Commit Graph

3369 Commits

Author SHA1 Message Date
Stefan Benz
c21e171519
fix: add allowRegister check for register handling in login (#8782)
# Which Problems Are Solved

There is currently the possibility that you can jump to the register
path, even if register is disallowed through the settings.

# How the Problems Are Solved

Check before handling the HTTP requests if register is allowed.

# Additional Changes

Function to determine the resourceowner for all register related
functionality in the login.

# Additional Context

closes #8123
2024-10-16 13:09:32 +00:00
Tim Möhlmann
4ebc23aa1f
fix(load-test): correct k6 command (#8760) 2024-10-15 14:26:16 +02:00
Fabi
3c4a92a981
chore(github): add type to issue templates (#8775)
# Which Problems Are Solved

Github introduced the new issue types, which we want to add to our
issues. Starting point is to change the templates, so we can add the
right types.
2024-10-15 09:42:16 +00:00
Shubham Singh Sugara
7eb54e4c7b
fix: Update Defaults.yaml (#8731)
# Which Problems Are Solved
The primary issue addressed in this PR is that the defaults.yaml file
contains escaped characters (like `&lt;` for < and `&gt;` for >) in
message texts, which prevents valid HTML rendering in certain parts of
the Zitadel platform.
These escaped characters are used in user-facing content (e.g., email
templates or notifications), resulting in improperly displayed text,
where the HTML elements like line breaks or bold text don't render
correctly.

# How the Problems Are Solved
The solution involves replacing the escaped characters with their
corresponding HTML tags in the defaults.yaml file, ensuring that the
HTML renders correctly in the emails or user interfaces where these
messages are displayed.
This update ensures that:
- The HTML in these message templates is rendered properly, improving
the user experience.
- The content looks professional and adheres to web standards for
displaying HTML content.
    
# Additional Changes
N/A

# Additional Context
N/A

- Closes #8531

Co-authored-by: Max Peintner <max@caos.ch>
2024-10-14 07:42:08 +00:00
TrueQAP
c455b8b1eb
feat(i18n): Add Hungarian language support to ZITADEL (#8645)
- Fully translated all UI elements, documentation, and error messages
- Added Hungarian as a new supported language option
- Updated language selection menus and related configuration files
- Ensured consistency across all translated content

# Which Problems Are Solved

- ZITADEL was not accessible for Hungarian-speaking users due to lack of
language support
- Hungarian users had to rely on English or other languages to use the
platform
- Potential user base was limited due to language barrier

# How the Problems Are Solved

- Translated all user interface elements, including console and login
interfaces
- Translated all documentation files to Hungarian
- Added Hungarian translations for all error messages and notifications
- Implemented Hungarian as a selectable language option in the system

# Additional Changes

- Updated language selection menus to include Hungarian
- Modified configuration files to support Hungarian language
- Ensured consistent terminology and style across all translated content
- Added Hungarian language option to relevant dropdown menus and
settings

# Additional Context

- Relates to the ongoing internationalization efforts of ZITADEL
- Enhances accessibility for Hungarian-speaking developers and users
- Expands ZITADEL's potential user base in Hungary and
Hungarian-speaking regions

---------

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-10-11 09:00:50 +00:00
Elio Bischof
464ca0bd00
fix: always create SAML with metadata (#8696)
# Which Problems Are Solved

Adding a SAML IDPs with an empty metadata XML and URL leads to failed
projection events. The main IDP template projection succeeds, but the
subtable projection for SAML template fails, because the metadata field
is not nullable in that table. The SAML IDP shows up in list queries,
because the list method only queries the main template projection.
However, getting a SAML IDP created without metadata by ID misses the
SAML specific IDP data.

# How the Problems Are Solved

- The command for adding a SAML IDP properly ensures that non-empty
metadata is either given by XML or resolved by URL.
- The console doesn't send requests with empty metadata anymore. This
works by explicitly setting a single oneof option for either XML or URL
and emptying the other one.

# Additional Context

Closes #8443
2024-10-11 08:09:51 +00:00
Stuart Douglas
81920e599b
fix(SAML): log underlying error if SAML response validation fails (#8721)
# Which Problems Are Solved

If SAML response validation in crewjam/saml fails, a generic
"Authentication failed" error is thrown. This makes it challenging to
determine the actual cause, since there are a variety of reasons
response validation may fail.

# How the Problems Are Solved

Add a log statement if we receive a response validation error from
crewjam/saml that logs the internal `InvalidResponseError.PrivateErr`
error from crewjam/saml to stdout. We continue to return a generic error
message to the client to prevent leaking data.

