Overview - Zitadel/zitadel

zitadel/zitadel

7 days30 days

Latest CI Pipeline Executions

Fuzzy

Succeeded
list-admin-query
1802b5a8 implement suggestions
17 hours ago by livio-a
Failed
list-admin-query
1802b5a8 implement suggestions
22 hours ago by livio-a
Succeeded
list-admin-query
1802b5a8 Merge 759fd291a70391d1c2afb60055a1b349ed571926 into 686de9996788f24b77f555b19adf7bfdd66644b3
22 hours ago by livio-a
Succeeded
docs-complement-naming
15bb3e55 docs: correct "complement" flow names
23 hours ago by livio-a
Succeeded
list-admin-query
83f0f328 fix(api): implement missing filters on ListAdministrators endpoint
23 hours ago by livio-a
Succeeded
list-admin-query
83f0f328 Merge 5844a647b2a87e60691088a02a47a1a3d880df15 into 686de9996788f24b77f555b19adf7bfdd66644b3
23 hours ago by livio-a
Succeeded
next
eeae2c60 feat: Add recovery code MFA support (#9954)  One-time recovery codes are a common multi-factor authentication (MFA) backup method, letting users access their account if they lose other MFA devices. Support for recovery codes can also reduce support burden for users locked out of their accounts and provide a more secure and reliable form of verification than security questions. # Which Problems Are Solved Zitadel currently lacks support for recovery codes. # How the Problems Are Solved This PR partially addresses recovery code support in Zitadel. Importantly, it adds recovery codes as a new 2FA `Factor` and an additional `Check` type for the Session API. ``` Example recovery code flow: 1. User generates N new recovery codes using `POST /v2/users/{user_id}/recovery_codes` 2. Zitadel hashes and stores these codes and returns the un-hashed codes in the response 3. User creates new session with an additional check: `recoveryCode` 4. Code is checked against hash and, if valid, cannot be used again 5. User attempts to adds N more codes using the same endpoint 6. If `remaining_codes + N <= RecoveryCodes->MaxCount` config value, then recovery codes are added in addition to original codes 7. User can remove all recovery codes using `DEL /v2/users/:userId/recovery_codes` ``` This PR adds: - [x] Session recovery_code check support on `POST+PATCH /v2/sessions` endpoints - [x] Adds `mfa_recovery_code_checked_at` column (default null) to `projections.sessions8` table - [x] Support for `SECOND_FACTOR_TYPE_RECOVERY_CODES` as available 2FA method on login policy - [x] Support for importing recovery codes in /import code Missing, will _not_ implement in this PR: - [ ] Admin console support for displaying Recovery Code settings for user(s) - [ ] Zitadel Typescript login support for recovery codes TODO: - [x] Additional unit and integration tests - [x] Error translations # Additional Changes None # Additional Context - Closes #6898 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> (cherry picked from commit 5beeb5738a9be3cedb64e7820c6bad75ab624c2e)
3 days ago by livio-a
Succeeded
main
565ac734 test: fix SAML IdP unit tests (#11270) # Which Problems Are Solved Similar to https://github.com/zitadel/zitadel/pull/11241, there are additional unit tests where certificates expired. # How the Problems Are Solved The tests use dedicated combinations of SAML metadata, certificates and responses and also already use the `TimeNow` function from the `crewjam/saml` package to overwrite necessary time validations. This PR now additionally sets the `Clock` variable in the same package, which is used in XML validations like the signing. # Additional Changes None # Additional Context - relates to #11241 - requires backport to at least v4.x
3 days ago by livio-a
Succeeded
main
4e6f68c5 feat(relational): implement session repository (#11109) # Which Problems Are Solved As part of going to a relation storage model, we need to implement the repository for handling sessions and their events. # How the Problems Are Solved - Adds a migration step to create the necessary tables and types in the database. - Adds the repository implementation for sessions. - Implements a projection handler for session events to handle the events written by the old command handlers. - Updates the `Session` type and `SessionRepository` interface: - added `CreatorID` - Adjusted `Delete` method to return amount of affected columns - Removed sub-repository clumns from the main interface - Added `CreatorIDCondition`, `ExpirationCondition`, `ExistsFactor` and `ExistsMetadata` - Removed `SetUserAgent` - Methods of `SessionFactor` and `SessionChallenge` have been made public - fixed enumer on `SessionFactorType` - Adds a `JSON` type to the repository package to easy can JSON columns, resp. jsonb object inside a property of a `JSONArray` object. - Adds a `NoChange` interface, which can be implemented to signal that a `Change` interface implementation is not writing any changes to the statement builder, e.g. `CTEChange` # Additional Changes - Fixes the operators enums. `TextOperations` had wrong comments and `NumberOperations` additionally also had from comparisons. - Fixes downgrade of migration step 008. # Additional Context - closes https://github.com/zitadel/zitadel/issues/10212
3 days ago by livio-a
