From fb331ce935ebe1f93390232fd3e160aa5d4aaa26 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Dec 2024 09:20:40 +0100
Subject: [PATCH 1/9] improve language handling

---
 apps/login/src/app/sessions/route.ts | 30 ----------------------------
 apps/login/src/i18n/request.ts       | 22 +++++++++++++++++---
 apps/login/src/lib/i18n.ts           |  1 +
 3 files changed, 20 insertions(+), 33 deletions(-)
 delete mode 100644 apps/login/src/app/sessions/route.ts

diff --git a/apps/login/src/app/sessions/route.ts b/apps/login/src/app/sessions/route.ts
deleted file mode 100644
index 9f7655664d..0000000000
--- a/apps/login/src/app/sessions/route.ts
+++ /dev/null
@@ -1,30 +0,0 @@
-import { getAllSessions } from "@/lib/cookies";
-import { listSessions } from "@/lib/zitadel";
-import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
-import { NextRequest, NextResponse } from "next/server";
-
-async function loadSessions(ids: string[]): Promise<Session[]> {
-  const response = await listSessions(
-    ids.filter((id: string | undefined) => !!id),
-  );
-
-  return response?.sessions ?? [];
-}
-
-export async function GET(request: NextRequest) {
-  const sessionCookies = await getAllSessions();
-  const ids = sessionCookies.map((s) => s.id);
-  let sessions: Session[] = [];
-  if (ids && ids.length) {
-    sessions = await loadSessions(ids);
-  }
-
-  const responseHeaders = new Headers();
-  responseHeaders.set("Access-Control-Allow-Origin", "*");
-  responseHeaders.set("Access-Control-Allow-Headers", "*");
-
-  return NextResponse.json(
-    { sessions },
-    { status: 200, headers: responseHeaders },
-  );
-}
diff --git a/apps/login/src/i18n/request.ts b/apps/login/src/i18n/request.ts
index 2641c0fa26..59c9da42cc 100644
--- a/apps/login/src/i18n/request.ts
+++ b/apps/login/src/i18n/request.ts
@@ -1,12 +1,28 @@
-import { LANGUAGE_COOKIE_NAME } from "@/lib/i18n";
+import { LANGS, LANGUAGE_COOKIE_NAME, LANGUAGE_HEADER_NAME } from "@/lib/i18n";
 import deepmerge from "deepmerge";
 import { getRequestConfig } from "next-intl/server";
-import { cookies } from "next/headers";
+import { cookies, headers } from "next/headers";
 
 export default getRequestConfig(async () => {
   const fallback = "en";
   const cookiesList = await cookies();
-  const locale: string = cookiesList.get(LANGUAGE_COOKIE_NAME)?.value ?? "en";
+
+  let locale: string = fallback;
+
+  const languageHeader = await (await headers()).get(LANGUAGE_HEADER_NAME);
+  if (languageHeader) {
+    const headerLocale = languageHeader.split(",")[0].split("-")[0]; // Extract the language code
+    if (LANGS.map((l) => l.code).includes(headerLocale)) {
+      locale = headerLocale;
+    }
+  }
+
+  const languageCookie = cookiesList?.get(LANGUAGE_COOKIE_NAME);
+  if (languageCookie && languageCookie.value) {
+    if (LANGS.map((l) => l.code).includes(languageCookie.value)) {
+      locale = languageCookie.value;
+    }
+  }
 
   const userMessages = (await import(`../../locales/${locale}.json`)).default;
   const fallbackMessages = (await import(`../../locales/${fallback}.json`))
diff --git a/apps/login/src/lib/i18n.ts b/apps/login/src/lib/i18n.ts
index aba1d3069c..6d41256077 100644
--- a/apps/login/src/lib/i18n.ts
+++ b/apps/login/src/lib/i18n.ts
@@ -23,3 +23,4 @@ export const LANGS: Lang[] = [
 ];
 
 export const LANGUAGE_COOKIE_NAME = "NEXT_LOCALE";
+export const LANGUAGE_HEADER_NAME = "accept-language";

From 1a26192a0d6b14ac56702610cf85e148f01c3552 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Dec 2024 09:56:49 +0100
Subject: [PATCH 2/9] missing zh translations

---
 apps/login/locales/zh.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/apps/login/locales/zh.json b/apps/login/locales/zh.json
index 68348b3fe7..e09fe04215 100644
--- a/apps/login/locales/zh.json
+++ b/apps/login/locales/zh.json
@@ -122,6 +122,18 @@
     }
   },
   "register": {
+    "methods": {
+      "passkey": "密钥",
+      "password": "密码"
+    },
+    "disabled": {
+      "title": "注册已禁用",
+      "description": "您的设置不允许注册新用户。"
+    },
+    "missingdata": {
+      "title": "缺少数据",
+      "description": "请提供所有必需的数据。"
+    },
     "title": "注册",
     "description": "创建您的 ZITADEL 账户。",
     "selectMethod": "选择您想使用的认证方法",
@@ -151,7 +163,8 @@
   },
   "signedin": {
     "title": "欢迎 {user}！",
-    "description": "您已登录。"
+    "description": "您已登录。",
+    "continue": "继续"
   },
   "verify": {
     "userIdMissing": "未提供用户 ID！",

From b68ea3274814aab4a830eeb0be84198f88a3d82f Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 12 Dec 2024 16:37:58 +0100
Subject: [PATCH 3/9] let users change their password if mfa is enforce but no
 mfa is yet set

---
 .../src/app/(login)/password/change/page.tsx  |  5 +-
 .../src/components/change-password-form.tsx   | 19 ++--
 apps/login/src/lib/self.ts                    | 14 +--
 apps/login/src/lib/zitadel.ts                 | 90 +++++++++++++++++++
 4 files changed, 111 insertions(+), 17 deletions(-)

diff --git a/apps/login/src/app/(login)/password/change/page.tsx b/apps/login/src/app/(login)/password/change/page.tsx
index 1ba48a589d..d20b8b935c 100644
--- a/apps/login/src/app/(login)/password/change/page.tsx
+++ b/apps/login/src/app/(login)/password/change/page.tsx
@@ -32,7 +32,9 @@ export default async function Page(props: {
     sessionFactors?.factors?.user?.organizationId,
   );
 
