feat: custom login UI Phase 1 — username + password flow

[JohnRDOrazio]

Summary

Implements Phase 1 of the custom login UI (#3) to replace the Zitadel Login V2 container. Login pages now live inside the OntoKit frontend, inheriting the app's dark/light theme automatically.

• Server Actions (lib/auth/zitadel-session.ts): createSession, verifyPassword, listAuthMethods, finalizeAuthRequest — all calls made server-side using the login-client PAT
• Encrypted cookie (lib/auth/login-session.ts): JWE (A256GCM) encrypted HTTP-only cookie stores login state between steps (10 min TTL)
• Shared components: AuthCard, AuthInput, BackLink — reusable across all auth pages
• Login pages: Username entry (/auth/login?authRequest=<id>) and password verification (/auth/login/password)
• MFA detection: After password verification, checks for second-factor requirements and redirects to /auth/login/mfa (Phase 3)
• Adds ZITADEL_LOGIN_PAT env var to schema and .env.example

Architecture

User clicks "Sign in"
  → NextAuth redirects to Zitadel /oauth/v2/authorize
  → Zitadel redirects to /auth/login?authRequest=<id>
  → Username page: createSession → encrypted cookie → /auth/login/password
  → Password page: verifyPassword → finalizeAuthRequest → callback URL
  → NextAuth callback completes OIDC flow → session created

Remaining phases (future PRs)

• Phase 2: Password reset + logout pages
• Phase 3: MFA (TOTP + Passkey)
• Phase 4: Registration + email verification

Test plan

• Update compose.yaml to point Zitadel login URLs to http://localhost:3000/auth/login
• Set ZITADEL_LOGIN_PAT in .env.local
• Click "Sign in" → verify redirect to custom username page
• Enter valid username → verify redirect to password page
• Enter valid password → verify redirect back to app with session
• Enter invalid username → verify "User not found" error
• Enter wrong password → verify "Incorrect password" error
• Verify dark mode renders correctly on login pages
• Verify the login session cookie expires after 10 minutes

Closes #3

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@JohnRDOrazio has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 49 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 9 minutes and 49 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8e5ce418-8060-45ed-8190-c81367e0d04e

📥 Commits

Reviewing files that changed from the base of the PR and between a68dfb3 and 85e9976.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (11)

• .env.example
• app/auth/login/layout.tsx
• app/auth/login/page.tsx
• app/auth/login/password/page.tsx
• components/auth/AuthCard.tsx
• components/auth/AuthInput.tsx
• components/auth/BackLink.tsx
• lib/auth/login-session.ts
• lib/auth/zitadel-session.ts
• lib/env.ts
• package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/custom-login-ui

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

In general, to mitigate SSRF when constructing URLs from user input, you (a) ensure that the origin (scheme + host + port) is not user-controlled, and (b) strictly validate or normalize any user-controlled path segments so they cannot inject extra slashes, .., or other unexpected characters. Using an allow‑list of acceptable patterns is preferable to trying to sanitize arbitrary strings.

For this specific case, we should validate sessionId before using it in the URL path. Zitadel session IDs are opaque strings but are typically safe to treat as URL-safe tokens. A conservative fix is to restrict sessionId to a safe character set (e.g., alphanumerics, -, _, ., ~) and optionally a reasonable length. If the value does not match, we throw an error instead of issuing the HTTP request. This keeps existing functionality for valid IDs but blocks malformed or attacker-crafted paths.

Concretely, in lib/auth/zitadel-session.ts:

1. Add a small helper function, e.g., validateSessionId, near the other helpers in this file. It checks sessionId against a regular expression like /^[A-Za-z0-9._~-]{1,256}$/ and throws an error if invalid.
2. Call validateSessionId(sessionId) at the start of getSession and at the start of verifyPassword (or at least once early in the flow before any network request uses it). This ensures all uses of sessionId are constrained, including the internal call from verifyPassword to getSession.
3. No external dependencies are required; TypeScript/JavaScript regexes suffice.

This approach does not change successful behavior for legitimate session IDs, but it prevents malformed values from reaching fetch and addresses the CodeQL SSRF concern.

To fix this, we should constrain the sessionId parameter before using it in the request URL. Since the hostname is already fixed, the main remaining risk is path manipulation or unexpected characters in sessionId. A robust mitigation is to validate sessionId against a strict pattern that matches the format used by Zitadel session IDs (or, if that format is not known, a conservative alphanumeric/UUID-like pattern), and reject or error out if the value does not conform. This ensures that only well-formed identifiers are used in the path, preventing an attacker from inserting /, \, ?, #, or .. sequences.

The best way to fix the problem without changing existing functionality is:

• Introduce a small helper function, e.g. validateSessionId(sessionId: string): void, near the top of lib/auth/zitadel-session.ts.
• This function should check sessionId against a whitelist regex allowing only expected characters (for example, [A-Za-z0-9_-]+), and throw an error if it fails.
• Call validateSessionId(sessionId); at the start of any function that ultimately uses sessionId in a request URL, specifically verifyPassword (and optionally also getSession for consistency).
• The rest of the logic (fetch, response handling) remains unchanged, so existing, valid IDs continue to work.

No external libraries are necessary; a simple regex-based validation is sufficient. All changes are confined to lib/auth/zitadel-session.ts inside the shown regions.