mikkel/pvm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
16 commits 1 branch 0 tags 222 KiB
Commit graph

4 commits

Author SHA1 Message Date
Mikkel Georgsen
28a827efa1 Add custom login UI replacing Zitadel built-in login pages 
Replace Zitadel's built-in login v1 with a fully custom SvelteKit-based
login experience using Zitadel Session API v2. Keeps the existing OIDC
authorization code flow (Auth.js handles token exchange) while providing
branded login, signup, password reset, and TOTP pages.

- Enable Login V2 in docker-compose, assign IAM_LOGIN_CLIENT role in setup script
- Add server-only Zitadel API client ($lib/server/zitadel.ts) with session,
  user, and auth-request management functions
- Create reusable auth UI components (AuthCard, FormField, FormError, LoadingButton)
- Rewrite login page with email/password form and TOTP second factor support
- Add signup page with auto-login after registration
- Add password reset flow (request + verify pages)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-08 13:54:01 +01:00
Mikkel Georgsen
ed0578cd07 Address security/tech debt: token refresh, JWKS thundering herd, config safety, jq migration 
- Add token refresh logic in Auth.js JWT callback with 60s expiry buffer
- Fix JWKS cache thundering herd with Mutex + double-checked locking
- Make trustHost conditional (dev-only) via SvelteKit's $app/environment
- Make devMode conditional on ZITADEL_PRODUCTION env var in setup script
- Replace fragile grep/cut JSON parsing with jq in setup-zitadel.sh
- Add OIDC_GRANT_TYPE_REFRESH_TOKEN to Zitadel OIDC app grant types
- Update TODO_SECURITY.md: mark resolved items, add RefreshAccessTokenError frontend handling

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-08 13:17:42 +01:00
Mikkel Georgsen
c0cb2d25a0 Fix auth flow: federated logout, login page move, and healthcheck 
- Add federated logout endpoint that clears Auth.js session AND ends
  Zitadel SSO session via OIDC end_session endpoint
- Move sign-in page from /auth/signin to /login to avoid Auth.js
  route conflict causing ERR_TOO_MANY_REDIRECTS
- Add callbackUrl to all signIn calls so users land on /dashboard
- Store id_token in session for federated logout id_token_hint
- Fix Zitadel healthcheck using binary ready command (no curl needed)
- Update post_logout_redirect_uri in setup script

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-08 12:55:35 +01:00
Mikkel Georgsen
a22ba48709 Add Zitadel OIDC setup, SMTP config, and security fixes 
- Add setup-zitadel.sh: idempotent script that creates PVM project
  and OIDC app via Zitadel Management API using machine user PAT
- Add machine user + PAT auto-generation to docker-compose via
  FIRSTINSTANCE env vars with bind-mounted machinekey directory
- Add SMTP configuration for email sending (verification, password reset)
- Fix JWT algorithm confusion attack: restrict to RS256/384/512 only
- Add docs/TODO_SECURITY.md tracking review findings
- Update .env.example files with correct local dev URLs
- Add docker/machinekey/ to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-08 12:34:44 +01:00