-  const loginSettings = await getLoginSettings(organization);
+  const loginSettings = await getLoginSettings(
+    sessionFactors?.factors?.user?.organizationId,
+  );
 
   return (
     <DynamicTheme branding={branding}>
@@ -68,6 +70,7 @@ export default async function Page(props: {
             authRequestId={authRequestId}
             organization={organization}
             passwordComplexitySettings={passwordComplexity}
+            loginSettings={loginSettings}
           />
         ) : (
           <div className="py-4">
diff --git a/apps/login/src/components/change-password-form.tsx b/apps/login/src/components/change-password-form.tsx
index 416966c62b..5cb794a473 100644
--- a/apps/login/src/components/change-password-form.tsx
+++ b/apps/login/src/components/change-password-form.tsx
@@ -6,10 +6,11 @@ import {
   symbolValidator,
   upperCaseValidator,
 } from "@/helpers/validators";
-import { setMyPassword } from "@/lib/self";
 import { sendPassword } from "@/lib/server/password";
+import { checkSessionAndSetPassword } from "@/lib/zitadel";
 import { create } from "@zitadel/client";
 import { ChecksSchema } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
+import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { PasswordComplexitySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
@@ -31,6 +32,7 @@ type Inputs =
 
 type Props = {
   passwordComplexitySettings: PasswordComplexitySettings;
+  loginSettings?: LoginSettings;
   sessionId: string;
   loginName: string;
   authRequestId?: string;
@@ -39,6 +41,7 @@ type Props = {
 
 export function ChangePasswordForm({
   passwordComplexitySettings,
+  loginSettings,
   sessionId,
   loginName,
   authRequestId,
@@ -60,9 +63,11 @@ export function ChangePasswordForm({
 
   async function submitChange(values: Inputs) {
     setLoading(true);
-    const changeResponse = await setMyPassword({
-      sessionId: sessionId,
+
+    const changeResponse = checkSessionAndSetPassword({
+      sessionId,
       password: values.password,
+      forceMfa: !!(loginSettings?.forceMfa || loginSettings?.forceMfaLocalOnly),
     })
       .catch(() => {
         setError("Could not change password");
@@ -72,8 +77,12 @@ export function ChangePasswordForm({
         setLoading(false);
       });
 
-    if (changeResponse && "error" in changeResponse) {
-      setError(changeResponse.error);
+    if (changeResponse && "error" in changeResponse && changeResponse.error) {
+      setError(
+        typeof changeResponse.error === "string"
+          ? changeResponse.error
+          : "Unknown error",
+      );
       return;
     }
 
diff --git a/apps/login/src/lib/self.ts b/apps/login/src/lib/self.ts
index ebe08fe518..6eea8206c9 100644
--- a/apps/login/src/lib/self.ts
+++ b/apps/login/src/lib/self.ts
@@ -1,9 +1,6 @@
 "use server";
 
-import {
-  createSessionServiceClient,
-  createUserServiceClient,
-} from "@zitadel/client/v2";
+import { createUserServiceClient } from "@zitadel/client/v2";
 import { createServerTransport } from "@zitadel/node";
 import { getSessionCookieById } from "./cookies";
 import { getSession } from "./zitadel";
@@ -13,12 +10,6 @@ const transport = (token: string) =>
     baseUrl: process.env.ZITADEL_API_URL!,
   });
 
-const sessionService = (sessionId: string) => {
-  return getSessionCookieById({ sessionId }).then((session) => {
-    return createSessionServiceClient(transport(session.token));
-  });
-};
-
 const myUserService = (sessionToken: string) => {
   return createUserServiceClient(transport(sessionToken));
 };
@@ -41,7 +32,7 @@ export async function setMyPassword({
     return { error: "Could not load session" };
   }
 
-  const service = await myUserService(sessionCookie.token);
+  const service = await myUserService(`${sessionCookie.token}`);
 
   if (!session?.factors?.user?.id) {
     return { error: "No user id found in session" };
@@ -56,6 +47,7 @@ export async function setMyPassword({
       {},
     )
     .catch((error) => {
+      console.log(error);
       if (error.code === 7) {
         return { error: "Session is not valid." };
       }
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index e273a24c65..3740c578da 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -12,6 +12,7 @@ import { RequestChallenges } from "@zitadel/proto/zitadel/session/v2/challenge_p
 import { Checks } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { IDPInformation } from "@zitadel/proto/zitadel/user/v2/idp_pb";
 import {
+  AuthenticationMethodType,
   RetrieveIdentityProviderIntentRequest,
   SetPasswordRequestSchema,
   VerifyPasskeyRegistrationRequest,
@@ -38,6 +39,7 @@ import {
   UserState,
 } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { unstable_cacheLife as cacheLife } from "next/cache";
+import { getSessionCookieById } from "./cookies";
 import { PROVIDER_MAPPING } from "./idp";
 
 const transport = createServerTransport(
@@ -582,6 +584,94 @@ export async function setPassword(
   });
 }
 
+type CheckSessionAndSetPasswordCommand = {
+  sessionId: string;
+  password: string;
+  forceMfa: boolean;
+};
+
+export async function checkSessionAndSetPassword({
+  sessionId,
+  password,
+  forceMfa,
+}: CheckSessionAndSetPasswordCommand) {
+  const sessionCookie = await getSessionCookieById({ sessionId });
+
+  const { session } = await getSession({
+    sessionId: sessionCookie.id,
+    sessionToken: sessionCookie.token,
+  });
+
+  if (!session || !session.factors?.user?.id) {
+    return { error: "Could not load session" };
+  }
+
+  const payload = create(SetPasswordRequestSchema, {
+    userId: session.factors.user.id,
+    newPassword: {
+      password,
+    },
+  });
+
+  // check if the user has no password set in order to set a password
+  const authmethods = await listAuthenticationMethodTypes(
+    session.factors.user.id,
+  );
+
+  if (!authmethods) {
+    return { error: "Could not load auth methods" };
+  }
+
+  const requiredAuthMethodsForForceMFA = [
+    AuthenticationMethodType.OTP_EMAIL,
+    AuthenticationMethodType.OTP_SMS,
+    AuthenticationMethodType.TOTP,
+    AuthenticationMethodType.U2F,
+  ];
+
+  const hasNoMFAMethods = requiredAuthMethodsForForceMFA.every(
+    (method) => !authmethods.authMethodTypes.includes(method),
+  );
+
+  // if the user has no MFA but MFA is enforced, we can set a password otherwise we use the token of the user
+  if (forceMfa && hasNoMFAMethods) {
+    return userService.setPassword(payload, {}).catch((error) => {
+      // throw error if failed precondition (ex. User is not yet initialized)
+      if (error.code === 9 && error.message) {
+        return { error: "Failed precondition" };
+      } else {
+        throw error;
+      }
+    });
+  } else {
+    const myUserService = (sessionToken: string) => {
+      return createUserServiceClient(
+        createServerTransport(sessionToken, {
+          baseUrl: process.env.ZITADEL_API_URL!,
+        }),
+      );
+    };
+
+    const selfService = await myUserService(`${sessionCookie.token}`);
+
+    return selfService
+      .setPassword(
+        {
+          userId: session.factors.user.id,
+          newPassword: { password, changeRequired: false },
+        },
+        {},
+      )
+      .catch((error) => {
+        console.log(error);
+        if (error.code === 7) {
+          return { error: "Session is not valid." };
+        }
+        throw error;
+      });
+  }
+}
+
 /**
  *
  * @param server