Verified by running `go test -v ./internal/idp/providers/saml` in
verbose mode, which output the following line for the "response_invalid"
test case:
```
time="2024-10-03T14:53:10+01:00" level=info msg="invalid SAML response details" caller="/Users/sdouglas/Documents/thirdparty-repos/zitadel/internal/idp/providers/saml/session.go:72" error="cannot parse base64: illegal base64 data at input byte 2"
```

# Additional Changes

None

# Additional Context

- closes #8717

---------

Co-authored-by: Stuart Douglas <sdouglas@hopper.com>
2024-10-11 07:04:15 +00:00
Stefan Benz
4d593dace2
fix: add domain as attribute to list user auth methods (#8718)
# Which Problems Are Solved

There is no option to only query auth methods related to specific
domains.

# How the Problems Are Solved

Add domain as attribute to the ListAuthenticationMethodTypes request.

# Additional Changes

OwnerRemoved column removed from the projection.

# Additional Context

Closes #8615

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-10 16:50:53 +00:00
Livio Spring
df2033253d
fix: only allow domain discovery if no organization was preselected (#8748)
# Which Problems Are Solved

If an organization was preselected using an orgID or primaryDomain
scope, users could still switch to another organization, if the latter
allowed domain discovery and the entered username / or login_hint
included the corresponding domain suffix.

# How the Problems Are Solved

Domain discovery will only be done in case no org was preselected.

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8464
- closes https://github.com/zitadel/zitadel/issues/8588
2024-10-10 15:29:53 +00:00
Livio Spring
16171ce3b9
fix: pass sessionID to OTP email link (#8745)
# Which Problems Are Solved

OTP Email links currently could not use / include the sessionID they
belong to. This prevents an easy use for redirecting and handling OTP
via email through the session API.

# How the Problems Are Solved

Added the sessionID as placeholder for the OTP Email link template.

# Additional Changes

List all available placeholders in the url_templates of V2 endpoints.

# Additional Context

- discussed in a customer meeting
2024-10-10 13:53:32 +00:00
Fabi
222915ca3d
chore: test issue type (#8750)
# Which Problems Are Solved

We want to use the new issue types of github
2024-10-09 14:03:40 +02:00
Livio Spring
94f267d475
fix: respect PrivateLabelingSetting on project for login texts (#8744)
# Which Problems Are Solved

Admins can set the branding to be used from the project's organization.
Until now, only the branding (colors) were respected, but texts were
still loaded from the user's organization.

# How the Problems Are Solved

Respect the setting when loading the texts for the login pages.

# Additional Changes

None

# Additional Context

- closes #8502
2024-10-09 09:02:28 +00:00
Tim Möhlmann
17303d1524
perf(milestones): remove legacy token event reducer (#8747)
# Which Problems Are Solved

Since the optiimzation of the token endpoint, we longer push the
`user.token.added` event. However, the milestone projection keeps
quering for it, including a payload query.

This incured a static waste of DB resources.

# How the Problems Are Solved

Remove the `user.token.added` event reducer from the milestone
projection

# Additional Changes

- none

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/8742. Other
changes ommitted so this PR can be backported to stable.
2024-10-09 08:00:07 +00:00
Stefan Benz
911cb42d70
fix: check if project has resourceOwner and ownerID (#8725)
# Which Problems Are Solved

There is no check that the creation of a project also has a resource
owner.

# How the Problems Are Solved

Check if resource owner and the ID of the owner are provided on command
side.

