261 task update thunder idp to latest version to support admin initiated user registration via url flow #265

Merged
maneeshaxyz merged 10 commits into LSFLK:main from Aravinda-HWK:261-task-update-thunder-idp-to-latest-version-to-support-admin-initiated-user-registration-via-url-flow on Feb 19, 2026
Conversation

@Aravinda-HWK (Collaborator)

📌 Description

This PR is to update the IdP to v0.22.0 to support admin-initiated user registration via URL flow.


🔍 Changes Made

  • Update the add_user.sh script to support the latest changes
  • Remove all related things to admin generated password and decrypt the password things
  • Add the USER_ONBOARDING flow
  • Update the gen-thunder.sh file to update the configuration files

✅ Checklist (Email System)

  • Core services tested (SMTP, IMAP, mail storage, end-to-end delivery)
  • Security & compliance verified (auth via Thunder IDP, TLS, DKIM/SPF/DMARC, spam/virus filtering)
  • Configuration & deployment checked (configs generated, Docker/Compose updated)
  • Reliability confirmed (error handling, logging, monitoring)
  • Documentation & usage notes updated (README, deployment, API)

🧪 Testing Instructions


📷 Screenshots / Logs (if applicable)


⚠️ Notes for Reviewers

@Aravinda-HWK Aravinda-HWK self-assigned this Feb 19, 2026
@gemini-code-assist (Contributor)

Summary of Changes

Hello @Aravinda-HWK, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant upgrade to the Thunder Identity Provider, moving it to version 0.22.0. The core change revolves around a more secure and streamlined admin-initiated user registration process. Instead of administrators directly handling and encrypting user passwords, the system now generates unique invite URLs. These URLs empower users to complete their own registration and set their passwords, thereby enhancing security and simplifying the onboarding experience. The update also includes necessary adjustments to configuration scripts to support the new IDP version and its features.

Highlights

  • Thunder IDP Version Update: The Thunder Identity Provider (IDP) has been upgraded to version 0.22.0, bringing the system up to date with the latest features and improvements.
  • Admin-Initiated User Registration via URL: A new workflow has been implemented for admin-initiated user registration, which now uses a URL-based invitation system. This replaces the previous method of generating and encrypting admin-assigned passwords.
  • Removal of Password Decryption Logic: The script and associated logic for generating and decrypting admin-generated user passwords have been removed, enhancing security by shifting password management to the end-user.
  • Enhanced Thunder Configuration Management: The configuration generation process for Thunder has been updated to dynamically modify deployment and application settings, ensuring proper integration with the updated IDP.
Changelog
  • scripts/decrypt/decrypt_password.sh
    • Removed the script responsible for decrypting admin-generated user passwords.
  • scripts/setup/setup.sh
    • Updated the step numbering in the setup script from 1/8 to 1/3.
    • Added descriptive messages for cloning the configuration repository and generating service configurations.
  • scripts/user/add_user.sh
    • Removed variables and functions related to password generation and encryption.
    • Introduced variables for storing user invite URLs.
    • Modified the user creation process to leverage Thunder's 'USER_ONBOARDING' flow, which involves starting a flow, submitting user type, and submitting the user's email to obtain an invite URL.
    • Updated the output to display invite URLs instead of encrypted passwords.
  • scripts/user/create_test_users.sh
    • Modified the SQLite insertion command to remove the 'password_initialized' column, simplifying test user creation.
  • scripts/utils/thunder-auth.sh
    • Refactored the authentication process to use a two-step flow with 'flowId' for starting and completing authentication, aligning with the updated Thunder API.
    • Exported 'FLOW_ID' for subsequent steps.
  • services/config-scripts/gen-configs.sh
    • Replaced the call to 'gen-thunder-certs.sh' with 'gen-thunder.sh'.
  • services/config-scripts/gen-thunder-certs.sh
    • Removed the script dedicated solely to generating Thunder certificates.
  • services/config-scripts/gen-thunder.sh
    • Added a new script to handle both certificate copying and dynamic configuration updates for Thunder's 'deployment.yaml', 'develop-config.js', and 'gate-config.js' files.
  • services/docker-compose.yaml
    • Updated the Thunder Docker image version from '0.14.0' to '0.22.0' across all related services ('thunder-db-init', 'thunder-setup', 'thunder').
    • Added new volume mounts for 'deployment.yaml', 'develop-config.js', and 'gate-config.js' to the 'thunder' service.
    • Added a volume mount for 'deployment.yaml' to the 'thunder-setup' service.
    • Modified the port binding for the 'thunder' service to expose port 8090 directly.
Activity
  • No specific activity was provided in the context for this pull request.

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request successfully updates the Thunder IDP to a newer version, introducing an admin-initiated user registration flow via invite URLs. This is a great security and usability improvement over the previous admin-generated password system. The implementation is mostly well-executed across the shell scripts and Docker configurations. However, I've identified a critical security vulnerability related to incorrect private key permissions, along with several high and medium-severity issues concerning script robustness, security best practices, and code maintainability that should be addressed before merging.
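The review above flags private key permissions in the certificates that gen-thunder.sh copies into place, and the summary notes that add_user.sh now emits invite URLs, which are bearer credentials until a user redeems them. The script below is an added example of a permission guard for both kinds of file; it is not code from the LSFLK repository or this PR, and the file names, paths and the invites file it uses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the LSFLK repository or this PR): a small
# permission guard for secret files that the updated scripts handle, such
# as the TLS private key gen-thunder.sh copies and any file add_user.sh
# might write invite URLs to. All paths and file names are assumptions.

# secret_perms_ok FILE
# Succeeds only if FILE is a regular file with no group/other bits set.
# POSIX find(1) '-perm -mode' with symbolic modes is used so the check
# behaves the same on GNU and BSD userlands (stat(1) flags differ).
secret_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    loose=$(find "$f" -prune \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                             -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$loose" ]
}

# install_secret_file SRC DST
# Copies SRC to DST so that DST is never observable with loose bits: the
# directory and the copy are created under umask 077, the mode is forced
# to 0600, and the result is verified before returning.
install_secret_file() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "install_secret_file: $src missing" >&2; return 1; }
    (
        umask 077
        mkdir -p "$(dirname "$dst")" || exit 1
        cp "$src" "$dst" || exit 1
        chmod 600 "$dst" || exit 1
    ) || return 1
    secret_perms_ok "$dst"
}

# write_secret_line FILE TEXT
# Appends TEXT (for example an invite URL) to FILE, creating FILE with
# mode 0600 if needed and tightening it if it already exists.
write_secret_line() {
    f="$1"; text="$2"
    ( umask 077; : >> "$f" ) || return 1
    chmod 600 "$f" || return 1
    printf '%s\n' "$text" >> "$f" && secret_perms_ok "$f"
}

# Demo with a constructed key file and a constructed invite URL.
demo() {
    tmp=$(mktemp -d) || return 1
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n' \
        > "$tmp/server.key"
    chmod 644 "$tmp/server.key"   # the loose mode a reviewer would flag
    if secret_perms_ok "$tmp/server.key"; then
        echo "unexpected: loose key passed the check" >&2; rm -rf "$tmp"; return 1
    fi
    install_secret_file "$tmp/server.key" "$tmp/thunder/certs/server.key" \
        || { rm -rf "$tmp"; return 1; }
    write_secret_line "$tmp/invites.txt" "https://idp.example/invite?token=constructed" \
        || { rm -rf "$tmp"; return 1; }
    echo "secret files installed with mode 0600 under $tmp"
    rm -rf "$tmp"
}

demo
```

Run secret_perms_ok as a pre-flight step in gen-thunder.sh before the key is mounted into the thunder container, and route invite URLs through write_secret_line rather than only to stdout or a shared log. The check relies on find's symbolic -perm tests instead of stat because stat's option syntax differs between GNU and BSD.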

@maneeshaxyz (Member) left a comment

LGTM.

@maneeshaxyz maneeshaxyz merged commit 2584a40 into LSFLK:main Feb 19, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

[TASK] Update Thunder IdP to Latest Version to Support Admin-Initiated User Registration via URL Flow

2 participants