Even though this is a feature it's released as fix so that we can back port to earlier revisions.
As reported by multiple users startup of ZITADEL after leaded to downtime and worst case rollbacks to the previously deployed version.
The problem starts rising when there are too many events to process after the start of ZITADEL. The root cause are changes on projections (database tables) which must be recomputed. This PR solves this problem by adding a new step to the setup phase which prefills the projections. The step can be enabled by adding the `--init-projections`-flag to `setup`, `start-from-init` and `start-from-setup`. Setting this flag results in potentially longer duration of the setup phase but reduces the risk of the problems mentioned in the paragraph above.
(cherry picked from commit 17953e9040)
This implementation increases parallel write capabilities of the eventstore.
Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006).
The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`.
If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
* take baseurl if saved on event
* refactor: make es mocks reusable
* Revert "refactor: make es mocks reusable"
This reverts commit 434ce12a6a.
* make messages testable
* test asset url
* fmt
* fmt
* simplify notification.Start
* test url combinations
* support init code added
* support password changed
* support reset pw
* support user domain claimed
* support add pwless login
* support verify phone
* Revert "support verify phone"
This reverts commit e40503303e.
* save trigger origin from ctx
* add ready for review check
* camel
* test email otp
* fix variable naming
* fix DefaultOTPEmailURLV2
* Revert "fix DefaultOTPEmailURLV2"
This reverts commit fa34d4d2a8.
* fix email otp challenged test
* fix email otp challenged test
* pass origin in login and gateway requests
* take origin from header
* take x-forwarded if present
* Update internal/notification/handlers/queries.go
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
* Update internal/notification/handlers/commands.go
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
* move origin header to ctx if available
* generate
* cleanup
* use forwarded header
* support X-Forwarded-* headers
* standardize context handling
* fix linting
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
* feat: migrate external id
* implement tests and some renaming
* fix projection
* cleanup
* i18n
* fix event type
* handle migration for new services as well
* typo
* feat: add phone change and code verification for user v2 api
* feat: add phone change and code verification for user v2 api
* fix: add ignored phone.proto
* fix: integration tests
* Update proto/zitadel/user/v2alpha/user_service.proto
* Update idp_template.go
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* feat: use passwap for human user passwords
* fix tests
* passwap config
* add the event mapper
* cleanup query side and api
* solve linting errors
* regression test
* try to fix linter errors again
* pass systemdefaults into externalConfigChange migration
* fix: user password set in auth view
* pin passwap v0.2.0
* v2: validate hashed password hash based on prefix
* resolve remaining comments
* add error tag and translation for unsupported hash encoding
* fix unit test
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
This fix provides a possibility to pass a domain on the session, which
will be used (as rpID) to create a passkey / u2f assertion and
attestation. This is useful in cases where the login UI is served under
a different domain / origin than the ZITADEL API.
* feat(api): add password reset and change to user service
* integration tests
* invalidate password check after password change
* handle notification type
* fix proto
* command/crypto: DRY the code
- reuse the the algorithm switch to create a secret generator
- add a verifyCryptoCode function
* command: crypto code tests
* migrate webauthn package
* finish integration tests with webauthn mock client
* chore(proto): update versions
* change protoc plugin
* some cleanups
* define api for setting emails in new api
* implement user.SetEmail
* move SetEmail buisiness logic into command
* resuse newCryptoCode
* command: add ChangeEmail unit tests
Not complete, was not able to mock the generator.
* Revert "resuse newCryptoCode"
This reverts commit c89e90ae35.
* undo change to crypto code generators
* command: use a generator so we can test properly
* command: reorganise ChangeEmail
improve test coverage
* implement VerifyEmail
including unit tests
* add URL template tests
* proto: change context to object
* remove old auth option
* remove old auth option
* fix linting errors
run gci on modified files
* add permission checks and fix some errors
* comments
* comments
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Add functionality to configure the access token type on the service accounts to provide the oidc library with the necessary information to create the right type of access token.
Request an access_token for service users with OAuth 2.0 Client Credentials Grant. Added functionality to generate and remove a secret on service users.
