fix wizard empty state

t-aleksander · t-aleksander · commit 473505aef47b · 2026-03-27T11:52:35.000+01:00
diff --git a/crates/defguard_common/src/db/models/initial_setup_wizard.rs b/crates/defguard_common/src/db/models/initial_setup_wizard.rs
@@ -14,6 +14,10 @@ pub enum InitialSetupStep {
     // Adoption is not present, since the proxy is saved
     // only after completing adoption step.
     EdgeComponent,
+    InternalUrlSettings,
+    InternalUrlSslConfig,
+    ExternalUrlSettings,
+    ExternalUrlSslConfig,
     Confirmation,
     Finished,
 }
diff --git a/crates/defguard_core/src/handlers/component_setup.rs b/crates/defguard_core/src/handlers/component_setup.rs
@@ -609,13 +609,13 @@ pub async fn setup_proxy_tls_stream(
             Ok(wizard) => {
                 if !wizard.completed {
                     let state = InitialSetupState {
-                        step: InitialSetupStep::Confirmation,
+                        step: InitialSetupStep::InternalUrlSettings,
                     };
                     if let Err(err) = state.save(&pool).await {
                         yield Ok(flow.error(&format!("Failed to update setup step in wizard: {err}")));
                         return;
                     }
-                    debug!("Initial setup step advanced to 'Confirmation'");
+                    debug!("Initial setup step advanced to 'InternalUrlSettings'");
                 }
             }
             Err(err) => {
diff --git a/crates/defguard_proxy_manager/src/handler.rs b/crates/defguard_proxy_manager/src/handler.rs
@@ -121,6 +121,7 @@ impl ProxyHandler {
         }
     }
 
+    #[allow(clippy::too_many_arguments)]
     pub(super) fn from_proxy(
         proxy: &Proxy<Id>,
         pool: PgPool,
diff --git a/crates/defguard_setup/src/handlers/auto_wizard.rs b/crates/defguard_setup/src/handlers/auto_wizard.rs
@@ -7,6 +7,7 @@ use defguard_common::{
     db::models::{
         Certificates, WireguardNetwork,
         certificates::{CoreCertSource, ProxyCertSource},
+        initial_setup_wizard::InitialSetupStep,
         settings::update_current_settings,
         setup_auto_adoption::{AutoAdoptionWizardState, AutoAdoptionWizardStep},
         wireguard::LocationMfaMode,
@@ -26,6 +27,8 @@ use serde_json::json;
 use sqlx::{PgPool, query_scalar};
 use tracing::{debug, info};
 
+use crate::handlers::initial_wizard::advance_initial_wizard_to_step;
+
 pub(crate) async fn is_auto_wizard_active(pool: &PgPool) -> Result<bool, WebError> {
     let wizard = Wizard::get(pool).await?;
     Ok(wizard.active_wizard == ActiveWizard::AutoAdoption)
@@ -185,6 +188,7 @@ pub async fn set_internal_url_settings(
     };
 
     advance_auto_wizard_to_step(&pool, AutoAdoptionWizardStep::InternalUrlSslConfig).await?;
+    advance_initial_wizard_to_step(&pool, InitialSetupStep::InternalUrlSslConfig).await?;
 
     info!("Auto-adoption wizard internal URL settings applied");
 
@@ -216,10 +220,11 @@ pub async fn get_internal_ssl_info(
 }
 
 /// SSL configuration type for the external (proxy) web server.
-#[derive(Deserialize, Serialize, Debug, Clone, PartialEq)]
+#[derive(Default, Deserialize, Serialize, Debug, Clone, PartialEq)]
 #[serde(rename_all = "snake_case")]
 pub enum ExternalSslType {
     /// No SSL - plain HTTP, user manages reverse proxy / SSL termination themselves.
+    #[default]
     None,
     /// Obtain certificate via ACME / Let's Encrypt.
     LetsEncrypt,
@@ -238,12 +243,6 @@ pub struct ExternalUrlSettingsConfig {
     key_pem: Option<String>,
 }
 