# Additional Changes

None

# Additional Context

Closes #7794
2024-10-08 15:07:27 +00:00
dependabot[bot]
34195157ce
chore(deps-dev): bump webpack from 5.89.0 to 5.95.0 in /load-test (#8726)
Bumps [webpack](https://github.com/webpack/webpack) from 5.89.0 to
5.95.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/webpack/webpack/releases">webpack's
releases</a>.</em></p>
<blockquote>
<h2>v5.95.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Fixed hanging when attempting to read a symlink-like file that it
can't read</li>
<li>Handle <code>default</code> for import context element
dependency</li>
<li>Merge duplicate chunks call after split chunks</li>
<li>Generate correctly code for dynamically importing the same file
twice and destructuring</li>
<li>Use content hash as [base] and [name] for extracted DataURI's</li>
<li>Distinguish <code>module</code> and <code>import</code> in
<code>module-import</code> for externals <code>import</code>'s</li>
<li>[Types] Make <code>EnvironmentPlugin</code> default values types
less strict</li>
<li>[Types] Typescript 5.6 compatibility</li>
</ul>
<h2>New Features</h2>
<ul>
<li>Add new <code>optimization.avoidEntryIife</code> option
(<code>true</code> by default for the <code>production</code> mode)</li>
<li>Pass output.hash* options to loader context</li>
</ul>
<h2>Performance</h2>
<ul>
<li>Avoid unneeded re-visit in build chunk graph</li>
</ul>
<h2>v5.94.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Added runtime condition for harmony reexport checked</li>
<li>Handle properly
<code>data</code>/<code>http</code>/<code>https</code> protocols in
source maps</li>
<li>Make <code>bigint</code> optimistic when browserslist not found</li>
<li>Move <code>@​types/eslint-scope</code> to dev deps</li>
<li>Related in asset stats is now always an array when no related
found</li>
<li>Handle ASI for export declarations</li>
<li>Mangle destruction incorrect with export named default properly</li>
<li>Fixed unexpected asi generation with sequence expression</li>
<li>Fixed a lot of types</li>
</ul>
<h2>New Features</h2>
<ul>
<li>Added new external type &quot;module-import&quot;</li>
<li>Support <code>webpackIgnore</code> for <code>new URL()</code>
construction</li>
<li>[CSS] <code>@import</code> pathinfo support</li>
</ul>
<h2>Security</h2>
<ul>
<li>Fixed DOM clobbering in auto public path</li>
</ul>
<h2>v5.93.0</h2>
<h2>Bug Fixes</h2>
<ul>
<li>Generate correct relative path to runtime chunks</li>
<li>Makes <code>DefinePlugin</code> quieter under default log level</li>
<li>Fixed mangle destructuring default in namespace import</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e20fd634fd"><code>e20fd63</code></a>
chore(release): 5.95.0</li>
<li><a
href="4866b0daf1"><code>4866b0d</code></a>
feat: added new <code>optimization.entryIife</code> option</li>
<li><a
href="d90f6920f0"><code>d90f692</code></a>
fix: merge duplicate chunks after split chunks</li>
<li><a
href="90dec30ff4"><code>90dec30</code></a>
fix(externals): distinguish “module” and “import” in
“module-import”</li>
<li><a
href="c1a0a4666e"><code>c1a0a46</code></a>
fix(externals): distinguish “module” and “import” in
“module-import”</li>
<li><a
href="14d8fa8dd5"><code>14d8fa8</code></a>
fix: all tests cases</li>
<li><a
href="dae16ad11e"><code>dae16ad</code></a>
feat: pass output.hash* options to loader context</li>
<li><a
href="75d185d27e"><code>75d185d</code></a>
feat: pass <code>output.hash*</code> options to loader context</li>
<li><a
href="46e0b9cc05"><code>46e0b9c</code></a>
test: update</li>
<li><a
href="8e62f9f36b"><code>8e62f9f</code></a>
test</li>
<li>Additional commits viewable in <a
href="https://github.com/webpack/webpack/compare/v5.89.0...v5.95.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=webpack&package-manager=npm_and_yarn&previous-version=5.89.0&new-version=5.95.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
2024-10-08 14:33:15 +02:00
Livio Spring
91b2d67325
fix: correctly compute user state (#8740)
# Which Problems Are Solved

A customer reported, that after a created user (in initial state) got
(manually) locked and a new initial code would be created, the user
could not be locked again.

# How the Problems Are Solved

Query for the initial code added event

# Additional Changes

None

# Additional Context

- reported by a customer
2024-10-07 16:50:17 +02:00
Tim Möhlmann
a84b259e8c
perf(oidc): nest position clause for session terminated query (#8738)
# Which Problems Are Solved

Optimize the query that checks for terminated sessions in the access
token verifier. The verifier is used in auth middleware, userinfo and
introspection.


# How the Problems Are Solved

The previous implementation built a query for certain events and then
appended a single `PositionAfter` clause. This caused the postgreSQL
planner to use indexes only for the instance ID, aggregate IDs,
aggregate types and event types. Followed by an expensive sequential
scan for the position. This resulting in internal over-fetching of rows
before the final filter was applied.


![Screenshot_20241007_105803](https://github.com/user-attachments/assets/f2d91976-be87-428b-b604-a211399b821c)

Furthermore, the query was searching for events which are not always
applicable. For example, there was always a session ID search and if
there was a user ID, we would also search for a browser fingerprint in
event payload (expensive). Even if those argument string would be empty.

This PR changes:

1. Nest the position query, so that a full `instance_id, aggregate_id,
aggregate_type, event_type, "position"` index can be matched.
2. Redefine the `es_wm` index to include the `position` column.
3. Only search for events for the IDs that actually have a value. Do not
search (noop) if none of session ID, user ID or fingerpint ID are set.