From 911edd39b0fb1a8e9591b626088b31e1e4803ebb Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 12 Dec 2024 17:46:11 +0100
Subject: [PATCH 4/9] streamlined resend code buttons

---
 apps/login/locales/de.json                    |  2 +
 apps/login/locales/en.json                    |  2 +
 apps/login/locales/es.json                    |  2 +
 apps/login/locales/it.json                    |  2 +
 apps/login/locales/zh.json                    |  2 +
 .../src/components/set-password-form.tsx      | 52 +++++++++++--------
 apps/login/src/components/verify-form.tsx     | 30 ++++++++---
 7 files changed, 62 insertions(+), 30 deletions(-)

diff --git a/apps/login/locales/de.json b/apps/login/locales/de.json
index 4d5f0c1530..ba0fce27e3 100644
--- a/apps/login/locales/de.json
+++ b/apps/login/locales/de.json
@@ -24,6 +24,7 @@
       "title": "Passwort festlegen",
       "description": "Legen Sie das Passwort für Ihr Konto fest",
       "codeSent": "Ein Code wurde an Ihre E-Mail-Adresse gesendet.",
+      "noCodeReceived": "Keinen Code erhalten?",
       "resend": "Erneut senden",
       "submit": "Weiter"
     },
@@ -173,6 +174,7 @@
     "verify": {
       "title": "Benutzer verifizieren",
       "description": "Geben Sie den Code ein, der in der Bestätigungs-E-Mail angegeben ist.",
+      "noCodeReceived": "Keinen Code erhalten?",
       "resendCode": "Code erneut senden",
       "submit": "Weiter"
     }
diff --git a/apps/login/locales/en.json b/apps/login/locales/en.json
index c7fd5e30b9..265304387f 100644
--- a/apps/login/locales/en.json
+++ b/apps/login/locales/en.json
@@ -24,6 +24,7 @@
       "title": "Set Password",
       "description": "Set the password for your account",
       "codeSent": "A code has been sent to your email address.",
+      "noCodeReceived": "Didn't receive a code?",
       "resend": "Resend code",
       "submit": "Continue"
     },
@@ -173,6 +174,7 @@
     "verify": {
       "title": "Verify user",
       "description": "Enter the Code provided in the verification email.",
+      "noCodeReceived": "Didn't receive a code?",
       "resendCode": "Resend code",
       "submit": "Continue"
     }
diff --git a/apps/login/locales/es.json b/apps/login/locales/es.json
index e722db5812..35bbb9385d 100644
--- a/apps/login/locales/es.json
+++ b/apps/login/locales/es.json
@@ -24,6 +24,7 @@
       "title": "Establecer Contraseña",
       "description": "Establece la contraseña para tu cuenta",
       "codeSent": "Se ha enviado un código a su correo electrónico.",
+      "noCodeReceived": "¿No recibiste un código?",
       "resend": "Reenviar código",
       "submit": "Continuar"
     },
@@ -173,6 +174,7 @@
     "verify": {
       "title": "Verificar usuario",
       "description": "Introduce el código proporcionado en el correo electrónico de verificación.",
+      "noCodeReceived": "¿No recibiste un código?",
       "resendCode": "Reenviar código",
       "submit": "Continuar"
     }
diff --git a/apps/login/locales/it.json b/apps/login/locales/it.json
index 9467f0ba84..4e21e3dc9d 100644
--- a/apps/login/locales/it.json
+++ b/apps/login/locales/it.json
@@ -24,6 +24,7 @@
       "title": "Imposta Password",
       "description": "Imposta la password per il tuo account",
       "codeSent": "Un codice è stato inviato al tuo indirizzo email.",
+      "noCodeReceived": "Non hai ricevuto un codice?",
       "resend": "Invia di nuovo",
       "submit": "Continua"
     },
@@ -173,6 +174,7 @@
     "verify": {
       "title": "Verifica utente",
       "description": "Inserisci il codice fornito nell'email di verifica.",
+      "noCodeReceived": "Non hai ricevuto un codice?",
       "resendCode": "Invia di nuovo il codice",
       "submit": "Continua"
     }
diff --git a/apps/login/locales/zh.json b/apps/login/locales/zh.json
index e09fe04215..818a8b449e 100644
--- a/apps/login/locales/zh.json
+++ b/apps/login/locales/zh.json
@@ -24,6 +24,7 @@
       "title": "设置密码",
       "description": "为您的账户设置密码",
       "codeSent": "验证码已发送到您的邮箱。",
+      "noCodeReceived": "没有收到验证码？",
       "resend": "重发验证码",
       "submit": "继续"
     },
@@ -173,6 +174,7 @@
     "verify": {
       "title": "验证用户",
       "description": "输入验证邮件中的验证码。",
+      "noCodeReceived": "没有收到验证码？",
       "resendCode": "重发验证码",
       "submit": "继续"
     }
diff --git a/apps/login/src/components/set-password-form.tsx b/apps/login/src/components/set-password-form.tsx
index d2e5c73940..fd801640d7 100644
--- a/apps/login/src/components/set-password-form.tsx
+++ b/apps/login/src/components/set-password-form.tsx
@@ -18,7 +18,7 @@ import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
 import { useState } from "react";
 import { FieldValues, useForm } from "react-hook-form";
-import { Alert } from "./alert";
+import { Alert, AlertType } from "./alert";
 import { BackButton } from "./back-button";
 import { Button, ButtonVariants } from "./button";
 import { TextInput } from "./input";
@@ -192,31 +192,39 @@ export function SetPasswordForm({
     <form className="w-full">
       <div className="pt-4 grid grid-cols-1 gap-4 mb-4">
         {codeRequired && (
-          <div className="flex flex-row items-end">
-            <div className="flex-1">
-              <TextInput
-                type="text"
-                required
-                {...register("code", {
-                  required: "This field is required",
-                })}
-                label="Code"
-                autoComplete="one-time-code"
-                error={errors.code?.message as string}
-                data-testid="code-text-input"
-              />
-            </div>
-
-            <div className="ml-4 mb-1">
-              <Button
-                variant={ButtonVariants.Secondary}
-                data-testid="resend-button"
-                onClick={() => resendCode()}
+          <Alert type={AlertType.INFO}>
+            <div className="flex flex-row">
+              <span className="flex-1 mr-auto text-left">
+                {t("set.noCodeReceived")}
+              </span>
+              <button
+                aria-label="Resend OTP Code"
                 disabled={loading}
+                type="button"
+                className="ml-4 text-primary-light-500 dark:text-primary-dark-500 hover:dark:text-primary-dark-400 hover:text-primary-light-400 cursor-pointer disabled:cursor-default disabled:text-gray-400 dark:disabled:text-gray-700"
+                onClick={() => {
+                  resendCode();
+                }}
+                data-testid="resend-button"
               >
                 {t("set.resend")}
-              </Button>
+              </button>
             </div>
+          </Alert>
+        )}
+        {codeRequired && (
+          <div className="flex flex-row items-end">
+            <TextInput
+              type="text"
+              required
+              {...register("code", {
+                required: "This field is required",
+              })}
+              label="Code"
+              autoComplete="one-time-code"
+              error={errors.code?.message as string}
+              data-testid="code-text-input"
+            />
           </div>
         )}
         <div className="">
diff --git a/apps/login/src/components/verify-form.tsx b/apps/login/src/components/verify-form.tsx
index 377d5b9cfc..308732cba9 100644
--- a/apps/login/src/components/verify-form.tsx
+++ b/apps/login/src/components/verify-form.tsx
@@ -1,11 +1,12 @@
 "use client";
 
