fix(auth): derive SSO display name from email local-part #23
Open
hunzlahmalik wants to merge 1 commit into
Conversation
oauth2-proxy was putting the Cognito sub UUID into x-auth-request-user instead of a human-readable username, so newly-provisioned SSO users landed with a UUID as their User.name. Drop the header read in the ForwardAuth middleware and use the email local-part instead — the same value both apps already fell back to when the header was absent; we're promoting that fallback to the only source. Existing users with UUID names are not auto-corrected: the middleware does not re-sync the name field on subsequent logins.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
- Drop the `x-auth-request-user` header read in the ForwardAuth middleware — oauth2-proxy was putting the Cognito `sub` UUID into that header, so newly-provisioned SSO users landed with a UUID (e.g. `892ae5ac-0021-…`) as their `User.name`.
- `authentication.test.ts` into one — after the fix, the `x-auth-request-user`-absent branch is the only branch.
- Also update the `AUTH_TYPE` JSDoc in `env.ts` to drop the stale mention of `X-Auth-Request-User`.

Existing users with UUID `name` values are not auto-corrected — the middleware does not re-sync the field on subsequent logins. A backfill is out of scope here.

Test plan
- `yarn test server/middlewares/authentication.test.ts` passes
- `yarn tsc --noEmit` passes
- `cognito:username` is the bare `sub` UUID lands at https://foss-wiki.local.moneta.dev with `User.name` = email local-part, not the UUID
- `SELECT email, name FROM users ORDER BY "createdAt" DESC LIMIT 5;` reflects the new behavior

🤖 Generated with Claude Code
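The behaviour change described in this PR, as an added example that is not the project's own middleware code: `resolveNameBefore` is the old precedence (header first, local-part fallback) and `resolveNameAfter` is the promoted fallback as the only source. The `x-auth-request-email` header name, the plain header map, the sample values and the `rowsNeedingBackfill` audit helper (for the backfill the PR leaves out of scope) are assumptions made for this example; the UUID is a constructed placeholder, not a real Cognito `sub`.

```typescript
// Added example, not code from the PR or the project. Header names other than
// x-auth-request-user, and the header-map request shape, are assumptions.

// RFC 4122 textual UUID shape; the value the old header path produced as User.name.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export type Headers = Record<string, string | undefined>;

/** Local-part of an address ("jane.doe" for "jane.doe@example.com"), or undefined
 *  when the value is missing, has no "@", or has an empty local-part/domain. */
export function emailLocalPart(email: string | undefined): string | undefined {
  if (!email) return undefined;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return undefined;
  return trimmed.slice(0, at);
}

/** True when a stored name is a bare UUID, i.e. looks like a forwarded Cognito sub. */
export function looksLikeUuid(name: string): boolean {
  return UUID_RE.test(name);
}

/** Old behaviour (before the fix): x-auth-request-user wins, local-part is the fallback. */
export function resolveNameBefore(headers: Headers): string | undefined {
  return headers["x-auth-request-user"] ?? emailLocalPart(headers["x-auth-request-email"]);
}

/** New behaviour (after the fix): the email local-part is the only source; the
 *  x-auth-request-user header is ignored even when present. */
export function resolveNameAfter(headers: Headers): string | undefined {
  return emailLocalPart(headers["x-auth-request-email"]);
}

/** Audit helper (assumed, not in the PR): rows whose name is still a UUID, with the
 *  local-part a backfill would assign. Rows without a usable email get no suggestion. */
export function rowsNeedingBackfill(
  rows: { email: string; name: string }[],
): { email: string; suggested: string | undefined }[] {
  return rows
    .filter((r) => looksLikeUuid(r.name))
    .map((r) => ({ email: r.email, suggested: emailLocalPart(r.email) }));
}

// Constructed sample: headers as oauth2-proxy would forward them for a fresh Cognito login.
export const SAMPLE_HEADERS: Headers = {
  "x-auth-request-user": "00000000-0000-4000-8000-000000000000", // placeholder sub UUID
  "x-auth-request-email": "jane.doe@example.com",
};

// Constructed sample rows, standing in for the SELECT in the test plan.
export const SAMPLE_ROWS = [
  { email: "jane.doe@example.com", name: "00000000-0000-4000-8000-000000000000" },
  { email: "bob@example.com", name: "bob" },
];
```

`resolveNameBefore(SAMPLE_HEADERS)` returns the placeholder UUID and `resolveNameAfter(SAMPLE_HEADERS)` returns `jane.doe`; with no email header at all, `resolveNameAfter` returns `undefined` rather than falling back to the UUID, which is the case the remaining test branch covers.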