feat(login): use default org for login without provided org context (#6625)

* start feature flags * base feature events on domain const * setup default features * allow setting feature in system api * allow setting feature in admin api * set settings in login based on feature * fix rebasing * unit tests * i18n * update policy after domain discovery * some changes from review * check feature and value type * check feature and value type
2025-08-12 08:07:32 +00:00 · 2023-09-29 10:21:32 +02:00
parent d01f4d229f
commit 68bfab2fb3
41 changed files with 875 additions and 38 deletions
--- a/internal/api/grpc/admin/feature.go
+++ b/internal/api/grpc/admin/feature.go
@@ -0,0 +1,20 @@
+package admin
+
+import (
+	"context"
+
+	object_pb "github.com/zitadel/zitadel/internal/api/grpc/object"
+	"github.com/zitadel/zitadel/internal/domain"
+	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) ActivateFeatureLoginDefaultOrg(ctx context.Context, _ *admin_pb.ActivateFeatureLoginDefaultOrgRequest) (*admin_pb.ActivateFeatureLoginDefaultOrgResponse, error) {
+	details, err := s.command.SetBooleanInstanceFeature(ctx, domain.FeatureLoginDefaultOrg, true)
+	if err != nil {
+		return nil, err
+	}
+	return &admin_pb.ActivateFeatureLoginDefaultOrgResponse{
+		Details: object_pb.DomainToChangeDetailsPb(details),
+	}, nil
+
+}
--- a/internal/api/grpc/system/feature.go
+++ b/internal/api/grpc/system/feature.go
@@ -0,0 +1,34 @@
+package system
+
+import (
+	"context"
+
+	object_pb "github.com/zitadel/zitadel/internal/api/grpc/object"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	system_pb "github.com/zitadel/zitadel/pkg/grpc/system"
+)
+
+func (s *Server) SetInstanceFeature(ctx context.Context, req *system_pb.SetInstanceFeatureRequest) (*system_pb.SetInstanceFeatureResponse, error) {
+	details, err := s.setInstanceFeature(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	return &system_pb.SetInstanceFeatureResponse{
+		Details: object_pb.DomainToChangeDetailsPb(details),
+	}, nil
+
+}
+
+func (s *Server) setInstanceFeature(ctx context.Context, req *system_pb.SetInstanceFeatureRequest) (*domain.ObjectDetails, error) {
+	feat := domain.Feature(req.FeatureId)
+	if !feat.IsAFeature() {
+		return nil, errors.ThrowInvalidArgument(nil, "SYST-SGV45", "Errors.Feature.NotExisting")
+	}
+	switch t := req.Value.(type) {
+	case *system_pb.SetInstanceFeatureRequest_Bool:
+		return s.command.SetBooleanInstanceFeature(ctx, feat, t.Bool)
+	default:
+		return nil, errors.ThrowInvalidArgument(nil, "SYST-dag5g", "Errors.Feature.TypeNotSupported")
+	}
+}
--- a/internal/api/ui/login/login.go
+++ b/internal/api/ui/login/login.go
@@ -11,6 +11,7 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/rakyll/statik/fs"

+	"github.com/zitadel/zitadel/feature"
 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
@@ -40,6 +41,7 @@ type Login struct {
 	samlAuthCallbackURL func(context.Context, string) string
 	idpConfigAlg        crypto.EncryptionAlgorithm
 	userCodeAlg         crypto.EncryptionAlgorithm
+	featureCheck        feature.Checker
 }

 type Config struct {
@@ -76,6 +78,7 @@ func CreateLogin(config Config,
 	userCodeAlg crypto.EncryptionAlgorithm,
 	idpConfigAlg crypto.EncryptionAlgorithm,
 	csrfCookieKey []byte,
+	featureCheck feature.Checker,
 ) (*Login, error) {
 	login := &Login{
 		oidcAuthCallbackURL: oidcAuthCallbackURL,
@@ -88,6 +91,7 @@ func CreateLogin(config Config,
 		authRepo:            authRepo,
 		idpConfigAlg:        idpConfigAlg,
 		userCodeAlg:         userCodeAlg,
+		featureCheck:        featureCheck,
 	}
 	statikFS, err := fs.NewWithNamespace("login")
 	if err != nil {
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -506,25 +506,19 @@ func (l *Login) getOrgID(r *http.Request, authReq *domain.AuthRequest) string {
 }

 func (l *Login) getPrivateLabelingID(r *http.Request, authReq *domain.AuthRequest) string {
-	privateLabelingOrgID := authz.GetInstance(r.Context()).InstanceID()
-	if authReq == nil {
-		if id := r.FormValue(queryOrgID); id != "" {
-			return id
-		}
-		return privateLabelingOrgID
+	defaultID := authz.GetInstance(r.Context()).DefaultOrganisationID()
+	f, err := l.featureCheck.CheckInstanceBooleanFeature(r.Context(), domain.FeatureLoginDefaultOrg)
+	logging.OnError(err).Warnf("could not check feature %s", domain.FeatureLoginDefaultOrg)
+	if !f.Boolean {
+		defaultID = authz.GetInstance(r.Context()).InstanceID()
 	}
-	if authReq.PrivateLabelingSetting != domain.PrivateLabelingSettingUnspecified {
-		privateLabelingOrgID = authReq.ApplicationResourceOwner
+	if authReq != nil {
+		return authReq.PrivateLabelingOrgID(defaultID)
 	}
-	if authReq.PrivateLabelingSetting == domain.PrivateLabelingSettingAllowLoginUserResourceOwnerPolicy || authReq.PrivateLabelingSetting == domain.PrivateLabelingSettingUnspecified {
-		if authReq.UserOrgID != "" {
-			privateLabelingOrgID = authReq.UserOrgID
-		}
+	if id := r.FormValue(queryOrgID); id != "" {
+		return id
 	}
-	if authReq.RequestedOrgID != "" {
-		privateLabelingOrgID = authReq.RequestedOrgID
-	}
-	return privateLabelingOrgID
+	return defaultID
 }

 func (l *Login) getOrgName(authReq *domain.AuthRequest) string {