-import { Alert } from "@/components/alert";
+import { Alert, AlertType } from "@/components/alert";
 import { resendVerification, sendVerification } from "@/lib/server/email";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
 import { useCallback, useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
+import { BackButton } from "./back-button";
 import { Button, ButtonVariants } from "./button";
 import { TextInput } from "./input";
 import { Spinner } from "./spinner";
@@ -96,6 +97,25 @@ export function VerifyForm({ userId, code, isInvite, params }: Props) {
   return (
     <>
       <form className="w-full">
+        <Alert type={AlertType.INFO}>
+          <div className="flex flex-row">
+            <span className="flex-1 mr-auto text-left">
+              {t("verify.noCodeReceived")}
+            </span>
+            <button
+              aria-label="Resend OTP Code"
+              disabled={loading}
+              type="button"
+              className="ml-4 text-primary-light-500 dark:text-primary-dark-500 hover:dark:text-primary-dark-400 hover:text-primary-light-400 cursor-pointer disabled:cursor-default disabled:text-gray-400 dark:disabled:text-gray-700"
+              onClick={() => {
+                resendCode();
+              }}
+              data-testid="resend-button"
+            >
+              {t("verify.resendCode")}
+            </button>
+          </div>
+        </Alert>
         <div className="">
           <TextInput
             type="text"
@@ -112,13 +132,7 @@ export function VerifyForm({ userId, code, isInvite, params }: Props) {
         )}
 
         <div className="mt-8 flex w-full flex-row items-center">
-          <Button
-            type="button"
-            onClick={() => resendCode()}
-            variant={ButtonVariants.Secondary}
-          >
-            {t("verify.resendCode")}
-          </Button>
+          <BackButton />
           <span className="flex-grow"></span>
           <Button
             type="submit"

From 8dc0e14f13a6dd7afbbdfc34c3ad7b77368724fa Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 12 Dec 2024 17:52:41 +0100
Subject: [PATCH 5/9] clean settings fetch

---
 apps/login/src/app/(login)/password/change/page.tsx | 1 -
 apps/login/src/components/change-password-form.tsx  | 4 ----
 apps/login/src/lib/zitadel.ts                       | 9 +++++++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/apps/login/src/app/(login)/password/change/page.tsx b/apps/login/src/app/(login)/password/change/page.tsx
index d20b8b935c..bbcaea4950 100644
--- a/apps/login/src/app/(login)/password/change/page.tsx
+++ b/apps/login/src/app/(login)/password/change/page.tsx
@@ -70,7 +70,6 @@ export default async function Page(props: {
             authRequestId={authRequestId}
             organization={organization}
             passwordComplexitySettings={passwordComplexity}
-            loginSettings={loginSettings}
           />
         ) : (
           <div className="py-4">
diff --git a/apps/login/src/components/change-password-form.tsx b/apps/login/src/components/change-password-form.tsx
index 5cb794a473..ac62b7dc84 100644
--- a/apps/login/src/components/change-password-form.tsx
+++ b/apps/login/src/components/change-password-form.tsx
@@ -10,7 +10,6 @@ import { sendPassword } from "@/lib/server/password";
 import { checkSessionAndSetPassword } from "@/lib/zitadel";
 import { create } from "@zitadel/client";
 import { ChecksSchema } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
-import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { PasswordComplexitySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
@@ -32,7 +31,6 @@ type Inputs =
 
 type Props = {
   passwordComplexitySettings: PasswordComplexitySettings;
-  loginSettings?: LoginSettings;
   sessionId: string;
   loginName: string;
   authRequestId?: string;
@@ -41,7 +39,6 @@ type Props = {
 
 export function ChangePasswordForm({
   passwordComplexitySettings,
-  loginSettings,
   sessionId,
   loginName,
   authRequestId,
@@ -67,7 +64,6 @@ export function ChangePasswordForm({
     const changeResponse = checkSessionAndSetPassword({
       sessionId,
       password: values.password,
-      forceMfa: !!(loginSettings?.forceMfa || loginSettings?.forceMfaLocalOnly),
     })
       .catch(() => {
         setError("Could not change password");
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 3740c578da..67c2332e66 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -587,13 +587,11 @@ export async function setPassword(
 type CheckSessionAndSetPasswordCommand = {
   sessionId: string;
   password: string;
-  forceMfa: boolean;
 };
 
 export async function checkSessionAndSetPassword({
   sessionId,
   password,
-  forceMfa,
 }: CheckSessionAndSetPasswordCommand) {
   const sessionCookie = await getSessionCookieById({ sessionId });
 