-impl Default for ExternalSslType {
-    fn default() -> Self {
-        Self::None
-    }
-}
-
 /// Updates external proxy URL settings (step 4).
 pub async fn set_external_url_settings(
     _: AdminOrSetupRole,
@@ -360,6 +359,7 @@ pub async fn set_external_url_settings(
     };
 
     advance_auto_wizard_to_step(&pool, AutoAdoptionWizardStep::ExternalUrlSslConfig).await?;
+    advance_initial_wizard_to_step(&pool, InitialSetupStep::ExternalUrlSslConfig).await?;
 
     info!("Auto-adoption wizard external URL settings applied");
     Ok(ApiResponse::new(
diff --git a/crates/defguard_setup/src/handlers/initial_wizard.rs b/crates/defguard_setup/src/handlers/initial_wizard.rs
@@ -37,12 +37,18 @@ use tracing::{debug, info};
 
 use crate::handlers::auto_wizard::{advance_auto_wizard_to_step, is_auto_wizard_active};
 
-async fn advance_initial_wizard_to_step(
+pub(crate) async fn advance_initial_wizard_to_step(
     pool: &PgPool,
     step: InitialSetupStep,
 ) -> Result<(), WebError> {
     let wizard = Wizard::get(pool).await?;
 
+    // Don't try to advance if the initial wizard is not active
+    if wizard.active_wizard != ActiveWizard::Initial {
+        debug!("Not advancing initial wizard step as initial wizard is not active");
+        return Ok(());
+    }
+
     // Don't try to advance if setup is already completed
     if wizard.completed {
         debug!("Not advancing setup step as initial setup is already completed");
@@ -329,7 +335,7 @@ pub async fn set_general_config(
 
     info!("Initial general configuration applied");
 
-    advance_initial_wizard_to_step(&pool, InitialSetupStep::Ca).await?;
+    advance_initial_wizard_to_step(&pool, InitialSetupStep::InternalUrlSettings).await?;
 
     Ok(ApiResponse::with_status(StatusCode::CREATED))
 }
diff --git a/crates/defguard_setup/tests/auto_wizard_url_settings.rs b/crates/defguard_setup/tests/auto_wizard_url_settings.rs
@@ -56,7 +56,7 @@ fn generate_test_cert_pem(common_name: &str) -> (String, String) {
     let dn = vec![(DnType::CommonName, common_name)];
     let csr = Csr::new(&key_pair, &san, dn).unwrap();
     let cert = ca.sign_csr(&csr).unwrap();
-    let cert_pem = der_to_pem(&cert.der().to_vec(), PemLabel::Certificate).unwrap();
+    let cert_pem = der_to_pem(cert.der(), PemLabel::Certificate).unwrap();
     let key_pem = der_to_pem(key_pair.serialize_der().as_slice(), PemLabel::PrivateKey).unwrap();
     (cert_pem, key_pem)
 }
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardExternalUrlSslConfigStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardExternalUrlSslConfigStep.tsx
@@ -61,6 +61,15 @@ export const MigrationWizardExternalUrlSslConfigStep = () => {
 
   const [acmeState, setAcmeState] = useState<AcmeStepState>(defaultAcmeState);
 
+  // If ssl_type is not set (e.g. fresh browser session), redirect back so the
+  // user can re-submit the settings step and repopulate the store.
+  // biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+  useEffect(() => {
+    if (sslType === null) {
+      useMigrationWizardStore.getState().back();
+    }
+  }, []);
+
   const { data: sslInfoData } = useQuery({
     queryKey: ['external_ssl_info'],
     queryFn: () => api.initial_setup.getExternalSslInfo(),
@@ -301,7 +310,7 @@ export const MigrationWizardExternalUrlSslConfigStep = () => {
           text={m.controls_back()}
           variant="outlined"
           onClick={() => useMigrationWizardStore.getState().back()}
-          disabled={isLetsEncryptProcessing || acmeState.isComplete}
+          disabled={isLetsEncryptProcessing}
         />
         <div className="right">
           <Button
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardInternalUrlSslConfigStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardInternalUrlSslConfigStep.tsx
@@ -1,4 +1,5 @@
 import { useQuery } from '@tanstack/react-query';
+import { useEffect } from 'react';
 import { m } from '../../../paraglide/messages';
 import api from '../../../shared/api/api';
 import { Controls } from '../../../shared/components/Controls/Controls';
@@ -16,6 +17,15 @@ export const MigrationWizardInternalUrlSslConfigStep = () => {
   const sslType = useMigrationWizardStore((s) => s.internal_ssl_type);
   const certInfo = useMigrationWizardStore((s) => s.internal_ssl_cert_info);
 
