This reduces the initial payload of the `listMyProjectOrgs` to get the
active org by setting the limit of the initial orgs to 100.
Partial of #8272
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
#8291 added backwards compatibility for users who were created through
the user V2 API and want to sign in to the login UI.
There were however two issues, where users might be prompted to set a
password even if they already had one set or they would not be able to
submit the email verification code.
# How the Problems Are Solved
- Replaced `SearchUserAuthMethods` with `ListUserAuthMethodTypes` to
check for set up auth methods.
- Fixed page / javascript to disable submit button.
# Additional Changes
- Changed `ListActiveUserAuthMethodTypes` to `ListUserAuthMethodTypes`
with an `activeOnly` boolean parameter
# Additional Context
- relates to #8291
- noticed internally on QA
# Which Problems Are Solved
Bigger systems need to process many events during the initialisation
phase of the `eventstore.fields`-table. During setup these calls can
time out.
# How the Problems Are Solved
Changed the default behaviour of these projections to not time out and
increased the bulk limit.
(cherry picked from commit 6c1df83071)
# Which Problems Are Solved
- `pgxpool -> pgx` dependency throws "MaxSize must be >= 1" on init if
`postgres.MaxOpenConns` isn't set in the ZITADEL config
# How the Problems Are Solved
Only override the `MaxConns` with the Zitadel configured `MaxOpenConns`
if greater than 0 (default value). The default `MaxConns` [is derived by
`pgxpool`](ea9610f672/pgxpool/pool.go (L309-L324))
itself in a sensible way, but somewhat undocumented: checks for explicit
config in connection url or config and falls back on max(num_cpus, 4).
# Additional Changes
Applied same check in cockroach config
# Additional Context
This is likely a regression from the changes in
https://github.com/zitadel/zitadel/pull/8325
(cherry picked from commit e009ed9fe4)
# Which Problems Are Solved
The success and failure URLs post IDP intent are limited to 200
characters. This is very low given the standard for URL lengths is much
higher
https://www.baeldung.com/cs/max-url-length#maximum-length-of-a-url-in-different-browsers
Name of the Browser | URL Length
-- | --
Google Chrome | Maximum of 2048 characters for a URL
Mozilla Firefox | The address bar no longer shows the URL after 65536 characters
Internet Explorer | Maximum length of the URL is 2083 characters
Safari | Supports up to 80000 characters for a URL
Opera | Can display up to 190000 characters in its address bar
Apache | Supports a maximum of 4000 characters
The user post SSO login w/ Zitadel, sees deep links to our app e.g.
`www.mycompany.com/idp/success?deeplink=app/mypage/id/test#thing=abcdef`
and these are usually greater than 200 characters.
# How the Problems Are Solved
- Update validation check for SuccessURL length on v2 and v3 APIs to a
max of 2048 characters
- Update validation check for FailureURL length on v2 and v3 APIs to a
max of 2048 characters
I didn't find any docs to update reflecting this change in length
# Additional Context
Fixes the error
```
<PreparedRequest [POST]>, status: 400, reason: Bad Request, response: {"code":3,"message":"invalid StartIdentityProviderIntentRequest.Urls: embedded message failed validation | caused by: invalid RedirectURLs.SuccessUrl: value length must be between 1 and 200 runes, inclusive"}
```
(cherry picked from commit d90db6693c)
# Which Problems Are Solved
The connection pool of go uses a high amount of database connections.
# How the Problems Are Solved
The standard lib connection pool was replaced by `pgxpool.Pool`
# Additional Changes
The `db.BeginTx`-spans are removed because they cause too much noise in
the traces.
# Additional Context
- part of https://github.com/zitadel/zitadel/issues/7639
(cherry picked from commit 99c645cc60)
# Which Problems Are Solved
While #8285 also checked for `+proto` and `+json` grpc content types, it
accidentally matched all grpc-web requests to grpc.
# How the Problems Are Solved
- fixed the regex by checking for an exact match (added start `^` and
end `$` anchors)
# Additional Changes
None
# Additional Context
- relates to #8285
(cherry picked from commit d7c0ec282a)
# Which Problems Are Solved
ZITADEL returned a 404 Unimplemented error if the client sent
'application/grpc+proto' or 'application/grpc+json' which are both valid
content types.
# How the Problems Are Solved
changed the header matcher to regexp
# Additional Context
Problem occurred in
https://github.com/zitadel/typescript/tree/grpc-transport
(cherry picked from commit aa273ad000)
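The two commit messages above (the regexp header matcher and the follow-up that anchored it) describe the behaviour but not the pattern. The block below is an added example, not ZITADEL's own matcher code: it assumes a pattern of the form `^application/grpc(\+(proto|json))?$` and keeps the unanchored variant next to it so the regression (every `application/grpc-web...` request being treated as gRPC) is visible on sample header values.

```go
package main

import (
	"fmt"
	"regexp"
)

// Anchored matcher modelled on the fix: `^` and `$` force an exact match, so
// "application/grpc", "application/grpc+proto" and "application/grpc+json"
// are gRPC while "application/grpc-web..." is not. The exact pattern ZITADEL
// uses is not in the commit message; this one is an assumption.
var grpcContentType = regexp.MustCompile(`^application/grpc(\+(proto|json))?$`)

// Unanchored variant reproducing the regression: the substring
// "application/grpc" is found at the start of every grpc-web content type,
// and the optional "+proto"/"+json" group simply matches nothing.
var grpcContentTypeUnanchored = regexp.MustCompile(`application/grpc(\+(proto|json))?`)

// IsGRPC reports whether a Content-Type value should be routed to the gRPC
// server rather than to the grpc-web or REST gateway handlers.
func IsGRPC(contentType string) bool {
	return grpcContentType.MatchString(contentType)
}

// IsGRPCUnanchored shows the buggy behaviour for comparison only.
func IsGRPCUnanchored(contentType string) bool {
	return grpcContentTypeUnanchored.MatchString(contentType)
}

func main() {
	// Constructed sample header values, including the grpc-web ones that
	// must not be treated as gRPC.
	samples := []string{
		"application/grpc",
		"application/grpc+proto",
		"application/grpc+json",
		"application/grpc-web",
		"application/grpc-web+proto",
		"application/grpc-web-text",
		"application/json",
	}
	for _, ct := range samples {
		fmt.Printf("%-28s anchored=%-5v unanchored=%v\n", ct, IsGRPC(ct), IsGRPCUnanchored(ct))
	}
}
```

One caveat when adopting this shape: a Content-Type header may carry parameters (`application/grpc; charset=utf-8`), which the anchored pattern rejects as well. If clients send parameters, parse the media type first (for example with `mime.ParseMediaType`) and match only the type part.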
# Which Problems Are Solved
During performance testing of the `eventstore.fields` table we found
some long running queries which searched for the aggregate id.
# How the Problems Are Solved
A new index was added to the `eventstore.fields`-table called
`f_aggregate_object_type_idx`.
# Additional Changes
None
# Additional Context
- Table was added in https://github.com/zitadel/zitadel/pull/8191
- Part of https://github.com/zitadel/zitadel/issues/7639
(cherry picked from commit 23bebc7e30)
# Which Problems Are Solved
- `pgxpool -> pgx` dependency throws "MaxSize must be >= 1" on init if
`postgres.MaxOpenConns` isn't set in the ZItadel config
# How the Problems Are Solved
Only override the `MaxConns` with the Zitadel configured `MaxOpenConns`
if greater than 0 (default value). The default `MaxConns` [is derived by
`pgxpool`](ea9610f672/pgxpool/pool.go (L309-L324))
itself in a sensible way, but somewhat undocumented: checks for explicit
config in connection url or config and falls back on max(num_cpus, 4).
# Additional Changes
Applied same check in cockroach config
# Additional Context
This is likely a regression from the changes in
https://github.com/zitadel/zitadel/pull/8325
# Which Problems Are Solved
The mirror command read the configurations in the wrong order
# How the Problems Are Solved
The Pre execution run of `mirror` reads the default config first and
then applies the custom configs
# Which Problems Are Solved
A user created through the User V2 API without any authentication method
and possibly unverified email address was not able to login through the
current hosted login UI.
An unverified email address would result in a mail verification and not
an initialization mail like it would with the management API. Also the
login UI would then require the user to enter the init code, which the
user never received.
# How the Problems Are Solved
- When verifying the email through the login UI, it will check for
existing auth methods (password, IdP, passkeys). In case there are none,
the user will be prompted to set a password.
- When a user was created through the V2 API with a verified email and
no auth method, the user will be prompted to set a password in the login
UI.
- Since setting a password requires a corresponding code, the code will
be generated and sent when logging in.
# Additional Changes
- Changed `RequestSetPassword` to get the codeGenerator from the
eventstore instead of getting it from query.
# Additional Context
- closes https://github.com/zitadel/zitadel/issues/6600
- closes https://github.com/zitadel/zitadel/issues/8235
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
Both the login UI and the IdP intent flow have their own IdP callback
endpoints.
This makes configuration hard to impossible (e.g. Github only allows one
endpoint) for customers.
# How the Problems Are Solved
- The login UI prefixes the `state` parameter when creating an auth /
SAML request.
- All requests now use the `/idp/callback` or the corresponding
variation (e.g. SAML)
- On callback, the state, resp. its prefix is checked. In case of the
login UI prefix, the request will be forwarded to the existing login UI
handler without the prefix state.
Existing setups will therefore not be affected and also requests started
before this release can be handled without any impact.
- Console only lists the "new" endpoint(s). Any
`/login/externalidp/callback` is removed.
# Additional Changes
- Cleaned up some images from the IdP documentation.
- fix the error handling in `handleExternalNotFoundOptionCheck`
# Additional Context
- closes #8236
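The commit message above describes the routing rule (prefix the `state` of login-UI requests, share `/idp/callback`, strip the prefix before forwarding) without showing it. The block below is an added example, not the ZITADEL implementation: the prefix value `login-ui:`, the handler names and the `CallbackTarget` type are assumptions. The one property worth checking when choosing a prefix is that no state the intent flow issues can start with it, otherwise an intent request would be forwarded to the login UI.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// loginUIStatePrefix is an assumed value; the commit message only says the
// login UI prefixes the state, not which prefix it uses. It must be chosen so
// that no state issued by the IdP intent flow can start with it.
const loginUIStatePrefix = "login-ui:"

// CallbackTarget names the handler a callback is forwarded to.
type CallbackTarget string

const (
	TargetIntentFlow CallbackTarget = "idp-intent"
	TargetLoginUI    CallbackTarget = "login-ui"
)

// PrefixLoginUIState is what the login UI does when it creates the auth or
// SAML request: its own request ID is wrapped with the prefix.
func PrefixLoginUIState(state string) string {
	return loginUIStatePrefix + state
}

// RouteCallbackState inspects the returned state, picks the handler and
// returns the state in the form that handler expects (prefix removed for the
// login UI). States issued before the change carry no prefix and therefore
// still reach the intent flow unchanged.
func RouteCallbackState(state string) (CallbackTarget, string, error) {
	if state == "" {
		return "", "", errors.New("missing state parameter")
	}
	if strings.HasPrefix(state, loginUIStatePrefix) {
		rest := strings.TrimPrefix(state, loginUIStatePrefix)
		if rest == "" {
			return "", "", errors.New("empty login UI state")
		}
		return TargetLoginUI, rest, nil
	}
	return TargetIntentFlow, state, nil
}

// CallbackHandler serves the shared /idp/callback endpoint. Both downstream
// handlers are injected so the example runs without ZITADEL's own code.
func CallbackHandler(intentFlow, loginUI http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target, state, err := RouteCallbackState(r.URL.Query().Get("state"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if target == TargetLoginUI {
			// Rewrite the query so the existing login UI handler sees the
			// state it originally issued, without the prefix.
			q := r.URL.Query()
			q.Set("state", state)
			r.URL.RawQuery = q.Encode()
			loginUI.ServeHTTP(w, r)
			return
		}
		intentFlow.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample states: one from the login UI, one from the intent
	// flow (or from before the change), and an empty one.
	for _, s := range []string{PrefixLoginUIState("req-123"), "intent-456", ""} {
		target, state, err := RouteCallbackState(s)
		fmt.Printf("state=%q -> target=%q state=%q err=%v\n", s, target, state, err)
	}
}
```

Wire `CallbackHandler` under `/idp/callback` on your mux and the corresponding SAML path the same way; the IdP only ever needs to know the shared endpoint.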
# Which Problems Are Solved
ListOrgs has no option to select for organizations specific to Ids.
# How the Problems Are Solved
Add OrgIDQuery to ListOrgs.
# Additional Changes
Clean up double mapping for the OrgQueries.
# Additional Context
- noted internally while checking performance issues (in Console)
# Which Problems Are Solved
In the console a wrong translation is shown for the password re-auth
time: it says it is the time after which users have to renew their
password, but it is the time after which they have to authenticate
again with their password.
# How the Problems Are Solved
Translations are changed in all languages
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
Logs the type of sonyflake strategy used for generating unique machine
IDs
# How the Problems Are Solved
- Created function to log machine id strategy on the start up logs
# Additional Changes
- Added public function for retrieving current strategy set by
configuration
# Additional Context
- Closes #7750
# Which Problems Are Solved
Solves the problem described in #8264.
# How the Problems Are Solved
Added a UserID field which can be set during Machine User creation.
# Additional Changes
Added additional unit and integration tests to cover the cases where a
UserID field is present.
# Additional Context
- Closes #8264
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
- A note should be added to the ZITADEL management console showing that
the name and function in the javascript have to be the same
# How the Problems Are Solved
- A new cnsl-info-section is added to the create/update action dialog
# Additional Context
Here's a screenshot showing the note:
![Captura desde 2024-07-12 13-08-35](https://github.com/user-attachments/assets/62de5491-1895-4101-8bcf-1c8433661fd2)
- Closes #7874
Co-authored-by: Fabi <fabienne@zitadel.com>
# Which Problems Are Solved
- The UI layout is broken in Upload your Profile Picture
# How the Problems Are Solved
- MatDialog module was missing
# Additional Context
Here's a screenshot showing the fix
![Captura desde 2024-07-12 12-18-43](https://github.com/user-attachments/assets/7a01fa0e-3e89-4679-9606-085610f5adfe)
- Closes #8284
Co-authored-by: Fabi <fabienne@zitadel.com>
# Which Problems Are Solved
- Corrected a typo in the file
`internal/api/ui/login/static/i18n/zh.yaml` where "Migrosoft" was
changed to "Microsoft".
# How the Problems Are Solved
- Updated the misspelled word "Migrosoft" to "Microsoft" for consistency
and accuracy.
# Additional Changes
- None
# Additional Context
- None
# Which Problems Are Solved
- `<details>` tag is rendered in some cases in the docs, instead of
rendering a detail section which can be expanded
- New API V2 and V3 services were not rendered correctly
- The plugin which made it possible to integrate external code files and
show them on the docs didn't work anymore
# How the Problems Are Solved
- remove / from details tag, so it is properly rendered
- changing link source from tag to auto
- Someone already forked the repository and made it available for
docusaurus v3, we integrated the forked version
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
In User v2 API, the ListUsers endpoint doesn't provide the information
to which organization the user belongs to.
# How the Problems Are Solved
Add the details to the user results from the ListUsers endpoint, so that
the OrgID is also included as ResourceOwner.
# Additional Changes
None
# Additional Context
Closes #8172
# Which Problems Are Solved
TOTP remove endpoint available in management API, not in user v2 API.
# How the Problems Are Solved
Add endpoint RemoveTOTP to user v2 API.
# Additional Changes
None
# Additional Context
close #6605
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
Extends load tests by testing session creation.
# How the Problems Are Solved
The test creates a session including a check for user id.
# Additional Context
- part of https://github.com/zitadel/zitadel/issues/7639
# Which Problems Are Solved
- It is not possible to introspect service user token if
`urn:zitadel:iam:org:project:id:{projectid}:aud` scope is not added in
token request.
- Adding this note to the document could reduce confusion and debugging
time
- https://discord.com/channels/927474939156643850/1168857403945660436/1168930850029707386
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
Fixes a panic which can occur if there are no events to reduce in the fields handler
# How the Problems Are Solved
Check if there are any events to reduce
# Additional Context
- Panic was added in https://github.com/zitadel/zitadel/pull/8191
# Which Problems Are Solved
Improve the performance of human imports by optimizing the query that
finds domains claimed by other organizations.
# How the Problems Are Solved
Use the fields search table introduced in
https://github.com/zitadel/zitadel/pull/8191 by storing each
organization domain as Object ID and the verified status as field value.
# Additional Changes
- Feature flag for this optimization
# Additional Context
- Performance improvements for import are evaluated and acted upon
internally at the moment
---------
Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
# Which Problems Are Solved
Improve the performance of user grant addition, especially for import.
# How the Problems Are Solved
Use the search table to query for the project grant state.
This could easily be done by making the search used in
`checkProjectGrantPreCondition` reusable.
# Additional Changes
Changed event declarations to `const` in the
`internal/repository/project` package.
# Additional Context
- Performance improvements for import are evaluated and acted upon
internally at the moment
---------
Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
We found multiple cases where the error was not properly handled,
which led to panics.
# How the Problems Are Solved
Handle the errors.
# Additional Changes
None.
# Additional Context
- noticed internally
# Which Problems Are Solved
The metric `http_server_return_code_counter` doesn't record calls to the
gRPC gateway.
# How the Problems Are Solved
The DefaultMetricsHandler that is used for the gRPC gateway doesn't
record `http_server_return_code_counter`.
Instead of the DefaultMetricsHandler, a custom metrics handler which
includes `http_server_return_code_counter` is created for the gRPC
gateway
# Additional Changes
The DefaultMetricsHandler function is removed, as it is no longer used.
# Additional Context
Reported by a customer
---------
Co-authored-by: Silvan <silvan.reusser@gmail.com>
# Which Problems Are Solved
There are some undocumented parameters that can be used. A good example
is on the "Verify SMS OTP" page.
# How the Problems Are Solved
Expiry and Domain chips are added to the Verify SMS OTP and Verify Email
OTP message text configs in the console.
# Additional Context
- Closes #7134
---------
Co-authored-by: Fabi <fabienne@zitadel.com>
Co-authored-by: Elio Bischof <elio@zitadel.com>
# Which Problems Are Solved
The client ID for OIDC applications has an `@` in it, which is not
allowed in some 3rd-party systems (such as AWS).
# How the Problems Are Solved
Per @fforootd and @hifabienne in #6222, remove the project suffix and
the `@` from the client ID and just use the generated ID.
# Additional Changes
N/A
# Additional Context
- Closes #6222
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>