Commit Graph

4015 Commits

Author SHA1 Message Date
Elio Bischof
6788dd4b44 watch example 2025-07-18 11:34:21 +02:00
Elio Bischof
540527d457 fix build 2025-07-18 11:27:22 +02:00
Elio Bischof
c2d70cee4d latest proto client 2025-07-18 10:41:11 +02:00
Elio Bischof
189733e982 Merge branch 'main' into clean-login-2 2025-07-18 09:26:08 +02:00
Elio Bischof
920be186c9 restore dependencies 2025-07-18 09:25:01 +02:00
Elio Bischof
2fd028976c lint 2025-07-18 01:41:42 +02:00
Elio Bischof
98c53c0321 fix build 2025-07-18 01:10:35 +02:00
Elio Bischof
e61997b7e9 fix lint 2025-07-18 00:17:15 +02:00
Elio Bischof
1adf1e73a9 remove unused dependencies 2025-07-17 23:28:45 +02:00
Elio Bischof
d5093a4edf fix login commands 2025-07-17 21:38:04 +02:00
Elio Bischof
d1509af1cd fix login linting 2025-07-17 20:36:26 +02:00
Elio Bischof
a053ee802d fix package scripts 2025-07-17 20:07:53 +02:00
Elio Bischof
cf4f2308b3 update CONTRIBUTING.md 2025-07-17 19:03:48 +02:00
Elio Bischof
b0ec2f4bc0 rename pipeline steps 2025-07-17 13:22:34 +02:00
Elio Bischof
706a966f22 use turbo convention 2025-07-17 13:20:50 +02:00
masum-msphere
1a24b10702 fix(mgmt_api) : role deletion/update fails when role key contains a slash (#9958)
# Which Problems Are Solved

- Role deletion or update API returns `404 Not Found` when the role key
contains a slash (`/`), even if URL encoded.
- This breaks management of hierarchical role keys like
`admin/org/reader`.

# How the Problems Are Solved

- Updated the HTTP binding in the protobuf definition for the affected
endpoints to use `{role_key=**}` instead of `{role_key}`.
- This change enables proper decoding and handling of slashes in role
keys as a single path variable.

# Additional Changes
None

# Additional Context
- Closes https://github.com/zitadel/zitadel/issues/9948

Co-authored-by: Masum Patel <patelmasum98@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-07-16 12:08:06 +00:00
Elio Bischof
028a657fd0 dev login 2025-07-16 13:27:30 +02:00
Elio Bischof
acf68d683c configure changesets 2025-07-16 13:09:52 +02:00
Elio Bischof
8bfcaac321 configure changesets 2025-07-16 13:09:40 +02:00
Elio Bischof
b27fb92e8b soc 2025-07-16 13:02:43 +02:00
Iraq
870fefe3dc fix(org): adding unique constraints to not allow an org to be added twice with same id (#10243)
# Which Problems Are Solved

When adding 2 orgs with the same ID, you get a positive response from
the API, later when the org is projected, it errors due to the id
already in use

# How the Problems Are Solved

Check org with orgID specified does not already exist before adding
events

# Additional Changes

Added additional test case for adding same org with same name twice


# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/10127

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
2025-07-16 10:07:12 +00:00
Max Peintner
312b7b6010 chore: 🚀 Migrate monorepo from Yarn to pnpm + Turbo integration + Configuration cleanup (#10165)
This PR modernizes the ZITADEL monorepo build system by migrating from
Yarn to pnpm, introducing Turbo for improved build orchestration, and
cleaning up configuration inconsistencies across all apps and packages.

### 🎯 Key Improvements

#### 📦 **Package Manager Migration (Yarn → pnpm)**
- **Performance**: Faster installs with pnpm's efficient symlink-based
node_modules structure
- **Disk space**: Significant reduction in disk usage through
content-addressable storage
- **Lockfile**: More reliable dependency resolution with pnpm-lock.yaml
- **Workspace support**: Better monorepo dependency management

#### **Turbo Integration**
- **Build orchestration**: Dependency-aware task execution across the
monorepo
- **Intelligent caching**: Dramatically faster builds on CI/CD and local
development
- **Parallel execution**: Optimal task scheduling based on dependency
graphs
- **Vercel optimization**: Enhanced build performance and caching on
Vercel deployments