@@ -633,6 +631,13 @@ export async function checkSessionAndSetPassword({
     (method) => !authmethods.authMethodTypes.includes(method),
   );
 
+  const loginSettings = await getLoginSettings(
+    session.factors.user.organizationId,
+  );
+  const forceMfa = !!(
+    loginSettings?.forceMfa || loginSettings?.forceMfaLocalOnly
+  );
+
   // if the user has no MFA but MFA is enforced, we can set a password otherwise we use the token of the user
   if (forceMfa && hasNoMFAMethods) {
     return userService.setPassword(payload, {}).catch((error) => {

From 16822afe83aa4d3f12c563d126e8b957ccc8df24 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 12 Dec 2024 18:13:49 +0100
Subject: [PATCH 6/9] fix server action

---
 .../src/components/change-password-form.tsx   |   6 +-
 apps/login/src/lib/server/password.ts         | 107 +++++++++++++++++-
 apps/login/src/lib/zitadel.ts                 |  98 +---------------
 3 files changed, 112 insertions(+), 99 deletions(-)

diff --git a/apps/login/src/components/change-password-form.tsx b/apps/login/src/components/change-password-form.tsx
index ac62b7dc84..f8c22029f7 100644
--- a/apps/login/src/components/change-password-form.tsx
+++ b/apps/login/src/components/change-password-form.tsx
@@ -6,8 +6,10 @@ import {
   symbolValidator,
   upperCaseValidator,
 } from "@/helpers/validators";
-import { sendPassword } from "@/lib/server/password";
-import { checkSessionAndSetPassword } from "@/lib/zitadel";
+import {
+  checkSessionAndSetPassword,
+  sendPassword,
+} from "@/lib/server/password";
 import { create } from "@zitadel/client";
 import { ChecksSchema } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { PasswordComplexitySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
diff --git a/apps/login/src/lib/server/password.ts b/apps/login/src/lib/server/password.ts
index 5e202aabd5..5ae40bf563 100644
--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -6,23 +6,30 @@ import {
 } from "@/lib/server/cookie";
 import {
   getLoginSettings,
+  getSession,
   getUserByID,
   listAuthenticationMethodTypes,
   listUsers,
   passwordReset,
   setPassword,
+  setUserPassword,
 } from "@/lib/zitadel";
 import { create } from "@zitadel/client";
+import { createUserServiceClient } from "@zitadel/client/v2";
+import { createServerTransport } from "@zitadel/node";
 import {
   Checks,
   ChecksSchema,
 } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { User, UserState } from "@zitadel/proto/zitadel/user/v2/user_pb";
-import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
+import {
+  AuthenticationMethodType,
+  SetPasswordRequestSchema,
+} from "@zitadel/proto/zitadel/user/v2/user_service_pb";
 import { headers } from "next/headers";
 import { getNextUrl } from "../client";
-import { getSessionCookieByLoginName } from "../cookies";
+import { getSessionCookieById, getSessionCookieByLoginName } from "../cookies";
 
 type ResetPasswordCommand = {
   loginName: string;
@@ -302,5 +309,99 @@ export async function changePassword(command: {
   }
   const userId = user.userId;
 
-  return setPassword(userId, command.password, user, command.code);
+  return setUserPassword(userId, command.password, user, command.code);
+}
+
+type CheckSessionAndSetPasswordCommand = {
+  sessionId: string;
+  password: string;
+};
+
+export async function checkSessionAndSetPassword({
+  sessionId,
+  password,
+}: CheckSessionAndSetPasswordCommand) {
+  const sessionCookie = await getSessionCookieById({ sessionId });
+
+  const { session } = await getSession({
+    sessionId: sessionCookie.id,
+    sessionToken: sessionCookie.token,
+  });
+
+  if (!session || !session.factors?.user?.id) {
+    return { error: "Could not load session" };
+  }
+
+  const payload = create(SetPasswordRequestSchema, {
+    userId: session.factors.user.id,
+    newPassword: {
+      password,
+    },
+  });
+
+  // check if the user has no password set in order to set a password
+  const authmethods = await listAuthenticationMethodTypes(
+    session.factors.user.id,
+  );
+
+  if (!authmethods) {
+    return { error: "Could not load auth methods" };
+  }
+
+  const requiredAuthMethodsForForceMFA = [
+    AuthenticationMethodType.OTP_EMAIL,
+    AuthenticationMethodType.OTP_SMS,
+    AuthenticationMethodType.TOTP,
+    AuthenticationMethodType.U2F,
+  ];
+
+  const hasNoMFAMethods = requiredAuthMethodsForForceMFA.every(
+    (method) => !authmethods.authMethodTypes.includes(method),
+  );
+
+  const loginSettings = await getLoginSettings(
+    session.factors.user.organizationId,
+  );
+
+  const forceMfa = !!(
+    loginSettings?.forceMfa || loginSettings?.forceMfaLocalOnly
+  );
+
+  // if the user has no MFA but MFA is enforced, we can set a password otherwise we use the token of the user
+  if (forceMfa && hasNoMFAMethods) {
+    return setPassword(payload).catch((error) => {
+      // throw error if failed precondition (ex. User is not yet initialized)
+      if (error.code === 9 && error.message) {
+        return { error: "Failed precondition" };
+      } else {
+        throw error;
+      }
+    });
+  } else {
+    const myUserService = (sessionToken: string) => {
+      return createUserServiceClient(
+        createServerTransport(sessionToken, {
+          baseUrl: process.env.ZITADEL_API_URL!,
+        }),
+      );
+    };
+
+    const selfService = await myUserService(`${sessionCookie.token}`);
+
+    return selfService
+      .setPassword(
+        {
+          userId: session.factors.user.id,
+          newPassword: { password, changeRequired: false },
+        },
+        {},
+      )
+      .catch((error) => {
+        console.log(error);
+        if (error.code === 7) {
+          return { error: "Session is not valid." };
+        }
+        throw error;
+      });
+  }
 }
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 67c2332e66..8e50916b87 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -12,8 +12,8 @@ import { RequestChallenges } from "@zitadel/proto/zitadel/session/v2/challenge_p
 import { Checks } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { IDPInformation } from "@zitadel/proto/zitadel/user/v2/idp_pb";
 import {
-  AuthenticationMethodType,
   RetrieveIdentityProviderIntentRequest,
+  SetPasswordRequest,
   SetPasswordRequestSchema,
   VerifyPasskeyRegistrationRequest,
   VerifyU2FRegistrationRequest,
@@ -39,7 +39,6 @@ import {
   UserState,
 } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { unstable_cacheLife as cacheLife } from "next/cache";
-import { getSessionCookieById } from "./cookies";
 import { PROVIDER_MAPPING } from "./idp";
 