New query plan:


![Screenshot_20241007_110648](https://github.com/user-attachments/assets/c3234c33-1b76-4b33-a4a9-796f69f3d775)


# Additional Changes

- cleanup how we load multi-statement migrations and make that a bit
more reusable.

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/7639
2024-10-07 12:49:55 +00:00
Hidde Wieringa
2bd3f44094
docs: remove duplicate from API path prefixes (#8739)
# Which Problems Are Solved

The `/oauth/v1` path prefix is duplicated, which is an error in most
proxies.


# How the Problems Are Solved

Remove the duplicate path prefix from the docs.

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-10-07 13:53:05 +02:00
Stefan Benz
d03ad62edd
fix: add default organization as query for org v2 list (#8719)
# Which Problems Are Solved

To get the default organization we have no direct solution.

# How the Problems Are Solved

Add default organization as query to the org v2 List.

# Additional Changes

None

# Additional Context

Closes #8616

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-10-07 09:28:39 +00:00
Livio Spring
f653589609
fix: twilio code generation and verification (#8728)
# Which Problems Are Solved

The recently added possibility to generate and verify codes through
Twilio verification service did failed on checking OTP SMS code through
the session API. Additionally, password codes generated by the V2 API
and sent through phone would always use the internal generator and
verification mechanism rather than the configured.

# How the Problems Are Solved

- Correctly set the verifier for OTP SMS for the session API
  - Always use the internal verifier for OTP Email (for now)
- Select the generator / verifier based on the configuration for
password codes with notification type SMS for V2 APIs

# Additional Changes

None

# Additional Context

- relates to #8678 
- reported by customer

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-10-07 07:12:44 +02:00
Tim Möhlmann
25dc7bfe72
perf(cache): pgx pool connector (#8703)
# Which Problems Are Solved

Cache implementation using a PGX connection pool.

# How the Problems Are Solved

Defines a new schema `cache` in the zitadel database.
A table for string keys and a table for objects is defined.
For postgreSQL, tables are unlogged and partitioned by cache name for
performance.

Cockroach does not have unlogged tables and partitioning is an
enterprise feature that uses alternative syntax combined with sharding.
Regular tables are used here.

# Additional Changes

- `postgres.Config` can return a pxg pool. See following discussion

# Additional Context

- Part of https://github.com/zitadel/zitadel/issues/8648
- Closes https://github.com/zitadel/zitadel/issues/8647

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-10-04 13:15:41 +00:00
Livio Spring
bee0744d46
fix: update logging to allow slog field overwrite (#8720)
# Which Problems Are Solved

When using slog (e.g. in OIDC) the logs field name can not be
overwritten.
This is necessary for example to change log level to severity.

# How the Problems Are Solved

- Update logging library

# Additional Changes

None

# Additional Context

None
2024-10-04 12:48:00 +00:00
alfa-alex
78b19c32ac
docs: add required parameter for authorization code grant (#8506) (#8709)
# Which Problems Are Solved

The current docs of the Authorization code grant do not mention that for
the authentication method type "None (PKCE)", you need to additionally
provide a `client_id` parameter.

# How the Problems Are Solved

Missing parameter is added to the docs.

# Additional Context

- Closes #8506
2024-10-04 12:15:15 +00:00
Stefan Benz
0bcf136f6f
fix: correctly create SMTP provider list (#8724)
# Which Problems Are Solved

https://github.com/zitadel/zitadel/pull/8545 incorrectly created the
list of current smtp providers, if an SMTP provider was changed, that
was created before https://github.com/zitadel/zitadel/pull/6932 /
[v2.50.0](https://github.com/zitadel/zitadel/releases/tag/v2.50.0)).
This led to problems when trying to send emails to users (email
verification and OTP email).

# How the Problems Are Solved

Correctly handle events of old SMTP configurations, which do not have an
id set.

# Additional Changes

None

# Additional Context

- relates to #8545
- support requests from cloud customers
2024-10-04 09:34:44 +00:00
Elio Bischof
fb481256ec
docs: reorganize actions v3 docs (#8712)
# Which Problems Are Solved

The actions v2 docs have broken links. Also, actions docs are
distributed and the navigation feels messy.

# How the Problems Are Solved

- The two actions v2 docs pages are integrated into the more accurate
actions v3 API section. Redirects are added to the Vercel config.


![image](https://github.com/user-attachments/assets/0b3b2255-4b90-45b3-be1d-ee875dd86f03)

![image](https://github.com/user-attachments/assets/a35314d7-11fb-446e-ae47-9d3e65adeccd)

- The broken links are fixed.

