fix(auth): derive SSO display name from email local-part #23
Open
hunzlahmalik wants to merge 1 commit into
Conversation
oauth2-proxy was putting the Cognito sub UUID into x-auth-request-user instead of a human-readable username, so newly-provisioned SSO users landed with a UUID as their profile fullname. Drop the header read in the ForwardAuth middleware and use the email local-part instead — the same value both apps already fell back to when the header was absent; we're promoting that fallback to the only source.

Existing profiles with UUID fullnames are not auto-corrected: the middleware does not re-sync :fullname on subsequent logins.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
- Drop the `x-auth-request-user` header read in the ForwardAuth middleware — oauth2-proxy was putting the Cognito `sub` UUID into that header, so newly-provisioned SSO users landed with a UUID (e.g. `892ae5ac-0021-…`) as their `profile.fullname`.
- `x-auth-request-auto-register-*` tests: drop the now-unused header from the request maps, and add an explicit assertion that `:fullname` equals the email local-part.
- Existing profiles with UUID `:fullname` are not auto-corrected — the middleware does not re-sync the field on subsequent logins. A backfill is out of scope here.

Test plan

- `pnpm run test` from `backend/` passes (focused: `backend-tests.http-middleware-test`)
- Login where `cognito:username` is the bare `sub` UUID lands at https://foss-design.local.moneta.dev with `profile.fullname` = email local-part, not the UUID
- `SELECT email, fullname FROM profile ORDER BY created_at DESC LIMIT 5;` reflects the new behavior

🤖 Generated with Claude Code
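The before/after behaviour described in this PR, as an added stand-alone example that is not the project's code (the project's middleware is Clojure; this is a Python sketch of the same logic). It models the pre-fix path that trusted `x-auth-request-user`, the post-fix path that uses only the email local-part, and a UUID-shape check that would identify the profiles the PR leaves for a separate backfill. `MAX_FULLNAME`, `SAMPLE_ROWS`, the helper names and the UUID value are constructed for the example; only the header name, the `sub`-UUID symptom and the `(email, fullname)` row shape come from the PR text.

```python
import re

# Textual shape of a Cognito `sub` (RFC 4122 UUID). Assumed for the example.
_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)
# Assumed display-name cap; the project's real limit is not stated on the page.
MAX_FULLNAME = 250


def email_local_part(email: str) -> str:
    """Part before the last '@'. The domain cannot contain '@', but a quoted
    local-part can, so split from the right. Rejects non-addresses outright
    rather than silently yielding an empty or domain-looking display name."""
    if "@" not in email:
        raise ValueError("not an email address: %r" % email)
    local, _domain = email.rsplit("@", 1)
    if not local:
        raise ValueError("empty local-part: %r" % email)
    return local


def is_uuid_shaped(value: str) -> bool:
    """True when the value looks like a bare UUID (the symptom the PR fixes)."""
    return bool(_UUID_RE.match(value.strip()))


def fullname_before(headers: dict, email: str) -> str:
    """Pre-fix: take x-auth-request-user when present, else the local-part.
    With oauth2-proxy sending the Cognito `sub`, this yields a UUID."""
    user = headers.get("x-auth-request-user")
    return user if user else email_local_part(email)


def fullname_after(email: str) -> str:
    """Post-fix: the header is never consulted; the local-part is the only
    source. Length-bounded because the local-part is user-chosen input."""
    return email_local_part(email)[:MAX_FULLNAME]


def backfill_plan(rows):
    """rows: (email, fullname) pairs in the shape of the test-plan SELECT.
    Returns (email, old_fullname, new_fullname) for every profile whose
    fullname is a bare UUID, i.e. one provisioned through the buggy path."""
    return [
        (email, old, fullname_after(email))
        for email, old in rows
        if is_uuid_shaped(old)
    ]


# Constructed sample rows; the UUID is made up, not a real Cognito sub.
SAMPLE_ROWS = [
    ("alice@example.com", "11111111-2222-4333-8444-555555555555"),
    ("bob@example.com", "Bob Smith"),
    ("c.d+tag@example.com", "c.d+tag"),
]

if __name__ == "__main__":
    for email, old, new in backfill_plan(SAMPLE_ROWS):
        print("%s: %r -> %r" % (email, old, new))
```

Two practitioner notes on the hardened path: the local-part is chosen by the user (or handed over by the IdP), so it is untrusted display text and must still be escaped wherever `fullname` is rendered; and after this change a UUID-shaped `fullname` on a newly created profile would mean the IdP is placing a UUID in the email itself, which is a different problem from the header bug this PR removes.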