 const transport = createServerTransport(
@@ -538,7 +537,7 @@ export async function passwordReset(
  * @param code optional if the password should be set with a code (reset), no code for initial setup of password
  * @returns
  */
-export async function setPassword(
+export async function setUserPassword(
   userId: string,
   password: string,
   user: User,
@@ -584,97 +583,8 @@ export async function setPassword(
   });
 }
 
-type CheckSessionAndSetPasswordCommand = {
-  sessionId: string;
-  password: string;
-};
-
-export async function checkSessionAndSetPassword({
-  sessionId,
-  password,
-}: CheckSessionAndSetPasswordCommand) {
-  const sessionCookie = await getSessionCookieById({ sessionId });
-
-  const { session } = await getSession({
-    sessionId: sessionCookie.id,
-    sessionToken: sessionCookie.token,
-  });
-
-  if (!session || !session.factors?.user?.id) {
-    return { error: "Could not load session" };
-  }
-
-  const payload = create(SetPasswordRequestSchema, {
-    userId: session.factors.user.id,
-    newPassword: {
-      password,
-    },
-  });
-
-  // check if the user has no password set in order to set a password
-  const authmethods = await listAuthenticationMethodTypes(
-    session.factors.user.id,
-  );
-
-  if (!authmethods) {
-    return { error: "Could not load auth methods" };
-  }
-
-  const requiredAuthMethodsForForceMFA = [
-    AuthenticationMethodType.OTP_EMAIL,
-    AuthenticationMethodType.OTP_SMS,
-    AuthenticationMethodType.TOTP,
-    AuthenticationMethodType.U2F,
-  ];
-
-  const hasNoMFAMethods = requiredAuthMethodsForForceMFA.every(
-    (method) => !authmethods.authMethodTypes.includes(method),
-  );
-
-  const loginSettings = await getLoginSettings(
-    session.factors.user.organizationId,
-  );
-  const forceMfa = !!(
-    loginSettings?.forceMfa || loginSettings?.forceMfaLocalOnly
-  );
-
-  // if the user has no MFA but MFA is enforced, we can set a password otherwise we use the token of the user
-  if (forceMfa && hasNoMFAMethods) {
-    return userService.setPassword(payload, {}).catch((error) => {
-      // throw error if failed precondition (ex. User is not yet initialized)
-      if (error.code === 9 && error.message) {
-        return { error: "Failed precondition" };
-      } else {
-        throw error;
-      }
-    });
-  } else {
-    const myUserService = (sessionToken: string) => {
-      return createUserServiceClient(
-        createServerTransport(sessionToken, {
-          baseUrl: process.env.ZITADEL_API_URL!,
-        }),
-      );
-    };
-
-    const selfService = await myUserService(`${sessionCookie.token}`);
-
-    return selfService
-      .setPassword(
-        {
-          userId: session.factors.user.id,
-          newPassword: { password, changeRequired: false },
-        },
-        {},
-      )
-      .catch((error) => {
-        console.log(error);
-        if (error.code === 7) {
-          return { error: "Session is not valid." };
-        }
-        throw error;
-      });
-  }
+export async function setPassword(payload: SetPasswordRequest) {
+  return userService.setPassword(payload, {});
 }
 
 /**

From 8c6c41072d5733c4c012ca2c96eaecca92ed1513 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 13 Dec 2024 10:16:36 +0100
Subject: [PATCH 7/9] fix u2f hostname, layout, check for password change
 required  before all other checks after pws check, totp design

---
 apps/login/src/components/auth-methods.tsx    | 53 ++++---------------
 .../src/components/set-password-form.tsx      |  6 +--
 apps/login/src/components/verify-form.tsx     |  2 +-
 apps/login/src/lib/server/password.ts         | 26 +++++----
 apps/login/src/lib/server/u2f.ts              | 16 +++---
 apps/login/src/lib/zitadel.ts                 | 12 +----
 6 files changed, 36 insertions(+), 79 deletions(-)

diff --git a/apps/login/src/components/auth-methods.tsx b/apps/login/src/components/auth-methods.tsx
index 578fdee810..23b5de1a95 100644
--- a/apps/login/src/components/auth-methods.tsx
+++ b/apps/login/src/components/auth-methods.tsx
@@ -32,7 +32,7 @@ const LinkWrapper = ({
 