#### 🧹 **Configuration Cleanup & Unification**
- **Removed config packages**: Eliminated `@zitadel/*-config` packages
and inlined configurations
- **Simplified dependencies**: Reduced complexity in package.json files
across all apps
- **Consistent tooling**: Unified prettier, ESLint, and TypeScript
configurations
- **Standalone support**: Improved prepare-standalone.js script for
subtree deployments

### 📋 Detailed Changes

#### **🔧 Build System & Dependencies**
- Updated all package.json scripts to use `pnpm` instead of `yarn`
- Replaced `yarn.lock` with pnpm-lock.yaml and regenerated
dependencies
- Added Turbo configuration (turbo.json) to root and individual
packages
- Configured proper dependency chains: `@zitadel/proto#generate` →
`@zitadel/client#build` → `console#build`
- Added missing `@bufbuild/protobuf` dependency to console app for
TypeScript compilation

#### **🚀 CI/CD & Workflows**
- Updated all GitHub Actions workflows to use `pnpm/action-setup@v4`
- Migrated build processes to use Turbo with directory-based filters
(`--filter=./console`)
- **New**: Added `docs.yml` workflow for building documentation
locally (helpful for contributors without Vercel access)
- Fixed dependency resolution issues in lint workflows
- Ensured proto generation always runs before builds and linting

#### **📚 Documentation & Proto Generation**
- **Robust plugin management**: Enhanced plugin-download.sh with retry
logic and error handling
- **Vercel compatibility**: Fixed protoc-gen-connect-openapi plugin
availability in Vercel builds
- **API docs generation**: Resolved Docusaurus build errors with
OpenAPI plugin configuration
- **Type safety**: Improved TypeScript type extraction patterns in
Angular components

#### **🛠️ Developer Experience**
- Updated all README files to reference pnpm commands
- Improved Makefile targets to use Turbo for consistent builds
- Enhanced standalone build process for login app subtree deployments
- Added debug utilities for troubleshooting build issues

#### **🗂️ File Structure & Cleanup**
- Removed obsolete configuration packages and their references
- Cleaned up Docker files to remove non-existent package copies
- Updated workspace references and import paths
- Streamlined turbo.json configurations across all packages

### 🎉 Benefits

1. **Faster Builds**: Turbo's caching and parallel execution
significantly reduce build times
2. **🔄 Better Caching**: Improved cache hits on Vercel and CI/CD
environments
3. **🛠️ Simplified Maintenance**: Unified tooling and configuration
management
4. **📈 Developer Productivity**: Faster local development with optimized
dependency resolution
5. **🚀 Enhanced CI/CD**: More reliable and faster automated builds and
deployments
6. **📖 Better Documentation**: Comprehensive build documentation and
troubleshooting guides

### 🧪 Testing

- All apps build successfully with new pnpm + Turbo setup
- Proto generation works correctly across console, login, and docs
- GitHub Actions workflows pass with new configuration
- Vercel deployments work with enhanced plugin management
- Local development workflow verified and documented

This migration sets a solid foundation for future development while
maintaining backward compatibility and improving the overall developer
experience.

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2025-07-16 09:10:19 +02:00
Gayathri Vijayan
6d11145c77 fix(saml): Push AuthenticationSucceededOnApplication milestone for SAML sessions (#10263)
# Which Problems Are Solved

The SAML session (v2 login) currently does not push a
`AuthenticationSucceededOnApplication` milestone upon successful SAML
login for the first time. The changes in this PR address this issue.

# How the Problems Are Solved

Add a new function to set the appropriate milestone, and call this
function after a successful SAML request.

# Additional Changes

N/A

# Additional Context

- Closes #9592

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-07-15 16:03:47 +00:00
Elio Bischof
e1f112d59b chore: disable dependabot on login (#10265)
# Which Problems Are Solved

- Dependabot creates noisy PRs to the mirror repo zitadel/typescript.

# How the Problems Are Solved

- We mark the dependabot file as an example, effectively disabling
dependabot.
- For cases where this isn't intuitive enough, we add a guiding sentence to
the README.md
- Dependabot for the login [is already enabled in the zitadel
repo](https://github.com/zitadel/zitadel/blob/main/.github/dependabot.yml#L25-L37).

# Additional Changes

- Updates the CONTRIBUTING.md with instructions about how to submit
changes related to the mirror repo.
- @stebenz please dismiss the relevant Vanta checks if necessary.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-07-15 14:27:20 +00:00
Elio Bischof
ee13d4be7d chore: use DEPOT_TOKEN secret (#10237)
# Which Problems Are Solved

Action runs on PRs from forks can't authenticate at depot.

