fix: registration allowed check and pass loginname to registration (#4507)

internal/api/ui/login/register_option_handler.go

@@ -2,8 +2,12 @@ package login
 
 import (
 	"net/http"
+	"strings"
+
+	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
 )
 
 const (
@@ -43,7 +47,8 @@ func (l *Login) renderRegisterOption(w http.ResponseWriter, r *http.Request, aut
 		}
 		// if only direct registration is allowed, show the form
 		if allowed && !externalAllowed {
-			l.renderRegister(w, r, authReq, nil, nil)
+			data := l.passLoginHintToRegistration(r, authReq)
+			l.renderRegister(w, r, authReq, data, nil)
 			return
 		}
 	}
@@ -77,9 +82,43 @@ func (l *Login) handleRegisterOptionCheck(w http.ResponseWriter, r *http.Request
 }
 
 func registrationAllowed(authReq *domain.AuthRequest) bool {
-	return authReq != nil && authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowRegister
+	return authReq != nil && authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowRegister && authReq.LoginPolicy.AllowUsernamePassword
 }
 
 func externalRegistrationAllowed(authReq *domain.AuthRequest) bool {
 	return authReq != nil && authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowExternalIDP && authReq.AllowedExternalIDPs != nil && len(authReq.AllowedExternalIDPs) > 0
 }
+
+func (l *Login) passLoginHintToRegistration(r *http.Request, authReq *domain.AuthRequest) *registerFormData {
+	data := &registerFormData{}
+	if authReq == nil {
+		return data
+	}
+	data.Email = authReq.LoginHint
+	domainPolicy, err := l.getOrgDomainPolicy(r, authReq.RequestedOrgID)
+	if err != nil {
+		logging.WithFields("authRequest", authReq.ID, "org", authReq.RequestedOrgID).Error("unable to load domain policy for registration loginHint")
+		return data
+	}
+	data.Username = authReq.LoginHint
+	if !domainPolicy.UserLoginMustBeDomain {
+		return data
+	}
+	searchQuery, err := query.NewOrgDomainOrgIDSearchQuery(authReq.RequestedOrgID)
+	if err != nil {
+		logging.WithFields("authRequest", authReq.ID, "org", authReq.RequestedOrgID).Error("unable to search query for registration loginHint")
+		return data
+	}
+	domains, err := l.query.SearchOrgDomains(r.Context(), &query.OrgDomainSearchQueries{Queries: []query.SearchQuery{searchQuery}})
+	if err != nil {
+		logging.WithFields("authRequest", authReq.ID, "org", authReq.RequestedOrgID).Error("unable to load domains for registration loginHint")
+		return data
+	}
+	for _, orgDomain := range domains.Domains {
+		if orgDomain.IsVerified && strings.HasSuffix(authReq.LoginHint, "@"+orgDomain.Domain) {
+			data.Username = strings.TrimSuffix(authReq.LoginHint, "@"+orgDomain.Domain)
+			return data
+		}
+	}
+	return data
+}

internal/api/ui/login/static/templates/register.html

@@ -41,7 +41,7 @@
         <div class="lgn-field double">
             <label class="lgn-label" for="username">{{t "RegistrationUser.UsernameLabel"}}</label>
             <div class="lgn-suffix-wrapper">
-                <input class="lgn-input lgn-suffix-input" type="text" id="username" name="username" autocomplete="email" value="{{ .Email }}" required>
+                <input class="lgn-input lgn-suffix-input" type="text" id="username" name="username" autocomplete="email" value="{{ .Username }}" required>
                 {{if .ShowUsernameSuffix}}
                     <span id="default-login-suffix" lgnsuffix class="loginname-suffix">@{{.PrimaryDomain}}</span>
                 {{end}}

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -713,6 +713,7 @@ func (repo *AuthRequestRepo) checkDomainDiscovery(ctx context.Context, request *
 	}
 	// discovery was allowed, so set the org as requested org
 	request.SetOrgInformation(org.ID, org.Name, org.Domain, false)
+	request.LoginHint = loginName
 	request.Prompt = append(request.Prompt, domain.PromptCreate)
 	return true
 }