# Additional Changes

A text is added to the actions v3 section describing the changes coming
with v3.


![image](https://github.com/user-attachments/assets/bba0c9a2-36af-4820-aa84-a823b8801d79)

# Additional Context

- Replaces #8688
- Broken links reported in
https://discord.com/channels/927474939156643850/1275551972283646055
- Broken links reported in
https://discord.com/channels/927474939156643850/1168451861515354133/1280394234679136267

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-10-03 16:26:05 +00:00
Stefan Benz
5e57d3bebb
fix: correct error messages for policy queries (#8722)
# Which Problems Are Solved

Errors messages are mixed up for some policies

# How the Problems Are Solved

Define new error IDs and correct the messages.

# Additional Changes

None

# Additional Context

None
2024-10-03 17:53:03 +02:00
Elio Bischof
c0615e95e2
fix: update dependencies (#8713)
# Which Problems Are Solved

NPM dependencies are outdated.

# How the Problems Are Solved

```bash
cd console
yarn upgrade 
yarn add typescript@5.1
```

```bash
cd load-test
npm update
```
2024-10-03 11:03:44 +00:00
Livio Spring
18499274dd
fix(SAML): check on empty nameID (#8714)
# Which Problems Are Solved

If a SAML IdP did not send a `NameID` (even though required by the
specification), ZITADEL would crash.

# How the Problems Are Solved

- Check specifically if the `Subject` and its `NameID` is passed

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8654
2024-10-03 08:17:33 +00:00
Elio Bischof
be53caafea
docs(linux, macos): default postgres admin password (#8687) 2024-10-02 17:03:11 +00:00
Elio Bischof
a2f2ffb737
docs(nginx): pass host as received from client (#8690)
# Which Problems Are Solved

The Host header reaching ZITADEL must be the same like it is requested
by the browser, or all sorts of issues arise. However, in the NginX
docs, it is appended by the port.

# How the Problems Are Solved

Port is removed from examples

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/7804
- Relates to https://github.com/netbirdio/netbird/issues/1395
2024-10-02 16:47:58 +00:00
Silvan
ddeeeed303
fix(handler): optimise snapshot hanlding (#8652)
# Which Problems Are Solved

There are cases where not all statements of multiExec are succeed. This
leads to inconsistent states. One example is [LDAP
IDPs](https://github.com/zitadel/zitadel/issues/7959).

If statements get executed only partially this can lead to inconsistent
states or even break projections for objects which might not were
correctly created in a sub table.

This behaviour is possible because we use
[`SAVEPOINTS`](https://www.postgresql.org/docs/current/sql-savepoint.html)
during each statement of a multiExec.

# How the Problems Are Solved

SAVEPOINTS are only created at the beginning of an exec function not
during every execution like before. Additionally `RELEASE` or `ROLLBACK`
of `SAVEPOINTS` are only used when needed.

# Additional Changes

- refactor some unused parameters

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/7959
2024-10-02 18:34:19 +03:00
Livio Spring
dc7330f251
fix(API): select org context by domain (#8706)
# Which Problems Are Solved

V2 and V3 APIs allow setting the organization context by providing the
organization domain in the request. Users currently experience the
following error: "rpc error: code = Unauthenticated desc = context
missing (AUTH-rKLWEH)"

# How the Problems Are Solved

Correctly check the org domain when set.

# Additional Changes

None

# Additional Context

- support request
2024-10-02 06:38:54 +00:00
Livio Spring
c347e75485
fix: ignore projectID and origin check for service accounts (#8704)
# Which Problems Are Solved

Calls with tokens issued through JWT Profile or Client Credentials
Grants were no longer possible and threw a "could not read projectid by
clientid (AUTH-GHpw2)" error.
ZITADEL checks the allowed origins of an application and load its
projectID into the context on any API call.
Tokens from service accounts did not contain any clientID and therefore
never did that check.
But due to a change in https://github.com/zitadel/zitadel/pull/8580,
were the service user id was set as client_id in the OIDC session to fix
the introspection response
(https://github.com/zitadel/zitadel/issues/8590).

# How the Problems Are Solved

- Check if the project and origin were retrieved and only then check the
origins

# Additional Changes

None.

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8676
- relates to https://github.com/zitadel/zitadel/pull/8580 (released on
2.62.0)
- relates to https://github.com/zitadel/zitadel/issues/8590
2024-10-01 16:38:28 +02:00
Tim Möhlmann
63d733b3a2
perf(oidc): disable push of user token meta-event (#8691)
# Which Problems Are Solved

When executing many concurrent authentication requests on a single
machine user, there were performance issues. As the same aggregate is
being searched and written to concurrently, we traced it down to a
locking issue on the used index.
We already optimized the token endpoint by creating a separate OIDC
aggregate.