+  // If ssl_type is not set (e.g. fresh browser session), redirect back so the
+  // user can re-submit the settings step and repopulate the store.
+  // biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+  useEffect(() => {
+    if (sslType === null) {
+      useMigrationWizardStore.getState().back();
+    }
+  }, []);
+
   const { data: sslInfoData } = useQuery({
     queryKey: ['internal_ssl_info'],
     queryFn: () => api.initial_setup.getInternalSslInfo(),
diff --git a/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx b/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx
@@ -30,10 +30,10 @@ interface StoreValues extends MigrationWizardApiState {
   authentication_period_days: number;
   mfa_code_timeout_seconds: number;
   // internal URL SSL configuration
-  internal_ssl_type: InternalSslType;
+  internal_ssl_type: InternalSslType | null;
   internal_ssl_cert_info: CertInfo | null;
   // external URL SSL configuration
-  external_ssl_type: ExternalSslType;
+  external_ssl_type: ExternalSslType | null;
   external_ssl_cert_info: CertInfo | null;
   // ca
   ca_common_name: string;
@@ -65,9 +65,9 @@ const defaults: StoreValues = {
   default_admin_group_name: 'admin',
   authentication_period_days: 30,
   mfa_code_timeout_seconds: 300,
-  internal_ssl_type: 'none',
+  internal_ssl_type: null,
   internal_ssl_cert_info: null,
-  external_ssl_type: 'none',
+  external_ssl_type: null,
   external_ssl_cert_info: null,
   ca_common_name: m.migration_wizard_ca_placeholder_common_name(),
   ca_email: '',
diff --git a/web/src/pages/SetupPage/autoAdoption/steps/AutoAdoptionExternalUrlSslConfigStep.tsx b/web/src/pages/SetupPage/autoAdoption/steps/AutoAdoptionExternalUrlSslConfigStep.tsx
@@ -1,5 +1,5 @@
 import { useQuery } from '@tanstack/react-query';
-import { useCallback, useEffect, useState } from 'react';
+import { useCallback, useEffect } from 'react';
 import { m } from '../../../../paraglide/messages';
 import api from '../../../../shared/api/api';
 import { Controls } from '../../../../shared/components/Controls/Controls';
@@ -61,7 +61,14 @@ export const AutoAdoptionExternalUrlSslConfigStep = () => {
   const sslType = useAutoAdoptionSetupWizardStore((s) => s.external_ssl_type);
   const certInfo = useAutoAdoptionSetupWizardStore((s) => s.external_ssl_cert_info);
 
-  const [acmeState, setAcmeState] = useState<AcmeStepState>(defaultAcmeState);
+  // If ssl_type is not set (e.g. fresh browser session), redirect back so the
+  // user can re-submit the settings step and repopulate the store.
+  // biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+  useEffect(() => {
+    if (sslType === null) {
+      setActiveStep(AutoAdoptionSetupStep.ExternalUrlSettings);
+    }
+  }, []);
 
   const { data: sslInfoData } = useQuery({
     queryKey: ['external_ssl_info'],
@@ -99,33 +106,24 @@ export const AutoAdoptionExternalUrlSslConfigStep = () => {
     };
   }, []);
 
-  const stepDone = useCallback(
-    (stepId: AcmeStepId): boolean => {
-      const stepIndex = ACME_STEP_IDS.indexOf(stepId);
-      const currentIndex = acmeState.currentStep
-        ? ACME_STEP_IDS.indexOf(acmeState.currentStep)
-        : -1;
-      return stepIndex < currentIndex || acmeState.isComplete;
-    },
-    [acmeState.isComplete, acmeState.currentStep],
-  );
+  const stepDone = useCallback((stepId: AcmeStepId): boolean => {
+    const stepIndex = ACME_STEP_IDS.indexOf(stepId);
+    const currentIndex = acmeState.currentStep
+      ? ACME_STEP_IDS.indexOf(acmeState.currentStep)
+      : -1;
+    return stepIndex < currentIndex || acmeState.isComplete;
+  }, []);
 
-  const stepLoading = useCallback(
-    (stepId: AcmeStepId): boolean => {
-      return acmeState.isProcessing && acmeState.currentStep === stepId;
-    },
-    [acmeState.isProcessing, acmeState.currentStep],
-  );
+  const stepLoading = useCallback((stepId: AcmeStepId): boolean => {
+    return acmeState.isProcessing && acmeState.currentStep === stepId;
+  }, []);
 