* docs: update cockroachdb version to 22.2
* feat(adminAPI): ListEventTypes returns the list of event types ZITADEL implements
* feat(adminAPI): ListAggregateTypes returns the list of aggregate types ZITADEL implements
* feat(adminAPI): ListEvents allows `IAM_OWNERS` to search for events
* fix: handle UserLoginMustBeDomain changes correctly
* fix: remove verified domains (and not only primary) as suffix
* fix: ensure testability by changing map to slice
* cleanup
* reduce complexity of DomainPolicyUsernamesWriteModel.Reduce()
* add test for removed org policy
* feat(command): remove org
* refactor: imports, unused code, error handling
* reduce org removed in action
* add org deletion to projections
* add org removal to projections
* add org removal to projections
* org removed projection
* lint import
* projections
* fix: table names in tests
* fix: table names in tests
* logging
* add org state
* fix(domain): add Owner removed to object details
* feat(ListQuery): add with owner removed
* fix(org-delete): add bool to functions to select with owner removed
* fix(org-delete): add bools to user grants with events to determine if dependencies lost owner
* fix(org-delete): add unit tests for owner removed and org removed events
* fix(org-delete): add handling of org remove for grants and members
* fix(org-delete): correction of unit tests for owner removed
* fix(org-delete): update projections, unit tests and get functions
* fix(org-delete): add change date to authnkeys and owner removed to org metadata
* fix(org-delete): include owner removed for login names
* fix(org-delete): some column fixes in projections and build for queries with owner removed
* indexes
* fix(org-delete): include review changes
* fix(org-delete): change user projection name after merge
* fix(org-delete): include review changes for project grant where no project owner is necessary
* fix(org-delete): include auth and adminapi tables with owner removed information
* fix(org-delete): cleanup username and orgdomain uniqueconstraints when org is removed
* fix(org-delete): add permissions for org.remove
* remove unnecessary unique constraints
* fix column order in primary keys
* fix(org-delete): include review changes
* fix(org-delete): add owner removed indexes and chang setup step to create tables
* fix(org-delete): move PK order of instance_id and change added user_grant from review
* fix(org-delete): no params for prepareUserQuery
* change to step 6
* merge main
* fix(org-delete): OldUserName rename to private
* fix linting
* cleanup
* fix: remove org test
* create prerelease
* chore: delete org-delete as prerelease
Co-authored-by: Stefan Benz <stefan@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
* fix: try using only user session if no user is set (id_token_hint) on prompt none
* fix caos errors As implementation
* implement request mode
* return explicit error on invalid refresh token use
* begin token revocation
* token revocation
* tests
* tests
* cleanup
* set op config
* add revocation endpoint to config
* add revocation endpoint to config
* migration version
* error handling in token revocation
* migration version
* update oidc lib to 1.0.0
* fix: save data (userAgentID) of otp verified event
* fix: change event to human.seftregistered on org setup
* fix: change event to human.seftregistered on org setup only from login
* fix: set password
* feat: user meta data events
* feat: user meta data set tests
* feat: user meta data tests
* feat: user meta data in protos
* feat: user meta data command api
* feat: user meta data query side
* feat: proto correct order, fix handlers
* feat: proto correct order
* feat: fixes of pr comments
* feat: fixes of pr comments
* feat: value as byte array
* feat: metadata feature
* Update internal/auth/repository/eventsourcing/handler/meta_data.go
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* Update internal/command/user_meta_data.go
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* Update proto/zitadel/metadata.proto
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* Update proto/zitadel/metadata.proto
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* fix: rename metadata files and table
* fix: rename meta data to metadat in protos
* Update internal/domain/metadata.go
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* fix: rename vars
* fix: rebiuld docs
* Update internal/iam/repository/view/metadata_view.go
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* begin pw less registration
* create pwless one time codes
* send pwless link
* separate send and add passwordless link
* separate send and add passwordless link events
* custom message text for passwordless registration
* begin custom login texts for passwordless
* i18n
* i18n message
* i18n message
* custom message text
* custom login text
* org design and texts
* create link in human import process
* fix import human tests
* begin passwordless init required step
* passwordless init
* passwordless init
* do not return link in mgmt api
* prompt
* passwordless init only (no additional prompt)
* cleanup
* cleanup
* add passwordless prompt to custom login text
* increase init code complexity
* fix grpc
* cleanup
* fix and add some cases for nextStep tests
* fix tests
* Update internal/notification/static/i18n/en.yaml
* Update internal/notification/static/i18n/de.yaml
* Update proto/zitadel/management.proto
* Update internal/ui/login/static/i18n/de.yaml
* Update internal/ui/login/static/i18n/de.yaml
* Update internal/ui/login/static/i18n/de.yaml
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
* fix: check ids in proto
* fix sign out
* improve displayed login name after user selection
* fix init user in login
* fix init password in login
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
* fix: org tests
* fix: org tests
* fix: user grant test
* fix: user grant test
* fix: project and project role test
* fix: project grant test
* fix: project grant test
* fix: project member, grant member, app changed tests
* fix: application tests
* fix: application tests
* fix: add oidc app test
* fix: add oidc app test
* fix: add api keys test
* fix: iam policies
* fix: iam and org member tests
* fix: idp config tests
* fix: iam tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: user tests
* fix: org domain test
* fix: org tests
* fix: org tests
* fix: implement org idps
* fix: pr requests
* fix: email tests
* fix: fix idp check
* fix: fix user profile
* fix: org tests
* fix: org tests
* fix: user grant test
* fix: user grant test
* fix: project and project role test
* fix: project grant test
* fix: project grant test
* fix: project member, grant member, app changed tests
* fix: application tests
* fix: application tests
* fix: add oidc app test
* fix: add oidc app test
* fix: add api keys test
* fix: iam policies
* fix: iam and org member tests
* fix: clock skew validation
* revert crypto changes
* fix: tests
* fix project grant member commands
Co-authored-by: Livio Amstutz <livio.a@gmail.com>