At the time we decided to push a single event to the user aggregate, for
the user audit log. See [technical advisory
10010](https://zitadel.com/docs/support/advisory/a10010) for more
details.

However, a recent security fix introduced an additional search query on
the user aggregate, causing the locking issue we found.

# How the Problems Are Solved

Add a feature flag which disables pushing of the `user.token.v2.added`.
The event has no importance and was only added for informational
purposes on the user objects. The `oidc_session.access_token.added` is
the actual payload event and is pushed on the OIDC session aggregate and
can still be used for audit trail.

# Additional Changes

- Fix an event mapper type for
`SystemOIDCSingleV1SessionTerminationEventType`

# Additional Context

- Reported by support request
- https://github.com/zitadel/zitadel/pull/7822 changed the token
aggregate
- https://github.com/zitadel/zitadel/pull/8631 introduced user state
check

Load test trace graph with `user.token.v2.added` **enabled**. Query
times are steadily increasing:


![image](https://github.com/user-attachments/assets/4aa25055-8721-4e93-b695-625560979909)

Load test trace graph with `user.token.v2.added` **disabled**. Query
times constant:


![image](https://github.com/user-attachments/assets/a7657f6c-0c55-401b-8291-453da5d5caf9)

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-26 13:55:41 +00:00
Mostafa Galal
7247f62006
docs(guides): Fixing incorrect placement of hyphen in overview (#8681)
# Which Problems Are Solved

- There was an incorrect placement of a hyphen in a sentence.

# How the Problems Are Solved

- Corrected by replacing the hyphen with a comma and adding a verb
(ready to go, offering a)

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-09-26 14:54:36 +02:00
Livio Spring
14e2aba1bc
feat: Add Twilio Verification Service (#8678)
# Which Problems Are Solved
Twilio supports a robust, multi-channel verification service that
notably supports multi-region SMS sender numbers required for our use
case. Currently, Zitadel does much of the work of the Twilio Verify (eg.
localization, code generation, messaging) but doesn't support the pool
of sender numbers that Twilio Verify does.

# How the Problems Are Solved
To support this API, we need to be able to store the Twilio Service ID
and send that in a verification request where appropriate: phone number
verification and SMS 2FA code paths.

This PR does the following: 
- Adds the ability to use Twilio Verify of standard messaging through
Twilio
- Adds support for international numbers and more reliable verification
messages sent from multiple numbers
- Adds a new Twilio configuration option to support Twilio Verify in the
admin console
- Sends verification SMS messages through Twilio Verify
- Implements Twilio Verification Checks for codes generated through the
same

# Additional Changes

# Additional Context
- base was implemented by @zhirschtritt in
https://github.com/zitadel/zitadel/pull/8268 ❤️
- closes https://github.com/zitadel/zitadel/issues/8581

---------

Co-authored-by: Zachary Hirschtritt <zachary.hirschtritt@klaviyo.com>
Co-authored-by: Joey Biscoglia <joey.biscoglia@klaviyo.com>
2024-09-26 09:14:33 +02:00
Tim Möhlmann
4eaa3163b6
feat(storage): generic cache interface (#8628)
# Which Problems Are Solved

We identified the need of caching.
Currently we have a number of places where we use different ways of
caching, like go maps or LRU.
We might also want shared chaches in the future, like Redis-based or in
special SQL tables.

# How the Problems Are Solved

Define a generic Cache interface which allows different implementations.

- A noop implementation is provided and enabled as.
- An implementation using go maps is provided
  - disabled in defaults.yaml
  - enabled in integration tests
- Authz middleware instance objects are cached using the interface.

# Additional Changes

- Enabled integration test command raceflag
- Fix a race condition in the limits integration test client
- Fix a number of flaky integration tests. (Because zitadel is super
fast now!) 🎸 🚀