 export const TOTP = (alreadyAdded: boolean, link: string) => {
   return (
-    <LinkWrapper alreadyAdded={alreadyAdded} link={link} key={link}>
+    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link} key={link}>
       <div
         className={clsx(
           "font-medium flex items-center",
@@ -40,45 +40,12 @@ export const TOTP = (alreadyAdded: boolean, link: string) => {
         )}
       >
         <svg
-          className="h-9 w-9 transform -translate-x-[2px] mr-4"
-          version="1.1"
-          baseProfile="basic"
-          id="Layer_1"
+          className="h-8 w-8 transform -translate-x-[2px] mr-4 fill-current text-black dark:text-white"
           xmlns="http://www.w3.org/2000/svg"
-          xmlnsXlink="http://www.w3.org/1999/xlink"
-          x="0px"
-          y="0px"
-          viewBox="0 0 512 512"
-          xmlSpace="preserve"
+          viewBox="0 0 24 24"
         >
-          <path
-            fill="#1A73E8"
-            d="M440,255.99997v0.00006C440,273.12085,426.12085,287,409.00003,287H302l-46-93.01001l49.6507-85.9951
-c8.56021-14.82629,27.51834-19.9065,42.34518-11.34724l0.00586,0.0034c14.82776,8.55979,19.90875,27.51928,11.34857,42.34682
-L309.70001,225h99.30002C426.12085,225,440,238.87917,440,255.99997z"
-          />
-          <path
-            fill="#EA4335"
-            d="M348.00174,415.34897l-0.00586,0.00339c-14.82684,8.55927-33.78497,3.47903-42.34518-11.34723L256,318.01001
-l-49.65065,85.99509c-8.5602,14.82629-27.51834,19.90652-42.34517,11.34729l-0.00591-0.00342
-c-14.82777-8.55978-19.90875-27.51929-11.34859-42.34683L202.29999,287L256,285l53.70001,2l49.6503,86.00214
-C367.91049,387.82968,362.8295,406.78918,348.00174,415.34897z"
-          />
-          <path
-            fill="#FBBC04"
-            d="M256,193.98999L242,232l-39.70001-7l-49.6503-86.00212
-c-8.56017-14.82755-3.47919-33.78705,11.34859-42.34684l0.00591-0.00341c14.82683-8.55925,33.78497-3.47903,42.34517,11.34726
-L256,193.98999z"
-          />
-          <path
-            fill="#34A853"
-            d="M248,225l-36,62H102.99997C85.87916,287,72,273.12085,72,256.00003v-0.00006
-C72,238.87917,85.87916,225,102.99997,225H248z"
-          />
-          <polygon
-            fill="#185DB7"
-            points="309.70001,287 202.29999,287 256,193.98999 "
-          />
+          <title>timer-lock-outline</title>
+          <path d="M11 8H13V14H11V8M13 19.92C12.67 19.97 12.34 20 12 20C8.13 20 5 16.87 5 13S8.13 6 12 6C14.82 6 17.24 7.67 18.35 10.06C18.56 10.04 18.78 10 19 10C19.55 10 20.07 10.11 20.57 10.28C20.23 9.22 19.71 8.24 19.03 7.39L20.45 5.97C20 5.46 19.55 5 19.04 4.56L17.62 6C16.07 4.74 14.12 4 12 4C7.03 4 3 8.03 3 13S7.03 22 12 22C12.42 22 12.83 21.96 13.24 21.91C13.09 21.53 13 21.12 13 20.7V19.92M15 1H9V3H15V1M23 17.3V20.8C23 21.4 22.4 22 21.7 22H16.2C15.6 22 15 21.4 15 20.7V17.2C15 16.6 15.6 16 16.2 16V14.5C16.2 13.1 17.6 12 19 12S21.8 13.1 21.8 14.5V16C22.4 16 23 16.6 23 17.3M20.5 14.5C20.5 13.7 19.8 13.2 19 13.2S17.5 13.7 17.5 14.5V16H20.5V14.5Z" />
         </svg>{" "}
         <span>Authenticator App</span>
       </div>
@@ -93,7 +60,7 @@ C72,238.87917,85.87916,225,102.99997,225H248z"
 
 export const U2F = (alreadyAdded: boolean, link: string) => {
   return (
-    <LinkWrapper alreadyAdded={alreadyAdded} link={link}>
+    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link}>
       <div
         className={clsx(
           "font-medium flex items-center",
@@ -127,7 +94,7 @@ export const U2F = (alreadyAdded: boolean, link: string) => {
 
 export const EMAIL = (alreadyAdded: boolean, link: string) => {
   return (
-    <LinkWrapper alreadyAdded={alreadyAdded} link={link}>
+    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link}>
       <div
         className={clsx(
           "font-medium flex items-center",
@@ -162,7 +129,7 @@ export const EMAIL = (alreadyAdded: boolean, link: string) => {
 
 export const SMS = (alreadyAdded: boolean, link: string) => {
   return (
-    <LinkWrapper alreadyAdded={alreadyAdded} link={link}>
+    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link}>
       <div
         className={clsx(
           "font-medium flex items-center",
@@ -196,7 +163,7 @@ export const SMS = (alreadyAdded: boolean, link: string) => {
 
 export const PASSKEYS = (alreadyAdded: boolean, link: string) => {
   return (
-    <LinkWrapper alreadyAdded={alreadyAdded} link={link}>
+    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link}>
       <div
         className={clsx(
           "font-medium flex items-center",
@@ -230,7 +197,7 @@ export const PASSKEYS = (alreadyAdded: boolean, link: string) => {
 
 export const PASSWORD = (alreadyAdded: boolean, link: string) => {
   return (
-    <LinkWrapper alreadyAdded={alreadyAdded} link={link}>
+    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link}>
       <div
         className={clsx(
           "font-medium flex items-center",
diff --git a/apps/login/src/components/set-password-form.tsx b/apps/login/src/components/set-password-form.tsx
index fd801640d7..d093d1d131 100644
--- a/apps/login/src/components/set-password-form.tsx
+++ b/apps/login/src/components/set-password-form.tsx
@@ -213,7 +213,7 @@ export function SetPasswordForm({
           </Alert>
         )}
         {codeRequired && (
-          <div className="flex flex-row items-end">
+          <div>
             <TextInput
               type="text"
               required
@@ -227,7 +227,7 @@ export function SetPasswordForm({
             />
           </div>
         )}
-        <div className="">
+        <div>
           <TextInput
             type="password"
             autoComplete="new-password"
@@ -240,7 +240,7 @@ export function SetPasswordForm({
             data-testid="password-text-input"
           />
         </div>
-        <div className="">
+        <div>
           <TextInput
             type="password"
             required
diff --git a/apps/login/src/components/verify-form.tsx b/apps/login/src/components/verify-form.tsx
index 308732cba9..003b261b02 100644
--- a/apps/login/src/components/verify-form.tsx
+++ b/apps/login/src/components/verify-form.tsx
@@ -116,7 +116,7 @@ export function VerifyForm({ userId, code, isInvite, params }: Props) {
             </button>
           </div>
         </Alert>
-        <div className="">
+        <div className="mt-4">
           <TextInput
             type="text"
             autoComplete="one-time-code"
diff --git a/apps/login/src/lib/server/password.ts b/apps/login/src/lib/server/password.ts
index 5ae40bf563..47bf260eaa 100644
--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -149,18 +149,10 @@ export async function sendPassword(command: UpdateSessionCommand) {
     return { error: "Could not verify password!" };
   }
 
-  const availableSecondFactors = authMethods?.filter(
-    (m: AuthenticationMethodType) =>
-      m !== AuthenticationMethodType.PASSWORD &&
-      m !== AuthenticationMethodType.PASSKEY,
-  );
-
   const humanUser = user.type.case === "human" ? user.type.value : undefined;
 