Succeeded
main
5f34d1af chore: forward port organization v2 API changes (#11207) # Which Problems Are Solved Recent changes to the v2beta and v2 API of the organization service were directly merged to the `next` branch and release on v4.x, since the ongoing move to the relation table, blocked it from being merged into main. # How the Problems Are Solved This PR ports the following changes into main: - fix(api): correct permission check in organization v2beta service: https://github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed - fix(actions v1): return org metadata again (https://github.com/zitadel/zitadel/pull/11040) - feat(api): move organization api (https://github.com/zitadel/zitadel/pull/11045) # Additional Changes None # Additional Context relates to #10772 --------- Co-authored-by: Gayathri Vijayan <66356931+grvijayan@users.noreply.github.com>
4 days ago by livio-a
Succeeded
org-v2-main
651ad927 fix(action): execute without features set (#11271) # Which Problems Are Solved A customer noted that one some of their environments actions were never executed at all. During the investigation it was discovered, that these systems did not have any features set. # How the Problems Are Solved Fix the `scanAuthzInstance` function to handle queries without features returned correctly. # Additional Changes None # Additional Context - reported through support - requires backport to v4.x and v3.x
4 days ago by livio-a
Succeeded
org-v2-main
651ad927 Merge 2f5752e283756cd39a25500b13e6df6c11ed3600 into 4c8a668585aff5798a158b0b2ea56a899fc6e566
4 days ago by livio-a
Succeeded
main
4c8a6685 fix(action): execute without features set (#11271) # Which Problems Are Solved A customer noted that one some of their environments actions were never executed at all. During the investigation it was discovered, that these systems did not have any features set. # How the Problems Are Solved Fix the `scanAuthzInstance` function to handle queries without features returned correctly. # Additional Changes None # Additional Context - reported through support - requires backport to v4.x and v3.x
4 days ago by livio-a
Succeeded
action-feature
bf129786 fix(login): cleanup server logs (#11195) Closes #11184 # Which Problems Are Solved - loginName: This information is already retrievable from the URL parameters during the authentication flow, so logging it presented no additional exposure. - idpIntent: This was being logged to the server console (server-side logs), so it was never exposed to the client/browser. These changes simply clean up the server logs to prevent unnecessary data noise. # How the Problems Are Solved - Removed idpIntent logging from `apps/login/src/lib/server/idp-intent.ts` - Removed loginName logging from `apps/login/src/lib/server/password.ts` --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
4 days ago by livio-a
Succeeded
action-feature
bf129786 Merge 853d66e7b98cbca427d50aa924ce017b78d66e42 into 9f1119823b9ad03dbb8da627931f236c5f539fde
4 days ago by livio-a
Succeeded
main
9f111982 fix(login): cleanup server logs (#11195) Closes #11184 # Which Problems Are Solved - loginName: This information is already retrievable from the URL parameters during the authentication flow, so logging it presented no additional exposure. - idpIntent: This was being logged to the server console (server-side logs), so it was never exposed to the client/browser. These changes simply clean up the server logs to prevent unnecessary data noise. # How the Problems Are Solved - Removed idpIntent logging from `apps/login/src/lib/server/idp-intent.ts` - Removed loginName logging from `apps/login/src/lib/server/password.ts` --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
4 days ago by livio-a
Succeeded
fix-lgn-rm-logs
0b9c5e8b fix(login): delete custom request headers when their value is empty (#11263) # Which Problems Are Solved The application automatically appends the x-zitadel-public-host header when a public host is configured. In some deployment scenarios where the host is determined by default or via other means, sending this header allows for improper routing or is simply redundant. The existing CUSTOM_REQUEST_HEADERS configuration only supported adding or overwriting headers, offering no way to remove headers that were set by default logic. # How the Problems Are Solved Extended the `CUSTOM_REQUEST_HEADERS` handling in `src/lib/zitadel.ts`. The logic now checks for empty header values. If a header is defined in `CUSTOM_REQUEST_HEADERS` with an empty value (e.g., x-zitadel-public-host:), the interceptor will delete that header from the request instead of setting it to an empty string. This allows users to opt-out of default headers via configuration.
4 days ago by livio-a
Succeeded
fix-lgn-rm-logs
0b9c5e8b Merge 665d34d8e77b437ec48e808a0e3875b6b96f10f6 into 072755f85a1fa093f8027c53a1c8e1ab5dd1b7ad
4 days ago by livio-a
Succeeded
session-repository-impl
16a1eea3 apply suggestions
4 days ago by livio-a
Succeeded
session-repository-impl
16a1eea3 Merge 8c1355bcaaeedaa4bc0d7679cc1ccbfed43c8f3b into 072755f85a1fa093f8027c53a1c8e1ab5dd1b7ad
4 days ago by livio-a