# How the Problems Are Solved

- The GitHub secret DEPOT_TOKEN is statically passed as env variable to
the steps that use the depot CLI, as described
[here](https://github.com/depot/setup-action#authentication).
- Removed the oidc argument from the depot/setup-action, as we pass the
env statically to the relevant steps.
- The `id-token: write` permission is removed from all workflows, as
it's not needed anymore.

# Additional Changes

Removed the obsolete comment
```yaml
# latest if branch is main, otherwise image version which is the pull request number
```

# Additional Context

Required by these approved PRs so their checks can be executed:
- https://github.com/zitadel/zitadel/pull/9982
- https://github.com/zitadel/zitadel/pull/9958
2025-07-15 13:40:27 +00:00
Livio Spring
c4e0342c5f chore(tests): fix tests (#10267)
# Which Problems Are Solved

The latest merge on main corrupted some unit tests.

# How the Problems Are Solved

Fix them as intended on the PR.

# Additional Changes

None

# Additional Context

relates to
4c942f3477
2025-07-15 13:09:22 +00:00
Livio Spring
4c942f3477 Merge commit from fork
* fix: require permission to create and update session

* fix: require permission to fail auth requests

* merge main and fix integration tests

* fix merge

* fix integration tests

* fix integration tests

* fix saml permission check
2025-07-15 13:38:00 +02:00
Elio Bischof
91487a0b23 chore: fix login sync (#10250)
# Which Problems Are Solved

When changes are pulled or pushed from or to a login repository, they
can't be merged to zitadel, because the commit histories differ.

# How the Problems Are Solved

Changed the commands to allow diverging commit histories.
Pulling takes a lot of commits into the zitadel repo branch like this.
This is fine, as we anyway squash-merge PRs to a single commit.
So we don't care about a branch's commit history.

# Additional Changes

Added an exception to the close-pr.yml workflow so sync PRs are not
auto-closed.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Florian Forster <florian@zitadel.com>
Co-authored-by: Max Peintner <peintnerm@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-07-15 09:23:34 +00:00
Max Peintner
14a5946db8 fix(login): better error handling for saml cookie serialization (#10259)
Fixes issues where SAML identity provider authentication would fail
silently, leaving users unable to complete the login flow through
external SAML providers.

changes `saml.ts`:

- Enhanced `setSAMLFormCookie()` with proper error handling and logging
- Improved `getSAMLFormCookie()` with detailed error reporting
- Added cookie size validation and warnings

changes `zitadel.ts`:

- Enhanced `startIdentityProviderFlow()` with robust form data handling
- Added detailed logging for protobuf object structure analysis
- Implemented safe fallback serialization for complex objects
- Added comprehensive error handling for JSON operations
2025-07-15 07:46:18 +00:00
Iraq
d5d6d37a25 test(org): enhancing test for creating org with custom id (#10247)
# Which Problems Are Solved

Enhancing integration test for creating org; currently the test does not
check if the created org has the assigned custom id, this will resolve
this issue.
2025-07-14 18:43:50 +02:00
Livio Spring
79fcc2f2b6 chore(tests): name integration test packages correctly to let them run (#10242)
# Which Problems Are Solved

After changing some internal logic, which should have failed the
integration test, but didn't, I noticed that some integration tests were
never executed. The make command lists all `integration_test` packages,
but some are named `integration`

# How the Problems Are Solved

Correct wrong integration test package names.

# Additional Changes

None

# Additional Context

- noticed internally
- backport to 3.x and 2.x
2025-07-14 08:01:36 +00:00
Iraq
23d6d24bc8 fix(login): changed permission check for sending invite code on log in (#10197)
# Which Problems Are Solved

Fixes issue when users would get an error message when attempting to
resend invitation code when logging in

# How the Problems Are Solved

Changing the permission check for looking for `org.write` to
`ommand.checkPermissionUpdateUser()`

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/10100
- backport to 3.x
2025-07-14 09:19:50 +02:00
Livio Spring
1b01fc6c40 fix(api): CORS for connectRPC and grpc-web (#10227)
# Which Problems Are Solved

The CORS handler for the new connectRPC handlers was missing, leading to
unhandled preflight requests and an unusable api for browser based calls,
e.g. cross domain gRPC-web requests.