# Additional Context

Related to https://github.com/zitadel/zitadel/issues/8648
2024-09-25 21:40:21 +02:00
dependabot[bot]
a6ea83168d
chore(deps): bump micromatch from 4.0.7 to 4.0.8 in /docs (#8493)
Bumps [micromatch](https://github.com/micromatch/micromatch) from 4.0.7
to 4.0.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/releases">micromatch's
releases</a>.</em></p>
<blockquote>
<h2>4.0.8</h2>
<p>Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We
consider the issues low-priority, so even if you see automated scanners
saying otherwise, don't be scared.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md">micromatch's
changelog</a>.</em></p>
<blockquote>
<h2>[4.0.8] - 2024-08-22</h2>
<ul>
<li>backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8bd704ec0d"><code>8bd704e</code></a>
4.0.8</li>
<li><a
href="a0e68416a4"><code>a0e6841</code></a>
run verb to generate README documentation</li>
<li><a
href="4ec288484f"><code>4ec2884</code></a>
Merge branch 'v4' into hauserkristof-feature/v4.0.8</li>
<li><a
href="03aa805217"><code>03aa805</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/micromatch/issues/266">#266</a>
from hauserkristof/feature/v4.0.8</li>
<li><a
href="814f5f70ef"><code>814f5f7</code></a>
lint</li>
<li><a
href="67fcce6a10"><code>67fcce6</code></a>
fix: CHANGELOG about braces &amp; CVE-2024-4068, v4.0.5</li>
<li><a
href="113f2e3fa7"><code>113f2e3</code></a>
fix: CVE numbers in CHANGELOG</li>
<li><a
href="d9dbd9a266"><code>d9dbd9a</code></a>
feat: updated CHANGELOG</li>
<li><a
href="2ab13157f4"><code>2ab1315</code></a>
fix: use actions/setup-node@v4</li>
<li><a
href="1406ea38f3"><code>1406ea3</code></a>
feat: rework test to work on macos with node 10,12 and 14</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/micromatch/compare/4.0.7...4.0.8">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=micromatch&package-manager=npm_and_yarn&previous-version=4.0.7&new-version=4.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-25 13:53:38 +00:00
Stefan Benz
62cdec222e
feat: user v3 contact email and phone (#8644)
# Which Problems Are Solved

Endpoints to maintain email and phone contact on user v3 are not
implemented.

# How the Problems Are Solved

Add 3 endpoints with SetContactEmail, VerifyContactEmail and
ResendContactEmailCode.
Add 3 endpoints with SetContactPhone, VerifyContactPhone and
ResendContactPhoneCode.
Refactor the logic how contact is managed in the user creation and
update.

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/6433

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-09-25 13:31:31 +00:00
mffap
624fee97c0
docs: optimized examples and sdk for search (#8657)
# Which Problems Are Solved

Page title was "introduction" and the headings were missing a h2 level.
This makes it difficult to index for search, both internal and external.

# How the Problems Are Solved

* Change the page title
* Pulled all headings one level up

# Additional Changes

- Show all elements in sdk-example folder automaticalls
2024-09-25 08:14:58 +00:00
Tim Möhlmann
aeb379e7de
fix(eventstore): revert precise decimal (#8527) (#8679) 2024-09-24 18:43:29 +02:00
Nico Schett
eb97be6fdf
docs(pylon.mdx): update to pylon v2 (#8643)
Hi!

I just release Pylon v2. Due to some breaking changes I need to adapt
the docs.