-  if (
-    availableSecondFactors?.length == 0 &&
-    humanUser?.passwordChangeRequired
-  ) {
+  // check if the user has to change password first
+  if (humanUser?.passwordChangeRequired) {
     const params = new URLSearchParams({
       loginName: session.factors?.user?.loginName,
     });
@@ -176,7 +168,13 @@ export async function sendPassword(command: UpdateSessionCommand) {
     return { redirect: "/password/change?" + params };
   }
 
-  if (availableSecondFactors?.length == 1) {
+  const availableMultiFactors = authMethods?.filter(
+    (m: AuthenticationMethodType) =>
+      m !== AuthenticationMethodType.PASSWORD &&
+      m !== AuthenticationMethodType.PASSKEY,
+  );
+
+  if (availableMultiFactors?.length == 1) {
     const params = new URLSearchParams({
       loginName: session.factors?.user.loginName,
     });
@@ -192,7 +190,7 @@ export async function sendPassword(command: UpdateSessionCommand) {
       );
     }
 
-    const factor = availableSecondFactors[0];
+    const factor = availableMultiFactors[0];
     // if passwordless is other method, but user selected password as alternative, perform a login
     if (factor === AuthenticationMethodType.TOTP) {
       return { redirect: `/otp/time-based?` + params };
@@ -203,7 +201,7 @@ export async function sendPassword(command: UpdateSessionCommand) {
     } else if (factor === AuthenticationMethodType.U2F) {
       return { redirect: `/u2f?` + params };
     }
-  } else if (availableSecondFactors?.length >= 1) {
+  } else if (availableMultiFactors?.length >= 1) {
     const params = new URLSearchParams({
       loginName: session.factors.user.loginName,
     });
@@ -226,7 +224,7 @@ export async function sendPassword(command: UpdateSessionCommand) {
     return { error: "Initial User not supported" };
   } else if (
     (loginSettings?.forceMfa || loginSettings?.forceMfaLocalOnly) &&
-    !availableSecondFactors.length
+    !availableMultiFactors.length
   ) {
     const params = new URLSearchParams({
       loginName: session.factors.user.loginName,
diff --git a/apps/login/src/lib/server/u2f.ts b/apps/login/src/lib/server/u2f.ts
index a174d0bc56..5cbd80611b 100644
--- a/apps/login/src/lib/server/u2f.ts
+++ b/apps/login/src/lib/server/u2f.ts
@@ -32,23 +32,25 @@ export async function addU2F(command: RegisterU2FCommand) {
     sessionToken: sessionCookie.token,
   });
 
-  const domain = (await headers()).get("host");
+  const host = (await headers()).get("host");
 
-  if (!domain) {
+  if (!host) {
     return { error: "Could not get domain" };
   }
 
+  const [hostname, port] = host.split(":");
+
+  if (!hostname) {
+    throw new Error("Could not get hostname");
+  }
+
   const userId = session?.session?.factors?.user?.id;
 
   if (!session || !userId) {
     return { error: "Could not get session" };
   }
 
-  return registerU2F(
-    userId,
-    domain,
-    // sessionCookie.token
-  );
+  return registerU2F(userId, hostname);
 }
 
 export async function verifyU2F(command: VerifyU2FCommand) {
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index 8e50916b87..306d168b63 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -620,17 +620,7 @@ export async function createPasskeyRegistrationLink(
  * @returns the newly set email
  */
 
-// TODO check for token requirements!
-export async function registerU2F(
-  userId: string,
-  domain: string,
-  // token: string,
-) {
-  // const transport = createServerTransport(token, {
-  //   baseUrl: process.env.ZITADEL_API_URL!,
-  // });
-
-  // const service = createUserServiceClient(transport);
+export async function registerU2F(userId: string, domain: string) {
   return userService.registerU2F({
     userId,
     domain,

From d09b45d8f5ea9739de2e7968f3b753b1f28e13c8 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 13 Dec 2024 10:18:00 +0100
Subject: [PATCH 8/9] default org on account chooser

---
 apps/login/src/app/(login)/accounts/page.tsx | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/apps/login/src/app/(login)/accounts/page.tsx b/apps/login/src/app/(login)/accounts/page.tsx
index c3944a3768..9d2e6a0b9f 100644
--- a/apps/login/src/app/(login)/accounts/page.tsx
+++ b/apps/login/src/app/(login)/accounts/page.tsx
@@ -1,8 +1,13 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { SessionsList } from "@/components/sessions-list";
 import { getAllSessionCookieIds } from "@/lib/cookies";
-import { getBrandingSettings, listSessions } from "@/lib/zitadel";
+import {
+  getBrandingSettings,
+  getDefaultOrg,
+  listSessions,
+} from "@/lib/zitadel";
 import { UserPlusIcon } from "@heroicons/react/24/outline";
+import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
 import { getLocale, getTranslations } from "next-intl/server";
 import Link from "next/link";
 
@@ -30,9 +35,19 @@ export default async function Page(props: {
   const authRequestId = searchParams?.authRequestId;
   const organization = searchParams?.organization;
 
+  let defaultOrganization;
+  if (!organization) {
+    const org: Organization | null = await getDefaultOrg();
+    if (org) {
+      defaultOrganization = org.id;
+    }
+  }
+
   let sessions = await loadSessions();
 
-  const branding = await getBrandingSettings(organization);
+  const branding = await getBrandingSettings(
+    organization ?? defaultOrganization,
+  );
 
   return (
     <DynamicTheme branding={branding}>

From d68e752686f33af22621a2513c5330994d665b52 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 13 Dec 2024 10:18:57 +0100
Subject: [PATCH 9/9] rm duplicate prop

---
 apps/login/src/components/auth-methods.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/login/src/components/auth-methods.tsx b/apps/login/src/components/auth-methods.tsx
index 23b5de1a95..ff0bcf0b32 100644
--- a/apps/login/src/components/auth-methods.tsx
+++ b/apps/login/src/components/auth-methods.tsx
@@ -32,7 +32,7 @@ const LinkWrapper = ({
 
 export const TOTP = (alreadyAdded: boolean, link: string) => {
   return (
-    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link} key={link}>
+    <LinkWrapper key={link} alreadyAdded={alreadyAdded} link={link}>
       <div
         className={clsx(
           "font-medium flex items-center",