# How the Problems Are Solved

- Added the http CORS middleware to the connectRPC handlers.
- Added `Grpc-Timeout`, `Connect-Protocol-Version`,`Connect-Timeout-Ms`
to the default allowed headers (this improves also the old grpc-web
handling)
- Added `Grpc-Status`, `Grpc-Message`, `Grpc-Status-Details-Bin` to the
default exposed headers (this improves also the old grpc-web handling)

# Additional Changes

None

# Additional Context

noticed internally while testing other issues
2025-07-11 09:55:01 +00:00
Livio Spring
8f61b24532 fix(login v1): correctly auto-link users on organizations with suffixed usernames (#10205) 2025-07-11 05:29:27 -04:00
Livio Spring
fefeaea56a perf: improve org and org domain creation (#10232)
# Which Problems Are Solved

When an organization domain is verified, e.g. also when creating a new
organization (incl. generated domain), existing usernames are checked if
the domain has been claimed.
The query was not optimized for instances with many users and
organizations.

# How the Problems Are Solved

- Replace the query, which was searching over the users projection with
(computed loginnames) with a dedicated query checking the loginnames
projection directly.
- All occurrences have been updated to use the new query.

# Additional Changes

None

# Additional Context

- reported through support
- requires backport to v3.x
2025-07-10 15:17:49 +00:00
Elio Bischof
0598abe7e6 chore(login): fix close pr action (#10234)
# Which Problems Are Solved

The close PR action fails
https://github.com/zitadel/typescript/actions/runs/16196332400/job/45723668837?pr=511

# How the Problems Are Solved

A backtick is escaped.

# Additional Context

- Completes #10229
2025-07-10 13:39:45 +00:00
Elio Bischof
f9cad0f3e5 chore(typescript): improve close PR action (#10229)
# Which Problems Are Solved

The close PR action currently fails because of unescaped backticks.

# How the Problems Are Solved

Backticks are escaped.

# Additional Changes

- Adding a login remote immediately fetches for better UX.
- Adding a subtree is not necessary, as it is already added in the repo.
- Fix and clarify PR migration steps.
- Add workflow dispatch event
2025-07-10 13:10:44 +02:00
Livio Spring
ffe6d41588 fix(login v1): handle password reset when authenticating with email or phone number (#10228)
# Which Problems Are Solved

When authenticating with email or phone number in the login V1, users
were not able to request a password reset and would be given a "User not
found" error.
This was due to a check of the loginname of the auth request, which in
those cases would not match the user's stored loginname.

# How the Problems Are Solved

Switch to a check of the resolved userID in the auth request. (We still
check the user again, since the ID might be a placeholder for an unknown
user and we do not want to disclose any information by omitting a check
and reduce the response time.)

# Additional Changes

None

# Additional Context

- reported through support
- requires backport to v3.x
2025-07-10 09:29:26 +02:00
Livio Spring
2821f41c3a fix(login v1): ensure the user's organization is always set into the token context (#10221)
# Which Problems Are Solved

Customers reported, that if the session / access token in Console
expired and they re-authenticated, the user list would be empty.
While reproducing the issue, we discovered that the necessary
organization information, would be missing in the access token, since
this would already be missing in the OIDC session creation when using an
id_token_hint.

# How the Problems Are Solved

- Ensure the user's organization is set in the login v1 auth request.
This is used to create the OIDC and token information.
 
# Additional Changes

None

# Additional Context

- reported by customers
- requires backport to v3.x
2025-07-09 16:51:13 +02:00
Silvan
f937f90504 chore: update review comment (#10210)
make review comment more clear what is expected
2025-07-09 11:01:59 +02:00
Gayathri Vijayan
0ceec60637 fix: sorting options of the ListInstanceTrustedDomains() gRPC endpoint (#10172)
# Which Problems Are Solved

1. The sorting columns in the gRPC endpoint
`ListInstanceTrustedDomains()` are incorrect, and return the following
error when invalid sorting options are chosen:
```
Unknown (2)
ERROR: missing FROM-clause entry for table "instance_domains" (SQLSTATE 42P01)
```

The sorting columns that are valid to list `instance_trusted_domains`
are
* `trusted_domain_field_name_unspecified`
* `trusted_domain_field_name_domain` 
* `trusted_domain_field_name_creation_date`

However, the currently configured sorting columns are 
* `domain_field_name_unspecified`
* `domain_field_name_domain`
* `domain_field_name_primary`
* `domain_field_name_generated`
* `domain_field_name_creation_date`

Configuring the actual columns of `instance_trusted_domains` makes this
endpoint **backward incompatible**. Therefore, the fix in this PR is to
no longer return an error when an invalid sorting column (non-existing
column) is chosen and to sort the results by `creation_date` for invalid
sorting columns.

