Merge branch 'main' into next-rc

cmd/defaults.yaml

@@ -438,32 +438,25 @@ SystemDefaults:
     # Passwords previously hashed with a different algorithm
     # or cost are automatically re-hashed using this config,
     # upon password validation or update.
+    # Configure the Hasher config by environment variable using JSON notation:
+    # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER='{"Algorithm":"pbkdf2","Rounds":290000,"Hash":"sha256"}'
     Hasher:
-      Algorithm: "bcrypt" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
+      # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
+      # Depending on the algorithm, different configuration options take effect.
+      Algorithm: bcrypt
+      # Cost takes effect for the algorithms bcrypt and scrypt
       Cost: 14 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
-
-    # Other supported Hasher configs:
-
-    # Hasher:
-    #   Algorithm: "argon2i" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Time: 3 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
-    #   Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
-    #   Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
-
-    # Hasher:
-    #   Algorithm: "argon2id" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Time: 1 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
-    #   Memory: 65536 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
-    #   Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
-
-    # Hasher:
-    #   Algorithm: "scrypt" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Cost: 15 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
-
-    # Hasher:
-    #   Algorithm: "pbkdf2" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ROUNDS
-    #   Hash: "sha256" # Can be "sha1", "sha224", "sha256", "sha384" or "sha512" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_HASH
+      # Time takes effect for the algorithms argon2i and argon2id
+      Time: 3 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
+      # Memory takes effect for the algorithms argon2i and argon2id
+      Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
+      # Threads takes effect for the algorithms argon2i and argon2id
+      Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
+      # Rounds takes effect for the algorithm pbkdf2
+      Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ROUNDS
+      # Hash takes effect for the algorithm pbkdf2
+      # Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
+      Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_HASH
 
     # Verifiers enable the possibility of verifying
     # passwords that are previously hashed using another
@@ -478,19 +471,32 @@ SystemDefaults:
     # https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
     #
     # Supported verifiers: (uncomment to enable)
-    Verifiers:
+    Verifiers: # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
     #   - "argon2" # verifier for both argon2i and argon2id.
     #   - "bcrypt"
     #   - "md5"
     #   - "scrypt"
     #   - "pbkdf2" # verifier for all pbkdf2 hash modes.
   SecretHasher:
     # Set hasher configuration for machine users, API and OIDC client secrets.
-    # See PasswordHasher for all possible options
     Hasher:
-      Algorithm: "bcrypt" # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ALGORITHM
+      # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
+      # Depending on the algorithm, different configuration options take effect.
+      Algorithm: bcrypt
+      # Cost takes effect for the algorithms bcrypt and scrypt
       Cost: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_COST
-    Verifiers:
+      # Time takes effect for the algorithms argon2i and argon2id
+      Time: 3 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_TIME
+      # Memory takes effect for the algorithms argon2i and argon2id
+      Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_MEMORY
+      # Threads takes effect for the algorithms argon2i and argon2id
+      Threads: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_THREADS
+      # Rounds takes effect for the algorithm pbkdf2
+      Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ROUNDS
+      # Hash takes effect for the algorithm pbkdf2
+      # Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
+      Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_HASH
+    Verifiers: # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_VERIFIERS
   Multifactors:
     OTP:
       # If this is empty, the issuer is the requested domain

docs/docs/guides/manage/console/default-settings.mdx

@@ -207,7 +207,7 @@ The following properties can be set:
 - Has Uppercase
 - Has Lowercase
 - Has Number
-- Has Symbol
+- Has Symbol (Everything that is not a number or letter)
 
 <img
   src="/docs/img/guides/console/complexity.png"

go.mod

@@ -1,9 +1,6 @@
 module github.com/zitadel/zitadel
 
-go 1.22
-
-// https://go.dev/doc/toolchain
-toolchain go1.22.2
+go 1.22.2
 
 require (
 	cloud.google.com/go/storage v1.40.0

internal/command/instance.go

@@ -389,7 +389,7 @@ func setupSMTPSettings(commands *Commands, validations *[]preparation.Validation
 		return
 	}
 	*validations = append(*validations,
-		commands.prepareAddSMTPConfig(
+		commands.prepareAddAndActivateSMTPConfig(
 			instanceAgg,
 			smtpConfig.Description,
 			smtpConfig.From,

internal/command/smtp.go

@@ -306,7 +306,7 @@ func (c *Commands) getSMTPConfig(ctx context.Context, instanceID, id, domain str
 }
 
 // TODO: SetUpInstance still uses this and would be removed as soon as deprecated PrepareCommands is removed
-func (c *Commands) prepareAddSMTPConfig(a *instance.Aggregate, description, from, name, replyTo, hostAndPort, user string, password []byte, tls bool) preparation.Validation {
+func (c *Commands) prepareAddAndActivateSMTPConfig(a *instance.Aggregate, description, from, name, replyTo, hostAndPort, user string, password []byte, tls bool) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		if from = strings.TrimSpace(from); from == "" {
 			return nil, zerrors.ThrowInvalidArgument(nil, "INST-mruNY", "Errors.Invalid.Argument")
@@ -358,6 +358,11 @@ func (c *Commands) prepareAddSMTPConfig(a *instance.Aggregate, description, from
 					user,
 					smtpPassword,
 				),
+				instance.NewSMTPConfigActivatedEvent(
+					ctx,
+					&a.Aggregate,
+					id,
+				),
 			}, nil
 		}, nil
 	}

internal/repository/instance/smtp_config.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"github.com/zitadel/zitadel/internal/crypto"
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -22,16 +21,15 @@ const (
 type SMTPConfigAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	ID             string                 `json:"id,omitempty"`
-	Description    string                 `json:"description,omitempty"`
-	SenderAddress  string                 `json:"senderAddress,omitempty"`
-	SenderName     string                 `json:"senderName,omitempty"`
-	ReplyToAddress string                 `json:"replyToAddress,omitempty"`
-	TLS            bool                   `json:"tls,omitempty"`
-	Host           string                 `json:"host,omitempty"`
-	User           string                 `json:"user,omitempty"`
-	Password       *crypto.CryptoValue    `json:"password,omitempty"`
-	State          domain.SMTPConfigState `json:"state,omitempty"`
+	ID             string              `json:"id,omitempty"`
+	Description    string              `json:"description,omitempty"`
+	SenderAddress  string              `json:"senderAddress,omitempty"`
+	SenderName     string              `json:"senderName,omitempty"`
+	ReplyToAddress string              `json:"replyToAddress,omitempty"`
+	TLS            bool                `json:"tls,omitempty"`
+	Host           string              `json:"host,omitempty"`
+	User           string              `json:"user,omitempty"`
+	Password       *crypto.CryptoValue `json:"password,omitempty"`
 }
 
 func NewSMTPConfigAddedEvent(