-  const stepError = useCallback(
-    (stepId: AcmeStepId): string | null => {
-      if (acmeState.errorMessage && acmeState.currentStep === stepId) {
-        return acmeState.errorMessage;
-      }
-      return null;
-    },
-    [acmeState.errorMessage, acmeState.currentStep],
-  );
+  const stepError = useCallback((stepId: AcmeStepId): string | null => {
+    if (acmeState.errorMessage && acmeState.currentStep === stepId) {
+      return acmeState.errorMessage;
+    }
+    return null;
+  }, []);
 
   const handleDownloadCaCert = () => {
     if (!sslInfoData?.ca_cert_pem) return;
@@ -303,7 +301,7 @@ export const AutoAdoptionExternalUrlSslConfigStep = () => {
           text={m.initial_setup_controls_back()}
           variant="outlined"
           onClick={() => setActiveStep(AutoAdoptionSetupStep.ExternalUrlSettings)}
-          disabled={isLetsEncryptProcessing || acmeState.isComplete}
+          disabled={isLetsEncryptProcessing}
         />
         <div className="right">
           <Button
diff --git a/web/src/pages/SetupPage/autoAdoption/steps/AutoAdoptionInternalUrlSslConfigStep.tsx b/web/src/pages/SetupPage/autoAdoption/steps/AutoAdoptionInternalUrlSslConfigStep.tsx
@@ -1,4 +1,5 @@
 import { useQuery } from '@tanstack/react-query';
+import { useEffect } from 'react';
 import { m } from '../../../../paraglide/messages';
 import api from '../../../../shared/api/api';
 import { Controls } from '../../../../shared/components/Controls/Controls';
@@ -17,6 +18,14 @@ export const AutoAdoptionInternalUrlSslConfigStep = () => {
   const setActiveStep = useAutoAdoptionSetupWizardStore((s) => s.setActiveStep);
   const sslType = useAutoAdoptionSetupWizardStore((s) => s.internal_ssl_type);
   const certInfo = useAutoAdoptionSetupWizardStore((s) => s.internal_ssl_cert_info);
+  // If ssl_type is not set (e.g. fresh browser session), redirect back so the
+  // user can re-submit the settings step and repopulate the store.
+  // biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+  useEffect(() => {
+    if (sslType === null) {
+      setActiveStep(AutoAdoptionSetupStep.InternalUrlSettings);
+    }
+  }, []);
 
   const { data: sslInfoData } = useQuery({
     queryKey: ['internal_ssl_info'],
diff --git a/web/src/pages/SetupPage/autoAdoption/steps/style.scss b/web/src/pages/SetupPage/autoAdoption/steps/style.scss
@@ -87,11 +87,12 @@
   .ssl-result-card-header {
     h3 {
       font: var(--t-body-primary-600);
-      color: var(--fg-neutral);
+      color: var(--fg-faded);
     }
 
     p {
-      color: var(--fg-neutral);
+      color: var(--fg-faded);
+      font: var(--t-body-sm-400);
     }
   }
 
diff --git a/web/src/pages/SetupPage/initial/steps/SetupExternalUrlSslConfigStep.tsx b/web/src/pages/SetupPage/initial/steps/SetupExternalUrlSslConfigStep.tsx
@@ -99,6 +99,15 @@ export const SetupExternalUrlSslConfigStep = () => {
     };
   }, []);
 
+  // If ssl_type is not set (e.g. fresh browser session), redirect back so the
+  // user can re-submit the settings step and repopulate the store.
+  // biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+  useEffect(() => {
+    if (sslType === null) {
+      setActiveStep(SetupPageStep.ExternalUrlSettings);
+    }
+  }, []);
+
   const stepDone = useCallback(
     (stepId: AcmeStepId): boolean => {
       const stepIndex = ACME_STEP_IDS.indexOf(stepId);
@@ -303,7 +312,7 @@ export const SetupExternalUrlSslConfigStep = () => {
           text={m.initial_setup_controls_back()}
           variant="outlined"
           onClick={() => setActiveStep(SetupPageStep.ExternalUrlSettings)}
-          disabled={isLetsEncryptProcessing || acmeState.isComplete}
+          disabled={isLetsEncryptProcessing}
         />
         <div className="right">
           <Button
diff --git a/web/src/pages/SetupPage/initial/steps/SetupInternalUrlSslConfigStep.tsx b/web/src/pages/SetupPage/initial/steps/SetupInternalUrlSslConfigStep.tsx
@@ -1,4 +1,5 @@
 import { useQuery } from '@tanstack/react-query';
+import { useEffect } from 'react';
 import { m } from '../../../../paraglide/messages';
 import api from '../../../../shared/api/api';
 import { Controls } from '../../../../shared/components/Controls/Controls';
@@ -18,6 +19,15 @@ export const SetupInternalUrlSslConfigStep = () => {
   const sslType = useSetupWizardStore((s) => s.internal_ssl_type);
   const certInfo = useSetupWizardStore((s) => s.internal_ssl_cert_info);
 