2. This PR also fixes the `sorting_column` included in the responses of
both `ListInstanceTrustedDomains()` and `ListInstanceDomains()`
endpoints, as they now point to the default option irrespective of the
chosen option in the request i.e.,
* `TRUSTED_DOMAIN_FIELD_NAME_UNSPECIFIED` in case of
`ListInstanceTrustedDomains()`, and
* `DOMAIN_FIELD_NAME_UNSPECIFIED` in case of `ListInstanceDomains()`

# How the Problems Are Solved

* Map the sorting columns to valid columns of `instance_trusted_domain`
- If the sorting column is not one of the columns, the mapping defaults
to `creation_date`
* Set the `sorting_column` explicitly (from the request) in the
`ListInstanceDomainsResponse` and `ListInstanceTrustedDomainsResponse`

# Additional Changes

A small fix to return the chosen `sorting_column` in the responses of
the `ListInstanceTrustedDomains()` and `ListInstanceDomains()` endpoints

# Additional Context
- Closes #9839
2025-07-08 16:47:43 +02:00
Florian Forster
4b7443ba78 chore(docs): add llms.txt (#10133)
This pull request enhances the documentation site configuration by
introducing a new plugin and making minor adjustments to existing
settings. The primary focus is on integrating the
`@signalwire/docusaurus-plugin-llms-txt` plugin to improve content
handling and adding relevant dependencies.

### Plugin Integration:

* `docs/docusaurus.config.js`:
Added the `@signalwire/docusaurus-plugin-llms-txt` plugin with
configuration options, including a depth of 3, log level of 1, exclusion
of certain routes, and enabling markdown file support.
* `docs/package.json`:
Included the `@signalwire/docusaurus-plugin-llms-txt` dependency
(version `^1.2.0`) to support the new plugin integration.

### Configuration Adjustments:

* `docs/docusaurus.config.js`:
Removed the `docItemComponent` property under the `module.exports`
configuration.
2025-07-08 05:54:10 +00:00
Max Peintner
253beb4d39 fix(login): encode formpost data to cookie (#10173)
This PR implements a SAML cookie which is used to save information to
complete the form post. It is primarily used to avoid sending the
information as url search params and therefore reducing its length.
2025-07-07 16:11:14 +02:00
Livio Spring
aa8edee50b chore(docs): prevent readme overwrite (#10170)
# Which Problems Are Solved

To generate the docs, we rely on a protoc plugin to generate an openAPI
definition from connectRPC / proto.
Since the plugin is not available on buf.build, we currently download
the released version. As the tar contains a licence and a readme, this
overwrote existing internal files.

# How the Problems Are Solved

Download and extract the plugin in a separate folder and update
buf.gen.yaml accordingly.

# Additional Changes

None

# Additional Context

relates to #9483
2025-07-07 09:28:38 +02:00
Livio Spring
27cd1d8518 docs(api): add new beta services to api reference (#10018)
# Which Problems Are Solved

The unreleased new resource apis have been removed from the docs:
https://github.com/zitadel/zitadel/pull/10015

# How the Problems Are Solved

Add them to the docs sidenav again, since they're now released.

# Additional Changes

none

# Additional Context

none

---------

Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Marco Ardizzone <marco@zitadel.com>
2025-07-04 19:00:24 +02:00
Stefan Benz
5403be7c4b feat: user profile requests in resource APIs (#10151)
# Which Problems Are Solved

The commands for the resource based v2beta AuthorizationService API are
added.
Authorizations, previously known as user grants, give a user in a
specific organization and project context roles.
The project can be owned or granted.
The given roles can be used to restrict access within the projects
applications.

The commands for the resource based v2beta InternalPermissionService API
are added.
Administrators, previously known as memberships, give a user in a
specific organization and project context roles.
The project can be owned or granted.
The given roles give the user permissions to manage different resources
in Zitadel.

API definitions from https://github.com/zitadel/zitadel/issues/9165 are
implemented.

Contains endpoints for user metadata.

