34589uasgh\"";
            description: "generated secret for this config";
        }
    ];
    OIDCAuthMethodType auth_method_type = 7 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "defines how the application passes login credentials";
@ -208,18 +204,14 @@ enum APIAuthMethodType {
 }
 message APIConfig {
    reserved "client_secret";
    reserved 2;
    string client_id = 1 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"69629023906488334@ZITADEL\"";
            description: "generated oauth2/oidc client_id";
        }
    ];
    string client_secret = 2 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"gjöq34589uasgh\"";
            description: "generated secret for this config";
        }
    ];
    APIAuthMethodType auth_method_type = 3 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "defines how the api passes the login credentials";
--- a/proto/zitadel/auth.proto
+++ b/proto/zitadel/auth.proto
@ -771,7 +771,7 @@ message GetMyEmailResponse {
 }
 message SetMyEmailRequest {
-    string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed
+    string email = 1 [(validate.rules).string.email = true];
 }
 message SetMyEmailResponse {
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@ -138,7 +138,6 @@ service ManagementService {
                value: {
                    description: "OK";
                }
                //TODO: errors
            };
        };
    }
@ -2952,7 +2951,7 @@ message AddHumanUserRequest {
        zitadel.user.v1.Gender gender = 6;
    }
    message Email {
-        string email = 1 [(validate.rules).string.email = true];  //TODO: check if no value is allowed
+        string email = 1 [(validate.rules).string.email = true];
        bool is_email_verified = 2;
    }
    message Phone {
@ -2984,7 +2983,7 @@ message ImportHumanUserRequest {
        zitadel.user.v1.Gender gender = 6;
    }
    message Email {
-        string email = 1 [(validate.rules).string.email = true];  //TODO: check if no value is allowed
+        string email = 1 [(validate.rules).string.email = true];
        bool is_email_verified = 2;
    }
    message Phone {