+  // If ssl_type is not set (e.g. fresh browser session), redirect back so the
+  // user can re-submit the settings step and repopulate the store.
+  // biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+  useEffect(() => {
+    if (sslType === null) {
+      setActiveStep(SetupPageStep.InternalUrlSettings);
+    }
+  }, []);
+
   const { data: sslInfoData } = useQuery({
     queryKey: ['internal_ssl_info'],
     queryFn: () => api.initial_setup.getInternalSslInfo(),
diff --git a/web/src/routes/_wizard/setup.tsx b/web/src/routes/_wizard/setup.tsx
@@ -37,6 +37,10 @@ const initialStepMap: Record<InitialSetupStepValue, SetupPageStepValue> = {
   ca: SetupPageStep.CertificateAuthority,
   ca_summary: SetupPageStep.CASummary,
   edge_component: SetupPageStep.EdgeComponent,
+  internal_url_settings: SetupPageStep.InternalUrlSettings,
+  internal_url_ssl_config: SetupPageStep.InternalUrlSslConfig,
+  external_url_settings: SetupPageStep.ExternalUrlSettings,
+  external_url_ssl_config: SetupPageStep.ExternalUrlSslConfig,
   confirmation: SetupPageStep.Confirmation,
   finished: SetupPageStep.Confirmation,
 };
diff --git a/web/src/shared/api/types.ts b/web/src/shared/api/types.ts
@@ -837,6 +837,10 @@ export type InitialSetupStepValue =
   | 'ca'
   | 'ca_summary'
   | 'edge_component'
+  | 'internal_url_settings'
+  | 'internal_url_ssl_config'
+  | 'external_url_settings'
+  | 'external_url_ssl_config'
   | 'confirmation'
   | 'finished';
 

Original file line number	Diff line number	Diff line change
`@@ -609,13 +609,13 @@ pub async fn setup_proxy_tls_stream(`
`609`	`609`	`Ok(wizard) => {`
`610`	`610`	`if !wizard.completed {`
`611`	`611`	`let state = InitialSetupState {`
`612`		`- step: InitialSetupStep::Confirmation,`
	`612`	`+ step: InitialSetupStep::InternalUrlSettings,`
`613`	`613`	`};`
`614`	`614`	`if let Err(err) = state.save(&pool).await {`
`615`	`615`	`yield Ok(flow.error(&format!("Failed to update setup step in wizard: {err}")));`
`616`	`616`	`return;`
`617`	`617`	`}`
`618`		`- debug!("Initial setup step advanced to 'Confirmation'");`
	`618`	`+ debug!("Initial setup step advanced to 'InternalUrlSettings'");`
`619`	`619`	`}`
`620`	`620`	`}`
`621`	`621`	`Err(err) => {`
Original file line number	Diff line number	Diff line change
`@@ -121,6 +121,7 @@ impl ProxyHandler {`
`121`	`121`	`}`
`122`	`122`	`}`
`123`	`123`
	`124`	`+ #[allow(clippy::too_many_arguments)]`
`124`	`125`	`pub(super) fn from_proxy(`
`125`	`126`	`proxy: &Proxy<Id>,`
`126`	`127`	`pool: PgPool,`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ fn generate_test_cert_pem(common_name: &str) -> (String, String) {`
`56`	`56`	`let dn = vec![(DnType::CommonName, common_name)];`
`57`	`57`	`let csr = Csr::new(&key_pair, &san, dn).unwrap();`
`58`	`58`	`let cert = ca.sign_csr(&csr).unwrap();`
`59`		`- let cert_pem = der_to_pem(&cert.der().to_vec(), PemLabel::Certificate).unwrap();`
	`59`	`+ let cert_pem = der_to_pem(cert.der(), PemLabel::Certificate).unwrap();`
`60`	`60`	`let key_pem = der_to_pem(key_pair.serialize_der().as_slice(), PemLabel::PrivateKey).unwrap();`
`61`	`61`	`(cert_pem, key_pem)`
`62`	`62`	`}`