# How the Problems Are Solved

### New Methods

- CreateAuthorization
- UpdateAuthorization
- DeleteAuthorization
- ActivateAuthorization
- DeactivateAuthorization
- ListAuthorizations
- CreateAdministrator
- UpdateAdministrator
- DeleteAdministrator
- ListAdministrators
- SetUserMetadata to set metadata on a user
- DeleteUserMetadata to delete metadata on a user
- ListUserMetadata to query for metadata of a user

## Deprecated Methods

### v1.ManagementService
- GetUserGrantByID
- ListUserGrants
- AddUserGrant
- UpdateUserGrant
- DeactivateUserGrant
- ReactivateUserGrant
- RemoveUserGrant
- BulkRemoveUserGrant

### v1.AuthService
- ListMyUserGrants
- ListMyProjectPermissions

# Additional Changes

- Permission checks for metadata functionality on query and command side
- correct existence checks for resources, for example you can only be an
administrator on an existing project
- combined all member tables to singular query for the administrators
- add permission checks for command and query side functionality
- combined functions on command side where necessary for easier
maintainability

# Additional Context

Closes #9165

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-07-04 18:12:59 +02:00
Livio Spring
9ebf2316c6 feat: exchange gRPC server implementation to connectRPC (#10145)
# Which Problems Are Solved

The current maintained gRPC server in combination with a REST (grpc)
gateway is getting harder and harder to maintain. Additionally, there
have been and still are issues with supporting / displaying `oneOf`s
correctly.
We therefore decided to exchange the server implementation to
connectRPC, which apart from supporting connect as protocol, also lets
"standard" gRPC clients as well as HTTP/1.1 / rest like clients, e.g.
curl, directly call the server without any additional gateway.

# How the Problems Are Solved

- All v2 services are moved to connectRPC implementation. (v1 services
are still served as pure grpc servers)
- All gRPC server interceptors were migrated / copied to a corresponding
connectRPC interceptor.
- API.ListGrpcServices and API.ListGrpcMethods were changed to include
the connect services and endpoints.
- gRPC server reflection was changed to a `StaticReflector` using the
`ListGrpcServices` list.
- The `grpc.Server` interface was split into different combinations to
be able to handle the different cases (grpc server and prefixed gateway,
connect server with grpc gateway, connect server only, ...)
- Docs of services serving connectRPC only with no additional gateway
(instance, webkey, project, app, org v2 beta) are changed to expose that
- since the plugin is not yet available on buf, we download it using
`postinstall` hook of the docs

# Additional Changes

- WebKey service is added as v2 service (in addition to the current
v2beta)

# Additional Context

closes #9483

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2025-07-04 14:06:20 +00:00
Livio Spring
82cd1cee08 fix(service ping): correct endpoint, validate and randomize default interval (#10166)
# Which Problems Are Solved

The production endpoint of the service ping was wrong.
Additionally we discussed in the sprint review, that we could randomize
the default interval to prevent all systems to report data at the very
same time and also require a minimal interval.

# How the Problems Are Solved

- fixed the endpoint
- If the interval is set to @daily (default), we generate a random time
(minute, hour) as a cron format.
- Check if the interval is more than 30min and return an error if not.
- Fixed yaml indent on `ResourceCount`

# Additional Changes

None

# Additional Context

as discussed internally
2025-07-04 13:45:15 +00:00
Tim Möhlmann
26ec29a513 chore(deps): upgrade oidc and chi for dependabot alert (#10160)
# Which Problems Are Solved

Solve dependabot alerts for Go packages.

# How the Problems Are Solved

- Upgrade to latest github.com/zitadel/oidc, which already pulls the
fixed version of chi.
- Upgrade mapstructure

# Additional Changes

- none

# Additional Context

- https://github.com/zitadel/zitadel/security/dependabot/323
- https://github.com/zitadel/zitadel/security/dependabot/324
2025-07-04 11:14:37 +00:00
Elio Bischof
12656235e2 chore: fix login image with sha release (#10157)
# Which Problems Are Solved

Fixes the releasing of multi-architecture login images.

# How the Problems Are Solved

- The login-container workflow extends the bake definition with a file
docker-bake-release.hcl which adds the platforms linux/arm and linux/amd
to all relevant build targets. The used technique is similar to how the
docker metadata action allows to extend the bake definitions.
- The local login tag is moved to the metadata bake target, which is
always inherited and overwritten in the pipeline
- Packages write permission is added

# Additional Changes

- The MIT license is noted in container labels and annotations
- The Image is built from root so that the local proto files are used

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-07-03 13:10:10 +02:00