- Docs: https://pylon.cronit.io/docs/getting-started
- Release notes: https://pylon.cronit.io/docs/release-notes/v2.0
- Migration guide:
https://pylon.cronit.io/docs/release-notes/migrating-from-v1-to-v2
2024-09-24 06:43:39 +00:00
Silvan
e5e233b439
docs(office_hours): add Q&A on 2024-09-25 (#8646)
Added meeting schedule for office hours
2024-09-19 14:27:37 +00:00
dependabot[bot]
ebef53629a
chore(deps): bump body-parser from 1.20.2 to 1.20.3 in /console (#8640)
Bumps [body-parser](https://github.com/expressjs/body-parser) from
1.20.2 to 1.20.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/releases">body-parser's
releases</a>.</em></p>
<blockquote>
<h2>1.20.3</h2>
<h2>What's Changed</h2>
<h3>Important</h3>
<ul>
<li>deps: qs@6.13.0</li>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li><strong>IMPORTANT:</strong> The default <code>depth</code> level for
parsing URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>). <a
href="1752951367/README.md (depth)">Documentation</a></li>
</ul>
<h3>Other changes</h3>
<ul>
<li>chore: add support for OSSF scorecard reporting by <a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/522">expressjs/body-parser#522</a></li>
<li>ci: fix errors in ci github action for node 8 and 9 by <a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/523">expressjs/body-parser#523</a></li>
<li>fix: pin to node@22.4.1 by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/body-parser/pull/527">expressjs/body-parser#527</a></li>
<li>deps: qs@6.12.3 by <a
href="https://github.com/melikhov-dev"><code>@​melikhov-dev</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/521">expressjs/body-parser#521</a></li>
<li>Add OSSF Scorecard badge by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/531">expressjs/body-parser#531</a></li>
<li>Linter by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/534">expressjs/body-parser#534</a></li>
<li>Release: 1.20.3 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/535">expressjs/body-parser#535</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/522">expressjs/body-parser#522</a></li>
<li><a
href="https://github.com/melikhov-dev"><code>@​melikhov-dev</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/521">expressjs/body-parser#521</a></li>
<li><a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/531">expressjs/body-parser#531</a></li>
<li><a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/534">expressjs/body-parser#534</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3">https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/blob/master/HISTORY.md">body-parser's
changelog</a>.</em></p>
<blockquote>
<h1>1.20.3 / 2024-09-10</h1>
<ul>
<li>deps: qs@6.13.0</li>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li>IMPORTANT: The default <code>depth</code> level for parsing
URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1752951367"><code>1752951</code></a>
1.20.3</li>
<li><a
href="39744cfe2a"><code>39744cf</code></a>
chore: linter (<a
href="https://redirect.github.com/expressjs/body-parser/issues/534">#534</a>)</li>
<li><a
href="b2695c4450"><code>b2695c4</code></a>
Merge commit from fork</li>
<li><a
href="ade0f3f82f"><code>ade0f3f</code></a>
add scorecard to readme (<a
href="https://redirect.github.com/expressjs/body-parser/issues/531">#531</a>)</li>
<li><a
href="99a1bd6245"><code>99a1bd6</code></a>
deps: qs@6.12.3 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/521">#521</a>)</li>
<li><a
href="9478591605"><code>9478591</code></a>
fix: pin to node@22.4.1</li>
<li><a
href="83db46a1e5"><code>83db46a</code></a>
ci: fix errors in ci github action for node 8 and 9 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/523">#523</a>)</li>
<li><a
href="9d4e2125b5"><code>9d4e212</code></a>
chore: add support for OSSF scorecard reporting (<a
href="https://redirect.github.com/expressjs/body-parser/issues/522">#522</a>)</li>
<li>See full diff in <a
href="https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~ulisesgascon">ulisesgascon</a>, a new
releaser for body-parser since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=body-parser&package-manager=npm_and_yarn&previous-version=1.20.2&new-version=1.20.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
2024-09-18 14:17:29 +00:00
mffap
87ac5ed254
docs: Improve http notification doc (#8642)
# Which Problems Are Solved

The docs contained typos and links that led to 404.
More subejectively the docs did not provide enough guidance for new
users what providers are and how to configure an HTTP provider and then
activate them. Only basic links to the API docs were given without
examples on how to achieve a basic configuration.

# How the Problems Are Solved

References and typos fixed and reworked the guide.

# Additional Changes

Added code highlighting for json and bash.

# Additional Context

We could further improve by adding more help on this page on how to
configure SMS and SMTP providers.
2024-09-18 15:38:55 +02:00
Max Peintner
e68b5d4a83
chore(console): dependencies (#8638)
Updates the dependencies

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 10:00:36 +00:00
Livio Spring
5b40af79f0
fix: correctly check user state (#8631)
# Which Problems Are Solved

ZITADEL's user account deactivation mechanism did not work correctly
with service accounts. Deactivated service accounts retained the ability
to request tokens, which could lead to unauthorized access to
applications and resources.

# How the Problems Are Solved

Additionally to checking the user state on the session API and login UI,
the state is checked on all oidc session methods resulting in a new
token or when returning the user information (userinfo, introspection,
id_token / access_token and saml attributes)
2024-09-17 13:21:49 +00:00
Livio Spring
ca1914e235
fix: user grants deactivation (#8634)
# Which Problems Are Solved

ZITADEL's user grants deactivation mechanism did not work correctly.
Deactivated user grants were still provided in token, which could lead
to unauthorized access to applications and resources.
Additionally, the management and auth API always returned the state as
active or did not provide any information about the state.

# How the Problems Are Solved

- Correctly check the user grant state on active for tokens and user
information (userinfo, introspection, saml attributes)
- Map state in API and display in Console
2024-09-17 12:18:29 +00:00
Stefan Benz
4ac722d934
fix: use body for update user on user v2 API (#8635)
Use body for update user endpoint on user v2 API.
2024-09-17 11:53:43 +00:00
Livio Spring
d01bd1c51a
fix: correctly check app state on authentication (#8630)
# Which Problems Are Solved

In Zitadel, even after an organization is deactivated, associated
projects, respectively their applications remain active. Users across
other organizations can still log in and access through these
applications, leading to unauthorized access.
Additionally, if a project was deactivated access to applications was
also still possible.

# How the Problems Are Solved

- Correctly check the status of the organization and related project. 
(Corresponding functions have been renamed to `Active...`)
2024-09-17 11:34:14 +00:00