This repository was archived by the owner on Oct 27, 2025. It is now read-only.
Mirror zitadel repo #595
Merged
This PR fixes an issue where a user was not redirected to an IDP correctly if the user has entered the login name and has an IDP as the single auth method.
# Which Problems Are Solved

The new login UI used case-sensitive matching for usernames and email addresses. This is different from the v1 login and not expected by customers, leading to user-not-found errors.

# How the Problems Are Solved

The user search is changed to case-insensitive matching.

# Additional Changes

None

# Additional Context

- reported by a customer
- requires backport to 4.x

---------

Co-authored-by: Livio Spring <[email protected]>
# Which Problems Are Solved

Don't show the external IdP section if none are configured.

# How the Problems Are Solved

- Checks that `identityProviders` is non-empty.

# Additional Changes

- Added 2 additional null-checks for `identityProviders`

# Additional Context

- Closes #10401

Co-authored-by: Max Peintner <[email protected]>
Co-authored-by: Livio Spring <[email protected]>
…edirect ` param as post logout uri (#10500)

Closes #10413

This PR changes the logout success page of the V2 login to `/logout/done` and accepts both `post_logout_redirect` as well as `post_logout_redirect_uri` as a param for the post logout URL.

# Which Problems Are Solved

The new Login V2 now aligns with the login V1. It accepts `post_logout_redirect` as well as `post_logout_redirect_uri` as a param for the post logout URL.

# How the Problems Are Solved

Both search params are now accepted.
This PR sets the page title to the same title as the respective pages
and introduces a default title ("Login with Zitadel").
Closes #10282
# Which Problems Are Solved
Missing page title on pages.
# How the Problems Are Solved
Using the hosted translation service, we load and merge properties to
set the page title.
---------
Co-authored-by: Livio Spring <[email protected]>
# Which Problems Are Solved

Next.js's Image Optimization feature requires that hostnames for remote images be explicitly defined in the `next.config.js` file via `remotePatterns`. This configuration is static and evaluated at **build time**. However, the `ZITADEL_API_URL`, which is supposed to be used for additional whitelisted hostnames, is a dynamic environment variable only known at **run time**. This creates a fundamental conflict, making it impossible to add the user-provided URL to the configuration when building the public Docker image. Consequently, images like instance logos fail to load.

The existing workaround uses a permissive wildcard pattern (`*.zitadel.*`). This is a significant security risk, as it could allow malicious actors to abuse the server as an open image-resizing proxy, leading to potential denial-of-service (DDoS) attacks or excessive costs.

# How the Problems Are Solved

This change disables the Next.js Image Optimization feature entirely by setting `unoptimized: true` in the `images` configuration. By doing this, Next.js will no longer attempt to optimize, cache, or validate remote image sources. Instead, it will pass the original image URL directly to the client.

This approach resolves the issue by:

1. **Eliminating the need for `remotePatterns`**, which bypasses the build-time vs. run-time configuration conflict.
2. **Improving security** by removing the overly permissive wildcard pattern.
3. **Ensuring functionality**, as remote images now load correctly.

The trade-off is the loss of performance benefits from Next.js image optimization, but I see this as an acceptable compromise to restore essential functionality and secure the application.

Fixes #10456

Co-authored-by: Max Peintner <[email protected]>
Fix CSP img-src to allow ZITADEL instance assets

# Which Problems Are Solved

The login app was failing to load images (logos, branding assets) from ZITADEL instances due to Content Security Policy restrictions. The CSP `img-src` directive only allowed `'self'` and https://vercel.com, blocking images from ZITADEL domains like https://login-*.zitadel.app.

# How the Problems Are Solved

- Dynamic CSP configuration: extract the hostname from the `ZITADEL_API_URL` environment variable
- Fallback support: use the `*.zitadel.cloud` wildcard when no specific URL is configured
- Environment-aware: works across dev/staging/prod without hardcoded domains
# Which Problems Are Solved

- Most inputs have a hardcoded label

# How the Problems Are Solved

- Add usage of the i18n library for every label
- Add labels to the i18n translation files

# Additional Changes

- Fixed the key used by the submit button in `device-code-form.tsx`
- `v2-default.json` was updated and contains all values from the login app, not only the newly added keys for labels.

# Additional Context

N/A

---------

Co-authored-by: David Skewis <[email protected]>
Co-authored-by: Max Peintner <[email protected]>
…613)

# Which Problems Are Solved

Integration tests were failing with Minified React error 419, caused by React 19 Suspense boundary issues during server-side rendering (SSR) to client-side rendering (CSR) transitions.

# How the Problems Are Solved

The fix handles infrastructure-level SSR errors gracefully while maintaining proper error detection for actual application issues.

- Added Cypress error handling for React 19 SSR hydration errors that don't affect functionality

# Additional Changes

Enhanced the Next.js configuration with React 19 compatibility optimizations:

- `optimizePackageImports`: @radix-ui/react-tooltip and @heroicons/react can have large bundle sizes if not optimized. Such packages are suggested to be optimized in https://nextjs.org/docs/app/api-reference/config/next-config-js/optimizePackageImports
- `poweredByHeader`: Not that important. Benefits are smaller HTTP headers, tiny bandwidth savings, and a more professional appearance due to cleaner response headers; added it as a "security best practice".

# Additional Context

- Replaces #10611
Closes #10498

The registration form's legal checkboxes had incorrect validation logic that prevented users from completing registration when only one legal document (ToS or Privacy Policy) was configured, or when no legal documents were required. Additionally removes a duplicate description for "or use Identity Provider".

# Which Problems Are Solved

Having only partial legal documents was blocking users from registering. The logic now conditionally renders checkboxes and checks if all provided documents are accepted.

# How the Problems Are Solved

- Fixed checkbox validation: now properly validates based on which legal documents are actually available
- Acceptance logic: only requires acceptance of checkboxes that are shown
- No legal docs support: users can proceed when no legal documents are configured
- Proper state management: fixed checkbox state tracking and mixed-up test IDs

---------

Co-authored-by: Stefan Benz <[email protected]>
… methods (#10610)

Fixed an issue in `isSessionValid()` where users with multiple configured MFA methods (e.g., TOTP and U2F) would have their sessions incorrectly invalidated. The function previously used exclusive if-else logic that only checked the first matching method, causing validation to fail even when other configured methods were successfully verified.

Closes #10529

# Which Problems Are Solved

[#10529](zitadel/zitadel#10529)

# How the Problems Are Solved

- Replaced the exclusive if-else-if chain with inclusive validation logic
- The session is now considered valid if ANY configured MFA method has been verified
- Improved error logging to show all configured methods and their verification status

Example: a user with both TOTP and U2F configured can now successfully authenticate using either method, whereas previously the session would be invalid if they used U2F but TOTP was checked first.
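The exclusive-chain bug and the inclusive fix described in this commit, as an added example that is not zitadel's `isSessionValid()`; the factor names, the method-to-factor mapping and the rule that a session without configured MFA falls back to the password factor are assumptions made for the illustration.

```typescript
// Added example, not zitadel's own code. Illustrative session shape.
type MfaMethod = "totp" | "u2f" | "otpEmail" | "otpSms";
interface Factor { verifiedAt?: string }
interface Session {
  factors: { password?: Factor; totp?: Factor; webAuthN?: Factor; otpEmail?: Factor; otpSms?: Factor };
}

// Which session factor proves which configured method (assumed mapping).
const FACTOR_FOR_METHOD: Record<MfaMethod, keyof Session["factors"]> = {
  totp: "totp", u2f: "webAuthN", otpEmail: "otpEmail", otpSms: "otpSms",
};

function isVerified(factor?: Factor): boolean {
  return typeof factor?.verifiedAt === "string" && factor.verifiedAt.length > 0;
}

// Buggy shape: an exclusive if / else-if chain inspects only the first
// configured method it matches, so a U2F-verified session with TOTP also
// configured is rejected because the TOTP branch wins and returns false.
function isSessionValidExclusive(session: Session, configured: MfaMethod[]): boolean {
  if (configured.length === 0) return isVerified(session.factors.password);
  if (configured.includes("totp")) {
    return isVerified(session.factors.totp);
  } else if (configured.includes("u2f")) {
    return isVerified(session.factors.webAuthN);
  } else if (configured.includes("otpEmail")) {
    return isVerified(session.factors.otpEmail);
  } else if (configured.includes("otpSms")) {
    return isVerified(session.factors.otpSms);
  }
  return false;
}

// Fixed shape: evaluate every configured method and accept the session when
// ANY of them is verified; on failure report the status of all of them.
function isSessionValidInclusive(session: Session, configured: MfaMethod[]): boolean {
  if (configured.length === 0) return isVerified(session.factors.password);
  const status = configured.map((method) => ({
    method,
    verified: isVerified(session.factors[FACTOR_FOR_METHOD[method]]),
  }));
  const valid = status.some((s) => s.verified);
  if (!valid) {
    console.warn("no configured MFA method verified:", JSON.stringify(status));
  }
  return valid;
}
```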
This PR removes the Vercel Analytics integration from the login application to reduce external dependencies and improve privacy.

# Which Problems Are Solved

Cleaner CSP

# How the Problems Are Solved

- Removed dependency: uninstalled the @vercel/analytics package from package.json
- Updated layout component: removed the Analytics import and component usage from layout.tsx
- Updated Content Security Policy: removed the Vercel domains (https://va.vercel-scripts.com and https://vercel.com) from the CSP configuration in csp.js
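Building the `img-src` directive from `ZITADEL_API_URL` with the `*.zitadel.cloud` fallback (the CSP commit above) and without the Vercel origins (this commit), as an added example that is not the login app's `csp.js`; the other directives, the use of the URL's origin rather than its bare hostname, and the function names are assumptions.

```typescript
// Added example, not the project's csp.js. Assumed fallback source.
const FALLBACK_IMG_SRC = "https://*.zitadel.cloud";

// Derive a single image origin from ZITADEL_API_URL. Using the origin
// (scheme + host + port) keeps the policy tighter than a bare hostname and
// drops any path or userinfo; anything unparsable falls back to the wildcard.
function imgSrcFromApiUrl(apiUrl: string | undefined): string {
  if (!apiUrl) return FALLBACK_IMG_SRC;
  try {
    const u = new URL(apiUrl);
    if (u.protocol !== "https:" && u.protocol !== "http:") return FALLBACK_IMG_SRC;
    return u.origin;
  } catch {
    return FALLBACK_IMG_SRC; // e.g. a bare hostname without scheme, or a typo
  }
}

// Assemble the policy. No Vercel origins and no *.zitadel.* wildcard appear
// here: the only remote image source is the one derived from the API URL.
function buildCsp(apiUrl: string | undefined): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:", imgSrcFromApiUrl(apiUrl)],
    "script-src": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}
```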
Safari was not creating session cookies during local development, causing authentication failures. This was due to Next.js's default setting of the SameSite cookie property. We now explicitly set "strict" for session cookies.

Closes #10473

# Which Problems Are Solved

Authentication issues with Safari in local development

# How the Problems Are Solved

- Cleaner API: replaced the confusing sameSite boolean/string parameters with an iFrameEnabled boolean
- Better logic flow: iFrameEnabled: true → sameSite: "none" (for iframe embedding); production → sameSite: "strict" (maximum security)
This PR completely removes Next.js image optimization from the login app by replacing all next/image components with standard HTML <img> tags and removing the image optimization configuration.

Closes zitadel/zitadel-charts#381

# Which Problems Are Solved

Users were encountering issues when loading images in dedicated environments. These happened due to Next.js image optimizations creating different paths for images.

# How the Problems Are Solved

- Removed the Next.js Image Optimization config
- Removed the `images: { unoptimized: true }` configuration from `next.config.mjs`. This config was redundant since we no longer use next/image components
- Replaced next/image with standard <img> tags
…nterference (#10644)
The /login route was experiencing issues with React Server Component
(RSC) requests interfering with one-time authentication callbacks. When
users navigated to /login via client-side routing (router.push()),
Next.js automatically triggered _rsc requests that could consume
single-use createCallback tokens, breaking OIDC and SAML authentication
flows.
# Which Problems Are Solved
When users attempt to log in, Next.js automatically makes requests with
the `_rsc=1` query parameter for React Server Components. The current
implementation treats these as server errors:
```typescript
// Before: every request carrying the _rsc query parameter was rejected
// with a 500, although Next.js sends these requests routinely.
if (_rsc) {
  return NextResponse.json({ error: "No _rsc supported" }, { status: 500 });
}
```
This results in:
- Spurious 500 error logs polluting monitoring systems
- False alerts for server failures
- Difficulty distinguishing real issues from benign RSC requests
# How the Problems Are Solved
This PR implements a comprehensive refactoring that:
- Eliminates RSC interference by providing server actions for internal
auth flow completion
- Separates concerns between external flow initiation and internal flow
completion
- Extracts shared utilities to improve code maintainability and
reusability
- Maintains full backward compatibility for external applications
# Additional Context
## New Architecture
- auth-flow.ts: Shared utilities for auth flow completion with RSC
protection
- flow-initiation.ts: Extracted OIDC/SAML flow initiation logic (~400
lines)
- auth.ts: Server actions for internal components
## Route Handler Simplification
- route.ts: Reduced from ~350 lines to ~75 lines
- External-only focus: Now handles only flow initiation for external
applications
- Removed completion logic: External apps use their own callback URLs
- Enhanced validation: Early RSC blocking and parameter validation
## Flow Logic Improvements
- Early return patterns: Guard clauses eliminate deep nesting
- Better error handling: Specific error messages for different failure
modes
- Fixed SAML flow: Addressed incomplete logic
- Consistent session handling: Unified approach across OIDC and SAML
# Which Problems Are Solved

When deploying the login application behind proxies or using Vercel rewrites (e.g., `zitadel.com/login` → `login-zitadel-qa.vercel.app`), the application was using the internal rewritten host instead of the original user-facing host. This caused several issues:

1. **Broken Password Reset Emails**: email links contained internal hosts like `login-zitadel-qa.vercel.app` instead of `zitadel.com`
2. **Inconsistent User Experience**: users would see different domains in various parts of the flow
3. **Security Concerns**: internal infrastructure details were exposed to end users
4. **Scattered Logic**: host detection logic was duplicated across multiple files with inconsistent error handling

# How the Problems Are Solved

Created comprehensive host detection utilities in `/lib/server/host.ts` and `/lib/client/host.ts`:

**Server-side utilities:**

- `getOriginalHost()` - Returns the original user-facing host
- `getOriginalHostWithProtocol()` - Returns host with proper protocol (http/https)
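Resolving the user-facing host behind a proxy or Vercel rewrite, as an added example that is not the project's `host.ts`; the header names are the standard `Host`, `X-Forwarded-Host` and `X-Forwarded-Proto`, while the allow-list (which keeps a spoofed forwarded host out of password-reset links), the lowercase header keys and the function bodies are assumptions.

```typescript
// Added example, not zitadel's host utilities. Header keys are assumed to be
// lowercased already, as Node's IncomingMessage.headers delivers them.
type HeaderMap = Record<string, string | undefined>;

// Hosts the operator expects to serve. A forwarded host outside this list is
// ignored, so a client-supplied header cannot end up in an emailed link.
const ALLOWED_HOSTS = ["zitadel.com", "login-zitadel-qa.vercel.app", "localhost"];

// Chained proxies may append values ("a.example, b.example"); the first one
// is the host the user actually typed.
function firstValue(value: string | undefined): string | undefined {
  return value?.split(",")[0].trim() || undefined;
}

// hostname with an optional port; no path, scheme or userinfo allowed.
function isWellFormedHost(host: string): boolean {
  return /^[a-z0-9.-]+(:\d{1,5})?$/i.test(host);
}

function getOriginalHost(headers: HeaderMap): string {
  // Prefer the proxy-supplied original host, then the host the app itself saw.
  const candidates = [firstValue(headers["x-forwarded-host"]), firstValue(headers["host"])];
  for (const candidate of candidates) {
    if (!candidate || !isWellFormedHost(candidate)) continue;
    const hostname = candidate.split(":")[0].toLowerCase();
    if (ALLOWED_HOSTS.includes(hostname)) return candidate.toLowerCase();
  }
  throw new Error("no trusted host header present");
}

function getOriginalHostWithProtocol(headers: HeaderMap): string {
  const host = getOriginalHost(headers);
  const forwardedProto = firstValue(headers["x-forwarded-proto"]);
  const isLocal = /^(localhost|127\.0\.0\.1)(:\d+)?$/.test(host);
  // Default to https; plain http only when the proxy says so or for local dev.
  const scheme = forwardedProto === "http" || (forwardedProto === undefined && isLocal) ? "http" : "https";
  return `${scheme}://${host}`;
}
```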
…egistration (#10729)

Closes #10727
Closes #10577

# Which Problems Are Solved

This PR fixes the organization domain scope when provided and introduces a deep-link feature for external applications that sends users directly into the passkey registration flow using either session-based or sessionless flows.

Previously, the `/passkey/set` page only supported session-based registration, limiting external application integration scenarios. The `/passkey/set` page now supports:

- `code` search parameter for automatic passkey registration
- `userId` parameter for sessionless flows (similar to `/verify` and `/password/set` pages)
- Auto-submit functionality when verification codes are provided

# How the Problems Are Solved

The organization scope is fixed by the backend handler for OIDC flows, now correctly submitting a `suffix` query param to the /loginname URL, which is used to show in the input field.

The passkey code support is implemented by supporting multiple integration patterns:

- **Session-based**: `/passkey/set?sessionId=123&code=abc123` (existing flow)
- **Sessionless**: `/passkey/set?userId=123456&code=abc123` (new flow)

External Application Integration Flow

1. External app triggers passkey register and obtains code
2. User verification link containing `userId`, `code` and `id` parameters
3. User clicks link → `/passkey/set?userId=123&code=abc&id=123`
4. Page loads user information using `userId` parameter
5. Auto-submit triggers passkey registration when `code` and `id` are present
6. User completes WebAuthn request
7. Passkey is registered and user continues authentication flow

This enables external applications to seamlessly integrate passkey registration into their user onboarding
# Which Problems Are Solved

Add projects to the relational tables

# How the Problems Are Solved

- Define table migrations
- Define and implement Project and Project Role repositories.
- Provide projection handlers to populate the relational tables.

# Additional Changes

- Statement Builder now has a constructor which allows setting of a base query with arguments.
- Certain operations, like Get, Update and Delete, require the Primary Key to be set as conditions. However, this requires knowledge of the implementation and table definition. This PR proposes an additional condition for repositories: `PrimaryKeyCondition`. This gives clarity on the required IDs for these operations.
- Added a couple of helpers to the repository package, to allow more DRY code.
  - getOne / getMany: generic functions for query execution and scanning.
  - checkRestrictingColumns, checkPkCondition: simplify condition checking, instead of using ladders of conditionals.
- Added a couple of helpers to the repository test package:
  - Transaction, savepoint and rollback helpers.
  - Create instance and organization helpers for objects that depend on them (like projects).

# Additional Context

- after zitadel/zitadel#10809
- closes #10765
Closes #10671

# Which Problems Are Solved

Users with only the password authentication method were immediately shown an error "Username Password not allowed" when `loginSettings.allowUsernamePassword` was set to false. However, the IDP flow could potentially allow the user to register a new account or link an existing account, providing a better user experience than a dead-end error.

# How the Problems Are Solved

- Modified the single password method case to attempt an IDP redirect before showing the error
- This allows users to potentially register or link accounts through the IDP flow instead of hitting an immediate error
- Only show the error as a last resort when no IDP alternative is available
# Which Problems Are Solved

Replaces Turbo with Nx and lays the foundation for the next CI improvements. It enables using Nx Cloud to speed up the pipelines that affect any node package.

It streamlines the dev experience for frontend and backend developers by providing the following commands:

| Task | Command | Notes |
|------|---------|-------|
| **Production** | `nx run PROJECT:prod` | Production server |
| **Develop** | `nx run PROJECT:dev` | Hot reloading development server |
| **Test** | `nx run PROJECT:test` | Run all tests |
| **Lint** | `nx run PROJECT:lint` | Check code style |
| **Lint Fix** | `nx run PROJECT:lint-fix` | Auto-fix style issues |

The following values can be used for PROJECT:

- @zitadel/zitadel (root commands)
- @zitadel/api
- @zitadel/login
- @zitadel/console
- @zitadel/docs
- @zitadel/client
- @zitadel/proto

The project names and folders are streamlined:

| Old Folder | New Folder |
| --- | --- |
| ./e2e | ./tests/functional-ui |
| ./load-test | ./benchmark |
| ./build/zitadel | ./apps/api |
| ./console | ./apps/console (postponed so the PR is reviewable) |

Also, all references to the TypeScript repo are removed so we can archive it.

# How the Problems Are Solved

- Ran `npx nx@latest init`
- Replaced all turbo.json by project.json and fixed the target configs
- Removed the Turbo dependency
- All JavaScript related code affected by a PR's changes is quality-checked using the `nx affected` command
- We move PR checks that are runnable using Nx into the `check` workflow. For workflows where we don't use Nx yet, we restore previously built dependency artifacts from Nx.
- We only use a single and easy to understand dev container
- The CONTRIBUTING.md is streamlined
- The setup with a generated client PAT is orchestrated with Nx
- Everything related to the TypeScript repo is updated or removed. A **Deploy with Vercel** button is added to the docs and the CONTRIBUTING.md.

# Additional Changes

- NPM package names have a consistent pattern.
- Docker bake is removed. The login container is built and released like the core container.
- The integration tests build the login container before running, so they don't rely on the login container action anymore. This fixes consistently failing checks on PRs from forks.
- The docs build in GitHub Actions is removed, as we already build on Vercel.

# Additional Context

- Internal discussion: https://zitadel.slack.com/archives/C087ADF8LRX/p1756277884928169
- Workflow dispatch test: https://github.com/zitadel/zitadel/actions/runs/17760122959

---------

Co-authored-by: Florian Forster <[email protected]>
Co-authored-by: Tim Möhlmann <[email protected]>
Co-authored-by: Copilot <[email protected]>
peintnermax approved these changes (Oct 9, 2025)

peintnermax reviewed (Oct 9, 2025):

> The dependencies reference `workspace:*` for @zitadel/client and @zitadel/proto, which leads to an error when deploying.